by Daniel J. Solove
In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.
I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.
But Bradley Shear, an attorney who has focused extensively on the issue, opened my eyes to the fact that the practice is much more prevalent than I had imagined, and it is an issue that has very important implications as we move more of our personal data to the Cloud.
The Widespread Hunger for Access
Employers are not the only ones demanding social media passwords – schools are doing so too, especially athletic departments in higher education, many of which engage in extensive monitoring of the online activities of student athletes. Some require students to turn over passwords, install special software and apps, or friend coaches on Facebook and other sites. According to an article in USA Today: “As a condition of participating in sports, the schools require athletes to agree to monitoring software being placed on their social media accounts. This software emails alerts to coaches whenever athletes use a word that could embarrass the student, the university or tarnish their images on services such as Twitter, Facebook, YouTube and MySpace.”
Not only are colleges and universities engaging in the practice, but K-12 schools are doing so as well. A MSNBC article discusses the case of a parent’s outrage over school officials demanding access to a 13-year old girl’s Facebook account. According to the mother, “The whole family is exposed in this. . . . Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there’s these anonymous people reading through this information.”
In addition to private sector employers and schools, public sector employers such as state government agencies are demanding access to online accounts. According to another MSNBC article: “In Maryland, job seekers applying to the state’s Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through posts, friends, photos and anything else that might be found behind the privacy wall.”
For public schools or public-sector employers, demanding such access will likely violate First and Fourth Amendment rights. In one case, a public middle school demanded that a student provide her Facebook login credentials so school officials could view her account. In 2012, a federal district court held that such a practice (based on the facts presented at an early stage in the case) would violate the First and Fourth Amendment. See R.S. ex rel. S.S. v. Minnewaska Area District (Sept. 6, 2012).
Moreover, in certain cases, the practice of demanding access to online data could potentially violate the federal Computer Fraud and Abuse Act (CFAA), which essentially makes it a federal crime to engage in unauthorized access to any computer connected to the Internet or to any website. The CFAA applies not just to public schools and employers but to private ones as well.
Access and the Cloud: The Enormous Potential Consequences
Although most of the current focus on the issue has been on social media account passwords, the issue has far broader implications. Increasingly, people are storing extensive amounts of their data in the Cloud. Employers, schools, and government agencies could demand access to cloud service accounts where people store their entire repository of documents.
For example, Cloud service providers like DropBox and Box are used by many people to backup their entire lifetime’s worth of data – letters, writings, documents, diaries, medical records, photos, music, videos, and more. For employers, schools, and government agencies, why stop at social media when trying to pry into the personal lives of students and employees? Why not examine all the extensive repositories of data people have in the Cloud?
With the rise of the Cloud, demands for account access can turn into the functional equivalent to a demand to see an enormous amount of data about people’s private lives. This is a privacy invasion that could score an 11 on a 10-point scale!
In response to the media attention to the issue, states have engaged in a barrage of legislative activity over the past two years. More than 10 states now have laws, and legislation is pending in about 35 other states. You can follow the activity at the National Conference of State Legislatures. There are three key ways in which these laws differ:
1. In many states, the law covers both employers and schools. But in some, the law only covers employers.
2. Most states that have laws covering schools only cover higher education and do not cover K-12 schools. Michigan is one of the few exceptions which covers both higher education and K-12.
3. In a number of states, the law covers only social media sites. For example, the law in New Mexico applies to an online service where individuals “construct a public or semi-public profile” and “create a list of other users with whom they share a connection within the system.” Other states focus on all personal online accounts or are ambiguous about what types of accounts are covered. For example, Utah’s law applies to any “personal Internet account” which means “any online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.”
Given the implications, the laws should cover both employers and schools, both higher education and K-12 schools, and should extend to all accounts, not just social media accounts. This latter issue of scope is a very important one for the future of the Cloud. The privacy implications of data in cloud computing are significant, as social media really is just a subset of the Cloud.
As Brad Shear points out, once employers and school officials become fully versed in the laws on this issue and the potential legal liability, they might change their behavior.
The problem is that right now, many employers and school officials do not seem to be fully aware. Access to personal online accounts is an issue that is surprisingly quite deep and widespread. Legislatures are responding, but the danger is that they focus too narrowly and fail to see the larger scope and implications of the issue.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter