Privacy

Encryption and the Press Clause

Almost twenty years ago, a hostile debate over whether government could regulate encryption—later named the Crypto Wars—seized the country. At the center of this debate stirred one simple question: is encryption protected speech? This issue touched all branches of government, percolating from Congress to the President and eventually to the federal courts. In a waterfall of cases, several United States Courts of Appeals appeared to reach a consensus that encryption was protected speech under the First Amendment, and with that the Crypto Wars appeared to be over, until now. Nearly twenty years later, the Crypto Wars have returned. Following recent mass shootings, law enforcement has once again questioned the legal protection for encryption and tried to implement “backdoor” techniques to access messages sent over encrypted channels. In Apple v. FBI, the agency tried to compel Apple to grant access to the iPhone of a San Bernardino shooter. The case was never decided, but the legal arguments briefed before the court were essentially the same as they were two decades prior. Apple and amici supporting the company argued that encryption was protected speech. While these arguments remain convincing, circumstances have changed in ways that should be reflected in the legal doctrines that lawyers use. Unlike twenty years ago, today surveillance is ubiquitous, and the need for encryption is no longer felt by only a few. Encryption has become necessary for even the most basic exchange of information given that most Americans share “nearly every aspect of their lives—from the mundane to the intimate” over the Internet, as stated in a recent Supreme Court opinion.* Given these developments, lawyers might consider a new justification under the Press Clause.
In addition to the many doctrinal concerns that exist with protection under the Speech Clause, the Press Clause is normatively and descriptively more accurate at protecting encryption as a tool for secure communication without fear of government surveillance. This Article outlines that framework by examining the historical and theoretical transformation of the Press Clause since its inception.

* Riley v. California, 134 S. Ct. 2473, 2490 (2014).

Is Facebook Killing Privacy Softly? The Impact of Facebook’s Default Privacy Settings on Online Privacy

By Michael J. Kasdan*

“IMPORTANT!! Tomorrow, Facebook will change its privacy settings to allow Mark Zuckerberg to come into your house while you sleep and eat your brains with a sharpened spoon. To stop this from happening go to Account > Home Invasion Settings > Cannibalism > Brains, and uncheck the “Tasty” box. Please copy and repost.”
– Satirical Status Post from Friend’s Facebook Status on February 15, 2011.

Introduction

Since launching its now ubiquitous social networking website out of the Harvard dorm room of Mark Zuckerberg in early 2004, Facebook has rapidly become one of the most dominant websites on the planet. And “rapid” doesn’t quite do it justice. It has been estimated that over 40% of the U.S. population has a Facebook account.[FN1] Facebook now boasts over 600 million active user accounts [FN2] and was recently estimated to be adding user accounts at the unbelievable clip of well over half a million new users per day.[FN3]

The very nature of a social networking site like Facebook is to provide its users with a platform through which they can share massive amounts of personal information. Facebook has created a platform where users can post personal data such as their contact information, birthdays, favorite movies, books, music and news articles, share scads of written comments and notes, post pictures and videos of themselves and others, associate themselves with various products, services, and groups, and post information about where they are and what they are doing.

Over its six-year existence, Facebook’s privacy policy – the set of rules that dictate which information is shared and with whom – has undergone significant systemic revisions that have had the effect of collectively encouraging, and in some cases requiring, users to share more personal information with bigger groups of people and companies.
Facebook’s original privacy policy provided that no personal information would be shared with any other user who did not belong to a group specified in the user’s privacy settings. The principle behind this policy was one of user control over personal information. By contrast, under today’s Facebook privacy policy, owners of numerous websites and applications may access broad categories of user information, and the default settings are such that many categories of user information will be widely accessible, unless users carefully review and modify them.

This article explores the background, impact, and legal and policy challenges posed by Facebook’s evolving privacy policy.

Background

Facebook (www.facebook.com) is a social-networking website that is privately owned and operated by Facebook, Inc. Facebook is free to use. Once registered, users of the Facebook.com website may create a personal profile and can then create their “social network” by inviting other users to be their “friends.” Users can upload photos and albums and update their “status” to inform their friends of their whereabouts, actions, and thoughts. Users and their friends may communicate with each other through private and/or public messages (i.e., privately, through email, or publicly, by writing or posting a comment on another user’s “wall”), view and comment on each other’s status updates and postings, and share and comment on each other’s pictures, videos, and other Internet content.[FN4]

Facebook users can also associate with and recommend (i.e., “like”) brands, products, services, web pages, and articles posted all over the Internet by clicking a “like” button on Facebook or on those web pages. When a user’s friend views that same web page, they can see which of their friends have “liked” the page. A user’s “likes” are also posted in that user’s “newsfeed,” which is a running list of comments, pictures, status updates, etc. of that user and his friends that is visible to friends.
These “likes” are, of course, also recorded by Facebook’s business partners that are associated with brands, products, and services. Most recently, Facebook has added a “check-in” or “places” feature. Using this feature, Facebook users can indicate that they are currently at a restaurant, store, bar, or other real-world location. This information is posted onto their profile and is also recorded by Facebook for use by its business partners, which may include, for example, the restaurant or bar at which the user has checked in.

In addition, Facebook has partnered with certain third-party websites, such as Yelp, to provide Facebook “personalization features” for its users. Specifically, if a user has a Facebook account and goes to the Yelp website, a site that collects user reviews about businesses such as restaurants and bars, that user will be able to see which of his Facebook friends have reviewed a particular business, which friends have “liked” a particular business, and review his Facebook friends’ Yelp reviews and “likes.”[FN5]

Facebook users can also access third-party applications (“apps”) on the Facebook site. These apps include trivia quizzes, games, and other interactive content. Many of these applications gather personal information about the user and his Facebook friends.

