Can we trust social media publishers to protect our privacy? Barry Murphy, co-founder and principal analyst of EDJ Group, cautions that this question has legal ramifications for every company that uses Facebook, Twitter or any other social service.
In this guest post, Murphy takes a closer look at social media publishers and how big business litigation may expose your social media content.
Can we really rely on the social media publishers to protect our privacy? Major social media publishers (Facebook, Google, LinkedIn, Twitter) tout their privacy policies and controls as a means of protecting users, but close examination of the actual language reveals that publishers have, in fact, carefully crafted policies designed to facilitate the discovery of information should law enforcement or the courts request it.
Let’s take a closer look at the policies of some of the major social media publishers as they relate to eDiscovery:
Facebook (relating to destruction)
When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others). (https://www.Facebook.com/legal/terms)
Facebook (relating to legal discovery)
We may share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of theUnited Stateswhere we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards. We may also share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves and you from violations of our Statement of Rights and Responsibilities; and to prevent death or imminent bodily harm. You acknowledge, consent and agree that we may access, preserve, and disclose your registration and any other information you provide if required to do so by law or in a good faith belief that such access preservation or disclosure is reasonably necessary in our opinion to: (1) comply with legal process, including, but not limited to, civil and criminal subpoenas, court orders or other compulsory disclosures; (2) enforce this Agreement; (3) respond to claims of a violation of the rights of third parties, whether or not the third party is a User, individual, or government agency; (4) respond to customer service inquiries; or (5) protect the rights, property, or personal safety of LinkedIn, our Users or the public. We may preserve or disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property. Google+ We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
- Meet any applicable law, regulation, legal process or enforceable governmental request.
- Enforce applicable Terms of Service, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security or technical issues.
- Protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.
There is little question that publishers will enable eDiscovery of social media content if forced to; there is very little incentive for them to fight costly legal battles against law enforcement agencies or companies with subpoenas. Information you provide to social media publishers is not as private as you might think it is, a reality that is underscored by the fact that each publisher has APIs that solution providers can write to in order to collect information.
Social Media and Litigation: Determining Discoverability
As a mainstream communication and collaboration mechanism, social media poses thorny questions about the discoverability of its content. Is all social media discoverable? Who is responsible for producing social media: companies, individuals, or social media publishers? How can various forms of social media be defensibly collected and preserved?
In determining discoverability, there is not an overwhelming amount of case law pertaining to social media that can be referenced. One important case to note, however, is In re NTL, Inc. Securities Litigation; Gordon Partners, et al., v. Blumenthal, 2007 U.S. Dist. LEXIS 6198. The main idea in this case is that, if a company has “access to documents to conduct business, it has possession, custody or control of documents for the purposes of discovery.”  Essentially, that means companies are on the hook for eDiscovery of social media.
In theory, of course, the Stored Communications Act of 1986 (SCA) prevents publishers from releasing an individual’s information to third parties, even in response to a civil subpoena. But case law regarding social media content has not always been consistent with this. Instead, the courts appear to have adopted the view that social media content may not necessarily remain completely private.
Several recent decisions illustrate the tendency of the courts to expect that, if social media content may be relevant to a given matter, it will be subject to collection and preservation. In Largent v. Reed, for example, the court ruled that information posted by a party on a personal Facebook page was discoverable and not subject to the Stored Communication Act (SCA) because the plaintiff was requesting the information directly from the defendant and not from the publisher (Facebook, in this case). Case law on this issue seems to confirm that social media publishers can be subpoenaed and may be required to turn over information that users might assume is private.
Even more recently, People v. Harris, No. 2011NY080152 (N.Y. Crim. Ct. 2012) featured a ruling in which Twitter was ordered to produce account information for a defendant in a criminal proceeding arising from his participation in the “Occupy” demonstrations. While this is a criminal case, it is another example of how U.S. courts are likely to make information discoverable if it is relevant to a case at hand.
How To Handle Social Media When a Lawsuit Arises
If collection and preservation of social media content is required, the major social media publishers have APIs that third parties can write to in order to enable collection directly from the publisher. By writing to an API, it is possible to capture all of the data and metadata that the publisher makes available – for example, a Facebook page – and then map that data back into a preservation repository. There are many third-party solution providers – such as Actiance, HP/Autonomy, Reed Technologies, Hanzo Archives, Nextpoint, Socialware, SocialLogix, X1 Discovery and Gnip, to name just a few – that integrate with the APIs of major social media publishers.
It is also worth noting that publisher-specific collection exists, such as Twitter’s “public follow” and Facebook’s “download your information.” However, these methods have limitations and won’t be suitable for many cases. For instance, Twitter’s “public follow” feature enables access to past tweets of a specified user and any new tweets in real-time without generating a formal “follow” request, but this feature limits the number of past tweets that can be collected to 3,200 and only works if the user allows tweets to be public.
With Facebook’s “download your information” service, users can download all of the photos or videos they have shared on Facebook wall posts and in messages and chat conversations, as well as friends’ names and some email addresses. However, anecdotes from clients that have used this feature to test for eDiscovery worthiness have sometimes noted inconsistencies between the downloaded material and what was actually on the account. From what eDJ has seen to date, it would not be prudent to rely on this service for eDiscovery purposes.
The Takeaway? Be Ready: Clear Policies And Technologies Can Help Companies and Employees Avoid eDiscovery Nightmares
In order to avoid potential eDiscovery catastrophes – such as sanctions for an inability to collect social media or huge review costs from collecting too much social media – companies need to be ready with both policies and technologies. Internal social media usage policies can help companies control how their employees use these forms of communication. Thoughtful policies can go a long way toward filtering out bad behavior and, if necessary, clamping down on usage of certain kinds of social media. Apart from the specific guidelines they establish, such policies can also serve to raise awareness among employees that social media content, even if it is intended to be private, can be made public as part of litigation or regulatory action.
Finally, it must be said that policies by themselves are not enough to prepare companies for eDiscovery of social media. Savvy companies will also have a technology plan that specifies how to collect different kinds of social media content – either directly from the publisher or via proxy servers, web crawling or screenshots. By having such a plan in place, companies will reduce the risk of being caught unprepared in the event social media content turns out to be relevant to litigation.
Barry Murphy co-founder and principal analyst of EDJ Group
Barry is a thought leader in all things retention — eDiscovery, records management and content archiving. Previously, Barry was Director of Product Marketing at Mimosa Systems, a leading content archiving and eDiscovery software. He joined Mimosa after a highly successful stint as Principal Analyst for eDiscovery, records management and content archiving at Forrester Research.
Barry’s past experience includes covering content management, business process management and Web services technology as an analyst with The Delphi Group. Prior to working forDelphi, Barry was a management consultant at the boutique eBusiness strategy consulting firm eMaven.
Barry has spoken at numerous industry events, including the Forrester IT Forum, AIIM Conference & Expo, the ARMA conference and LegalTech. At these events, he has delivered keynotes and provided industry expertise on moderated panels. He has been quoted in publications including the Wall Street Journal, KMWorld, Red Herring, Computerworld and Intelligent Enterprise, and has appeared as an industry expert on outlets such as CNBC.
Barry received a B.S. from the State University of New York at Binghamton and an M.B.A from the University of Notre Dame. He is an active member of both AIIM and ARMA.