A recent ruling in a Pennsylvania trial court shows how vulnerable to discovery even the “private” contents of a social network page can be.

The case is McMillen v. Hummingbird Speedway, Inc. (fn1) The plaintiff, McMillen, was a driver who had alleged that he was injured when he was rear-ended during the cool-down lap of a stock car race. The defendants claimed that posts on the public portion of his Facebook page showed that he had exaggerated his injuries. So they asked the court for his user names and log-in and password information to see if he had made similar statements on the private portions of his Facebook and MySpace pages.

McMillen objected, claiming that communications shared among one’s private friends on a social network site are protected by a “social network privilege.”

The court rejected McMillen’s privilege claim, arguing that social network users have no real expectation of privacy -- because the operators of these sites reserve the right to monitor posts and to share them with others at their discretion. Facebook’s privacy policies stated that it was permitted to disclose private posts in response to subpoenas or court orders or to prevent other harms. MySpace’s terms of use stated that its operators monitored posts and could remove any material that was offensive, illegal or that threatened the safety of others.

According to the court, “when a user communicates through Facebook or MySpace . . . he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operators deem disclosure to be appropriate. That fact is wholly incommensurate with a claim of confidentiality.”

The law generally does not protect otherwise privileged communications that are made in the presence of third parties. (fn2) So because the webhosts had the right to listen in, this meant that the communications weren’t confidential, and thus weren’t privileged. (fn3)

It is important to note that under this reasoning, the court not only rejected McMillen’s novel claim to a social network privilege, but it also would have rejected claims to well-established privileges, such as the attorney-client, physician-patient and clergy-penitent privileges.

After finding no basis for any privileges on the site, the Court required McMillen to give the plaintiffs the user names and passwords for his social network accounts. Such an order is somewhat unusual. Courts are loathe to require litigants to disclose user names and passwords. Such disclosure can permit an opposing party to view private information from the discloser or from third parties that has no relation to the case. It can also permit an opposing party to alter information or create new posts.

To prevent this from happening in McMillen, the court ordered that the defendants’ attorneys be provided with “read-only” access to the sites, and that the plaintiff’s user names and passwords not be provided to the defendants themselves. Of course, even with such protections, disclosure of user names and passwords carries risk.

The court’s holdings in McMillen are not the last word on the viability of privilege claims for posts on social networking sites. However, for businesses whose employees use such sites, this case should serve as a warning. Posting otherwise confidential information even on private sections of social networks can create a significant risk that claims of confidentiality have been waived.