Facebook’s Third-Party Doctrine

Yesterday the New York Times reported that, despite assurances to the contrary, Facebook has for years given other tech giants access to our individual Facebook activity and, more concerning, our friends’ identities and activities. Maybe I just have the Fourth Amendment on the brain since I wrote about it on Monday. But although Facebook is a private company not constrained by constitutional limits, these latest revelations seem like more proof that the Fourth Amendment’s third-party doctrine gets fundamental norms of privacy wrong.

For non-lawyers: The third-party doctrine says that once you’ve shared something with another person – even your bank or your telephone company – the default assumption is that you don’t have a reasonable expectation that what you shared will remain private. If you’ve voluntarily shared info with someone whose choices you can’t control, the reasoning goes, the government could just seek the info from that person without your involvement. Their choice to cooperate can’t be a violation of your constitutional rights. If you made it possible for the government to obtain the info through others, you can’t have a reasonable expectation that it’s private.

There are obvious problems with this logic, but the one that most sticks out to me is the casual assumption that no one can be reasonably expected to respect confidentiality, or even discretion. We confide in trusted acquaintances all the time, sometimes expressly in confidence but sometimes just on faith that the acquaintance knows that gossip and indiscretion are bad manners. It just isn’t consistent with how our social communities work to insist that if one person knows, then anyone might as well know. In that vein, I wrote on Monday that just because I put my trash out to the curb or leave the curtains at my home open doesn’t mean I’m ok with people rifling through my garbage bags or peering into my windows. This is not a new idea.

It appears that Facebook understood the basic concept of limited or nuanced sharing as well. Following Federal Trade Commission scrutiny of potentially deceptive trade practices, the company purportedly increased its transparency and user control as to third-party app access. But the latest NYT report says that Facebook also contrived a work-around theory to justify allowing other companies to access data about its users’ posts, contacts, and private messages:

With most of the partnerships, [Facebook’s privacy director] said, [the company’s agreement with the FTC] did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends. The partners were prohibited from using the personal information for other purposes, he said. “Facebook’s partners don’t get to ignore people’s privacy settings.”

Data privacy experts disputed Facebook’s assertion that most partnerships were exempted from the regulatory requirements, expressing skepticism that businesses as varied as device makers, retailers and search companies would be viewed alike by the agency. “The only common theme is that they are partnerships that would benefit the company in terms of development or growth into an area that they otherwise could not get access to,” said Ashkan Soltani, former chief technologist at the FTC.

[Boldface added.]

Admittedly, this theory can work in select situations. For example, if I share information with married friends, I do so in the knowledge that they may then share it with their spouses because of the special – and formalized – status of marriage. The same rule of etiquette could possibly apply if I know my confidant has an unusually close friend.

But it’s not the norm. The same expectation doesn’t apply to other relationships, especially if the confiding party isn’t aware of the relationship or the nature of it. The NYT’s sources at the FTC seem to think Facebook’s unilateral reframing of its third-party relationships was illegally deceptive, and people generally seem pretty mad about it:

Yet it took the U.S. Supreme Court until just this past summer, in Carpenter v. United States, to recognize just a limited exception for the third-party doctrine for only our location data passively shared with cell phone companies. So why is the third-party doctrine still generally accepted, even post-Carpenter, if we generally object to its fundamental premise? The answer, I think, is because it’s easy to make things so black and white, and as professor Orin Kerr explains, no one has really developed a persuasive alternative theory outside the context of cell phone tracking. Maybe that will change soon.

Categories: News


%d bloggers like this: