Emory Corporate Governance and Accountability Review

Shades of Privacy in a Color-Blind System: The Rights and Expectations of Social Media Privacy in the Modern Workforce
Eric Evans Eric C. Evans is a second-year student at Emory University School of Law, primarily interested in practicing transactional law post-graduation. Eric is a graduate of Miami University in Oxford, Ohio, where he studied History and Political Science.

Introduction

For roughly seven in ten Americans, social media is a fact of life, intricately woven into their daily routines. It is used to connect with friends and colleagues, build a professional network, provide a source for current events, share information, and entertain. Of the newest generation of the nation’s workforce, Americans age eighteen to twenty-nine, eighty-eight percent actively maintain at least one social media account. 1Pew Research Center, http://www.pewinternet.org/fact-sheet/social-media/ (last visited Feb. 22, 2018). Seventy-nine percent of Americans age thirty to forty-nine use at least one form of social media, and sixty-four percent of those age fifty to sixty-four are active on a social media platform. 2Id. Only those Americans largely retired from the workforce, age sixty-five and over, are majority non-users of social media. 3Id. In short, social media is ubiquitous in contemporary American culture, and in all likelihood will only increase in popularity, usage, social importance, and available forms as we move forward.

Despite the widespread use, there are shockingly few laws on the books today governing social media related issues in the workplace. You’d be hard pressed to locate statutes that outline how and when employers can use social media to screen job candidates or monitor current employee’s accounts for breaches of company policy. The same goes for finding statutes that provide employees with solid legal protections against employer snooping or discipline based on social media activity.

Part of the reason that these laws don’t exist may be the frantic speed at which social media has grown, which simply outpaced the legislative process. When the Pew Research Center began tracking social media usage in 2005, only about five percent of adult Americans maintained an account; ten years later sixty-five percent did. 4Id. The landmine of complex and interconnected legal issues surrounding social media in the workplace could be another reason for the lack of legal direction. The topic touches on everything from labor law issues related to the rights of employees to engage in “concerted” activity under the National Labor Relations Act, to First Amendment issues related to the right to free speech, to Fourth Amendment issues related to the right against unreasonable search and seizure, and, of course, employee privacy rights.

Recently observed by a court wrestling with statutory and common-law invasion of privacy claims in the context of social media in the workplace, “privacy in social networking is an emerging, but underdeveloped, area of case law.” 5 Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 872 F. Supp. 2d 369, 373 (D.N.J. 2012). See also Robert Sprague, Invasion of Social Networks: Blurring the Line between Personal Life and the Employment Relationship, 50 U. Louisville L. Rev. 1, 13 (2011). This paper will approach social media in the private-sector workplace 6 While public sector employees’ interest in privacy from employer surveillance of their social media activity is not fundamentally different from the privacy concerns of a private employee, public employees enjoy greater rights and protections in this area of the law. The “public employment relationship is governed by certain bodies of law, most notably the Constitution, that do not apply to the private sector.” See Sheila A. Bentzen, Safe for Work? Analyzing the Supreme Court’s Standard of Privacy for Government Employees in Light of City of Ontario v. Quon, 97 Iowa L.Rev. 1283, 1286 (2012). As a result, private employees cannot rely on constitutional guarantees to state claims for social media privacy, as public employees potentially can. Id. from an employee “right to privacy” perspective, and analyze the limited privacy protections U.S. law, through a hodgepodge of statutory and common-law protections, currently provides to employees social media activity. 7 Furthermore, this paper is not concerned with the rights to online privacy employees have on company provided hardware and devices. Under U.S. law, the workplace, and all of its resources, are property of the employer. See Patricia Sánchez Abril, Blurred Boundaries: Social Media Privacy and the Twenty-First-Century Employee, 49 Am. Bus. L.J. 63, 71 (2012). That means that employers have the right to dictate permissive use of the technology they provide employees, and furthermore, monitor employee activity on company provided devices. Id. It will argue that courts are struggling to apply existing law, most of which was created in the context of more traditional forms of electronic communications, to social media, mainly because social media platforms allow users to use varying degrees of privacy in regards to their online activity that the law is not finely calibrated enough distinguish. Furthermore, the paper will argue that squaring up the degrees of social media privacy with the idea that liability for both statutory and common-law invasion of privacy claims turn on court’s binary perception of privacy requires holding that employees who have utilized any privacy settings should be ruled to have taken steps to remove the communication from the online public sphere, and thus has a reasonable and protectable expectation of privacy.

First, a contextual framework will be laid, highlighting some of the most noteworthy forms of social media, but focusing on Facebook. Similarities and differences of Facebook with more traditional forms of communication, like telephone and email, will be discussed. Next, applicability of the Electronic Communications Privacy Act of 1986 (ECPA), which is the primary federal legislation on point in the context of employee’s social media privacy, will be examined. Stretching the ECPA’s antiquated conceptions of electronic communication across the modern contours of Facebook, and its varying degrees of privacy, will conclude the section. The paper will progress into an analysis of employee’s right to social media privacy under the common-law. An examination of how the common-law accounts for Facebook’s varying degrees of privacy will be included. Finally, a discussion of accepted judicial interpretations of the common-law’s “reasonable expectation of privacy” analysis will be contrasted with the expectations of online privacy held by the American workforce.

I. Contextual Framework: Facebook v. “Traditional” Communication

While the list of social media platforms Americans can choose from continues to grow, this paper is principally interested in Facebook. Particularly, how Facebook compares to more traditional forms of communications, and how privacy protections under the Stored Communications Act and the common-law, along with, respectively, their antiquated conceptions of electronic communication and public expectations of privacy, can be stretched across the modern contours of Facebook. Facebook is significant in the context of this topic not only because the majority of existing social media privacy related case-law is comprised of Facebook cases, but also because it has the largest audience of any social media platform in the United States, with roughly 214 million American users as of January 2018. 8Statista, https://www.statista.com/statistics/398136/us-facebook-user-age-groups/ (last visited Mar. 30, 2018).

Facebook continues to dominate the increasingly crowded field of social media, in terms of sheer number of American users, partly because of the growth of smartphone technology and mobile usage. 9Id. A recent study found that Facebook was the most popular social media app of millennials in the United States; more than three-quarters of millennials accessed Facebook from their mobile devices. 10Id. Only among the youngest American demographic group, ages twelve to twenty-four, does Facebook trail another social media site, Snapchat, in total users, though only by three percent. 11Statista, https://www.statista.com/statistics/199242/social-media-and-networking-sites-used-by-us-teenagers/ (last visited Mar. 30, 2018). Still, as of February 2017, the same study found that more Americans in this age bracket use Facebook than Instagram, Twitter, Pinterest, Tumbler, WhatsApp and LinkedIn, the next most popular forms of social media. 12Id.

