Privacy has been defined as retirement and seclusion, or as “the state of being free from unsanctioned intrusion.” [1] This evokes thoughts of physical space. [2] One may expect to have privacy behind the closed doors of their own home, though a nosey neighbor may be able to peer through a window and violate that expectation of privacy. Privacy is rarely a guarantee, in this high technology age of advanced surveillance, [3] but most people can feel fairly confident that they can secure a certain physical space where they can be alone and undisturbed. What happens, however, when the walls, doors and windows are removed and cyberspace becomes the means by which private acts take place, or private thoughts are divulged? Do people have an expectation of privacy with regard to using the internet socially, and should they? This article will discuss the difficulty of applying traditional privacy tort analysis to online social networks (“OSNs”) such as MySpace, YouTube and Facebook, [4] and offer some thoughts on a recent proposal to amend the analysis to reflect both physical and cyber privacy.
When a “shameful, embarrassing, or otherwise harmful disclosure of personal information” takes place, there is the potential for a lawsuit alleging tortuous public disclosure. Traditionally, there is a four-part analysis for this tort:
"(1) Was the fact disclosed public or private?
(2) If private, was the information otherwise protected by the first amendment?
(3) If private and not constitutionally protected, was the information disclosed to a large number of people by the defendant’s affirmative action?
(4) Finally, would such a widely disseminated disclosure have highly offended a reasonable person?" [5]
Harm, causation and intent are notably absent from this analysis, but have been read into the tort by various courts interpreting the law. [6] The tort has been further narrowed, perhaps out of fear that the average person could find themselves at risk for prosecution while engaging in routine gossip or that speech that should be protected constitutionally will become suspect. [7] An example of this concern can be found in the case of Florida Star v. B.J.F., where the Supreme Court held that there will be a “public concern test” which must be met in order for a case of tortuous public disclosure to be actionable, meaning that “the information at issue must be a matter of public significance or newsworthiness, and its protection ha[s] to ‘further a state interest of the highest order.’” [8] Under the current test, few things are truly actionable under the tort of public disclosure of private facts, especially considering that many things that are a matter of public significance or newsworthiness are also protected by the first amendment. [9] However, for those things that are potentially actionable, the above analysis is inadequate in light of technological advances [10]; since the internet presents new questions regarding what facts are truly public or private, the first prong of the analysis fails to address privacy concerns in cyberspace. A new analysis must therefore be developed.
It may be difficult to apply the traditional public disclosure tort analysis to cyberspace due to the fact that the analysis is heavily linked to the physical realm. [11] The first prong of the traditional test asks whether the disclosed fact was public or private, which begs the question of when a fact is public and when it is private. Is it private simply due to the subject matter of the information – is information of a sexual nature, for example, automatically private? This is not necessarily true. It is difficult to say any information, by its very nature, is private because sensitive information is disclosed all of the time for publicity or other reasons. [12] Physical location also can’t define information as public or private, now that the internet is involved. [13] These are just two examples of why the traditional analysis is no longer adequate.
As a result, it has been proposed by Patricia Sanchez Abril that courts analyze these torts in a new way which would be consistent with all possible settings of tortuous public disclosure, both physical and internet invasions of privacy. [14] She suggests that in order to analyze these cases, the court should take a three step approach. [15] First, the court should define what exactly the disclosed information was, whether it was first amendment protected speech and what the overall accessibility was to the information. [16] Next, the courts should analyze the disclosure itself to determine whether the plaintiff was harmed and whether the alleged perpetrator had “malice intent or motive (i.e., did she breach the plaintiff’s privacy through wrongful or improper means?).” [17] Lastly, the court should look to what the plaintiff’s actions were, including whether the “information [was] originally disclosed in the context of a confidential relationship” and whether the plaintiff took steps to protect the information that was disclosed. [18] Ms. Abril contends that by using this kind of analysis, the court can analyze any public disclosure with a fact-specific approach. [19]
This analysis does seem a more appropriate means of analyzing public disclosure torts, in that it addresses the concerns of intent and harm and translates well to privacy in cyberspace. The first step is adequate to analyze the disclosed information, because it addresses first amendment concerns and assures that protected speech is not chilled by the threat of a private lawsuit. [20] It is also important to analyze the overall accessibility of the information, because if the plaintiff has broadcast the private information on their very own OSN user profile, it was likely accessible to a large audience and therefore the defendant should not be held liable for damages. It has been held that once a person has shared a fact with one or more others, they can no longer hold that information to be private. [21] This is especially true in the digital age, where telling one person could quite literally mean telling the entire world. [22]
The next part of the analysis also seems adequate, in that it addresses the harm that the plaintiff suffered as well as the intent of the discloser, issues that were not addressed in the original restatement analysis. [23] It could be said that anyone who has a private fact disclosed about them was harmed, but this prong of the test would require a severe degree of harm, in order to prevent idle gossip from becoming an actionable offense. This prong allows for a great deal of flexibility and judicial discretion, in that many factors may play into the degree of harm suffered by the plaintiff. While Ms. Abril is attempting to move away from the traditional privacy tort analysis, perhaps the original Restatement language stating that the disclosed information must be “highly offensive to a reasonable person” would be appropriate here in order to give the court some kind of benchmark for what degree of harm must be involved in order for the court to grant relief. [24] In addition, perhaps the size of the audience to which the information was disclosed may be considered. If someone posted harmful information on their OSN profile which only 5 other people have access to (due to privacy settings, etc.), this may be a less serious offense than posting the information on a public OSN profile which has a virtually limitless potential audience. This raises the question of whether any disclosure over the internet should be considered a disclosure to millions of people. One could say that the internet is the largest audience imaginable, yet just because millions of people could have come across the information does not mean that millions of people did. Should any disclosure over the internet be considered a public disclosure to a wide audience? Likely not, and courts will have to do a case-by-case analysis to determine how public the disclosure was in order to determine the true harm to the plaintiff. Intent is also an important factor which Ms. Abril rightly included, because if one person ignorantly spread information about another without meaning to cause harm, their punishment should be far less severe than if it was done maliciously. This may help to assure that only the most serious offenses make it into court – the kind of offenses the U.S. courts presumably intend to deter.
