Can You Be Forced to Turn Over Your Social Network Passwords in a Civil Case?

facebook-scales-1Let’s say you’re the plaintiff in a civil case against a neighbor, an employer, or a company you’ve done business with. And let’s say that you have a Facebook account. The other side believes that some of your Facebook communications might be relevant to the case, so they specifically request access to your account. You refuse, and the issue goes to the court to sort out. How should the court rule? Specifically, what should the court order you to do? Do you have to give the password for your account over to a party that, to put it mildly, you are probably not on the best of terms with?

Surprisingly, at least one court has said yes, and I believe similar requests are being made in courts all around the country. I believe this is a deeply disturbing development and is the result of either a failure to understand social networking technology, the rules of civil procedure, or both.

The case is Romano v. Steelcase Inc., 2010 N.Y. Slip Op. 20388 (Sept. 21, 2010). (H/T NY Law Journal, via Kashmir Hill, via Dan Solove.) In Romano, the plaintiff, Kathleen Romano, is suing Steelcase, the manufacturer of her office desk chair, for injuries she received as a result of alleged defects in the chair. Steelcase requested access to her Facebook and MySpace accounts, the public portions of which they claimed “reveal[ ] that she has an active lifestyle and can travel and apparently engages in many other physical activities inconsistent with her claims in this litigation.” The court — properly, in my view — held that the requested information was relevant and rejected the plaintiff’s privacy arguments that she should not have to produce any information at all from her Facebook and Myspace accounts. The court then ordered the following relief:

ORDERED, that Defendant STEELCASE’s motion for an Order granting said Defendant access to Plaintiff’s current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information, is hereby granted in all respects; and it is further

ORDERED, that, within 30 days from the date of service of a copy of this Order, as directed herein below, Plaintiff shall deliver to Counsel for Defendant STEELCASE a properly executed consent and authorization as may be required by the operators of Facebook and MySpace, permitting said Defendant to gain access to Plaintiff’s Facebook and MySpace records, including any records previously deleted or archived by said operators . . . .

As I indicated, I don’t believe this is an isolated incident. I’ve heard of similar requests being made here in Wisconsin, and there are probably other court orders out there that just haven’t made the news. In fact, this is probably the initial wave of a growing trend. So what’s wrong with issuing such an order?

Plenty. First of all, Romano was overreaching in trying to block any production at all of information from her Facebook account on privacy grounds. Parties in American courts are given broad latitude in seeking relevant materials; the general standard under the Federal Rules of Civil Procedure is “any nonprivileged matter that is relevant to any party’s claim or defense,” including finding leads to other admissible evidence. (R.26(b)(1). Romano is a New York case under N.Y. C.P.L.R. § 3101, but the differences are immaterial.) If the information is particularly sensitive and not terribly useful, Romano might have been able to seek a protective order, but there’s no across-the-board principle that says that individuals can never be forced to turn over private but relevant communications with third parties in a litigation. Certainly photos or descriptions of Romano engaged in vigorous activity pass the relevance test.

But in ordering Romano to turn over her account password, the court went way too far. The proper order would have been to require Romano to produce the requested material to Steelcase, not to allow Steelcase to go rummaging around in her account for it. The court spends quite some time talking about how Romano has no privacy interest in her Facebook and Myspace accounts, but that is not only false, it’s irrelevant to the question of how the requested information should be produced.

Social networking communications come in many forms. Some are communications made publicly available to the world. Others are posts visible to one’s entire network of “friends,” which can number in the dozens (if you’re like me) or even thousands. Still others are posts visible to some subset of that network, such as a group labeled “close friends.” Finally, social network sites can be used to send one-to-one communications that act just like emails.

In other words, communications on social networks have varying levels of privacy and relevance, just like other forms of communication, such as written documents. The ordinary discovery procedures for written documents are clear: one party must file a request with the other to produce relevant documents. The other party’s attorneys then do what litigation associates everywhere lovingly call a “document review”; they review the documents first to cull out documents that have not been asked for, then documents the production of which would be objectionable for some reason–for instance, privileged communications with counsel or material discussing litigation strategy. Only then are the remaining documents turned over to the other side for inspection.

It would be a highly intrusive system if the normal procedure was, instead of a party producing its own documents, the other party’s attorneys entering your house or business, looking through all your papers and effects, and taking away the material that in their judgement was relevant and non-privileged. That’s why the default is that parties produce their own materials after reviewing them first, except in very unusual cases. That default procedure does not depend on the producing party being able to show any special privacy interest in the materials — the general rule is that strangers shouldn’t be allowed to go rifling through your stuff, no matter how private you’ve kept it.

