Corporate Social Media | Civil Lawsuit E-Discovery

Log-on and Password to Opponent?

A few cases have required a social media user to give his password, user name and log in ID to an opponent for ediscovery.  In these cases, the user was an individual.   But what if the user were an enterprise?

In Zimmerman v. Weis Markets Inc., an employee claimed he suffered great injury from a workplace accident, so he sued his employer.   But the public portions of his Myspace and Facebook sites contradicted some of his claims.   His employer surmised that non-public portions of his social sites would reveal more information relevant to his injury.

No Expectation of Privacy?

The Pennsylvania court compelled the employee to give to the employer his Myspace and Facebook passwords, user names and log in names.
 The court dismissed the employee’s claims to privacy, saying, “Zimmerman voluntarily posted all of the pictures and information on his Facebook and Myspace sites to share with other users of these social network sites, and he cannot now claim he possesses any reasonable expectation of privacy to prevent [his employer] from access to such information.”

What Do Social Media Privacy Policies Say?

The court went on to say, “All the authorities recognize that Facebook and Myspace do not guarantee complete privacy.  Facebook’s privacy policy explains that users post any content on the site at their own risk and informs users that this information may become publicly available.”

Although the privacy policies at those sites are very complex, the court did not engage in an in-depth analysis of the precise words in those policies.

Access to Email and Chat Messages?

Further, the court did not consider that those log-on credentials will grant access to the content of private, one-on-one chat or email messages, or messages that are the equivalent to private email.

Historically, in civil ediscovery, it has been more common to require an email user to turn over relevant messages -- one-by-one –- not to turn over his log-on credentials so the opponent can access all messages in his email account.

The configuration of social media sites is complex, and privacy for particular bits of information can often be adjusted with a fine degree of precision.  For example, in Google Plus, a user can “post” information on his page, but make it viewable by only one friend.  In effect, the “post” is analogous to a private email message to that friend.


Enterprise Data in the Cloud

Could the logic of Zimmerman be applied against an enterprise in a civl lawsuit?  Could it lead to a requirement that an enterprise turn over full administrator access credentials for a social networking facility the enterprise uses with its employees and select trading partners such as vendors and customers?

It is becoming common for firms to use services like Yammer or Chatter, third-party, cloud-based services, to provide “internal” social networking.

Imagine this scenario: The opponent of a corporation shows a court that public postings of the corporation, sent in connection with a service like Yammer, are inconsistent with claims the corporation makes in litigation.   The “internal” part of the service shares information among the corporation, its employees and selected “business associates.”  In the “internal” service, varying degrees of access are granted to different people for different bits of information.

Further imagine that the confidentiality terms of the service provider do not guarantee absolute confidentiality under all circumstances. (A service provider cannot make such a guarantee.)

Under the logic of Zimmerman, I can imagine the corporation’s opponent arguing that it should be given powerful log-on credentials so it can broadly view the part of the service used “internally” by the corporation.

Non-Disclosure Terms

What is a corporation using services like Yammer to do?   One step would be to liberally post terms and banners requiring users of the internal service to agree that the contents of the service are confidential and shall not be disclosed.   That step will not defeat all of the Zimmerman logic, but it will help to distance this corporate scenario from the facts of the Zimmerman case.  In Zimmerman, the employee did not post a notice on the private portions of his social sites requiring viewers to maintain confidentiality.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related Post: Social Network terms of service applicable to forensic investigation?

Subpoena Facebook

Locating Social Network Legal Evidence

[See latest update 2014 on how to get subpoena results.]

If you seek to cause Facebook to disclose the content of communications to or from a Facebook user, remember that the user's home or business email account may contain much of the information you seek.  (The same goes for LinkedIn, Foursquare, Yelp, Skype, Groupon or online dating sites and services.)

The email account may contain some of the messages the user posted on Facebook.  Facebook allows a user to submit, via email, updates for publication on his or her Facebook Wall.  See my records management discussion about the Facebook-update-by-email feature.

Further, Facebook often emails a user with notices about and/or copies of content of messages posted by others for the benefit of the user.  For example, here is a screenshot of an email from Facebook:
















Hence, the user’s email account may contain the content and date/time of many desired Facebook messages, even those messages (ESI*) that have been deleted from Facebook.  

 

Records on Cell Phones

Another place to look for Facebook notices and content may be SMS records on the user’s cell phone. Facebook can be configured to send certain notices (with copies of FB message content) to the user’s SMS account. The types of notices that FB sends to SMS are not as numerous as the types that FB may send to electronic mail.

