Ninth Circuit Mostly Eliminates Private-Sector Workplace Privacy Rights in Computers:
This is a very long blog post in response to a troubling new Fourth Amendment decision handed down by the Ninth Circuit yesterday, United States v. Ziegler. It's a long post because the issues are both very important and very complicated, and the only way to show the problems with the decision is to do it in a fairly detailed way. I think the post is worth the payoff; the stakes of the case are potentially enormous, so the court's wrong turn is worth explaining in depth.

  First, some background. One of the tricky aspects of Fourth Amendment law is the distinction between the Fourth Amendment protection of government employees and private sector employees. The basic rule for the private sector is that employees have privacy rights at work unless their work space is completely open to the public, with the caveat that their employer can consent to a search of spaces that are not open to the public.

  The rules for government employment are totally different, thanks to the Supreme Court's somewhat odd decision in O'Connor v. Ortega. In that case, the Supreme Court created a sui generis, split-the-baby-in-half regime for government employee Fourth Amendment rights (announced in a plurality opinion by, you guessed it, Justice O'Connor). Under the O'Connor framework for government employee privacy, Fourth Amendment protections in the government workplace hinge on whether the workspace is shared with other employees, or whether the employer has enacted legitimate workplace policies that define privacy rights. The result is that government employees have much less Fourth Amendment protection than private sector employees, with the caveat that government employers cannot consent to a search while private sector employers can. (For more on this, and all the relevant case citations, see the chapter on it in the Justice Department manual on Searching and Seizing Computers that I wrote in '99-'01.)

  With that background in mind, it's a little painful to read yesterday's opinion by the Ninth Circuit in United States v. Ziegler. Ziegler was an employee of a company called Frontline Processing, described in the opinion as "a company that services Internet merchants by processing on-line electronic payments" in Bozeman, Montana. Ziegler downloaded some child pornography to his computer at work, and his employer, in an effort to help out the FBI, went into Ziegler's office and copied his computer to give to the FBI. The computer contained child pornography, leading to charrges. Ziegler then filed a motion to suppress, arguing that he had a reasonable expectation of privacy on his workplace computer that was violated by the government-directed search.

  The correct way to resolve this case would have been to say that of course Ziegler had a reasonable expectation of privacy in the contents of his private-sector office, see Mancusi v. DeForte, 392 U.S. 364 (1968), including the computer in his office. Then the court should have turned to whether the search was either a private search or else a reasonable warrantless search pursuant to the employer's valid third-party consent. Unfortunately, however, it seems that no one realized that private-sector Fourth Amendment privacy rights are so different from public-sector Fourth Amendment privacy rights. The defense attorney apparently didn't notice the difference, and it seems that the AUSA didn't either. (I couln't find the briefs on Westlaw, but the opinions summarize the parties' positions.) [UPDATE: I have now read the appellant's brief. It has all of five pages of analysis, and it didn't see the public/private distinction at all.] And the failure to understand this basic distinction in Fourth Amendment law then worked its way up the line, with apparently no one stepping back and noticing that you couldn't rely on the public sector Fourth Amendment cases to analyze whether a private-sector employee has a reasonbable expectation of privacy at work.

