Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Bylined Articles

Is 'Private' Data on Social Networks Discoverable?

By Alan Klein, John M. Lyons and Andrew R. Sperl
August 23, 2010
The National Law Journal

Is 'Private' Data on Social Networks Discoverable?

By Alan Klein, John M. Lyons and Andrew R. Sperl
August 23, 2010
The National Law Journal

Read below

Alan Klein and John LyonsOn May 26, a federal court issued an opinion in a discovery dispute that applies outmoded federal electronic privacy laws from the 1980s to Facebook and MySpace. The ruling could permanently change the way "social networking" sites are viewed by businesses and those involved in litigation. The decision also appears to offer the first in-depth analysis on the effect of "privacy settings" found on many social networking sites and whether information is protected from discovery by federal privacy laws.

The U.S. district court's decision partially reversed and partially vacated a magistrate judge's order declining to quash subpoenas for certain materials held by a third party in a copyright infringement case. See Crispin v. Christian Audigier Inc., 2010 U.S. Dist. Lexis 52832 (C.D. Calif. May 26, 2010). The decision appears to be the first to apply the Stored Communications Act, enacted in 1986, to content on today's social networking sites. See 18 U.S.C. 2701-11. The plaintiff, an artist named Buckley Crispin, claimed that the defendants, Christian Audigier Inc. and its sublicensees, used his artwork in violation of their oral agreement. The defendants sought information from MySpace and Facebook, including Crispin's subscriber information and all communications by Crispin referring to any of the defendants. A federal magistrate declined to quash certain of the defendants' subpoenas, rejecting among other arguments that the information they sought was protected by the SCA.

The district court's decision offered answers to two key questions. First, the holding explains that the SCA's protections reach at least some of the content hosted on social networking sites and that such content will be precluded from discovery from those sites. Second, the decision suggests that privacy settings matter. The private messaging features of social networking sites were protected because the court considered them to be as private as e-mail. Moreover, the court found that the SCA's protections applied to wall postings and comments only to the extent that those communications were not available to the general public.

Applying 80s Law to Today's Sites

The Stored Communications Act was designed to protect the privacy of certain digital information. Although the district court in Crispin eventually concluded that some content on MySpace and Facebook is protected, the SCA does not easily apply to these new technologies. That is because the SCA "freez[es] into the law" the way that computers were used in 1986, in particular by extending its protections to two specific types of network service providers—electronic communication services and remote computing services. When the SCA was drafted, subscribers used third-party network services for two main purposes—sending communications, such as e-mail, and outsourcing resource-intensive computing tasks, such as storing large files or processing data. The two types of service providers targeted by the SCA corresponded to these two roles. See Orin S. Kerr, "A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It," 72 Geo. Wash. L. Rev. 1208 (2004).

The first hurdle in extending SCA protection to content on MySpace and Facebook was to decide whether those services were ECS or RCS providers. The district court found that both are ECS providers and noted that the magistrate judge's opposite conclusion was based upon an incorrect understanding that the sites did not provide mechanisms for private communication—a caution to practitioners to fully understand how these new media operate. The district court also analogized certain site features to older technology. In particular, Facebook wall postings and MySpace comments function similarly to private electronic-bulletin-board systems, which were familiar when the SCA was passed.

However, the district court was not only required to find that the websites were covered providers, but also that the content in question constituted "electronic storage" under the SCA. Under the SCA, an ECS provider holds information in electronic storage if it is being held pending delivery or temporarily as a backup (e.g., an e-mail awaiting download by the recipient). Maintenance of longer-term backups is a function of RCS providers (e.g., an e-mail left on the server after the recipient has downloaded it). See Kerr, supra.

Messages Found to Be Protected

The district court ultimately found that both private messages as well as comments visible to a restricted set of Facebook or MySpace users (e.g., Facebook wall postings) were held in "electronic storage," but its analysis was complicated by novel features of these technologies. Instead of downloading messages to their own computers, users of private messaging on social networking sites compose and read messages on the provider's server without ever downloading them to their own computers. Relying on precedent discussing web-mail services, the court concluded that, with respect to private messages, social networking sites acted as ECS providers until the messages were viewed by the recipient, after which they acted as RCS providers. The court disallowed discovery of such private messaging content.

The court found the issue of whether Facebook wall postings and MySpace comments were electronic storage to be "more difficult," because wall postings and comments did not fit neatly into the definition of either intermediate or backup storage. The court decided to protect Facebook wall postings and MySpace comments. However, the court hedged its reasoning, preferring to treat wall postings and comments as communications facilitated by the sites as ECS providers, but alternatively holding that the sites were RCS providers offering storage for the messages, similar to videos stored on YouTube.

The decision leaves a number of questions unanswered. First, does the SCA protect forms of content that are radically different from anything that existed in 1986? What makes sites like MySpace and Facebook unique is not that they provide users with another mechanism to send e-mail but rather that they facilitate linkages between people. These linkages generate new types of content. For instance, Facebook users can post status updates with up-to-the minute information about what they are doing. Some of the most important forms of content on Facebook, like a user's list of "friends" and his or her history of activity on the site, have no clear analog in the pre-social networking era.

The decision does not address how restricted access to content must be in order for that content to be considered private. Is content private if one must be a site subscriber to access it, or must access be limited to a user's "friends," which on Facebook may number in the thousands? Finally, it does not address the interaction between a provider's policies and an individual's privacy choices. What if a user is unaware of these distinctions? May a user avoid discovery simply by modifying his or her settings at the time of trial? Courts will have to decide how to apply the SCA's dated technological model to these issues.

Alan Klein, a partner in the Philadelphia office of Duane Morris, concentrates on litigation and handles a wide variety of cases with a focus on products liability and toxic torts. John M. Lyons, an associate in that office, practices in the area of litigation, with a focus on products liability, toxic torts and commercial litigation. Andrew R. Sperl, a summer associate at the firm, is a member of the class of 2011 at New York University School of Law.

Reprinted with permission from The National Law Journal, © ALM Media Properties LLC. All rights reserved.