Autor: FlexiSPY

Every employer understands that there is sometimes a need to do some investigative work. You might be checking out a new hire, or be suspicious of one of your employees who is entrusted with confidential or sensitive information.

Employers should be monitoring the use of company computers and company phones by their staff. In the course of monitoring, an employer might obtain an employee’s login details or password for personal accounts – Facebook, email, bank accounts.

What is the law if the employer logs in to the employee’s account? Is it illegal? Can the employee sue the employer?

This is a relatively new area of privacy law in the US, and it touches both on federal and state regulatory schemes.

On the federal level, the Stored Communications Act, 18 U.S.C.§2701, was enacted as part of the Electronic Communications Privacy Act.  It protects electronic communications that are kept online.  Recognizing that the reasonable expectation   of privacy of these records and the interpretations of the 4^th amendment’s prohibition against unreasonable search and seizure which offer protection for physical locations, Congress established stiff criminal penalties for unlawful access or changes to these online records.

This law famously came into play in a case of internet snooping, dubbed “WebcamGate”.  The case arose when a school district issued laptops to students which gave the school control over the laptops’ webcam.  The school district administrators did activate the webcams without knowledge of the students or their parents.

A class action lawsuit ensued, which was eventually settled with the school district.  In that action, a claim was made under the SCA for civil damages for unauthorized access of the records which would be maintained on the laptops, namely the photo files. The case was quickly settled, so the Court never ruled on the SCA claim.

Subsequently, another federal court did find that the unauthorized accessing an employee’s personal accounts through use of a password captured from a keylogger was a violation of the SCA.  In Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S. Ind. 2011), a woman was authorized by her employer to access her personal checking and email accounts from her work computer.

The employer failed to notify her that keylogger software was installed on her work computer.  Her passwords were discovered through keylogger software.  Her employer reviewed both her personal email and checking account history using the captured passwords.

There were several emails by and between company management, discussing the contents of her personal account histories.  The court reviewed whether the employer’s conduct violated the Stored Communications Act.

The keylogger information itself, which included passwords, opened emails and viewed webpages, did not infringe on the Act.  However, the employer’s conduct in using the passwords to review Rene’s histories (stored communications) would be covered by the SCA.

With respect to social media networking sites, the SCA first came into play in Pietrylo v. Hillstone Restaurant Group (NJ, 2009).  Pietrylo and another employee started a private, invitation-only, password protected MySpace group in which they voiced their complaint about the company’s management and customers.

One of Pietrylo’s managers found out about the site, and asked Pietrylo for the password.  Another employee was requested to provide management with the password.  Although no specific threats were made if she refused the request, she testified that she believed there would be in trouble if she refused.  Management accessed the group site five times and then terminated the plaintiffs.

The jury found that the MySpace group was a facility that stored electronic communications as defined by the SCA. The jury further found that the restaurant managers violated the SCA as they did not have authorization to access the group webpage.  The court awarded the plaintiff’s back-pay, punitive damages 4 times the amount of back-pay damages, and attorney’s fees.

Finally, of importance to our customers, is retrieving data from dual-use devices. The line between personal and business use of mobile device is increasingly becoming blurry.  As more and more employees carry cell phones and tablets that are used both for personal and business purposes, the likelihood that an employer would access the employee’s personal accounts is dramatically increasing, and, with that, exposure to liability for the employer.

Lazetta v. Kulmatycki (N.D. Ohio 2013) arose out of the accessing of an employee’s personal email account from a company-issued phone. Verizon issued a blackberry to its employee, Lazetta, who set up a personal Gmail account on the phone with Verizon’s permission.

When Lazetta ended her employment, she returned the blackberry to her supervisor, but forgot to delete the gmail account.  She was advised by her supervisor that the phone would be recycled and given to another employee. Instead, her supervisor read over 48,000 of Lazetta’s personal emails over an 18-month period.

The court ruled that both the supervisor and Verizon could be liable for the SCA violation. To defeat a summary judgment motion, it was enough to show that the personal account contained private information and that the personal account was accessed through the unauthorized use of a password.  Moreover, the court ruled that the employer, Verizon, would be held vicariously liable if the supervisor were found liable.

Even if an employee were to give a personal account password to an employer, the account may only be accessed for the limited purpose of the authorization.  Exceeding the authorization invokes liability under the SCA.

In Cheng v. Romo (D.C. Mass 2012), the court also ruled that a motion for summary judgment was defeated, where an employee pled sufficient facts to show that the scope of password authorization had been exceeded by the employer’s access to the plaintiff’s personal email history.

