Accordingly, we solicited supplemental briefing concerning the proper interpretation of section 2702. In that briefing, all parties now concede that communications configured by the social media user to be public fall within section 2702(b)(3)'s lawful consent exception to section 2702's prohibition, and, as a result, may be disclosed by a provider. As we will explain, this concession is well taken in light of the relevant statutory language and legislative history.
The parties differ, however, concerning the scope of the statutory lawful consent exception as applied in this setting. Defendants emphasize that even those social media communications configured by the user to be restricted to certain recipients can easily be shared widely by those recipients and become public. Accordingly, they argue that when any restricted communication is sent to a "large group" of friends or followers the communication should be deemed to be public and hence disclosable by the provider under the Act's lawful consent exception. On this point we reject defendants' broad view and instead agree with providers that restricted communications sent to numerous recipients cannot be deemed to be public-and do not fall within the lawful consent exception. Yet we disagree with providers' assertion that the Act affords them "discretion" to defy an otherwise proper criminal subpoena seeking public communications.
In light of these determinations we conclude that the Court of Appeal was correct to the extent it found the subpoenas unenforceable under the Act with respect to communications addressed to specific persons, and other communications that were and have remained configured by the registered user to be restricted. But we conclude the court's determination was erroneous to the extent it held section 2702 also bars disclosure by providers of communications that were configured by the registered user to be public, and that remained so configured at the time the subpoenas were issued. As we construe section 2702(b)(3)'s lawful consent exception, a provider must disclose any such communication pursuant to a subpoena that is authorized under state law.
Ultimately, whether any given communication sought by the subpoenas in this case falls within the lawful consent exception of section 2702(b)(3), and
We will direct the Court of Appeal to remand the matter to the trial court to permit the parties to appropriately further develop the record so that the trial court
I. FACTS AND LOWER COURT PROCEEDINGS
A. Grand Jury Proceedings and Indictment 2
According to testimony before the grand jury, at midday on June 24, 2013, Jaquan Rice, Jr., was killed and his girlfriend, B.K., a minor, was seriously injured in a drive-by shooting at a bus stop in the Bayview district of San Francisco. Various surveillance videos showed a vehicle and someone firing a handgun from the rear window on the driver's side. A second person was depicted leaving the vehicle from the rear passenger-side door and firing a gun with a large attached magazine.
Witnesses identified defendant Derrick Hunter's 14-year-old brother, Quincy, as one of the shooters. During questioning in the early morning hours after the events, police homicide detectives told Quincy that they had "pulled all Instagram ... [and] Facebook stuff," and were aware that he knew the shooting victim. Quincy related that the victim had "tagged" him on Instagram in a video featuring guns. The detectives responded that they had been "working all day" on the matter and had "seen those posts." Quincy admitted that he shot the victim six times-and asserted that the victim "would have done the same thing to us." 3
Quincy stated that "Nina," his girlfriend's sister, had provided the car in which he, his brother, and one other male had driven. Within a few minutes
Renesha was codefendant Lee Sullivan's then girlfriend. She had rented the car used in the shooting and gave varying accounts of the events. According to her testimony before the grand jury, during the course of multiple interviews on the day and night of the killings, she initially "just made up names and stuff." Eventually she told the police that defendant Derrick Hunter and his younger brother Quincy were among those who had borrowed her car. Renesha did not mention defendant Sullivan's name until a few days later, when she "told them the truth about [Sullivan]," and that he had been involved along with the Hunter brothers.
Renesha related that on the day of the shooting she had driven with Sullivan and the Hunter brothers to a parking lot where they "got out and walked to Quincy['s] house." She explained that Sullivan told her the three young men were going to a store. Renesha recalled that she replied she would remain at the house and talk to her sister. She testified that Sullivan had not been wearing gloves when he and the others initially approached her to borrow the car, but she noticed that he was wearing gloves when they came out of
In presenting the case to the grand jury, the prosecution contended that defendants and Quincy were members of Big Block, a criminal street gang, and that Rice was killed for two reasons: (1) Rice was a member of West Mob, a rival gang, and (2) Rice had publicly threatened defendant Derrick Hunter's younger brother Quincy on social media. Inspector Leonard Broberg, a gang
Defendants were indicted and are presently charged with the murder of Rice and the attempted murder of B.K. They also face various gang and firearm enhancements. ( Pen. Code, §§ 187, 664, 186.22, subd. (b)(1), 12022, subd. (a), 12022.53, subds. (d) & (e)(1).)
B. Description of the Subpoenas
Prior to trial, in late 2014, both defendants served subpoenas duces tecum ( Pen. Code, § 1326, subd. (b) ) on Twitter. Defendant Sullivan's subpoena sought "[a]ny
Only defendant Sullivan served subpoenas on Facebook and Instagram. The Facebook
Sullivan's subpoena served on Instagram similarly sought "[a]ny and all public and private content," including deleted material, published by Rice and Renesha Lee, each of whom was again identified by photocopied screen shots showing their account information. 5 In all relevant respects the demands for record, content, and authentication information tracked the demands directed to the other social media providers.
C. Providers' Responses to the Subpoenas
Counsel for Facebook and its subsidiary Instagram responded to the Sullivan subpoenas by a single letter in December 2014, asserting that as providers governed by federal statute (the SCA), they are precluded under that law from divulging the requested stored communications. The letter stated that under the SCA only the government may compel covered providers to divulge such stored content. Accordingly, the letter recommended that defense counsel instead seek the requested information directly from the account holder or from "any party to the communication"-persons who, unlike a covered provider, are "not bound by the SCA." Alternatively, the letter suggested that defense counsel might "work[ ] with the prosecutor to
Eventually all three providers moved to quash the subpoenas. They reiterated the assertions in their letters that defendants might try to obtain the requested information directly from the social media user who posted the communication, or from any recipient
7
-or perhaps via an additional search warrant issued by the prosecution.
8
They also
D. Defendants' Opposition to the Motions to Quash
Defendants opposed the motions to quash, 9 but they did not contest providers' assertion that section 2702(a) prohibits providers from disclosing any of the sought communications-even those configured by the registered user to be public. Nor did defendants challenge providers' assertion that none of section 2702(b)'s exceptions apply in this case. Instead, defendants argued that their federal constitutional rights under the Fifth and Sixth Amendments to a fair trial, to present a complete defense, and to cross-examine witnesses support their subpoenas and render the SCA unconstitutional to the extent it purports to afford providers a basis to refuse to comply with their subpoenas. Defendants acknowledged that no court had ever so held, and asked the trial court to be the first in the nation to do so.
Defendants presented offers of proof concerning the information sought from the various accounts. The prosecution had secured from Facebook and Instagram some of the available social media communications attributed to Rice and, as obligated, had shared that information with defendants in the course of discovery.
