Social networking, mobile devices, and cloud computing are enabling new forms of commerce and communication. In turn, businesses, regulators, and courts are confronting the expanded role of social media and cloud services in litigation and investigations and particularly the privacy issues raised by seeking social media and cloud-based content for litigation. Legal rights to access this information will have to be balanced with privacy rights under contracts, common law rights, statutes and the Constitution. The precise contours of that balance are still evolving. Because some recent cases that have been decided may provide guidance about how such a calculus is beginning to be performed, we have summarized recent cases below.
Growth Of The Cloud And Social Networks As Potential Source Of Evidence
While it may sound mysterious and foreboding, the "cloud" concept is a simple one - to harness the instantaneous remote access of the Internet and seemingly limitless storage for common use. "Hotmail" and "Gmail" email accounts are an omnipresent example of cloud application and storage. Email functionality is provided by remote Hotmail or Gmail servers, which then store the email sent and received. For a user, these cloud services achieve email functionality at no cost and with no requirement that the user have his own servers or any sort of technology infrastructure other than access to the Internet.
That the federal government has begun to adopt the "cloud" paradigm may be evidence of increasing acceptance of cloud computing. On September 15, 2009, Obama administration Chief Information Officer Vivek Kundra announced the cloud computing initiative apps.gov, a site for federal agencies to browse and purchase cloud-based IT services. In July 2010, Google earned FISMA compliance for its Google Apps suite of IT applications - the first platform to achieve such certification. FISMA, or the Federal Information Security Management Act (44 U.S.C. § 3541 et seq. ), requires agencies to establish security standards for information systems and hold vendors to them. Google has relied on its FISMA certification as it competes for government contracts against other enterprise- and cloud-based services.
Growth in cloud and social media and mobile computing has quickly been followed by efforts to seek records for litigation. The federal government now trains its investigators on collecting information from social networking sites. One such Department of Justice presentation, "Obtaining and Using Evidence from Social Networking Sites," presents social networking sites as valuable sources of information in investigations about the target and potential witnesses and identifies legal and practical issues for investigators to be aware of when they gather evidence from these sites that may reveal communications, motives, relationships, location information, alibis, or the existence of a crime. It was obtained by a FOIA request and is now publicly available at http://www.eff.org/files/filenode/ social_network/20100303__crim_socialnetworking.pdf.
Private litigants also have found information from social networking sites to be valuable evidence. A recent New York Times article highlighted the use of social networking sites to gather evidence in divorce actions. A divorce lawyer interviewed for the article said, "It has changed the way we do business. Beforewe would strive forever to get evidence, and now people can't wait to post on MySpace or Facebook who they are out drinking with. We just come along and scoop that up." Nadine Brozan, Divorce Lawyers' New Friend: Social Networks , N.Y. Times, May 13, 2011.
Given the interest in obtaining information from social networking sites, sometimes access to this information is contested. But courts have not shied from compelling production of discovery from social networking sites. In one discrimination lawsuit, EEOC v. Simply Storage Mgmt., L.L.C. et al. , 270 F.R.D. 430, 436 (S.D. Ind. 2010), the District Court for the Southern District of Indiana allowed discovery of plaintiff's social network content despite claims of privacy. Two female plaintiffs alleged that they were sexually harassed by their supervisors. Defendant requested discovery on the contents of plaintiffs' Facebook and MySpace accounts, including photographs, videos, updates, and messages. Defendant argued that this discovery was relevant because plaintiffs had placed their mental health status at issue. Plaintiffs objected that these requests were overbroad and irrelevant and invaded their privacy. The court found that the discovery requests were not barred because plaintiffs made their social network profiles "private," noting that plaintiffs' privacy concerns could be addressed by the protective order in the case. The court compelled discovery on any social network "profiles, postings, or messages" that relate to any emotion, feeling, or mental state, and all photographs, reasoning that plaintiffs' appearance may reveal their "emotional or mental status."
Recent Cases Balancing Access To The Cloud Against Privacy Rights
While courts may be willing to countenance discovery and collection of evidence from social networking sites and the cloud, courts also recognize their role in protecting privacy. For example, courts have already begun to issue decisions establishing that email in the cloud deserves privacy protection. It is noteworthy that courts have awarded privacy protection on multiple grounds and in multiple contexts. Privacy protection has been awarded against access attempts by individuals, employers and the government.
There is no doubt that the ultimate calculus in awarding privacy protection will continue to evolve. What follows below is a sampling of some recent cases where courts have addressed the privacy interests that are presented in the context of the cloud, social media, and mobile computing.
In civil litigation contexts, courts have protected privacy interests in email stored in the cloud. One statute that they have relied on is the federal statute known as the Electronic Communications Privacy Act (ECPA), and specifically the portion of ECPA known as the Stored Communications Act (SCA), codified at 18 U.S.C. 2701 et seq . In Jennings v. Jennings , 697 S.E.2d 671, 675-80 (S.C. Ct. App. 2010), the Court of Appeals of South Carolina held that an individual violated the SCA by accessing her father-in-law's Yahoo! Mail account without authorization. In divorce proceedings, the husband's daughter-in-law accessed his email using his password and disclosed communications to his wife that were allegedly between him and his girlfriend. The husband sued his daughter-in-law for, among other things, violation of the SCA's prohibition against accessing without authorization a "facility through which electronic communication service is provided" to access an "electronic communication" while it is in "electronic storage." The court found that Yahoo! is an electronic communications service and that emails stored on Yahoo! servers were stored electronic communications under the SCA. The court therefore found that plaintiff's daughter-in-law violated the SCA by accessing plaintiff's email account.
