Can Employers Legally Ask You for Your Facebook Password When You Apply for a Job? Why Congress and the States Should Prohibit This Practice

Posted in: Technology Law

Have you ever gone to a job interview and had a prospective employer ask to see letters you’ve written to friends or family members, or your family photo albums?  Have prospective employers asked for the key to your apartment so that they can snoop around? The answer to these questions should, of course, be “No.”  Yet, as the Associated Press reported last week, employers—both public and private—are increasingly asking job applicants to do the equivalent, by turning over their Facebook user IDs and passwords as part of the interview process.

This development should be alarming to job seekers—as it seems quite intrusive for someone who has not even hired you to be able to quickly see your friends and family, learn about your religious and political affiliations, find out about any support group meetings you attend, and access other intimate information about your life.

While Facebook is not completely private, it has felt sufficiently private to encourage users to post personal details—details that they assumed would not be used for job decisions.  After all, Facebook has allowed us to decide who our “friends” will be for Facebook purposes, thus putting us in the role of gatekeeper.  Now, with would-be employers asking for passwords, that gatekeeper role appears to have been somewhat illusory.  Moreover, with Facebook’s new Timeline feature, employers who review would-be employees’ Facebook accounts will have access to information from their remote pasts, as well as from the present.

In response to this new employer practice, two U.S. Senators have asked the Justice Department and the federal Equal Employment Opportunity Commission (EEOC) to investigate whether such practices violate federal law.  Moreover, some state legislators are introducing bills focused on doing the same with respect to state law.

In this column, I will discuss these efforts to prohibit employers from accessing Facebook pages as part of the interview and selection process.  I will also outline and analyze some of the possible reasons why that practice may be illegal under existing state law.  Ultimately, I conclude that legislative action in this area would be wise—and I note that Facebook itself appears to welcome such action.

The Problem of Employers’ Asking for Facebook Passwords Has Sparked Congressional Concern

Senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT) are calling on the Department of Justice and the EEOC to launch investigations into whether the practice of asking for Facebook passwords during job interviews violates federal law.  It appears that the answer to this question may vary depending on whether the entity asking for the passwords is the government, or a private business.  With the law currently murky, the Senators aim to fill in any gaps, in order to better protect employee privacy.

In a statement, Senator Schumer justified his investigation as follows:  “In an age where more and more of our personal information—and our private social interactions—are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public and protect personal information from their would-be employers. This is especially important during the job-seeking process, when all the power is on one side of the fence.”

Is Asking for Facebook Passwords Currently Illegal?

Does the practice of asking for Facebook passwords already violate federal law?  The answer is unclear—and may depend on whether the practice of asking for the passwords is, or is not, deemed to be analogous to currently-permitted employer practices, such as running background checks on potential employees and using private investigative (PI) firms and data brokers.

One could argue that the analogy breaks down because such information is compiled based on publicly available information that is obtained through legwork (in the case of PI firms), or by accessing public records or commercial databases (in the case of background checks).  Here, however, an employer is compelling individuals to disclose the key to their own personal communications.

Will Employers’ Asking for Facebook Passwords Facilitate Illegal Discrimination?

A Facebook executive has cautioned that if an employer discovers on Facebook that a job applicant is a member of a protected group for anti-discrimination purposes, the employer might be vulnerable to claims of discrimination if it doesn’t ultimately hire that person.

Facebook pages often reveal race, religion, ethnic background, sexual orientation, marital status, and age.  Yet federal law prohibits employers from discriminating based on gender, race, and religion; and state and local laws protect employees from discrimination based on sexual orientation, political affiliation, and even, in some cases, appearance.

It would be impossible for all job applicants to sanitize their Facebook pages in a way that would make them employer-proof in terms of potential discrimination, and unfair to ask them to do so.  Thus, limits must be placed on employers. Under current law, employers are prohibited from asking certain questions in an interview.  They should also be prohibited from using Facebook as an end run around those prohibitions.

When Employers Ask for Facebook Passwords, Are They Violating Federal Statutes Relating to Unauthorized Access of Computer Information?

Employers who use a would-be employee’s user ID to log onto Facebook may not only be courting a discrimination suit, but also violating federal statutes relating to unauthorized access to computers and electronically-stored information.

Senators Schumer and Blumenthal are determining whether this practice violates the Stored Communications Act (SCA), or the Computer Fraud and Abuse Act (CFAA). Those two acts, respectively, prohibit intentional access to electronic information without authorization, and prohibit intentional access to a computer, without authorization, to obtain information.

While it may appear that a job seeker is “voluntarily” giving over his or her password as part of his or her candidacy, the senators wonder whether “requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both SCA and the CFAA.”

