US Supreme Court Issues Opinion in Quon Sexting Case

The United States Supreme Court ruled today that a public employer’s search of sexually explicit text messages on a police officer’s employer-issued pager did not constitute an illegal invasion of privacy.  The Court overturned the Ninth Circuit, which had determined the employee had a reasonable expectation of privacy in his text messages and that the city’s search was not reasonable.

The city argued its employees had no reasonable expectation of privacy in communications made on employer-provided devices.  The Court explained:

The record does establish that OPD, at the outset, made it clear that pager messages were not considered private. The City’s Computer Policy stated that “[u]sers should have no expectation of privacy or confidentiality when using” City computers. . . . Chief Scharf’s memo and Duke’s statements made clear that this official policy extended to text messaging.

The disagreement over the expectation of privacy question arose as a result of later communications by the officer responsible for the city's contract with Arch Wireless, and whether these later representations overrode the city's official policy.  The Court, however, avoided deciding that question -- resting its decision on narrower grounds.  The Court advised, "Prudence counsels caution before the facts in the instant case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices." 

The Court acknowledged that "[r]apid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior" and concluded that "[a]t present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve."  The Court said a broad holding on the question of employee privacy expectations vis-à-vis employer-provided equipment may well have implications for future cases that can't be predicted.  The Court essentially moved on to simply assume without deciding that even if Quon had a reasonable expectation of privacy in his text messages, the city did not violate the Fourth Amendment by obtaining and reviewing the transcripts in this case.

Stay tuned for further analysis and comment on this important case!  More posts on this case will come after I've had more time to review the details more closely.

Facebook Privacy: More Changes & Controversy (Weigh In!)

In its short life, Facebook has experienced a number of changes to its privacy policy.  You may remember my December post, where I discussed a number of controversial changes being implemented -- perhaps most sigificant at that time:  deeming "publicly available" certain information users once kept private.  As I alluded to in last Thursday's blog post, Facebook is at it again.  This time, Facebook boldly makes its users' interests, "likes," and connections publicly available.

As this PCWorld article points out, Facebook initially gained popularity because of its default privacy restrictions -- when you joined, the default settings generally protected your personal information.  Those were the good ol' days.  As Mr. Tynan says of Facebook today:

The fact is, Facebook has steadily - and quite deliberately - carved away at the privacy protections its service was originally founded upon.  It has essentially created a bait-and-switch scam:  promising one thing but delivering something entirely different.

The Electronic Frontier Foundation offers an enlightening timeline illustrating what it calls Facebook's "eroding privacy policy."  A graphic representation of the changes can be found on Matt McKeon's site.

As Mashable mentions, despite the privacy concerns among users, Facebook's new social plugins have been popping up with increasing frequency across the web.  The plugins let sites add certain Facebook features without making users log in to use them.  For example, readers of my blog can "like" a post by clicking the new button appearing right under the post title.  The plugins were announced less than a month ago, and they already appear on more than 100,000 web sites. 

Facebook claims it's just trying to give users more social and personalized experiences on the web. According to the popular social networking site, its users love the changes and the controversy/criticism comes largely from media and commentators rather than its users.

What do you think?  Are Facebook users really happily opting in to enjoy more social features, or has Facebook duped its users?  Do you think more users will begin dropping Facebook?

Classmates.com Settles Deceptive Advertising Class Action, Still Faces Privacy Class Action, & Dealing with Congressional Investigation to Boot

Classmates.com has agreed to pay up to $9.5 million to users who say they were duped into paying a $15 subscription fee in response to the site's deceptive advertising scheme.

Founded way back in 1995 -- the pre-historic Web 1.0 era -- Classmates.com was one of the first social networking sites. Today, it's perhaps best known for its cheese-tastic ads -- usually involving old yearbook pictures and a little quip along the lines of "She married him?!"

But it was a different marketing tactic that led a California man to file a class action lawsuit against the site for false advertising:  after he signed up for a free membership with the site (which really doesn't let users take advantage of many -- if any -- interesting online tools or networking functions), Classmates.com sent him messages along the lines of "Your classmate is looking for you!" Or, "See who viewed your profile!"

