«Social Media Evidence—How to Find It and How to Use It” Social Media Evidence—How to Find It and How to Use It Moderators: Gary L. Beaver ...»
ABA Section of Litigation, 2013 ABA Annual Meeting, August 8-12, 2013:
“Social Media Evidence—How to Find It and How to Use It”
Social Media Evidence—How to
Find It and How to Use It
Gary L. Beaver
Nexsen Pruet, LLC
Mark A. Romance
O’Melveny & Myers LLP
Los Angeles, CA Cecil A. Lynn III Littler Mendelson P.C.
Phoenix, AZ SOCIAL MEDIA EVIDENCE – How To Find It And How To Use It by Gary L. Beaver, Steven Brower, Amy Longo, Cecil Lynn, and Mark Romance I. The Importance and Forms of Social Media The growth of social media use has been exponential. Over 70% of the people in the U.S. are using social media of one form or another (over 50% on Facebook alone). You have probably never even heard of one of the most widely used social media websites –Qzone – it is a Chinese social media similar to Facebook with over 500 million monthly users.
There are many forms of social media. Litigation attorneys must do their best to keep up with what the public is doing on social media in order to know where to look for evidence. The numbers below are estimated number of users though some or even many may not be active users. The numbers were obtained from various websites and we cannot vouch for their accuracy. They are provided to provide a sense of the important role of social mediarTF today.
Personal interaction/ friendship: Facebook (about 1 billion monthly users); Twitter (500 million); Qzone (500 million); Google-plus (340 million); Tagged (330 million); WeChat (300 million); Badoo (170 million); Netlog (90 million); MyLife (60 million); Tango (mobile video chat – 80 million); Sonico (focused on Latin American users; 55 million); Stumbleupon (30 million); Bebo (30 million); MySpace (25 million unique monthly users).
Business: LinkedIn (200 million users); Branchout (30 million).
Dating sites: match; zoosk; meetup; eharmony; spark; datehookup; okcupid; spark;
gofishdating; mingle2; connectingsingles; howaboutwe; flirt; howaboutwe. Some are a bit more focused: christiandating; christianmingle; jdate (for Jewish faith); blackplanet (for African- Americans); ourtime (over 50 years old); professionalsinglesover40; and for those who are not satisfied with chasing Nigerian fortunes on the internet some Sugar Daddy dating sites – findrichguys.com and seekingmillionaire.com.
Photo and video-sharing and editing: Youtube (800 milliion); Instagram (90 million/ 4 billion photos); Dropbox (100 million); Flickr (75 million); Imgur (50 million); Pinterest (25 million; over 90% are women).
Videos/ audio: YouTube (800 million; 4 billion views per day); Soundcloud (180 million); Socialcam (50 million); Viddy (40 million).
Blogs: Sina Weibo (Chinese; 400 million); Tumblr (over 75 million multimedia blogs and 150 million users); personal blogs (for example, see on the internet the story of the young woman fired from a nonprofit for her graphic sex blog “The Beautiful Kind” created on her own time).
Coupons: Groupon (40 million); Living Social.
Entertainment: Shazam (share movies, TV shows, music; 250 million users and 5 billion tags); Steam (gaming; 50 million).
Shopping preferences: Paypal (117 million); Ebay (100 million); Pinterest (50 million and rising rapidly; only 3 years old; 80% or more of users are women); Foursquare (local businesses and restaurants – 25 million).
Communications: QQ (Chinese instant messaging; 700 million); Skype (280 million);
Ortsbo (200 million); Viber (140 million); Voxer (70 million); Kakao Talk (70 million); Kik Messenger (mobile instant messaging; 30 million).
News: Reddit (40 million; 37 billion).
Directions: Waze (34 million).
There are additional sources of valuable information such as comments on websites’ bulletin boards, note storage (Evernote: 45 million users). You will have to use searches on internet search engines and traditional discovery methods to discover such information.
A review of many reported cases indicates that the likeliest sources of relevant information are Facebook, Twitter, and MySpace. While LinkedIn has become immensely popular, it is work-oriented and postings are less likely to reveal the bad acts and true character of the posters.
Facebook. Your public postings on Facebook go to anyone in the world unless you have placed access restrictions on your Facebook page. Note also that Facebook updates access controls and often defaults new features to “public view” which necessitates frequent checking of preferred settings and options to maintain desired levels of privacy.
Twitter. Twitter posts differ from Facebook posts. Twitter users post “tweets” of up to 140 characters, can monitor, follow, and repost others’ tweets, and can permit or forbid access to their own tweets. Twitter is more like a private electronic bulletin board which is only seen by persons who sign up to be on the board. If you follow someone on Twitter, Twitter will send them an email notifying them that you are following them using your Twitter account name.
Despite this difference, tweets on Twitter are usually discoverable.
MySpace. After dominating from about 2005 to 2008, MySpace appears to have lost the battle for No.1 to Facebook in the personal message arena. However, it has had more success in discovering and promoting new music artists. MySpace is in the process of reinventing itself by focusing on interaction about entertainment, including music, movies, celebrities, and TV.
II. Privacy Protection A. Federal Statutory Privacy Protection. A number of federal statutory schemes
govern the possession and use of individuals’ private data. Included:
1. The Federal Trade Commission Act (FTC Act), 15 U.S. C. § 25, generally prohibits unfair and deceptive acts and practices affecting commerce. The FTC has brought a number of cases under the FTC Act in instances where companies have failed to comply with 2
their own privacy policies. These types of actions have generally arisen in two circumstances:
(1) where the company promised a specific level of data security to its customers, only to have its data compromised because it did not in fact deliver the promised level of security, and; (2) where the company promised not to sell or otherwise disclose customer information to third parties, only to do so when a sale of the information turned out to be financially attractive to the company;
2. The Financial Services Modernization Act, also known as the GrammLeach Bliley Act (GLBA), 15U.S.C. §§ 6801-6809, requires financial institutions to issue privacy notices to their customers giving them the opportunity to opt-out of sharing personally identifiable financial information with outside companies;
3. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), includes provisions designed to encourage electronic transactions and also creates an opt-in framework for the use and disclosure of protected health information. There are hefty criminal and civil penalties available to punish violators;
The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 4.
6501-08 and 16 C.F.R. Part 312, applies to online business collecting information from children under the age of 13;
5. The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g and 34 C.F.R. § 99, and the Protection of Pupil Rights Amendment (PPRA),”), 20 U.S.C.
§ 1232h and 34 C.F.R. § 98, govern student records. Institutions that receive federal funds must comply with FERPA or lose their federal funding. Specifically, the statute and its regulations cover public and private institutions that “provide education services or instruction” and receive any kind of federal funding. See 34 C.F.R. § 99.3.
6. The Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681 et seq., applies to data collected by consumer reporting agencies;
7. The primary statute affecting discovery of social media is the Stored Communications Act (SCA), 18 USC §§ 2707-2711, which is part of the Electronic Communications Privacy Act enacted in 1986. This is a pre-Internet statute. See Section D below for more about the SCA.
B. State data privacy laws. The 50 individual states have their own privacy laws and standards. Many states have laws governing privacy for social security numbers; some have laws governing website privacy policies. Some states, like California, have constitutional provisions as well as numerous privacy statutes (see, e.g., California Constitution, Sec. 1, California Invasion of Privacy Act and Song-Beverly Credit Card Act). California also has a new Privacy Enforcement and Protection Unit. In addition, under California law, businesses are
required to comply with the following state code provisions:
1. Disposal of Customer Records (Calif. Civil Code § 1798.79.8) - Requires businesses to shred, erase, or otherwise modify personal information when disposing of customer records under their control.
2. Security of Personal Information (Calif. Civil Code § 1798.81.5) - This law requires specified businesses to use safeguards to ensure the security of Californians' personal information (defined as name plus SSN, driver's license/state ID, financial account number) and to contractually require third parties to do the same. It does not apply to businesses that are subject to certain other information security laws.
If you seek social media information from an entity in another state, review that state’s data privacy laws to ensure that you do not run afoul of them. Do not count on the target of your discovery request to know the applicable laws and assert the required protections.
C. International data privacy laws may be more restrictive than those in the United States though there are decisions in other countries, including the United Kingdom and France, that allow employers to discipline employees for making social media comments that are detrimental to the employer and its image. The Baker Hostetler law firm has an accessible International Compendium of Data Privacy Laws on its website. It is organized by country and runs about 200 pages long. If you have an issue regarding social media evidence posted by someone outside the United States, then you ought to examine the laws that apply in that country as well as the laws in the country in which you are trying to obtain the information.
In addition to the laws enacted by individual countries, there are international organizations’ laws that might apply. For example, EU Directive 9546 was created to regulate movement of personal data across the borders of the EU countries and to establish security guidelines for storing, transmitting, and processing personal information. It has 33 articles in 8 chapters and took effect in October 1998. Other European Commission (EC) enactments also affect privacy such as the e-Privacy Directive applicable to the communications sector and Framework Decision 2008/977/JHA applicable to police and criminal matters. The EC is also expected to unify data protection in the EU with a single law called the General Data Protection Regulation. A proposal was published on January 25, 2012, and is planned for adoption in 2014, to take effect in 2016 (to allow for the transition).
D. Common Law Protections. In addition to the specific federal statutes described above, common law causes of action provide private remedies where sensitive information is improperly disclosed. Three common law privacy causes of action that can be brought in the wake of improper disclosure of private information include the torts of intrusion upon seclusion;
public disclosure of private facts; and misappropriation of personality. Generally they entail the
1. intrusion upon seclusion is a tort where a given intentional intrusion (in circumstances where there is a reasonable expectation of privacy) would be highly offensive to a reasonable person, but does not include conduct that is simply offensive, insensitive or intrusive in the normal sense;
2. public disclosure of private facts is a tort which occurs when private personal information (such as health information, etc. ) is "published" in a manner that would be highly offensive to a reasonable person. This tort results in liability for the owner of the database in which the information is stored and for the publisher. California recently expanded this tort in
3. misappropriation is a tort where someone else's name or personality is used for gain without consent.
In Roberts v. Careflite, 2012 WL 4662962 (Tex. Ct. App. 2012), Roberts, a paramedic, had commented on Facebook that she had wanted to slap a patient who needed restraining. The post was communicated to a company compliance officer who gave Roberts a calm warning.
Rather than take heed, Roberts again let her anger show in another post and was soon thereafter fired. She challenged the firing by asserting two invasion of privacy torts – public disclosure of private facts and intrusion upon her seclusion. She lost on summary judgment.
In R.S. v. Minnewaska Area Sch. Dist. No. 2149, 894 F.Supp.2d 1128 (D.Minn. 2012), the court allowed a claim for invasion of privacy claim to go forward but dismissed a claim for intentional infliction of emotional distress.
In Lawlor v. North American Corp., 983 N.E.2d 414 (Ill. 2012), the Illinois Supreme Court affirmed a lower court holding that defendant was vicariously liable for “invasion upon seclusion” when its hired investigators obtained her phone records by pretending to be her, i.e., “pretexting.”
E. Social Media and the Stored Communications Act