There clearly are tremendous benefits to the social networking experience on Facebook. The broad disclosure by users and their friends of all sorts of personal details about themselves is central to Facebook’s functionality. It is in large part what makes Facebook interesting, interactive, and fun to its users. It is also equally (if not more) important to Facebook as a business, and the key to its ability to monetize Facebook.com. Indeed, much of the perceived value of Facebook as a business[FN6] is Facebook’s ability to gather personalized information about its massive user base and to leverage that user base.
The costs of these same activities, in terms of the sacrifices to one’s own personal privacy, may be harder to spot at first, but they are also significant.[FN7]

Facebook’s Privacy Policy – A Brief History

Facebook’s privacy policy has undergone a significant shift over its relatively short existence. Its original policy limited the distribution of user information to a group of that user’s choice (thus creating a private space for user communication). By contrast, its current policy makes much user information public by default and requires other information to be public. This public information is accessible by Facebook and its business partners and advertisers.

The shift in Facebook’s default privacy settings over time is perhaps most strikingly illustrated by an info-graphic created by Matt McKeon, a developer at the Visual Communication Lab at IBM Research.[FN8] The blue shading indicates the extent that the viewing of various categories of information is limited to a user’s friends, friends of friends, all Facebook users, or the entire Internet. Heavier shading towards the outer part of the circle indicates that the information is more widely accessible.
The History of Facebook's Default Privacy Settings
Facebook has been criticized by privacy advocates and industry watch groups for its revision of its privacy policies. For example, after Facebook rolled out its revised privacy settings in late 2009, the Electronic Frontier Foundation (“EFF”) correctly concluded that these changes reduce the amount of control the users have over their personal data while at the same time push Facebook’s users to publicly share more of their personal information than before.[FN9] As the EFF put it, viewing Facebook’s successive privacy policies from 2005-2010 “tell[s] a clear story. Facebook originally earned its core base of users by offering simple and powerful controls over their personal information. As Facebook grew larger and became more important . . . [it] slowly but surely helped itself – and its advertising and business partners – to more and more of its users’ information, while limiting the user’s options to control their own information.”[FN10]

Under Facebook’s current privacy policy, certain personal information, such as a user’s name, profile pictures, current city, gender, networks, and pages that user is a “fan” of (now, pages that user “likes”) is deemed “publicly available information.” And this user information is now accessible by Facebook applications that are added by any of that user’s Facebook friends, even if that user does not use these applications.
In March, 2011, Facebook announced that it would be moving forward with a plan to give third-party developers and external websites the ability to access Facebook users’ home addresses and cell phone numbers.[FN11] Facebook users may not restrict access to this information to a more controlled group or prevent application developers from accessing it.[FN12]

In addition, when a Facebook user “likes” a product or service or “checks-in” to a place, such as Starbucks, the coffee company displays that information, both in the user’s news feed and also as part of a paid advertisement for Starbucks. This functionality is called “Sponsored Stories,” and Facebook users cannot opt out of the use of their information in Sponsored Stories if they “like” or “check-in” to a business or service.[FN13] Based on these changes, Facebook users are now sharing a lot of personal information with the third party companies that partner with Facebook to develop applications and advertisements.[FN14]

Finally, Facebook’s “privacy transition tool,” which guides users through the configuration of privacy settings, will “recommend” (i.e., preselect by default) each user’s privacy settings for sharing information posted to Facebook, including status messages and wall posts, to be set to share with “everyone” on the Internet. The prior default setting for such information had been limited to each user’s “Networks and Friends” on Facebook. As discussed in the following section of this Article, default settings are often outcome determinative. It is human nature to accept and not change the suggested default settings. In this way, Facebook’s “privacy transition tool” results in more users shifting their privacy level to share their information with more people than before.[FN15]

This erosion of privacy should come as no great surprise.
Social networks like Facebook benefit from loose privacy rules: “the more incentives [Facebook] create[s] for people to share data, the more valuable the network . . . because [Facebook] ha[s] data you can resell or study for marketing trends.”[FN16] Controlling, storing, using, and providing access to or analytics concerning vast stockpiles of user data is tremendously lucrative. Because Facebook makes money through targeted advertising and the like, reducing the privacy settings of its service is to its financial benefit.[FN17] To this end, Mark Zuckerberg and Facebook have taken the position that “Facebook has always been about friends and community and that therefore the default has been skewed towards sharing information rather than restricting it.”[FN18] This position also aligns with Facebook’s profit motive, monetization end-game, and growing valuation.[FN19]

Default Settings Matter a Great Deal

What is important to keep in mind in the ongoing debate about Facebook’s privacy settings is the significant power of default settings in affecting user behavior and outcomes. When defending its increasingly “public” default privacy settings, Facebook often focuses on the fact that it gives its users the ability to change these privacy settings to control information (though not all information) more tightly, if they so choose. But the reality is that defaults are often determinative. Most users surely clicked through the new default settings without realizing it. And while users could, theoretically, change these more public “recommended” settings by navigating through the detailed privacy settings, doing so takes more effort.[FN20]

Defaults have a particularly strong influence in software. System or device defaults are rarely altered by users.
And commentators have observed that “psychological studies have shown that the tiny bit of extra effort needed to alter a default is enough to dissuade most people from bothering, so they stick to the default despite their untapped freedom.”[FN21] With the rise of ubiquitous network software systems like Facebook, the outcome-determinative nature of defaults has the ability to fundamentally influence social concerns, such as privacy.[FN22]

Indeed, the evolution of Facebook’s privacy settings demonstrates the company’s understanding of the importance of default settings. On the one hand, Facebook does provide a good deal of granular control to its users in terms of privacy settings. But on the other hand, as studies in human computer interaction and behavioral economics show, users tend to favor the status quo or default settings.[FN23] In the case of Facebook, these are the privacy recommendations and default settings that are provided. Furthermore, Facebook’s programs that pass information to its third-party business partner sites, such as Yelp, require users to “opt out,” which means that Facebook will freely disseminate user information unless the user affirmatively objects. Therefore, even though Facebook offers detailed privacy options, by pre-selecting the default settings for those user privacy settings and requiring users to affirmatively opt-out, Facebook is effectively “dictating what kind of privacy [users] will or will not have.”[FN24]

The Risks

So what? Aside from throwing around important-sounding words like “privacy issues,” what is the big deal?

Recently, industry watch groups, like the EFF and Consumer Reports, as well as the U.S. government, have articulated a host of real-world concerns.
For example, posting personal information (including birthdates, street addresses, whether you are home or away), can expose a user to crime of either the cyber- or real-world variety.[FN25] In addition, the privacy settings of users and users’ Facebook friends can expose users to harassment, malware, spyware, identity theft, viruses and scams. For example, a recent article estimated that out of the 18 million Facebook users who used “apps” of Facebook’s business partners and advertisers, roughly 1.8 million (or 10%) of their computers were infected by these applications. Many of these applications access a large swath of personal information, often without the user realizing it.[FN26]

Aside from the above crime risks, there are serious “social” and “commercial” risks as well. Sharing the likes and dislikes of users and their friends, as well as the places to which they go and the products they recommend could lead to a world where companies, advertising agencies, and others who seek to influence your behavior are able to track each individual user to such an extent that they can compile a set of incredibly granular and personal details about each person, including what time he gets up, where he goes, what he buys, what he reads, what his political views are, etc.[FN27] For many, that may be an uncomfortable place to be.

Addressing the Issue of Online Privacy – Personal Choice, Regulation and Enforcement, or Both?

Broadly speaking, there are two general approaches to addressing the implications of online privacy settings, such as Facebook’s. It is unlikely that either one of these approaches alone will adequately address the privacy concerns raised above.

The first approach is to rely on the market and users to drive changes to privacy settings, when required.
This approach relies on users to recognize that their privacy settings are important and to take the time and responsibility to set them.[FN28] This laissez faire approach relies on individuals to take more care about what default settings they are agreeing to and to demand change in areas of paramount importance.

Users who care should certainly take more care in setting their privacy options. However, there are limitations to relying on users alone. When settings and choices are not apparent to users, or defaults are repeatedly set in such a way that the vast majority of users are unlikely to understand the consequences of their selections or be able to demand change, it seems that more may be required.[FN29]

The second approach is to rely on government regulation and enforcement to ensure that there are clearly laid-out privacy options.[FN30] In this regard, the U.S. government recently has begun to raise questions about Facebook’s privacy policy. For example, when Facebook announced plans to enable its partners to access users’ addresses and phone numbers, Congressmen Edward Markey (D-Mass) and Joe Barton (R-Texas), the Co-Chairmen of the House Bipartisan Privacy Caucus, sent a letter to Facebook CEO Mark Zuckerberg seeking answers about the company’s plans.[FN31] Similarly, in May of 2010, the Article 29 Data Protection Working Party, a coalition of European data protection officials, sent a letter to Facebook criticizing the changes it made to its privacy policy and default privacy settings.[FN32] The Working Party argued that significant changes to a privacy policy and settings relating to sharing of user information should require the active consent of users rather than mere notice of the changes to users.

The Federal Trade Commission (FTC) has likewise become more active in investigating online privacy violations.
Section 5 of the FTC Act grants the FTC the power to pursue claims against entities which engage in unfair or deceptive acts or practices in interstate commerce with respect to consumers.[FN33] In the past, the FTC has taken action against websites for violating their own privacy policies as a deceptive trade practice. The FTC has also used its Section 5 powers to pursue claims against online companies related to spyware and adware, etc.[FN34] Most significantly, last month, the FTC settled its Section 5 investigation into the privacy practices of Google in relation to Google Buzz, a social networking tool in Gmail that Google introduced last year. As part of the settlement, Google agreed to start a privacy program, to undergo privacy audits for a period of 20 years, and to obtain user consent before changing the way that any Google product shares personal information.[FN35]

As relevant to Facebook, privacy interest groups led by the Electronic Privacy Information Center (“EPIC”) have filed multiple Complaints with the FTC, accusing Facebook of violations to the privacy interests of Internet users.[FN36] EPIC’s first FTC Complaint against Facebook focuses on Facebook’s practices relating to the sharing of user information with third-party app developers. In particular, it alleges that the mandatory public disclosure of certain user information to the public, including third-party app developers, is an unfair practice.
The Complaint also alleges that Facebook’s policies regarding third-party app developers are misleading and deceptive, and provide for more information sharing and less user control of that information without a clear way for users to opt out.[FN37] EPIC’s second Complaint against Facebook focuses on newer changes to Facebook, including the “like” feature and “instant personalization” feature, both of which, it is alleged, cause the sharing of user information in ways that are deceptive to the user.[FN38]

EPIC’s Facebook Complaints may provide the FTC with the vehicle to take on Facebook, should it perceive the need to do so. At the very least, the FTC’s recent landmark settlement with Google signals that the FTC is ready and willing to use its Section 5 powers to remedy privacy violations in connection with social networking, where it deems appropriate.