10
Regarding the information concerning Rice's communications, defendants asserted that review of the full range of content from those various accounts is required in order to "locate exculpatory evidence" and to confront and cross-examine Inspector Broberg, in order to challenge his assertion that the shooting was gang related. In support defendants cited Broberg's grand jury testimony and attached examples of five
Although the prosecution had secured and shared
some
of Rice's Facebook communications and a portion of the Instagram posts attributed to him, the prosecution had not sought from providers the social media communications of their key witness, Renesha Lee. Nevertheless, it appears from the record that at least one of Renesha Lee's Twitter accounts was public and contained numerous tweets that were accessible to defense counsel. Counsel evidently accessed that account and identified content that, they asserted, indicated a strong likelihood that other similar, yet undiscovered-and possibly deleted-communications might exist. Defendants alleged
In support of these assertions defendants' opposition appended, as an exhibit, photocopied screen shots of what was represented as two of Renesha Lee's Twitter accounts. They quoted a September 2013 tweet showing a photograph of a hand holding a gun and making specific threats: "I got da. 30 wit dat extend clip..... BIIIITCH I WILL COME 2YA FRONT DOOR....." Various other tweets from both accounts suggested a similar theme. Defendants asserted their need for and intention to use these and any other similar tweets, posts, comments, or messages, including deleted content, made by Renesha Lee on Twitter, Facebook, or Instagram, in order to impeach her anticipated testimony at trial. Defense counsel stated that, despite diligent efforts, Renesha Lee could not be located to be served with a subpoena duces tecum.
E. The Hearing on the Motions to Quash
The first session of the bifurcated hearing on the motions to quash was held in early January 2015. The trial court began by explaining that, in light of the pleadings, it was inclined to find the sought material "critical" to the defense against the pending charges, and to conclude that "defendants have a
The trial court next addressed Twitter's assertion that any "deleted contents" would "not [be] reasonably available" and hence providers would "not ... be able to produce deleted contents or authenticate deleted content." The court expressed skepticism concerning Twitter's assertion that it would be unable to produce deleted content, observing:
In its subsequent brief Twitter reiterated its assertion that section 2702 of the SCA fails to "distinguish between 'private' and 'public' content for purposes of its restrictions on providers' disclosure" and it maintained that "service providers are prohibited from producing
any
content, regardless of status." Facebook and Instagram asserted in their own subsequent brief that section 2702 of the SCA bars the requested discovery and that the Act "contains no exception for criminal defense subpoenas." Consistent with their broad assertion that no exception applied under section 2702, they did not address whether any of the sought communications had been configured by the account holder to be public or private/restricted. Twitter, by contrast, directly confronted that issue in its own final supplemental responsive brief, noting
In response, defendants contested the assertions by Facebook and Instagram that defendants could gain access to the sought communications by other means. 13 They argued that unless providers are ordered to comply with the subpoenas, they will be deprived of the information they need and also will be hampered in their effort to "persuade a jury that the records in question originated from Ms. Lee's social media accounts."
After considering the additional briefing, in late January 2015 the trial court confirmed its earlier conclusions, commenting that it would be "untenable" to deny the requested material to defendants. The court further explored with the parties the issues of deleted communications and burdens that compliance would impose
F. The Trial Court's Ruling on the Motions to Quash
The trial court finalized its tentative rulings, denying all three motions to quash and ordering that providers submit all of the sought materials for its in camera review by a deadline in late February 2015. 14 The court stated that it understood providers might seek writ review challenging its oral production order, and recognized that the Court of Appeal might stay its production order.
After discussing the need for a preservation order (see post , fn. 47), the court vacated the trial date, which had been set for the next day. All parties agreed to reconvene in early March, after the trial court had an opportunity to conduct in camera review of the information that the providers had been ordered to produce, or alternatively at a later date pending resolution of the writ proceeding providers intended to file contesting the court's oral production order.
G. The Writ of Mandate Proceeding
Providers jointly filed a petition for a writ of mandate in the Court of Appeal contending that the trial court abused its discretion in denying the motions to quash. They asked the appellate court to "preserve the status quo" by issuing an immediate stay of the trial court's production order and planned in camera review. That court stayed the trial court's production order and issued an order to show cause asking why the relief sought in the petition should not be granted.
After full briefing and oral argument, the Court of Appeal filed an opinion concluding that the SCA barred enforcement of defendants' pretrial subpoenas and rejecting defendants' arguments that the Act violated their rights under the Fifth and Sixth Amendments to the federal Constitution. Reviewing the relevant case law with respect to the constitutional claims, the appellate court concluded: "The consistent and clear teaching of both United States Supreme Court and California Supreme Court jurisprudence is that a criminal
II. PROPER INTERPRETATION OF THE STORED COMMUNICATIONS ACT
Because the parties agreed in the trial court that the SCA precluded providers from
In their initial briefing in this court, the parties again proceeded on the assumption that the litigation raised only constitutional issues, and they debated the merits of defendants' constitutional contentions. Defendants reiterated the view that their federal constitutional right to due process under the Fifth Amendment, and their confrontation, compulsory process, and effective assistance of counsel rights under the Sixth Amendment, require that the Act be declared unconstitutional to the extent it precludes the enforcement of their subpoenas in this case. They candidly recognized that case authority supporting their position is sparse. Ultimately, they suggested that we should overrule or distinguish our own decisions (especially
People v. Hammon
(1997)
As mentioned, our initial review of the SCA and the relevant legislative history of the pertinent provisions, as well as prior judicial decisions addressing related issues, led us to question the validity of the statutory interpretation of the SCA on which
As explicated post , part III.A., in the ensuing supplemental briefing all parties concede that section 2702(b)(3)'s lawful consent exception permits providers to disclose public communications. In order to understand the relevant provisions of the SCA and why we also conclude that the statute should be so construed, it is appropriate to review the Act's general history, the language of the relevant statutory provisions, the specific legislative history of those provisions, and prior relevant case law.
A. The SCA-History and General Background
Congress enacted the Electronic Communications Privacy Act in 1986. (ECPA; Pub.L. No. 99-508,
Prior to the ECPA's enactment, the respective judiciary committees of the House of Representatives and the Senate prepared detailed reports concerning the legislation.
B. Key Provisions of the SCA
1. Rules regarding unauthorized access to stored communications: Sections 2701 and 2511(2)(g)(i)
Section 2701(a) provides that, subject to specified exceptions, "whoever ... intentionally accesses without authorization a facility through which an electronic communication
2. Rules prohibiting disclosure by service providers and listing exceptions under which providers are permitted to disclose "communications" or "customer records": Section 2702
Section 2702 addresses disclosure by certain covered service providers-and by
The next two subsections of section 2702-(b) and (c)-list exceptions to the general prohibition on disclosure by a service provider set forth in subsection (a). Subsection (b) describes eight circumstances under which a provider "may divulge the contents of a communication." As relevant here, subparts (1)-(3) of subsection (b) permit disclosure: (1) "to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient"; (2) pursuant to section 2703, which, as described below, permits a "governmental entity" to compel a covered provider to disclose stored communications by search warrant, subpoena or court order; and (3) "with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of [a] remote computing service" (italics added). As explained below, some of the communications sought under the subpoenas at issue here may fall within the lawful consent exception set forth in section 2702(b)(3). 22
Finally, subsection (c) of section 2702 describes six circumstances under which a covered provider may divulge
non-content information
-that is, any "record or other information pertaining to a subscriber or to a customer of such service (not including the contents of communications...)."