Another source of privacy protection for information in the cloud arises from the common law privilege. Such cases often arise when employees consult with an attorney for personal matters via their employer's company network. For example, in Stengart v. Loving Care Agency , 990 A.2d 650, 665-66 (N.J. 2010), the New Jersey Supreme Court held that attorney-client privilege protected email sent to and from a cloud-based email account, even though it was transmitted over company networks. Thus, the attorney-client privilege protected emails sent by an employee to her attorney from her Yahoo! Mail account on her employer's computer. The employer obtained the emails through monitoring software without the employee's knowledge. The employer had a policy that employees had no expectation of privacy on company-owned computers. The court nonetheless found that this policy did not invalidate or waive the employee's privilege. The court therefore found that the employer did not have the right to read the emails because they were protected by the attorney-client privilege.
In criminal cases, courts have found privacy protection for information in the cloud to arise from the Constitution. The Sixth Circuit Court of Appeals recently held that email stored on remote server is protected by the Fourth Amendment, requiring a search warrant for government access to emails even though the email is stored on a server - not stored on the recipient's own computer. In United States v. Warshak , 631 F.3d 266, 288 (6th Cir. 2010), the Sixth Circuit Court of Appeals held that an email subscriber has a reasonable expectation of privacy under the Fourth Amendment in emails stored or received through an Internet service provider (ISP). Defendant Steven Warshak and others were convicted of federal charges for fraudulent marketing and distribution of herbal supplements. The Stored Communications Act (SCA), which limits access under some circumstances (such as those noted above in Jennings v. Jennings ) actually authorizes the government to compel a service provider to disclose electronic communications older than 180 days by subpoena or court order based on less than probable cause. During its investigation, the government compelled the ISP that provided Warshak email service to disclose his emails by subpoena and then court order. Defendants appealed their convictions, arguing that this warrantless seizure violated the Fourth Amendment. The court held that Warshak had a reasonable expectation of privacy in his emails stored by the ISP, finding that emails are subject to the same Fourth Amendment protections as letters and phone calls. The court found the SCA unconstitutional to the extent that it permits the government to obtain emails without a warrant.
The Added Dimension of Mobile Computing
Today, about as many users access social networking sites through a mobile device as do through a stationary computer. The prevalence of sophisticated mobile devices has led to increasing attention to laws protecting privacy on those devices. For example, on May 10, 2011, the Senate Judiciary Committee's Subcommittee on Privacy, Technology, and the Law held a hearing on "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy." Testimony was provided by witnesses from the Federal Trade Commission, Google, Apple, and others.
As a result, the courts have begun to weigh in as well on the issue of legal privacy rights in mobile devices against efforts to obtain this information for litigation. Most notably, in 2010, the Supreme Court for the first time addressed privacy rights on mobile devices. In City of Ontario et al. v. Quon et al. , 130 S.Ct. 2619, 2629-31, 2635 (2010), the Supreme Court addressed public employees' rights on mobile devices under the Fourth Amendment. Plaintiff Quon was a SWAT team officer in Ontario, California. Quon repeatedly exceeded the monthly allotment of messages on his city-issued pager, and the city audited his message records over his objections. The audit showed that many of Quon's messages were not work-related and that some were sexually explicit. The city disciplined Quon, and Quon sued the city arguing that the audit was an unreasonable search under the Fourth Amendment. The Court assumed without deciding that Quon had an expectation of privacy in his work-issued pager. Nonetheless, the Court found that the audit was a reasonable search. The Court emphasized Quon knew his pager could be audited at any time and that knowing whether Quon's overages were due to non-work messages was a legitimate work-related rationale supporting the audit.
It is significant that the Supreme Court, by assuming that Quon had an expectation of privacy in his pager, recognized the viability of such a constitutional right. Moreover, the Court declined to lay down a hard and fast rule regarding mobile devices, noting changing technology and cultural attitudes toward technology. In his concurring opinion, Justice Scalia criticized the majority's opinion for its reticence, writing "Applying the Fourth Amendment to new technologies may sometimes be difficult, but when it is necessary to decide a case we have no choice. The times-they-are-a-changin' is a feeble excuse for disregard of duty." Nonetheless, the majority reasoned, "A broad holding concerning employees' privacy expectations vis-à-vis employer-provided technological equipment might have implications for future cases that cannot be predicted."
As the Supreme Court recognized in Quon , "Rapid changes in the dynamics of communications and information transmission are evident not just in the technology itself but in what society accepts as proper behavior." The cloud, social networks and mobile computing are a growing and important source of information in furtherance of investigations and litigation. Recent court decisions confirm that legal rights to access this information must be balanced with privacy rights under contracts, common law rights, statutes and the Constitution. In short, privacy law is playing an essential role in mediating emergent issues in the evolving seams of cyberspace.
David J. Goldstone is a Partner in the Litigation Department of Goodwin Procter LLP resident in the Boston office, specializing in litigation relating to computer and Internet technologies. Daniel B. Reagan is an Associate in the Litigation Department of Goodwin Procter LLP resident in the New York office. This article is reprinted from the Boston Bar Journal, a publication of the Boston Bar Association.