The last prong is very important, in that it analyzes the behavior of the plaintiff his or herself to assure that they took appropriate actions to keep their information private. This shifts a burden to the plaintiff to take steps to protect their information through privacy settings, passwords, etc. [25] The plaintiff can demonstrate a reasonable expectation of privacy by working to protect their information. [26] This prong serves two purposes: (1) it reduces the risk that this lawsuit will end up in court in the first place because increased measures were taken to protect the information, and (2) it also boosts the plaintiff’s case in the event of a disclosure.
Ms. Abril’s analysis is, therefore, a great way for courts to analyze public disclosures. This multi-factor test may not lead to incredibly consistent results due to the fact-specific nature of the analysis, but it gives courts a list of important concerns that will at the very least assure that the plaintiffs and defendants rights are being considered and fairly weighed, even when privacy over the internet is at issue rather than privacy within physical boundaries.
Today more information is available than ever before, which was made possible by the advent of the internet. People use the internet as a way to promote themselves to a large audience and perhaps even form lasting friendships and romantic relationships. [27] The internet can be a useful tool in furthering social endeavors, but this is a double-edged sword. One poll found that 55% of people ages 12-17 had a MySpace account – a staggering figure. [28] The default mode on MySpace and Facebook accounts is to make all of the information on the page public and available to anyone who wants to see it. Knowing this, people must take extra care to protect information from an unwanted audience. For example, employers are increasingly performing OSN searches of potential employees, and using the information they find to make employment decisions. [29] Users need to take some easy yet effective steps to minimize their risk of public disclosure of private information, since a legal remedy is expensive and difficult to win. One can protect themselves by raising the privacy settings on the MySpace or other account to only allow certain people, such as friends and relatives, to see the profile. [30] One can also minimize the amount of information on the profile, such as eliminating addresses, last names, and other information that is very specific to the user. [31] The moral of the story is to be careful about what information is available to the public on OSNs, because one never knows who is watching. There can and should be laws protecting privacy where there are no walls or ceilings, but until privacy laws are changed to reflect expectations both in the physical and cyber realms, perhaps there can be no reasonable expectation of privacy with respect to information over the internet.
Sources
[1] Dictionary.com, Entry on "Privacy", http://dictionary.reference.com/browse/privacy (last visited Mar. 12, 2008).
[2] Patricia S. Abril, Recasting Privacy Torts in a Spaceless World, 21 HARV. J. L. & TECH. 1, 2 (2007).
[3] See, e.g., Catherine Komp, GPS Surveilance Creeps into Daily Life, THE NEW STANDARD, Nov. 14, 2006, available at http://newstandardnews.net/content/index.cfm/items/3886 (last visited Mar. 12, 2008).
[4] See Abril, supra note 2, at 3 ("Traditionally, privacy has be inextricably linked to physical space.").
[5] W. PAGE KEETON, et al., PROSSER AND KEETON ON THE LAW OF TORTS 173 (5th ed. 1984).
[6] Abril, supra note 2, at 9-10.
[7] See, id. at 10-11.
[8] Id. at 11 (quoting Florida Star v. B.J.F., 491 U.S. 524, 533 (1989))
[9] See James C. Goodale, The First Amendment and Freedom of the Press, 1STAMENDMENT.COM,http://www.1stamendment.com/PentagonPapersFreedomofthePress.htm (last visited Mar. 12, 2008) ("The Supreme Court has held that if the press 'lawfully obtains truthful information about a matter of public significance then [the government] may not constitutionally punish publication of the information, absent a need to further a state interest of the highest order'" (quoting Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979)).
[10] See generally Abril, supra note 2 (discussing the need for a new framework to analyze privacy torts, which can be applied to both physical and cyber invasions of privacy).
[11] Id. at 3.
[12] Id. at 21.
[13] Id. at 17-20.
[14] See generally, id.
[15] Abril, supra note 2, at 28.
[16] Id.
[17] Id.
[18] Id.
[19] Id.
[20] Abril, supra note 2, at 28.
[21] Patricia S. Abril, A (My)Space of One's Own: On Privacy and Online Social Networks, 6 NW. J. Tech. & INTELL. PROP. 73, 80 (2007).
[22] Id.
[23] Abril, supra note 2, at 9-10.
[24] KEETON, supra note 5, at 173.
[25] Abril, supra note 2, at 45.
[26] Abril, supra note 2, at 41 ("Courts have repeatedly looked to plaintiffs’ outward manifestations and behavior to determine whether they had true and reasonable expectations of privacy.")
[27] E.g., EHarmony, www.eharmony.com (last visited Mar. 12, 2008).
[28] Abril, supra note 2, at 13.
[29] See Abril Myspace, supra note 21, at 75 ("A person’s digital dossier can betray him in the physical world, resulting in harms like the denial or loss of employment, shame and embarrassment, denigration of reputation, or merely exposure in an unwanted light.")
[30] See Abril, supra note 2, at 14.
[31] Id.