  Service Providers Resist

Normally, when handed a civil subpoena, such as in a divorce, infidelity or child custody investigation, a service provider like Facebook (or Hotmail or Google ) will resist disclosing the content of a user’s communications unless and until the user consents.  A common rationale cited for resistance is that the content is protected under the Stored Communications Act.

Compelling User to Cooperate

Often, law will compel the user to consent to the service provider releasing records of communications. Some recent cases have been compelling users to turn over, to their adversaries, their social media user ID and password.

Metadata and other Non-Message Content Data

See practical discussion on the retetion and disclosure of text and other messages by service providers.  Service providers may see a distinction between the content of messages and metadata about the messages, such as time of transmission.  Some service providers believe they can be compelled to turn over meta data but not message content.

An emerging class of social media services (Foursquare.com, Yelp, Gowalla) collect and store not just messages, but also  location information.  John was at the burger joint on May 11, 6:33pm, and at the ball park May 12 at 7:07pm.  This data will be the target of subpoenas.  The degree to which service providers will resist the subpoenas remains to be seen.

–Benjamin Wright

Mr. Wright teaches data law at the SANS Institute.  

*What is "ESI"?  ESI means electronically stored information.  It is a legal term of art applying to electronic information that is desired for legal purposes such as a lawsuit or an investigation.

See related post on deception in investigations on Facebook  and other social networks.

Related article: How to record what you see on Facebook or other online media.

Update 2013:  Facebook sent an SMS text to my phone telling me it will begin sending me a steady stream of text messages regarding FB activities of my friends and me . . . unless I opt out.  So the default at FB (at least for a user like me) is to send lots of text messages to my phone that refer to activity in my FB world.

Update:  Send a preservation letter to the subject of an investigation.

Tag Disclosed ESI | Privacy, Control, Security

Warn FBI, Auditor, Examiner, Adversary, Regulator, Investigator or Inspector General

Ediscovery Production Strategy-Services for Text, Email, Twitter, Facebook Google+ or Other Social Network Records

Subpoena . . . tax audit . . . court order . . . police raid . . . search warrant . . . criminal investigation . . . regulatory proceeding . . . administrative summons . . . grand jury inquiry . . . litigation discovery demand -- any of these could compel or motivate a party holding e-records to reveal or produce them.

But often the party that receives (or seizes) the records should be expected to safeguard them after they arrive.

Laws requiring the safeguarding of records are many and diverse.  One small example:  As a business discloses information to the federal government, it can (if justified) tag or annotate the information as a “trade secret.”  By so doing, the business warns government employees that they violate federal law (18 U.S.C. Section 1905) if they abuse the trade secret, such as disclose it to a competitor or to the news media.

Legally speaking, the tagging or annotating of records can be strategically powerful.  But when a large quantity of e-records (SMS, chat, e-mail, Web 2.0, iPhone, BlackBerry) is involved, manual annotation is laborious and expensive.

Emerging technology affords a solution.  Technology empowers producing parties to annotate (label, tag) records with ever-better precision and efficiency.

When records like instant messages are disclosed under law, it is becoming more common that they be disclosed in an electronic format that supports annotations, such as XML.

Electronic annotation (commenting) enables highly granular, specifically-targeted legal notices.  Targeted annotation can give the producing party an advantage.  The advantage is more apparent when large numbers of record are at issue and different records require different notices.

By long-standing practice, lawyers often mark disclosed records with warnings or reservations of rights. But historically these notices were expressed as general, blanket statements in transmittal letters. (See footnote.)

When numerous records are involved, blanket statements may not be as effective as specific, record-by-record annotations.   Suppose for example that five million email records are being produced.  Within those records are, say, 2137 that contain personally identifiable information (PII), which the producing party is obligated to safeguard.  The producing party may better fulfill its obligation by specifically annotating each of the 2137 with strong warnings, rather than with general notices covering the whole five million.  (Example:  “WARNING: This email may contain private data protected by law.  Access on need-to-know basis only.”)

Specific annotations can include any of a range of legal statements:  disclaimers, instructions, interpretations, cross references, self-serving language, reservations of rights, claims of privacy, contractual terms of use, designation as attorney work product and more.

According to Ranjit Sarai, e-discovery consultant at Messaging Architects, “Annotations can involve advanced services in e-record production.  Manual annotation of individual records can be very time consuming.  But we can recommend or develop routines for identifying relevant records and placing the prescribed annotations on them.  We can facilitate collaborative, team annotations.  We can also help bring the appropriate attention to annotations.  Some annotations should be understated.  Others should scream out in blinking neon lights.”

