Court Says Employees Have No Expectation Of Privacy For Stuff On Company Owned Computers
from the well,-duh dept
A court ruling in New Jersey doesn’t seem all that surprising, but may lead to more legal questions in the future. The case involved an employee who was stealing from his employer. The employee was eventually found guilty of the theft, but argued that the evidence used against him was gathered illegally, in that it was in a password protected file on his company-owned laptop. It’s actually a little more confusing, as the guy actually claimed the laptop was his, but that turned out not to be true. He had originally purchased the computer using his employers credit card… but then still pretended the computer was his personal laptop. Yet, later, he “sold” the laptop to the company — so realistically, the company had bought the laptop twice.
So, then the legal question was whether or not the guy had a “reasonable expectation of privacy” for stuff stored on that laptop, especially in a password protected file. The court ruled no, that an employee does not have a reasonable expectation for privacy, and that, effectively, anything on the computer is fair game for the employer (even if it’s password protected).
You can understand the reasoning there, as it makes sense that a company should feel free to go through the contents of a computer it owns. However, it does raise some other questions. Earlier this summer, we wrote about another case in which a company continued to read the personal email of a fired employee, because he had left his personal online email account logged in from the company-owned laptop. While that seems different, is it really that big a leap from data stored on the local hard drive, to data stored on a remote hard drive, accessed via a web browser? It does, however, start to become a much trickier question, especially as more data and apps move from the local laptop into the “cloud” and as work and life boundaries blur.
Comments on “Court Says Employees Have No Expectation Of Privacy For Stuff On Company Owned Computers”
What was he thinking
The guy is obviously missing something upstairs.
Illusive
That illusive “cloud”. What do we do with it ?
Re: Illusive
It is worth noting that as clouds build and grow dark, there is a distinct possibilty of severe storms which cause widespread damage …….. I look forward to the future web weather predictions. Today – partly cloudy and isolated storms
Re: Illusive
Clouds…storms??!! OMG Sarah Connor was right!
Honestly folks...
When using company property on OR off company time it should be expected that you do not possess any privacy within the realms of said property. If you want to surf porn, do it on your own time on your own computer. Then again, we’re not talking about porn in this case. We’re talking about about an employee suspected of theft of company assets. This company decided to access it’s own property for data either exonerating or incriminating an employee. The fact he password protected something stored on, and using, company property isn’t any sort of argument or shelter. Had this been a case of snooping like mentioned later in the post my opinion would be different. Unfortunately for this particular person he did something rather stupid and used company property to record and store incriminating evidence of his actions.
Re: Honestly folks...
And many companies seem to “suspect” everybody.
Why didn't he wipe the system prior to turning it over to them?
There’s nothing like a good 7-pass DoD wipe to discourage employers from doing such things. Why didn’t this guy sanitize the system when he handed over?
One word...
Truecrypt.
Let them chew on that.
Re: One word...
Truecrypt.
Let them chew on that.
Hardware key logger. Gotcha covered.
Re: Re: One word...
if he or she doesn’t check their workstations prior to starting to type, then they get what they deserve. ALWAYS check for dongles!
Re: Re: Re: One word...
For one thing, who said they were dongles? They can built in to the hardware. For another thing, even if it is a dongle it may be semipermanently attached and against company rules to remove or tamper with.
Re: Re: Re:2 One word...
must you be an effing troll. maybe it is in the damn keyboard. who cares. the jist of what I typed was CHECK YOUR WORKSTATION. Period. Dumba$$ troll.
Re: Re: Re:3 One word...
must you be an effing troll. maybe it is in the damn keyboard. who cares. the jist of what I typed was CHECK YOUR WORKSTATION. Period. Dumba$$ troll.
Resorting to profanity and name calling, eh? I guess once you’ve made such stupid statements you might as well. I mean, you don’t really have much credibility left to loose anyway.
Re: Re: Re:4 One word...
True, left to loose, as in your shoelace is loose. Congrats! Superb intellect strikes again. Now go get a job so you can move out of your Mom’s basement.
Re: Re: Re:5 One word...
True, left to loose, as in your shoelace is loose. Congrats! Superb intellect strikes again. Now go get a job so you can move out of your Mom’s [sic] basement.
Hey, you caught a typo! Congratulations! Is it your first? Did you get your picture taken with it? Too bad there isn’t some way you could have it mounted and hung on your wall where you could sit and gaze at it for hours on end. Oh, and by the way, “Mom’s” shouldn’t be capitalized there.
Re: Re: One word...
How does hardware keylogger work on a notebook. Unless you use an external keyboard and never take it home. Forget about docking station they are not usually prone to allow extra PS2 or USB tongles.