23
As
As alluded to above, section 2703 governs compelled disclosure by covered providers to a "governmental entity." It sets forth the rules under which law enforcement entities may compel ECS and RCS providers to disclose private as well as public communications made by users and stored by covered service providers. 25
C. House and Senate Reports Concerning the Relevant Provisions
The 1986 congressional reports took special note of then-existing electronic bulletin boards-early analogues to the social media platforms at issue here. In the course of these discussions, the respective judiciary committees focused on the configuration of posts as being private or public and indicated an understanding that section 2701, governing unauthorized access to communications, was intended to cover and protect only private and not public posts. Significantly, the reports indicated the same understanding regarding section 2702's ban on provider disclosure of electronic communications, as reflected in that section's lawful consent exception to the ban.
The extensive House Report, issued first, repeatedly focused on the public/private theme. It did so initially in a passage addressing section 2511(2) of the ECPA, which as noted above states in subsection (g)(i) that it "shall not be unlawful" under either the omnibus ECPA or its SCA subset to "access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." The committee explained that under this provision, it would be "permissible to intercept electronic communications
The House Report next turned to the provision that we must construe here, section 2702, prohibiting disclosure by covered providers of communications contents. The committee revealed its understanding that the theme of distinguishing between public and private posts carried over from section 2701's access rule and applied as well to section 2702's bar on the divulging of communications by providers.
The report observed that although section 2702(a) articulates a general prohibition on disclosure by a provider, section 2702(b)(3), setting out one of eight exceptions to that rule, permits such a provider to divulge contents "with the lawful consent of the originator or any addressee or intended recipient" of the communication. (House Rep.,
supra
, at p. 66.) The committee explained that, in its view,
implied
lawful consent by a user-and hence permissible disclosure by service providers-would readily be found with regard to communications configured by the user to be accessible to the public. It stressed that consent as contemplated by section 2702(b)(3) "need not take the form of a formal written document of consent." (
Ibid
.) The report viewed consent to disclosure as being implied by a user's act of posting publicly, and/or by a user's acceptance of a provider's
D. Cases Construing the SCA in Light of the House and Senate Reports
Prior decisions have found that Facebook and Twitter qualify as either an ECS
Only a few decisions have construed the relevant provisions of the SCA, and nearly all have concerned civil litigation. Most have focused on claims that a party had obtained unauthorized
access
to stored communications
1. "Unauthorized access" cases interpreting section 2701
Konop v. Hawaiian Airlines, Inc.
(9th Cir. 2002)
More recently, in
Ehling, supra
,
2. "Prohibited disclosure" cases interpreting section 2702
In addition to the civil decisions construing section 2701's
access
rules and recognizing a
a. O'Grady and related cases regarding subpoenas to providers seeking e-mail communications
The first group of decisions addresses requests for disclosure by e-mail providers of their users' e-mail communications. A leading example is
O'Grady, supra
,
b. Viacom and Crispin -regarding subpoenas served on providers seeking social media communications
Two additional section 2702 disclosure cases are more pertinent to our present inquiry because they concerned disclosure by service providers, not of private e-mail, but of social media communications . As explained below, these decisions reflect an understanding that Congress intended section 2702 to prohibit disclosure by providers of only private or restricted, but not public, social media communications.
The first opinion,
Viacom Int'l Inc. v. YouTube Inc.
(S.D.N.Y. 2008)
The second decision,
Crispin, supra,
Accordingly, the court in
Crispin
determined that the dispositive question was whether the posts had been configured by the user as being "sufficiently restricted that they are not readily available to the general public." (
Crispin, supra
,
Applying these principles to the motion to quash the civil subpoenas before it, the
Crispin
court observed that the parties had provided an incomplete record regarding the nature of the various private message services and other posts and comments services offered by those social media entities. Accordingly, the court remanded the matter "so that [the magistrate] can direct the parties to develop a fuller evidentiary record regarding plaintiff's privacy settings and the extent of access allowed to his Facebook [posts] and MySpace comments." (
Crispin, supra
,
In reaching these conclusions
Crispin
relied heavily on the SCA's
access
provisions and related case law-and it focused generally on section 2702's
disclosure
bar without also considering specifically the lawful consent exception set out in section 2702(b)(3). Accordingly, the decision can be read as concluding that if Congress intended to withhold liability under section 2701 concerning those who
access
public communications, Congress must also have intended not to protect those same public communications from
disclosure
by covered providers under section 2702. Under this view, which appears to have been endorsed by some commentators,
29
the Act
As observed
ante
, part II.C., the House Judiciary Committee discussed the public/private distinction articulated under section 2511(2)(g)(i) of the ECPA, and revealed that it viewed that same distinction as carrying over and applying under the related
access
provision of the SCA, section 2701. The House Report then proceeded to describe the
disclosure
provision, section 2702, in a manner showing that it considered the same public/private distinction to apply in that context as well
via the lawful consent exception
E. Conclusion Regarding Section 2702(b)(3)'s Lawful Consent Exception
In light of the foregoing analysis, we conclude that communications configured by a social media user to be public fall within section 2702(b)(3)'s lawful consent exception, presumptively permitting disclosure by a provider.
A. Overview: The Parties' General Agreement in Their Supplemental Briefs That Public Communications May Be Disclosed Under the Lawful Consent Exception; Limitation of Our Analysis to That Statutory Issue; and the Need for Remand to the Trial Court
As alluded to earlier, in supplemental briefs concerning section 2702 filed in response
Nevertheless, both parties urge us to address not only the scope of the lawful consent exception, but also the constitutional issues originally framed and briefed. As alluded to in footnote 31, and as explained below, we find it proper at this point to address only the statutory issues, and not the constitutional claims.
As observed earlier, in the lower court proceedings the parties did not focus on the public/private configuration distinction. The trial court made no determination whether any communication sought by defendants was configured to be public (that is, with regard to the communications before us, one as to which the social media user placed no restriction on who might access it) or, if initially configured as public, was subsequently reconfigured as restricted or deleted. Nor is it clear that the trial court made a sufficient effort to require the parties to explore and create a full record concerning defendants' need for disclosure
from providers
-rather than from others who may have access to the communications. Consequently, at this point it is not apparent that the court had sufficient information by which to assess defendants' need for disclosure from providers when it denied the motions to quash and allowed discovery on a novel constitutional theory. In any event, because
In light of our interpretation of the Act, it is possible that the trial court on remand might find that providers are obligated to comply with the subpoenas at least in part. Accordingly, although we cannot know how significant any sought communication might be in relation to the defense, it is possible that any resulting disclosure may be sufficient to satisfy defendants' interest in obtaining adequate pretrial access to additional electronic communications that are needed for their defense. For these reasons, we will not reach or resolve defendants' constitutional claims at this juncture. Instead, we conclude that a remand to the trial court is appropriate.