The FTC has also provided guidance by issuing a Privacy Report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which seeks to provide a framework for consumers, businesses, and policymakers to address online privacy issues.[FN39] The FTC Report concludes that industry efforts to address privacy through self-regulation have been too slow and have failed to provide adequate and meaningful protection to consumers. Among the recommendations in the FTC’s proposed framework is that consumers be presented with a clear and easy to understand choice about the collection and sharing of their data at the time and in the context in which they are making decisions.
The FTC framework also addresses the tracking, collection, and sharing of user data with advertisers, recommending the adoption of a universal mechanism for implementing a user’s choice to opt out of such practices.[FN40] In response, Facebook has argued against excessive regulation, indicating that Internet companies should be self-regulated so as not to stifle innovation.[FN41]

It is unclear what ultimate impact the FTC Report and the proposals of other commentators will have on the industry or on policymakers, if any. These developments at least have the effect of bringing about public debate over many core privacy issues implicated by social networks and other online companies.

In this regard, some of the policies championed by the FTC and others are making their way before Congress in newly proposed privacy bills. Specifically, Representative Jackie Speier (D-California) introduced Bill HR 654 that would direct the FTC to put forth standards that provide an online mechanism for consumers to opt out of the collection and use of their personal information online and would require online advertisers and third-party website operators to disclose their practices with respect to data collection and use.[FN42]

These regulatory and legislative efforts may provide some baseline requirements for privacy policies and provide users with a privacy bill of rights. As with the FTC Report, it is not yet clear what shape such privacy legislation will take, and the extent to which legislators will seek to address such privacy issues through legislation.[FN43]

Conclusion

In the age of instantaneous sharing of information on Facebook, it is fair to ask whether privacy is dead or dying, and whether online social networks like Facebook are killing it.
Despite what may be seen as an unstoppable cultural imperative to socialize, connect, share, communicate, and post information about oneself at a dizzying pace, it is important not to lose sight of the risks of handing over control over our personal information.

As we status-update our way through the information age, both users and regulators alike must continue to closely monitor companies that receive access to the information we share. At the same time, we must also carefully weigh the benefits of increased interconnectivity against the costs of reduced privacy.
* Michael J. Kasdan is a Partner at Amster, Rothstein & Ebenstein LLP and is a 2001 graduate of NYU School of Law. He is a Facebook user. The views and opinions expressed in this article are his own. Mr. Kasdan also authored Student Speech in Online Social Networking Sites: Where to Draw the Line, https://jipel.law.nyu.edu/2010/11/22/student-speech-in-online-social-networking-sites-where-to-draw-the-line/ (November 22, 2010).