One of the primary reasons courts are struggling to apply the privacy protections of existing law to social media is because modern social media technology such as Facebook allows users to apply varying degrees of privacy to their online activity that the law, which was created in the context of more traditional forms of communication, is not finely calibrated enough to distinguish between. Compare the privacy settings Facebook users can apply, versus the privacy options available for telephonic communication, or email. On Facebook, an “audience selector tool” appears on virtually every place users can share or post material. 13Facebook, https://www.facebook.com/help/211513702214269?helpref=related (last visited Apr. 5, 2018). The audience selector tool allows users to hand-pick a specific audience for each post they create, ranging from default audience options to completely customizable selections. The settings span from entirely public, so that anyone with a Facebook account can view what was shared or posted, to completely private, under the “Only Me” option, which allows users to post material to their own Facebook timeline that is visible to only them, and that will appear in only their own news feed. 14Id. On the communications privacy spectrum, these two book-ends of Facebook privacy settings are far more extreme than telephonic communications or email have the ability to reach.

A telephone user is simply unable to connect everyone in the world who owns a telephone onto a single phone call to communicate something, unlike a Facebook user’s ability to post material publically, that anyone with a Facebook account can view. Furthermore, while a Facebook post can remain online and publically viewable indefinitely, a telephone conversation is instantaneous. Unless telephonic communication is recorded, it only exists during the moments it is being spoken, further limiting how public it can become. Email communication is more similar to telephonic communication than Facebook, in terms of its most extreme degrees of the privacy settings. While email communication can exist on email servers indefinitely, similar to Facebook posts, there is no conceivable way to make an email message viewable to anyone and everyone in the world with an email account, using email technology alone.

Additionally, a vast array of intermediate privacy settings exist on Facebook. For instance, the “Friends (+ friends of anyone tagged)” 15 In the context of this section of the paper, the terms “Facebook friends” and “friends” will be used interchangeably, however both refer specifically to Facebook friends, meaning the people that users of Facebook add as “friends” to their Facebook account. option allows users to post and share material with their Facebook friends, and if they choose to tag 16 “Tagging” someone on Facebook identifies them in a post, photo, or status update that you share. A tag may also notify that person that you have mentioned them or referred to them in a post or a photo, and provide a link back to their profile. See Facebook, https://www.facebook.com/help/124970597582337/ (last visited Apr. 6, 2018). anyone in the post, the audience expands to also include the tagged person’s friends 17Facebook, https://www.facebook.com/help/211513702214269?helpref=related (last visited Apr. 5, 2018). If users do not want their photograph or post to be visible to the friends of the people they tag, they can adjust their settings in the audience selector tool and uncheck the “Friends of those tagged” box. 18Id. Similarly, another setting allows users to post and share material with their Facebook friends, which in turn the friends of the user’s friends—who may not be friends with the user—can view. 19Id. Facebook also allows users to bypass the default privacy options completely, and customize their settings. Users can selectively share something with specific people or hide it from specific people. 20Id. Users can also share material with specific friend lists they create, or hide posts from specific friend lists. 21Id.

Theoretically, email technology can mimic the “Friends (+ friends of anyone tagged)” or “Friends (+ friends or friends”) Facebook options, via user’s ability to create contacts lists and forward emails to accounts not addressed on the original email message. Unlike these Facebook settings, however, email does not allow users to send a message to a group, and then restrict the ability of the recipients to forward the message on to other contacts. Once communications have been transmitted via email, the original sender has no ability to control what the recipient does with that communication, which is dissimilar to Facebook. Telephonic communication offers even fewer options than email in this regard, with virtually no available equivalent to these Facebook privacy settings, with the exception of user’s ability to selectively block other telephone numbers.

Finally, and in addition to the voluminous menu of privacy settings a user can choose from, it is also possible for Facebook users to retroactively alter their privacy settings, after they have already shared or posted something. For instance, users have the ability to change who a post is shared with and viewable to after the material has already been posted or shared, to effectively both expand or retract the material’s audience. 22Id. Furthermore, users can remove tags from posts they’ve been tagged in by other users, or even select the “Tag Review” setting which allows users to approve or dismiss tags that other users add to their posts. 23Id. Telephonic and email technology offer no meaningfully equivalent options to retroactively alter the privacy protections granted to communication that has already been transmitted. Once a call has been placed or an email sent, there is simply no way to change the recipients of the communication.

While countless other combinations of privacy settings exist on Facebook, these examples should suffice to demonstrate that Facebook, representative of modern social media, allows users to employ varying degrees of privacy in regards to their communication, degrees that do not exist in more traditional forms of communication. Since the most potent legal protections for employee social media privacy rights are derived from laws created in the context of technology such as telephonic communication, courts are struggling to apply existing law to modern social media. Unfortunately, courts are forced to apply the clunky current law to Facebook and other modern forms of social media with increasing regularity, as the practice of monitoring employee social media activity has become more common-place for employers.

Many would agree that employers should have some limited ability to scrutinize employee’s social media activity. After all, employers can be damaged from purely private online employee conduct, and should be aware of situations where employees use social media to harass co-workers or customers, disclose trade secrets, or degrade the company brand. Still, these situations do not represent the norm for how employees use social media. There are far more instances where employers seem to cross the line aggressively monitoring employee’s social media and disciplining or discharging an employee for off-the-clock activity on quasi-private social media accounts that seem unrelated to what employers should be able to scrutinize. 24 Karin Mika, The Benefit of Adopting Comprehensive Standards of Monitoring Employee Technology use in the Workplace, Cornell HR Review (Sept. 22, 2012) http://www.cornellhrreview.org/the-benefit-of-adopting-comprehensive-standards-of-monitoring-employee-technology-use-in-the-workplace/. In most of these situations, “neither the employer nor the employee is truly certain of what his/her rights or obligations are.” 25Id. However, “it is usually the employee who suffers the consequences when the employer decides that an activity discovered through electronic monitoring is something that should be subject to discipline or discharge.” 26Id.

II. Electronic Communications Privacy Act of 1986

The primary federal legislation that can be applied to govern employee’s social media privacy is the Electronic Communications Privacy Act of 1986 (ECPA). Congress passed the ECPA because, even by 1986, “electronic communication development ha[d] far outpaced the development of the law in the area of constitutionally-based privacy protections for those communications.” 27 State v. Johnson, 2017 Tenn. Crim. App. LEXIS 271, 65 (Crim. App. Apr. 12, 2017). In its broadest form, the ECPA makes it a crime for anyone to “intentionally access without authorization a facility through which an electronic communication service is provided” or “intentionally exceed an authorization to access that facility” and use that access to “obtain, alter, or prevent authorized access to a wire of electronic communication while it is in electronic storage in such system. 28 18 U.S.C.§2701(a) (1986). As courts have recognized, the preceding provision is inapplicable “to conduct authorized…by the person or entity providing a wire or electronic communication service; …. By a user of that service with respect to a communication of or intended for that user.” 29 18 U.S.C.§2701(c) (1986).

Unfortunately, the ECPA, which has two parts, the Wire Tap Act (Title I) and the Stored Communications Act (Title II), serves more as broad guideposts than bright-line boundaries to employee privacy rights in the context of social media. This is largely attributable to the fact that the law was enacted before the internet existed, and undoubtedly with little foresight into how it’s protections would be utilized in the workplace with respect to social media privacy. Indeed, courts have recognized that “the Stored Communications Act is best understood by considering its operation and purpose in light of the technology that existed in 1986” because it “is not built around clear principals that are intended to easily accommodate future changes in technology; instead, Congress chose to draft a complex statute based on the operation of early computer networks.” 30 State v. Johnson, at 66. Other courts have complained about the difficulties of applying the ECPA to modern technology, and have openly admitted that “courts have struggled to analyze problems involving modern technology within the confines of this [ECPA] statutory framework, often with unsatisfying results.” 31 Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002).