In order to provide guidance to the trial court on remand, we discuss two issues regarding the statutory question that have been raised by the parties in their supplemental briefs.
The parties now generally agree that communications configured by a social media user to be public fall within section 2702(b)(3)'s lawful consent exception and presumptively may be disclosed by a provider. Beyond this point of agreement, the parties disagree starkly concerning the proper scope and interpretation of the implied consent exception.
Defendants advance an expansive interpretation of the exception. They argue that a user's implied consent to disclosure by providers under section 2702(b)(3) should be triggered not only by communications configured by the user to be public, but also by those configured by the user to be
restricted
, but nonetheless accessible to a "large group" of friends or followers. Defendants contend that, in practice, social media users "lose[ ] control over dissemination once the information is posted," and can have no reasonable expectation of privacy even with regard to such restricted communications in light of the fact that any authorized recipient can easily copy any communication and share it with others. (Cf.
Moreno v. Hanford Sentinel, Inc
. (2009)
In support, defendants rely primarily on distinguishable decisions finding social media communications discoverable in civil litigation from a social media user, not, as here, from a social media provider. (E.g.,
Fawcett v. Altieri
(N.Y.Sup.Ct. 2013)
Defendants criticize decisions such as
Crispin, supra
,
Providers and amicus curiae Google, LLC (Google), by contrast, assert that a registered user who configures a communication to be viewed by any number of friends or followers-but not by the public generally-evinces an intent
not
to consent to disclosure by a provider under 2702(b)(3), but instead to preserve some degree of privacy. They too
To begin with, we reject defendants' unsupported and rather startling assertion that social media communications and related technology fall categorically outside section 2702(a)'s general prohibition against disclosure by providers to "any person or entity."
32
Nor can we accept defendants' interpretation of section 2702(b)(3)'s lawful consent exception,
In this respect, providers argue, defendants' view "would effectively eliminate expectations of privacy in
all
communications" and hence "would undermine the privacy rights of all users, including those of criminal suspects and defendants. If the SCA excluded electronic communications that are
The policies and FAQs warn registered users that a communication configured as public will generally become, in the words of the House Report, supra , at page 62, "readily accessible to the general public,"
Providers' FAQs warn that even communications configured as restricted still might be shared by an authorized recipient with anyone else.
36
At the
For all of these reasons we reject defendants' proposed broad interpretation of the lawful consent exception. We hold that implied consent to disclosure by a provider is not established merely because a communication was configured by the user to be accessible to a "large group" of friends or followers. 37
Providers contend that to the extent section 2702(b)(3)'s lawful consent exception
As observed earlier, section 2702(a) sets out a general prohibition against disclosure of communications by a service provider; and section 2702(b) lists exceptions under which a provider "may" disclose such communications-including, in subsection (3), communications regarding which a user has lawfully consented to disclosure. As the parties have conceded, such consent is applicable when a user posts a communication configured to be public. Plainly, section 2702(b) merely permits a provider to disclose, and it does not by itself impose a duty or obligation to disclose. Yet providers maintain that by use of the word "may," the section also operates to "ensure that providers would retain the discretion to choose whether to disclose content based on a user's consent"-even in the face of a lawful subpoena. In support, they rely on language in an order by a federal magistrate judge,
In re Facebook, Inc.
(N.D. Cal. 2012)
As explained below, a California Court of Appeal decision,
Negro v. Superior Court
(2014)
As an initial matter, the court in
Negro, supra,
The appellate court in
Negro
continued: "Another federal magistrate judge has observed that 'there should be a clear expression of congressional intent before relevant information essential to the fair resolution of a lawsuit will be deemed absolutely and categorically exempt from discovery and not subject to the powers of the court under [rules governing disclosure]." [Citation.] Congress's use of the word 'may' to frame an exception to the Act's general prohibition on disclosure is not such a 'clear expression of ... intent' as will justify a reading of the Act that categorically immunizes service providers against compulsory civil process where the disclosure sought is excepted on other grounds from the protections afforded by the Act." (
Negro, supra,
Providers do not directly address the logic or substance of the Negro court's analysis quoted above. Instead, they assert, first, that the appellate court's decision is distinguishable because the underlying lawful consent in that case was express, whereas the present case concerns implied consent. This attempt to avoid Negro 's analysis ignores the legislative history described ante , part II.C., disclosing that Congress specifically contemplated that implied lawful consent would satisfy the lawful consent exception. It also is in tension with providers' own concession that implied lawful consent is effective with regard to communications configured by a registered user to be public. (See ante , pt. III.A.)
Alternatively, providers suggest that the SCA should be interpreted to bar the enforcement of any state subpoena that directs service providers to divulge public communications
that the Act permits but does not require them to disclose.
They assert that
Negro
's contrary analysis and conclusion must be
In this respect providers implicitly rely on the fact that section 2703 lists circumstances in which a provider is compelled to disclose to governmental entities-and yet, as the
Negro
court observed, the Act, although preempting state discovery laws that would compel a provider to violate the federal statute, "does not mention" civil (or criminal) subpoenas issued by nongovernmental entities in that section or indeed at all. (
Negro, supra,
D. Additional Issues Raised in the Supplemental Briefs, Some of Which Should Be Explored and Resolved on Remand to the Trial Court
Having addressed the legal issues that can be decided on the present record, we turn to other matters raised in providers' briefs that cannot be resolved at this stage-and some of which must await exploration on remand.
As observed earlier, the subpoenas in this case broadly seek "any and all public and private content." Providers in their supplemental briefs assert variously that "much" or "most" (or all except a "small subset") of the communications sought by the subpoenas were configured by the users to be private or restricted, not public, and hence the lawful consent exception generally will not assist defendants in this case. Because the parties did not acknowledge the relevance and applicability of the lawful consent exception in the trial court, no reliable record was made concerning either registered
As noted, providers concede that they may, pursuant to the lawful consent exception set forth in 2702(b)(3), disclose a post configured by the user to be public. They maintain, however, that the fact a user may have
initially
configured a post for public distribution should not necessarily resolve the question of the applicability of the lawful consent exception. Specifically, providers observe that a communication originally configured to be public subsequently can be reconfigured by the user to
Defendants, by contrast, insist that once a registered social media user configures a communication as public and posts it, triggering section 2702(b)(3)'s lawful consent exception and presumptively allowing disclosure by a provider, the user cannot subsequently revoke that implied consent to disclosure, even if the user promptly reconfigures any post as restricted or deletes the post or closes the account. In support, defendants assert that "any reasonable user knows once you make information publicly available on social media it will be '... broadly and instantly disseminate[d]' ... 'to a wide range of users, customers, and services, including search engines, developers, and publishers ...' just as Twitter advises in its terms of service." 43 Defendants assert that after a public communication has been made so widely available, "[r]evoking consent is as possible as un-ringing a bell."
