So Much Social Media Data, So Little Guidance

The explosion of social networking represents a paradigm shift in online communications. According to the latest statistics, individuals now spend more time interacting through social networking sites than they do through traditional e-mail. (See, “What Americans Do Online: Social Media and Games Dominate Activity,” Nielson.com, Aug. 2, 2010.) Facebook alone now boasts more than 500 million active members, larger than the entire population of the United States. See, Facebook Press Room: Statistics (www.facebook.com/press/info.php?statistics); and Robert Schlesinger, “U.S. Population, 2010: 308 Million and Growing,” U.S. News.com, Dec. 30, 2009. MySpace, Twitter, LinkedIn, and other sites have seen similar growth.

This new mode of communication is not simply confined to personal use. Businesses have discovered social networking's marketing potential and have set up their own social networking pages to attract customers and promote their products or services.

All of this online social interaction has created mountains of personal information about users that, prior to the advent of social networking, would have been regarded as private and difficult to obtain.

The potential usefulness of that data in litigation is obvious. With just a few mouse clicks, litigators can investigate the background and views of opposing
parties and key witnesses ' as well as potential jurors. See, “Web Searches As a Litigation Tool,” Internet Law & Strategy, March 2010 (www.ljnonline.com/issues/ljn_internetlaw/8_3/news/153405-1.html). With a bit more digging, these sites may also reveal the existence of less obvious witnesses and important evidence in a case. See, e.g., Mackelprang v. Fidelity Nat'l Title Agency, No. 2:06-cv-00788-JCM-GWF, 2007 U.S. Dist. LEXIS 2379 (D. Nev. Jan. 9, 2007) (defendant sought to admit content on plaintiff's social networking page to counter plaintiff's sexual harassment claim).

Social networking sites have already proven their worth to plaintiffs' lawyers in mass tort and consumer cases by revealing consumer complaints about products, and as a means of recruiting and interacting with potential clients.

The prevalence of social networking data raises novel issues with respect to the use of this information in litigation. Preservation, privacy and admissibility issues frequently arise in this context, as do many others. Unfortunately, the law has significantly lagged behind social networking. Some of the more problematic issues are only now being addressed, while others continue to wait much needed guidance from the courts.

Access and Preservation Challenges

Litigants seeking social networking data face considerable challenges with respect to both access and preservation of potential evidence.

A user's online pages are usually password protected and their contents can be deleted with just a few strokes of the keyboard. Social networking pages are also dynamic, with new content frequently added or changed. A user's social network page, therefore, may be significantly different from day-to-day, or even hour-to-hour.

These characteristics make it difficult to access and isolate the contents of social networking pages at any given point in time. Indeed, the individual's own computer may not provide a “picture” or “snapshot” of the page as it appeared at a time relevant to the litigation. As discussed further below, privacy and authentication issues present real obstacles for parties attempting to use social networking data in litigation.

For litigants, including businesses, that may be the target of discovery requests seeking social networking data, the problems of access and preservation are likewise complex. Parties generally have a duty to preserve any potentially relevant evidence once litigation is “reasonably anticipated.” Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, No. 05 Civ. 9016, 2010 U.S. Dist. LEXIS 4546, at 14-15 (S.D.N.Y. Jan. 15, 2010). And courts have imposed significant penalties on parties who fail to preserve electronically stored information.

To the extent that businesses maintain social networking pages, a duty to preserve that data may arise if relevant to anticipated or actual litigation. That data will also need to be captured as part of a litigation hold. While many businesses have protocols and document preservation policies directed at traditional e-mail and electronic computer files, few have procedures that touch upon or concern social networking data. These businesses will be ill prepared to meet their preservation obligations with respect to that data.

Even more problematic for businesses, employees may use company computers to post messages to their personal social networking accounts that will be relevant to litigation. This information may, in fact, be accessible in the form of “cached” Web pages on a company's computer servers. The company, however, may not even be aware that an employee's personal social networking postings are available on its system, and that information is unlikely to be captured by a traditional litigation hold.

In these circumstances, there is a considerable risk that relevant data will be lost or destroyed, with potentially serious consequences for both the party seeking the information, as well as the party who has a duty to preserve it. Unfortunately, little guidance has been provided by the courts regarding a company's obligations in these circumstances, and a number of unanswered questions remain. Businesses are therefore well advised to develop internal policies governing the use and preservation of social networking data, and should make those policies well known to their employees.

Privacy

The retrieval and use of information on social networking sites can pose Fourth Amendment and privacy concerns, and there are a number of factors that may affect the level of protection a court is willing to grant these communications. First, the Stored Communications Act (“SCA”), 18 U.S.C. '2702, presents a threshold challenge to litigants seeking to obtain an individual's social networking data directly from a third party social networking Web site.

