Consent, Contracts, Privacy Rights in the Information Economy
Professional investigators should read cyber terms of service.
Technology contracts like terms of service (ToS) and end user license agreements (EULAs) are having a growing impact on the execution and outcome of investigations . . . internal investigations,
private investigations, forensics examinations, law enforcement investigations, intellectual property investigations, cyber-theft investigations and many more.
Increasingly, social, business, academic and entertainment interaction occurs inside virtual environments. These environments saturate modern life: web pages, video games, online schools, social networks, digital media (books, music, movies) smartphone apps and corporate computer networks.
As users enter these environments, they are commonly required to agree to legal terms of use and access. These agreements can govern official investigations that may come later. These agreements can (and increasingly do) contain statements that users consent to official audits and probes and consent to limits on their privacy.
University Network Terms Applicable to Student
For example, when a freshman student at the University of Wisconsin attached his PC to the university's network, he agreed to terms of service, which included an acknowledgment that the university could execute IT security measures. Later, when a university system administrator suspected that the student's PC was involved in an ongoing, dangerous hacking incident on the network, the administrator hacked remotely into the student's PC.
While searching inside the PC, the administrator found evidence that incriminated the student in illegal hacking outside the university's network. The university gave this evidence to government prosecutors, who attempted to use the evidence in a criminal trial against the student. The student objected, on the grounds that the university had violated his privacy. The court disagreed with the student. The court said the student's privacy had not been violated because he consented – by virtue of the security clause in the network terms of service – to the search by the system administrator. US v. Heckenkamp
Social Network's Terms Authorizing Investigation
Here are example terms of service authorizing investigations, published by Zenbe, a social networking service for sharing information among friends:
Zenbe reserves the right to access, read, archive, monitor, and disclose any information it reasonably believes is necessary to: 1. enforce this Agreement, including investigation of potential violations hereof. 2. protect the rights, property or safety of Zenbe, its users and the public. 3. satisfy any applicable law, regulation, legal process or governmental request. 4. detect, prevent, or address fraud, security or technical issues, including the filtering of spam.
Terms like these can be relevant to monitoring users in online communities and business transactions.
Terms for Investigationg Abuse of Online Games and Credits
Entrepreneurs are inventing new ways to transact business online. They are devising myriad electronic credits, coupons, vouchers, discount codes, trading cards, play money, online property, virtual game pieces and more. As they distribute these virtual goods and assets to users, their power to investigate their users is critical to nixing abuse, foiling hacks, thwarting counterfeits and maintaining the quality of their product or service. Investigations are a growing component of the information economy.
A substantial method for entrepreneurs to police their products and services is to require users to click on terms of use that include power on the part of the entrepreneurs to investigate their users.
Terms for Internal Investigations
Some investigations are internal to an enterprise, as is the case with a human resources (HR) investigation. The scope of an internal investigation can depend on contract terms or written employment policies. For example, in Ontario v Quon, a police officer said his boss violated his privacy when the boss reviewed text messages the officer sent from his employer-issued pager. In other words, he argued that his government employer violated his Fourth Amendment right to be free from unreasonable search. However, the US Supreme Court held the employer did not violate privacy, in part because the officer had previously known by virtue of department policy that management could review (investigate) the content of messages exchanged through the department's equipment.
An employer or other organization that creates an electronic space is remiss if it lacks terms of use that include rights for official investigation. Although those rights may exist without explicit statement in an agreement, the user's assent to them erodes her ability to object to an investigation when it happens.
Terms of Service Applicable to Professional Investigators
To be sure, terms in an agreement cannot legitimize an irresponsible investigation. But terms can help clarify that the user was warned he could be scrutinized, records could be captured and evidence could be used against him. They can clarify that as a condition to his treatment as an authorized user, he consents to monitoring and evaluation.
A professional investigator should take note when the subject of investigation has agreed to no relevant terms or agreement. The lack of agreed terms can constrain the investigation.
Conversely the investigator should note whether multiple, overlapping terms of investigation apply simultaneously to a person under investigation. For instance, suppose an investigator is engaged by the operator of a game app that works inside Facebook, and the investigator is examining whether Jane is abusing the game. The game terms that Jane agreed to when she started the game may support the investigation. The investigator may gather relevant evidence from game app’s network.
In addition, the terms of Facebook may support the investigation. The investigator may be able to get help from Facebook. Facebook, based on its terms of service, may be willing to cooperate with the investigation and turn over its own records about Jane.
–Benjamin Wright
Mr. Wright teaches e-Investigations Law at the SANS Institute.
Related: EDiscovery and Investigations on Facebook.