publications full of ideas
The Suspicious Husband, His Wife, and Cloud Computing: The Sixth Circuit Applies the Wiretap Statute To Monitoring Software


Hollywood has traditionally shown suspicious spouses relying on the same Victorian sleuthing techniques as Sherlock Holmes: a search for an errant strand of exotic hair, the stray lipstick mark or the lingering whiff of a strange perfume. However, suspicious spouses are increasingly tech-savvy. Their activities are creating new law with implications far from the family law arena.

Notably, the recent Sixth Circuit decision in Luis v. Zang held that a software company whose monitoring tools were allegedly used by a suspicious spouse is potentially liable under federal and state wiretap laws. The twist: liability hinged on the fact that the company hosted intercepted communications on its own servers. If this reasoning gains traction, employers monitoring employee computers will have to carefully evaluate both their technical and legal frameworks. More broadly, companies using cloud computing will have to vet their operations for potential legal, regulatory and compliance risks.

The defendant software maker in Zang produces WebWatcher, a web monitoring software package. Joseph Zang installed WebWatcher on his family computer after he became suspicious of his wife's relationship with another man. WebWatcher allegedly captured communications between the wife and the other man, Javier Luis. Copies were then routed to the software company's servers for subsequent retrieval by Mr. Zang.

Mr. Luis sued both Mr. Zang and the software company after Mr. Zang used the communications "as a battering ram" during divorce proceedings. (He apparently never met Mrs. Zang in real life.) Mr. Luis argued that WebWatcher was used to intercept his communications in violation of wiretap statutes, and that the software maker marketed the product to encourage illegal use.

The Sixth Circuit held that Mr. Luis had sufficiently alleged illegal interception. This determination hinged on a key allegation: that the communications were routed to the software maker's servers as they were written. Moreover, since WebWatcher captured all activity - including drafts that were neither saved nor sent - this translated into "near real-time monitoring." The opinion strongly suggests, however, that had WebWatcher captured and retained the activity records on the Zangs' own computer, it would not have violated wiretap laws.

The implications are significant. Many employers routinely monitor their employees' computers during the work day. Indeed, in some heavily regulated industries, such as health care or finance, compliance requirements may mandate monitoring. While employees expect and explicitly assent to such monitoring, the recipients of their communications do not. Zang may encourage legal challenges from such non-consenting persons. Such challenges would be particularly likely if the communications are routed to, or vetted via, the employer's servers.

An even more extreme example, though one that is common in the American workplace, is a Bring-Your-Own-Device (BYOD) program. Employers increasingly permit employees to use their personal equipment, such as iPhones, tablets and laptop computers, to access work files. But this access often requires the installation of mobile device management software that may enable the employer to monitor personal communications from the device.

An illustration highlights the potential implications of the Zang decision. Consider a bank employee on a family vacation. The bank asks her to review a draft commitment letter. Rather than disrupt the family and interrupt her vacation to return to her office, she accepts her uncle's offer to use his laptop to log in remotely. Remote access to the bank's IT systems requires the installation of special software. She installs it. She approves the letter. She returns to her vacation.

But unless she was careful to delete the software, it remains on the uncle's machine. This potentially enables the bank to monitor the uncle's future activity. The uncle, of course, never expressly or knowingly consented to such monitoring. (Arguably, permitting his niece to use the laptop implied consent, but even then the scope and duration of the consent could be disputed.) This scenario may appear to be a stretch. But then so do the facts and legal arguments in Zang.

Ultimately, the issue highlights a fundamental tension in modern business practice: flexibility versus control. The cloud computing genie is out of the bottle. It offers many advantages: flexibility, scalability, collaboration, and economy. But it does so at the cost of control of data: processing generally takes place off-site, perhaps even in a different country (a point that brings its ownissues). Conversely, in pre-Internet telecommunications, data transmission was largely a matter of connecting two parties directly and in real-time, and any undisclosed third-party access to the transmitted data would be rightly seen as wiretapping. But just as Victorian-era sleuthing techniques are now viewed as somewhat quaint, 20th century wiretapping laws and concepts seem potentially outmoded by (or, at the very least, ill-suited to) a world where cloud-based computing has increasingly become the norm. Until the law catches up with technology, however, the legal implications will remain anything but elementary, dear reader.

related information

follow us on twitter