In Crispin v. Christian Audigier Inc., No. CV 09-09509 MMM, 2010 U.S. Dist. LEXIS 52832 (C.D. Cal. May 26, 2010), the U.S. District Court for the Central District of California examined whether messages and “wall posts” from social networking sites can be subpoenaed in a civil case. Plaintiff in that case brought an action for the misuse and non-consensual use of his artwork. Id. at 2. Defendants served subpoenas on Facebook and MySpace, seeking all of plaintiff's communications related to a relevant license agreement. Id. at 4-5.

In its ruling on plaintiff's motion to quash, the court held that the SCA prevents providers of communication services from divulging private communications to certain parties and creates a Fourth Amendment-like privacy protection by statute. Id. at 12. The court therefore extended protection to private messages on social networking sites since they “are not readily accessible to the general public.” Id. at 77. At the same time, the court implied that wall postings and comments on these sites are not protected where they are readily available to a wider audience. Id. at 78-79.

For parties seeking to prevent disclosure of social networking data on privacy grounds, a “reasonable expectation of privacy under the circumstances” must be demonstrated. See, Moreno v. Hanford Sentinel Inc., 91 Cal. Rptr. 3d 858, 862 (Cal. Ct. App. 2009). As the author of a profile or social networking communication, a user has the primary responsibility to limit access to information that the user believes is private.

Based on Web site privacy preferences chosen by the user, a profile page or other communication may be available to the general public or only those authorized to access it. Where the user elects to make information available more generally, the courts have held that there is a lower expectation of privacy and, consequently, such information will receive less protection from disclosure. See, Guest v. Leis, 255 F.3d 325 (6th Cir. 2001) (public postings lack a legitimate expectation of privacy); see also, Moreno, 91 Cal. Rptr. 3d at 862 (since plaintiff posted her article on MySpace, “no reasonable person would have had an expectation of privacy regarding the published material.”)

Other factors may also undermine a user's expectation of privacy in social network postings. For example, in the employment setting, social networking data created or accessed by an employee on the employer's computer may be subject to company policies in effect at the time. Those policies may very well provide that an employee has no expectation of privacy with respect to communications using company computer systems.

Indeed, even “privacy policies” established by social networking sites may weaken a user's privacy claim. Many of these policies make clear that information provided by the user is generally intended to be shared with others.

Similarly, the function and/or purpose of a social networking site may also be important in determining whether a user has a reasonable expectation of privacy. Some such sites may be geared toward more limited, professional networking, while others may strive to spread a user's postings far and wide. Compare Twitter “About Us” (“Twitter asks 'what's happening' and makes the answer spread across the globe to millions, immediately”) with LinkedIn “About Us” (“LinkedIn exists to help you make better use of your professional network .'”).

Likewise, the type of social networking data requested may also be a factor in determining privacy protection. For example, users of social networking sites will likely have a stronger privacy interest in Web mail and private messages sent through those sites and directed at a particular recipient, as opposed to comments posted on profile pages that may be available to others more generally. See, Crispin, 2010 U.S. Dist. LEXIS at 77 (“[w]ith respect to [W]eb mail and private messaging, the court is satisfied that those forms of communications media are inherently private such that stored messages are not readily accessible to the general public.”); see also, United States v. Maxwell, 45 M.J. 406, 417 (C.A.A.F. 1996) (indicating that general e-mail messages are afforded more privacy than “chat room” postings).

Admissibility

Assuming that access, preservation, and privacy issues can all be overcome in a bid to use social networking evidence in litigation, a final challenge awaits. Ultimately, the data must be admitted into evidence, and all of the rules for admissibility that apply to other forms of evidence apply to social networking data. See, Lorraine v. Markel Am. Insur. Co., No. PWG-06-1893, 2007 U.S. Dist. LEXIS 33020, at 15 (D. Md. May 4, 2007) (indicating that the rules of evidence must be considered whenever electronically stored information is offered as evidence). Particularly problematic in this regard is the foundational requirement of authenticity.

Information found on social networking sites is especially susceptible to fraud and manipulation. See, Vasanth Sridharan, “How to Hack Facebook in 51 Seconds,” Business Insider.com, March 28, 2008. And the problem of viruses or spam e-mails from “friends” as a result of Internet hacking is prevalent in social networking communications. See, Claire Suddath, “The Downside of Friends: Facebook's Hacking Problem,” TIME.com, May 5, 2009. Moreover, as mentioned earlier, there is the problem of obtaining an accurate snapshot of a social networking page at any given point in time. For these reasons, courts are especially cautious when admitting social networking data and other electronically stored information (“ESI”). See, Lorraine at 33 (“courts have recognized that authentication of ESI may require greater scrutiny than that required for the authentication of 'hard copy' documents.”)