But getting this juicy stuff (is it your junior high crush?! is it that jerk who stood you up on prom night?!) required an upgrade to a paid membership. The problem was, after he forked over the payment, he learned no one was looking for him after all.

Talk about kicking the lonely guy when he's down.

In November of 2008, Anthony Michaels filed a lawsuit against Classmates.com for deceptive advertising, and according to wired.com, now the site (although it denies wrongdoing) has agreed to pay up to $9.5 million in refunds to users who upgraded to a paid membership after seeing those kinds of advertisements.  The proposed settlement awaits court approval.

Classmates.com has long faced criticism for its marketing and advertising, and for years has faced consumer complaints.

Oh, but that's not all.

Classmates.com and its parent company, United Online, (along with other retailers) have also been dealing with a congressional investigation stemming from questionable marketing tactics and complaints from people who found mysterious charges on their credit card invoices.

But wait.  There's more.

Earlier this month, two named plaintiffs filed a class action lawsuit against Classmates.com for recent changes to its privacy policy that resulted in user profile information going public.  The plaintiffs sued Classmates.com for violations of the Electronic Communications Privacy Act (well, the attorneys accidentally referred to it as the Electronic Data Privacy Act), violations of the state consumer protection act, breach of contract, unjust enrichment; it also asks for an injunction.

I guess we can chalk this up as yet another reason so many of us just want to forget our high school years.

School Faces Class Action Lawsuit for Secretly Spying on Kids at Home Via Remote-Controlled Webcams

Let's say a school administrator crawled into your kid's backpack to sneak into your home. 

Creepy McCreeperson?  A Pennsylvania family sure thought so when they experienced the functional equivalent.

The Robbins family filed a federal class action lawsuit against a school district after learning the district used a webcam in a school-issued laptop to secretly spy on their 15-year-old son when he was at home. They've sued for invasion of privacy under state law, violation of the Pennsylvania Wiretapping and Electronic Surveillance Act, and violations of the federal Electronic Communications Privacy Act, Computer Fraud Abuse Act, Stored Communications Act, and the Fourth Amendment.

According to the complaint (which Philly.com posted online), the school surreptitiously spied on students by remotely activating the webcams installed on the laptops the Lower Merion School District issued to them.

The family learned about the remote spying in November of 2009, when an assistant prinicipal told their son, Blake, that she believed he “was engaged in improper behavior in his home, and cited as evidence a photograph from the Webcam embedded in [his] personal laptop issued by the School District.”

The school posted a response on its website, essentially admitting the laptops' webcams can be remotely activated, but saying it was meant to be used for security purposes -- to track down a lost or stolen piece of equipment.

(Thanks to Bret D. for the tip on this story!)

Update: One More Buzz Kill For Google This Week

Yesterday's post discussed the rough week Google has had since launching Google Buzz, its new social networking service offered through Gmail. 

Google's week just got a little bit worse.

This morning, news sources report that a federal class action lawsuit has been filed by a Florida woman in San Jose.  The complaint alleges Google illegally shared users' personal information via Google Buzz without their consent.

Privacy Concerns Are All the Buzz

Google jumped on the social media bandwagon, but it's not going as well as Google had hoped.

Last week, Google launched Google Buzz, a social media service built right into Gmail, Google’s webmail tool.

Cue: immediate backlash from many users and privacy experts alike.

Initially, Google Buzz auto-populated a social network for Gmail users based on a user’s frequent contacts, potentially revealing relationships the user would rather not publicly announce. Buzz also automatically linked up other Google services (Google Reader, for example).

In response to user privacy worries, Google announced changes to Buzz twice within the first four days of its launch.

Despite those changes, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission yesterday, for what it called unfair and deceptive trade practices. In its complaint, EPIC asks the FTC to investigate Google Buzz for business practices it believes “violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws.” (In December, EPIC filed a similar complaint against Facebook after the popular social networking site changed its privacy settings.).

