The U.S. Justice Department announced last week that they were dropping their court action in which they sought to compel Apple to create a backdoor to override their existing iPhone passcode protection software.
If you followed this story, you know that a public and controversial battle ensued between the Justice Department and Apple over access to the iPhone used by Syed Farook, one of the perpetrators of the San Bernardino terrorist attack.
The FBI recovered Mr. Farook’s phone but was prompted for a four-digit passcode when they attempted to access it. The phone’s auto-wipe feature was programmed to erase all the phone’s data after 10 failed passcode attempts. The FBI asked Apple for help in disabling the auto-wipe feature by writing code to bypass this feature. Apple refused, saying they did not wish to set a dangerous precedent or compromise their efforts to keep their customers’ data secure. The FBI ultimately unlocked the phone with the help of an unknown third-party, but not before a very public showdown with Apple.
The encrypted phone at issue was Mr. Farook’s work phone and, in fact, the property of his employer, San Bernardino County. The employer didn’t have the phone’s passcode (if they had, this case may have resolved itself simply and quietly) or the password for the iCloud account associated with the phone. The employer reset the iCloud password, but unfortunately for the FBI the data captured there was incomplete.
Privacy Rights and Work Devices
The public debate surrounding this case brings to light a myriad of privacy-related issues including the question of employee privacy rights as device users, and how far they extend.
The amount of personal data stored on people’s devices – both work and personal devices – is exploding as people use them in ever-increasing ways. As Time Magazine put it: “Device by device, service by service, we have built over the past decade a world in which an amazing amount of what we do is recorded by our personal devices: our social lives, our health, our money, what we watch, who we talk to, where we go, what we look at.”
Moreover, the line between what is a work device and a personal device is increasingly blurring.
Privacy legislation in Canada aims to balance an organization’s need to know with an individual’s right to privacy. The Personal Information Protection and Electronic Documents Act applies to employee information in federal works, undertakings or businesses. Quebec, British Columbia and Alberta have similar legislation applying to employee information.
The common law in Canada also recognizes a right to personal privacy, more specifically enforced as a “tort of intrusion upon seclusion” (Jones v. Tsige, 2012 ONCA 32).
Workplace policies and practices can reduce an individual’s expectation of privacy in a work computer based on comments made by the Supreme Court of Canada in R. v. Cole, 2012 SCC 53,  3 S.C.R. 34. This decision dealt with law enforcement reviewing the contents of an accused’s work computer without a warrant. The Court also recognized, however, that computers that are reasonably used for personal purposes, whether found in the workplace or the home, contain information that is meaningful and intimate to the user and thus may involve a reasonable expectation of privacy.
The takeaway flowing from Canadian privacy legislation and the Jones v. Tsige and Cole decisions is that employers should only access personal data on work devices where the employer does so for legitimate reasons, such as addressing safety or performance issues or investigating complaints or incidents of prohibited or illegal conduct in the workplace. It is strongly recommended that employers obtain legal advice before accessing personal data on an employee’s work device.
First, employers need to be explicit, in writing, with their employees as to their expectations with respect to the use of employer-owned devices, and the employer’s right of access (i.e. that there is no reasonable expectation of privacy in such devices).
Second, employers may wish to consider implementing a policy requiring employees to routinely provide passcodes for employer-owned devices.
Third, employers should require employees to sign a written statement acknowledging and agreeing to these policies.
Finally, employers should develop a plan for how they will respond to a government-initiated request for cooperation, similar to the one received by Apple, and implement a policy that supports this plan.