Providers assert that in light of a registered user's ability to reconfigure communications, "providers may not easily be able to determine the intended audience of a communication at any given point in time" and "it may be difficult for a provider to accurately identify" whether a given communication when posted was public or restricted. Likewise, speaking on providers' behalf, amicus curiae Google avers: "Providers do not routinely maintain records of past privacy settings for each post or message. Lacking such records, it would be
impossible
to determine the privacy configuration that applied when a communication was posted or sent." (Italics added.) Providers also assert that "if a user changes the privacy setting for a communication, a service may not be able to accurately
Providers similarly urge that they should be protected from excessive burdens. As observed
ante
, part II.A., Congress articulated its main purposes in enacting the SCA: affording privacy protections to users while accommodating the legitimate needs of law enforcement. It also articulated a tertiary goal: to avoid discouraging the use and development of new technologies. Providers' briefs characterize this additional purpose as one of "enhanc[ing] the use of communications services and protect[ing] providers from being embroiled as a nonparty in litigation." Amicus curiae on providers' behalf, Google, characterizes this additional purpose even more specifically as "protecting providers from an otherwise limitless burden of responding to requests to disclose their users' communications." Providers rely on dictum in
In light of the statutory scheme, it appears that Congress sought to limit burdens placed on service providers by various means-most obviously, by establishing broad prohibitions and specific exceptions regarding access and disclosure under sections 2701 and 2702, along with rules and procedures pursuant to which the government may compel disclosure under section 2703. With regard to burdens related to disclosure in particular, Congress significantly limited the potential onus on providers by establishing a scheme under which a provider is effectively prohibited from complying with a subpoena issued by a nongovernmental
Of course, any third party or entity-including a social media provider-may defend against a criminal subpoena by establishing that, for example, the proponents can obtain the same information by other means, or that the burden on the third party is not justified under the circumstances. (
City of Alhambra v. Superior Court
(1988)
As noted, providers advanced similar arguments regarding the burden of compliance with the subpoenas in the earlier trial court proceeding. (
Ante
,
We vacate the Court of Appeal's decision and direct that court to remand the matter to the trial court for proceedings consistent with this opinion.
WE CONCUR:
CHIN, J.
CORRIGAN, J.
LIU, J.
CUÉLLAR, J.
KRUGER, J.
YEGAN, J. *
Notes
Associate Justice of the Court of Appeal, Second Appellate District, Division Six, assigned by the Chief Justice pursuant to article VI, section 6 of the California Constitution.
This and the following sections are based on the grand jury transcripts, of which we have taken judicial notice, as well as material in providers' appendix of exhibits-including pretrial moving papers and the transcripts of two sessions of a pretrial hearing.
Ultimately Quincy was tried in juvenile court, found to be responsible for Rice's murder and the attempted murder of B.K., declared a ward of the court, and committed to the Department of Juvenile Justice for a term of 83 years four months to life. Under Welfare and Institutions Code section 607, subdivision (b), however, because of his age at the time of the crimes, he will not be confined beyond his 25th birthday. After the Court of Appeal affirmed in an unpublished opinion (A142771), we granted review (S238077) and held that matter pending disposition of the present litigation.
Toward the end of the proceedings, the prosecutor read to the grand jury some "exculpatory evidence ... that was requested by the defense attorneys in this case be presented to you." The panel was told that two witnesses reported to police that a young woman had been driving the car, and that one witness had identified the driver as Renesha Lee. Yet another witness identified the driver as Quincy Hunter.
It appears from the record that there may have been up to four relevant Instagram accounts, at least one for Renesha Lee and possibly three for Rice. A photocopied screenshot attached as an exhibit to the subpoena pertaining to Renesha Lee indicated the account had four posts, one follower, and eight accounts that the account holder was following. It also shows an image of a padlock, with a notation, "this user is private." According to subsequent pretrial briefing by defendants, "Mr. Rice had multiple social media accounts" and "many ... have been deleted, including accounts gang expert Leonard Broberg relied upon at the grand jury hearing." Moreover, according to that same subsequent briefing, defendants also asserted that "many of [Renesha Lee's social media] accounts have been deleted."
Finally, the letter explained that if defense counsel were to withdraw each subpoena "to the extent it seeks content," Facebook and Instagram might produce "non-content information" regarding the specified accounts, "such as basic subscriber information and [internet protocol] logs"-information that defense counsel might use to contact other parties to the communications, in order to attempt to obtain the information directly from them. ("Basic subscriber information" (more fully described post , fn. 23) and internet protocol logs are forms of record/non-content data that, as implied in the letter, might be employed to identify a recipient of a communication in order to attempt to obtain electronic communications directly from that person.)
In this regard, providers relied on decisions such as
O'Grady v. Superior Court
(2006)
Of course defendants are independently entitled to general criminal discovery, including exculpatory evidence, from the prosecution under Penal Code section 1054.1. Moreover, under authority such as
Brady v. Maryland
(1963)
As the Court of Appeal observed below: "[T]he record before us [makes it unclear whether defendant] Hunter joined in the opposition to the motions to quash below, but he has formally joined in Sullivan's arguments in this court. For simplicity's sake, we refer to the opposition below as that of [d]efendants collectively." We adopt the same approach.
(See ante , fn. 8.) Defendants subsequently asserted, however, that although they have had "access to some of Mr. Rice's social media records through the discovery process that tend to support the prosecution's theory of the case," still they lacked "access to records necessary to present a complete defense and to ensure the right to effective assistance of counsel." Thereafter, in their joint reply brief filed in this court, defendants characterized the prosecution as having declined to obtain all of Rice's various Instagram accounts.
Quincy, in his earlier confession, acknowledged that his brother Derrick was with him in the car when the shooting occurred, but he did not mention Sullivan as being in the car with them. Instead, he asserted that a third person, named Johnson, had been with him and his older brother in the car.
Twitter also stated: "On Twitter, if an account is public, its Tweets are public-a user cannot make individual Tweets public or private on a post-by-post basis." Further, Twitter addressed the trial court's stated concerns regarding retrieval of deleted content. It asserted that even if the SCA permitted it to comply with the subpoenas' demands, still, any "content deleted by the user is not reasonably available to Twitter."
Regarding Rice, defendants noted that because Facebook allows the default to be changed-and posts to be configured as public or private on a post-by-post basis-not all friends might have "content that Mr. Rice decided to withhold from a particular user." As observed ante , footnote 10, defendants conceded that they had access to some of Rice's social media records through the discovery process. But, they insisted, they nevertheless lacked access necessary to present a complete defense. Regarding Renesha Lee's social media records, defendants did not contest Twitter's assertions that one of her Twitter accounts was public and remained open and accessible to all as of the time of the trial court briefing and hearings. Still, defendants asserted, "many of [her other] accounts" (apparently referring especially to the Facebook and Instagram accounts mentioned earlier) "have been deleted," and hence they had no access to them, and yet providers did possess those "inactive and active accounts."
