IL Follows Suit: Employers Right To Ask For Social Media Passwords Codified Into Law
from the digital-homes dept
Just a few weeks back we relayed the news that Washington State was seeking to codify into law an employer's right to ask for the social media passwords of their employees. I continue to be amazed both at why such a law was considered in the first place, as well as why there hasn't been more backlash against it. That said, I imagine the answer to the latter has something to do with the idea that employees and prospective employees could deny that request, so perhaps some people think that there's little to no impact overall. This, on its face, is obviously silly. Were there going to be no impact to denying the request, employers would never make it in the first place. You have to imagine that an employee, and to a larger extent an applicant, is going to face enormous pressure to give the key to their personal sites away, whether that pressure is real or imagined.
However, since the bill hasn't been challenged in the court of public opinion, others are now beginning to follow suit. Such is the case in Illinois, where the state House passed a bill this week, sponsored by Jim Durkin, that gives employers there the same rights. And, of course, it's all done in the name of protecting the workplace.
The Illinois House passed a bill today that would allow employers to request access to employees' personal web accounts used for business purposes, like Facebook and other social networking sites. As if people aren't paranoid enough already. To be clear, the bill does not mandate that employees supply the information, and no one could be fired or penalized for noncompliance. The idea is to allow employers the opportunity to investigate employee misconduct, protect trade secrets, and prevent workplace violence by monitoring online activities. Even without it being mandatory to share your login and password, you could imagine a boss putting a subordinate under some uncomfortable pressure.A challenge to everyone, if I may. If you were able to somehow catalog and characterize every single instance of employee misconduct, trade secret revealing, and workplace violence, exactly what percentage of them would you guess could have been prevented by proactive investigation of social media? Further, what percentage of such cases are such that the key evidence that would conclude any investigation into them would be only made available with a social media password? These are the kinds of answers with which I would expect proponents of such laws to be beating us over the head, yet you never seem to see any data in the reports. It all essentially comes down to, "We need to give employers the right to ask for social media passwords, because violence, scary internet, and children."
Do you know why we highlight when stupid criminals spurt their stupid juices all over the internet? Because they're the vast exception, not the rule. Creating the kind of animosity between employers and employees such as this bill will do is an awful over-reaction to those stories.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: illinois, jim durkin, social media, washington state
Reader Comments
Subscribe: RSS
View by: Time | Thread
Still, I do want to see ppl challenging such idiocy on Constitutional grounds.
[ link to this | view in chronology ]
Re:
What if you don't have social media account?
Is rejecting someone on that basis count as discrimination based on social behavior?
What if you deny having said account?
What constitutes "social media account"? FB? Twitter? Deviantart? FurAffinity? Redtube?...
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
None of the questions you raised even come close to the most serious question, especially in regard to applicants and employment law.
There are various federal and state laws that prohibit employers from asking or raising a whole host of issues during an pre-employment interview. Things such as family status, ethnicity, religion, etc. cannot be the basis for an employment decision. However, being forced during an interview to allow the company to peruse your Facebook account basically does an end-run around all of that and gives the employer a voluminous amount of information to which it is not legally entitled.
> What if you don't have social media account?
I know of several police departments in the Southern California area that require applicants to allow them to peruse their Facebook accounts and if an applicant doesn't have one, they assume it was either deleted prior to applying or the applicant purposely never opened one in the first place because the applicant had something he/she didn't want them to know about.
Not having a Facebook account is pretty much a black mark on your application that you have to work hard to overcome.
[ link to this | view in chronology ]
Re: Re: Re:
At the very least they will settle with me to save money. I'd make a business model out of this and charge $5000-$10000 depending on the size of the company.
[ link to this | view in chronology ]
Re:
Why the hell not?!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
The only idiocy I see is believing there's a Constitutional basis for a challenge.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
I have a relative who is a senior personnel officer at a large company. They use social media ALL the time to evaluate candidates.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
> site? Are they disadvantaged for making a
> choice not to be on one? There is a serious
> issue of equal opportunity here if candidates
> are evaluated differently.
All candidates are evaluated differently all the time. Social media doesn't change that.