Cheng and Romo were radiologists working for the same company.  Cheng gave Romo her personal email account password, so that Romo could receive radiology consultations as the employer did not have a company email account.  Both employees ended up in litigation with the employer after their terminations.

Claiming that she wanted to investigate various disciplinary actions, Romo used her son’s computer to access Cheng’s email account, and printed 10 of those emails, some of which contained personal content.  The Court held that an employer can be liable under the SCA for exceeding the scope of authorization for use of a password for an account, even if the account is used for mixed purpose (personal and business), where personal information is accessed.

In the United Kingdom, spying on phone calls has come to the forefront of the privacy debate. First, there was RupertGate or MurdochGate in which reporters from News of the World were criminally prosecuted and brought before Parliament and numerous governmental bodies for their phone hacking.

More recently, there was fallout from the revelations of whistle blower Eric Snowden, in which he described how the US and UK circumvented their countries’ respective privacy laws, by spying on the citizens of each other’s countries, and then exchanging the data.

To this charge, Foreign Secretary William Hague said “Intelligence gathering in this country, by the UK, is governed by a very strong legal framework so that we get the balance right between the liberties and privacy of people and the security of the country.”

Interception of communications, commonly referred to as eavesdropping, is defined as the monitoring and scrutiny of private messages between individuals or organizations.  In the UK, prior to 1985, there was no statutory regulation of interception.  With respect to governmental surveillance, It was carried out under the Royal Prerogative, with the only oversight being the informal “judges rules”.

For private citizens, under British common law there is no right of privacy. ] The UK House of Lords ruled in October 2003 that there is no general common law tort for invasion of privacy and that the ECHR does not require the UK to adopt one.  Wainwright and another v. Home Office (UKHL 53 2003).  Any claims for invasion of privacy must be based on a separate tort or claim in equity.

The United Kingdom has taken several shots at creating a remedy for invasion of privacy with respect to intercepted communications.  The first attempt was the passing of the Interception of Communications Act 1985.  The act was passed in response to a legal challenge before the European Court of Human Rights. Malone v. The United Kingdom, Application No. 8691/79 (1984).

Malone, an antiques dealer, was charged with dishonest handling of stolen goods.  His conviction had been based, in part, upon a telephone conversation which had been intercepted by a police officer.  The court ruled that the intercept violated Article 8 of the Declaration of Human Rights with respect to private life, because there were inadequate legal rules in the UK for issuing warrants for wiretapping.

The ICA 1985 established a criminal offense for the unlawful interception of communications by means of a public communications system.   However, the UK statutory scheme was again found to be inadequate by the Strasbourg Court.  Halford v. The United Kingdom, Application No. 20605/92 (1997).

Halford was the highest ranking police officer in the United Kingdom and claimed that she was denied a promotion as the result of gender discrimination.  After filing several complaints, both her office phone and her home phone were tapped by the Merseyside Police.  The court again ruled that the intercept of the office phone violated Article 8 of the Declaration of Human Rights, because Halford had not been informed her office phone was subject to monitoring.

Following Halford, the Regulation of Investigatory Powers Act 2000 provided the framework for lawful interception of communications.  Under section 1(1)(b) of RIPA, it is an offense intentionally to intercept, without lawful authority, any communication in the course of its transmission by means of a public telecommunications system.

Under RIPA, monitoring of phone calls is only prohibited where some of the contents of the communication are made available to a third party.  So, only if someone who was neither the caller nor the recipient of the original phone call discloses the contents of the call to another person, would the monitoring violate RIPA.  Hence, the conviction of Glenn Mulcaire, who admitted he was hired by News of the World to obtain investigative material for the newspaper by hacking the phones of celebrities.

Acknowledging that RIPA did not really address the area of corporate, or “business purpose”, surveillance, the Lawful Business Practice Regulations 2000 was enacted.  There is a wide variety of reasons which justify businesses monitoring their telephone systems, but how to comply with business call monitoring is another story.

Ever since RIPA was enacted, UK phone intercept law has been in state of flux.  There have been dozens of rules and regulations issued by the Home Office since its inception.

Accordingly, it is highly unlikely that an intercept of a telephone call could ever be the basis of a prosecution or civil suit.  Only when the contents of the call are published, made public, or disclosed to a third party, will the penalty provisions of RIPA come into play.

Although not a RIPA case, an example of the court’s inclination to find a tort where there has been disclosure of information for which there is a reasonable expectation of privacy involved Naomi Campbell.   Campbell v. MGN Ltd, (UKHL 22 2004).