CBC News has also reported that the Office of the Privacy Commissioner of Canada will be taking a closer look at Google Buzz due to increasing privacy concerns, as well.

The woes don’t stop there. CNET News reports that security experts identified a security problem with the Buzz for Mobile service, making Google Buzz accounts susceptible to hacking. Although Google has already corrected the problem, this was just one more snag Google didn’t anticipate.

Yikes.  That's one rough week, Google.

Privacy: Facebook Legal Department Hopes for Guidance from Court

So, what exactly are Facebook's legal duties with respect to protecting the privacy of its 350 million users? 

Well, Facebook isn't even sure.  And the popular social networking site would like a court to explain that to all of us.

Click here for a write-up discussing the keynote address at LegalTech New York:  "Facebook:  Perspectives on Corporate eDiscovery and Social Media," delivered by Facebook's deputy general counsel, Mark Howitson.

New Article: Workplace Consequences of Electronic Exhibitionism and Voyeurism

William A. Herbert, New York State Public Employment Relations Board Deputy Chair, brought to my attention a recent article he authored, “Workplace Consequences of Electronic Exhibitionism and Voyeurism,” which may be downloaded at the Social Science Research Network. A number of authors and commentators have tackled various legal issues related to social media, privacy, and the workplace, but Herbert’s commentary offers a particularly insightful discussion with its special emphasis on the social psychological aspects of the world of Web 2.0. 

"Despite the general reluctance to bare all through old media, new communicative technologies are leading, if not encouraging, individuals to engage in an unprecedented degree of exhibitionism about their personal lives, thoughts and activities to a virtual worldwide audience. Frequently, such communications relate directly or indirectly to work or co-workers and have the potential for causing negative employment consequences." - William A. Herbert in "Workplace Consequences of Electronic Exhibitionism and Voyeurism"

For other posts related to social media and the workplace, click here.

Hijacked Online Accounts Pose Threat of ID Theft

A recent article discusses privacy issues and identity theft risks associated with social networking sites and social media -- including pending legislation aimed at strengthening data security and privacy measures to protect users' personal and financial information.  Check out the full story here:


Hijacked Facebook accounts pose threat of ID theft - Pittsburgh Tribune-Review

New Facebook Privacy Policy May Catch Some Users by Surprise

Facebook updated its privacy policy last week, and the social networking site has come under fire for what many consider to be the site’s gradual deterioration of privacy protection.

Particularly troubling:  the popular social networking site touted the changes as giving users more control over their information. To the contrary, the changes actually seem to reduce the amount of control users have over the privacy of their information.

Certain privacy settings seem to have been lost altogether. Perhaps the most glaring example is that some information users used to be able to keep private is now considered “publicly available.” Under the old settings, a user could edit her “basic information” privacy settings to prevent disclosure of everything but her name and networks to which she belonged. This option no longer exists, and Facebook now says “your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone.” In other words, you can’t “opt out” of sharing this information and no privacy settings let you prevent its disclosure. Anyone who looks at your profile will be able to see this info (and so can any application you or your friends use).

Users should also be aware, Facebook's "recommended settings" probably lead many users to share more information than they mean to.

It seems even Facebook CEO Mark Zuckerberg couldn’t figure out the new privacy settings, as many news sources are reporting that he’s tinkered with his settings more than once following implementation of the new policy. He even (seemingly inadvertently) let his whole profile -- pictures and all -- "go public" for a short time.  Whoops! 

Bottom line, Facebook seems to be pushing users to share more information than they want to or mean to. After all, indexing more information helps Facebook in the real-time search battle against sites like Twitter. The problem for Facebook:  as opposed to other sites with the more "show all, to all" default settings, most of Facebook's users joined its social network because of its more protective privacy options and default settings. 

The ACLU offers a detailed analysis of various aspects of the new policy, and interested Facebook users may want to check out that resource to ensure they're not sharing more than intended.  And this blog offers a helpful guide on how to restore some privacy to Facebook profiles.

