Seeking User Data
California Lawyer

March 2011

Lawyers may be tempted to mine social networking services for information relevant to their cases. After all, these sites store a wealth of personal information about their users, detailing their comments, daily activities, and associations. But legal and ethical pitfalls confront lawyers who try to collect such information.

In the first place, it's nearly impossible to win a civil subpoena to get user communications from a social networking site. Generally, anything reasonably calculated to lead to admissible evidence is discoverable. However, the Stored Communications Act (SCA) (18 U.S.C. §§ 2701 – 2712) protects user information and records stored by providers of "electronic communication services" and "remote computing services."

For the most part, providers covered by the SCA are prohibited from voluntarily disclosing the contents of communications. (18 U.S.C. § 2702.) The SCA allows law enforcement agencies to compel disclosure of various types of user information only if they satisfy an intricate set of legal standards, ranging from a warrant requirement to gain access to the contents of certain user communications, to lesser court orders or subpoenas for other types of content or subscriber records. (18 U.S.C. § 2703.) The statute also provides a form of immunity for providers who comply with court orders. (18 U.S.C. §§ 2703(e), 2707(e).)

Most important, though, the statute doesn't provide a way for civil litigants to obtain user communications that are stored with providers. (See O'Grady v. Superior Court, 139 Cal. App. 4th 1423, 1442 – 1447 (2006).) Furthermore, two federal judges in California have held that users have standing to move to quash a subpoena served upon a third party seeking personal information protected by the SCA. (See Chasten v. Franklin, 2010 WL 4065606 (N.D. Cal.); Crispin v. Audigier, Inc., 2010 WL 2293238 (C.D. Cal.).)

But the Stored Communications Act hasn't been substantially updated since its passage in 1986, so its applicability to recent innovations like social networking websites is remarkably unclear. The only federal court to consider the question--California's Central District in the Crispin case--held that the SCA does apply to social networking services, including Facebook and MySpace. The reasoning goes that they're electronic communication service providers when they provide email or private messaging services, and they're remote computing service providers when they store private communications that subscribers have read (Crispin, 2010 WL 2293238 at *9 – 15).

They're also covered by the SCA for purposes of storing "wall" posts and comments made available by a subscriber to only certain approved users. As a result, the Central District court held, the statute precludes civil litigants from using subpoenas to retrieve private messages and other content from social networking service providers whenever the user has restricted access to the information to "friends," excluding the general public (Crispin, 2010 WL 2293238 at *14 – 16).

California law also punishes parties who attempt to subpoena social networking sites' user information to unmask an anonymous user if the subpoena is issued in a meritless lawsuit that was initiated in another state. California Code of Civil Procedure section 1987.2(b) was recently amended to provide for the mandatory award of attorneys' fees to an anonymous speaker who successfully quashes a California subpoena seeking identifying information from a service provider where "the underlying action arises from the moving party's exercise of free speech rights on the Internet and the respondent has failed to make a prima facie showing of a cause of action" in out-of-state litigation. This means that litigants from other states who try to misuse the California legal system to expose anonymous speakers must pay their targets' attorneys' fees if the court finds their underlying claims baseless.

Next, is it OK to create a fake profile in hopes of persuading a user of interest to give you access to her profile, or to persuade someone who is already a "friend" of a target to reveal information to you? Nothing in the Federal Rules of Evidence, the California Rules of Professional Conduct, or the ABA Model Rules of Professional Conduct directly addresses these questions. However, under California's ethics regime and based on guidance issued by other states' ethics committees, it's clear that honesty is the best policy.

California Business and Professions Code section 6106 forbids attorneys from committing "any act involving moral turpitude, dishonesty, or corruption," while section 6128 similarly provides misdemeanor penalties for any lawyer who "is guilty of any deceit or collusion, or consents to any deceit or collusion, with intent to deceive the court or any party."

In criminal matters, California Penal Code section 1054.8(a) forbids prosecutors, defense attorneys, or investigators working for either side from contacting victims or witnesses without clearly identifying themselves, who they work for, and who they represent. And California Rule of Professional Conduct 2-100 forbids lawyers from communicating directly with a party represented by another lawyer in the matter, without obtaining that lawyer's consent.

Though California's legal ethics and rules do not directly address the issue of lawyers asking a third party to "friend" a potential witness--presumably to gain access to information that could be used to impeach the testimony of that witness--local bar associations in other states have weighed in on this issue. In both New York City and Philadelphia, for example, ethics committees have determined that falsely friending someone to obtain information--whether done directly by counsel or through a third party--is improper. (See Bar Assoc. of the City of New York, Comm. on Prof. Ethics, Formal Opn. 2010-2 (Sept. 10, 2010); Phila. Bar Assoc., Prof. Guidance Comm., Opinion 2009-02 (Mar. 2009).) The opinions cite rules similar to the California statutes mentioned above that bar dishonesty and deceit by attorneys.

Although creating a fake profile may also violate a social network site's terms of service, it doesn't constitute a violation of computer crime laws, as both the federal government and Facebook have unsuccessfully argued. (See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (rejecting government's argument that violating MySpace's terms of service is itself a violation of the Computer Fraud and Abuse Act [18 U.S.C. § 1030]); Facebook, Inc. v. Power Ventures, Inc., 2010 WL 3291750 (N.D. Cal.) (rejecting Facebook's argument that breaching terms of service constitutes access without permission in violation of California Penal Code § 502).)

For more information about the ethics of gathering evidence from social networking sites, visit Website_Research-Handbook.pdf.

Marcia Hofmann, a senior staff attorney at the Electronic Frontier Foundation, focuses on digital civil liberties issues.
