Judge Rules: Privacy Controls on Facebook Insufficient

This post was originally posted on Freedom4All, you can view the original in the Freedom4all archive

As US court has ruled that a woman who posted content to a restricted part of Facebook had “No reasonable expectation that it would remain private”. 

Facebook is often criticised for making too much information public, however on this occasion the woman – Kathleen Romano – had set her profile to be private. Despite this, a Judge has ruled that content previously posted to Ms Romano’s profile is admissible as evidence, even though it had never been publicly accessible and Ms Romano had deleted it from her account! 

The Judge has ordered that Facebook provide the content in question from their backups or archives. Although Facebook is often criticised for retaining deleted information, it is not yet clear whether they have retained the content in question. 

Although Ms Romano had claimed that she suffered permanent injuries and was largely confined to her home and bed, the defence contends that images posted to the social networking site (and later deleted) showed Ms Romano smiling outside her house. 

This case helps bring to light the serious privacy ramifications of both local laws and online services. 

The Facebook Privacy Policy is less than clear on how long data will be retained, even after the user believes they have deleted it. Particularly concerning is the caveat;

We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook.

Although many users are aware of Facebook’s numerous privacy failings, few will have realised how severely this could impact them. Whilst Facebook is arguably fully deserving of criticism when it comes to privacy, it is true that users must first opt to use Facebook. 

Local laws, however, are largely out of the control of the average individual. When a court is able to rule that a user “has no expectation of privacy”, despite the fact they went to some length to navigate Facebook’s many privacy settings, something is seriously wrong. 

The justification in this case is that the postings “may contradict claims she made about the injuries she sustained” and so can be compelled under New York Discovery Laws. 

We are not disputing the right of Companies/Insurers to protect themselves from potentially fraudulent claims, but the law simply cannot ignore the privacy of others. 

Although the image may appear to contradict the Plaintiff’s claims, it is highly circumstantial – Disabled people are not miserable all the time – and cannot therefore nullify the claim. How is it reasonable, then, that the Plaintiff’s privacy be ignored in favour of a (largely inconsequential) piece of evidence? 

It’s very easy to simply say “if you don’t want something made public, don’t post it to the Internet!”, but consider that the same could easily happen to you. Consider that the Judge has granted access to the Plaintiff’s “current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information ... in all respects.” on the basis of the Defendant’s unsubstantiated claim that photo’s may bolster their case. 


Imagine if you were the plaintiff, the Judge has granted the Defendant full access to your information – perhaps you had an argument with an ex, or even an ‘adult’ conversation with your partner. The Defendant would have full access to this information, purely based on claims that a photo may support their argument. 


The problem here is twofold: 

  1. Local laws fail to adequately protect or respect the individuals right to privacy
  2. Facebook retains deleted data for too long

Facebook do have a business to run, and it’s simply not reasonable to expect them to purge deleted data from historic backups. But it may be reasonable to expect them to review how long they retain backups for – even with a Grandfather- Father-Son system, 90 days seems excessive. 

Local Laws should be changed, and courts should respect the privacy of users. The Judge in this case could easily have opted to view the requested content himself, before deciding whether it was relevant. Instead he granted the Defendant full and unfettered access. 

This is simply not acceptable. 

Unfortunately, this situation will never change unless politicians are reminded (again and again) that their constituents value their privacy. 

Wherever you are in the world, contact your Local Representative and remind them that you value Privacy above all else!