A US judge has ordered that women suing their employer for sexual harassment must hand over passwords for Facebook, email and other social media accounts.
The case was brought by the Equal Employment Opportunity Commission (EEOC) on behalf of some 20 women against The Original Honeybaked Ham Company.
Lead plaintiff Wendy Cabrera and her fellow plaintiffs have charged their manager, James Jackman, with "frequently" groping and making sexual requests of the women who worked for him.
The plaintiffs also claim that they reported Jackman's behavior to the corporate office, but Jackman's higher-ups failed to do anything to stop the harassment.
On 7 November, Michael E. Hegarty, a Colorado federal magistrate judge, issued a court order [PDF] declaring Cabrera's Facebook posts to be fair game for the defendant to use, arguing that posting it in such a public place pretty much nixes any privacy objections.
The precise nature of the material from the court order is as follows:
- Statements that discuss [Cabrera's] financial expectations in [the] lawsuit;
- A photograph of [Cabrera] wearing a shirt with the word [C***] in large letters written across the front (a term she alleges was used pejoratively against her, also alleging that such use offended her);
- Musings about her emotional state in having lost a beloved pet as well as having suffered a broken relationship;
- Other writings addressing her positive outlook on how her life was post-termination;
- Her self-described sexual aggressiveness;
- Statements about actions she engaged in as a supervisor with Defendant...;
- Sexually amorous communications with other class members;
- Her post-termination employment and income opportunities and financial condition...
Hegarty wrote in his court order that each of these categories is potentially relevant, and the fact that it was stored on Facebook means the claimants have already put it out there — at least in semi-public view:
"If all of this information was contained on pages filed in the 'Everything About Me' folder, it would need to be produced. Should the outcome be different because it is on one's Facebook account? There is a strong argument that storing such information on Facebook and making it accessible to others presents an even stronger case for production, at least as it concerns any privacy objection. It was the claimants (or at least some of them) who, by their own volition, created relevant communications and shared them with others."
In a posting to Eric Goldman's Techology & Marketing Law blog, Venkat Balasubramani writes that in the realm of the zany, this takes the cake, given that handing over passwords gives away the entire contents of the plaintiffs' accounts, including irrelevant information or information protected under the Stored Communications Act.
Besides exposing information that's got nothing to do with the case and which is legally protected from discovery, litigators fumbling around in somebody's account could well make "unwitting changes", he writes.
Better, he argues, to manually export the specific material requested.
Justice Hegarty admitted that social media presents "thorny and novel issues" with which courts are only now coming to grips, and that despite Honeybaked Ham's requests being justifiably relevant, the handover of such material is a "significant intrusion" on the plaintiffs' "semi-private lives".
So while he agreed that the women's social media content should be produced, Judge Hegarty also said he wasn't sold on all of Honeybaked's alleged areas of relevant information, is appreciative of privacy concerns, and therefore is using a forensic expert as the data middleman.
The women have been ordered to turn over cell phones used in text messaging, their social media logins, and whatever else is needed to get into email accounts or blogs used during the time covered by the allegations. The forensic expert will step in as necessary to make sure that only legitimately discoverable materials change hands.
What constitutes reasonable expectation of privacy as it pertains to Facebook? The Electronic Frontier's (EFF) Surveillance Self-Defense Project drills down into Fourth Amendment questions like that, noting that the Supreme Court has stated that:
"The Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed."
The EFF explains that we don't necessarily have Fourth Amendment protection for the records others keep on us, given that we either freely gave it to them and thereby knowingly exposed it, or it was gathered on public sources:
"It doesn’t necessarily matter if you thought you were handing over the information in confidence, or if you thought the information was only going to be used for a particular purpose."
For what it's worth, in the comments section to Ars Technica's coverage of this story, there's a thoughtful discussion vis-a-vis whether wearing a t-shirt with a pejorative word like "C***" on it disqualifies a person from claiming harassment connected to the use of that same word.
What's more relevant to the question of cyber privacy, to my mind, is that the court views social media as fair game for discovery, including logins and cell phones.
Be warned: This attitude negates whatever limited privacy we can expect from, for example, limiting who can view our posts.
It's yet another example of the futility of expecting that we have control over the things we post online, so be careful what you post.
If you don't want a given Tweet or Facebook post to wind up in front of a hostile lawyer or on the front page of the newspaper, think about not posting it at all.