Legal Analysis and Commentary from Justia
Posted In Technology Law

Can Employers Legally Ask You for Your Facebook Password When You Apply for a Job? Why Congress and the States Should Prohibit This Practice

Have you ever gone to a job interview and had a prospective employer ask to see letters you’ve written to friends or family members, or your family photo albums?  Have prospective employers asked for the key to your apartment so that they can snoop around? The answer to these questions should, of course, be “No.”  Yet, as the Associated Press reported last week, employers—both public and private—are increasingly asking job applicants to do the equivalent, by turning over their Facebook user IDs and passwords as part of the interview process.

This development should be alarming to job seekers—as it seems quite intrusive for someone who has not even hired you to be able to quickly see your friends and family, learn about your religious and political affiliations, find out about any support group meetings you attend, and access other intimate information about your life.

While Facebook is not completely private, it has felt sufficiently private to encourage users to post personal details—details that they assumed would not be used for job decisions.  After all, Facebook has allowed us to decide who our “friends” will be for Facebook purposes, thus putting us in the role of gatekeeper.  Now, with would-be employers asking for passwords, that gatekeeper role appears to have been somewhat illusory.  Moreover, with Facebook’s new Timeline feature, employers who review would-be employees’ Facebook accounts will have access to information from their remote pasts, as well as from the present.

In response to this new employer practice, two U.S. Senators have asked the Justice Department and the federal Equal Employment Opportunity Commission (EEOC) to investigate whether such practices violate federal law.  Moreover, some state legislators are introducing bills focused on doing the same with respect to state law.

In this column, I will discuss these efforts to prohibit employers from accessing Facebook pages as part of the interview and selection process.  I will also outline and analyze some of the possible reasons why that practice may be illegal under existing state law.  Ultimately, I conclude that legislative action in this area would be wise—and I note that Facebook itself appears to welcome such action.

The Problem of Employers’ Asking for Facebook Passwords Has Sparked Congressional Concern

Senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT) are calling on the Department of Justice and the EEOC to launch investigations into whether the practice of asking for Facebook passwords during job interviews violates federal law.  It appears that the answer to this question may vary depending on whether the entity asking for the passwords is the government, or a private business.  With the law currently murky, the Senators aim to fill in any gaps, in order to better protect employee privacy.

In a statement, Senator Schumer justified his investigation as follows:  “In an age where more and more of our personal information—and our private social interactions—are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public and protect personal information from their would-be employers. This is especially important during the job-seeking process, when all the power is on one side of the fence.”

Is Asking for Facebook Passwords Currently Illegal?

Does the practice of asking for Facebook passwords already violate federal law?  The answer is unclear—and may depend on whether the practice of asking for the passwords is, or is not, deemed to be analogous to currently-permitted employer practices, such as running background checks on potential employees and using private investigative (PI) firms and data brokers.

One could argue that the analogy breaks down because such information is compiled based on publicly available information that is obtained through legwork (in the case of PI firms), or by accessing public records or commercial databases (in the case of background checks).  Here, however, an employer is compelling individuals to disclose the key to their own personal communications.

Will Employers’ Asking for Facebook Passwords Facilitate Illegal Discrimination?

A Facebook executive has cautioned that if an employer discovers on Facebook that a job applicant is a member of a protected group for anti-discrimination purposes, the employer might be vulnerable to claims of discrimination if it doesn’t ultimately hire that person.

Facebook pages often reveal race, religion, ethnic background, sexual orientation, marital status, and age.  Yet federal law prohibits employers from discriminating based on gender, race, and religion; and state and local laws protect employees from discrimination based on sexual orientation, political affiliation, and even, in some cases, appearance.

It would be impossible for all job applicants to sanitize their Facebook pages in a way that would make them employer-proof in terms of potential discrimination, and unfair to ask them to do so.  Thus, limits must be placed on employers. Under current law, employers are prohibited from asking certain questions in an interview.  They should also be prohibited from using Facebook as an end run around those prohibitions.

When Employers Ask for Facebook Passwords, Are They Violating Federal Statutes Relating to Unauthorized Access of Computer Information?

Employers who use a would-be employee’s user ID to log onto Facebook may not only be courting a discrimination suit, but also violating federal statutes relating to unauthorized access to computers and electronically-stored information

Senators Schumer and Blumenthal are determining whether this practice violates the Stored Communications Act (SCA), or the Computer Fraud and Abuse Act (CFAA). Those two acts, respectively, prohibit intentional access to electronic information without authorization, and prohibit intentional access to a computer, without authorization, to obtain information.

While it may appear that a job seeker is “voluntarily” giving over his or her password as part of his or her candidacy, the senators wonder whether “requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both SCA and the CFAA.”

As the senators point out, two courts have previously found that when supervisors request employee login credentials, and use them to access otherwise private information, they may be subject to civil liability under the SCA. Two key cases are Pietrylo v. Hillstone Restaurant Group, a 2009 case from the District of New Jersey; and Konop v. Hawaiian Airlines, Inc., a 2002 case from the U.S. Court of Appeals for the Ninth Circuit.

