Social Networking Websites - Just How Private Are they?
By: Audrey Millemann and Etan Zaitsu
The federal Stored Communications Act (SCA) of 1986 was established in an attempt to give Fourth Amendment-type privacy protections to people for their Internet communications. In other words, Congress sought to protect people’s Internet privacy from warrantless intrusion.
As some legal scholars have noted, however, the SCA has not been amended to keep up with the changing dynamics of the Internet. See, e.g., William Jeremy Robison, Free at What Cost? Cloud Computing Privacy Under the Stored Communications Act, 98 GEO. L.J. 1195, 1196 (2010). For example, one development that has raised concerns about the protections afforded by the SCA is the rise of social networking sites like Facebook. It is questionable whether and to what extent the SCA protects the privacy of users of social networking sites.
One court has addressed at least one aspect of the privacy concerns related to social networking sites. According to the district court for the Central District of California in Crispin v. Christian Audigier, Inc., 2010 U.S. Dist. LEXIS 52832 (C.D. Cal. May 26, 2010), the SCA does protect the private communications of users of social networking sites against warrantless disclosure.
The section of the SCA relevant to the protection of Internet communications is 18 U.S.C. § 2702(a)(1). This section prevents providers of electronic communications service (ECS) from knowingly divulging the contents of communications while in electronic storage in that system. The question for the Crispin court was whether Facebook is an ECS.
Under the SCA, an ECS provider is "any service which provides to users thereof the ability to send or receive wire or electronic communications." Facebook would seem to qualify as an ECS provider because communicating electronically is a major feature of Facebook. However, courts have interpreted the SCA’s definition of an ECS provider to be limited to entities that provide e-mail services to the public at large, and in particular, to Internet service providers (ISPs) that provide customers with Internet access. Andersen Consulting LLP v. UOP, 991 F.Supp. 1041, 1042-43 (N.D. III. 1998). See also Crowley v. Cybersource Corp., 166 F.Supp.2d 1263,1270 (N.D. Cal. 2001) (agreeing with Andersen Consulting and holding that Amazon.com, an online merchant, was not an ECS provider because it did not independently provide Internet services, even though it received emails from customers), and In re Doubleclick Inc., 154 F.Supp.2d 497, 508-9 (S.D. N.Y. 2001) (held, ECS provider refers to ISPs such as American Online, UUNET, and Juno).
The Crispin court clarified that an ECS provider includes social networking sites. Thus, under the ruling, Facebook, absent a warrant pursuant to criminal proceedings, cannot disclose the contents of a user’s private electronic communications. The court then had to decide what communications are “private” and what content is protected.
According to the court, determining whether a communication is private requires a traditional Fourth Amendment privacy analysis—whether a person has an expectation of privacy. Thus, messages posted on a person’s wall page that are made public under certain Facebook settings would likely not be considered private because there is no expectation of privacy over content that is made public. On the other hand, an individually sent message to one person, not made public on that person’s wall, would probably be considered private. It is unclear, however, whether wall posts that can be viewed by more than one person, such as a select group, but are not public, would be considered private or public.
With respect to what content is protected under the SCA, the court explained that “content” is defined as "any information concerning the substance, purport, or meaning of that communication." See 18 U.S.C. § 2510(8). In other words, the message that makes up the communication is considered “content.” A message includes text a person writes, an attachment, a video, a photo, etc.
According to the SCA and other case law, however, “content,” does not include information that identifies an account holder. The SCA, under 18 USC § 2702(c), specifically allows for “disclosure of customer records to anyone other than a government entity.” Further, case law interpreting the SCA has defined the term “customer records” to include identifying information of an account user. For example, in Jessup-Morgan v. America Online, Inc., 20 F. Supp.2d 1105 (E.D. Mich. 1998),the plaintiff sued America Online, Inc. (AOL), claiming a violation of the SCA for revealing her identity to a private individual. In compliance with a civil subpoena, AOL had disclosed the identity of the plaintiff as the person who had posted a damaging message about another. The district court dismissed the plaintiff's claims against AOL, holding that AOL did not violate the SCA because the information revealed was not the "contents of a communication,” but instead “customer records” under section 2702(c).
Although Jessup-Morgan dealt with an account holder who used a false name to defame another, Facebook users may use pseudonyms or nicknames for lawful purposes. Given the ease with which Facebook users may find people, pseudonyms are fairly common.
Nothing in the SCA, however, limits disclosure of identifying information. While AOL, in the Jessup-Morgan case, disclosed information in response to a civil subpoena, nothing in the statute requires a subpoena for release of identifying information. Arguably then, a Facebook user’s account information is not protected from disclosure.
Thus, the advent of social networking sites like Facebook raises new concerns about privacy rights and the laws governing privacy on the Internet. Whether the SCA will be amended to take into account these new concerns is uncertain. But until then, Facebook users ought to be aware that while some communications via Facebook are protected under the SCA, account information and user identity might not be.