The Wire Tap Act (WTA), which prohibits the interception, use, or disclosure of electronic communications while in transmission, has very limited application to employee privacy, especially with respect to social media. 32 Abril, supra note 7, at 80. This is partially due to exceptions written into the statute. For instance, the WTA “does not apply to communications made through an electronic communication system that is readily accessible to the general public.” 33Id. As follows, if an employee makes communication publically available via social media, then the law does not prohibit employers from the intercepting, viewing, or disclosing the electronic communications while in transmission. Analysis of what it means for social media communications to be “publically available” is treated more fully in the discussion of the ECPA that follows, however at this juncture it’s enough to note that courts generally hold that employees who have failed to utilize any of the privacy settings of a social media platform have effectively made all of their communications on that platform publically available.

Another significant exception to the WTA states that it’s not unlawful for “a provider of wire or electronic communication service…to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service.” 34 18 U.S.C. § 2511(2)(a)(i) (1986). Simply put, an employer who provides internet access and company devices for work-related purposes may lawfully access and monitor all communication transmitted thereby. 35 Abril, supra note 7, at 80. Thirdly, the WTA permits interception and use of employee’s electronic communications so long as the employer has obtained consent, either expressly or impliedly. 36Id. There is a low bar for employers obtaining implied consent; courts have inferred consent merely from employees who continued in the terms of their employment after having been notified that their communications were subject to surveillance. 37Id. at 81. Finally, and most obviously limiting to employee’s utilization of the WTA to provide social media privacy, the law only applies to electronic communications in transit, not in storage. 38 18 U.S.C. § 2511(1)(b) (1986). Since a Facebook message is transmitted virtually instantly, unlike, say, a telephone conversation, this feature of the statute effectively forecloses employees from deriving any online privacy benefits from the WTA.

The case of Konop v. Hawaiian Airlines, Inc. is a demonstration of the limited utility of the WTA as a protector of employee’s online privacy. 39 Konop, 302 F.3d at 876. The case emanated from a website that Konop, a pilot for Hawaiian Airlines, created and maintained, where he posted comments critical of his employer, its officers, and the incumbent union. 40Id. at 872. Konop personally controlled access to his website by requiring pre-authorized visitors, primarily other Hawaiian Airlines pilots, to log in with a user name and password. 41Id. The website allowed access when the name of an authorized person was entered along with a password, and the user clicked the “submit” button on the screen indicting acceptance of terms and conditions. 42Id. at 873. The terms and conditions specifically prohibited any member of Hawaiian Airlines management from viewing the website, as well as any authorized user from disclosing the website’s contents. 43Id. At some point, the Hawaiian Airlines vice president requested from two of Konop’s co-workers, both of whom had been granted authorized access by Konop, for permission to use their login credentials. 44Id. The pilots consented, despite neither having previously accessed the website. 45Id. Konop argued that his manager’s conduct constituted an interception of electronic communication, in violation of the WTA. 46Id. at 876.

The court easily determined that Konop’s website qualified as “electronic communication” under the WTA’s definition. 47Id. See also 18 U.S.C. § 2510(12) (1986) (Electronic communication is defined as “[A]ny transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system.”). The thrust of Konop’s WTA claim rested on whether his website had been “intercepted” by the Hawaiian Airlines vice president, when he intentionally logged onto Konop’s password-protected website using the credentials of the authorized pilots. 48 Konop, 302 F.3d at 876. The court recognized that “intercept” was defined broadly by the WTA, as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device,” and that standing alone, this definition “would seem to suggest that an individual ‘intercepts’ an electronic communication merely by acquiring its contents, regardless of the circumstances.” 49Id. Regardless, the court held that Congress intended a far narrower definition of “intercept,” at least with regard to electronic communications. 50Id.

Instead, the court defined “intercept” as “acquisition contemporaneous with transmission,” and agreed with previous precedent that in regard to “cases concerning ‘electronic communication,’ the definition of which specifically includes ‘transfers’ and specifically excludes ‘storage’ … it is natural to except non-contemporaneous retrievals from the scope of the Wire Tap Act.” 51Id. at 877. More practically, the court noted that its narrow judicial interpretation of the term “intercept” was consistent with the ordinary meaning of the term intercept, which is defined by Webster’s as to “stop, seize, or interrupt in progress or course before arrival.” 52Id. at 878. The court ultimately held that for a website such as Konop’s “to be intercepted in violation of the Wire Tap Act, it must be acquired during transmission, not while it is in electronic storage.” 53Id. However, since the manager’s viewed the website when it was merely in “electronic storage,” i.e. the website had already been created and was essentially just sitting on a computer server, the website was never “intercepted” under the WTA, and Konop’s claim on this count failed. 54Id.

Title II of the ECPA, the Stored Communications Act (SCA), has sporadically proved more helpful to employees in establishing legally respected social media privacy protections from their employers. This portion of the ECPA, which Congress enacted with the primary intention of protecting privacy related to electronic messaging, “forbids the intentional and unauthorized access” of stored electronic communications. 55 Jessica K. Fink, In Defense of Snooping Employers, 16 U. Pa. J. Bus. L. 551, 557. Under the SCA, whoever “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters or prevents the authorized access to a wire or electronic communications while in electronic storage in such a system” shall be liable for civil damages. 56 See Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 961 F. Supp. 2d 659, 666–67 (D.N.J. 2013). See also 18 U.S.C. § 2701(a) (1986); 18 U.S.C. § 2707 (1986). As one of the most significant exceptions, the statute further provides that it shall not be unlawful to “access an electronic communication made through an electronic communication system, that is configured so that such electronic communication is readily accessible to the general public.” 57Id. at 667. See also 18 U.S.C. § 2511(2)(g)(i) (1986). Additionally, it should be recognized that courts have generally held the exceptions of the WTA to apply to the SCA. 58 Mika, supra note 24.

Congress enacted the SCA “because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address.” 59 Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Cir. 2008). Legislative history of the SCA suggests that “Congress wanted to protect electronic communications that are configured to be private” and address the “growing problem of unauthorized persons deliberately gaining access to electronic or wire communications that are not intended to be available to the public.” 60 Ehling at 666. While at first glance these goals sound readily applicable to private social media activity, it should be recognized that Congress originally intended for the SCA to be aimed at government law enforcement activity. 61 Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 972 (C.D. Cal. 2010). As courts have highlighted, the legislation “creates a set of Fourth Amendment-like privacy protections by statute, regulating the relationship between government investigators” and those in possession of “users’ private information.” 62Id. at 972. The SCA’s original framing around protection from government overreaching is just one factor the frustrates court’s application of the SCA to social media.