As the court observed in Lorraine: “Application of the Federal Rules of Evidence to electronic information ' is not well settled and courts vary in how they weigh whether evidence is sufficient to support a finding of authenticity.” See also, Ronald J. Levine and Susan L. Swatski-Lebson, “Whose Space? Discoverability of Social Networking Web Sites,” Internet Law & Strategy, December 2008 (www.ljnonline.com/issues/ljn_internetlaw/6_12/news/151425-1.html); and Lorraine at 36 (“there is no 'one size fits all' approach that can be taken when authenticating electronic evidence, in part because technology changes so rapidly that it is often new to many judges.”)

The court, however, observed that Rule 901(b)(4) is most frequently used to authenticate electronically stored information, including the content of Web sites. Lorraine at 44-45. Under that rule, authentication may be accomplished by circumstantial evidence. Id. at 44. Importantly, the creation of electronic data may itself produce certain information that can be used as circumstantial evidence to identify the author of the posting. See, e.g., Id. at 50 (“metadata shows the date, time and identity of the creator of an electronic record, as well as all changes made to it.”) The court in Lorraine described the use of “hash marks” (numerical identifiers assigned to a file) and “metadata” (information describing the history, tracking, or management of an electronic document) as potentially useful in authenticating electronic data. Id. at 46-49.

This same information might also prove useful in identifying the contents of a user's social network page at a certain point in time. For these reasons, litigants are well advised to seek metadata and other identifying information in discovery.

The Future

With the number of online social network users growing each year, such data will undoubtedly expand as an important litigation tool. And as social networking data takes greater prominence in litigation, issues beyond those mentioned in this article will certainly arise.

Unfortunately, the law is far behind this new form of communication. Just as occurred with the advent of e-mail, however, the courts need to address the challenges and complexities raised by social networking and provide meaningful guidance to litigants.

Businesses likewise need to recognize that social networking data has the potential to create significant exposure to companies both in terms of liability and in the cost of complying with electronic discovery. For these reasons, the development of comprehensive internal policies will be a key to managing the business risks created by online social networking.

The explosion of social networking represents a paradigm shift in online communications. According to the latest statistics, individuals now spend more time interacting through social networking sites than they do through traditional e-mail. (See, “What Americans Do Online: Social Media and Games Dominate Activity,” Nielson.com, Aug. 2, 2010.) Facebook alone now boasts more than 500 million active members, larger than the entire population of the United States. See, Facebook Press Room: Statistics (www.facebook.com/press/info.php?statistics); and Robert Schlesinger, “U.S. Population, 2010: 308 Million and Growing,” U.S. News.com, Dec. 30, 2009. MySpace, Twitter, LinkedIn, and other sites have seen similar growth.

This new mode of communication is not simply confined to personal use. Businesses have discovered social networking's marketing potential and have set up their own social networking pages to attract customers and promote their products or services.

All of this online social interaction has created mountains of personal information about users that, prior to the advent of social networking, would have been regarded as private and difficult to obtain.

The potential usefulness of that data in litigation is obvious. With just a few mouse clicks, litigators can investigate the background and views of opposing
parties and key witnesses ' as well as potential jurors. See, “Web Searches As a Litigation Tool,” Internet Law & Strategy, March 2010 (www.ljnonline.com/issues/ljn_internetlaw/8_3/news/153405-1.html). With a bit more digging, these sites may also reveal the existence of less obvious witnesses and important evidence in a case. See, e.g., Mackelprang v. Fidelity Nat'l Title Agency, No. 2:06-cv-00788-JCM-GWF, 2007 U.S. Dist. LEXIS 2379 (D. Nev. Jan. 9, 2007) (defendant sought to admit content on plaintiff's social networking page to counter plaintiff's sexual harassment claim).

Social networking sites have already proven their worth to plaintiffs' lawyers in mass tort and consumer cases by revealing consumer complaints about products, and as a means of recruiting and interacting with potential clients.

The prevalence of social networking data raises novel issues with respect to the use of this information in litigation. Preservation, privacy and admissibility issues frequently arise in this context, as do many others. Unfortunately, the law has significantly lagged behind social networking. Some of the more problematic issues are only now being addressed, while others continue to wait much needed guidance from the courts.

Access and Preservation Challenges

Litigants seeking social networking data face considerable challenges with respect to both access and preservation of potential evidence.