  The unfortunate result is an opinion that makes a quite clearly incorrect conclusion that private-sector employees do not have a reasonable expectation of privacy in the workplace computers in their offices when the employer has access rights to the machine. The Court based its holding primarily by analogy to United States v. Simons, a Fourth Circuit case imvolving a federal government agency search:
  In United States v. Simons, the case upon which the district court relied, the Fourth Circuit reasoned that an employer's Internet-usage policy—which required that employees use the Internet only for official business and informed employees that the employer would "conduct electronic audits to ensure compliance," including the use of a firewall— defeated any expectation of privacy in "the record or fruits of [one's] Internet use." 206 F.3d at 395, 398. A supervisor had reviewed "hits" originating from Simons's computer via the firewall, had viewed one of the websites listed, and copied all of the files from the hard drive. Id. at 396. Despite that the computer was located in Simons's office, the court held that the "policy placed employees on notice that they could not reasonably expect that their Internet activity would be private." Id. at 398.
  As the government suggests, similar circumstances inform our decision in this case. Though each Frontline computer required its employee to use an individual log-in, Schneider and other IT-department employees "had complete administrative access to anybody's machine." As noted, the company had also installed a firewall, which, according to Schneider, is "a program that monitors Internet traffic . . . from within the organization to make sure nobody is visiting any sites that might be unprofessional." Monitoring was therefore routine, and the IT department reviewed the log created by the firewall "[o]n a regular basis," sometimes daily if Internet traffic was high enough to warrant it. Upon their hiring, Frontline employees were apprised of the company's monitoring efforts through training and an employment manual, and they were told that the computers were company-owned and not to be used for activities of a personal nature. Ziegler, who has the burden of establishing a reasonable expectation of privacy, presented no evidence in contradiction of any of these practices. Like Simons, he "does not assert that he was unaware of, or that he had not consented to, the Internet [and computer] policy." Simons, 206 F.3d at 398 n.8.
  There are a bunch of problems in this section. To begin with, this is a very unpersuasive reading of Simons. The court conveniently doesn't mention this, but in Simons the Fourth Circuit held that the employee did have a reasonable expectation of privacy that was violated by physical entry to the office to get the physical machine. The court only permitted the search of the computer after holding that it was a reasonable search under the "special needs" exception as adopted by O'Connor v. Ortega. The part mentioned above was only about remote monitoring that preceded the physical entry. Here's what the Simons court said about the phsyical entry to Simons' office:
Here, Simons has shown that he had an office that he did not share. As noted above, the operational realities of Simons' workplace may have diminished his legitimate privacy expectations. However, there is no evidence in the record of any workplace practices, procedures, or regulations that had such an effect. [FN: The Internet policy did not render Simons' expectation of privacy in his office unreasonable. * * * ] We therefore conclude that, on this record, Simons possessed a legitimate expectation of privacy in his office.
Simons, 206 F.3d at 399.

  The Ziegler court seems to say in a footnote that this case is different because it involved a computer. In footnote 9, the court suggests that entering the office to search a computer is a search of the computer but not a search of the office. ("Although an employee may have a legitimate expectation of privacy in his office, here the Frontline employees did not actually search Ziegler's office.") This makes no sense, as everything in an office is an item separate from the office; if this rationale were valid, then you could never search an office, just stuff in an office.

  But I digress, so let me get back to the really important stuff. The Ziegler court seems unconcerned that Simons was a government search decided under O'Connor v. Ortega, rather than a private sector search that should be analyzed under Mancusi v. DeForte. So the Court makes its (unpersuasive) analogy to a decision that rested on the framework of government employee rights, apparently applying the low-protection government framework to what used to be the higher-protection private-sector framework. The end-result: the relatively high level of protection that private sector employees have in their computer hard drives are dropped to the low level of protection that government employees have. Not good.

  There is one paragraph in the Zeigler opinion that at least suggests an awareness that there might be some difference between public and private employee Fourth Amendment rights. Here it is:
  Other courts have scrutinized searches of workplace computers in both the public and private context, and they have consistently held that an employer's policy of routine monitoring is among the factors that may preclude an objectively reasonable expectation of privacy. See Biby v. Bd. of Regents, 419 F.3d 845, 850-51 (8th Cir. 2005) (holding that no reasonable expectation of privacy existed where a policy reserved the employer's right to search an employee's computer for a legitimate reason); United States v. Thorn, 375 F.3d 679, 683 (8th Cir. 2004), cert. granted and judgment vacated on other grounds by 543 U.S. 1112 (2005) (holding that a public agency's computer-use policy, which prohibited accessing sexual images, expressly denied employees any personal privacy rights in the use of the computer systems, and provided the employer the right to access any computer in order to audit its use, precluded any reasonable expectation of privacy); United States v. Angevine, 281 F.3d 1130, 1133-35 (10th Cir. 2002) (holding that the employer's computer-use policy, which included monitoring and claimed a right of access to equipment, and the employer's ownership of the computers defeated any reasonable expectation of privacy); Muick v. Glenayre Electronics, 280 F.3d 741, 743 (7th Cir. 2002) ("Glenayre had announced that it could inspect the laptops that it furnished for the use of its employees, and this destroyed any reasonable expectation of privacy . . . ."); Wasson v. Sonoma County Jr. Coll. Dist., 4 F. Supp. 2d 893, 905-06 (N.D. Cal. 1997) (holding that a policy giving the employer "the right to access all information stored on [the employer's] computers" defeated an expectation of privacy).
  Notably, however, almost all of the cases in this strong cite are public sector cases, not private sector cases. The one private sector case on the list is Judge Posner's opinion in Muick v. Glenayre Electronics. But Muick is a bit of an analytical disaster. Here is an excerpt from a case summary I wrote on the case soon after it came out:
With all due repect to Judge Posner, his breezy opinion largely ignores the applicable law on several fronts, and although he reaches the right result, he does so for the wrong reasons. First, Posner gets the agency inquiry pretty clearly wrong. The FBI's request for the store to hold the computer on its behalf almost certainly makes the store a state actor for 4th Amendment purposes: the fact that the employer was acting "selfishly" doesn't mean it wasn't acting at the FBI's behest.

