Robin Wilton blogs about the Romano v. Steelecase case:
There has been a court ruling recently with significant implications for organisations with any kind of a data governance regime – particularly if it concerns the handling of personal information. What has triggered this all starts with a Facebook profile…
If you search for “Jeffrey Arlen Spinner” online you will find, among other things, a link to his Facebook profile. Follow that link and you’ll find a photo, along with a list of some of Jeffrey’s interests, and some very minimal biographical data – for instance, he admits that he’s male (thanks, I inferred that from the photo…), but is reticent about his age. If you have a Facebook account, you might even log on and have a look at his public profile page. On that page, you will see the following message:
“People who aren’t friends with Jeffrey see only some of his profile information. If you know Jeffrey personally, send him a message or add him as a friend.”
It would seem that Jeffrey has a pretty good grasp of the difference between data he’s willing to disclose via the profile visible to anyone with a computer, and data which is only accessible to those he has defined as friends using the preference settings Facebook makes available.
All pretty unremarkable – except that Jeffrey happens not to be plain “Mr Spinner” – he is in fact Acting Supreme Court Justice in Suffolk County, NY. In that role he recently ruled in the case of Romano v Steelcase Furniture, concluding that Mrs Romano’s Facebook postings should be disclosed in full (regardless of whether they were from her public or private pages, and irrespective of whether they were current or deleted) as part of the pre-trial discovery process.
Read more on Gartner. Although I do not agree with Wilton on every point he raises, I do agree — also as a non-lawyer — that Judge Spinner’s reasoning is faulty in at least one section of the opinion (citations and footnotes omitted):
You post User Content . . . on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable.
When you use Facebook, certain information you post or share with third parties (e.g., a friend or someone in your network), such as personal information, comments, messages, photos, videos . . . may be shared with others in accordance with the privacy settings you select. All such sharing of information is done at your own risk. Please keep in mind that if you disclose personal inlormation in you profile or when posting comments, messages, photos, videos. Marketplace listing or other items. this information may become publicly available.
Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist. Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy. As recently set forth by commentators regarding privacy and social networking sitcs, given the millions of users, “[iln this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking . ”
No site or organization can totally guarantee complete privacy. I expected the judge to make the old “third party” argument, but this is different. If the judge wants to argue that anything less than a guarantee of total and complete privacy means that individuals who use a service or company waive a reasonable expectation of privacy, then let’s time travel back to the 1700’s and keep everything in our homes.
Don’t get me wrong: I do think the judge’s decision is consistent with other e-discovery rulings, but his logic here seems really faulty.
Update: Andy Serwin comments on the case over on Privacy & Security Source.