Hewlett-Packard, Privacy, and Consent

hewlett-packard.jpgThe recent scandal at Hewlett-Packard has had remarkable staying power. Like most others, I was taken aback by the investigatory methods HP officials used to find the source of boardroom leaks. They crossed the line, certainly as a normative matter, and, if the California indictments are any indication, as a legal one too.

Now let’s add a twist: What if members of HP’s Board of Directors had agreed in advance to be spied on? Say they had agreed when they were named to the board that HP could conduct unannounced investigations and surveillance of their personal contacts and communications – including access to personal phone and other records – if necessary to protect firm interests. And suppose this consent was “narrowly tailored” in the sense that such an investigation would occur only after HP officials determined that there had been a leak, it most likely had originated with a board member, and further leaks would potentially harm the legitimate interests of the corporation. I wonder whether such prior consent would change many individuals’ views of at least some of HP’s actions.

Demanding such a waiver is not far removed from reality because of growing concern among firms about leaks of confidential or embarrassing information and the growing ease of publishing such things through blogging, media leaks, etc. And, as discussed in a prior post by Dan Solove, this is not the first time we have seen firms go to great lengths to identify the source of comments on the inner workings of the business.

In addition, in terms of existing doctrine, consent is a seemingly intractable problem for those seeking greater privacy protections for employees. Employee consent to monitoring eats away at privacy on the front end by eviscerating the “reasonableness” of their expectation of privacy; to the extent some privacy interest nevertheless remains, consent privileges the intrusion on the back end. Since the vast majority of employers now have some combination of surveillance/monitoring policies and waivers, consent has become a nearly all-consuming black hole, at least with regard to employee communications while at work or on employer-owned communications devices.

By the way, according the New York Times, HP also spied on its employees electronically, including monitoring one employee’s instant messaging with the media. The employee, who turned out not to be the source of the leak, acknowledged that he knew HP monitored such communications and noted a later apology from company officials.

Is the director hypo more troubling than consent to monitoring in the employee context? At first blush, it seems less problematic. Directors are certainly in a better position than many employees when it comes to bargaining, and the spying policy I described is far more narrowly drawn than most employer monitoring polices.

It is true that most monitoring of employees occurs at the workplace or on employer-provided communications devices, while the monitoring in the hypo I posed is more sweeping. Yet maybe this “turf” distinction is too old-fashioned. The “workplace” may be just shorthand for describing various legitimate employer interests in monitoring. In the hypo, such an interest is definitional, and in the real world HP seemed to have legitimate business reasons for seeking to stop the leaks and find the leaker – distinguishing this from, say, a situation in which a firm seeks to find and punish a whistleblower. And one can foresee even more compelling reasons (preventing further leaks of highly sensitive information or the passing of valuable secrets to a competitor).

Perhaps, instead, surveillance of personal communications made from workplace or on employer equipment seems inherently less intrusive or offensive to our notions of the private than efforts to monitor personal calls and communications made elsewhere or on one’s own telephone or computer. But maybe that is just part of the expectations feedback loop to which consent contributes, and, if so, as directors or others start giving consent to be “spied on” elsewhere, it may one day seem no more problematic.

In the end, this is one area where my thinking tentatively confirms my original instincts: consent should not be dispositive in a society where it can be purchased or extracted, particularly given the potential externalities of cumulative consent. I am very interested in what others think.

You may also like...

7 Responses

  1. Ned Ulbricht says:

    What if members of HP’s Board of Directors had agreed in advance to be spied on?

    47 USC § 222(c)(2) (“Disclosure on request by customers”) provides:

    A telecommunications carrier shall disclose customer proprietary network information, upon affirmative written request by the customer, to any person designated by the customer.

    If the directors had designated HP to receive their detailed toll records, then the phone company would appear to have an obligation to provide access to those records.

    But, AT&T might not have an obligation to provide electronic access to designated agents through its normal customer interface. Thus, a designee who changed a customer’s login password (as HP agents / employees are accused of) might have exceeded authorized access to AT&T’s billing records system.

  2. olsen says:

    I read with interest your comments on HP. I know this seems elementary, but how does this spying differ from the president of the USA? What justifies spying (researching) a suspected leak? Will the case against CEO really go to court and why should we care?

  3. olsen says:

    I read with interest your comments on HP. I know this seems elementary, but how does this spying differ from the president of the USA? What justifies spying (researching) a suspected leak? Will the case against CEO really go to court and why should we care? By the way I am not a student of law, but I find the law really fascinating.

  4. Frank says:

    You’re raising some very big (and troubling) issues about the extent to which one can “contract around” extant laws. There are many “extreme contracts” out there–an i-book reader makes buyers promise not to read things aloud, a content seller may reserve the right to “phone home” its users behavior, etc.

    But I have one potential defense of the surveillance thing, from Elster’s Ulysses and the Sirens. Someone may want to “tie themselves to the mast”, like Ulysses did in passing the sirens, in order to assure they don’t behave badly.

    But I think this oft-overlooked policy concern is probably not enough to justify such “Contracting around” surveillance laws, especially given the asymmetries in bargaining power here. But to the extent such surveillance is appropriate, such contracts on the “high end” of the corporate ladder are perhaps more justifiable than those effectively “imposed” on the monitored workers (since the former have more bargaining power).

  5. Frank says:

    by the way, I really like the phrase “externalities of cumulative consent.” there’s a book by Timur Kuran on the “social consequences of preference falsification” (and preference cascades) that may be of interest.

  6. Tim Glynn says:

    Thanks all for your comments and questions.

    Ned: The provision you cite is helpful, as is your analysis of the ATT scenario. This statute is an example of how consent privileges the intrusion, and, of course, there are others in federal and state law. Again, I believe we ought to be very careful about which types of consent we credit.

    Olsen: You raise a number of good questions – ones that I cannot address fully here. There are important differences between the spying at issue in the HP context and spying and surveillance ordered by the President. One doctrinal distinction is that the United States Constitution constrains the conduct of the government and government actors (including the President) but not that of nongovernmental actors such as HP and its agents. Nevertheless, both raise significant privacy and autonomy concerns. Dan Solove and others have discussed various aspects of these issues at length on this blog, and, if you are interested in exploring these questions further, a good way to get started is to review one or more of the various “privacy” category archives located to the left. In terms of the criminal charges, there are a number of steps in the process before this matter might go to trial(during which the prosecutor would seek to prove the allegations in the indictment). We are a long way from knowing how all of this will play out, but I will be watching with interest.

    Frank: Yes, this is but one manifestation of the contracting around/extreme contracts problem, and, as you point out, these issues have become paramount in many areas. I also take your point on the “Ulysses” defense, although I agree with your suggestion that it often will fall short, not only because of bargaining asymmetries, but also because of cumulative effects and the availability of other, less problematic means of promoting desired behavior. And thanks for the really useful tip on Kuran’s book.

  7. robert schaefer says:

    Why should the board be treated any different than other employees? At what point would the board be assured that board members will still follow the rules when they aren’t being watched?What if board members, to be board members, needed to consent to blood tests, urine tests, lie detector tests, and examination of tax records? Cameras in the bedroom? Perhaps each board member could have his or her own personal “political” helpmate to follow and monitor on that board member and report?