In the world of social networking, users will commonly choose information-sharing over privacy — often without realizing that they are making such a choice. Facebook alone boasts 500 million active users with an average of 130 friends each, who share more than 30 billion “pieces of content” each month. Facebook, Press Room, http://www. facebook.com/press/info.php?statistics (last visited Feb. 22, 2011). Its founder, Marc Zuckerburg, has opined that “the age of privacy is over.” Bobbie Johnson, Privacy No Longer a Social Norm, says Facebook Founder, The Guardian, Jan. 11, 2010, available athttp://www.guardian.co.uk/ technology/2010/ jan/11/facebook-privacy. Users of social networks typically share personal information, pictures and videos via user-created profile pages, notes and private messaging services, inadvertently creating a depository of potentially valuable, discoverable evidence for litigants. This wealth of “pieces of content” has recently raised the issue of whether parties are entitled to discovery of an adversary’s social networking data, particularly when that data is designated to remain “private.”
Two recent decisions have begun to define the contours of social media discovery, with seemingly divergent results. In Romano v. Steelcase, Inc., the New York Supreme Court found that a plaintiff did not have a reasonable expectation of privacy in certain content on her accessrestricted Facebook and Myspace pages and ordered discovery. 907 N.Y.S.2d 650 (N.Y. Sup. Ct., Suffolk Co. 2010). Conversely, in Crispin v. Audigier, Inc., a federal court in California quashed defendant’s subpoenas to social network providers to the extent they requested private, access-restricted content, relying on the classification of the information under a federal statute. 717 F. Supp. 2d 965, 970 (C.D.Cal. 2010). These cases suggest both the limits of social media “privacy” and also the methods that may be used by parties to obtain social media discovery.
New York State Court: Romano v. Steelcase
The plaintiff in Romano brought suit against Steelcase for personal injuries and loss of enjoyment of life. Steelcase asserted that the public portions of the plaintiff’s Myspace and Facebook pages contained evidence of an active lifestyle, including travel “during the time period she claim[ed] that her injuries prohibited such activity.” Romano, 907 N.Y.S.2d at 653. After Romano refused Steelcase’s discovery requests for additional information from her social network accounts, Steelcase sought an order granting access to plaintiff’s “current and historical Facebook and Myspace pages and accounts, including all deleted pages and related information.” Id. at 651. Romano objected to the application on privacy grounds.
The Romano court’s ruling on the discoverability of plaintiff’s “private” social networking data turned on the presence of material she had placed on the public portions of those sites that contradicted her claims. The court explained that under CPLR 3101, which provides for “full disclosure of all nonprivileged matter which is material and necessary to the defense or prosecution of an action,” a plaintiff who “places [her] physical condition in controversy, may not shield from disclosure material which is necessary to the defense of the action.” Id. at 652; CPLR 1301. Thus, “in an action seeking damages for personal injuries, discovery is generally permitted with respect to materials that may be relevant both to the issue of damages and the extent of a plaintiff’s injury.” Romano, 907 N.Y.S.2d at 652.
The court found that the plaintiff’s public profile page contained information contrary to her claims and deposition testimony, in that it depicted her “smiling happily in a photograph outside the confines of her home despite her claim that she has sustained permanent injuries and is largely confined to her house and bed.” Id. at 654. Accordingly, the court granted Steelcase access to the private portions of Romano’s social networking site pages. Justice Arlen Spinner explained that because the public portions of those sites contained content material necessary to the litigation, there was a reasonable likelihood that the same would hold true as to the private portions.
The Romano court then turned to whether there is “a right to privacy regarding what one posts on their on-line social networking pages such as Facebook and Myspace” (Id. at 656) — an issue of first impression in New York. Because there was no New York case law directly on point, the court looked to other jurisdictions (including international) for guidance. Specifically, the Romano court relied on a personal injury case from the Colorado District Court in which the court granted a subpoena to obtain information from the public access areas of plaintiff’s social networking sites. Ledbetter v. Wal-Mart Stores, Inc., 2009 WL 1067018 (D. Colo. Apr. 21, 2009). Justice Spinner also looked to a Canadian case that reached the same conclusion, emphasizing that individuals should not be allowed to hide behind “self-set privacy controls” on a site designed to share information with others, as this would deprive the adverse party of information that could be necessary to ensuring a fair trial. Leduc v. Roman, No. 06-CV-3054666PD3,  O.J. No. 681 (O.S.C.J. Feb. 20, 2009). The Romano court found these cases instructive and adopted their reasoning. Romano, 907 N.Y.S.2d at 655. Justice Spinner held that to deny the defendant an opportunity to access the private pages “not only would go against the liberal discovery policies of New York favoring pre-trial disclosure, but would condone Plaintiff’s attempt to hide relevant information behind self-regulated privacy settings.” Id.
Justice Spinner concluded that the plaintiff in Romano had no reasonable expectation of privacy in accessrestricted areas of her social network pages, in part, due to the very nature of Facebook and Myspace, which exist so that users may share information about their personal lives. The court looked to case law addressing analogous facts in the electronic information context which had concluded that there was no reasonable expectation of privacy in sent email (United States v. Lifshitz, 369 F.3d 173 (2d Cir. 2009)), or in shared electronic posts (Beye v. Horizon Blue Cross Blue Shield of New Jersey, 2008 WL 3064757 (D.N.J. July 28, 2009)). The court also examined Myspace’s and Facebook’s privacy policies, which provide that, notwithstanding a user’s privacy settings, complete privacy is not guaranteed. Because the plaintiff knew that her private information might become publicly available, the court decided she could not claim she had a reasonable expectation of privacy. The court also cited commentaries regarding privacy and social networking sites, which explain that, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.” Romano, 907 N.Y.S.2d at 657.
