Maryland Corrections Agency Demanding All Social Media Passwords Of Potential Hires

from the privacy? dept

You may recall back in 2009 that we wrote about how the city of Bozeman, Montana was requiring people who applied for jobs with the city to cough up all of their social networking usernames and passwords, so that city employees could log in and look around. Beyond being positively ridiculous, this seemed like a huge invasion of privacy. After an awful lot of public ridicule, the city (wisely) decided to drop the requirement, and claim the whole idea had been a “mistake.”

Apparently not everyone in local government was paying attention.

The ACLU is apparently taking on the case of a Maryland man who applied to be “re-certified” for a job with the Maryland Department of Corrections, after he had taken a brief leave. As a part of the interview process, he was required to hand over his Facebook password. Apparently, the Department of Corrections is now requiring all social media account info, including passwords, as a part of their “background check” process. In at least this case, the guy in question was told not to change his password for a few months — leading to all sorts of questions about what private info state officials might look into while logged into his account. The ACLU sent a letter (pdf) to the Maryland Corrections Dept. noting that it believed the policy was “a frightening and illegal invasion of privacy,” and a clear violation of the Stored Communications Act. The ACLU letter also demanded that the Maryland Department of Corrections rescind this policy.

It appears that Maryland’s response to all of this has been to totally ignore the letter. The ACLU waited three weeks, and after receiving no response at all, has gone public with the story. I would imagine that a lawsuit will soon follow.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Maryland Corrections Agency Demanding All Social Media Passwords Of Potential Hires”

Subscribe: RSS Leave a comment
Brendan (profile) says:

Setup fake/dummy account?

Sounds like it’s time to start having duplicate accounts. A real one that you actually use, and a dummy one that you don’t use, but is populated with enough boilerplate info so that it could be considered real.

Just name, a few photos and a few likes/connections/maybe even friends.

Turn over the credentials to the decoy account.

Now, I fully disagree with these types of policies. The real solution is for the employer to not ask for this info, but as long as they’re going to ask (and people need work), let’s do what we can to protect ourselves.

Christopher Gizzi (profile) says:

Drug Test?

Is revealing online passwords the next drug test? Taking drugs is illegal and testing for drug use is not. How is this different? How is scanning one’s Facebook stream not “testing” for illegal activity?

I’m not in favor of giving passwords out. I wouldn’t apply to a job that asked me to give that information out or told me not to change my password. But that’s my choice. And I could refuse a drug test for employment if I wanted to – and not be offered the job as a result.

I’m all in favor of the ACLU successfully challenging a rule that I think will only serve to reduce the number of qualified applicants available to the MD Correctional System. But how is this social media test any different than a drug test?

Anonymous Coward says:

Another frightening prospect...

…is what about those of us who really don’t have Facebook, Twitter, et al. accounts? Will we be perceived as being evasive, or even outright lying? After all “Oh, I don’t have a Facebook account” is something that could be said by anyone, regardless if they have an account or not.

Miff (profile) says:

Re: Another frightening prospect...

Since I don’t use my real name online, I was thinking about setting up a Facebook account in my real name, but not ever use it except to post the occasional really boring and pointless update such as “out of milk”, and never friend anyone.

Then when someone accuses me of just setting up the account for the interview, I point out thatI’ve had it for months.

Christopher Gizzi (profile) says:

Drug Test?

On the point about applied THEN asked… its no different than a drug test at any other place of employment. I applied to a job then was told to take a drug test. You don’t always know if a company has a drug testing policy before applying or not.

And again, I fail to see how this is different. If one’s Facebook stream shows you doing or taking something illegal, then how is this test isn’t the same as a drug test.

Perhaps its not as defensible in court as a drug test if you were to not get hired (or fired) but it could be construed as another test for illegal activity. And in a correctional facility, don’t you want that?

Anonymous Coward says:

Drug Test?

“But how is this social media test any different than a drug test?”
Where is the line? Require you to hand over your GPS so the can check if you were speeding or visiting shady neighborhoods, demand your medical records to see your health history looking for STDs other bad habits. Demand your banking and credit card history …. ?

We willingly give up our privacy in little bits, that become bytes, that non-linearly become kilo-mega-giga-tera-peta-yottabytes. I value my privacy not because I have something to hide, I value my privacy and as a citizen of the United States of America, I’m not willing to give these up for a job or for our government to eliminate risk for me.

Anonymous Coward says:

Another frightening prospect...

… I was wondering about this too. I have experienced the “OH … you don’t have a Facebook account? … Why??” accompanied by the suspicious looks.
At work “You are not on Linkdin?” with a quizzical look.