If you and I are applying for job at Company X and you have a masters degree and I don't, we will be be evaluated differently if Company X values post-graduate work.
If I have extensive real-world experience in running a business and you don't, we will be be evaluated differently if Company X values that type of experience.
And if Company X values people who know and use social media, they will evaluate candidates who don't even have accounts differently than those who do.
There's nothing illegal or immoral about it.
[ link to this | view in chronology ]
Re: Re: Re:
Whatever that right may be under the Constitition, it only applies to citizens vs. the government. You have a constitutional right to privacy from the government, not your private employer.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Law enforcement follows the constitution because law enforcement is government action.
[ link to this | view in chronology ]
Re: Re: Re: Re:
its really if a state can pass a law that says they have that right.
as to the legality of companies placing you in a situation where you either give your logins up.. is that something that has really been tested before? i dont think it has but im sure someone will correct me if im not wrong..
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I don't see the constitutional problem there, either, although if that's the point of the law, then it's pointless.
My reasoning is this: employers already have the right by default. There is no need for a law saying so. Passing such a law is just reaffirming an existing right, not creating a new one, so there would be no Constitutional issue. Only an issue of the whole thing being a pointless waste of time.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
my employer can (and does) say you cannot express political viewpoints with customers... but the government cannot say that I cannot express political viewpoints with customers.
what the government CAN do is say that my employer may set limitations which are within reason as to what topics i may or may not discuss during the course of my work related duties.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
> employer may set limitations which are within
> reason as to what topics i may or may not
> discuss during the course of my work related
> duties.
It can't even do that. That would be a violation of your employer's 1st Amendment rights.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
> issue is not if companies can force you to
> give up those logins in return for employment.
> its really if a state can pass a law that says
> they have that right.
If it's not an enumerated power of Congress under Article I, Section 8, then the power belongs to the state and/or local governments per the 10th Amendment.
[ link to this | view in chronology ]
Re: Re: Re:
> supposed to follow the Constitution? Heck,
> even law enforcement need warrants to go to
> such lengths. Are you mad?
I can't tell if you're being sarcastic or not, but assuming you aren't, and that you're a U.S. citizen, it's a stinging indictment of our educational system that you'd even ask that question. (If you're not a U.S. citizen, then disregard.)
The Constitution only legally prohibits the GOVERNMENT from doing certain things, like infringing freedom of speech, or searching a home without a warrant. It has no application or restraint upon conduct between private parties. The only part of the Constitution that regulates conduct between one citizen and another is the 13th Amendment's prohibition of slavery.
So in answer to your question, no, companies are not supposed to (nor are they required to) follow the Constitution.
[ link to this | view in chronology ]
Re: Re:
The employee/employer relationship is much closer to the feudal system than it is to consenting adults entering a mutually beneficial business arrangement.
[ link to this | view in chronology ]
Re: unconstitutional
it seems like a nothing law, the employer had a right to ask for pretty much anything they want. like non smokers, drug testing, etc.
they are, bizarrely, stopped from asking your age.
but, I imagine the 1st amendment protects the employers right to ask for any info they want.
a person always has the right to refuse.
and another employer can market the fact that they support employee privacy and have a hiring advantage..
I don't see how this law is at all unconstitutional.
if anything, it seems like a 'nothing law' which already affirms a right the employer already had.
[ link to this | view in chronology ]
Re: Re: unconstitutional
No, they're not. They are prohibited from discriminating because of age and so they shy away from asking to avoid accusations of discrimination, but they can ask.
While you're right, I don't see how this is unconstitutional, I do have to pick this nit:
In practice, things like this never work that way. This reasoning has been put forward to justify all kinds of employer abuses and it never actually pans out. Except that employers get to abuse.
[ link to this | view in chronology ]
Re: unconstitutional
I know of someone suing over that very thing now.
Although this whole idea of "personal work accounts" is problematic as it blurs the line between your personal and your work life. Accounts used for work should always be the property of your employer and there should be no possibility for ambiguity.
If there is any question then the company has failed to manage things properly.
