Facebook Blocks Demand for Contents of Deceased User’s Account

On September 20, 2012, Facebook obtained a court order blocking a demand to turn over the contents of a deceased user’s Facebook account. The executor of Sahar Daftary’s estate requested a subpoena to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. According to the court records, the executor disputes that Ms. Daftary committed suicide and “believes that her Facebook account contains critical evidence showing her actual state of mind in the days leading up to her death.” However, the court held that the Stored Communications Act’s privacy rights protect the account contents, and Facebook cannot be compelled to turn over the contents in a civil action.

At first glance, this may appear to be a surprising result. However, I believe this case was decided correctly under the Stored Communications Act. Also, while one key question was not answered by the court in this order, I believe this case is ultimately beneficial to other families and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts. To explain why, let’s first examine the privacy rights under the Stored Communications Act, and then I’ll explain my thoughts about this new Facebook ruling.

Stored Communications Act

The Stored Communications Act (also known as the “Stored Wire and Electronic Communications Act”) is part of the Electronic Communications Privacy Act of 1986. The Stored Communications Act is codified in 18 U.S.C. §§ 2701 through 2712. Among other things, the Stored Communications Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain service providers.

Without going too far into the technical details, in general, the protections under the Stored Communications Act depend on:

1. Whether the request or demand for information is made by a governmental entity (e.g., in a law enforcement investigation) or by some other person or entity (e.g., in a civil lawsuit);
2. Whether the company provides services to the public (e.g., Facebook, Google, Yahoo!, Microsoft, and Apple provide services to the public) or whether the services are not publicly available (e.g., an employer that provides e–mail accounts only to its employees);
3. Whether the request or demand is for the contents of the electronic communications and files (e.g., the body and subject line of an e–mail) or whether the request or demand is for noncontent information (e.g., the user’s name, address, connection records, length of service, type of service, network/IP address, and the means and source of payment for the service);
4. Whether access to the contents of the electronic communications and files are “restricted in some fashion” or are “completely public”; and
5. Whether the company provides an “electronic communications service” (ECS) or a “remote computing service” (RCS).

For more a more detailed description of the Stored Communications Act, I recommend reading A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It by Orin S. Kerr.

Estate Administration Example

Let’s walk through an example involving the administration a deceased user’s estate to better understand how the Stored Communications Act applies. Let’s assume the decedent had: (1) a free e–mail account (it doesn’t matter if it’s a Google Gmail account, a Microsoft Hotmail account, or a Yahoo! Mail account); (2) a Facebook account; and (3) an employer–provided e–mail account. Also, let’s assume we have a duly–appointed executor with authority to act on behalf the decedent’s estate (an executor also is referred to as a personal representative of the estate or as an estate administrator).

First, if there is a law enforcement investigation involved regarding the decedent (e.g., a murder investigation involving the decedent’s death or a crime for which the decedent is being investigated), then a governmental entity might want to review the e–mail or Facebook account contents. Under § 2703 of the Stored Communications Act, a governmental entity can compel the disclosure of contents of electronic communications and files protected under the Stored Communications Act by following the proper procedures for the type of information requested from each provider (e.g., a search warrant, subpoena, etc.). That’s beyond the scope of our example, so I’m not going to walk through those procedures.

In our example, the executor of the decedent’s estate is not a governmental entity. So, there are three main options for the executor to obtain the contents of the two e–mail accounts and the Facebook account:

1. Ask each provider for a copy of the deceased user’s account contents;
2. File a civil lawsuit against the provider to try to compel the provider to turn over the deceased user’s account contents; and
3. Use the decedent’s username and password (if you have them) to access the decedent’s e–mail and Facebook accounts to directly obtain a copy of the account contents.

The first option is what I generally recommend. The duly–appointed executor of the decedent’s estate (or, for an incapacitated user’s accounts, the duly–appointed guardian, conservator, or attorney–in–fact under a durable power of attorney) asks the provider for a copy of the account contents and furnishes documentation to the provider showing the fiduciary’s authority (e.g., a copy of the durable power of attorney or a certified copy of the court documents appointing the guardian, conservator, or executor to act on behalf of the living user or of the deceased user’s estate). If the user is deceased, I recommend also furnishing a certified copy of the death certificate to the provider. The executor of a decedent’s estate stands in the shoes of the decedent, so, for purposes of our example, the executor should be able to provide “lawful consent” on behalf of the decedent to divulge the contents of the decedent’s accounts. I will say more about “lawful consent” below (and why the September 20, 2012, Facebook order mentioned above is relevant to this). The second option for the executor—file a civil lawsuit against the provider—does not work if the Stored Communications Act applies. A civil action cannot require (see § 2703) a provider to disclose the contents of electronic communications and files protected under the Stored Communications Act, but the provider may voluntarily disclose the contents if one of the exceptions under § 2702(b) is met. Again, I will say more about the “lawful consent” exception below. The third option for the executor—use the decedent’s username and password to access the account directly—might be construed as “unauthorized access” under a state or federal criminal law. I’ve written previously (here and here) about whether it’s a crime for fiduciaries to access a decedent’s online accounts, and the chilling effect those criminal laws have on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. Since option two doesn’t work if the Stored Communications Act applies and option three might be construed as a criminal act, that leaves the duly–appointed executor (or other fiduciary) with option one as the clear choice: ask each provider for a copy of the deceased user’s account contents and provide appropriate documentation to back up the request.