As the Court of Appeal observed, defendant Hunter apparently did not formally oppose Twitter's motion to quash his subpoena. Nevertheless, the trial court assumed such a motion and denied it on the same basis that it denied the motions to quash defendant Sullivan's subpoenas.
The House Report described privacy protection as "most important," and noted: "[I]f Congress does not act to protect the privacy of our citizens, we may see the gradual erosion of a precious right. Privacy cannot be left to depend solely on physical protection, or it will gradually erode as technology advances." (House Report, supra , at p. 19, fns. omitted.) The Senate Committee expounded on this theme, observing that "computers are used extensively today for the storage and processing of information," and yet because electronic files are "subject to control by a third party computer operator, the information may be subject to no constitutional privacy protection" absent new legislation. (Sen. Rep., supra, at p. 3; accord, House Rep., supra, at pp. 16-19.)
In this latter regard, the House Report, noting the "legal uncertainty" that surrounded the government's legitimate access to such stored information, expressed concern that such conditions may expose law enforcement officers to liability, endanger the admissibility of evidence, encourage some to improperly access communications, and at the same time, "unnecessarily discourage potential customers [from] using such systems." (House Rep., supra , at p. 19.) Similarly, the Senate Report cited the same potential problems, and added that legal uncertainty might not only discourage use of "innovative communications systems" but also "may discourage American businesses from developing new innovative forms of telecommunications and computer technology." (Sen. Rep., supra , at p. 5.)
For example, Congressman Kastenmeier, the bill's primary author, stressed as a governing principle "that what is being protected is the sanctity and privacy of the communication." (132 Cong. Rec. 14879 (1986), at p. 14886.) Senator Leahy, the bill's sponsor in the upper house, repeatedly referred to the need to "update our law to provide a reasonable level of Federal privacy protection to these new forms of communications" in order to address inappropriate acquisition by "overzealous law enforcement agencies, industrial spies, and just plain snoops" of "personal or proprietary communications of others." (132 Cong. Rec. 14599 (1986), at p. 14600.) Cosponsor Senator Mathias described the legislation as "a bill that should enhance privacy protection, promote the development and proliferation of the new communications technologies, and respond to legitimate needs of law enforcement." ( Id ., at p. 14608.)
Congress's conception of the internet more than 30 years ago was, of course, substantially different from the internet that exists today. "The World Wide Web had not been developed, and cloud computing services and online social networks would not exist for nearly a decade. Internet users in 1986 could essentially do three things: (1) download and send e-mail; (2) post messages to online bulletin boards; and (3) upload and store information that they could access on other computers. The definitions and prohibitions listed in the SCA align with these three functions as they existed in 1986. Because Congress has not updated the statute, courts have struggled to apply the SCA in light of the explosive growth of the World Wide Web." (Ward,
Discovering Facebook: Social Network Subpoenas and the Stored Communications Act
(2011)
Section 2707 authorizes a civil action to enforce these and the following provisions of the SCA.
An electronic communication service (ECS) is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications." (§ 2510(15).)
The term "remote computing service" (RCS) is defined as "the provision to the public of computer storage or processing services by means of an electronic communications system." (§ 2711(2).)
The five other exceptions listed in section 2702(b) include disclosure incidental to the provision of the intended service or protection of the rights or property of the service provider; matters related to child abuse; and disclosure to a law enforcement agency of inadvertently obtained information that appears to pertain to a crime.
Such "non-content" records consist of logs maintained on a network server, as well as "basic subscriber information," including the following: "(A) name; [¶] (B) address; [¶] (C) local and long distance telephone connection records, or records of session times and durations; [¶] (D) length of service (including start date) and types of service utilized; [¶] (E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and [¶] (F) means and source of payment for such service (including any credit card or bank account number)." (§ 2703(c)(2).)
The five preceding listed exceptions include disclosures of non-content information (1) authorized under compulsion by a "governmental entity" under section 2703; (2) with the lawful consent of the customer or subscriber; (3) as necessary and incidental to the provision of the intended service or protection of the rights or property of the service provider; (4) self-initiated to a law enforcement agency under emergency conditions; or (5) related to child abuse. (§ 2702(c).)
(§ 2703(a) & (b).) As alluded to ante , footnote 23, subsection (c) addresses compelled disclosure to a governmental entity of certain non-content information. Other subsections articulate the requirements of any court order compelling disclosure (§ 2703(d) ), specify that there can be no cause of action against a provider who discloses information pursuant to this chapter (§ 2703(e) ), and impose on providers a requirement to preserve evidence on request of a governmental entity "pending the issuance of a court order or other process" (§ 2703(f)(1) ).
See, e.g.,
Crispin v. Christian Audigier, Inc.
(C.D.Cal. 2010)
The court in
Ehling
observed that the plaintiff user had "approximately 300 Facebook friends" (
The
Crispin
court reasoned: "Although here a large number of [registered] users, i.e., all of plaintiff's Facebook friends, might access the storage and attendant retrieval/display mechanism, the number of users who can view the stored message has no legal significance. Indeed, basing a rule on the number of users who can access information would result in arbitrary line-drawing and likely in the anomalous result that businesses such as law firms, which may have thousands of employees who can access documents in storage, would be excluded from the statute." (
Crispin
,
supra
,
See, e.g.,
Discovering Facebook,
We also briefly note a recent Tennessee intermediate appellate court decision,
State v. Johnson and Williams
(Tenn.Crim.App. 2017)
The court described the evolution of the SCA, extensively quoted sections 2701, 2702 and 2703, and briefly discussed some of the cases cited above, including
Crispin
.
(
Johnson,
In their supplemental brief, providers initially maintain that defendants' failure to challenge providers' proposed statutory interpretation in the lower courts precludes this court from addressing the propriety of that statutory interpretation at this juncture. We reject this contention. It is this court, not defendants, that has raised issues different from those argued below. When this court discovers a possible statutory interpretation question that may obviate the need to address a constitutional claim and solicits supplemental briefing on that issue, the statutory interpretation question is properly before us for resolution. (See Rules of Court, rule 8.516(b)(2) ["The court may decide an issue that is neither raised nor fairly included in the petition or answer if the case presents the issue and the court has given the parties reasonable notice and opportunity to brief and argue it"].) Here we are guided by the familiar principle that we should address and resolve statutory issues prior to, and if possible, instead of, constitutional questions (see, e.g.,
Santa Clara County Local Transportation Authority v. Guardino
(1995)
For similar reasons we reject a somewhat related alternative interpretation of that quoted phrase advanced by amici curiae on behalf of defendants, the California Public Defenders' Association and the Public Defender of Ventura County. Asserting that the phrase "any person or entity" in section 2702(a) should be interpreted to exclude a court, amici curiae propose to interpret that phrase to permit providers to disclose any and all stored communications (no matter how configured) to a trial court for its in camera review-and then, presumably, for the trial court to release at least some of those private communications to defendants.