[FN1] See Roy Wells, 41.6% of the U.S. Population Has a Facebook Account, socialmediatoday (Aug. 8, 2010), http://socialmediatoday.com/index.php?q=roywells1/158020/416-us-population-has-facebook-account.
[FN2] See Nicholas Carlson, Goldman to clients: Facebook has 600 million users, Business Insider (Jan. 5, 2011), http://www.msnbc.msn.com/id/40929239/ns/technology_and_science-tech_and_gadgets/.
[FN3] See Justin Smith, Facebook Now Growing by Over 700,000 Users a Day, and New Engagement Stats, Inside Facebook (July 2, 2009), http://www.insidefacebook.com/2009/07/02/facebook-now-growing-by-over-700000-users-a-day-updated-engagement-stats/.
[FN4] For the BBC’s truly hilarious take on the Facebook paradigm, see Facebook in Real Life, http://www.youtube.com/watch?v=BYNYLq_KvW4 (last visited March 22, 2011).
[FN5] See Yelp Partners With Facebook For A Personal Experience, Yelp Web Log (Apr. 21, 2010), http://officialblog.yelp.com/2010/04.
[FN6] Facebook is presently a privately held company. Recently, a consortium including Goldman Sachs invested $500 million “in a transaction that values [Facebook] at $50 billion.” Susan Craig & Andrew Ross Sorkin, Goldman Offering Clients a Chance to Invest in Facebook, DealBook (Mar. 29, 2011), http://dealbook.nytimes.com/2011/01/02/goldman-invests-in-facebook-at-50-billion-valuation/.
[FN7] It is significant to note that there are clear generational differences at work as to how a particular person will assess these types of trade-offs.
For example, I use Google’s Gmail service because it is slick and functional. My father, however, will not, because he is greatly bothered by the fact that Google pushes context-based advertising at its Gmail users based upon the content of a user’s emails. Likewise, on Facebook, the younger generation is more apt to publicly share private details through status updates or to publicly share embarrassing pictures of their Saturday night escapades. In online social networks like Facebook, there is a quid pro quo in which privacy is gladly exchanged in favor of social interaction. To these users, the social and community benefits of sharing such information far outweigh the more subtle-to-perceive-downside of diminished privacy. See Schneier, Google and Facebook’s Privacy Illusion, http://www.forbes.com/2010/04/05/google-facebook-twitter-technology-security-10-privacy (April 6, 2010).
[FN8] See http://www.allfacebook.com/infographic-the-history-of-facebooks-default-privacy-settings-2010-05 (May 9, 2010) & http://www.goso.blog/2010/06/facebook-default-privacy-settings-over-time.
[FN9] Kevin Bankston, Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly, Electronic Frontier Foundation (Dec. 9, 2010), http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly.
[FN10] For a complete timeline of the changes to Facebook’s privacy policy from 2005 to present, see Facebook’s Eroding Privacy Policy: A Timeline, Electronic Frontier Foundation, http://www.eff.org/deeplinks/2010/04/facebook-timeline/ (April 28, 2010).
[FN11] See Bianca Bosker, Facebook To Share Users Home Addresses, Phone Numbers with External Sites, HuffPost Technology (Feb. 28, 2011) http://www.huffingtonpost.com/2011/02/28/facebook-home-addresses-phone-numbers_n_829459.html.
[FN12] “When you connect with an application or website it will have access to General Information about you.
The term General Information includes you and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy settings . . . . The default privacy setting for certain types of information you post on Facebook is set to ‘everyone.’” See Facebook’s Eroding Privacy Policy: A Timeline, Electronic Frontier Foundation, http://www.eff.org/deeplinks/2010/04/facebook-timeline/ (April 28, 2010) (quoting Facebook’s Privacy Policy).
[FN13] Clint Boulton, Facebook Invites Privacy Concerns with Sponsored Story Ads, eWeek (Jan. 26, 2011), http://www.eweek.com/
[FN14] Bankston, supra note 10.
[FN15] Id.
[FN16] Privacy: The Slow Tipping Point, Carnegie Mellon University (2007 Interview Transcript, Podcast Interview of Alessandro Acquisti).
[FN17] Bruce Schneier, Google and Facebook’s Privacy Illusion, Forbes (Apr. 6, 2010) (quoting Mark Zuckerberg), http://www.forbes.com/2010/04/05/google-facebook-twitter-technology-security-10-privacy.
[FN18] Memmott, Zuckerberg: Sharing Is What Facebook Is About, http://www.npr.org/alltechconsidered/2010/05/27/127210855/facebook-zuckerberg- (May 27, 2010).
[FN19] See Craig, supra note 6.
[FN20] Forbes Magazine notes that companies like Facebook are driven by market forces “to kill privacy” by controlling defaults, limiting privacy options, and making it difficult to change such settings. This results in making it “hard …to opt out.” Schneier, supra note 18.
[FN21] See Pat Coyle, Triumph of the default in sports social networks, Technium Blog (Aug. 18, 2010) http://www.coylemedia.com/2010/08/18/power-of-the-default-in-sports-social-networks.
[FN22] Jay Kesan and Rajiv C. Shah, Establishing Software Defaults: Perspectives from Law, Computer Science, and Behavioral Economics, Notre Dame Law Review, Vol. 82, pp. 583-634, 2006 (available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=906816).
[FN23] Examples that illustrate the power of defaults are found not only in the technology field but across many other fields. One oft-cited study of defaults is the work of Madrian and Shea, who studied the impact of defaults on money saving tendencies by changing the defaults of 401(k) retirement plans. Specifically, they changed the default enrollment rule so that new employees had to choose to opt out of contributing to the 401(k) plan rather than to opt into it. The results were striking. Changing this one simple default rule brought participation in the 401(k) plan from less than 40% to over 85%. Furthermore, those who participated made few subsequent changes to their default plan. This study indicates that defaults can strongly influence real-life decision-making, and that people generally defer to defaults in their decision-making. Whether the cause of this behavior is momentum, laziness, procrastination, passivity, a tendency to follow the guidance or advice of experts, or some other phenomenon, the effect of defaults is very powerful and very real. See Simon Kemp, Psychology & Economics in Regulation, Institute of Policy Studies (Feb. 19, 2010); Sendhil Mullainathan, Psychology and Development Economics (June 2004) (unpublished manuscript) (on file with Harvard University Department of Economics); see also James M. Poterba, Behavioral Economics and Public Policy: Reflections on the Past and Lessons for the Future in Policymaking Insights from Behavioral Economics (Christopher L. Foot et al. eds., 2007); Kesan, supra note 24.
[FN24] Acquisti, supra note 17. For humorous satirical commentary on this phenomenon, see Entire Facebook Staff Laughs As Man Tightens Privacy Settings, The Onion (May 26, 2010), http://www.theonion.com/articles/entire-facebook-staff-laughs-as-man-tightens-priva,17508/.