Despite that the SCA stands as some of the only federal legislation on point to govern employee’s online privacy in the context of social media, because the framework of the statute relies on 1986 technology, some courts continue to question the nuances of the SCA’s application to social media platforms. 63 State v. Johnson, at 78. One of those courts, the Ninth Circuit in Konop v. Hawaiian Airlines, acknowledged that the application of the SCA “is a complex, often convoluted, area of law… ill-suited to address modern forms of communication.” 64 Konop, 302 F.3d at 874. The underlying issue courts have wrestled with is whether or not various forms of social media qualify as “electronic communications” transmitted and held by an “electronic communication service” under the SCA’s definition.

The court in Crispin v. Christian Audigier, Inc, for instance, held that while the SCA applied to Facebook, only some electronic communications on Facebook were adequately held in storage by an “electronic communication service,” and thus entitled to protection. 65 Crispin, 717 F. Supp. 2d at 980–82. For instance, Facebook wall posts configured to be completely public were held to merit no protection whatsoever from the SCA. 66Id. at 981. Meanwhile, the court in Ehling v. Monouth-Ocean Hospital Service Corporation held that “Facebook wall posts that are configured to be private meet all four criteria” to qualify as electronic communications held by an electronic communications service. 67 Ehling, 961 F. Supp. 2d at 667. Unfortunately, the court in Ehling offered limited insight as to what it meant for Facebook wall posts to be configured as private, or how the analysis might apply to a different set of facts. After significant examination of existing case-law, the court in State v. Johnson agreed with “those courts that have concluded that the Stored Communications Act is applicable to communications shared on social media websites.” 68 State v. Johnson, at 79. And still, other courts have concluded with minimal to no analysis at all that the SCA applies to social media websites. 69People v. Harris, 36 Misc. 3d 613, 945 N.Y.S.2d 505, 511 (Crim. Ct. 2012).

The 2009 case of Pietrylo v. Hillstone Restaurant Group is one of the few, yet most prominent cases involving the SCA and employee’s right to privacy, specifically in regards to social media activity. In the case, which centered on a Myspace page, the court expressed no qualms applying the SCA to the fact pattern; indeed, there was no discussion in the opinion about whether the messages on the private Myspace chatroom qualified as electronic communications transmitted and held by an electronic communication service. Pietrylo, the employee, alleged that his manager violated the SCA when he accessed a password-protected, invitation only Myspace chatroom, which was used by Pietrylo and other employees to vent about work-related issues and complain about their employer. 70 Ralph Carter, Too Much Information!: The Need For Stronger Privacy Protection For the Online Activities of Employers and Applicants, 28 J. Civ. Rts. & Econ. Dev. 291, 300. After a fellow employee and member of the Myspace chatroom revealed the page’s existence to a manager, a different manager asked the employee to disclose her Myspace login credentials so that management could access the private group and review its content. 71Id. at 300. Based solely on the postings in the Myspace chatroom, Pietrlo and another employee were terminated. 72Id.

The employees brought and proceeded to trial on a common law privacy claim and a SCA claim. 73 Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2009 U.S. Dist. LEXIS 88702 (D.N.J. 2009). Pietrylo’s SCA claim, which alleged that the managers “knowingly or intentionally” accessed the chat room without authorization on at least five occasions, turned on whether or not the employee who turned over their passwords willingly authorized management to access the chat room. 74Id. at 2. The jury found that the manager “knowingly or intentionally or purposefully accessed the [private MySpace group] . . . without authorization,” in direct violation of the SCA, despite the fact that the employee and member of the Myspace chatroom actually provided access to the group via her login credentials. 75Id. at 8.

The strong undercurrent of unbalanced bargaining power between the employee who provided the requisite passwords, and the manager who requested the information, was crucial to both the jury and the court. Indeed, the employee’s own testimony was key in establishing that despite the fact that she provided her login credentials, she had not authorized the managers to access the private chat room within the meaning of the SCA. The employee testified that she felt she had to provide the passwords to her managers since she worked for them, she believed she would have been disciplined if she had not relinquished the information, and, ultimately, she would not have given another co-worker the passwords if requested, unless they were a manager. 76Id. at 8–9. As a result, the court held that a jury could reasonably find that the employee “purported authorization was coerced or provided under pressure.” 77Id. at 9. Combined with the jury’s finding that the managers knew they were not authorized to access the Myspace chat room, based on evidence that they understood the online space was a private, password protected, invite only portion of Myspace, and that they received the password through coercion, the court found in favor of Pietrylo on his SCA claim. 78Id.

The 2013 case of Ehling v. Monmouth-Ocean Hospital Service Corporation is another example of a court’s weary and limited application of the SCA to a form a social media. The plaintiff in the case, Ehling, was a registered nurse and paramedic who was employed by the defendant corporation (MONOC) and maintained a Facebook account with roughly 300 Facebook friends. 79 Ehling, 961 F. Supp. 2d at 663. Ehling had selected privacy settings for her account that limited access to her Facebook wall to only her Facebook friends, and specifically did not add any MONOC managers as Facebook friends, though she had added many of her coworkers. 80Id. at 662–63.

Unbeknownst to Ehling, one of her Facebook friends, who was also a coworker and paramedic at MONOC, began taking screenshots of her Facebook wall and providing them to MONOC management. 81Id. Evidence reflected that the coworker independently formulated the idea to provide Ehling’s Facebook posts to a manager, and that the manager never requested to be kept appraised of Ehling’s social media activity. 82Id. During June 2009, Ehling posted the following message to her Facebook wall:

An 88 yr sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88yr old was shot. He survived. I blame the DC paramedics. I want to say something to the DC medics. 1. WHAT WERE YOU THINKING? And 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards…..go to target practice. 83Id.

After management learned of the post, Ehling was temporarily suspended and received a memo stating that MONOC management was concerned that Ehling’s Facebook post reflected a deliberate disregard for patient safety. 84Id. Ehling filed suit, asserting that her employer violated the SCA by improperly accessing her Facebook wall. 85Id.

Unlike the Pietrylo court’s treatment of the SCA’s application to Myspace, the court in Ehling went through an extensive analysis to determine whether the statute could be applied to Facebook. The court summed up the the statute’s coverage as including “(1) electronic communication, (2) that were transmitted via an electronic communication service, (3) that are in electronic storage, and (4) that are not public,” and ultimately held that so long as Facebook wall posts are configured to be private, they meet all four criteria. 86 Id. at 666–67. Under the court’s definition, Facebook users have configured their account and wall posts to be private when they have changed their account settings to limit access to their walls to exclusively their Facebook friends, particular groups or individuals, or of course, only themselves. 87Id. at 668. The court held that when it comes to employee’s Facebook privacy under the ECA, the “critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls.” 88Id. Furthermore, privacy protection provided by the statue “does not depend on the number of Facebook friends that a user has.” 89Id. So long as the user has changed their account settings to restrict access to their wall to Facebook friends only, the SCA and all of its privacy protections are applicable, regardless of whether the user has thirty Facebook friends or 3,000.

Despite finding that the SCA’s privacy protections were applicable to Ehling’s Facebook posts, ultimately Ehling’s employer was found not liable under the statute, due to the court’s additional holding that the statute’s “authorized user” exception applied to the facts. 90 Id. at 669. Citing Pietrylo, the court noted that “according to the [Stored Communications Act], if access to a [restricted website] was authorized by a user of that service with respect to a communication of or intended for that user, there is no statutory violation..” 91Id. The court found all three elements of the authorized user exception to be satisfied: “(1) access to the communication was authorized, (2) by a user of that service, (3) with respect to a communication…intended for that user.” 92Id. See also18 U.S.C. § 2701(c)(2) (1986).

