Court Determines if Data Sought Was (or Was Not) Protected by Law

Facebook User fakespeare999 A/K/A hurtfulsloth (defendant in this action) moved the Court for an order quashing the non-party subpoena duces tecum issued by Jane Doe (plaintiff in this suit) seeking all documents, including IP addresses and login information, concerning User’s Facebook accounts, on the grounds that the subpoena was facially defective and improper under the Stored Communications Act and that service upon User was improper.

User claimed the subpoena sought disclosure of information that was prohibited by the SCA and was overly broad in its reach of “all documents.” User further claimed he was not directly served regarding the disclosure of his information. Instead, the subpoena was served upon Facebook, rendering service improper due to lack of notice.

Doe claimed the subpoena was validly served upon Facebook rather than User, since Facebook had special knowledge of and control over the pertinent information sought, including but not limited to the accounts’ IP addresses, login information, and other basic subscriber information. Through Facebook’s actions, in accordance with their own policy of notifying users prior to turning over such information, Facebook had given notice to User who was thus fully informed of the circumstances and reasons for Doe’s requesting such disclosure.

A party opposing the disclosure sought by a subpoena must, “[w]ithin twenty days of service of a notice or subpoena duces tecum… serve a response which shall state with reasonable particularity the reasons for each objection.”

This action was commenced on December 1, 2020, followed by the subpoena, dated December 10, 2020. User’s motion to quash was filed on February 23, 2021, and therefore was more than twenty days after the date of service. Even if the Court took into account the date which User first became aware of the subpoena through Facebook’s actions, February 2, 2021, the motion was still filed more than twenty days later. User’s motion to quash was denied as it was not filed in a timely manner.

The attorneys appearing for User alleged that they had not been served personally nor otherwise with the summons with notice, or any other pleading filed in the matter to date.

User moved, in the alternative, for a protective order limiting the scope of the materials to be disclosed and setting forth a protocol for the maintenance of confidential information and materials, claiming the material sought in the subpoena was overly broad and in violation of the SCA.

Doe opposed User’s motion, arguing that the IP addresses and login information for User’s accounts were material and necessary to the discovery of evidence regarding the alleged sharing of Doe’s intimate images online, and argued that the information sought was non-content information and did not violate the SCA.

The SCA prohibits an electronic service provider from knowingly divulging to any person or entity the contents of a communication while in electronic storage by that service. Yet there is a distinction between content and non-content information. Content information includes content that, “when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.” In contrast, logs of account usage, mailer header information (minus the subject line), lists of outgoing e-mail addresses sent from an account, and basic subscriber information are all considered to be non-content information. IP addresses and login information are non-content information as they do not concern the substance or meaning of any communication, but rather they contain specific logs of account usage and other specific subscriber information.

Doe sought non-content information relating to the accounts allegedly owned by User, specifically IP address data, login information, and other basic subscriber information for those accounts. Doe did not express any desire for the disclosure or discovery of messages, posts, or other stored content information connected to such accounts that was protected by the SCA. Caution nevertheless must be exercised so no information was exchanged that may violate User’s privacy rights under the SCA.

The Civil Practice Law and Rules provides that a “court may on motion of any party or of any person from whom or about whom discovery is sought, make a protective order denying, limiting, conditioning or regulating the use of any disclosure device to prevent unreasonable annoyance, expense, embarrassment, disadvantage, or other prejudice to any person or the courts.”

The individual or entity who seeks a protective order bears the initial burden to show either that the discovery sought is irrelevant or that it is obvious the process will not lead to legitimate discovery. So, User was required to demonstrate that adhering to the disclosure demanded in the subpoena would have such result or cause unreasonable cost or prejudice. Only then would the burden shift to Doe to demonstrate that the information sought was material and necessary. Otherwise, so long as the disclosure sought was relevant to the prosecution or defense of an action, it must be provided by the nonparty.

The Court found that User did not meet his burden and was not entitled to a protective order to deny or otherwise limit disclosure. User did not provide the Court with sufficient proof that the disclosure sought by the subpoena was irrelevant to the cause of action, nor was it obvious that no legitimate information would be discovered, or that the information sought would unreasonably prejudice him.

The information requested in the subpoena would not reveal any of User’s personal information, images, or posts, and was limited to only non-content account data and basic subscriber information. Because User did not meet his burden as movant, the burden did not shift to Doe. User’s motion for a protective order limiting the scope of disclosure sought in the subpoena was denied.