Re: Re: Re: One word...
What ?
Re: Re: Re: One word...
Pretty much the same as it does on other computers.
Are you thinking that they have to be external? If so, then you don’t know much about them. They can be internal as well. And many companies put tamper-evident physical “security seals” on company computers, the breaking of which can be cause for termination. Now you know one of the reasons why they might like to do that. (Some “enterprise” computers also have “intrusion detection” switches and BIOS’s won’t even let a computer boot if the case has been opened until a special password is entered.)
Re: One word...
Truecrypt requires administrative access to install the drivers. Many (most?) companies do not give their regular employees administrative access or allow Truecrypt.
Key loggers
I wonder how the courts would rule on employers using key loggers to capture employees’ banking passwords, etc.
Re: Key loggers
Years ago, before there was any such thing as Internet banking, people used to “bank by phone” using automated touch-tone systems. I was an engineer for a high tech company at the time and one of my duties was to maintain and configure the telephone system there. They had me, against my wishes, setup the PBX to capture and record all the keys pressed on all the company phones, except for certain upper-managers and executives of course. The reasoning being that the phones were company property so they had a right to monitor them. Not that there had been any problems, but “you can never be too careful, you know”.
Well, a lot of people would check their account balances, make fund transfers, etc. during their lunch breaks at their desks over the phone using the automated touch-tone systems. Little did they know that the company wound up with records of their bank numbers, account numbers and the PINs to go along with them. The company was eventually bought out and reorganized numerous times. Who knows were all that information wound up. Anybody with access to a pay phone could have probably cleaned out those accounts very easily.
Re: Re: Key loggers
Oops, I meant anybody with access to a pay phone and those records could have probably cleaned out those accounts very easily.
Re: Re: Key loggers
The phones were the company’s property. Therefore any information sent over those phones, including any banking or otherwise private information, becomes the property of the company. Thus, having freely given the company the information to access their accounts, they were also giving the company implicit permission to do so. Or, now that the company legally owned that information, they could have sold it on the open market (which is essentially what they did when they included it in the sale of the company). Why is this all so hard for you people to understand?
Re: Re: Re: Key loggers
first of all, you’re assuming the employees knew the phones were being tapped, cuz otherwise there’s no giving freely of the information hence no implicit permission.
secondly, just because you store information, you don’t own it. If that were the case, we would all own the information on any webpage we see, because whatever server is freely giving the information to us
and lastly, my private phone line, I might own the cable within the confines of my property, but somebody else owns the part from my house to the central and so forth. Wouldn’t whoever owns that, by your same reasoning, subsequently own any information I send over my phone line? Yet the law doesn’t seem to agree with you on that one, now does it?
Re: Key loggers
I wonder how the courts would rule on employers using key loggers to capture employees’ banking passwords, etc.
==========================================
Don’t do your banking on company property. I realize that’s over-simplifying it. I strongly believe in and advocate privacy rights, but when you’re on your employers infrastructure you do not and should not have any right to privacy unless such is explicitly given to you.
So I guess the solution is one of:
1.) don’t bank at work
2.) bank with your own laptop/cellphone at work
Re: Re: Key loggers
First you said “Don’t do your banking on company property.” But then you also said “bank with your own laptop/cellphone at work”. Well, wouldn’t that still be “banking on company property”? You seem to be confused.
Re: Re: Re: Key loggers
well, how would using your own cellphone (be it at work, the local butcher or at home) involve the company you’re working for. Same thing for the laptop, unless you would use your companies internet connection, you wouldn’t be using anything of your employer (you know, the part about YOUR OWN …) so how would that be doing anything on somebody else’s property?
seems to me like it’s mainly you who’s confused
Re: Re: Key loggers
when you’re on your employers infrastructure you do not and should not have any right to privacy unless such is explicitly given to you.
I remember reading a story where an employer was found to have installed hidden video cameras connected to recorders in the ladies’ toilet. The employer pointed out that he owned the toilets and never explicity told the employees that they had any “privacy” in the toilets. Yet a court found that it was reasonable for employees to expect so anyway. Some courts just don’t “get it”, do they?
The company may own the laptop, but I’m pretty he certain that he owns the data, and as such would have control over it through IP laws. That is, of course, assuming that IP law can be used by both civilians and companies…
Re: The company may own the laptop, but I'm pretty he certain that he owns the data,
Actually, if proper paper work was given to the employee than no. A lot of companies will have employees sign off on “this is company property” papers. Anything written and published on a company computer or laptop belongs to the company. The gray area is online networks and communities.
Seriously?