While true that Ehling’s Facebook wall was “private,” access to her post was authorized because her employer accessed it via one of Ehling’s own Facebook friends who was permitted to view Ehling’s wall post by virtue of Ehling’s self-selected privacy settings. 93 Ehling, 961 F. Supp. 2d at 669. Unlike in Pietrylo, this access was not coerced; Ehling’s mangers never asked for the screenshot of the post. 94Id. at 670. The second prong of the authorized user exception was clearly satisfied, since it was undisputed that the coworker who took the screenshots of Ehling’s post’s was a Facebook user with a registered Facebook account. 95Id. Finally, the court reasoned that the Facebook post at issue was “intended for that user,” since Ehling selected the privacy settings for her Facebook wall, and by making her wall posts visible to Facebook friends, Ehling intended the coworker to view it. 96Id. In summary, the court held that while “non-public Facebook wall posts are covered by the Stored Communications Act,” under these facts, the “authorized user” exception applied because Ehling’s employer did not directly access her private Facebook wall, but rather Ehling’s coworker, who was one of her Facebook friends to whom her wall was was viewable, ultimately accessed the posts. 97Id. at 669 and 671.

The case of Konop v. Hawaiian Airlines, previously examined in the context of the WTA, illustrates a set of facts that, unlike in Ehling, failed to meet the elements of the authorized user exception to the SCA. 98 Konop, 302 F.3d at 880. In addition to his WTA claim, Konop argued that by viewing his secure website, the Hawaiian Airlines vice president “accessed a stored electronic communication without authorization in violation of the Stored Communications Act.” 99Id. at 879. While the facts were clear that the vice president had intentionally accessed Konop’s website, without permission, Hawaiian Airlines’ liability turned on whether or not it was exempt from liability under the authorized user exception. 100Id. at 880.

The court highlighted that the plain language of the authorized user exception is “unambiguous.” 101Id. Indeed, the exception indicates that only a “user” of the service can authorize a third party’s access to the communication, and the statute defines “user” as “one who 1) uses the service and 2) is duly authorized to do so.” 102Id. Though both of the pilots who consented to the vice president’s use of their login credentials were eligible to view Konop’s website, neither had actually accessed it themselves. 103Id. Therefore, neither were “users” of the website within the definition of the statute at the time they authorized the vice president to view Konop’s website. 104Id. Ultimately, the authorized user exception could not exempt Hawaiian Airlines from liability under the SCA. 105Id.

Despite Konop shining brightly as one of the rare instances where the SCA has successfully protected an employee’s online privacy from their employer, the court was careful to temper the expectations of future use of the statute in cases involving modern technology. The court observed that “Courts have struggled to analyze problems involving modern technology within the confines of this statutory framework,” and furthermore lamented, “until Congress brings the laws in line with modern technology, protection of the Internet and websites such as Konop’s will remain a confusing and uncertain area of law.” 106Id. at 874. Indeed, Konop’s successful use of the SCA was merely to protect the privacy of his webpage, a more traditional form of electronic communication in comparison to a modern social media platform like Facebook. Due to the additional layers of privacy Facebook offers, the authorized user exception of the statute likely would have thwarted Konop from deriving any privacy protections from the statute had his online comments been posted to a private Facebook group. 107 That is, If the court ruled the SCA applicable to a Facebook group message in the first place. Unlike on a private webpage, to be added into a private Facebook group, a Facebook account is requisite, thus everyone added into the group would likely be held a “user” of Facebook.

Konop, Ehling, and Pietrylo all demonstrate that while the SCA has potential to provide statutory privacy protection to employees’ social media activity, because it was created in the context of more traditional forms of electronic communications, courts have struggled to apply the statute to social media. These struggles can mainly be attributed to the fact that modern social media platforms, such as Facebook, allow users to employ varying degrees of privacy in regards to their online activity that the statute is not finely calibrated enough distinguish between. Unlike telephonic communication or email, both older forms of technology that the SCA is better equipped to provide privacy protection to, a Facebook post usually do not fit squarely within the “private” or “public” framework of the statute.

The Ehling court’s application of the ECPA to Facebook should become the framework of precedent that binds future courts; that is, so long as users have configured their Facebook accounts and communication to be private, then all of the SCA’s privacy protections should be applicative. 108 Ehling, 961 F. Supp. 2d at 666–67. Stretching the Ehling holding further, however, future courts should hold that Facebook communication is configured to be private if the user has taken any steps whatsoever to limit its audience beyond the completely “public” setting. Until Congress amends the statute, this would be the most consistent and judicially efficient approach to the SCA’s application to Facebook privacy issues within the SCA’s current framework, which is ill-equipped to distinguish between multiple degrees of privacy.

Facebook privacy settings are not binary, and courts are naïve to pretend that users have the opportunity to decide if they would like to configure that accounts as either “private” or “public.” While the Ehling court went beyond this black-and-white approach, holding that Facebook users have configured their walls to be private when they restrict access to it to their friends, this rule is still too murky. 109Id. With Facebook’s vast array of intermediate privacy settings, merely restricting a Facebook wall to friends does not answer whether friends of friends have access, or if everyone tagged in posts to the wall have access, or a number of other privacy issues. Thus, the best solution under the SCA’s current framework is for future courts to hold that Facebook communication is private if the user has taken any steps whatsoever to limit its audience beyond the completely “public” setting.

III. Common-Law Right to Privacy

According to the Second Restatement of Torts, “one who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” 110 Restatement (Second) of Torts § 652B. Given that the “intentional intrusion” prong is typically more amenable to clear and obvious demarcation, liability for invasion of privacy under the common-law typically turns on the reasonable expectation of privacy analysis. Unfortunately, where a particular fact has been shared with one or more persons, as is usually the case when common-law privacy protections intersect social media, “American courts seem to lack a coherent, consistent methodology for determining whether an individual has a reasonable expectation of privacy.” 111 Lior Jacob Strahilevitz, A Social Networks Theory of Privacy, 72 U. Chi. L. Rev. 919, 921. Instead, under the common-law framework, courts have fixated on the “abstract, circular, and highly indeterminate question of whether a plaintiff reasonably expected that information about himself would remain private after he shared it with one or more persons.” 112Id.

Adapting the definition of privacy to steadily progressing communication technology has been another sticking point in the application of the common-law’s invasion of privacy analysis to social media. Indeed, as crucial as the “reasonable expectation of privacy” analysis is to the success of any invasion of privacy claim, privacy law in the United States has traditionally been defined by physical boundaries, and is “firmly rooted in the experience of physical space and its surrounding normative circumstances.” 113 Abril, supra note 7, at 64–65. Nonetheless, as technology evolves, so do the societal expectations of privacy. As the United States Supreme Court recently observed in a case which required it to weigh the privacy expectations of an employee in the context of text messaging, “rapid changes in the dynamics of communication and information transmission [are] evident not just in the technology itself but in what society accepts as proper behavior.” 114 City of Ontario v. Quon, 560 U.S. 746, 784 (2010).

