Hewlett-Packard, Privacy, and Consent
posted by Timothy Glynn
The recent scandal at Hewlett-Packard has had remarkable staying power. Like most others, I was taken aback by the investigatory methods HP officials used to find the source of boardroom leaks. They crossed the line, certainly as a normative matter, and, if the California indictments are any indication, as a legal one too.
Now let’s add a twist: What if members of HP’s Board of Directors had agreed in advance to be spied on? Say they had agreed when they were named to the board that HP could conduct unannounced investigations and surveillance of their personal contacts and communications – including access to personal phone and other records – if necessary to protect firm interests. And suppose this consent was “narrowly tailored” in the sense that such an investigation would occur only after HP officials determined that there had been a leak, it most likely had originated with a board member, and further leaks would potentially harm the legitimate interests of the corporation. I wonder whether such prior consent would change many individuals’ views of at least some of HP’s actions.
Demanding such a waiver is not far removed from reality because of growing concern among firms about leaks of confidential or embarrassing information and the growing ease of publishing such things through blogging, media leaks, etc. And, as discussed in a prior post by Dan Solove, this is not the first time we have seen firms go to great lengths to identify the source of comments on the inner workings of the business.
In addition, in terms of existing doctrine, consent is a seemingly intractable problem for those seeking greater privacy protections for employees. Employee consent to monitoring eats away at privacy on the front end by eviscerating the “reasonableness” of their expectation of privacy; to the extent some privacy interest nevertheless remains, consent privileges the intrusion on the back end. Since the vast majority of employers now have some combination of surveillance/monitoring policies and waivers, consent has become a nearly all-consuming black hole, at least with regard to employee communications while at work or on employer-owned communications devices.
By the way, according the New York Times, HP also spied on its employees electronically, including monitoring one employee’s instant messaging with the media. The employee, who turned out not to be the source of the leak, acknowledged that he knew HP monitored such communications and noted a later apology from company officials.
Is the director hypo more troubling than consent to monitoring in the employee context? At first blush, it seems less problematic. Directors are certainly in a better position than many employees when it comes to bargaining, and the spying policy I described is far more narrowly drawn than most employer monitoring polices.
It is true that most monitoring of employees occurs at the workplace or on employer-provided communications devices, while the monitoring in the hypo I posed is more sweeping. Yet maybe this “turf” distinction is too old-fashioned. The “workplace” may be just shorthand for describing various legitimate employer interests in monitoring. In the hypo, such an interest is definitional, and in the real world HP seemed to have legitimate business reasons for seeking to stop the leaks and find the leaker – distinguishing this from, say, a situation in which a firm seeks to find and punish a whistleblower. And one can foresee even more compelling reasons (preventing further leaks of highly sensitive information or the passing of valuable secrets to a competitor).
Perhaps, instead, surveillance of personal communications made from workplace or on employer equipment seems inherently less intrusive or offensive to our notions of the private than efforts to monitor personal calls and communications made elsewhere or on one’s own telephone or computer. But maybe that is just part of the expectations feedback loop to which consent contributes, and, if so, as directors or others start giving consent to be “spied on” elsewhere, it may one day seem no more problematic.
In the end, this is one area where my thinking tentatively confirms my original instincts: consent should not be dispositive in a society where it can be purchased or extracted, particularly given the potential externalities of cumulative consent. I am very interested in what others think.
Please contact the server administrator,
support@supportwebsite.com and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.
More information about this error may be available
in the server error log.
October 5, 2006 at 12:29 pm
Posted in: Privacy, Privacy (Electronic Surveillance)
OK
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Apache/1.3.33 Server at www.concurringopinions.com Port 80