As the senators point out, two courts have previously found that when supervisors request employee login credentials, and use them to access otherwise private information, they may be subject to civil liability under the SCA. Two key cases are Pietrylo v. Hillstone Restaurant Group, a 2009 case from the District of New Jersey; and Konop v. Hawaiian Airlines, Inc., a 2002 case from the U.S. Court of Appeals for the Ninth Circuit.

In Pietrylo, the more recent case, two employees created a MySpace page for the purpose of airing grievances against their employer in a more secure environment that was password-protected, and invited other employees—but not managers—to join.  Two managers learned of the site and requested a password from an employee.  Eventually, the employee gave them her login information. The managers logged on to the site on several occasions and then fired the website’s creators for violating the restaurant’s policies and hurting employee morale.

The central issue at trial was whether the employee was coerced into giving the managers her log-in ID and password information to permit them to enter the site.  In light of the employee’s testimony, the court found that the jury had reasonably concluded that the managers had not been authorized to enter the site, and thus refused to overturn the verdict.

Although these cases involved current employees, the courts’ reasoning does not clearly distinguish between employees and applicants.  Given Facebook’s Terms of Service (ToS) and the civil case law, the Department of Justice has been asked to issue a legal opinion about prospective employees, as well.  Since prospective employees, by definition, do not have an established work relationship with the employer and have not used company computers to make postings, it would seem that the argument that requiring them to give over their Facebook passwords is a violation of the SCA would be even stronger.

State Governments, Too, Are Taking Action to Bar Employers From Asking for Social Media Passwords

Meanwhile, Maryland and Illinois are considering bills that would bar public agencies from asking for social media passwords.

And similarly, in California, Democratic Sen. Leland Yee introduced a bill that would prohibit employers from asking current employees or job applicants for their social-media user names or passwords. The California bill also would stop employers from requiring that they must have access to employees’ and applicants’ social-media content, in order to bar employers from requesting printouts of that content.

In Massachusetts, state Democratic Rep. Cheryl Coakley-Rivera also filed a similar bill last Friday.  Her bill would expand the prohibitions on what employers can ask applicants to provide, to include personal email.

All of these efforts are commendable, and it’s good to see that legislators are taking applicant and employee privacy seriously.

Facebook’s Response:  Perhaps Surprisingly, It Sides With the Legislators

At times, Facebook has been at odds with state and federal regulators over various privacy issues.  In this case, however, Facebook appears to see eye-to-eye with legislators.

Thus, last Friday, Facebook warned employers not to ask job applicants for their Facebook passwords in order to poke around on their profiles.  Indeed, Facebook threatened legal action against applications that violate its longstanding policy against sharing passwords.

In a blog post, Erin Egan, Facebook’s Director of Privacy, said that the practice “undermines the privacy expectations and the security” of the user and his Facebook friends. Egan said that Facebook users should never have to share their passwords with anyone else.  Not sharing passwords is a basic tenet of online conduct. Aside from privacy concerns, Facebook also considers the practice a security risk.  Once you have given out your password, how can you ensure that the person who views your page does not use it to commit identity theft or to impersonate you?

Given Facebook’s response and its ToS, it would seem that a consensus is developing among lawmakers and the key social media company that it is not okay for employers to sneak a peek at our Facebook pages.

That stance is also consistent with the White House’s recently-issued Consumer Privacy Bill of Rights—which I wrote about in a recent column regarding Target’s use of consumer information.  The Consumer Privacy Bill of Rights speaks of respect for context as being part of any set of rights a consumer has when companies retain the consumer’s data and other information.  And in the context of Facebook, consumers certainly did not expect that disclosing their Facebook posts would become a routine part of their job applications.

Employers Will Still Look at Your Public Facebook Profile if They Can’t Access Your Private Postings

As of now—when the legality of an employer’s asking for an applicant’s Facebook password is still in flux—it would be prudent for Facebook users to review their walls and Timelines and delete any information they think might be prejudicial in an employment setting.

And even if the law changes, we all will still face risks with respect to frequent use of social media.  A survey released by Microsoft Research in 2010 noted that 70 percent of employment recruiters admitted that they had ruled out job applicants based on information they found online.  If you haven’t checked your Facebook privacy settings lately, now might be a good time to do so, if you are looking for a job.  Employers also turn to a company known as Social Intelligence Corporation (SocialIntel) to do a “credit check” of your social-media activity.  Put simply, the company combs through your publicly-available Facebook and Twitter postings and other online activity, collecting information for use by potential employers.

SocialIntel is subject to the federal Fair Credit Reporting Act, but as a result, it can keep an archive of your social-media activities for seven years.  The information stored is to be used explicitly for background checks but will be captured/archived even if you have deleted it from your accounts.  And the company also boasts that it screens information to ensure that it does not violate federal laws, including anti-discrimination laws.

So scrub your Facebook page; be careful as to what you Tweet; and if necessary, hire a company that helps you to repair your online reputation and locates negative information about you that exists in cyberspace.