In support of their argument that a trial court does not qualify as a person or entity under the statute, amici curiae simply cite
Marbury v. Madison
(1803)
Moreover, as amicus curiae Google notes, if defendants' "premise were correct, a communication shared with only one person would be equally public because a single recipient could share a private communication with the world (and some recipients do).... The ability to share an electronic communication accordingly cannot be the basis for removing privacy protections from content posted with less-than-public privacy settings."
See, e.g., Twitter Privacy Policy, Information Collection and Use/Tweets, Following, Lists, Profile, and other Public Information < http://twitter.com/privacy> [as of May 22, 2018] [the service "broadly and instantly disseminates your public information to a wide range of users, customers, and services, including search engines"]; Facebook Help Center, Appearing in Search Engine Results < https://www.facebook.com/help/392235220834308> [as of May 22, 2018]; Facebook Help Center, What is Public Information? < https://www.facebook.com/help/203805466323736?helpref=faq_content> [as of May 22, 2018]; Instagram Help Center, Controlling Your Visibility < https://help.instagram.com/116024195217477> [as of May 22, 2018]. All internet citations in this opinion are archived by year, docket number and case name at < http://www.courts.ca.gov/38324.htm>.
See, e.g., Google Search, How Search organizes information < https://www.google.com/insidesearch/howsearchworks/crawling-indexing.html> [as of May 22, 2018]; Google Search Console Help, Create Good Titles and Snippets in Search Results < https://support.google.com/webmasters/answer/35624?hl=en> [as of May 22, 2018]. Regarding Twitter's firehose stream, see, e.g., Financial Times Lexicon, Definition of Twitter fire hose < http://lexicon.ft.com/Term?term=Twitter-fire-hose> [as of May 22, 2018].
In addition, the three largest search engines-Google, Bing, and Yahoo!-also display in their results a link to a cached version of the social media user's page. (See, e.g., Google, Search Help/View webpages cached in Google Search Results/How to get a cached link < https://support.google.com/websearch/answer/1687222?hl=en> [as of May 22, 2018].) Google explains that "[c]ached links show you what a webpage looked like the last time Google visited it" and that "Google takes a snapshot of each webpage as a backup in case the current page isn't available. ... If you click on a link that says 'Cached,' you'll see the version of the site that Google stored. ( Ibid .)
Even with regard to communications that a user configures-either initially when sent, or subsequently as reconfigured-to be available to only a defined group (such as followers or friends), any such restriction operates only within the confines of the service and the licensing agreements under which other entities interact with the provider. Providers are generally careful to avoid describing the effect of privacy configuration more broadly. (See, e.g., Facebook Help Center, When someone re-shares something I posted, who can see it? < https://www.facebook.com/help/569567333138410> [as of May 22, 2018] ["When someone clicks Share below your post, they aren't able to share your photos, videos or status updates through Facebook with people who weren't in the audience you originally selected to share with " (italics added, boldface omitted).] ) Accordingly, when a user configures a post to be available to only specifically listed persons, the provider will be able to honor that user's choice only within the service -by disabling those recipients from, in turn, sharing that communication with others within the system through the system's sharing tools. Moreover, all three providers warn users that such configuration protection within each system does not prevent any authorized recipient from employing mechanisms outside the system to copy any post (by, for example, downloading or creating a screen shot) and then sharing the communication with anyone on the internet. (See, e.g., Twitter, About public and protected Tweets/Who can see my Tweets? < https://support.twitter.com/articles/14016> [as of May 22, 2018] ["Keep in mind that when you choose to share content on Twitter with others, this content may be downloaded or shared"].) Indeed, as Twitter advises, even when a user protects communications by restricting them to specific persons, that user's communications might nevertheless be shared by any such person with anyone else. (Twitter Help Center, Twitter Privacy Policy/Information Collection and Use/Direct Messages and Non-Public Communications < https://twitter.com/privacy?lang=en> [as of May 22, 2018] ["When you use features like Direct Messages to communicate privately, please remember that recipients may copy, store, and re-share the contents of your communications"]; see also Facebook, Data Policy/How is this information shared?/Sharing our Services/People you share and communicate with < https://www.facebook.com/policy.php> [as of May 22, 2018] ["people you share and communicate with may download or re-share this content with others on and off our Services"]; Instagram, Privacy Policy/3. Sharing of your information/Parties with whom you may choose to share your User Content < https://help.instagram.com/155833707900388> [as of May 22, 2018] ["Once you have shared User Content or made it public, that User Content may be re-shared by others. ... [¶] If you remove information that you posted to the Service, copies may remain viewable in cached and archived pages of the Service, or if other Users or third parties using the Instagram API [Application Programming Interface] have copied or saved that information."].)
At the same time, we do not endorse the view, expressed by counsel for providers at oral argument, that if it were possible for a registered Facebook user to restrict a communication to "only" all of the other two billion Facebook users, such a communication would not qualify as public under the Act. To our knowledge, no case has endorsed that view and on its face the claim seems rather questionable, particularly inasmuch as Facebook does not generally limit who may join its social media platform. In this regard, we note that what is public under the SCA is not defined by what a social media provider labels as "public."
Nor are we aware of any prior case involving a user who has placed minimal restrictions on a communication within a large social media service (as another hypothetical example, a user who might disseminate a communication to all two billion Facebook users except for one or two people). Although we hold that limiting a communication to a "large group" does not render a post public, and acknowledge that on remand the trial court might find that the public configurations at issue in this case render the resulting communications public under the SCA, we also observe that neither the hypothetical discussed at oral argument nor this additional hypothetical involving minimal restrictions is presented in this case. Therefore, we need not and do not resolve whether such communications would be sufficiently public to imply consent to disclosure under section 2702(b)(3).
The court continued: "Nor do we ... perceive anything in the language of the Act suggesting that Congress intended to grant service providers a blanket immunity from obligations imposed by discovery laws. The Act does not declare civil subpoenas unenforceable;
it does not mention them at all
. As we have said, it
preempts
state discovery laws insofar as they would otherwise compel a service provider to
violate the Act.