Unfortunately for employees asserting privacy rights against their employers, the common-law affords even less concrete protection than the ECPA in instances where password-protected or privately shared social media information is improperly accessed. A demonstration of this dichotomy appears in Pietrylo v. Hillstone Restaurant Group, the 2009 case examined earlier in the context of the SCA. In the case, Pietrylo, an employee, alleged that his manager accessed a secure and password-protected Myspace chatroom without authorization. As discussed, the jury found that the manager violated the SCA because he had knowingly, intentionally, or purposefully accessed the private, invite-only, password-protected Myspace chatroom without authorization, since he ultimately obtained its password through coercion. 115 Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2009 U.S. Dist. LEXIS 88702, at 2 (D.N.J. 2009). Curiously, however, the jury found against Pietrylo for his common-law invasion of privacy claim. 116Id.

Pietrylo argued that by viewing the employee’s private Myspace chatroom, the manager intruded on their “seclusion or solitude, and/or private affairs,” and this intrusion would be highly offensive to a reasonable person. 117 Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2008 U.S. Dist. LEXIS 108834, at 19 (D.N.J. 2008). The manager, on the other hand, claimed that Pietrylo and his fellow employees did not have a reasonable expectation, on an objective standard, that the webpage would remain private. 118Id. The court observed that the invasion of privacy must offend a reasonable person, and that expectations of privacy are established by general social norms; in other words, the employees’ subjective belief that something was private is irrelevant. 119Id. at 19–20. Oddly, the jury found that the employees’ password-protected Myspace chatroom was “a place of solitude and seclusion which was designed to protect [the employees’] private affairs,” yet nonetheless also found that the employees’ did not, under the common-law, have a reasonable expectation of privacy in the chatroom. 120 Carter, supra note 70, at 309–10. As one scholar pointed out, “In effect, the jury determined that the company improperly accessed the Myspace page without consent on the [Stored Communications Act] claim, but that it was not reasonable for [employees] to expect that their consent would be required to access their place of solitude and seclusion which was designed to protect their private affairs and concerns as to the common-law privacy claim.” 121Id. at 310.

The case of Maremont v. Susan Fredman Designs Group is another instance where an employee’s common-law invasion of privacy claim turned on a court’s “reasonable expectation of privacy” analysis. In the case, Maremont, a former director of marketing and public relations for the defendant, an interior design firm, brought suit against her former employer asserting a handful of claims related to the employers alleged unauthorized use of her personal social media accounts, including violation of her common-law right to privacy. 122 Maremont v. Susan Fredman Design Grp., Ltd., No. 10 C 7811, 2011 U.S. Dist. LEXIS 140446, at 4–5 (N.D. Ill. 2011). The claim stemmed from a car accident that left Maremont seriously injured and hospitalized for an extended period. 123Id. at 5. It was during this period of hospitalization, Maremont alleged, that her employer accessed and used her personal Twitter and Facebook accounts without her authorization on a number of occasions to promote its business. 124Id. Maremont contended that the employer continued to post from her personal accounts, even after she asked it to refrain from doing so. 125Id.

The court construed the common-law intrusion upon seclusion claim to contain four distinct elements: “(1) an unauthorized intrusion into seclusion; (2) the intrusion would be highly offensive to a reasonable person; (3) the matter intruded upon was private; and (4) the intrusion caused the plaintiffs anguish and suffering.” 126Id. at 20. Expanding on the third element, it was observed that Maremont had to show that she attempted to “keep private facts private,” because “persons cannot reasonably maintain an expectation of privacy in that which they display openly.” 127Id. After rattling off a series of facts—that Maremont had a Twitter following of over a thousand people, that she targeted her posts on social media to the design community, and that her posts were often linked to the company’s public blog—the court granted the employer’s motion for summary judgment. 128Id. Despite highlighting earlier that Maremont’s personal Twitter and Facebook accounts were not for the benefit of her employer, and that the folder which contained her account access information, although stored on a company-provided computer, was locked and password-protected, the court held that Maremont’s Facebook and Twitter accounts were not private, and furthermore, that she had not attempted to keep any such facts private. 129Id. at 5, 20–21.

Courts have also been unsympathetic to employee’s mistaken belief’s that their social media activity was private. The 2012 case of Sumien v. Careflite is yet another example of a court limiting the scope of social media privacy under the common-law. 130 Sumien v. Careflite, Tex. App. LEXIS 5331, 1 (July 5, 2012). In the case, Sumien, employed as an emergency medical technician of the defendant corporation, argued that his termination for an inflammatory Facebook post gave rise to a common-law claim of intrusion upon seclusion. 131Id. at 1–2. Sumien asserted that when he wrote the Facebook post at issue, which he posted on a Facebook friend and fellow co-worker’s private wall, he was not aware that in addition to his own Facebook friend’s, his friend’s Facebook friends could also view his post. 132Id. at 6.

While the court observed that Sumien presented sufficient evidence to prove that he misunderstood the friend’s Facebook privacy settings, did not know who had access to the friend’s wall, and furthermore did not know that his employer could view his comment, the misunderstanding was his own fault. 133Id. Ultimately, the court held that there was no intrusion into Sumien’s seclusion, because the employer viewed the post on a Facebook wall which it had access to. 134Id.

In many recent cases where common-law invasion of privacy torts have been applied to social media, the restrictive view courts have taken of the “reasonable expectation of privacy” analysis has proved to be inadequate protection to the online privacy rights of employees. It is evident that the fact-dependent nature of inquires as to whether a reasonable expectation of privacy exists leaves employees with incredibly limited privacy protections in regards to their social media activity. 135 Carter, supra note 70, at 310. Indeed, many courts seem to believe that privacy is a “dead letter” in the new age of technology. 136Id. Proponents of this argument point out that social media is designed for the purpose of sharing information. Indeed, it’s true that many users of social media are willing to share a multitude of personal details about their lives on the networks, from photographs of themselves, to their physical location, to contact information like cell phone numbers and email addresses. Yet, as other courts have recognized, the fact that an event is not “wholly private does not mean that an individual has no interest in limiting disclosure or dissemination of the information.” 137 United States Department of Justice v Reporters Committee for Freedom of the Press, 489 US 749, 770 (1989).

Despite that some courts seem to believe that social media users have abandoned any reasonable expectation of privacy, the primary users of social media tend to strongly disagree. 138 Carter, supra note 70, at 310. For instance, studies suggest that users of social media “are becoming increasingly concerned about the protection accorded to their online personae and are more often availing themselves of the sites’ privacy settings.” 139Id. at 311, citing Mary Madden and Aaron Smith, Reputation Management and Social Media, Pew Research Center (May 26, 2010), http://pewinternet.org/~/media//Files/Reports/2010 /PIP_Reputation_Management_with_ topline.pdf (noting that “71% of social networking users ages 18-29 have changed the privacy settings on their profile to limit what they share with others online” and “55% of SNS users ages 50-64 have changed the default settings”). A Pew research study found that few teens embrace a completely public approach in maintaining their social media accounts, but instead “take an array of steps to restrict and prune their profiles.” 140 Mary Madden, Amanda Lenhart, Sandra Cortesi, Urs Gasser, Maeve Duggan, Aaron Smith and Meredith Beaton, Teens, Social Media, and Privacy, Pew Research Center (May 21, 2013), http://www.pewinternet.org/2013/05/21/teens-social-media-and-privacy/. The same study found that roughly sixty percent of teens active on Facebook have set their profiles to “private” so that only their friends can view it, and another twenty-five percent have “partially private” profiles, set so that friends of their friends can see what they post. 141Id. Only 14% of those surveyed left their Facebook profile fully public. 142Id.