Law Professor Sues Blog for $22 Million

An African American law professor has sued Above the Law, a popular legal blog that published a series of posts about Professor Donald Marvin Jones (who it dubbed "The Nutty Professor") following his 2007 arrest on suspicion of soliciting an undercover officer for sex.

The professor claims the blog's posts constituted racism, portrayed him in a false light, invaded his privacy, and infringed the school's copyright on his faculty photo. Jones seeks $22 million in damages.

More on the story here: Law professor sues legal blog for $22m in damages - Legalweek

Considerations for Employers Before Disciplining or Discharging Employees for Online Social Networking Activity

Today, I spoke at a seminar focused on "Employee Documentation and Discharge in Iowa and Nebraska," along with two shareholders in the Dickinson, Mackaman, Tyler, & Hagen employment law practice group, Ann Holden Kendell and Rebecca Boyd Dublinske. In addition to some general topics, I covered a segment focused on adverse employment action in response to employees’ use of social networking web sites. The attendees seemed interested in the topic, so I’ll post some tidbits from that presentation here.

(Note that in an earlier post, I discussed risks employers might face in accessing online profiles of potential employees during the recruiting process. Some of those risks also arise in the context of addressing the issue of online activity of current employees.)

We all know Web 2.0 has dramatically changed our understanding of communication, interaction, and technology. As social networking sites become more and more popular, employers realize more and more employees use these sites. Many employees comment about their work, their employer, or their co-workers online. Sometimes these comments can have serious repercussions for the employer. What an employee does online may:

• Hurt the employer’s reputation, or disparage the company or its officers;
• Disclose proprietary information (maybe even inadvertently);
• Result in vicarious liability for the employer (for example, supervisor harassment via Facebook); or
• Otherwise violate company policies.

The general rule in most U.S. jurisdictions is at-will employment – which allows private sector employers to discipline or fire at-will employees for any or no reason (such as violation of company policy based on online activity). Some exceptions to the doctrine exist, however, and might limit an employer’s ability to respond to employee activity online. Some things to consider before reacting to employees’ use of social networking websites:

• How employer accesses the information. Depending on the circumstances, how an employer accessed the offending information might result in liability for the employer, or perhaps undermine the investigation that led to adverse action in the first place. For example, I’ve mentioned that accessing an online profile or social networking group when the user has taken advantage of certain privacy settings might result in an invasion of privacy claim under either state or federal law.

• Employment or Union Agreements. In other words, make sure it’s really at-will employment. Employers should be sure discipline or termination wouldn’t be violating the terms of any agreements that are in place.

• Discrimination. Similar to concerns in the context of hiring, a social network profile often reveals an employee’s protected status(es). People document their religious beliefs, age, sexual orientation (protected in some states, including Iowa!), and on and on . . . Employers might access information they wouldn’t otherwise know about. And once they see it, there’s no undoing it. Discipline taken after the employer becomes aware of a protected status might support an employee’s later claim that improper considerations – rather than performance – influenced the decision to discipline. Employers should also consider whether a particular disciplinary action might suggest a selective enforcement issue.

• Retaliation. Could the content of an online profile be considered protected activity such that discipline would be against public policy, and hence, illegal? If an employee seems to be complaining about work or an employer, consider whether those complaints might be protected.

• National Labor Relations Act. The NLRA may protect online commentary if, for example, the content could be considered an effort to organize a union, or somehow related to a labor dispute. Employers should consider whether discipline might be considered an unfair labor practice.

• Off-Duty Conduct Statutes or “Lifestyle Discrimination” Statutes. Some states protect an employee’s lawful, off-duty activities. Employers with workers in those states could be pretty limited in how they may react to employees’ online activity.

• First Amendment. Public employers must consider First Amendment implications of disciplining employees based on online speech.

• Inaccurate Information. Although not really a legal consideration, employers should keep in mind that online profiles often contain inaccurate or misleading information. Sarcastic comments or inside jokes may easily be taken out of context or misunderstood. Employees may also have little control over some content in their profiles (i.e., someone else may post a comment on the employee’s Facebook “wall” or photos of the employee).