[FN25] See Jeff Fox, Why Facebook Users Need Protection, HuffPost Technology (May 4, 2010), http://www.huffingtonpost.com/jeff-fox/why-facebook-users-need-p_b_562945.htmlsee also Protecting Your Computer from Online Threats, Consumer Reports (June 2010), http://www.consumerreports.org/cro/magazine-archive/2010/june/electronics-computers/. [FN26] Id. [FN27] See e.g., JC Raphael, Facebook Privacy: Secrets Unveiled, PC World (May 16, 2010), http://www.pcworld.com/article/196410/facebook_privacy_secrets_unveiled.html. [FN28] “It’s very simple: Facebook is a business and their goal is to make money.  They make money through advertising and selling virtual goods.  The more of your personal information they can mine, the more likely their advertising will result in revenue for Facebook and to their clients. . . . What about privacy settings?  You need to set them, it’s your responsibility and no one else’s.  Facebook wants you to share as much as possible since it helps them monetize your account.  Consequently the default settings tend to be “opt out” rather than “opt in,” knowing that most people review their privacy settings. . . .  You are responsible for what information you post about yourself, the Facebook friends you link to, the privacy settings and the applications you use.” Howard Steven Friedman, You Are Responsible for Your Own (Facebook) Privacy, HuffPost Technology (Mar. 3, 2011) (emphasis added), http://www.huffingtonpost.com/howard-steven-friedman/you-are-responsible-for-y_b_830652.html. [FN29] Another aspect of a laissez faire approach to dealing with online privacy would be to rely on the market to provide competing social networking systems that address privacy differently than Facebook. In other words, if clearer and tighter privacy controls are something that consumers want and value, a market competitor to Facebook should offer a competing alternative. Cf. 
Hiroki Tabuchi, Facebook Wins Relatively Few Friends in Japan, New York Times (January 9, 2011), http://www.nytimes.com/2011/01/10/technology/10facebook.html (noting Facebook’s relative lack of success in Japan, whose Internet users are “fiercely private.” In Japan, Facebook’s competitors, which “let members mask their identities, in distinct contrast to the real-name, oversharing hypothetical user on which Facebook’s business model is based,” have been far more successful). However, because the value of a social network is largely based on the fact that all of one’s friends are members, the sheer size and momentum of Facebook in the U.S. market may well prevent viable competitors from easily emerging. [FN30] Schneier, supra note 18 (stating that “[i]f we believe privacy is a social good, something necessary for democracy, liberty, and human dignity, then we can’t rely on market forces to maintain it” and calling for broad legislation that would protect personal privacy by giving people control over their personal data). [FN31] See Thomas Clayburn, Facebook Faces Congressional Privacy Interrogation, Information Week (Feb. 5, 2011), http://www.informationweek.com/news/internet/social_network/showArticle.jhtml?articleID=229201226. Facebook responded to this inquiry in a letter on February 23, 2011 (available at http://markey.house.gov/docs/facebook_response_markey_barton_letter_2.2011.pdf) in which it highlighted that Facebook users have various different levels at which they can set their privacy options and that users must give applications seeking to access their personal information permission to do so. Information concerning the Congressmens’ response to Facebook can be found at Markey, Barton Respond to Facebook (Feb. 28, 2011), http://markey.house.gov/index.php?option=content&task=view&id=4238&Itemid=125. 
[FN32] Article 29 Data Protection Working Party, Press Release, May 12, 2010, available at http://ec.europa.eu/justice/policies/privacy/news/docs/pr_12_05_10_en.pdf. [FN33] Act of March 21, 1938, ch. 49, § 3, 52 Stat. 111 (codified at 15 U.S.C. § 45(a)(1)(1994)). [FN34] See e.g., Federal Trade Commission, Privacy Initiatives, http://business.ftc.gov/legal-resources/29/36 (Last visited February 18, 2011). [FN35] See C. Miller and T. Vega, Google Unveils New Social Tool as It Settles Privacy Case, New York Times (March 20, 2011); Google Agrees to Implement Comprehensive Privacy Program to Protect Consumer Data, http://www.ftc.gov/opa/2011/03/google.shtm (March 30, 2011).  A copy of the consent order is available at http://www.ftc.gov/os/caselist/1023136/110330googlebuzzagreeorder.pdf (Last Visited, April 6, 2011). [FN36] The EPIC Complaints are available at http://epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf (“EPIC I”)  and http://epic.org/privacy/facebook/EPIC_FTC_FB_Complaint.pdf (“EPIC II”).  For additional general background regarding the EPIC Complaints, see http://epic.org/privacy/inrefacebook and http://epic.org/privacy/facebook/in_re_facebook_ii.html. [FN37] EPIC I, supra note 37. [FN38] EPIC II, supra note 37 at ¶¶ 65-94. [FN39] See generally FTC Staff Releases Privacy Report, Offers Framework for Consumers, Businesses and Policymakers, Federal Trade Commission (Dec. 1, 2010), http://www.ftc.gov/opa/2010/12/privacyreport.shtm; FTC Staff, FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change (2010), http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. 
[FN40] Similarly, the EFF recently proposed a “Bill of Privacy Rights for Social Network Users.” The Proposed Bill of Privacy Rights includes (i) “the right to informed decision-making” about who sees their personal data, (ii) “the right to control” the use and disclosure of their data, including requiring a default opt-in permission by users, so that user data is not shared unless a user makes an informed decision to share it, and (iii) “the right to leave” a social network, at which point the user data is permanently deleted from the social network’s databases and those of its partners. See Kurt Opsahl,  A Bill of Privacy Rights for Social Network Users, Electronic Frontier Foundation (May 19, 2010), http://www.eff.org/deeplinks/2010/05/bill-privacy-rights-social-network-users; see also Dani Manor, Proposed New Bill of Rights for Facebook Users, Electronic Frontier Foundation (May 21, 2010), http://www.allfacebook.com/eff-proposes-new-bill-of-rights-for-facebook-users-2010-05. [FN41] See e.g., Katie Kindelan, What You Should Know About Facebook’s Response to the FTC, Social Times (Feb. 25, 2011), http://www.socialtimes.com/2011/02/what-you-should-know-about-facebooks-response-to-the-ftc/see also Bianca Boscer, Facebook Response to FTC’s Privacy Plans, Huffpost Technology (Feb. 23, 2011), http://www.huffingtonpost.com/2011/02/23/facebook-responds-to-ftcs_n_827260.html; Leigh Goessl, Facebook Response to FTC Privacy Investigation, Helium (Feb. 27, 2011), http://www.helium.com/items/2103119-facebook-response-to-ftc-privacy-investigation. [FN42] See H.R. 654, 112th Cong. (2011).; See also Bert Knabe, Two Privacy Bills Introduced by Representative Jackie Speier, Lubbock Avalanche-Journal (Feb. 14, 2011), http://lubbockonline.com/interact/blog-post/bert-knabe/2011-02-14/two-privacy-bills-introduced-representative-jackie-speier-d. [FN43] Cf. 
Farhad Manjoo, No More Privacy Paranoia, Slate (April 7, 2011), http://www.slate.com/id/2290719/pagenum/all/#p2 (noting that regulators must carefully balance the costs of privacy protection with its benefits).