Furthermore, Americans generally hold strong views about the importance of privacy in their everyday lives, and the majority believe it’s important “that they be able to maintain privacy and confidentially in commonplace activities.” 143 Marry Madden and Lee Raine, Americans’ Attitudes About Privacy, Security and Surveillance, Pew Research Center (May 20, 2015), http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/. Given the prevalence of social media, it is arguably a commonplace activity. A 2015 study concluded that ninety-three percent of adult Americans agree that being in control of who can obtain information about them is important. 144Id. Additionally, ninety percent say it’s important to them to be able to control what information is collected about them, and eighty-eight percent say it’s important to them that they not have someone watch them without their permission. 145Id. At the same time, ninety-three percent of adult Americans say it’s important to them to be able to share confidential matters with someone they trust. 146Id.

These statistics brightly illustrate that some information, for instance a post in a private Facebook group message, “might be created in solitude, but remain, by common parlance, private even when shared to some extent.” 147 Strahilevitz, supra note 111, at 923. People constantly disclose information they consider intimate or private about themselves to third parties, yet “harbor strong subjective expectations of privacy when doing so.” 148Id. at 925. (For example, “Millions of Americans participate in twelve-step programs and support groups, where it has become completely normal to disclose to a score of strangers one’s status as an alcoholic, bulimic, child abuse victim, heroin addict, AIDS sufferer, or gambler . . . We are, in short, constantly disclosing embarrassing information about ourselves to third parties, yet we often harbor strong subjective expectations of privacy when doing so. By creating causes of action for invasion of privacy, most jurisdictions have determined that the benefits associated with fostering this intimacy justify the costs of constraining communication.”) Even the Supreme Court has acknowledged that the “unsophisticated” conception of information privacy that “information ceases to be private the moment is it shared with a second person” is “much too cramped for a society of social beings.” 149Id. at 923. Considering that most courts follow the rule that “expectations of privacy are established by general social norms,” there is a growing discord between what are becoming “general social norms” and court’s views of “reasonable expectations of privacy” in the context of social media. 150 White v. White, 344 N.J. Super. 211, 223, 781 A.2d 85 (Ch. Div. 2001).

Conclusion

Social media’s entwinement into the experience of the modern American workforce is imminent, if the irrevocable entanglement hasn’t already occurred. The vast majority of the workforce today is active on at least one form of social media, with the newest members accounting for disproportionately higher participation levels, and the oldest members, rapidly retiring from the workforce, participating least. 151Pew Research Center, http://www.pewinternet.org/fact-sheet/social-media/ (last visited Feb. 22, 2018). Given its prevalence, and undoubtedly its significance in the lives of most employees, the privacy protections our legal system currently provides to social media, through a hodgepodge of statutes and common law torts, is inadequate to protect employees modern expectations of privacy.

The most insulating federal statute of social media privacy, the SCA, was enacted before the internet existed, and is neither designed or equipped to adequately protect employee’s social media privacy. Significantly, it is not always certain that courts will hold the statute applicable to all forms of social media activity. Unless the employee has changed their account settings to make their communication “private,” or private enough to satisfy the particular court, they will likely derive no protection for the SCA. While the SCA has potential to provide federal statutory privacy protections social media, one of the primary reasons courts are struggling to apply it to social media is because modern technology such as Facebook allows users to utlize varying degrees of privacy that the law, which was created in the context of more traditional forms of communication, is not finely calibrated enough to distinguish between.

The common-law affords even less concrete protection than the SCA in instances where password-protected or privately shared online social media information is improperly accessed. In many recent cases where common-law invasion of privacy torts have intersected with social media, the restrictive view courts have taken of the “reasonable expectation of privacy” analysis has proved to be insufficient protection for the online privacy rights. Courts lack a consistent and workable framework for determining whether an individual has a reasonable expectation of privacy with regards to information that has been shared with one or more persons. Additionally, the common-law’s definition of privacy is largely based on physical boundaries incongruent with the technological world that exists today, and specifically application to social media. Finally, court’s often conservative expectations of privacy are more aligned with traditional forms of technology, in contrast to the more inclusive expectations of privacy generally held by the current workforce. Squaring up the degrees of social media privacy with the idea that liability for both statutory and common-law invasion of privacy claims turn on court’s binary perception of privacy requires holding that employees who have utilized any privacy settings should be ruled to have taken steps to remove the communication from the online public sphere, and thus has a reasonable and protectable expectation of privacy.

Footnotes

1Pew Research Center, http://www.pewinternet.org/fact-sheet/social-media/ (last visited Feb. 22, 2018).

2Id.

3Id.

4Id.

5 Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 872 F. Supp. 2d 369, 373 (D.N.J. 2012). See also Robert Sprague, Invasion of Social Networks: Blurring the Line between Personal Life and the Employment Relationship, 50 U. Louisville L. Rev. 1, 13 (2011).

6 While public sector employees’ interest in privacy from employer surveillance of their social media activity is not fundamentally different from the privacy concerns of a private employee, public employees enjoy greater rights and protections in this area of the law. The “public employment relationship is governed by certain bodies of law, most notably the Constitution, that do not apply to the private sector.” See Sheila A. Bentzen, Safe for Work? Analyzing the Supreme Court’s Standard of Privacy for Government Employees in Light of City of Ontario v. Quon, 97 Iowa L.Rev. 1283, 1286 (2012). As a result, private employees cannot rely on constitutional guarantees to state claims for social media privacy, as public employees potentially can. Id.

7 Furthermore, this paper is not concerned with the rights to online privacy employees have on company provided hardware and devices. Under U.S. law, the workplace, and all of its resources, are property of the employer. See Patricia Sánchez Abril, Blurred Boundaries: Social Media Privacy and the Twenty-First-Century Employee, 49 Am. Bus. L.J. 63, 71 (2012). That means that employers have the right to dictate permissive use of the technology they provide employees, and furthermore, monitor employee activity on company provided devices. Id.

8Statista, https://www.statista.com/statistics/398136/us-facebook-user-age-groups/ (last visited Mar. 30, 2018).

9Id.

10Id.

11Statista, https://www.statista.com/statistics/199242/social-media-and-networking-sites-used-by-us-teenagers/ (last visited Mar. 30, 2018).

12Id.

13Facebook, https://www.facebook.com/help/211513702214269?helpref=related (last visited Apr. 5, 2018).

14Id.

15 In the context of this section of the paper, the terms “Facebook friends” and “friends” will be used interchangeably, however both refer specifically to Facebook friends, meaning the people that users of Facebook add as “friends” to their Facebook account.

16 “Tagging” someone on Facebook identifies them in a post, photo, or status update that you share. A tag may also notify that person that you have mentioned them or referred to them in a post or a photo, and provide a link back to their profile. See Facebook, https://www.facebook.com/help/124970597582337/ (last visited Apr. 6, 2018).