Second, Posner ignores the fact that all of the cases he relies on for his third rationale are government employment cases, and that the store was not a government employer. The Supreme Court in O'Connor v. Ortega created a special 4th Amendment standard for the government workplace, and under that standard notice alone can eliminate a "reasonable expectation of privacy." However, these cases aren't applicable to private employers such as the store, so notice alone should not be enough to eliminate privacy rights there.

* * * [T]he court should have stopped after the first rationale and not offered confusing and misleading alternative holdings on the Fourth Amendment when it didn't need to do so to resolve the case.
  Finally, just to add to the confusion here, the Ziegler court has a long discussion analyzing and ultimately endorsing a California appellate court decision, TBG Ins. Services Corp. v. Superior Court, 117 Cal. Rptr.2d 155, 96 Cal.App. 4th 443 (Cal. Ct. App.2002), which had a long involved discussion of expectations of privacy and social norms in computers. But the Ziegler opinion once again seems not to notice a doctrinal category error: the TBG Ins. Services Corp. case is not a Fourth Amendment opinion. Rather, it is a decision under Article I, section I, of the California Constitution, which provides: "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." It turns out that the California courts use the "reasonable expectation of privacy" framework in that context, too, but it seems to have a different meaning than the same phrase has in the Fourth Amendment context. (This is not uncommon, actually. The phrase "reasonable expectation of privacy" is used in the context of privacy torts, as well as in the legal ethics area in the context of attorney-client privilege, and it has a different meaning in each context. As a result, you can't lift the interpretation of "reasonable expectation of priuvacy" from one context and use it in another context.)

  Okay, so by now you're wondering, what difference does it make? If you analyze this case under the private-sector framework, you still will reach the same result because the employer had "common authority" to search the computer, right? Off the top of my head, yes, I think that's right. But the framework announced in Ziegler will still make an enormous difference in lots of other cases. Under the Fourth Amendment, private-sector employees have traditionally enjoyed Fourth Amendment protection in the contents of their offices, including in their office computers. The police can't just barge in to your office and rifle through your desktop computer. Instead, the police need either to get a warrant or to go your employer and ask for the employer's permission to conduct the search. But if private-sector employees have no reasonable expectation of privacy in the hard drives of their office computers, it means that the police don't need to get the boss's permission first. The police can pick an office known to have a computer access policy and simply barge in and grab any computers they want. And they can do this even over the objection of all the employees and the boss. The boss might have a civil claim against the government, but the employee won't have any rights at all; under the Ziegler opinion, the employee has no reasonable expectation of privacy in the contents of his computer.

  The Supreme Court created a special framework for public-sector searches because in that context there's no Fourth Amendment difference between the boss and the police: they're all "the government" for Fourth Amendment purposes. But I think it's important not to let that different framework created for the specific needs of public-sector workplaces bleed over into the private sector. As tricky as these doctrinal distinctions are (and they really are pretty tricky, I think), a great deal of privacy protection hinges on keeping them straight.