In Pietrylo, the more recent case, two employees created a MySpace page for the purpose of airing grievances against their employer in a more secure environment that was password-protected, and invited other employees—but not managers—to join.  Two managers learned of the site and requested a password from an employee.  Eventually, the employee gave them her login information. The managers logged on to the site on several occasions and then fired the website’s creators for violating the restaurant’s policies and hurting employee morale.

The central issue at trial was whether the employee was coerced into giving the managers her log-in ID and password information to permit them to enter the site.  In light of the employee’s testimony, the court found that the jury had reasonably concluded that the managers had not been authorized to enter the site, and thus refused to overturn the verdict.

Although these cases involved current employees, the courts’ reasoning does not clearly distinguish between employees and applicants.  Given Facebook’s Terms of Service (ToS) and the civil case law, the Department of Justice has been asked to issue a legal opinion about prospective employees, as well.  Since prospective employees, by definition, do not have an established work relationship with the employer and have not used company computers to make postings, it would seem that the argument that requiring them to give over their Facebook passwords is a violation of the SCA would be even stronger.

State Governments, Too, Are Taking Action to Bar Employers From Asking for Social Media Passwords

Meanwhile, Maryland and Illinois are considering bills that would bar public agencies for asking for social media passwords.

And similarly, in California, Democratic Sen. Leland Yee introduced a bill that would prohibit employers from asking current employees or job applicants for their social-media user names or passwords. The California bill also would stop employers from requiring that they must have access to employees’ and applicants’ social-media content, in order to bar employers from requesting printouts of that content.

In Massachusetts, state Democratic Rep. Cheryl Coakly-Rivera also filed a similar bill last Friday.  Her bill would expand the prohibitions on what employers can ask applicants to provide, to include personal email.

All of these efforts are commendable, and it’s good to see that legislators are taking applicant and employee privacy seriously.

Facebook’s Response:  Perhaps Surprisingly, It Sides With the Legislators

At times, Facebook has been at odds with state and federal regulators over various privacy issues.  In this case, however, Facebook appears to see eye-to-eye with legislators.

Thus, last Friday, Facebook warned employers not to ask job applicants for their Facebook passwords in order to poke around on their profiles.  Indeed, Facebook threatened legal action against applications that violate its longstanding policy against sharing passwords.

In a blog post, Erin Egan, Facebook’s Director of Privacy, said that the practice “undermines the privacy expectations and the security” of the user and his Facebook friends. Egan said that Facebook users should never have to share their passwords with anyone else.  Not sharing passwords is a basic tenet of online conduct. Aside from privacy concerns, Facebook also considers the practice a security risk.  Once you have given out your password, how can you ensure that the person who views your page does not use it to commit identity theft or to impersonate you?

Given Facebook’s response and its ToS, it would seem that a consensus is developing among lawmakers and the key social media company that it is not okay for employers to sneak a peek at our Facebook pages.

That stance is also consistent with the White House’s recently-issued Consumer Privacy Bill of Rights—which I wrote about in a recent column regarding Target’s use of consumer information.  The Consumer Privacy Bill of Rights speaks of respect for context as being part of any set of rights a consumer has when companies retain the consumer’s data and other information.  And in the context of Facebook, consumers certainly did not expect that disclosing their Facebook posts would become a routine part of their job applications.

Employers Will Still Look at Your Public Facebook Profile if They Can’t Access Your Private Postings

As of now—when the legality of an employer’s asking for an applicant’s Facebook password is still in flux—it would be prudent for Facebook users to review their walls and Timelines and delete any information they think might be prejudicial in an employment setting.

And even if the law changes, we all will still face risks with respect to frequent use of social media.  A survey released by Microsoft Research in 2010 noted that 70 percent of employment recruiters admitted that they had ruled our job applicants based on information they found online.  If you haven’t checked your Facebook privacy settings lately, now might be a good time to do so, if you are looking for a job.  Employers also turn to a company known as Social Intelligence Corporation (SocialIntel) to do a “credit check” of your social-media activity.  Put simply, the company combs through your publicly-available Facebook and Twitter postings and other online activity, collecting information for use by potential employers.

SocialIntel is subject to the federal Fair Credit Reporting Act, but as a result, it can keep an archive of your social-media activities for seven years.  The information stored is to be used explicitly for background checks but will be captured/archived even if you have deleted it from your accounts.  And the company also boasts that it screens information to ensure that it does not violate federal laws, including anti-discrimination laws.

So scrub your Facebook page; be careful as to what you Tweet; and if necessary, hire a company that helps you to repair your online reputation and locates negative information about you that exists in cyberspace.