Update:  Tags and annotations can be inserted according to varying degrees of granularity, whether record-by-record, word-by-word, or something else.  US intelligence agencies are managing massive databases on terrorists by tagging each word, one-by-one.  A tag can show, for example, the level of security clearance an analyst needs in order to see the word.  Advanced search software can prevent an analyst from seeing information for which he does not have adequate clearance, while alerting him that the database may contain additional information relevant to his inquiry, access to which will require higher authority.   Siobhan Gorman, "How a Team of Geeks Cracked Spy Trade," Wall St. J., 4 Sept. 09.

–Benjamin Wright

Mr. Wright delivers education on cyber defense law under the SANS Institute.


Footnote:  A case known as Teachers Insurance(1) suggested that when a company discloses information to the Securities and Exchange Commission, it waives attorney-client privilege on that information, unless it explicitly reserves its privilege rights.  Applying that idea, a company in another case(2) attempted to make such a reservation of rights in the transmittal letter sent with documents disclosed to the SEC. 

(1)Teachers Insurance and Annuity Assn. of America v. Shamrock Broadcasting Co, 521 F. Supp. 638 (SDNY 1981).

(2)In re Subpoena Duces Tecum to Fulbright and Jaworski and Vinson & Elkins, 183 Fed. Sec. L. Rep. para. 99,505 (DDC 1983).

Recordkeeping for Social Networking Managers

Social Networks for Official, Commercial & Employment Transactions

By law, employers generally need to keep records of employment decisions.  So when the boss conveys a pink slip by way of Facebook, the employer needs a legal record of it.

What?  Fire someone by Facebook . . . a posting on a wall?  Would a manager do that?  Yes.  A spa in Canada (British Columbia) used Facebook to notify Crystal Bell of her job termination.

The history of electronic messaging tells a story about business records.  As each new form of message comes along, we initially doubt you can conduct business with such a flimsy thing.  Fax as a medium for transacting serious business?  No way, people thought in the early 1980s.  But as time passed –- and as court cases enforced fax contracts -- we grew more comfortable with fax as a business tool.  Today, fax is considered a responsible, even conservative medium for transmitting signed agreements and binding business records. 

Then, when electronic mail came into the workplace, conventional wisdom dismissed it.  Convention said e-mail was not a business record, said it could not (conveniently) be authenticated with a signature, and said it should be deleted quickly like so much water-cooler chitchat.  But naturally business people embraced e-mail as a tool for making obligations and delegating authority.  Today we see the law giving enterprises growing reason to store e-mail as business records.

I predict the same process will unfold for collaborative (Web 2.0 and social network) media like instant message, Facebook, Twitter and Myspace.  Old-fashioned folks will try to ban these technologies as methods for conducting important business.  They will, initially, ignore them as records to be kept.

But the outcome of the story is inevitable.  Busy people (like the boss in BC) will use the new channels to hire, fire, negotiate, agree and so on.

The managers of records need to plan for capturing the records of Web 2.0.  Those records can become the subject of a subpoena, an IRS taxpayer audit, an administrative summons or an internal investigation or the source of exculpatory evidence in defense of lawsuits.

Web 2.0 records are a topic of growing interest to financial regulators.  The US Treasury Department is proposing extensive recordkeeping requirements for OTC non-standardized derivatives contracts.  Given technology's rapid advance, this proposal will involve the retention of many informal records.

Update:  Government attorneys are cautioning officials about government maintenance of Facebook pages.

–Benjamin Wright

Mr. Wright is a paid colleague of Messaging Architects, consultants in eDiscovery services.  He provides training in e-commerce law at the SANS Institute.

PII Security Legislation

Safeguard Anonymous Private Data?

Patterns of Behavior Are Protected Identifiers?

Privacy as a legal concept is in crisis. The law of privacy is becoming so expansive that the scope of the law is confusing, and literal compliance can entail strange and arduous effort.

Connecticut Legislation

Consider Connecticut’s new Public Act No. 08-167. Section 1(a) says, “Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties . . .” Then, Section 1(c) explains:

“As used in this section, ‘personal information’ means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.”

That seems like a breathtakingly broad definition.

Observe that it considers any “account number” as an identifier that triggers the requirement for security in Section 1(a). Public Act No. 08-167 does not define “account number,” which can make for surprising results for all kinds of organizations that collect money, including small ones like neighborhood parent-teacher associations. 