The company may own the laptop, but I’m pretty he certain that he owns the data, and as such would have control over it through IP laws. That is, of course, assuming that IP law can be used by both civilians and companies…
By that respect any person committing… let’s say any “real world” crime owns the data of their crime. Can he claim he owns copyright on what he said while committing the act, patent on his methods, or trademark if he’s a serial offender? All BS aside, this isn’t really worthy of techdirt.com. He committed a crime and left evidence in a place he didn’t have ownership over. The lesson: if you feel compelled to be a thief, don’t cry about how you own the evidence of your crime when it’s created and stored somewhere you DON’T OWN. If he quit while storing important documents in a locked company filing cabinet, would anyone here have any issue with the company taking a pry-bar to the cabinet after he left and took the keys?
Does the company really have all the rights over the employee?
The question is a fundamental one: how much right does a company have over its employees? First off, stealing is wrong. And im not condoning what the employee did. But if the company can access personal information that’s password protected from its machines, then there is something wrong with the way we’re constructing our emerging work spaces. Speaking of myself, my work is my life. it’s as personal as it gets. but that certainly doesnot mean that i don’t have the right to create my definition of personal space within my larger professional one. And i certainly do not appreciate any institution governing my right to paint the contours of my space.
Re: Does the company really have all the rights over the employee?
Are you joking? You shouldn’t have any PERSONAL information on a company machine. It’s that simple. It’s not your computer, no matter how you use it. Access anything “remote” is just stupid to do from within a company network.
Re: Re: Does the company really have all the rights over the employee?
That would include your fingerprints and DNA because as soon as you touch it you are probably leaving copies of both behind on it. If you don’t like that then you should wear a full haz-mat suit to work, eh?
Re: Re: Does the company really have all the rights over the employee?
Are you joking? You shouldn’t have any PERSONAL information on a company machine. It’s that simple. It’s not your computer, no matter how you use it.
That would include your fingerprints and DNA because as soon as you touch it you are probably leaving copies of both behind on it. If you don’t like that then you should wear a full haz-mat suit to work, eh?
(sorry for the double post, don’t know how the first one got screwed up)
Re: Re: Re: Does the company really have all the rights over the employee?
What’s your point?
Re: Re: Re:2 Does the company really have all the rights over the employee?
That would include your fingerprints and DNA because as soon as you touch it you are probably leaving copies of both behind on it.
What’s your point?
I’m sorry, I thought it would be clear. The point is that if it is indeed true that any personal information you leave on a company machine becomes company property (which of course they can then sell or do with as they please) and you don’t want them doing that with your fingerprints and DNA (very personal information) then there are few options to prevent that. But again, that’s only if the original premise is true.
Re: Re: Re:3 Does the company really have all the rights over the employee?
Wow…you got me. I should’ve said DIGITAL information. Give me a break, you know what I meant and are just trying to be a smartass.
Trial by Jury Solves This!
It’s not the legal system that’s broken, it’s our use of the legal system that’s broken. This is the sort of thing that ought to be settled by trial by jury, and those jurors should be the ones to decide whether this is reasonable or an injustice.
We don’t need more laws, or more clarification of laws, we need jurors who’re aware of their rights and are willing to vote their conscience, not just go along with the laws as presented by the “system”.
Jury Nullification. Look it up.
Why so surprised?
listen, if you expect anyone to protect you’re privacy other than yourself, you are foolish. if you speak in public you can’t go to the people around you and say you can’t listent to this and expect privacy.
Here’s a news flash for you, the internet IS public. Ok, you have things like email where you have entrusted another organization to keep your works out of other peoples eyes, but seriously, when you send information online it transfers through any number of servers that are guess what, not controlled by you.
Say what you want about how people should behave, but when you entrust things to travel through the hands of others, and trust them not to look, you’ve done so at your own risk. Any laws or TOS simply mitigate that risk.
If you make data publicly available, the only person you may blame a number of people who didn’t protect you’re privacy, but guess what, it’s your privacy and ultimately you’re responsibility. once you make information public, it’s out there, and you can’t pull it back.
Re: Why so surprised?
Or your physical safety. That’s why you should never go out without being well armed.
True. Once again, never go out without being well armed. Preferably with automatic weapons. I recommend the AK-47 for its generally higher reliability in the hands of casual users.
If you go out in public, you’re ultimately responsible for your own safety too.
Working Tools
As a tech, I buy my own software tools. It always concerned me to have to install these on my work computer. I have now started to use these from my own scan disk thumb drive.
This is pretty relevant to weather or not my own equipment and tools ever become the property of the company if they are attached to the corporate network. I sure hope not.
Re: Working Tools
If you work for a company that is so cheap they won’t provide you the tools to make *them* money, ownership of said tools should be the least of your worries.
Re: Re: Working Tools
That seems to be pretty typical of many companies. Welcome to the working world.
