University May Be Liable for Improper Access to Student’s Facebook Photos – Rodriguez v. Widener Univ.
[Post by Venkat Balasubramani]
Rodriguez v. Widener Univ., 12-1226, (E.D. Pa. June 17, 2013)
Rodriguez was enrolled at Widener under the G.I. Bill, and was earning above-average grades. He had some friction with his advisor over their respective views of creationism and evolution, but things came to a head when university administrators allegedly saw an inflammatory email Rodriguez authored and saw images of weapons Rodriguez allegedly posted to his Facebook page. They hauled him into the administration offices, concluded that it was necessary for him to have his mental health evaluated, and had him committed involuntarily for a short period of time, after which he was discharged. After he was cleared to return to school, he was advised that he was suspended due to the discovery of a knife and marijuana in his backpack.
Rodriguez sued. Among other claims, he alleged that the university improperly accessed his electronic communications–his emails and Facebook photos–and in doing so, violates his rights under statutes and common law. Rodriguez also alleged that his advisor made inaccurate statements (while Rodriguez was committed) that Rodriguez threatened to kill the advisor.
With respect to his email, Rodriguez alleged that defendants “went into [his] email and obtained information about [him].” However, the court says that this claim isn’t viable because on its face, the email in question was addressed to defendants. An email addressee by definition cannot have unauthorized access to the email sent to him/her. (It’s unclear as to whether there was a single email or multiple emails, but in resolving this issue, the court discusses a single email.)
His claim around the Facebook photos was a different story. The university argued that the Facebook photos were “accessible to the general public” and the Stored Communications Act doesn’t reach these types of communications, but the court says at the pleading stage that Rodriguez may have a claim. Rodriguez argued that “it remain[ed] to be determined” how the defendants accessed the photos, and the court treats this as a plausible allegation that the photos were accessed improperly.
Rodriguez also asserted a claim for invasion of privacy but the court rejects this claim. According to the court, of the four Restatement privacy torts, the two plausible applicable torts would be public disclosure or private facts and false light. The court says that Rodriguez’s allegations do not satisfy either tort.
The ruling gets at the key question of what Rodriguez must allege under the Iqbal/Twombly pleading standard to make out an SCA claim. (This assumes that the SCA covers photos posted to Facebook that are accessible to a group of individuals. See, Crispin v. Audigier, and a pair of recent cases from Minnesota that address this issue.) Presumably, the university did not hack into his account outright. He makes no allegations that he was pressured to provide the University with the password. He also does not allege that the university engaged in “shoulder surfing”. This leaves the (most likely) possibility that someone on his Facebook feed shared the photos with the university. Given that the court drastically trimmed down Rodriguez’s lawsuit and the bulk of what was left was his claim that the University improperly accessed the Facebook photos, it was somewhat surprising that the court didn’t push Rodriguez’s lawyers on this claim. Granted he is not required to rule out all other possibilities in order to plead his SCA claim, but if in the end it turns out that, as the University alleged, one of his friends indeed shared the photo, the lawsuit would have been a waste of time as far as this claim was concerned. Perhaps the court was being overly cautious in not wanting to resolve a factual dispute at the motion to dismiss stage. On the other hand, maybe the University did not bother attaching to its filings the actual communication forwarding the photo to them. A third possibility is that the court confused something being “publicly available” with content that someone is able to forward or share.
Interestingly, the court does not say that Rodriguez adequately alleged an intrusion of seclusion claim. As difficult as it would be to make out, it raises the perennially interesting issue of what level of privacy someone has when they post material to a small group of online friends. In other words, when, or to what degree, is a social media post “private”? This of course goes all the way back to Moreno v. Hanford Sentinel, a perennial favorite. (See Republishing MySpace Post in Local Paper Might Be Intentional Infliction of Emotional Distress–Moreno v. Hanford Sentinel.)
A final note that many states have recently enacted social media privacy laws and many such laws cover educational institutions. (See, e.g., Big Problems in California’s New Law Restricting Employers’ Access to Employees’ Online Accounts.) Although the facts in this particular case are not clear, on its face, a statute such as the one in California may apply (i.e., to the extent someone was forced to divulge “personal social media information”). Going forward, in these types of cases, expect to see claims under social media privacy laws as well.