Second, to continue applying the Stored Communications Act to our example, let’s look at whether the company holding the contents is providing services to the public. For the free e–mail account and the Facebook account in our example, we know that Google, Microsoft, Yahoo!, and Facebook provide these services to the public. But, the employer–provided e–mail account in our example is different, because the typical employer only provides the e–mail account to employees (and a school that provides accounts only to its students and staff also does not provide services to the public). That difference is important because § 2702(a) of the Stored Communications Act prohibits a company that provides ECS or RCS to the public from divulging the contents of the electronic communications or files unless an exception is met. That statutory prohibition on divulging contents doesn’t apply to a company that does not provide ECS or RCS to the public (e.g., the employer–provided e–mail in our example), because there is a different expectation of privacy for the user. So, the company could voluntarily divulge the employer–provided e–mail account contents or might be compelled in a civil proceeding to turn over those contents—the company can’t use § 2702(a) of the Stored Communications Act as a shield to prevent disclosure. But, there may be other reasons that the company can’t or won’t turn over the employer–provided e–mail account contents, such as: (1) a trade secret protected by state law; (2) a non–compete agreement, a non–disclosure agreement, or the company’s electronic resources policy; (3) “protected health information” under the Health Insurance Portability and Accountability Act of 1996—HIPAA (but, an incapacitated employee’s designated health care agent or a deceased employee’s personal representative has authority to request this information); (4) medical information protected from disclosure by a state law or the Americans with Disabilities Act of 1990; (5) “nonpublc personal information” under the Gramm–Leach–Bliley Act; or (6) some other privacy law or privilege.

Third, in our example, the executor of the deceased user’s estate is looking for the contents of the electronic communications and files. Different protections apply for voluntary and compelled disclosure of “contents” versus the “noncontent information” about the account, especially if a governmental entity is making the demand. For our example, similar exceptions apply under the voluntary disclosure rules for contents and noncontent information. I will say more about the “lawful consent” exception below.

Fourth, we need to consider whether access to the contents of the electronic communications and files in our example are “restricted in some fashion” or are “completely public.” If the contents are completely public, the privacy protections of the Stored Communications Act do not apply. On the other hand, if access to the contents is restricted in some fashion, then the privacy protections of the Stored Communications Act do apply. It’s interesting to think of a user’s “privacy rights” with respect to social networking services, such as a user’s Facebook Wall (or MySpace Comments or Google+ Stream), which can be seen by hundreds or even thousands of “friends.” Do those contents receive privacy protections under the Stored Communications Act? The court in Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D. Cal. 2010), faced this issue and determined that Facebook’s Wall feature and MySpace’s Comments feature are analogous to a restricted–access electronic bulletin board on which friends and family can post messages and news updates. The court in Crispin determined that a user’s Facebook Wall or MySpace Comments postings can have restricted access (receiving privacy protections under the Stored Communications Act) if they are only visible to another person who has been granted access to see the user’s full profile.

Fifth, we look at whether the company provides an “electronic communications service” or a “remote computing service.” Different rules apply for voluntary and compelled disclosure with respect to ECS providers versus RCS providers if a governmental entity is making the demand, but the distinction is less relevant for our example with the executor of a deceased user’s account potentially bringing a civil suit. A single company might be classified as providing just ECS, just RCS, both ECS and RCS, or neither ECS nor RCS. In the Crispin case mentioned above, the court determined that both Facebook and MySpace are ECS providers and RCS providers. With respect to private messaging features of Facebook and MySpace, the court in Crispin determined that these features are analogous to e–mail communications and held that Facebook and MySpace operate as ECS providers with respect to unopened messages and operate as RCS providers with respect to messages that have been opened and retained. The court in Crispin also held that “Facebook and MySpace are ECS providers as respects wall postings and comments and that such communications are in electronic storage. In the alternative, the court holds that the Facebook and MySpace are RCS providers as respects the wall postings and comments.”