• Other Practical Implications. For example, consider the public relations issues arising as a result of a “Facebook firing.” Terminations resulting from online activity remain relatively newsworthy, and may garner attention a company would rather avoid by imposing less severe discipline.

This list isn’t all-inclusive, and new issues come up every day. Still, employers would be wise to check with legal counsel before disciplining or discharging an employee for the employee’s conduct online.

Risky (Recruitment) Business? Potential Risks for Employers in Using Social Network Profiles for Candidate Screening

Today, I’m presenting on Web 2.0, social networking, and legal implications in employment at Dickinson, Mackaman, Tyler, & Hagen’s 2009 Employment Law Client Seminar in West Des Moines. As a portion of my segment, I’ll be going over a number of risks employers face when they use social networking sites as part of their hiring or screening process. Potential risks include:

• Incorrect information or information taken out of context. Information in a person’s online profile or “wall” space on Facebook, for example, isn’t always accurate. Neither are assumptions about that information. Keep in mind users sometimes have no control over content others post to their site. Of course, sarcastic comments or inside jokes could easily be taken out of context and misunderstood.

• Reveals information about a candidates’ protected class. Social network profiles include all kinds of protected information: people often list religious beliefs, age, race, gender, sexual orientation (protected in Iowa!), military status, and so on in profile information, for example. It’s risky for employers to get access to this information they wouldn’t otherwise ask about during the hiring process – and information upon which they can’t base hiring decisions. Once an employer sees this stuff, they can’t “un-see” it! Employers may find themselves having to prove a decision to refuse a candidate wasn’t influenced by the information online.

• Invasion of privacy. Depending on the circumstances, checking online profiles could lead to an invasion of privacy claim under various federal or state laws.

• Off-duty conduct discrimination. Some states have laws prohibiting discrimination based on off-duty conduct. If an employer has employees in states with such laws, it could really limit the employer’s ability to use social networking sites as part of the screening process.

• Fair credit reporting laws. If employers use an outside agency to conduct background checks on candidates, they may need to follow consent and disclosure requirements of fair credit reporting laws. The federal Fair Credit Reporting Act is one such law, and states sometimes have similar statutes.

Of course, some might argue employers have a duty to check public profiles available through social networking sites that are freely accessible to minimize risks of later negligent hiring claims. Employers do have a duty to consider all reasonably available information in making hiring decisions, and failure to check online profiles could arguably support a future negligent hiring claim.

Employers should carefully weigh risks and benefits of incorporating social networking checks into its screening process. If employers plan to use social networks as part of their vetting of candidates, they should consider working with counsel in developing an internal policy to govern the process.

Chicago Woman Sues Bullies Over Fake Facebook Profile of Her Son

On September 24, 2009, Laura Cook filed a suit on behalf of her son after four other students created a fake profile of the boy -- with his actual cell phone number, photos, and defamatory remarks. The defendants' posts suggested the boy liked to engage in homosexual acts, and they also sent "disturbing, vulgar and sexual comments to a few girls."

At one point, the fake profile had 580 "friends" -- many who knew the boy. Some of the users recognized the profile as a prank, but some believed it really belonged to Cook's son. This kind of humiliation, broadcast to 580 peers, would be pretty traumatic to any kid -- but because this student participates in athletics at state, regional, and national levels, the damage to his reputation is particularly significant.

Cook alleges five claims: defamation per se, defamation per quod, false light, intentional infliction of emotional distress, and injunctive relief.

The nature and extent of publication factors into the damages calculation in defamation actions. Suddenly "580 Facebook friends"-worth of damages probably doesn't seem too funny to these four little bullies anymore.

The story, as reported by the Chicago Sun-Times:
Mother sues over defamatory fake Facebook profile of son :: CHICAGO SUN-TIMES :: Metro & Tri-State

Shared via AddThis

Employer Liability for Accessing Employee's MySpace Group, Part Deux

In yesterday's post on Pietrylo v. Hillstone Restaurant Group, I blogged about an employer that found itself in hot water for accessing an employee's "by invitation only" MySpace group (called the Spectator) by using another employee's login information.  The jury found the restaurant liable under the Stored Communications Act (also known as Title II of the Electronic Communications Privacy Act of 1986).  The plaintiffs in that case also pursued a common law invasion of privacy claim.  Although the plaintiffs lost on that count, there's an important jury finding worth pointing out.

