Our blog has moved! Now redirecting to new blog...

Welcome to the website of the Internet and Intellectual Property Justice Clinic, a University of San Francisco School of Law clinical program that provides legal assistance to parties in intellectual property matters. For more information, see the "About Us" page.

Our website includes commentary from our students on cutting-edge internet law and intellectual property topics. Those posts are listed below, and more are archived under "Pages" on the right. Enjoy!

Right to Privacy on the Internet

By Patrick L.

This note will explore an individual’s legal right to privacy on Facebook.

The right to privacy is rooted in the 4th Amendment to the United States’ Constitution, which protects a person’s legitimate expectations of privacy. U.S. Const. amend. IV. This means that if an individual has both a subjective (actual) and objective (reasonable) expectation of privacy it is an expectation that society will recognize. This right to privacy is accorded to both citizens and non-citizens while on U.S. soil.

In 1986 Congress passed a federal law regulating the privacy of communication. Information posted on a website is subject to regulation under the federal Stored Communications Act (SCA). 18 U.S.C.A. §§ 2701-2712. The SCA permits disclosure of electronic communications that are publicly posted.

In regards to the right of privacy with respect to communications made via an Internet website, such as Facebook, the 9th Circuit has found that the unauthorized viewing of a secured website was an unlawful invasion of privacy. Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035 (9th Cir. 2001). In Konop the website at issue was designed as a secure website requiring a user name and password to which an individual could only get a user name and password from Konop. Konop created the website and granted access to fellow employees of Hawaiian Airlines so they could discuss their experiences working for Hawaiian Airlines. Id. The court found the limited access to the website which could only be granted by the creator of the website to be a distinction from other websites requiring a user name and password. Id. This distinction gave the user’s of the website Konop created a higher expectation of privacy than a website which would allow anyone to create there own user name and password. Id.

Websites that are readily available to the public—websites that anyone can access without a user name or password—do not carry an expectation of privacy regarding electronic communications made through the website. Id. A secured website is one that requires a user to insert a user name and password to access the site. Facebook is a website that requires a user name and password to access the site. However, anyone can create their own user name and password and be granted access to the Facebook website. In Konop the user names and passwords were created by the administrator of the website, who only granted access to the website to certain co-workers.

Facebook’s Privacy Policy

Many websites, including Facebook, have privacy policies designed to protect an individual’s privacy and assure them that information a user posts on the website will not be readily available to anyone on the Internet. Facebook has an extensive privacy policy which can be found by clicking on the word “Privacy” located at the bottom right hand corner of the Facebook page and displayed as a blue hyperlink. Anyone who signs up can become a Facebook user, as long as they are at least 13 years old. Being a Facebook user allows people to stay in touch with friends through posting comments and pictures on a person’s Facebook page, and through live instant-message chatting.

A Facebook user can post as much or as little information about themselves as they want on the profile page. A Facebook user’s profile page is the central part of having a Facebook account where a user can update their status, receive messages from friends, and post pictures. Facebook’s default privacy settings allow other Facebook users to view this information when looking at the profile page. These privacy settings can be changed by each individual user to increase or decrease the access that other Facebook users have to one’s profile page. However, Facebook makes certain information publicly available to everyone: name, profile photo, list of friends, gender and geographic region. This means that even if a user sets their Facebook page to private settings that only allow their Facebook friends to view their page, anyone searching Facebook, or the Internet, can access the publicly available information.

When signing up for Facebook, certain personal information is required, including a user’s name, email, gender, and birth date. Even though it is required, personal information such as an email address, or birth date, can be hidden from other users through optional privacy settings.

The lowest level of privacy setting on a user’s Facebook page is “everyone”. With this setting, Facebook considers all information provided by the user as publicly available. This info is available to anyone through Facebook, through search engines, or even through other websites not affiliated with Facebook.

Facebook is constantly collecting and logging user information. For example, the Facebook website keeps track of all actions a user takes such as adding a friend, joining a group, or creating a photo album. Facebook also collects information from the computer or mobile phone with which a user accesses the site. Facebook collects information on the browser used, IP address, and the other web pages a user visits.

One way user information is utilized by Facebook is to improve services and features and to provide customer support. Facebook also uses a user’s information to contact them with service related announcements when there have been changes to the website, new features have been added, or the privacy policy has been amended. An important—and revenue generating—use of personal information by Facebook is to present advertisements to the user that are personalized based on the information obtained by Facebook.

Facebook states that a user’s information is only shared with third parties when the sharing is permitted by the user based on privacy settings, is reasonably necessary to offer services, or when Facebook is legally required to do so.

Facebook stresses that there are inherent risks in sharing information. Facebook is about sharing information and content with friends, and any of this information is subject to exposure by unauthorized third parties in violation of privacy settings or security measures taken by Facebook. The nature of the internet gives any “hacker” the opportunity to access a Facebook user’s information in violation of the Facebook privacy policy and the privacy settings chosen by an individual user.

Facebook Users Expectation of Privacy

Under the 9th Circuit’s standard for an expectation of privacy in websites such as Facebook, the crucial fact is whether or not the site requires a user name and password given to a user by the creator of the website. Facebook users would most likely not be considered to have an expectation of privacy under this test because anyone can sign up for Facebook by creating their own user name and password. Once a person signs on as a user they need to understand that Facebook is a publicly available resource, which anyone can join, as long as they are at least 13 years old. And, once a person becomes a Facebook user, they can access all of the information of their Facebook friends, as well as the information of any Facebook user whose Facebook page has a privacy setting of “everyone”.

In short, there is no complete privacy for any Facebook user since certain information such as name, date of birth, and email address are publicly available information according to the Facebook privacy policy regardless of the user’s privacy settings. When signing up for a new Facebook account, a user is provided the default privacy settings by Facebook. These default settings allow other Facebook users to access a person’s information, even if they are not Facebook friends.

Even if a user voluntarily chooses to keep their information private through the privacy settings on their page, Facebook’s privacy policy allows the company to share a user’s information with the government or authorities whenever required by law, such as in the course of a police investigation.
Facebook also disclaims any guarantee of privacy. As with any information posted on the internet, Facebook cannot guarantee that a user’s information won’t be accessed by an unauthorized third party hacking into the site and violating the Facebook privacy policy or the law.

At its core Facebook is about a user sharing information and connecting with friends. Based on Facebook’s design for a user to share information, Facebook’s privacy policy, and existing caselaw, a Facebook users best approach is to assume there is no expectation of privacy in anything they post on Facebook.