Based on the discussion above, for our example, the free e–mail account and the Facebook account have statutory privacy protections under the Stored Communications Act. So, both the company providing the free e–mail account (e.g., Google, Microsoft, Yahoo!, etc.) and Facebook are prohibited by § 2702(a) of the Stored Communications Act from divulging the contents of the electronic communications or files unless an exception is met. If the Stored Communications Act applies and an exception is met under § 2702(b), then the provider may voluntarily divulge the contents but cannot be compelled to divulge the contents in a civil suit. As discussed above, the prohibition against voluntary disclosure under § 2702(a) of the Stored Communications Act does not apply to the employer–provided e–mail contents. With respect to the free e–mail account and the Facebook account, to which the Stored Communications Act does apply, the exception for voluntary disclosure under § 2702(b)(3) is relevant: a provider “may divulge the contents of a communication…with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service.”

With that “lawful consent” exception under § 2702(b)(3) in mind, the key question is whether the duly–appointed executor of a deceased user’s estate (or other fiduciary for a living user) can provide “lawful consent” so that the provider may voluntarily divulge the contents for purposes of § 2702 of the Stored Communications Act.

Conclusions From the September 20, 2012, Facebook Ruling

Finally, this key question brings us back to the September 20, 2012, court order blocking a demand to turn over the contents of a deceased user’s Facebook account. As I mentioned above, the executor of Sahar Daftary’s estate asked the court to compel Facebook to turn over the decedent’s Facebook account contents as part of a coroner’s inquest to determine her cause of death. From the discussion above, the Stored Communications Act applies, § 2702(a) prevents Facebook from divulging the contents unless an exception is met, and Facebook cannot be compelled to divulge the contents in a civil suit. In its Motion to Quash Subpoena in a Civil Case filed on August 6, 2012, and in its Reply In Support of Motion to Quash Subpoena in a Civil Case filed on August 27, 2012, Facebook asserts that it is not clear that the executor’s consent satisfies the Stored Communications Act’s exception for “lawful consent” under § 2702(b)(3). Facebook argues that different jurisdictions may vest different powers in executors, so this would “impose excessive burdens and risks on Facebook and other service providers.” Facebook also argues that “it would be far too burdensome to require service providers to analyze the law of the relevant jurisdiction each time an administrator asserted the right to consent on behalf of a deceased user. It would also be patently unfair. Service providers are subject to serious penalties for wrongful disclosure.” But, I believe a reasonable counterpoint to this argument by Facebook is that banks and brokerage companies need to deal with fiduciaries on a routine basis, and they’ve figured out a way to make that process work effectively.

To its credit, Facebook offered a reasonable middle ground stating “Facebook would not object if the Court (1) holds that Anisa Daftary may provide lawful consent under Section 2702 of the SCA to the disclosure of communications in Sahar’s account, and (2) orders Facebook to disclose the reasonably accessible communications sought by Applicants.” In this case, Anisa Daftary is both the mother of Sahar Daftary (the deceased Facebook user) and the executor of her estate. However, because the Stored Communications Act applies and the provider cannot be compelled to divulge the contents in a civil suit, the September 20, 2012, order states that the court lacks jurisdiction to address whether the executor of the deceased user’s estate may offer consent so that Facebook may disclose the records voluntarily (the court notes that it would be an impermissible advisory opinion).

So, with all that being said, why do I believe that this case is ultimately beneficial to family members and fiduciaries seeking e–mails or other contents of an incapacitated or deceased user’s online accounts? Because I think the court’s order should give comfort to Facebook and other online account providers to voluntarily disclose an incapacitated or deceased user’s account contents. Facebook mentioned in its pleadings the chilling effect of the Stored Communications Act’s prohibitions (and penalties) on voluntary disclosure of contents unless an exception is met. While the court did not answer the question of whether, as a matter of law, the executor of a deceased user’s estate (or a duly–appointed fiduciary acting on behalf of an incapacitated user) may provide “lawful consent” under § 2702, the final sentence of the court’s opinion suggests what the answer should be. The court said “Of course, nothing prevents Facebook from concluding on its own that Applicants have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” I want to be clear: this sentence is not a determination of the court that others can rely on—it is only obiter dictum. Still, I believe this sentence is ultimately beneficial because it strongly suggests (to me) that this court would not oppose the executor of a deceased user’s estate providing “lawful consent” under § 2702 of the Stored Communications Act. And, this court—the U.S. District Court, Northern District of California—is especially important because the Terms of Service Agreement for Facebook (section 16.1) provides that any disputes must be resolved in a court located in Santa Clara County, California (which is within the boundaries of the U.S. District Court, Northern District of California). In addition, the U.S. District Court, Northern District of California, is the chosen federal court jurisdiction under the Terms of Service Agreement for Apple, Google, LinkedIn (section 8.1), Twitter (section 12.B), WordPress, Yahoo! (section 27), and YouTube (section 14). So, the final sentence from this court’s order, even though it isn’t binding authority, should give comfort to some of the major online account service providers because this court is the key jurisdiction for these providers in the event of a dispute. A notable exception to that list of providers is Microsoft, which selects Washington state for its dispute resolution provision.