It is this preemption that excuses service providers from complying with process seeking disclosures forbidden by the Act. But nothing in the Act suggests that service providers remain shielded from state discovery laws when the disclosures sought are
not
forbidden by the Act." (
Negro, supra,
To the extent dictum in
Johnson,
At the time relevant in this case, it appears that each provider's default setting for registered users was public, meaning that unless the user configured communications to be private, they were public. (Regarding Twitter, see Twitter Privacy Policy/Information Collection and Use/Tweets, Following, Lists, Profile, and other Public Information < http://twitter.com/privacy> [as of May 22, 2018]; regarding Facebook, see Electronic Frontier Foundation, Facebook's Eroding Privacy Policy: A Timeline (Apr. 28, 2010) < https://www.eff.org/deeplinks/2010/04/facebook-timeline> [as of May 22, 2018] [observing that in November 2009, Facebook reset user privacy default settings to public]; see also Facebook Newsroom, Making it Easier to Share With Who You Want (May 22, 2014) < http://newsroom.fb.com/news/2014/05/making-it-easier-to-share-with-who-you-want/> [as of May 22, 2018] [noting that in mid-2014-well after most of the communications at issue in this litigation were sent-Facebook again changed its privacy policy default, reverting, for new users, from public to friends, and giving existing users new tools to help ensure that they post publicly only when they intend to do so]; regarding Instagram, see Instagram Help Center, Controlling Your Visibility/Setting Your Photos and Videos to Private < https://help.instagram.com/116024195217477> [as of May 22, 2018].)
From what we can glean from the record, it appears that Renesha Lee may not have changed the default on one of her Twitter accounts and made her tweets and/or any replies private. (See ante , pt. I.D. and related discussion.) The record does not address the configuration of Renesha Lee's Facebook communications. Finally, regarding Instagram, the record suggests that Renesha may have configured one Instagram account to be private. In addition, the record suggests that she may have had, and deleted, multiple additional accounts with some or all of the social media providers. The configurations of these additional accounts are unknown. (See ante , fn. 5.) Regarding victim Rice, the limited record suggests that he had accounts, perhaps multiple, and of unknown configuration, with Facebook and Instagram-and that some if not all of those accounts (including at least one relied upon by the prosecution's gang expert) have been closed. ( Ibid .)
In this regard Facebook tells users: "If you accidentally share a post with the wrong audience, you can always change it." (Facebook, Privacy Basics/Manage Your Privacy < https://www.facebook.com/about/basics/manage-your-privacy/posts#6> [as of May 22, 2018]; see also Facebook Help Center, How can I adjust my privacy settings? < https://www.facebook.com/help/193677450678703?helpref=related> [as of May 22, 2018] ["You can view and adjust your privacy settings at any time"].) Twitter allows an account to be changed from unprotected to protected and vice versa, and states: "If you at one time had public Tweets (before protecting your Tweets), those Tweets will no longer be public on Twitter, or appear in public Twitter search results [within the provider's system]. Instead, your Tweets will only be viewable and searchable on Twitter by you and your followers." (Twitter Help Center, About public and protected Tweets/What happens when I change my Tweets from public to protected? < https://support.twitter.com/articles/14016#> [as of May 22, 2018].) At the same time, Twitter explains, the opposite also occurs: "If you later change your account settings to no longer protect your Tweets, Tweets that were previously protected will become public and may be indexed by third-party search engines." (Twitter Help Center, Why are my Tweets appearing on Google after deleting or protecting them?/Protected Tweets < https://support.twitter.com/articles/15349#> [as of May 22, 2018].) Finally, Instagram also allows an account to be changed from the default (public) to private, and vice versa. (Instagram Help Center, Privacy Settings & Information/Privacy settings/How do I set my photos and videos to private so that only approved followers can see them? < https://help.instagram.com/196883487377501/?helpref=hc_fnav> [as of May 22, 2018].)
Amicus curiae Google hypothesizes that any given communication originally configured as public, or any subsequent reverse reconfiguration of a communication from restricted to public, might conceivably be undertaken not by a registered user him- or herself, but by a person or entity who uses or hacks the user's account. Any such action, Google argues, should be viewed as not constituting implied consent to disclosure by a provider. We agree, and observe that the trial court on remand will be in a position to permit providers to attempt to establish, as a preliminary matter, that a given communication was configured, reconfigured, or deleted, by someone other than the registered account owner without authority of the owner.
See ante , footnote 34.
In support providers cite
Van Patten v. Vertical Fitness Group, LLC
(9th Cir. 2017)
In this regard, providers warn users, the acts of reconfiguration or deletion (or even account closure) do not reach outside the provider's system and prevent third parties that may have indexed and cached any communication from continuing to make a given communication available in its prior form to anyone on the internet. For example, Facebook notes that in that situation it has no "control over content that has already been indexed and cached in search engines" and it offers the same advice as do Instagram and Twitter to their own registered users: in order to "request the immediate removal of [a particular] search listing, you will have to contact the specific search engine's support team." (Facebook Help Center, Appearing in Search Engine Results/I'm showing up in the results of other search engines even though I've chosen not to < https://www.facebook.com/help/392235220834308/?helpref=hc_fnav> [as of May 22, 2018].) And yet even if a user identifies each search engine that displays the communication and seeks expedited recognition of any reconfiguration or deletion, the providers indicate that the most that can be said is that any given search engine will "eventually index updated ... information" to reflect any reconfiguration protection or post deletion. (Twitter Help Center, Why are my Tweets appearing on Google after deleting or protecting them?/How and when to send Google a request to remove information < https://support.twitter.com/articles/15349#> [as of May 22, 2018].) Indeed, Instagram observes that there is no such thing as immediate reconfiguration or deletion of a public communication that has become available on a search engine; instead, "[i]t may take some time for these [other third party search engine] sites and Google to re-index and remove" a given communication "even if you delete your account." (Instagram Help Center, Controlling Your Visibility/Instagram Privacy on the Web/How can I remove my images from Google search < https://help.instagram.com/116024195217477> [as of May 22, 2018].)
In a related vein, providers observe that they stand in jeopardy of incurring civil liability under section 2707 of the Act if they knowingly or intentionally violate the SCA. But that section by its terms contemplates liability only for a provider that violates the Act "with a knowing or intentional state of mind." ( Id ., subd. (a).) Moreover, the statute provides a safe harbor for a provider who, in "good faith," relies on "a court ... order." ( Id ., subd. (e)(1).)
The trial court on remand might also consider two additional and somewhat related legal issues that have been only generally alluded to in the briefing to date in this case, but which are highlighted in our January 17, 2018 order granting review in the related matter of
Facebook, Inc., v. Superior Court
(
Touchstone
) (2017)
Finally, yet another matter, not discussed in the parties' briefs, may require consideration on remand. As alluded to
ante
, part I.F., after the trial court confirmed its production ruling, counsel for defendant Sullivan asked that providers be ordered to preserve all data at issue in this case. The court stated that it would not immediately issue an oral preservation order because it wanted the parties to first work out among themselves language addressing the providers' preservation obligations, and stated: "You will have to draft something and submit it, and see if you can reach an agreement. And if you get competing orders, we will have to have another hearing about that." The record before us, however, contains no preservation order; no mention of such an order appears in the briefs; and the superior court docket for each case, as to which we have taken judicial notice, reflects no such order. (See, e.g.,
Williams v. Russ
(2008)