“If Privacy Matters in Your Life, It Should Matter to the Phone Your Life is On.
Privacy. That’s iPhone.”
Simply put, Apple gives employers way too much power over the corporate apps they develop. Apple does this by issuing enterprise developer certificates, which allow employers to disseminate apps to employees outside of the app store without any privacy or security review by Apple, as well as grant themselves “root access” to employees’ personal phones. With root access, an employer can write software giving it complete control over an employee’s iPhone; an employer could change the phone’s configurations, data, and files, and access all phone data, including texts, emails, photos, contacts, social media activity, web browsing, location data, and banking activity. This problem may not be unique to Apple, but recent news has focused specifically on this design flaw in the iPhone. In an era where employees are increasingly using their personal devices for work, many have unknowingly left the door wide open for their employers to peer into their personal lives.
Many might reasonably ask how any of this is legal. While certain federal and state laws address different parts of this problem, the law currently does not offer a comprehensive, clear-cut solution.
Notice and Consent
Can employers secretly monitor employees on their personal devices?
The first is the Stored Communications Act (SCA), which prohibits (1) intentionally gaining unauthorized access or exceeding access of a (2) facility through which an electronic communication service is provided, (3) thereby obtaining or altering access (4) to a wire or electronic communication (5) in electronic storage. Another statute is called the Computer Fraud and Abuse Act (CFAA), which also prohibits gaining unauthorized access, or exceeding authorized access, to a computer (including smartphones).
The SCA and CFAA aren’t limited to the employment context, but employees have used them against employers for privacy violations. But their protection is limited. For instance, they don’t apply when the employer provides or administers the system/device being monitored (e.g. an email system or work-issued device).
Courts also disagree as to the scope and coverage of these laws. For instance, it’s unclear whether the SCA’s “electronic storage” element includes already opened emails, emails saved on a hard-drive, text messages on a phone, and whether “electronic communications” include address books and location data. These discrepancies are problematic, as ill-intentioned employers could theoretically exploit these loopholes to their advantage, for instance by writing software that reads personal emails only after they’ve been opened.
But employers don’t even need that much technical savvy, because surveillance is non-actionable under the CFAA and SCA when the employee has authorized (i.e. consented) to it. Given the default rule of at-will employment, employers can easily pressure employees to agree to intrusive policy policies by making it a condition of their employment. And courts have accepted this as a form of implied consent in SCA/CFAA lawsuits. Though many states have passed analogous state laws, as well as found state constitutional and common-law privacy rights, their availability often turns on factors such as whether the employee had a reasonable expectation of privacy, whether the employee consented to the monitoring, and whether the intrusion was “highly offensive” or “serious.”
Social Media Privacy Laws
Most responsive to Apple’s privacy dilemma is legislation recently passed in 26 states that prohibits employers from requesting or requiring employees/prospective employees to provide access to their personal social media accounts.
While many states define social media account broadly, arguably covering things like personal email and financial accounts, most have also created an exception for employers when investigating employment-related misconduct or theft of employer data. A few states also immunize “innocent discovery” of protected information during ordinary network monitoring. But no statute appears to immunize employers who obtain the “consent” of their employees to access/monitor these accounts.
These laws seem to address the privacy concern raised in this post. After all, if employers cannot demand access to employees’ personal social media accounts, then presumably they also cannot use a corporate app to collect employees’ personal social media data. Moreover, what sets them apart from other federal/state laws is that employers cannot circumvent them by getting employees’ consent.
However, several concerns remain. First, many states have vague and confusing definitions of things like “personal” and “social media account.” Some states don’t even bother to define them. States also vary greatly in terms of what qualifies as a social media account. While California and Nevada define it as “electronic service or account, or electronic content,” other states define it as an internet-based service that allows users to create a public/semi-public account, generate a network of users/friends, and then view and navigate that network. With few (if any) lawsuits brought so far, judges will have to grapple with and give shape to these laws.
Second, upon closer examination, very few states fully address this problem. Most state laws seem to prohibit employers from accessing private data on social media accounts including Facebook, Instagram, Twitter, Whatsapp, and Snapchat. But there is still a lot of personal data not connected to social media that would probably not be covered in most states: your texts, contacts, calendar, photos on your phone, web browsing history, and location data, to name a few.
So, where does this leave us? Currently, in 24 states, employers can essentially collect as much personal data as they want, so long as they get “consent.” And for the 26 states with social media laws in place, it makes a lot of important personal data unavailable to employers, but not all of it.
There are several potential solutions, both in law and in tech:
- Hopefully, states continue to pass social media laws with broad protections.
- A comprehensive federal privacy law is also long overdue.
- Apple (and other smartphone devices if applicable to them) could also refuse to grant employers this level of access, or alternatively provide root access only when businesses show why such access is vital to their operations.
- Businesses can provide employees with work-only devices and make it clear that it’s not for personal use.
- Alternatively, if companies insist on having a BYOD policy yet are worried about trade secrets being stolen, they can write software that keeps the proprietary information on lockdown within the corporate app, rather than monitoring all activity occurring outside of the app.
With numerous solutions available, it’s time to get moving.