Who owns what?
This is pretty relevant to weather or not my own equipment and tools ever become the property of the company if they are attached to the corporate network. I sure hope not.
Just because you plug your thumb drive into a company computer doesn’t make it theirs. Data, on the other hand, gets much more vague. Was the data stored on company time and/or using company assets? If so, who owns the data? These are questions yet to be tested by the courts.
However these are not the questions raised in this case. To sacrifice an analogy, we all know that when you put your trash out at the curb you no longer hold any rights over it’s contents. In this case he might as well have typed out his own evidence on a typewriter, put it in a shredder, and thrown it in the company’s trash.
There is a distinction that needs to be made here. Let’s look at the facts. Long after he left he became suspected of embezzling and the company decided to access data stored on its property. Let’s look at the premise from the other side of the coin. This is no different than hiring a contractor into your house for maintenance. If you suspect he stole from you, then as the homeowner it is your right to allow the authorities into your property and search for any incriminating evidence the contractor may have left behind.
Ownership
I think a lot of people are forgetting the contract that you sign when you get hired. Basically, anything you create on company property is owned by the company. If anyone actually reads the contract and can understand it then you would know, that the company basically owns your soul… Just until they don’t need you anymore.
Also, some companies lock down computers so much that you can not really do a whole lot. For example, the company I work for, I have no access to the HDD, USB, CD-ROM, I can’t even change the clock on my desktop let alone connect a flash drive.
Re: Ownership
Huh? Do you really believe that all employees sign contracts? And that they are the same as yours? That’s very myopic.
No wonder.
Browser reading company cache
In the case of the company laptop left logged in to a private email account, the company could easily argue that the browser was merely reading the cache which was stored on the company-laptop’s local drive.
The same principles and limitations of physical privacy should apply to computer data. Can your employer open any locked drawer in your desk, for any reason? Do you agree to have all conversations monitored at work, for any reason? If not, then you have a reasonable expectation of privacy. Why should it be any different for a password-protected file?
I understand that there was a criminal investigation in this case. I don’t doubt the guy was a scammer. But at no point was a warrant obtained to search the locked file, as is our Constitutional right.
Simple answer. The company has a right to access any passwords stored on a company computer. A company has no right to USE that password to gain unauthorized access to an account that is not theirs, even if the account autologs on.
At most, the company can look at the email headers that come up. Any clicking on anything on that account is illegal.
Extending ownership
Just how long until the employment contract says;
“Any devices you attach to any company-supplied computers, becomes the property of the company.”
If I was that guy, I’d have challenged the admissibility of the document in question. “Yer honour, that’s not mine, I’m being framed by an evil collegue!”
It worked for this guy;
http://www.theregister.co.uk/2003/04/24/trojan_defence_clears_man/
I think the only purpose this article serves is to remind folks at least once a year about the no expectation of privacy at work.
This is the very same reason that companies only want you to use their computers and their software for company business, because it strengthens their ownership claims. A better case study would be where an employee was forced to buy a hardware asset, like a laptop, to do company business. There the employee would be able to make a claim that the employee not the employer owns the data.
For anyone that has spent more than a year or two in the working world knows that everything you do on a company computer or a company owned asset is considered owned by the company. The only ones arguing against that are students, those living in denial, and folks that simply like to argue a contrary position.
You want to see draconian get a job as an engineer or a scientist and read the NDA’s and patent agreements you are forced to sign.
by Paul
But at no point was a warrant obtained to search the locked file, as is our Constitutional right.
Ah, that only applies to LAW ENFORCEMENT. courts have long held that a warrant is not required for an employer to access these things. Also, since the computer was the company’s, they can legally give permission to law enforcement to access anything or perform a forensic analysis.
And for the record, I am all FOR privacy in every way, shape or form, but this guy was an idiot…
Re:
It is expected that you do not have any privacy when using company property.
That’s a pretty broad statement. So you’re saying that the court ruling about hidden cameras in company toilets no longer stands? Are you sure you’re a licensed attorney?
Only you wouldn’t capitalize Mom. You must have had two Dad’s.
Re: Re:
Really…it’s not that complicated.
Correct usage:
I’m going to call Mom tonight.
or
I was on top of your mom last night.
Re: Re: Re:
So that means you’re into Necrophilia? Can you please at least replace the flowers and leave an inscription? Also, light the candle when you’re done. Thanks.
Re: Re: Re: Re:
So that means you’re into Necrophilia?
Mind in the gutter much? Why did you capitalize necrophilia?
Mind in the gutter much? No, Mom has been dead since 2000.
Re: Re:
You used capitalization correctly! /thread
Sorry about your mom. 🙁