Through the Looking Glass: The Curious Interaction of Social Networks and Privacy Law

Sara J. Packman

Sara J. Packman is an attorney in Connecticut.  She practices in many areas, including privacy and free speech on the Internet.

The use of the Internet can feel like a natural replacement, or even extension, of pre-existing modes of communication.  But the Internet is indeed a new world, and the general principles that would apply to those pre-existing modes do not necessarily apply to the Internet.  Two recent cases, Romano v. Steelcase, Inc.,[1] and Crispin v. Christian Audigier Inc.,[2] illustrate how complicated the analysis can become.  Both cases are concerned with discovery, which is the process by which a party in litigation can require the opposing party to disclose information relevant to the case.  If the information is considered private, a party in litigation may not access that information. Generally, information that has already been disclosed to some third party is not considered private.[3]  This information may be obtained by serving a subpoena on whomever has possession of the information.  Subpoenas are a relatively simple means of discovering information; usually, a lawyer simply needs to fill out a form and give it to some disinterested party for service.

Romano v. Steelcase illustrates the application of the well established privacy principles mentioned above to Internet communication.  In that case, the plaintiff brought an action against a chair manufacturer, claiming she sustained injuries when she fell out of a defective chair.  The plaintiff claimed that these injuries had a severe impact on her quality of life.  Yet her public Facebook profile pictures displayed her smiling happily outside of her house, traveling, and socializing with friends.  The court ruled that these photographs were directly relevant to determining the nature and scope of her injuries and that if the photographs were excluded from discovery the defendant would be at a disadvantage.   This comports with basic privacy law, which generally states that information willfully exposed to third parties is not protected.  According to this decision, displaying information on your Facebook profile, even if it is limited to a few people, would allow an opposing party to access that information in discovery.

However, the federal legislature passed a suite of statutes that may circumvent traditional privacy law.  The Stored Communications Act of 1986,[4] also governs much of the activity on the Internet and significantly changes the analysis.  Congress created the Act in an attempt to protect the privacy of Internet users.   In 1986, in order to send a message via the Internet, the sender’s computer would first transmit the message to some other server owned by an Internet service provider such as America Online.  The message would then stay until the recipient downloaded the message to her local computer, at which point the message would typically be deleted from the server.  Lawmakers were concerned that this brief exposure to some unknown server would be considered exposure to third parties, and thus make it impossible to transmit private information through the Internet.

The Act mainly concerns itself with how a governmental entity can access data.  It broadly categorizes Internet activities into two services.  “Electronic communications services” (ECS) are those services which are primarily to send and receive communications.[5]  ECS providers are considered to store data only temporarily, and they are prohibited from disclosing this data while it is in temporary storage, subject only to a few exceptions.   The government may only access data held by an ECS provider with a warrant.[6]  Warrants are much more difficult to obtain than subpoenas, since they require law enforcement officials to state some valid reason for needing the data, which must be approved by a judge.  The second type of services are “remote communications services” (RCS) which provide storage and computing services on some remote computer.[7]  RCS can hold data for longer periods of time, and are generally prohibited from disclosure as well.  However, government entities may access the data with merely a subpoena or court order.[8]

The Act does not say whether a party in litigation which is not a governmental entity may obtain data held by and ECS or RCS through discovery.  Courts have generally interpreted this silence to mean that litigants cannot access information held by ECS or RCS providers through a simple subpoena.[9]  This is a departure from basic privacy law, which might have considered that information already disclosed to third parties, and therefore not private.  Finally, if the information is available to the general public then no subpoena or other process is required to obtain it.[10] 

The use of the Internet has changed dramatically since 1986 for many reasons.  Most notably, with the rise of webmail, cloud computing, and social networks, vast amounts of data are now stored on third party servers as a matter of course.  For instance, every picture, link, status update, and message shared on Facebook stays on Facebook’s servers indefinitely, whereas before such communication might have been deleted regularly from those servers and stored instead on an individual’s computer.  Some of this data clearly falls under the protections of the Act, but other data might not, even though it may seem to be private and secure. 

In contrast to Romano, the Stored Communications Act was the basis for the analysis in Crispin v. Audigier.  In that case, the plaintiff claimed the defendant used a logo that the plaintiff created in violation of a previous agreement.  The defendant served subpoenas on several social networking sites in order to gain information on whether and to what extent the plaintiff was licensing his logo to other organizations.  After a lengthy analysis, the Crispin court found that whether the information was disclosed depended on the plaintiff’s privacy settings on the various social media.  The defendant was certainly entitled to information that was available to the general public, but any information that the plaintiff limited to his friends could not be discovered pursuant to a subpoena under the Stored Communications Act.  The court reasoned that such information would be analogous to a private bulletin board service, which previous decisions had held were protected through the act.  However, according to traditional privacy law, the information would not have been considered private since it had already been exposed to some third parties.

The comparison between these two cases and the outdated Stored Communications Act demonstrates the confused status of privacy law surrounding social networks.  Without a set of clear principles, it can be difficult to know what is and is not subject to disclosure through discovery.  All people, including clients and lawyers should use caution when posting information on a social network because without clear guidelines, the legal and social ramifications of distributing this information online are difficult to foresee.

[1] 2010 NY Slip Op 32645  (NY Supreme Court 2010, Spinner, J.)

[2] 2010 WL 2293238, at *3 (C.D.Cal. May 26, 2010, Morrow, J.)

[3] See, e.g., U.S. v. Miller, 425 US 435 (1976).

[4] 18 U.S.C. § 2701 et seq.

[5] 18 U.S.C. § 2510(15).

[6] 18 U.S.C. § 2703.

[7] See, 18 U.S.C. § 2711.

[8] 18 U.S.C. § 2703.

[9] William Jeremy Robison, Note, Free at What Cost? Cloud Computing Privacy Under the Stored Communications Act.  98 Geo. L. J. 1196, 1208-09 (2010).

[10] 18 U.S.C. § 2511.


Premium Content for:

Join Now

Already a member? Log In


Add a committee to your existing ABA Young Lawyers Division membership for free and enhance your career. The Division has 31 committees dedicated to substantive practice areas and special interests.