IL Follows Suit: Employers Right To Ask For Social Media Passwords Codified Into Law

from the digital-homes dept

Just a few weeks back we relayed the news that Washington State was seeking to codify into law an employer’s right to ask for the social media passwords of their employees. I continue to be amazed both at why such a law was considered in the first place, as well as why there hasn’t been more backlash against it. That said, I imagine the answer to the latter has something to do with the idea that employees and prospective employees could deny that request, so perhaps some people think that there’s little to no impact overall. This, on its face, is obviously silly. Were there going to be no impact to denying the request, employers would never make it in the first place. You have to imagine that an employee, and to a larger extent an applicant, is going to face enormous pressure to give the key to their personal sites away, whether that pressure is real or imagined.

However, since the bill hasn’t been challenged in the court of public opinion, others are now beginning to follow suit. Such is the case in Illinois, where the state House passed a bill this week, sponsored by Jim Durkin, that gives employers there the same rights. And, of course, it’s all done in the name of protecting the workplace.

The Illinois House passed a bill today that would allow employers to request access to employees’ personal web accounts used for business purposes, like Facebook and other social networking sites. As if people aren’t paranoid enough already. To be clear, the bill does not mandate that employees supply the information, and no one could be fired or penalized for noncompliance. The idea is to allow employers the opportunity to investigate employee misconduct, protect trade secrets, and prevent workplace violence by monitoring online activities. Even without it being mandatory to share your login and password, you could imagine a boss putting a subordinate under some uncomfortable pressure.

A challenge to everyone, if I may. If you were able to somehow catalog and characterize every single instance of employee misconduct, trade secret revealing, and workplace violence, exactly what percentage of them would you guess could have been prevented by proactive investigation of social media? Further, what percentage of such cases are such that the key evidence that would conclude any investigation into them would be only made available with a social media password? These are the kinds of answers with which I would expect proponents of such laws to be beating us over the head, yet you never seem to see any data in the reports. It all essentially comes down to, “We need to give employers the right to ask for social media passwords, because violence, scary internet, and children.”

Do you know why we highlight when stupid criminals spurt their stupid juices all over the internet? Because they’re the vast exception, not the rule. Creating the kind of animosity between employers and employees such as this bill will do is an awful over-reaction to those stories.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “IL Follows Suit: Employers Right To Ask For Social Media Passwords Codified Into Law”

Subscribe: RSS Leave a comment
96 Comments
btr1701 (profile) says:

Re: Re: Re:

Also raises a series of questions:

None of the questions you raised even come close to the most serious question, especially in regard to applicants and employment law.

There are various federal and state laws that prohibit employers from asking or raising a whole host of issues during an pre-employment interview. Things such as family status, ethnicity, religion, etc. cannot be the basis for an employment decision. However, being forced during an interview to allow the company to peruse your Facebook account basically does an end-run around all of that and gives the employer a voluminous amount of information to which it is not legally entitled.

What if you don’t have social media account?

I know of several police departments in the Southern California area that require applicants to allow them to peruse their Facebook accounts and if an applicant doesn’t have one, they assume it was either deleted prior to applying or the applicant purposely never opened one in the first place because the applicant had something he/she didn’t want them to know about.

Not having a Facebook account is pretty much a black mark on your application that you have to work hard to overcome.

Anonymous Coward says:

Re: Re: Re: Re:

I would gleefully allow them access and then when i didn’t get the job i would sue the shit out of them for disqualifying me because i am How could they prove that they didn’t gather that info from the social media site and then use it to disqualify me?

At the very least they will settle with me to save money. I’d make a business model out of this and charge $5000-$10000 depending on the size of the company.

Anonymous Coward says:

Re: Re: Re: Re:

While their may be some privacy rights by statute, like HIPA- there are few, if any that protects an employee or applicant from an employer. I know many union agreements address employee privacy issues, but few employers will give up their ability to snoop unilaterally.

I have a relative who is a senior personnel officer at a large company. They use social media ALL the time to evaluate candidates.

btr1701 (profile) says:

Re: Re: Re:3 Re:

And if a candidate is not on a social media
site? Are they disadvantaged for making a
choice not to be on one? There is a serious
issue of equal opportunity here if candidates
are evaluated differently.

All candidates are evaluated differently all the time. Social media doesn’t change that.

If you and I are applying for job at Company X and you have a masters degree and I don’t, we will be be evaluated differently if Company X values post-graduate work.

If I have extensive real-world experience in running a business and you don’t, we will be be evaluated differently if Company X values that type of experience.

And if Company X values people who know and use social media, they will evaluate candidates who don’t even have accounts differently than those who do.

There’s nothing illegal or immoral about it.

harbingerofdoom (profile) says:

Re: Re: Re:2 Re:

it would seem to me that the constitutional issue is not if companies can force you to give up those logins in return for employment.
its really if a state can pass a law that says they have that right.

as to the legality of companies placing you in a situation where you either give your logins up.. is that something that has really been tested before? i dont think it has but im sure someone will correct me if im not wrong..

John Fenderson (profile) says:

Re: Re: Re:3 Re:

its really if a state can pass a law that says they have that right

I don’t see the constitutional problem there, either, although if that’s the point of the law, then it’s pointless.

My reasoning is this: employers already have the right by default. There is no need for a law saying so. Passing such a law is just reaffirming an existing right, not creating a new one, so there would be no Constitutional issue. Only an issue of the whole thing being a pointless waste of time.

harbingerofdoom (profile) says:

Re: Re: Re:4 Re:

a bit of an apples and oranges thing though isnt it?

my employer can (and does) say you cannot express political viewpoints with customers… but the government cannot say that I cannot express political viewpoints with customers.

what the government CAN do is say that my employer may set limitations which are within reason as to what topics i may or may not discuss during the course of my work related duties.

btr1701 (profile) says:

Re: Re: Re:3 Re:

it would seem to me that the constitutional
issue is not if companies can force you to
give up those logins in return for employment.
its really if a state can pass a law that says
they have that right.

If it’s not an enumerated power of Congress under Article I, Section 8, then the power belongs to the state and/or local governments per the 10th Amendment.

btr1701 (profile) says:

Re: Re: Re: Re:

Are you implying that the companies aren’t
supposed to follow the Constitution? Heck,
even law enforcement need warrants to go to
such lengths. Are you mad?

I can’t tell if you’re being sarcastic or not, but assuming you aren’t, and that you’re a U.S. citizen, it’s a stinging indictment of our educational system that you’d even ask that question. (If you’re not a U.S. citizen, then disregard.)

The Constitution only legally prohibits the GOVERNMENT from doing certain things, like infringing freedom of speech, or searching a home without a warrant. It has no application or restraint upon conduct between private parties. The only part of the Constitution that regulates conduct between one citizen and another is the 13th Amendment’s prohibition of slavery.

So in answer to your question, no, companies are not supposed to (nor are they required to) follow the Constitution.

Jesse (profile) says:

Re: Re: Re:

The problem is, and it’s not exactly constitutional, is that we haven’t really left the feudal era in the employment context, where employers are viewed as lords and employees peasants (almost property).

The employee/employer relationship is much closer to the feudal system than it is to consenting adults entering a mutually beneficial business arrangement.

bob (profile) says:

Re: unconstitutional

how is the law unconstitutional?
it seems like a nothing law, the employer had a right to ask for pretty much anything they want. like non smokers, drug testing, etc.
they are, bizarrely, stopped from asking your age.
but, I imagine the 1st amendment protects the employers right to ask for any info they want.
a person always has the right to refuse.
and another employer can market the fact that they support employee privacy and have a hiring advantage..
I don’t see how this law is at all unconstitutional.
if anything, it seems like a ‘nothing law’ which already affirms a right the employer already had.

