Friends With Benefits (How Privacy Law Evolves for Social Media)
A few weeks ago I examined how copyright law — like most legal subjects dealing with technology — is lagging behind the fast-moving and disruptive changes wrought by social media to old legal rules for determining rights to Internet content. Part of my critique was that in deciding ownership of user-generated content (UGC), courts have not yet evaluated the difference between posting content “in the clear” and restricting content to “friends” or some other defined class far smaller than the entire Internet community.
Things may at last be getting a bit more settled. A New Jersey federal court ruled recently that nonpublic Facebook wall posts are covered by the federal Stored Communications Act (SCA) (18 U.S.C. §§ 2701-12). The SCA, part of the broader Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510 et seq.) that addresses both “the privacy expectations of citizens and the legitimate needs of law enforcement,” protects confidentiality of the contents of “electronic communication services,” providing criminal penalties and a civil remedy for unauthorized access. It’s a decades-old 1986 law that was enacted well before the commercial Internet and either email or social media had become ubiquitous. Yet by interpreting the statute, in light of its purpose, to apply to new technologies, District Judge William J. Martini has done Internet users, and common sense, a great service.
Plaintiff Deborah Ehling, a registered nurse, paramedic and president of her local EMT union — apparently a thorn in the side of her hospital employer for pursuing EPA and labor complaints as well — posted a comment to her Facebook wall implying that the paramedics who arrived on the scene of a shooting at the D.C. Holocaust museum should have let the shooter die. Unbeknownst to Ehling, a co-worker with whom she was Facebook friends had been taking screenshots of her profile page and sending them to a manager at Ehling’s hospital.
Ehling was temporarily suspended with pay and received a memo stating that the hospital was concerned that her comment reflected a deliberate disregard for patient safety. After an unsuccessful NLRB complaint based on labor law, Ehling’s federal lawsuit alleged that the hospital had violated the SCA by improperly accessing her Facebook wall post about the museum shooting, contending that her Facebook wall posts were covered by the law because she selected privacy settings limiting access to her Facebook page to her Facebook friends.
Judge Martini concluded that the SCA indeed applies to Facebook wall posts when a user has limited his or her privacy settings. He noted that “Facebook has customizable privacy settings that allow users to restrict access to their Facebook content. Access can be limited to the user’s Facebook friends, to particular groups or individuals, or to just the user.” Therefore, because the plaintiff selected privacy settings that limited access to her Facebook wall content only to friends and “did not add any MONOC [hospital] managers as Facebook friends,” she met the criteria for SCA-covered private communications.
Facebook wall posts that are configured to be private are, by definition, not accessible to the general public. The touchstone of the Electronic Communications Privacy Act is that it protects private information. The language of the statute makes clear that the statute’s purpose is to protect information that the communicator took steps to keep private. See 18 U.S.C. § 2511(2)(g)(i) (there is no protection for information that is “configured [to be] readily accessible to the general public”). [The] SCA confirms that information is protectable as long as the communicator actively restricts the public from accessing the information.
That’s a bold move by a jurist sensitive to the constraints on Congress, especially one as polarized as we have in America today. It reflects a willingness to adapt the law to changing technology by application of the basic principles and purposes of legislation, even if the statutory framework is old and its language somewhat archaic. As Judge Martini observed with a bit of consternation, “Despite the rapid evolution of computer and networking technology since the SCA’s adoption, its language has remained surprisingly static.” Thus, the “task of adapting the Act’s language to modern technology has fallen largely upon the courts.”
Three final points. First, the precedent established here applies only to the SCA. So even though its reasoning would suggest the conclusion that UGC is protected by copyright when a user, for instance, limits her Facebook photos only to friends — and conversely is unprotected if posted photos are freely available to the public — some other court will need to connect the dots in a later case. Second, the SCA is hardly a satisfactory solution, even as now interpreted, because it protects only short-term electronic communications, not those 180+ days or older. (Whether the Fourth Amendment overrides that hole is another issue the courts are currently wrestling with.) Third, Nurse Ehling lost her case. The crucial fact there was that her co-worker and admitted Facebook friend had authorized access to Ehling’s wall posts, and were responsible for revealing its contents, hence the hospital had done nothing wrong.
It is often said that privacy and data security are symbiotic. Less attention has been given to the fact that as technology disrupts social interaction with virtual friendships and self-generated content, privacy and copyright are also integrally related. Ehling v. Monmouth-Ocean Hospital Service Corp. is one sign that the law can react to such pervasive change, but slowly and cautiously. So while the Ehling decision clarifies privacy as between social media friends and third-parties, still unresolved is what right, if any, a friend has to user-shared, restricted Web content. For that issue, both copyright and privacy law, such as state tort rules on invasion of privacy, remain very much still in limbo.