17Facebook, https://www.facebook.com/help/211513702214269?helpref=related (last visited Apr. 5, 2018).

18Id.

19Id.

20Id.

21Id.

22Id.

23Id.

24 Karin Mika, The Benefit of Adopting Comprehensive Standards of Monitoring Employee Technology use in the Workplace, Cornell HR Review (Sept. 22, 2012) http://www.cornellhrreview.org/the-benefit-of-adopting-comprehensive-standards-of-monitoring-employee-technology-use-in-the-workplace/.

25Id.

26Id.

27 State v. Johnson, 2017 Tenn. Crim. App. LEXIS 271, 65 (Crim. App. Apr. 12, 2017).

28 18 U.S.C.§2701(a) (1986).

29 18 U.S.C.§2701(c) (1986).

30 State v. Johnson, at 66.

31 Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002).

32 Abril, supra note 7, at 80.

33Id.

34 18 U.S.C. § 2511(2)(a)(i) (1986).

35 Abril, supra note 7, at 80.

36Id.

37Id. at 81.

38 18 U.S.C. § 2511(1)(b) (1986).

39 Konop, 302 F.3d at 876.

40Id. at 872.

41Id.

42Id. at 873.

43Id.

44Id.

45Id.

46Id. at 876.

47Id. See also 18 U.S.C. § 2510(12) (1986) (Electronic communication is defined as “[A]ny transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system.”).

48 Konop, 302 F.3d at 876.

49Id.

50Id.

51Id. at 877.

52Id. at 878.

53Id.

54Id.

55 Jessica K. Fink, In Defense of Snooping Employers, 16 U. Pa. J. Bus. L. 551, 557.

56 See Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 961 F. Supp. 2d 659, 666–67 (D.N.J. 2013). See also 18 U.S.C. § 2701(a) (1986); 18 U.S.C. § 2707 (1986).

57Id. at 667. See also 18 U.S.C. § 2511(2)(g)(i) (1986).

58 Mika, supra note 24.

59 Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Cir. 2008).

60 Ehling at 666.

61 Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 972 (C.D. Cal. 2010).

62Id. at 972.

63 State v. Johnson, at 78.

64 Konop, 302 F.3d at 874.

65 Crispin, 717 F. Supp. 2d at 980–82.

66Id. at 981.

67 Ehling, 961 F. Supp. 2d at 667.

68 State v. Johnson, at 79.

69People v. Harris, 36 Misc. 3d 613, 945 N.Y.S.2d 505, 511 (Crim. Ct. 2012).

70 Ralph Carter, Too Much Information!: The Need For Stronger Privacy Protection For the Online Activities of Employers and Applicants, 28 J. Civ. Rts. & Econ. Dev. 291, 300.

71Id. at 300.

72Id.

73 Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2009 U.S. Dist. LEXIS 88702 (D.N.J. 2009).

74Id. at 2.

75Id. at 8.

76Id. at 8–9.

77Id. at 9.

78Id.

79 Ehling, 961 F. Supp. 2d at 663.

80Id. at 662–63.

81Id.

82Id.

83Id.

84Id.

85Id.

86 Id. at 666–67.

87Id. at 668.

88Id.

89Id.

90 Id. at 669.

91Id.

92Id. See also18 U.S.C. § 2701(c)(2) (1986).

93 Ehling, 961 F. Supp. 2d at 669.

94Id. at 670.

95Id.

96Id.

97Id. at 669 and 671.

98 Konop, 302 F.3d at 880.

99Id. at 879.

100Id. at 880.

101Id.

102Id.

103Id.

104Id.

105Id.

106Id. at 874.

107 That is, If the court ruled the SCA applicable to a Facebook group message in the first place.

108 Ehling, 961 F. Supp. 2d at 666–67.

109Id.

110 Restatement (Second) of Torts § 652B.

111 Lior Jacob Strahilevitz, A Social Networks Theory of Privacy, 72 U. Chi. L. Rev. 919, 921.

112Id.

113 Abril, supra note 7, at 64–65.

114 City of Ontario v. Quon, 560 U.S. 746, 784 (2010).

115 Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2009 U.S. Dist. LEXIS 88702, at 2 (D.N.J. 2009).

116Id.

117 Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2008 U.S. Dist. LEXIS 108834, at 19 (D.N.J. 2008).

118Id.

119Id. at 19–20.

120 Carter, supra note 70, at 309–10.

121Id. at 310.

122 Maremont v. Susan Fredman Design Grp., Ltd., No. 10 C 7811, 2011 U.S. Dist. LEXIS 140446, at 4–5 (N.D. Ill. 2011).

123Id. at 5.

124Id.

125Id.

126Id. at 20.

127Id.

128Id.

129Id. at 5, 20–21.

130 Sumien v. Careflite, Tex. App. LEXIS 5331, 1 (July 5, 2012).

131Id. at 1–2.

132Id. at 6.

133Id.

134Id.

135 Carter, supra note 70, at 310.

136Id.

137 United States Department of Justice v Reporters Committee for Freedom of the Press, 489 US 749, 770 (1989).

138 Carter, supra note 70, at 310.

139Id. at 311, citing Mary Madden and Aaron Smith, Reputation Management and Social Media, Pew Research Center (May 26, 2010), http://pewinternet.org/~/media//Files/Reports/2010 /PIP_Reputation_Management_with_ topline.pdf (noting that “71% of social networking users ages 18-29 have changed the privacy settings on their profile to limit what they share with others online” and “55% of SNS users ages 50-64 have changed the default settings”).

140 Mary Madden, Amanda Lenhart, Sandra Cortesi, Urs Gasser, Maeve Duggan, Aaron Smith and Meredith Beaton, Teens, Social Media, and Privacy, Pew Research Center (May 21, 2013), http://www.pewinternet.org/2013/05/21/teens-social-media-and-privacy/.

141Id.

142Id.

143 Marry Madden and Lee Raine, Americans’ Attitudes About Privacy, Security and Surveillance, Pew Research Center (May 20, 2015), http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/.

144Id.

145Id.

146Id.

147 Strahilevitz, supra note 111, at 923.

148Id. at 925. (For example, “Millions of Americans participate in twelve-step programs and support groups, where it has become completely normal to disclose to a score of strangers one’s status as an alcoholic, bulimic, child abuse victim, heroin addict, AIDS sufferer, or gambler . . . We are, in short, constantly disclosing embarrassing information about ourselves to third parties, yet we often harbor strong subjective expectations of privacy when doing so. By creating causes of action for invasion of privacy, most jurisdictions have determined that the benefits associated with fostering this intimacy justify the costs of constraining communication.”)

149Id. at 923.

150 White v. White, 344 N.J. Super. 211, 223, 781 A.2d 85 (Ch. Div. 2001).

151Pew Research Center, http://www.pewinternet.org/fact-sheet/social-media/ (last visited Feb. 22, 2018).

Eric C. Evans is a second-year student at Emory University School of Law, primarily interested in practicing transactional law post-graduation. Eric is a graduate of Miami University in Oxford, Ohio, where he studied History and Political Science.