Finally, the court found that the defendant’s need for access to the content on the social networking sites outweighed plaintiff’s privacy concerns. The court concluded that without access to this information, Steelcase would be “at a distinct disadvantage in defending this action.” Id. Accordingly, because Romano did not have a reasonable expectation of privacy in the material, and the social media content was material and relevant, the court granted Steelcase’s application.
It is important to note that New York courts have emphasized the need for a factual predicate with respect to the relevancy of the data on social media accounts and will not permit parties to conduct “a fishing expedition.” McCann v. Harleysville Insts. Co. of New York, 78 A.D.3d 1524, 1525 (4th Dep’t 2010). In McCann, issued a few months after Romano, the Fourth Department held that a litigant is not entitled to another party’s social network information without an adequate showing of relevancy, and found that defendant failed to make such a showing for discovery of plaintiff’s Facebook account. The court permitted defendant the opportunity to renew its request at a later date.
California Federal Court: Crispin v. Audigier, Inc.
In Crispin, the plaintiff brought a copyright infringement claim against defendant Audigier, alleging that Audigier violated the parties’ oral license agreement and sublicensed artwork to others without the plaintiff’s consent. The defendants served subpoenas on Facebook, Myspace, and webmail provider Media Temple, to obtain, among other things, Crispin’s subscriber information and all communications that referred or related to Audigier, including private social-networking messages. Audigier asserted that these communications were relevant in determining the nature and terms of the alleged agreement.
Crispin brought a motion to quash the subpoenas on the ground that they sought private electronic communications that internet service providers are prohibited from disclosing, pursuant to the Stored Communications Act of 1986 (“SCA”), 18 U.S.C. §2701 et seq.
The Crispin court first explained that the SCA created “a set of Fourth-Amendment-like privacy protections by statute, regulating the relationship between government investigators and service providers in possession of users’ private information.” Crispin, 717 F. Supp. 2d at 972. The SCA prohibits electronic communication services (ECS) and remote computing services (RCS) from voluntarily disclosing users’ private messages, such as electronic mail, to outside entities and individuals, absent a statutory exception. Id.
The Crispin court then evaluated whether a user’s private communications sent through and held by social networking sites are afforded protection from disclosure under the SCA, an issue of first impression. Judge Margaret M. Morrow reviewed provisions of the SCA that apply to “providers” of communication services and the information in their custody concerning individuals and companies. The SCA defines an ECS provider as “any service which provides to users thereof the ability to send or receive wire or electronic communications” and RCS is defined as “the provision to the public of computer storage or processing services by means of an electronic communications system.” The court reasoned that Facebook and Myspace are hybrid providers that allow several types of communications, with varying levels of privacy. Because these social network sites “provide private messaging or email services,” they were deemed to be qualified as ECS providers. Id. at 980. Thus, those features of the sites are protected under the SCA in the same manner as traditional web-based email providers.
Judge Morrow also found that Facebook and Myspace “wall postings” and comments also rendered these sites as RCS providers because their content is stored on the service providers’ website, and can be kept private by restricting them to a limited number of others. The court cited to a case from the Southern District of New York, Viacom International Inc. v. Youtube Inc., which found that because YouTube encouraged individuals to post videos to its site, yet also had restricted-access features limiting who can view the videos, it qualified as an RCS provider with respect to the restricted postings. 253 F.R.D. 256 (S.D.N.Y. 2008). The court analogized YouTube’s restricted-access features to the postings and comments on Facebook and Myspace that can be posted and marked by the poster as private. Judge Morrow concluded that because Facebook and Myspace provide private messaging or email services, as well as electronic storage, they qualified as both ECS and RCS providers.
The Crispin court quashed the subpoenas served on Facebook and Myspace to the extent they sought to compel disclosure of electronic messages, as well as Facebook wall and Myspace postings and comments, that had been marked as “private” by the plaintiff and that were not accessible to the general public. With respect to the portion of subpoenas that sought information from the plaintiff’s other Facebook wall and Myspace comments and wallpostings, Judge Morrow found that there was insufficient evidence to determine whether these wall postings and comments constituted private communications, as the user’s privacy settings for them were not clear. The court ordered further fact investigation to determine what privacy settings, if any, the plaintiff had employed.
Crispin and Romano provide important guidance to potential litigants seeking content from individuals’ private social networking accounts. Romano suggests that — notwithstanding privacy settings — litigants may be ordered to disclose information or communications on social networking sites that may be relevant and material to a litigation because such discovery fulfills the mandates of liberal civil discovery rules. On the other hand, the Crispin decision suggests that civil parties seeking communications directly from a social networking site via subpoena may be prevented from obtaining much of this information by virtue of the Stored Communications Act. Access to adversaries’ social networking pages and accounts will become increasingly important in personal injury, employment and fraud cases, where plaintiffs may post pictures and messages that contradict their claims. Arguably, the lesson from these cases for a party seeking discovery is to seek materials in the first instance from an adverse party, rather than a social networking provider. Moreover, it is prudent for potential litigants who can expect to receive discovery requests to exercise discretion in their communications on social networking sites even when “privacy” settings are utilized.