Can You Be Forced to Turn Over Your Social Network Passwords in a Civil Case?

Posted by:
Category: Civil Procedure, Computer Law, Privacy Rights
6 Comments »

Let’s say you’re the plaintiff in a civil case against a neighbor, an employer, or a company you’ve done business with. One of the many pains of litigation is the discovery process–the process whereby each side collects information that it believes will help it win the case. Discovery can come in many forms, such as conducting depositions (sworn testimony from witnesses), requesting documents, or even requesting permission to visit a site and look around.

But let’s say that you have a Facebook account. The other side believes that some of your Facebook communications might be relevant to the case, so they specifically request access to your account. You refuse, and the issue goes to the court to sort out (if you’re in federal court, under Rule 37, for those of you playing at home). How should the court rule? Specifically, what should the court order you to do? Do you have to give the password for your account over to a party that, to put it mildly, you are probably not on the best of terms with?

Surprisingly, at least one court has said yes [Update: see comments below], and I believe similar requests are being made in courts all around the country. I believe this is a deeply disturbing development and is the result of either a failure to understand social networking technology, the rules of civil procedure, or both.

The case is Romano v. Steelcase Inc., 2010 N.Y. Slip Op. 20388 (Sept. 21, 2010). (H/T NY Law Journal, via Kashmir Hill, via Dan Solove.) In Romano, the plaintiff, Kathleen Romano, is suing Steelcase, the manufacturer of her office desk chair, for injuries she received as a result of alleged defects in the chair. Steelcase requested access to her Facebook and MySpace accounts, the public portions of which they claimed “reveal[ ] that she has an active lifestyle and can travel and apparently engages in many other physical activities inconsistent with her claims in this litigation.” The court — properly, in my view — held that the requested information was relevant and rejected the plaintiff’s privacy arguments that she should not have to produce any information at all from her Facebook and Myspace accounts. The court then ordered the following relief:

ORDERED, that Defendant STEELCASE’s motion for an Order granting said Defendant access to Plaintiff’s current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information, is hereby granted in all respects; and it is further

ORDERED, that, within 30 days from the date of service of a copy of this Order, as directed herein below, Plaintiff shall deliver to Counsel for Defendant STEELCASE a properly executed consent and authorization as may be required by the operators of Facebook and MySpace, permitting said Defendant to gain access to Plaintiff’s Facebook and MySpace records, including any records previously deleted or archived by said operators . . . .

As I indicated, I don’t believe this is an isolated incident. I’ve heard of similar requests being made here in Wisconsin, and there are probably other court orders out there that just haven’t made the news. In fact, this is probably the initial wave of a growing trend. So what’s wrong with issuing such an order?

Plenty. First of all, Romano was overreaching in trying to block any production at all of information from her Facebook account on privacy grounds. Parties in American courts are given broad latitude in seeking relevant materials; the general standard under the federal rules is “any nonprivileged matter that is relevant to any party’s claim or defense,” including finding leads to other admissible evidence. (R.26(b)(1). Romano is a New York case under N.Y. C.P.L.R. § 3101, but the differences are immaterial.) If the information is particularly sensitive and not terribly useful, Romano might have been able to seek a protective order, but there’s no across-the-board principle that says that individuals can never be forced to turn over private but relevant communications with third parties in a litigation. Certainly photos or descriptions of Romano engaged in vigorous activity pass the relevance test.

But in ordering Romano to turn over her account password access to her account, the court went way too far. The proper order would have been to require Romano to produce the requested material to Steelcase, not to allow Steelcase to go rummaging around in her account for it. The court spends quite some time talking about how Romano has no privacy interest in her Facebook and Myspace accounts, but that is not only false, it’s irrelevant to the question of how the requested information should be produced.

Social networking communications come in many forms. Some are communications made publicly available to the world. Others are posts visible to one’s entire network of “friends,” which can number in the dozens (if you’re like me) or even thousands. Still others are posts visible to some subset of that network, such as a group labeled “close friends.” Finally, social network sites can be used to send one-to-one communications that act just like emails.

In other words, communications on social networks have varying levels of privacy and relevance, just like other forms of communication, such as written documents. The ordinary discovery procedures for written documents are clear: one party must file a request with the other to produce relevant documents. The other party’s attorneys then do what litigation associates everywhere lovingly call a “document review”; they review the documents first to cull out documents that have not been asked for, then documents the production of which would be objectionable for some reason–for instance, privileged communications with counsel or material discussing litigation strategy. Only then are the remaining documents turned over to the other side for inspection.

It would be a highly intrusive system if the normal procedure was, instead of a party producing its own documents, the other party’s attorneys entering your house or business, looking through all your papers and effects, and taking away the material that in their judgement was relevant and non-privileged. That’s why the default is that parties produce their own materials after reviewing them first, except in very unusual cases. That default procedure does not depend on the producing party being able to show any special privacy interest in the materials — the general rule is that strangers shouldn’t be allowed to go rifling through your stuff, no matter how private you’ve kept it.

There aren’t many cases on point; it appears that few litigants have tried to make an argument in the pen-and-paper world that they should be allowed to go fishing for documents on the other side’s premises. At least one court has held that a Rule 34 request to permit inspection does not allow the requesting party to go roving around the other side’s facilities, questioning employees in mini-unsworn depositions without notice or the opportunity for objections. See Belcher v. Bassett Furniture Indus., Inc., 588 F.2d 904, 907-908 (4th Cir. 1978).

The electronic world is no different. There may be unusual circumstances where direct access to a hard drive or server is required, as the Rules Advisory Committee recognized in 2006 in updating the federal rules to account for electronically stored information. The committee was careful to note that “addition of testing and sampling to Rule 34(a) with regard to documents and electronically stored information is not meant to create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.” As Moore’s Federal Practice concludes, “Any order for such discovery should define parameters of time and scope, and place sufficient access restrictions to protect the party from whom discovery is requested.” 7 Moore’s Federal Practice § 34.12.

There’s all sorts of irrelevant and embarrassing information that might be social networking sites. An individual might have sent flirting messages to someone. Satirical political posts might be misinterpreted out of context. Drunken party pictures or photos of one’s children might have no relevance to the case. Granting the opposing party access to the account means that they will see everything you’ve ever done with the account, no matter how irrelevant to the facts of the case. Indeed, it means that they will have continuing access to all of your communications, and friends’ communications, on the site going forward until you change the password. There’s even the risk that a malicious opposing party could send messages under your name — unlikely and dangerous for any opposing party to do, but there’s no need for civil litigants to even have to worry that such a thing will be possible. Civil litigants with relevant, nonprivileged Facebook or MySpace material should be required to produce that material and nothing else.

Print Friendly

You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

AddThis Social Bookmark Button

6 Responses to “Can You Be Forced to Turn Over Your Social Network Passwords in a Civil Case?”

  1. Bruce, I may be missing something, but I didn’t see where the court ordered Romano to turn over her account password. The defendants get the material in her account, but not her password.

  2. Eric, you’re right that nothing in the decision specifically says that Romano has to turn over her password and I may have made an inferential leap or two. What caught my attention was the court’s repeated declarations that the defendant’s required “access” to the accounts, rather than discovery of the materials in the accounts. E.g. right at the beginning:

    Defendant STEELCASE moves this Court for an Order granting said Defendant access to Plaintiff’s current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information . . . .

    It’s a little unclear to me on re-reading it exactly how the “access” is supposed to be accomplished. The order specifically says that Romano is to send authorization to Facebook and MySpace “permitting said Defendant to gain access to Plaintiff’s Facebook and MySpace records.” Possibly this is intended merely to consent to Facebook and MySpace’s production of documents in response to a subpoena, but it doesn’t say that and given the rest of the opinion I don’t read it that way. I read it as a requirement that Romano authorize Facebook and MySpace to grant Steelcase access to her account. I don’t see how that’s going to be done except through some sort of login procedure that allows Steelcase to log in to Romano’s account. Possibly it won’t be the same password Romano uses, but that wasn’t really the source of my concern. My concern is with allowing unfettered access to the material in the account without prior screening for responsiveness, relevance, privilege, etc.

    P.S. I’ve updated the post to reflect these caveats.

  3. Myspace and Facebook will not turn over user content without a signed release. The order will force a release which would then be turned over to Myspace and Facebook. The 2 sites will then send all the content to the requester.

  4. This is interesting, I was doing research in a different context, looking for us-practices concerning social websites passing data to authorities for investigation of criminal activities when asked. I don’t understand how above stated coud be relevant in such a civil case, social communities are presentation media, so exaggerating one’s activities for increased popularity seems natural…

    Kind Regards from Germany,

    Wofgang Bruckner

  5. Robin Maynard Says:

    I am involved in a custody case where the other party is requesting my social networking passwords in an interrogatory. I don’t have any social networking activity, but I think this is horrendous that it is being allowed. Not only can they “roam” around at irrelevant content (to the issue at hand) but this means, for security and identity theft purposes, folks are going to have to change passwords, maybe even screen names, etc. to ensure that others are not posting as them. In my case, I do not trust the other party to not try and truly damage me in any way possible.

  6. I don’t understand how above stated coud be relevant in such a civil case; social communities are presentation media, so exaggerating one’s activities for increased popularity seems natural…

Leave a Reply