You May Not “Like” This Title: Everything Stored on Facebook Is Discoverable

By Darren A. Heitner*
A pdf version of this article may be downloaded here.
On its own Fan Page, Facebook describes itself as a service that gives “people the power to share and make the world more open and connected.”[FN1] People over the age of twelve, but not too old to understand how to use a computer keyboard, are able to sign up for a Facebook account and immediately share content and information with the world. Facebook users may upload photos and videos, update their statuses, share links, create events and groups, make comments, write notes, write messages on their own or others’ “Walls,” and send private messages to other users (all of which will hereinafter be referred to as “Published Facebook Content”). Facebook delivers on its promise to permit sharing in an online environment where people can easily get caught up on their friends’ actions and activities. The openness is what makes Facebook extremely desirable; it also makes the platform a potential legal nightmare for those who do not understand how its content may be used as evidence in a lawsuit.
In an effort to provide its users with a sense of security, Facebook regularly updates its privacy options, including one which allows users to change the visibility of their profiles from the default “everyone” setting to something more limited or completely private. If the “everyone” setting is enabled, any person, Facebook user or not, has access to Published Facebook Content (other than private messages) and its association with the user who posted the information.[FN2] Facebook users have the ability to block others from seeing their contact information, personal information, gender and birth date, and Published Facebook Content.[FN3] However, nestled into Facebook’s Privacy Policy in the section titled, “How We Share Information” is a paragraph that begins with, “To respond to legal requests and prevent harm.”[FN4] The paragraph states the following:
We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.[FN5]
Any privacy granted to a Facebook user is only temporary, as Facebook, at any point in time and at its complete discretion, may invoke the aforementioned paragraph and disclose Published Facebook Content not only to a court of law, but also to a private company, attorney, or other governmental entity. Even if Facebook attempts to protect a user’s privacy rights, a court may deem that the Published Facebook Content is discoverable. While there is a deep concern regarding Facebook’s apparent willingness to share Published Facebook Content with companies, lawyers, courts and other government entities, this discussion will focus exclusively on a court’s effort to require Facebook to produce information.
I. Discovery Background
Under the Federal Rules of Civil Procedure (FRCP) for the United States District Courts, a party may obtain discovery regarding any non-privileged matter that is relevant to any party’s claim or defense, and the court may order discovery of any matter relevant to the subject matter involved in the action.[FN6] The responding party may claim that the information being requested is privileged, and thus refuse to submit the information.[FN7] Alternatively, a party may move for a protective order to guard against annoyance, embarrassment, oppression, or undue burden or expense.[FN8] Although modern civil procedure contemplates liberal disclosure rules for discovery requests, “discovery is not unbridled and not unlimited,” and individuals deserve to have their privacy protected.[FN9] While not all states have adopted rules of civil procedure that match or even closely resemble the FRCP, many states have discovery procedures that are based on the federal system.
II. McCann v. Harleysville Insurance
The Supreme Court, Appellate Division, Fourth Department of New York addressed the protection of a Facebook user’s Published Facebook Content in a case involving a driver injured in an automobile accident.[FN10] The Defendant, Harleysville Insurance Company of New York, was not convinced that the Plaintiff, Kara McCann, had sustained serious injuries, and requested production of photographs from McCann’s Facebook account as a means of verification.[FN11] The trial court denied Harleysville Insurance’s motion to compel discovery based on the motion’s being overly broad and the apparent lack of proof regarding the relevancy of the Facebook photos.[FN12] The Appellate Court affirmed the trial court’s holding.[FN13]
The decision reveals that parties do not have carte blanche in discovery requests concerning Published Facebook Content. If a party wishes to require a Facebook user to produce Published Facebook Content, the party must be specific in its demand and clearly identify the relevancy of producing such information. The Court stated that Harleysville Insurance “essentially sought permission to conduct a ‘fishing expedition’ into plaintiff’s Facebook account based on the mere hope of finding relevant evidence.”[FN14] With a clear showing of relevance by Harleysville Insurance, however, McCann might not have escaped the production of her Facebook photographs, whether she made them available to all through the “everyone” setting or restricted their exposure to a limited group of people.
III. Romano v. Steelcase Inc.
In another New York case, the Court showed what might happen when a discovery request involving Published Facebook Content is relevant and specific. A party may have to produce requested Published Facebook Content, even though it was originally marked as private on the social network.