A user's online pages are usually password protected and their contents can be deleted with just a few strokes of the keyboard. Social networking pages are also dynamic, with new content frequently added or changed. A user's social network page, therefore, may be significantly different from day-to-day, or even hour-to-hour.

These characteristics make it difficult to access and isolate the contents of social networking pages at any given point in time. Indeed, the individual's own computer may not provide a “picture” or “snapshot” of the page as it appeared at a time relevant to the litigation. As discussed further below, privacy and authentication issues present real obstacles for parties attempting to use social networking data in litigation.

For litigants, including businesses, that may be the target of discovery requests seeking social networking data, the problems of access and preservation are likewise complex. Parties generally have a duty to preserve any potentially relevant evidence once litigation is “reasonably anticipated.” Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, No. 05 Civ. 9016, 2010 U.S. Dist. LEXIS 4546, at 14-15 (S.D.N.Y. Jan. 15, 2010). And courts have imposed significant penalties on parties who fail to preserve electronically stored information.

To the extent that businesses maintain social networking pages, a duty to preserve that data may arise if relevant to anticipated or actual litigation. That data will also need to be captured as part of a litigation hold. While many businesses have protocols and document preservation policies directed at traditional e-mail and electronic computer files, few have procedures that touch upon or concern social networking data. These businesses will be ill prepared to meet their preservation obligations with respect to that data.

Even more problematic for businesses, employees may use company computers to post messages to their personal social networking accounts that will be relevant to litigation. This information may, in fact, be accessible in the form of “cached” Web pages on a company's computer servers. The company, however, may not even be aware that an employee's personal social networking postings are available on its system, and that information is unlikely to be captured by a traditional litigation hold.

In these circumstances, there is a considerable risk that relevant data will be lost or destroyed, with potentially serious consequences for both the party seeking the information, as well as the party who has a duty to preserve it. Unfortunately, little guidance has been provided by the courts regarding a company's obligations in these circumstances, and a number of unanswered questions remain. Businesses are therefore well advised to develop internal policies governing the use and preservation of social networking data, and should make those policies well known to their employees.

Privacy

The retrieval and use of information on social networking sites can pose Fourth Amendment and privacy concerns, and there are a number of factors that may affect the level of protection a court is willing to grant these communications. First, the Stored Communications Act (“SCA”), 18 U.S.C. '2702, presents a threshold challenge to litigants seeking to obtain an individual's social networking data directly from a third party social networking Web site.

In Crispin v. Christian Audigier Inc., No. CV 09-09509 MMM, 2010 U.S. Dist. LEXIS 52832 (C.D. Cal. May 26, 2010), the U.S. District Court for the Central District of California examined whether messages and “wall posts” from social networking sites can be subpoenaed in a civil case. Plaintiff in that case brought an action for the misuse and non-consensual use of his artwork. Id. at 2. Defendants served subpoenas on Facebook and MySpace, seeking all of plaintiff's communications related to a relevant license agreement. Id. at 4-5.

In its ruling on plaintiff's motion to quash, the court held that the SCA prevents providers of communication services from divulging private communications to certain parties and creates a Fourth Amendment-like privacy protection by statute. Id. at 12. The court therefore extended protection to private messages on social networking sites since they “are not readily accessible to the general public.” Id. at 77. At the same time, the court implied that wall postings and comments on these sites are not protected where they are readily available to a wider audience. Id. at 78-79.

For parties seeking to prevent disclosure of social networking data on privacy grounds, a “reasonable expectation of privacy under the circumstances” must be demonstrated. See , Moreno v. Hanford Sentinel Inc. , 91 Cal. Rptr. 3d 858, 862 (Cal. Ct. App. 2009). As the author of a profile or social networking communication, a user has the primary responsibility to limit access to information that the user believes is private.

Based on Web site privacy preferences chosen by the user, a profile page or other communication may be available to the general public or only those authorized to access it. Where the user elects to make information available more generally, the courts have held that there is a lower expectation of privacy and, consequently, such information will receive less protection from disclosure. See , Guest v. Leis , 255 F.3d 325 (6th Cir. 2001) (public postings lack a legitimate expectation of privacy); see also , Moreno , 91 Cal. Rptr. 3d at 862 (since plaintiff posted her article on MySpace, “no reasonable person would have had an expectation of privacy regarding the published material.”)

Other factors may also undermine a user's expectation of privacy in social network postings. For example, in the employment setting, social networking data created or accessed by an employee on the employer's computer may be subject to company policies in effect at the time. Those policies may very well provide that an employee has no expectation of privacy with respect to communications using company computer systems.

