Robin Wilton blogs about the Romano v. Steelcase case:
There has been a court ruling recently with significant implications for organisations with any kind of a data governance regime – particularly if it concerns the handling of personal information. What has triggered this all starts with a Facebook profile…
If you search for “Jeffrey Arlen Spinner” online you will find, among other things, a link to his Facebook profile. Follow that link and you’ll find a photo, along with a list of some of Jeffrey’s interests, and some very minimal biographical data – for instance, he admits that he’s male (thanks, I inferred that from the photo…), but is reticent about his age. If you have a Facebook account, you might even log on and have a look at his public profile page. On that page, you will see the following message:
“People who aren’t friends with Jeffrey see only some of his profile information. If you know Jeffrey personally, send him a message or add him as a friend.”
It would seem that Jeffrey has a pretty good grasp of the difference between data he’s willing to disclose via the profile visible to anyone with a computer, and data which is only accessible to those he has defined as friends using the preference settings Facebook makes available.
All pretty unremarkable – except that Jeffrey happens not to be plain “Mr Spinner” – he is in fact Acting Supreme Court Justice in Suffolk County, NY. In that role he recently ruled in the case of Romano v Steelcase Furniture, concluding that Mrs Romano’s Facebook postings should be disclosed in full (regardless of whether they were from her public or private pages, and irrespective of whether they were current or deleted) as part of the pre-trial discovery process.
Read more on Gartner. Although I do not agree with Wilton on every point he raises, I do agree — also as a non-lawyer — that Judge Spinner’s reasoning is faulty in at least one section of the opinion (citations and footnotes omitted):
Indeed, as neither Facebook nor MySpace guarantee complete privacy, Plaintiff has no legitimate reasonable expectation of privacy. In this regard, MySpace warns users not to forget that their profiles and MySpace Forums are public spaces, and Facebook’s privacy policy set forth, inter alia, that:
You post User Content . . . on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable.
Further that:
When you use Facebook, certain information you post or share with third parties (e.g., a friend or someone in your network), such as personal information, comments, messages, photos, videos . . . may be shared with others in accordance with the privacy settings you select. All such sharing of information is done at your own risk. Please keep in mind that if you disclose personal information in your profile or when posting comments, messages, photos, videos, Marketplace listing or other items, this information may become publicly available.
Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist. Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy. As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”
Accepting some risk of a possible security breach due to forces outside of a social networking site is not the same as waiving an expectation of privacy. Customers are saying, “I expect you to keep my posts private consistent with your privacy policy and my privacy settings, although I realize that if the site is hacked, my information may become public.” Site users also realize that even if their settings are private, someone who legitimately views their information may commit an indiscretion or intentional privacy violation and reveal that information to others. But that does not mean that the individual has consented to the information being shared in that way or that any expectation of privacy they have is therefore unreasonable.
No site or organization can totally guarantee complete privacy. I expected the judge to make the old “third party” argument, but this is different. If the judge wants to argue that anything less than a guarantee of total and complete privacy means that individuals who use a service or company waive a reasonable expectation of privacy, then let’s time travel back to the 1700’s and keep everything in our homes.
Don’t get me wrong: I do think the judge’s decision is consistent with other e-discovery rulings, but his logic here seems really faulty.
Via @privacyfocused
Update: Andy Serwin comments on the case over on Privacy & Security Source.