The decision is Largent v. Reed (Pa. Common Pleas Nov. 8, 2011), and it involves a discovery request by the defendant in a civil case arising from a car accident. The defendant has filed a Motion to Compel Facebook Login Information in an effort to look through the plaintif’s account for evidence that she was exaggerating her injuries. Judge Walsh grants the request, ruling:
Plaintiff . . . must turn over her Facebook login information to Defense counsel within 14 days of the date of the attached Order. Defense counsel is allotted a 21-day window in which to inspect [Plaintiff]’s profile. After the window closes, Plaintiff may change her password to prevent any further access to her account by Defense counsel.
Judge Walsh spends pages 10-12 considering how the Stored Communications Act applies to this situation, and given that he relies on an article I wrote, let me offer a quick comment. Judge Walsh writes that the Stored Communications Act isn’t implicated because the defendant seeks information directly from the plaintiff. As a result, neither the defendant nor the plaintiff is a regulated entity (known as an “RCS” or an “ECS”) under the statute:
In this case, [Defendant] seeks the information directly from [Plaintiff]. The SCA does not apply because [Defendant] is not an entity regulated by the SCA. She is neither an RCS nor an ECS, and accessing Facebook or the Internet via a home computer, smartphone, laptop, or other means does not render her an RCS or ECS. See Kerr, 72 Geo. Wash. L. Rev, at 1214. She cannot claim the protection of the SCA, because that Act does not apply to her. “The SCA is not a catch-all statute designed to protect the privacy of stored Internet communications.” Id. Rather, it only applies to the enumerated entities. Largent being neither an ECS nor an RCS, the SCA does not protect her Facebook profile from discovery.
While it’s true that neither the plaintiff nor the defendant are regulated entities under the statute, Facebook clearly is. Facebook is an ECS provider in some ways and an RCS provider in other ways. As a result, the privacy of Facebook communications are protected by 18 U.S.C. 2701 of the Stored Communications Act, which protects ECS providers, in addition to 18 U.S.C. 1030, the Computer Fraud and Abuse Act, which protects all computers generally. Both of these statutes prohibit accessing electronic accounts without authorization or in excess of authorizaton. So while ordering the plaintiff to disclose her password to the defendant doesn’t itself violate the SCA or the CFAA, it’s at least an open question whether the defendant’s future act of accessing the plaintiff’s account might violate those statutes.
As with many questions of the CFAA (and related provisions of the SCA), it hinges on what “authorization” means. Here’s the question: If Facebook says that only the individual account holder can access the account; the individual account holder refuses to voluntarily disclose the password; and someone else accesses the account only because the account holder was forced by a judge to disclose the password, is the “someone else’s” access authorized or not? Put another way, what governs authorization: The views of Facebook and the views of the account holder, or the views of the trial judge who granted the discovery request? It’s not an easy question, creating a significant risk that granting the motion to compel invites the movant to commit a federal crime in the course of discovery.