Surprising Case Example - Health Club Locker Number 

For example, suppose a small health club keeps track of membership payments according to locker numbers, which are viewable in the locker room. That practice may be a mistake under Connecticut’s law because anyone walking through the locker room could learn that my locker number, i.e., my account number, is “57". That unit of identifying information might be misused by, say, a snoopy debt collector who is investigating how much I spend on luxuries like club membership. Knowing my name and locker number, he could telephone the health club and say, “This is Ben Wright, and my locker number is 57.  Can you tell me how much I owe on my club membership this month?”

So, to say it in different words:  This little health club has opened itself to a lawsuit in Connecticut by doing something (making account number and locker number the same thing) that would seem to be perfectly natural and insignificant to anyone but the most paranoid of lawyers.

Behavior Patterns as Identifiers?

Although Connecticut’s law itemizes some identifiers like “account numbers” and Social Security numbers, its definition of personal information reaches wider than the itemized list.  The law regulates any and all “information capable of being associated” with a person through an “identifier.”

What kinds of information can be used to identify people by way of an “identifier?” What about patterns of behavior and patterns of social relationship? Could patterns of activity be “identifiers?” I don’t see why not.

Academic researchers have demonstrated that so-called anonymous data about human behavior can be used to identify individuals. For instance, researchers started with “anonymized” data from one Web 2.0 service, Twitter.  From this data, they ascertained the identities of individual Twitter users.  How did they do it? They drew on behavior data from another Web 2.0 service, Flickr.  By comparing maps of relationships from unnamed Twitter users with maps of relationships for known Flickr users, the researchers uncovered the identities of the Twitter users!

From the perspective of privacy, this research is chilling.

Is All Data About a Person Private?

Responding to this research, a privacy advocate is naturally inclined to say that no one should keep any data about anyone. 

While that response may be excessive, it does accurately reflect the privacy concern when anyone retains information about the patterns of behavior of individuals.

Another Case Example - Identifying People by Writing Style

So given how information about behavior patterns can serve as the “identifiers” of an individual . . . let's consider the following application of Connecticut law.  Suppose a small nonprofit in Connecticut works with volunteers to develop and publish opinions on controversial civil rights topics, such as abortion or homosexual marriage.  The organization attributes the opinions only to itself, without identifying the volunteers involved in writing them.  

Sally is one of those writer volunteers. The organization publishes a controversial opinion based largely on prose composed by Sally. Could the organization be violating Connecticut law simply by publishing Sally’s written words? Logically, the answer could be yes. Here’s the logic . . .

Examples of Sally’s writing – on non-controversial topics – appear in association with her name in many public places such as blogs, libraries, Facebook pages, LinkedIn comments, letters to the editor and so on.  

Research shows that people can be identified according to their writing style – syntax, word choice and so on.  In fact, researchers today track “anonymous” terrorists according to the style of their writing, records and communication on the web.

Hence, when the civil rights organization publishes Sally’s words, even with her name removed, it is failing to safeguard her personal information.  It is opening her to embarrassment and ridicule by people who disagree. Adversaries could analyze the patterns of behavior exhibited in the published words and ascertain that Sally is the author!  

In other words, in the legislative terms of Public Act No. 08-167, the organization failed to protect her personal identifying information (i.e., the patterns of her unique writing style woven into her text) from being "misused" to criticize her personally. 

What Does This Mean in Practice?

So what could the organization have done to comply with Connecticut law?  Before publishing Sally's words, the organization could have removed from the words the “identifier” linking to Sally by hiring a team of third-party writers to rearrange the words into anonymous writing style.

Shiver my timbers. Thats a lot of work for a small nonprofit, just to comply with Connecticut privacy law.  The regulation chills free speech.  Is that really what the Connecticut legislature had in mind?

Society faces an emerging conflict between the civil right of privacy and the civil right of free speech.

Global Impact of Strange Legislation

Notice that the foregoing conundrums arise from legislation enacted by just one small US state.  But in our Internet-connected world, the data privacy law of Connecticut can be applicable to the activities of an organization in Australia or Hong Kong.  Further, nothing prevents the legislature of Arizona, Pennsylvania, Michigan or name-your-jurisdiction from adopting law that is similarly strange and broad in scope -- all the while using words and standards that differ from Connecticut's.  

Full compliance with data privacy law has become very difficult.

–Benjamin Wright

Mr. Wright teaches data law, including electronic data discovery (EDD) at the SANS Institute.