John Fenderson (profile) says:

Re: Re: unconstitutional

they are, bizarrely, stopped from asking your age

No, they’re not. They are prohibited from discriminating because of age and so they shy away from asking to avoid accusations of discrimination, but they can ask.

While you’re right, I don’t see how this is unconstitutional, I do have to pick this nit:

a person always has the right to refuse.
and another employer can market the fact that they support employee privacy and have a hiring advantage

In practice, things like this never work that way. This reasoning has been put forward to justify all kinds of employer abuses and it never actually pans out. Except that employers get to abuse.

JEDIDIAH says:

Re: Re: Re: unconstitutional

Well. One aspect of this is that social media sites do expose elements of one’s life that touch upon things that are illegal to discriminate over. Not only can you be shunned for your own nuttiness, you can also be shunned for what your family does.

I know of someone suing over that very thing now.

Although this whole idea of “personal work accounts” is problematic as it blurs the line between your personal and your work life. Accounts used for work should always be the property of your employer and there should be no possibility for ambiguity.

If there is any question then the company has failed to manage things properly.

Anonymous Coward says:

Re: Re: unconstitutional

Well, they aren’t allowed to ask about your medical history, sexual orientation, or religious preferences. All of these things can be discussed under privacy using social media (though I’d suggest you don’t if you really want this to remain private, because it’s rather stupid), so asking for social media login information would seem to be a violation of the fair employment laws.

varagix says:

Re: Re: Re:

Wasn’t your state’s congress suppose to get one passed relatively soon? The way I hear it, after their conceal carry ban was ruled unconstitutional, if they don’t get one passed by this June, many people claim that Illinois will go from one of the most restrictive states concerning guns, to one of the laxest (hyperbole mostly, I assume).

Anonymous Coward says:

This trend is starting to bother me.
With the frequency in which users reuse passwords for multiple accounts, asking for your social media password is like asking for a security breach. Now someone may have the same login credentials as your other accounts, such as email, messaging, dating, gaming, cloud storage, and other sites.
Part of that problem is reusing passwords, but the larger problem is how every website requires a unique set of credentials.
But back on topic, since someone now has access to multiple accounts, you have to go change the password on those other accounts. Exactly the same steps taken if there was a huge data breach. They are the same in my eyes.
I don’t think asking for your password should be illegal, but nor do I think it should be made into law. That only encourages the behavior. It should, however, be illegal to deny someone employment for not giving your password.

Larry says:

Re: Response to: Anonymous Coward on Apr 30th, 2013 @ 5:42am

And precisely how do u prove u were denied employment because you refused to give your password? Only by making it illegal for the question to be asked at all can this kind of pernicious intrusion into the private lives of citizens be prevented.
What next? Bring in your diary so I can read it?

Anonymous Coward says:

There IL employers can ask employees to violate the law

The terms-of-service agreements of many sites stipulate that you cannot share your password. Federal legislation (enacted, proposed, pending, etc.) stipulates that breaking a TOS agreement is a felony. Therefore, under such legislation, any IL employer asking an employee for their password (at any site whose TOS forbids sharing it) is asking their employee to commit a felony.

Paul Reinheimer (profile) says:

I don't want your facebook password

As someone who has made several hiring decisions, I don’t want anywhere near a candidate’s facebook account. It’s full of information I can’t ask for: marital status, religion, country of birth, etc. Taking that information, then making a no-hire decision just gives the candidate a great way to claim they were discriminated against. Ain’t nobody got time for that!

I don’t even see how it would be helpful. I don’t care what you did last weekend, I care how you perform at work on Monday. I’ll figure that out soon enough.

Anonymous Coward says:

The law is a violation of CFAA, which makes it illegal under the constitution

The states seem to forget that this is violation of CFAA, which makes it illegal under the constitution because it’s a state law contradicting a federal law.

Logging into someone else’s account or ‘stealing’ their password like this is illegal under the broadly written CFAA.

The Red Jaguar says:

Factual errors in the article

Dear Mr. Masnick,

The bill is not yet “codified into law”. As your own source points out, the bill passed the Illinois House, and the Illinois Senate will now consider it. Further, the bill also only refers to social media accounts used for business, and not personal Internet accounts. Finally, the prohibition against retaliation for refusing to disclose passwords only applies to requests or demands for login credentials directed to personal Internet accounts, and not to business social media accounts.

Mark Murphy (profile) says:

Re: Factual errors in the article

The bill is not yet “codified into law”

Nobody said it was. The words “codified” and “codify” are modified by “ask” and “seek”, indicating future behavior.

Further, the bill also only refers to social media accounts used for business, and not personal Internet accounts.

That is not entirely accurate IMHO. The bill’s synopsis includes: “an employer may request or require an employee to disclose any user name, password, or other means for accessing an electronic communications device supplied or paid for in whole or in part by the employer or accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer or that the employee uses for business purposes”. The key portion is the last seven words. That will be used as justification to get any passwords and account information, on the grounds that they have no idea if an account was used “for business purposes” without first examining the account.

ChrisB (profile) says:

Re: Re: Factual errors in the article

Did anyone go read the actually read the bill? It says the exact opposite. Of course, if my business has a Facebook account, it is still legal for my boss to check what I’m posting on it. That only makes sense. I’ll post it below so all this ridiculous speculation and gnashing of teeth can end.

b)(1) It shall be unlawful for any employer to request or require any employee or prospective employee to provide any user name and password, password, or other means of authentication to gain access to the employee’s or prospective employee’s personal internet account.

…however, that while engaging in such [lawful internet] monitoring, an employer may not request or require any employee or prospective employee to access the employee’s or prospective employee’s personal internet account for purposes of enabling the employer to observe activity in or the contents of such an account; and provided further that an employer undertaking such monitoring may not request or require any employee or prospective employee to provide any user name and password, password, or other means of authentication to gain access to the employee’s or prospective employee’s personal internet account.

John Fenderson (profile) says:

Re: Re: Re: Factual errors in the article

That makes the law even more nonsensical then. If a facebook account is being used for business purposes, it is owned by the business, not the employee, so the employee would not be disclosing anything that the company does not already have the rights to (and should already have — if they don’t, then they have much bigger problems than whatever is on the facebook account.)

So, what’s the intent of this law? I’m very confused.

Anonymous Coward says:

Re: Factual errors in the article

” the bill also only refers to social media accounts used for business, and not personal Internet accounts.”

So, if I’m an accountant who also has a Zazzle print-on-demand business on the side, I have to give my employer (who uses my services as an accountant) access to my FaceBook account?

Anonymous Coward says:

Actually this could be good for employees!

When abusive employer ask for password for facebook account, and later this account is used for some kind prohibited activity the employee has plausible deniability.

I wonder how much such an employer will like the chance to be
investigated for some kind terror related activities on some of the accounts he obtained passwords for.

Anonymous Coward says:

anyone that backs or agrees with this is a total moron! the only advice, if fighting it is too much trouble, meaning that some people will have to get off their asses and do something, is to make sure that the social media site(s) has a different password to any and everything else done that should be secure. that leads to the problem of when there is a security breach of some description concerning your personal stuff, who is gonna get the blame? the truly amazing things are that people complain about CISPA and other ‘privacy invading laws’ but then are told they have to hand over passwords for their private social media sites. what next? email? monitoring phone calls and txt messages? take it away from the government and law enforcement and then give them to your boss? how fucking stupid is that?

nem says:

Re: Re: what's the problem

So if a copyrighted content is used as a passphrase it ceases to be intellectual property?

Given unlimited characters I could fit an entire Hollywood movie as a password without fear of being prosecuted as passwords are not intellectual property.

Seems either you got it wrong, or there’s an exploitable loop in the intellectual property system.

Anonymous Coward says:

I’m in IL and I have zero social media accounts hooked to my name just for this reason. I do not connect with family or friends online.

I’ve been asked for it and I simply said look me up I’m not any site. Which may be a lie lol, but hey there is no way for them to ever know unless I decide to tell them.

It’s bullshit that I have to go to such measures to protect myself because I love social networking.. My Facebook alone has been at the limit for ages now. “5k” I love to meet people all over the world, I love to joke around, I love to argue sometimes, and even talk some shit if I’m in the mood.

It’s my business what I do on my time.

If I want to get on Techdirt while I’m at home and make fun of out_of_the_blue my job does not need to know about it.

Boss – Were you making fun of out_of_the_blue again?
Me- Yeah, but he said dolphins taste great dipped in baby seal sauce.
Boss – They do, you’re fired.

Why not... says:

What's good for the goose...

So… wouldn’t we be justified is requesting the Employer for the company’s social media password(s). It comes down to trust if they don’t trust me with theirs… why should I trust them with mine?

Or could I give them a no-longer-valid password…meaning I’ve comlied with their request but since I value security and dutifully changed mypassword the first chance I got.

Would it be acceptable to request their handling procedures of my password to ensure it’s security? I want to know who’s going to eat that scrap of paper I might scrawl it on…

Joe says:

I have an apartment on the east coast that I rent out when I’m not using it and whenever I get an applicant, I stalk them on Facebook/ LinkedIn etc. It’s kept me out of a couple of bad situations (the couple that sounded great on the phone but their FB was full of gangsta parties, tattoos, bitches, blunts and 40’s or the girl who’s profile was entirely full of sexy cosplay costumes which then lead to to her profile on an escort site). I’m amazed at how little thought to privacy people give and how much info is just ‘out there’ by default for anyone with a little knowledge of how to look.

Anonymous Coward says:

There are protections in the law

The bill is at http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=85&GA=98&DocTypeId=HB&DocNum=1047&GAID=12&LegID=71494&SpecSess=&Session=

It’s not as bad as you may think. They can only request information if they gave you the account, or if the account is used for business, or if they have SPECIFIC information that you have something on there about workplace misconduct, or confidential information, or something like that. Under ordinary circumstances, requesting that you give them your Facebook password would be illegal.

The exception for business accounts, however, does go overboard. I think the legislature here figured that if the account is used for business, then it’s both relevant to the employer and the employee wouldn’t be concerned about privacy – how are you going to do much business on a private page? They fail to consider, however, that someone may have a dual-use account. Also, the employer may request the PASSWORD for a business account. This is reasonable for accounts which the business gave to the employee – but totally unreasonable for the employee’s existing business accounts. If I’m working a sideline, perhaps you have the right to inquire about that; but you have NO right to know my passwords for it.

zerostar83 (profile) says:

For once, I have to disagree with where this article is going. I have seen a great example of how a politician would legally get away with refusing to give information used on his personal device/account to do government business because he used his personal device/account even though there was a business one set up for him to use and he chose not to use it. If you use your personal email or facebook for work/business related stuff, then your work should have the right to access their information and be able to track it. I think a law requiring access to accounts that have been used for work/business would force people to seperate personal accounts from work accounts. Simply put, if I use my facebook to do business on behalf of a company, they should have access to their own business.

Ryunosuke (profile) says:

these laws...

these laws are unenforceable due to the nature of social networking sites and programs.

first off, EVERY social network (be it Twitter, Facebook, and MMO’s [yes, MMO’s are a social network in that you interact with other people]) has a clause in their ToS that you cannot nor should not in any circumstances give out your password or account information, and that admins of said network will never ask you for it. This is because of two reasons, 1) It severely undermines network security and the security of the users. and 2) It is against the law in the US for anyone to access another persons account on social networking sites (I believe under the CFAA and by extension Patriot act).

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...