[ link to this | view in chronology ]
Re: Re: unconstitutional
[ link to this | view in chronology ]
Re:
HOW DARE YOU! Have you forgotten the sacred Second Amendment?
[ link to this | view in chronology ]
Response to: Ninja on Apr 30th, 2013 @ 4:24am
This is absolutely not right. But it's not unconstitutional.
[ link to this | view in chronology ]
Re:
> idiocy on Constitutional grounds.
What grounds would those be?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Of course, we're still the only state without concealed carry law.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Response to: Anonymous Coward on Apr 30th, 2013 @ 5:32am
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
With the frequency in which users reuse passwords for multiple accounts, asking for your social media password is like asking for a security breach. Now someone may have the same login credentials as your other accounts, such as email, messaging, dating, gaming, cloud storage, and other sites.
Part of that problem is reusing passwords, but the larger problem is how every website requires a unique set of credentials.
But back on topic, since someone now has access to multiple accounts, you have to go change the password on those other accounts. Exactly the same steps taken if there was a huge data breach. They are the same in my eyes.
I don't think asking for your password should be illegal, but nor do I think it should be made into law. That only encourages the behavior. It should, however, be illegal to deny someone employment for not giving your password.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Response to: Anonymous Coward on Apr 30th, 2013 @ 5:42am
What next? Bring in your diary so I can read it?
[ link to this | view in chronology ]
Now, they are paying the price.
[ link to this | view in chronology ]
There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: Re: Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: There IL employers can ask employees to violate the law
Not to mention that Facebook includes the answers to such unaskable questions as:
Race
Nationality
Maiden Name
Age
Disabilities
Religion
[ link to this | view in chronology ]
Re: Re: There IL employers can ask employees to violate the law
Race
Nationality
Maiden Name
Age
Disabilities
Religion
Only if you put them there.
[ link to this | view in chronology ]
Re: Re: Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: There IL employers can ask employees to violate the law
[ link to this | view in chronology ]
Re: There IL employers can ask employees to violate the law
http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=85&GA=98&DocTyp eId=HB&DocNum=1047&GAID=12&LegID=71494&SpecSess=&Session=
[ link to this | view in chronology ]
I don't want your facebook password
I don't even see how it would be helpful. I don't care what you did last weekend, I care how you perform at work on Monday. I'll figure that out soon enough.
[ link to this | view in chronology ]
Wait, what?
I'm confused. Personal/business, which is it? Can you have two accounts? Personal/Personal and Personal/Business?
[ link to this | view in chronology ]
Re: Wait, what?
[ link to this | view in chronology ]
Police State
[ link to this | view in chronology ]
The law is a violation of CFAA, which makes it illegal under the constitution
Logging into someone else's account or 'stealing' their password like this is illegal under the broadly written CFAA.
[ link to this | view in chronology ]
Factual errors in the article
The bill is not yet "codified into law". As your own source points out, the bill passed the Illinois House, and the Illinois Senate will now consider it. Further, the bill also only refers to social media accounts used for business, and not personal Internet accounts. Finally, the prohibition against retaliation for refusing to disclose passwords only applies to requests or demands for login credentials directed to personal Internet accounts, and not to business social media accounts.
[ link to this | view in chronology ]
Re: Factual errors in the article
Nobody said it was. The words "codified" and "codify" are modified by "ask" and "seek", indicating future behavior.
That is not entirely accurate IMHO. The bill's synopsis includes: "an employer may request or require an employee to disclose any user name, password, or other means for accessing an electronic communications device supplied or paid for in whole or in part by the employer or accounts or services provided by the employer or by virtue of the employee's employment relationship with the employer or that the employee uses for business purposes". The key portion is the last seven words. That will be used as justification to get any passwords and account information, on the grounds that they have no idea if an account was used "for business purposes" without first examining the account.
[ link to this | view in chronology ]
Re: Re: Factual errors in the article
[ link to this | view in chronology ]
Re: Re: Factual errors in the article
[ link to this | view in chronology ]
Re: Re: Re: Factual errors in the article
So, what's the intent of this law? I'm very confused.
