Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Wednesday, September 29, 2010

Conflicting rulings leave open debate on privacy protections for social network data

In June, we noted with interest a California federal district court ruling in Crispin v. Christian Audigier that provided an interpretation of the status of social networking sites under the Stored Communications Act (18 U.S.C. §121) that found that Facebook, MySpace, and other services should be considered "electronic communications services" under the definition in the SCA, and used that determination to quash several subpoenas issued in a copyright infringement case that sought the disclosure of private messages, user posts, and other information communicated by a user of the sites. As electronic communication services, social network operators are prohibited under the SCA from disclosing "to any person or entity the contents of a communication while in electronic storage by that service" (18 U.S.C. §2702(a)(1)). Where the SCA provides several legal avenues by which government entities can request the disclosure of such information, parties to civil suits such as the one in this case have no such standing, and the subpoenas issued in this civil matter therefore did not provide a means to overcome the statutory restricts on disclosure.

In marked contrast to the district court ruling, the New York Supreme Court last week issued a ruling that ordered an individual's Facebook and MySpace postings to be provided as discovery in a civil lawsuit. The judge in this case, Romano v. Steelcase, did not consider the constraints imposed by the SCA at all, despite the statute being cited as justification for refusing disclosure. Instead, the majority of the legal reasoning in the ruling addresses the scope of permissible discovery under New York State law and the extent to which the social network site user has a reasonable expectation of privacy with respect to content posted to their profile pages. The judge's determination that the user does not have such an expectation of privacy was the result of applying prevailing Fourth Amendment doctrine, despite the fact that party seeking the disclosure is not a government entity, but a corporation. The New York court also apparently chose not to take into account the privacy settings Romano had in place for her accounts, possibly because those settings already permitted some potentially relevant information to be publicly accessible.

Courts trying to apply the provisions of the SCA, which was enacted in 1986 as part of the Electronic Communications Privacy Act (ECPA) and modified in 1994 through the Communications Assistance for Law Enforcement Act (CALEA), often seem challenged to fit the law to suit issues arising with more modern technologies and services. For its interpretation of SCA, the court in the Crispin case relied not only on precedents from judicial rulings (including the Ninth Circuit opinion in Quon v. Arch Wireless) but also on books and relevant law journal articles from professors with expertise in this area of the law. In its analysis of the applicability of the SCA, the district court considered both private messages send through the social networking sites and posts on user pages (like a user's Facebook wall), analogizing the former to web-based email and the latter to non-public electronic bulletin boards, and thus managed to tie contemporary Internet services to logical technical equivalents that were in use at the time the law was passed. That potential sign of progress notwithstanding, the order in the Romano case prompted a Wall Street Journal Online blog post that offered a cautionary note to New York residents not to assume that anything they post to social networking sites is protected from discovery.

No comments:

Post a Comment