Why are you not part of the hive? There must be something wrong with you, what are you hiding?

V says:


Interesting how the government demanding a password is essentially asking you to violate the terms of service of any social networking site – which usually, if not always, requires that you not share your account information with anyone.

So what does that say about an applicant who complies…. that they can’t honor an agreement.

Yes… liars make great employees.

pixelpusher220 (profile) says:

Drug Test?

You could make a (quite weak IMO) argument that if you want to apply for a job you maybe should have to ‘friend’ the company so that they can view your private friend only feed.

There is no justification for given them your passwords.

If you were required to drive for a job, would you feel ok giving the company a copy of your car keys? They can just drop by and take your care whenever they might need to check out that it wasn’t illegally modified?

Anonymous Coward says:

At least a drug test, at least here in Texas, is a conditional offer of a position. If you get to the point where they ask you for one, they are not legally allowed to turn you down if you pass. I learned this from the HR rep for a local horrible retailer my wife was working for at the time. Asking for passwords however, should be considered criminal due to recent cases where violating the TOS of a social website were considered to be breaking the law.

Chosen Reject (profile) says:

Drug Test?

One difference is that when you take a drug test, they could contaminate your blood/urine with drugs and thus say you were unfit to be hired. However, that wouldn’t actually put drugs in you. On the other hand, if you give them your username and password, they could very easily do bad things to your accounts.

I’m not saying either scenario is likely.

Another difference is that your blood/urine aren’t going to the employer directly for them to run any tests willy-nilly, checking your genes for genetic disorders or what have you. It goes to a lab that (presumably) tests it only for drugs and then reports back to the employer with a yea or nay. Whereas giving passwords over to the employer allows them to check anything and everything.

As an example, let’s say an applicant used to do drugs, but hasn’t for many years. Their facebook profile and history may show that, but obviously their blood/urine will not.

Josh in CharlotteNC (profile) says:

Drug Test?

But how is this social media test any different than a drug test?

There are no laws against using social media.

Its also different in the same way that a physical search for drugs at Customs is significantly different than a Customs agent wanting to copy all the data off you laptop and smartphone to peruse at their leisure.

In fact, I’d say requiring full and ongoing access to your Facebook account is actually worse. It goes against freedom of speech, freedom of association, and is pretty clearly in violation of the Fourth Amendment. The chilling effect of knowing that both the government and your boss has access to what you say to your friends and family is severe.

Cloksin (profile) says:

Drug Test?


You can’t see how this is different from a drug test? How about you give up your bank account username and password, just to see if you’re making any illegal transactions. Then sit at home and wonder why you have no money left.

Let me explain it like this, you take illegal drugs, your judgement is impaired, you go to work while impaired, and you make some sort of mistake. Maybe it causes someone to get injured, or causes your employer to lose thousands of dollars. To try and prevent this they do a pre-employment drug screen. If you fail, you are not offered the job. What they are testing for is whether you have any illicit substances in your system.

To say that this drug test is the same as offering up your username and password for a social media site is the same as (given the technology actually existed) allowing your prospective employer to take over your body, telling you that you aren’t allowed to lock them out for a couple of months. While they are in your body they can walk through life impersonating you, doing things that you have no control over, for which you will feel the ramifications of further down the line.

If you really want to compare this to a pre-employment drug screen you have to realize that the drug screen only allows the tester to see the results of a given action, not have the power to alter that action. In the social media example this would equate to the tester being able to see the result of something you do on a given site, not having the power to do something in your name on that site. Giving up your credentials for the site would allow them to do just that. Pissing in a cup does not allow the tester to take the drugs for you.

btr1701 (profile) says:

If this policy is upheld, it seems to me if I was one of these employees, I’d just close down my Facebook account altogether, then restart it at some later date.

It also seems like this would be a violation of Facebook’s terms of service, which say you can’t login as anyone other than yourself and you can’t share your password with anyone. And since the federal government insisted in the Lori Drew case that violating a web site’s terms of service is equivalent to “computer hacking”, it seems like the State of Maryland may be soliciting a federal felony here, as well.

chris harrison (profile) says:

Drug Test?

The difference between this and a drug test is so obvious that it didn’t need to be stated, and could only be missed by someone missing it intentionally.

A drug test looks for ONLY the specified illegal behavior, that is, use of the drugs being tested for. You agree to take it with full informed consent – You know what they’re looking for, and you know whether or not you’ve engaged in the behavior being tested for (even if you think you can beat the test).

Giving a potential employer full access to your social media does not – it gives a potential employer carte blanche to go fishing through your whole life just because they want to, with no specified purpose or limits. You don’t know what they’re looking FOR, you don’t know what they’re looking AT, and you don’t know WHO is looking or who else they’re sharing your data with, how long they’re retaining it…

Christopher Gizzi (profile) says:

Drug Test?

Wow, that’s a yottabytes! (Sorry, couldn’t resist but you posted great, geeky reply. Not too many people know what a yottabyte is.)

But seriously…

Different industries do ask for more personal information to receive benefit or employment. The adult film industry (by law) tests for STDs and performers can’t work without a clear HIV test. Your car keys aren’t taken but your driver’s license is and your driving record IS checked. People with a history of smoking can be charged a premium for health care.

Our government doesn’t guarantee you a job that has no screening – especially in the private sector. What it does do is help protect a person from discrimination on the basis of things that are beyond their control and some personal choice – race, sex, sexual orientation, etc. You’re free to start your own business if you don’t like the practices and enforce your own hiring rules so long as they don’t discriminate.

But that said, I am in total favor of the ACLU winning this (if they take legal action) – I’m not happy with the slow erosion of our privacy either. But that’s happening because we as a society are asking for more and more Facebook, not because the Feds or private employers are asking for too much. As society becomes more open, it is reasonable to expect employers to ask for this information as part of a background check.

New Mexico Mark says:


It would be interesting to get a copy of the Maryland Correction Agency’s computer use policies. Any well-written policy should include a clause to the effect that employees are not allowed to divulge or share passwords.

If theirs has that policy, it would mean that anyone who was hired while meeting HR policies would then have to be immediately fired for violating IT policies.


Anonymous Coward says:

Done Deal

Ah .. but it is not a done deal.
First the stigma of not wearing your red arm band … Why don’t you have a Facebook account (See above)
And then AH … you used to wear your red arm band and now you took it off. What are you hiding? What is wrong with you?

As Mike always says … if it is on the internet, it is there forever.

jilocasin (profile) says:

Drug Test?

There is no law, unfortunately, that protects your right to keep private what you ingest into your own body. Hell it’s even illegal for you to ingest certain ‘controlled substances’.

There is a constitutional amendment, as well as an implied right to privacy, that protects your freedom to speak, be heard and associate freely.

Therefore, the government, can’t force you to relinquish your rights, and Maryland Correctional is a government agency, except in certain narrowly tailored instances.

It would be the same if they insisted that only practicing Southern Baptists could work for them.

The ACLU is right in this one, and the sooner and firmer that government agencies get the message the better it will be for all of us.

Benny6Toes (profile) says:

State of Maryland form letter to new parents...

Dear Mr and Mrs Smith,

Congratulations on the birth of your new baby! [[insert name of baby]] is a wonderful name. We’re sure your child will accomplish great things and provide you and your family with years of joy and love.

Now that your child has been born, the State of Maryland has created several social media and email accounts for their use over the course of your child’s life.

Until they are old enough to use these services themselves, we encourage you to create posts to share your child’s experiences with your friends and family.

Facebook, twitter, Hotmail, Yahoo!, and gmail account information is listed here:
Facebook: [[insert user id]]
twitter: [[insert user id]]
Hotmail: [[insert user id]]
Yahoo!: [[insert user id]]
gmail: [[insert user id]]

The current password for all 5 accounts is your baby’s name followed by their date of birth in the format MMDDYY. Please login to the accounts and change the passwords as soon as possible to protect your child’s identity.

Please keep in mind that any password changes are transmitted to FICO, Experian, Equifax, TransUnion, and the Maryland Departments of Revenue, Justice, and Motor Vehicles. This is to aid in future credit reporting and background checks and prevent your child’s identity from being stolen.

We assure you that any user account information will be completely secure and will be obscured from any state, federal, or private employee.

Warmest regards on this happy occasion,
[[insert name of current governor]]
[[insert digital signature of current governor]]
Governor, State of Maryland

Jeffery says:

Drug Test?

Couple of things you are missing:

1) No company GIVES a drug test. They hire outside, independent labs to do so. All that is usually required is a little urine or blood.

2) Do you readily give up the keys to your home to an employer to search for “illegal” activities before they hire you? No? They why would you think giving up your social media accounts is any different?

I think it’s always telling that someone wants to claim it’s “like” something else, when it clearly is not like that other thing at all. This is not like taking your blood, this is snooping in on your private conversations with friends and relatives. Thought and conversations are not the same as taking blood to test for drug use (though in my personal opinion that’s pretty invasive, too… what I ingest at home on my time should have no bearing on my employability if I do a good job at work every day).

fogbugzd (profile) says:

Drug Test?