There aren’t many cases on point; it appears that few litigants have tried to make an argument in the pen-and-paper world that they should be allowed to go fishing for documents on the other side’s premises. At least one court has held that a Rule 34 request to permit inspection does not allow the requesting party to go roving around the other side’s facilities, questioning employees in mini-unsworn depositions without notice or the opportunity for objections. See Belcher v. Bassett Furniture Indus., Inc., 588 F.2d 904, 907-908 (4th Cir. 1978).

The electronic world is no different. There may be unusual circumstances where direct access to a hard drive or server is required, as the Rules Advisory Committee recognized in 2006 in updating the federal rules to account for electronically stored information. The committee was careful to note that “addition of testing and sampling to Rule 34(a) with regard to documents and electronically stored information is not meant to create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.” As Moore’s Federal Practice concludes, “Any order for such discovery should define parameters of time and scope, and place sufficient access restrictions to protect the party from whom discovery is requested.” 7 Moore’s Federal Practice § 34.12.

There’s all sorts of irrelevant and embarrassing information that might be social networking sites. An individual might have sent flirting messages to someone. Satirical political posts might be misinterpreted out of context. Drunken party pictures or photos of one’s children might have no relevance to the case. Granting the opposing party access to the account means that they will see everything you’ve ever done with the account, no matter how irrelevant to the facts of the case. Indeed, it means that they will have continuing access to all of your communications, and friends’ communications, on the site going forward until you change the password. There’s even the risk that a malicious opposing party could send messages under your name — unlikely and dangerous for any opposing party to do, but there’s no need for civil litigants to even have to worry that such a thing will be possible. Civil litigants with relevant, nonprivileged Facebook or MySpace material should be required to produce that material and nothing else.

Cross-posted at the Marquette University Law Faculty Blog.

[Update: See Eric Goldman’s comment on this post over at the Marquette Faculty Blog and my response. I may have over-described the Romano opinion as requiring production of Romano’s passwords. But I still believe it requires Romano to authorize unrestricted access to her accounts.]

2 thoughts on “Can You Be Forced to Turn Over Your Social Network Passwords in a Civil Case?

  1. When I was in practice, I got this kind of discovery (and my clients had to give it up) all the time. Of course, these were trade secret cases, where hard drive lockdown was critical.

    A couple of practical points:
    1. You can subpoena the provider in some cases if you follow SCA procedures, and get the same info that way
    2. Is your concern the password, or the access? In past cases, the compromise we often made was that the owner could change the password temorarily and turn that over, and after a certain amount of time change it back.
    3. There is a huge difference between what a self reported production will yield and what a forensic expert can find. Not sure how that plays with a website where it is limited access, but to say that self production is good enough is not the complete story.

  2. That’s a good point Michael; there are instances in which direct access to data, e.g. on a hard drive, will be appropriate. I’m not that familiar with trade secrets law but I have participated in requests under copyright law, 17 U.S.C. s 503(a)(1). I think in both circumstances the reason for allowing practices such as mirror imaging of hard drives is to assess the extent of the harm resulting from unauthorized redistribution so that a proper injunction can be entered. But it’s far from the ordinary case, even where there is the potential for spoliation. The Facebook/Myspace situation seems to me to be no different than any other request for potentially damaging documents. There’s always a concern about how forthcoming parties will be, but the alternative is, I think correctly, viewed as worse.

    To answer your specific questions:

    1. Section 2703 prohibits ISPs from responding to pretrial subpoenas without the consent of the party. But the court could require consent to production of responsive, nonprivileged documents pursuant to such a subpoena. It strikes me that it would be slightly tricky to phrase that consent just right.

    2. My concern is the access, not so much the password; the harm of divulging a person’s password didn’t actually occur to me.

    3. The advisory committee notes on the 2006 amendments note that inspection or testing might extend to computer systems or ESI, but that it “may raise issues of confidentiality or privacy. . . . Courts should guard against undue intrusiveness resulting from inspecting or testing such systems.” As far as I can tell from a quick look at the cases under the amended discovery rules, that’s what courts have done: direct inspection or mirroring is not routinely ordered, counsel must be present, a protocol must be in place to protect nonresponsive data, and the opposing party should not be able to, e.g., directly query the database. See, e.g., John B. v. Goetz, 531 F.3d 448, 459 (6th Cir. 2008); In re Ford Motor Co., 345 F.3d 1315, 1317 (11th Cir. 2003); Playboy Enters. v. Welles, 60 F. Supp. 2d 1050, 1055 (S.D. Cal. 1999). But this case just seems like an ordinary products liability case to me, with no allegations of spoliation, just stonewalling through objections.

Comments are closed.