A recent court decision has added support to the idea that there
is no privacy on the internet.
United States v. Meregildo, defendant Melvin Colon moved to
suppress evidence seized from his Facebook account pursuant to a
search warrant. Colon did not challenge the issuing
court's decision that the search warrant application was
supported by probable cause. Rather, he challenged the
government's method of collecting evidence to show probable
cause in its application for the search warrant. Colon's
Facebook privacy settings allowed only his Facebook
"friends" to view his profile. One of these
"friends," who happened to be a cooperating witness,
allowed the government to use his account to access
Colon's profile. The government then collected
information from Colon's profile to use as evidence of probable
cause to support the search warrant.
The Court denied Colon's motion to suppress, reasoning that
he had no reasonable expectation of privacy in the information he
allowed his Facebook friends to view. Therefore, it ruled,
the government may access this information through a cooperating
witness without violating the Fourth Amendment. The Court
compared Colon's Facebook profile to a number of other areas in
which courts have found no reasonable expectation of privacy.
For example, the Court emphasized that an email sender loses the
expectation of privacy when the email is delivered. The Court
concluded that "[w]hile Colon undoubtedly believed that his
Facebook profile would not be shared with law enforcement, he had
no justifiable expectation that his "friends" would keep
his profile private."
The Court's decision may have important implications for
civil discovery. For example, the Stored Communications Act
prohibits companies providing electronic communication services
from disclosing a user's private information without the
user's consent. There is no exception
for civil subpoenas. Facebook, therefore, regularly moves to
quash civil subpoenas seeking such information. The Meregildo
decision, however, opens the door for an argument that a Facebook
user's personal information, wall posts, photos, etc. are
not private information under the Act if they are
shared with the user's friends. If that were the case,
Facebook would be legally obligated to withhold only that
information that a user keeps completely private. Such an
interpretation would produce a sea of change in the information
available during civil discovery.
The 2010 theft of an unencrypted laptop containing confidential health care information made front-page news in 2013, not because a huge number of patients were affected, but for the exact opposite reason.
Any company that collects personal data from consumers should take proactive steps to have appropriate legal counsel review its data security practices, as well as its terms of service or privacy practices, to identify any potential problem areas.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.