On the invasion of privacy claim ("intrusion upon seclusion"), the jury instructions asked, "Was the Spectator a place of solitude and seclusion which was designed to protect the Plaintiffs' private affairs and concerns?"  To this, the jury responded, "yes."

The instructions went on to ask, "Did the Plaintiffs have a reasonable expectation of privacy in the Spectator?"  Here, the jury answered "no," which left the plaintiffs without a claim.  (The jury didn't go on to determine whether a reasonable person would find it highly offensive, the next element to prove the claim).

This seems a bit curious -- as the two answers appear to be mutually exclusive.  In other jurisdictions, an affirmative answer to the first question would necessarily mean the plaintiffs had a reasonable expectation of privacy in the "thing" intruded.  An invasion of privacy claim for intrusion upon seclusion in Iowa, for example, just has two elements:  (1) an intentional intrusion upon the solitude or seclusion of another, (2) which a reasonable person would find highly offensive. 

However this verdict form might be analyzed, one thing is clear:  a jury may well find that "by invitation only" MySpace groups --as well as other online content with certain privacy controls -- can be a "place of solitude and seclusion" for purposes of an invasion of privacy claim.

Here's the relevant portion of the jury form:

Employer Liability for Accessing Employee's MySpace Group

A jury decided an employer violated the Stored Communications Act (“SCA”) and the parallel state statute when management used an employee’s login information to access the site, awarding compensatory and punitive damages.

According to court documents, two Houston’s restaurant employees, Brian Pietrylo and Doreen Marino, created a private MySpace group called the “Spectator” to (in Brian’s words) “vent about any BS” they dealt with at work. One of the invitees was restaurant greeter, Karen St. Jean. Management apparently caught wind of the web page, and asked Karen for her login information. She voluntarily turned it over to them, and the managers logged on to find all kinds of stuff they weren’t too pleased about:

 Talk of workplace violence (i.e., “The Navajo rug needs to be set on fire”),
 References to illicit drug use (i.e., “If you had to drop acid with one person in Houston[’]s, who would it be?”),
 Offensive name-calling and sexual remarks (i.e., “management dick suckers” and reference to a “rim job,” which apparently involves some kind of anal sex act),
 Disclosure of proprietary business information (i.e., entire wine test on a new wine list that was to be given to the staff)
 Sarcastic and derogatory comments about the quality and standards of Houston’s, as well as its management (i.e., “stupid corporate f---s”).

Houston’s fired Brian and Doreen, and they sued. The jury returned a verdict in favor of Brian and Doreen on their SCA claims, finding that through its managers, Houston’s had knowingly or intentionally accessed the Spectator without authorization.

Following the jury verdict, Houston’s moved for judgment as a matter of law, or alternatively, a new trial. On September 25, 2009, the US District Court for the District of New Jersey issued its opinion denying the motion.

The court said that although Karen voluntarily handed over her login information to them, she testified she would not have turned over her password to any non-managers who asked for it, and she worried she “probably would have gotten in trouble” if she hadn’t complied. Thus, according to the court, a reasonable jury could have decided her purported “authorization” was coerced or pressured. Further, the managers accessed the site on multiple occasions, despite the fact is was clear on the group page that it was meant to be private and accessed only by members. Heck, the way they went about accessing the password-protected MySpace group also suggested they knew they weren’t authorized. Despite the restaurant’s claimed belief its managers pursued access to the Spectator for legitimate business reasons, the jury didn’t believe the way Houston’s tried to protect those interests was proper.

This case reminds employers there are risks in attempting to access employee’s online content – particularly when that access might be considered “unauthorized.” Employers generally should avoid using false information or someone else’s login and password to gain access to any web sites.