Anita RamasastryAnita Ramasastry is the UW Law Foundation Professor of Law at the University of Washington School of Law in Seattle, where she also directs the graduate program on Sustainable International Development. She is also a member of the Law, Technology and Arts Group at at the Law School. Ramasastry writes on law and technology, consumer and commercial law, and international law and globalization.
Posted In Technology Law
Print this page
  • Damask Rose

    Anyone “surprised” by Facebook siding with
    legislators on this issue is blind. 
    Facebook sides with Facebook’s interests.  When those interests are letting Facebook use
    ‘private’ information however Facebook wants, Facebook opposes privacy.  When letting other entities do the same thing
    will have a chilling effect on users posting, and ad viewing, Facebook is all
    for ‘privacy.’  It is not surprising at
    all.  Find the side that is best for
    Facebook’s bottom line, and that’s the side you’ll find Facebook on. 

    • Googover9000

       You’ve read that wrong, it says they sided with the legislators, the two that are trying to ban this practice.  Facebook is even looking to sue employers who do this due to it breaking their terms of service and policy on unauthorized account access.

  • Pingback: Can Employers Ask for Your Facebook Password? | Wage Against The Machine

  • http://www.segalroitman.com/ James A.W. Shaw

    It seems to me that this practice likely violates the Nat’l Labor Relations Act, at least insofar as the practice applies to employees as defined in the Act (as compared to supervisors or managers). An employer violates section 8(a)(1) of the NLRA when it conducts surveillance of employees’ activities, which is basically the result of the password requirement. Many states (such as Massachusetts) have similar protections for public-sector employees.

    • Anonymous

       It has, apparently, been stated by the NLRA Board that surveillance described in the NLRA only applies to the extent that it prohibits concerted action and organization on the part of an employee, not beyond that, so in this case it is not a violation. :/

  • cyn

    if employers when,  what’s next your personal mail.  good bye freedom of speech

  • Pingback: Employers Cross Line by Asking for Facebook Usernames and Passwords « Fair Employment Legal Update

  • Pingback: What To Do When A Prospective Employer Request Your Facebook Login Info? | morgantowninjurylawyer

  • Pingback: ‘Job creep’ | Career Services Blog

  • Anonymous

    Facebook sided with the legislators because if they don’t then anyone who is looking for a career will delete facebook due to their employer’s looking at it. If this happens facebook will lose an exponential amount of their user base which is something they need to happen.

  • Jane Jimmy

    I’m Human Resources Manager, under the employment section in
    Saputo Dairy world Foods Company here in Canada Branch, We are pleased to
    announce to general public We need more workers from all parts of the world to join
    Saputo Dairy Farms world Foods Company
    for further productive, Industrious
    and development measure, Saputo Dairy world Foods Company is looking to
    hire part time staff, Full Time Staff, Contract Staff, professional.Job entails
    Food and Beverage, Coffee, Chocolate, confectionery.

    If you are interested we hereby encouraged you to send your
    Update Curriculum Vitae to our Human Resources Coordinator Officer via Email as
    soon as possible, our email contact saputodairyfarms.info@worker.com

  • http://www.facebook.com/eddiepatin Eddie Patin

    Are you freaking kidding me? Just don’t … volunteer … that … information.
    Go apply somewhere else.

  • Pingback: Facebook Got Me Fired | lisa hope

  • Pingback: Laura Markowski | Super cookies Scare Me

  • Pingback: Module 1 Exercise – Topic 3: Surveillance | ALC201

  • Pingback: Big Data, Data security, privacy and ethical issues of collecting data online. | Michelle DeGirolmo

  • Pingback: Big Data: Security, Privacy and Ethics | KimGoughnour

  • Pingback: Big Data | Patrick's Research Methods Blog

  • Pingback: Facebook Password? No, sorry – I’ll disable it… | Casey's Research Blog

  • Thresh

    4th Amendment of the U.S Constitution. It needs to be enforced in this case.
    Businesses don’t adhere by what is lawfully right, if they feel they can get away without getting caught [Which is nothing new by the way, businesses have been doing the bare minimum for years, and only changing their ways when they get caught and called out for their wrongdoing]. I am not saying all businesses do unlawful actions, I am speaking of the businesses that do. Unless someone stands up for their rights, businesses will continue to walk over you just to see how much they can get away with and make YOU their bitch. Yes it will be difficult, and you may suffer a bit from defying the businesses of what they want, such as not getting hired. The problem is they think they’ll just find another sap that will blindly agree to do whatever they want, and also taking advantage of the current economical state. It’s a “You need us more than we need you, so you’re going to do what we want if you want a job”. I understand rules with reason, but companies who ask for facebook information is a direct example of invading your PRIVACY.

    Retort, say things like “Oh you put it on the internet, therefor it is public”. Do me a favor and go onto my facebook page. See any information? I repeat, do you see any information? No, you don’t. Do you know why? It is my decision to MAKE MY INFORMATION PRIVATE to the public and the only people who may see it are those I CHOOSE.

    It’s a very simple process, stand up for your rights as a group and educate yourselves. Do not let big businesses walk all over you and let them have control of what they want of you.

    That’s my piece.

 

Access this column at http://j.st/Zimj