Indeed, even “privacy policies” established by social networking sites may weaken a user's privacy claim. Many of these policies make clear that information provided by the user is generally intended to be shared with others.

Similarly, the function and/or purpose of a social networking site may also be important in determining whether a user has a reasonable expectation of privacy. Some such sites may be geared toward more limited, professional networking, while others may strive to spread a user's postings far and wide. Compare Twitter “About Us” (“Twitter asks 'what's happening' and makes the answer spread across the globe to millions, immediately”) with LinkedIn “About Us” (“LinkedIn exists to help you make better use of your professional network .'”).

Likewise, the type of social networking data requested may also be a factor in determining privacy protection. For example, users of social networking sites will likely have a stronger privacy interest in Web mail and private messages sent through those sites and directed at a particular recipient, as opposed to comments posted on profile pages that may be available to others more generally. See, Crispin, 2010 U.S. Dist. LEXIS at 77 (“[w]ith respect to [W]eb mail and private messaging, the court is satisfied that those forms of communications media are inherently private such that stored messages are not readily accessible to the general public.”); see also , United States v. Maxwell , 45 M.J. 406, 417 (C.A.A.F. 1996) (indicating that general e-mail messages are afforded more privacy than “chat room” postings).

Admissibility

Assuming that access, preservation, and privacy issues can all be overcome in a bid to use social networking evidence in litigation, a final challenge awaits. Ultimately, the data must be admitted into evidence, and all of the rules for admissibility that apply to other forms of evidence apply to social networking data. See, Lorraine v. Markel Am. Insur. Co., No. PWG-06-1893, 2007 U.S. Dist. LEXIS 33020, at 15 (D. Md. May 4, 2007) (indicating that the rules of evidence must be considered whenever electronically stored information is offered as evidence). Particularly problematic in this regard is the foundational requirement of authenticity.

Information found on social networking sites is especially susceptible to fraud and manipulation. See, Vasanth Sridharan, “How to Hack Facebook in 51 Seconds,” Business Insider.com, March 28, 2008. And the problem of viruses or spam e-mails from “friends” as a result of Internet hacking is prevalent in social networking communications. See, Claire Suddath, “The Downside of Friends: Facebook's Hacking Problem,” TIME.com, May 5, 2009. Moreover, as mentioned earlier, there is the problem of obtaining an accurate snapshot of a social networking page at any given point in time. For these reasons, courts are especially cautious when admitting social networking data and other electronically stored information (“ESI”). See, Lorraine at 33 (“courts have recognized that authentication of ESI may require greater scrutiny than that required for the authentication of 'hard copy' documents.”)

As the court observed in Lorraine: “Application of the Federal Rules of Evidence to electronic information ' is not well settled and courts vary in how they weigh whether evidence is sufficient to support a finding of authenticity.” See also, Ronald J. Levine and Susan L. Swatski-Lebson, “Whose Space? Discoverability of Social Networking Web Sites,” Internet Law & Strategy, December 2008 (www.ljnonline.com/issues/ljn_internetlaw/6_12/news/151425-1.html); and Lorraine at 36 (“there is no 'one size fits all' approach that can be taken when authenticating electronic evidence, in part because technology changes so rapidly that it is often new to many judges.”)

The court, however, observed that Rule 901(b)(4) is most frequently used to authenticate electronically stored information, including the content of Web sites. Lorraine at 44-45. Under that rule, authentication may be accomplished by circumstantial evidence. Id. at 44. Importantly, the creation of electronic data may itself produce certain information that can be used as circumstantial evidence to identify the author of the posting. See, e.g., Id. at 50 (“metadata shows the date, time and identity of the creator of an electronic record, as well as all changes made to it.”) The court in Lorraine described the use of “hash marks” (numerical identifiers assigned to a file) and “metadata” (information describing the history, tracking, or management of an electronic document) as potentially useful in authenticating electronic data. Id. at 46-49.

This same information might also prove useful in identifying the contents of a user's social network page at a certain point in time. For these reasons, litigants are well advised to seek metadata and other identifying information in discovery.

The Future

With the number of online social network users growing each year, such data will undoubtedly expand as an important litigation tool. And as social networking data takes greater prominence in litigation, issues beyond those mentioned in this article will certainly arise.

Unfortunately, the law is far behind this new form of communication. Just as occurred with the advent of e-mail, however, the courts need to address the challenges and complexities raised by social networking and provide meaningful guidance to litigants.

Businesses likewise need to recognize that social networking data has the potential to create significant exposure to companies both in terms of liability and in the cost of complying with electronic discovery. For these reasons, the development of comprehensive internal policies will be a key to managing the business risks created by online social networking.