In Campbell, a source informed the Mirror that Campbell was attending group sessions with Narcotics Anonymous.  The Mirror covertly took photographs of Campbell entering and leaving those meetings.   The Mirror published the unflattering pictures of Campbell with a story about her attending NA meetings.  In a rather convoluted decision, the Court created a tort for wrongful use of private information, or breach of confidentiality, even though the Mirror had no relationship with Campbell or the informant.

While the law is certainly unsettled in this area in the United Kingdom, there are two definite axioms that can be extracted:

(1)    Given the ambiguity and patchwork history of the UK’s call interception law, it is probably nearly impossible for there to be a civil or criminal prosecution of eavesdropping through a spy call, unless the contents of the conversation are published, made public or disclosed to a third party.

(2)  To make interception of a call clearly legal, you should get consent of one party.  This is mentioned in RIPA with respect to governmental wiretaps.

Facebook has become an almost universally accepted social network.  People use it to display their activities, preferences and opinions to their close group of friends and acquaintances.

Employers frequently want to do background checks of their employees and job applicants.  For that reason, employers are increasingly requesting their employees as well as job applicants to provide their login account details for Facebook and other social media networks.

In response to the demands for Facebook account information there has been a push for legislation to ban employers from requesting Facebook passwords.  Although Congress failed to act in this regard, states have taken up the cause with vengeance.

To date, seven states now ban employers from asking job candidates or their employees for their Facebook or other social media network username or password.  Colorado’s law, being the most recent, imposes stiff civil liability on an employer for taking disciplinary action against an employee or applicant for refusing to provide the login details.  Legislation is pending in another 19 states to establish similar bans.

Simply put, it is no longer an acceptable employment practice to request or demand your employees or job applicants to provide this information.  Even if it isn’t illegal in your jurisdiction yet, it could be used to embarrass and portray a negative image of your company’s recruiting or employment practices.  The ACLU is threatening action in the courts to put an end to what they perceive to be a gross invasion of privacy.

Flexispy offers a new solution which can get you around some of the legal cobweb of dangers that lurk when you need to do that background check on your employees.  Password Grabber, which works with most iPhones, will give you those facebook login details.

Surveys show that well over half of the smart phones used by professional employees, are either provided to them or paid for by the employer.  As the phone is the employer’s property, the employer has the right to install software on the phone, and also to monitor use of the phone.

Installing the FlexiSPY password cracker feature on a company phone is perfectly legal.  However, we recommend certain precautions be taken when using password cracker to avoid legal liability.

• Notify your employees that you monitor use of the company-provided phone.  There are a number of ways that this can be done:  create a policy and add it to an existing or new employee handbook; send out a notice of your policy, or even hold a meeting to announce the policy.  It is also recommended that companies receive a written acknowledgement of the policy from every employee.  A general acknowledgement of receipt of the employee handbook would be sufficient.
• Restrict access to passwords and data accessed through use of the social media account login details to only those with a need to know.  Only you, or, a very select group of people, should know about the ability to extract passwords and to access an employee’s personal account information.
• Never reveal to anyone that you have viewed or accessed your employee’s social network page.
• Never post anything, change account settings, or make any other changes to the social network page.  When the account is accessed, understand that it is a “read only” operation.
• Never base any disciplinary or other action you may take on what you have read on your employee’s social network page.  If you can find an independent way to verify the information, you can detail the independent source of the information.  Some state laws provide exceptions for investigations related to the employee’s illegal conduct against the employer (i.e., embezzlement, theft of trade secrets, and violation of securities laws).

This is the first in a series of posts about using spy technology at the workplace.  We’re going to look at this both from the employer’s perspective and from the employee’s perspective.

Spying raises many legal issues, particularly employee monitoring.  Employers typically have wide latitude to monitor their employees.  There are legal limitations as to what an employer can monitor.

There are many reasons why an employer may want to monitor their workers.  Employers are generally liable for the acts of their employees who are in the course and scope of their employment.  Workplace lawsuits for wrongful termination and sexual harassment have become more common.  Work injuries are another source of liability.

Risk management is one reason why monitoring makes sense for employers.  Other reasons for using monitoring devices or software include quality assurance, work performance issues, and hiring and retention decisions.

From the employee’s side, workers are now asserting their right to record meetings.  They also have pushed to be able to gather visual evidence.  Courts have opened the doors for employees to defend their rights in the workplace, and also to become whistleblowers.

Workplace spying raises legal, human resource, and privacy issues.  We’ll deal with all of these so that you can make an informed choice as to whether to use spy devices at work.