In Romano v. Steelcase Inc., Judge Spinner held that 1) private information sought from Plaintiff Kathleen Romano’s Facebook account was material and necessary for Defendant Steelcase’s defense; 2) Romano did not have a reasonable expectation of privacy in information published on Facebook; and 3) Steelcase’s need for access to Romano’s private information on Facebook outweighed any privacy concerns voiced by Romano.[FN15] Whereas the court in McCann refused to allow the defendant to access a single photograph that the plaintiff posted on her Facebook page, in the instant case, Steelcase was able to reach Romano’s current and historical Facebook pages and accounts, including deleted pages.[FN16] The key difference is that this Court found that the information request was material and necessary, which is a standard that is to be interpreted liberally, requiring disclosure of “any facts bearing on the controversy which will assist preparation for trial by sharpening the issues and reducing delay and prolixity.”[FN17]
Romano claimed that she suffered serious injuries which affected her enjoyment of life based, at least partially, on her lack of capacity to participate in certain activities.[FN18] If true, those facts could influence the Court to sympathize with Romano, likely affecting the outcome of the case. Viewing only the public sections of Romano’s Facebook and MySpace pages, Steelcase discerned that Romano’s active lifestyle had not been affected by any injury.[FN19] Romano claimed that she was confined to her house; public Facebook pictures displayed Romano outside of her home, smiling happily as if she enjoyed her life as much as she had in her pre-injury state.[FN20] With this type of information readily available for the general public to view, what could Steelcase find in the private sections of Romano’s Facebook profile?
The Court did not limit Steelcase’s discovery to Romano’s public Published Facebook Content.[FN21] Instead, the Court stated that preventing access to Romano’s private postings would be “in direct contravention to the liberal disclosure policy in New York State.”[FN22] As stated supra, liberal disclosure rules for discovery requests exist on the federal level and within many other states’ disclosure policies.
The severity of the claimed injury and the amount of damages requested might play a role in whether a court compels the discovery of private Published Facebook Content as well. Additionally, private Published Facebook Content may be easier for a defendant to compel in a personal injury case than one involving a different cause of action. The Court in Romano quoted a Canadian court, which also permitted the discovery of private Published Facebook Content in a personal injury scenario. The quoted portion is as follows:
To permit a party claiming very substantial damages for loss of enjoyment of life to hide behind self-set privacy controls on a website, the primary purpose of which is to enable people to share information about how they lead their social lives, risks depriving the opposite party of access to material that may be relevant to ensuring a fair trial.[FN23]
In response to the Canadian case, the Court held, “To deny Defendant an opportunity to access these sites not only would go against the liberal discovery policies of New York favoring pre-trial disclosure, but would condone Plaintiff’s attempt to hide relevant information behind self-regulated privacy settings.”[FN24] Not only would a party aiming to compel discovery of private Published Facebook Content have a better chance of success in a loss of enjoyment of life case, but they will likely also have a better chance of proving that the opposing party is hiding relevant information in bad faith.
Another noteworthy part of the decision is the Court’s rejection of Romano’s Fourth Amendment right-to-privacy argument. The Court’s reasoning was that Facebook does not guarantee complete privacy and, thus, Romano had no legitimate reasonable expectation of privacy.[FN25] In the Court’s dicta, the following quote was referenced: “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”[FN26]
IV. Conclusion
Facebook users may have a false sense of security regarding their Published Facebook Content. No matter what types of privacy settings a user puts in place, a court may determine that the Published Facebook Content is discoverable by a party to a lawsuit. For a party attempting to learn more about an adverse party, this could be a pleasant surprise; for a party attempting to hide something that was once posted on his Facebook Page without any thought, it could be the piece of evidence that tears apart his case.
* Darren Heitner is an associate in the Fort Lauderdale, Florida law firm of Koch Parafinczuk & Wolf, P.A., where he practices all kinds of litigation, including an emphasis on intellectual property law. He is the Founder and Chief Executive Officer of Dynasty Athlete Representation, a full service sports agency, and is the Founder and Chief Editor of SportsAgentBlog.com and ChangeLegal.com. Darren graduated from the University of Florida and the University of Florida Levin College of Law.
[FN1] Facebook, http://www.facebook.com/facebook (last visited Dec. 31, 2010).
[FN2] Statement of Rights and Responsibilities, Facebook, http://www.facebook.com/terms.php (last visited Dec. 31, 2010).
[FN3] Facebook’s Privacy Policy, Facebook, http://www.facebook.com/policy.php (last visited Dec. 31, 2010).
[FN4] Facebook, supra note 4.
[FN5] Facebook, supra note 4 (emphasis added).
[FN6] Fed. R. Civ. P. 26(b)(1).
[FN7] Fed. R. Civ. P. 26(b)(5)(A).
[FN8] Fed. R. Civ. P. 26(c)(1).
[FN9] Hecht v. Pro-Football, Inc., 46 F.R.D. 605, 607 (D.D.C. 1969).
[FN10] See McCann v. Harleysville Ins. Co. of N.Y., 912 N.Y.S.2d 614, 615 (N.Y. App. Div. 2010).
[FN11] Id.
[FN12] Id.
[FN13] Id.
[FN14] Id.
[FN15] Romano v. Steelcase Inc., 907 N.Y.S.2d 650, 654-657 (N.Y. Sup. Ct. 2010).
[FN16] Id. at 657.
[FN17] Id. at 652.
[FN18] Id. at 653.
[FN19] See id. at 653.
[FN20] Id. at 654.
[FN21] See id. at 655.
[FN22] Id. at 655.
[FN23] Leduc v. Roman (2009), 308 D.L.R. 4th 353 (Can. Ont. Sup. Ct. J.).
[FN24] Steelcase, 907 N.Y.S.2d at 655.
[FN25] Id. at 656.
[FN26] Dana L. Flemming & Joseph M. Herlihy, What Happens When the College Rumor Mill Goes Online?, 53 B.B.J. 16, 16 (2009).