It has been reported that Presidential spokesperson Sean Spicer called an emergency meeting of his staff to hunt for leaks. At that meeting, reportedly approved by and supervised by White House counsel, Spicer demanded that the staffers produce their cell phones (government and personal) for examination to determine whether or not they were the leakers, and also to advise the staffers that the use of so-called “read and destroy” features (such as the messaging app “confide”) likely violate the provisions of the Presidential Records Act.
So two questions arise that are significant from an information security and information governance perspective. First, can an employer demand that employees (government, intelligence, commercial, etc.) produce their personal electronic devices in order to investigate leaks of company/government information? Second, do these messaging apps violate records retention laws and policies? The easy answer is yes, and yes. The more complicated answer is, maybe and maybe. But you knew that already.
Your [Personal] Cell Phone or Your Life – Or, Your Personal Cell Phone IS Your Life
Can your employer demand that you produce your personal cell phone, iPod, iPad, tablet or even home PC? The short answer is, in general your employer can demand just about anything. They can demand that you stand on the conference room table and sing the theme music from La La Land while tap dancing. The real question is, what can your employer do if you refuse?
In the United States, absent a union agreement or a contract, we have employment at will. This means your employer can fire you for a good reason, a bad reason, or no reason at all, provided that they don’t fire you for a prohibited reason.
Prohibited reasons generally revolve around identity (race, religion, national origin), age, disability (with reasonable accommodation), or status – e.g., firing someone in retaliation for whistleblowing activities or the like. In addition, employment agreements (or corporate or government policies) may mandate that employees cooperate in internal investigations (or in “legitimate” internal investigations), and a “phone check” may be part of such an investigation.
So, it’s likely that an employer could discipline or even terminate an employee for refusing to “cooperate” in a leak investigation by refusing to turn over even their personal cell phone for examination.
But it’s more complicated than that. First, beginning in 2012, many states began passing laws restricting the rights of employers to demand that employees provide things like their social media passwords as a condition of employment or continued employment.
An example would be the Maryland law which prohibits an employer in Maryland from refusing to hire or taking disciplinary action against anyone who refuses to “disclose any username, password, or other means for accessing a personal account or service through an electronic communications device.”
On the other hand, the law does allow employers in certain regulated industries – like brokerages, etc., that mandate that employee communications be monitored – to demand social media passwords. It also allows employers to demand such passwords in connection with an investigation “about the unauthorized downloading [technically uploading] of an employer’s proprietary information or financial data to a personal Web site, Internet Web site, Web–based account, or similar account by an employee…”
Demanding a personal cell phone with saved passwords linked to social media accounts for inspection would likely constitute demanding the passwords themselves, so employers must be careful in doing so. Moreover, the White House can argue that they were investigating possible “leaks” of White House “proprietary information” and therefore come under this exception; however, “proprietary” information is not synonymous with “embarrassing” information.
Not all “leaks” and “thefts” of information are the same. The short answer to the question of whether or not an employer can demand to see the personal phones of employees, and whether or not they can be fired for refusing is complicated. Ask your lawyers first. In one recent case, a police dispatcher in Laredo, TX had her personal cell phone removed from an unlocked locker at work and examined for violations of department policy. The Court ruled that the inspection – without a warrant or probable cause or consent – did not violate the federal Stored Communications Act.
In the government context, this gets more complicated by the fact that the Fourth Amendment applies to “governmental” searches and seizures, even if the government is acting as employer – but “consent” is an exception to the Fourth Amendment.
Then it would get to the “reasonableness” of the search – a blanket “someone is leaking, and you work here” might not be a narrowly defined and reasonable search – but again, they can always ask for permission. This issue comes up frequently in the context of BYOD policies and employee privacy.
One problem for employers – government and otherwise – is that if they insist on being able to inspect the personal cell phones of their employees, then in the course of later litigation and discovery of “corporate” or “government” records over which the employer has “possession, custody and control,” courts may conclude that the regular inspection of the contents of personal devices renders the data in them at least “quasi-employer” information. Even in non-BYOD situations, the line between what is strictly “personal” and what is “employer” may be hard to define.
The second part of the White House staff emergency meeting reportedly dealt with the staff’s use of applications like Snapchat, Confide, Wickr, Clipchat, TigerText, SilentCircle, BurnNotice, CyberDust,Telegram, Dontalk, SpeakOn, Bleep, Hash, StealthChat or others. What these have in common is that they permit – to a greater or lesser degree – end-to-end communications and file transfer (voice, text, pictures or files) which are then “deleted,” “wiped,” or simply not stored or saved after being viewed. Some of them also are designed to minimize the problem of screen capture – requiring a user to scroll line by line (although a second smartphone could be used to video capture the contents of the first, right?).
All of these are methods of preventing a trace of activities from being created. Or technically (and this is important) being retained.
There’s nothing wrong with having or even using such apps. In fact, Presidential Spokesperson Spicer himself had the app Confide on his personal phone until he reportedly deleted it, claiming that the apps that are on his personal phone are “personal” and none of anyone’s business. What you CAN’T do is use such apps to delete records (on personal or other phones) that are required to be stored and maintained.
Under document retention requirements – whether it’s the Presidential Records Act, the National Archives Act, corporate retention laws, IRS retention requirements, or even litigation holds, an entity is required to preserve records covered by the act. They can’t delete them – and these apps delete records. If the record is required to be preserved, then the use of these apps may violate the retention law.
But here’s where technology and the law get weird. Just like there “’aint nothin in the rules that says dogs can’t play basketball,” there aint nothin in the rules (in most instances) that says a record must be created in the first place. So, if a White House staffer wants to have a conversation with a reporter without a trace, they can use American Sign Language, blink in Morse Code, or use Semaphore to communicate without a record. The idea of having a face-to-face or telephonic conversation to avoid creating a record of the contents of the conversation is not abnormal – even if the sole reason for the meeting is to avoid creating a record.
But technology is weird. If I have a phone call with you over a copper POTS line (Plain Old Telephone Service), the call is ephemeral – no record of the contents (unless Rosemary Woods, Alexander Butterfield or J. Edgar Hoover are listening – kids ask your parents).
But if we have the same conversation over VOIP – even partially over VOIP – then we turn the audio file into packets which are stored, copied and transmitted across the Internet. There we would potentially have more than a “failure to preserve” the records – the packets would be deleted – possibly in violation of the retention requirements. As we inadvertently store – even briefly – records of what would otherwise be ephemeral, we may have a requirement of preservation. So that if your employee named Jeremiah Denton blinks out a message in Morse code, the video of that “communication” if created must be retained.
Again, for Republicans, like for Democrats (and Green, Independent, or other parties), there’s no absolute prohibition on the use of personal devices for official business. It’s just that if you do use such a device, the records that relate to official business must be preserved on that device and can’t be deleted.
So, just as Hilary Clinton’s emails sent from a private server must be preserved and not deleted if they relate to her official function, those of White House staff must be preserved if covered by the statute. So a FaceTime conversation typically does not “preserve” a record of that conversation, but it does so in a manner similar to these disappearing chat messages.
The packets that make up the FaceTime conversation are, in fact, created, stored, transmitted, and reassembled. They just aren’t “preserved.” Would using FaceTime, Skype, Facebook Messenger or other video messaging programs that don’t by default preserve the contents of the communication violate the Presidential Records Act?
Don’t ask me – my brain is starting to hurt. Just recognize that both technology and the law evolve – just at different paces. Also remember that every President since George Washington railed against leakers (for GW, the most damaging leaker was his Secretary of State, Thos. Jefferson.) And every one of them was unsuccessful in preventing them. The ship of state has always been a leaky one.