>> Taking drugs is illegal and testing for drug use is not. How is this different? How is scanning one’s Facebook stream not “testing” for illegal activity?

Presumably a drug test only tests for use of illegal drugs. If you get turned down for a job because of a drug test you can at least challenge the test.

Checking your online persona is entirely different. Are they looking to see whether you “liked” things that are perfectly legal but the government reviewer doesn’t like?

Plus, they now have my password and account credentials, so they can actually alter my material or cause problems. They really don’t like you? Take your password to a public hotspot and send a threatening email to the President or do a hundred other things that cause you trouble.

There are huge differences between a mandatory drug test and surrendering your online persona.

Ben (profile) says:

Facebook friend breach of privacy

Even if you assume that an employer taking a look at an employees profile is ok (it’s not) the fact that you have unfettered access to your friends profiles surely creates some breach of their privacy?

I’m sure Facebook’s own T&Cs mention something along the lines of letting other use your account.

What if my employer uses my password to start spying on my sexy wife’s beach pictures? My daughter’s photos? An old friend who’s a potential new employer?

Anonymous Coward says:

/me is not a troll, I just can’t remember my login information.

Well, maybe my employer got it and changed my password so that I can’t login.

Let me first defend MD Dept of Corrections, first. Department of Corrections is concerned with incarcerated people. A plausible reason for demanding this information from its employees and potential employees is, of course, background information.

Corrections employees can, and probably have, formed relationships with the inmates, and monitoring their social interactions online with inmates, their friends, and their relatives, CAN indicate that the employee is having n improper relationship, and I don’t necessarily mean one of a sexual nature, with inmates.

The problem is, that there is this federal agency called the Office of Personnel Management, and background checks fall in with their line of responsibilities ( and although the process costs the government a huge amount of money each year, it is certainly necessary to help weed out those who may not be suited for government employment.

I do believe that this was a misguided attempt to help ensure public safety. I do believe that at not time, should anyone be required to submit passwords of any kind, to anyone, for any reason.

That being said, to obtain a Top Secret Security Clearance with Sensitive Compartmented Information eligibility and access, one is not (at least not military or contractors) required to divulge this information.

A more appropriate way to do this might be to create employer accounts and require employees to declare their employment, allowing the employers to see each emplyee’s wall posts, friends, likes, etc. Except, there’s still the high probability that employees will still be discriminated upon for their personal views which have nothing to do with the jobs they perform.

Oh, and lets not forget that anyone who declares their employment with any company in particular can now be targeted by that affiliation. In the Army, we called not broadcasting personal and professional information a part of Force Protection. I suppose it could be modified to be called Workforce Protection in the civilian world.

I hope ACLU files suit and wins, no matter what Maryland’s stance is, now that this is public.

Anyone for an amendment to the Privacy Act?

Jackie (profile) says:

Re: Passwords

Naw…Corrections doesn’t need your password to check up on your Facebook account. What corrections should be doing is warning you to close out your facebook account. And they should probably give lessons to employees about how to set up and use aliased accounts.
I was a prison librarian and one day one of the inmates ,where I worked (maximum security), sent or had sent a holiday card. Then I had a public phone number and it was relatively easy for this inmate to get my address. Nothing came of it. The inmate was in for burglaries, but I realized that it was a hazard. I was living in a gated community with private police and far outside the cities. If I hadn’t been, perhaps I would have felt more vulnerable.

Mikael (profile) says:

Maryland decided to stop asking for Facebook passwords for 45 days

The linked article from says they’ve decided to stop asking for facebook passwords for 45 days.

“Update 2/22, 5:11pm: The Maryland Department of Public Safety and Correctional Services has suspended the practice of asking for Facebook login information for 45 days, according to an email they sent to The Atlantic.”

Anonymous Coward says:

Another frightening prospect...

I’ve been worrying about this sort of thing happening to me. I use my computer mostly for gaming, and I could care less about Zynga’s so-called “games”, so I’ve never bothered with Facebook. What’s going to happen if a potential employer asks to see my Facebook account, and I respond, “Uh, I don’t… have one?”
I guess in the end, Sally Floyd had the last laugh. You’re now a non-person if you ignore social networking.

Loralai (profile) says:

Drug Test?

How is it different than a drug test you ask? A drug test is to find out if an applicant is using illegal substances. I totally understand not wanting to hire a drug addict to work in a jail. Social networking sites are not illegal. There is a big difference, and I can’t believe you don’t see it. Just like the Montana case, this too will be dropped amid all of the publicity. Thank goodness for the ACLU

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...