[ link to this | view in chronology ]
Re: Factual errors in the article
[ link to this | view in chronology ]
Re: Re: Factual errors in the article
[ link to this | view in chronology ]
Re: Factual errors in the article
So, if I'm an accountant who also has a Zazzle print-on-demand business on the side, I have to give my employer (who uses my services as an accountant) access to my FaceBook account?
[ link to this | view in chronology ]
Actually this could be good for employees!
I wonder how much such an employer will like the chance to be
investigated for some kind terror related activities on some of the accounts he obtained passwords for.
[ link to this | view in chronology ]
Re: Actually this could be good for employees!
2. Post instructions for bomb making in wall
3. Accuse employer of tampering with user's wall, and terrorist activities.
4. Fun!
[ link to this | view in chronology ]
Re: Re: Actually this could be good for employees!
[ link to this | view in chronology ]
Thank God for the EU human rights
[ link to this | view in chronology ]
Re: Thank God for the EU human rights
I'd advise staying on your toes, not being complacent.
[ link to this | view in chronology ]
Since politicians work for the people...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
what's the problem
[ link to this | view in chronology ]
Re: what's the problem
[ link to this | view in chronology ]
Re: Re: what's the problem
Given unlimited characters I could fit an entire Hollywood movie as a password without fear of being prosecuted as passwords are not intellectual property.
Seems either you got it wrong, or there's an exploitable loop in the intellectual property system.
[ link to this | view in chronology ]
Re: Re: Re: what's the problem
Just one thing: copyright's purpose (in it's current form) is to control the publication and distribution of creative content.
Do you really want to distribute your password?
[ link to this | view in chronology ]
Re: what's the problem
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"used for business"
[ link to this | view in chronology ]
2 Factor Authentication
[ link to this | view in chronology ]
who do the politicians work for?
[ link to this | view in chronology ]
why
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I've been asked for it and I simply said look me up I'm not any site. Which may be a lie lol, but hey there is no way for them to ever know unless I decide to tell them.
It's bullshit that I have to go to such measures to protect myself because I love social networking.. My Facebook alone has been at the limit for ages now. "5k" I love to meet people all over the world, I love to joke around, I love to argue sometimes, and even talk some shit if I'm in the mood.
It's my business what I do on my time.
If I want to get on Techdirt while I'm at home and make fun of out_of_the_blue my job does not need to know about it.
Boss - Were you making fun of out_of_the_blue again?
Me- Yeah, but he said dolphins taste great dipped in baby seal sauce.
Boss - They do, you're fired.
[ link to this | view in chronology ]
What's good for the goose...
Or could I give them a no-longer-valid password...meaning I've comlied with their request but since I value security and dutifully changed mypassword the first chance I got.
Would it be acceptable to request their handling procedures of my password to ensure it's security? I want to know who's going to eat that scrap of paper I might scrawl it on...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
There are protections in the law
It's not as bad as you may think. They can only request information if they gave you the account, or if the account is used for business, or if they have SPECIFIC information that you have something on there about workplace misconduct, or confidential information, or something like that. Under ordinary circumstances, requesting that you give them your Facebook password would be illegal.
The exception for business accounts, however, does go overboard. I think the legislature here figured that if the account is used for business, then it's both relevant to the employer and the employee wouldn't be concerned about privacy - how are you going to do much business on a private page? They fail to consider, however, that someone may have a dual-use account. Also, the employer may request the PASSWORD for a business account. This is reasonable for accounts which the business gave to the employee - but totally unreasonable for the employee's existing business accounts. If I'm working a sideline, perhaps you have the right to inquire about that; but you have NO right to know my passwords for it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
these laws...
first off, EVERY social network (be it Twitter, Facebook, and MMO's [yes, MMO's are a social network in that you interact with other people]) has a clause in their ToS that you cannot nor should not in any circumstances give out your password or account information, and that admins of said network will never ask you for it. This is because of two reasons, 1) It severely undermines network security and the security of the users. and 2) It is against the law in the US for anyone to access another persons account on social networking sites (I believe under the CFAA and by extension Patriot act).
[ link to this | view in chronology ]