Social networks seek workplace privacy protections

The debate over access to people’s Facebook and Twitter profiles is heating up, as a number of legislators seek to ban employers from forcing people to disclose their access credentials. But at the same time, intelligence and law enforcement agencies report that they’re starting to troll social networks for suspicious activity. Should job applicants be required to submit their Facebook username and password to prospective employers, or step through their posts and photographs while an interviewer “shoulder surfs”? That Maryland Department of Public Safety and Correctional Services requirement for anyone interviewing—or recertifying—for a job, ostensibly to look for gang affiliations, drew international attention in part because it highlighted the existing disparity between people’s embrace of social networking and the apparent lack of privacy protections afforded to such communications, at least in the workplace. Department of Corrections Officer Robert Collins said he felt he had to comply with the request—he needed a job—which was made during his reinstatement interview, following a leave of absence he took after his mother died. But Collins also reported the practice to the American Civil Liberties Union of Maryland, which alleged in a complaint that the requirement violated the Stored Communications Act (SCA). While other legal experts have said that it’s not clear whether the law applies to social media, the corrections department has backed off. But the department wasn’t alone in its demand for applicants’ Facebook passwords. Similar demands have been made by everyone from the city of Bozeman, MT, and the McLean County Sheriff's Office in Illinois, to an Ontario law enforcement agency and a New York lobbying firm. The bigger issue is that legal privacy protections often lag advances in communications technology. For example, under current workplace laws, discounting jobs that require a security clearance, employers in the United States—and many other countries—can’t require job applicants to submit to a polygraph test. In addition, employers are prohibited from discriminating on the basis of race, religion, security, age, marital status, sexual orientation, disability, national origin or veteran status, which is why most employers studiously avoid any related questions during job interviews. But imagine what trawling a Facebook profile might reveal. No wonder Facebook has decried social media background checks involving private data. “If you are a Facebook user, you should never have to share your password, let anyone access your account or do anything that might jeopardize the security of your account or violate the privacy of your friends,” said Facebook Director of Privacy and Public Policy Erin Egan last month in a blog post. She also warned that employers might be legally liable for having improperly accessed Facebook communications involving a person’s race, sex or other protected information, as well as for violating the social network’s terms of service, which specifically prohibit users from sharing their passwords. The Maryland case, amongst others, has led many legislators to begin rethinking privacy protections for the social media age. Already, the Maryland House and Senate have passed bipartisan legislation—set to take effect October 1—that protects employees against such practices, even when labeled as “voluntary,” as well as any retaliation for failing to share social network access credentials. Other states—including California, Illinois, Michigan, New Jersey, New York and Washington—are weighing similar legislation, as is Congress. What’s the story outside of the United States? Attorney David Fraser, who runs the Canadian Privacy Law Blog, has said that a “patchwork” of laws covers Canadian workplace privacy. While the country’s privacy laws require that any collection of personal information be reasonable in nature, Alberta has warned any company that tries to vet people via Facebook or Twitter to “take a really careful look” at the law, suggesting that it will be watching such practices closely. Likewise, British Columbia has published a detailed set of guidelines for social media background checks. Outside of North America, many privacy officials are likewise urging caution. “We would have serious concerns if employers were regularly asking employees for their Facebook login details in the UK,” said a spokesperson for Britain’s Information Commissioner’s Office by phone. He emphasized that the country’s Data Protection Act prohibits the storing of “excessive” personal information. The embrace of Facebook, Twitter, Google+, Flickr and their social media ilk has triggered sharp privacy questions beyond the workplace realm too. New European regulations, introduced in January, would extend “right to be forgotten” rules to personal data stored by any business that markets to EU citizens. In other words, anyone who cancels their Twitter account could demand that the microblogging platform remove every post they’ve ever made, “without delay.” But law enforcement demands could add a wrinkle. In Britain, for example, government officials have been pushing service providers to retain subscribers’ communications, including Facebook and Twitter messages. Related debates have been influenced in part by last year’s riots in England, which were coordinated—at least in part—using social networks. Meanwhile, the U.S. Department of Homeland Security already monitors social networks. Likewise, the FBI in January issued a request for information to contractors for its own social media monitoring system. That revelation, perhaps predictably, led to a privacy outcry, with civil rights groups questioning whether the bureau should be trawling people’s Facebook profiles. Since then, however, FBI Special Agent Ganpat “Gunner” Wagh said at a conference that the bureau works hard to balance privacy concerns with the need to monitor social networks during some types of investigations. He also said the FBI—in close consultation with its in-house attorneys—only conducts targeted, deep dives of social networks during the course of an investigation. Given the popularity of social networks, not to mention their self-surveillance side effect, should the bureau’s moves be surprising? Cyber investigations, notably, used to focus only on online crimes. But with everyone today carrying a laptop or cell phone, investigators say that almost any case might have a cyber-investigation component. Likewise, it’s no wonder that for major cases, law enforcement agencies want to study social networks to gain a clearer picture of suspects’ activities. The related “ripped from the headlines” cop-show angle writes itself: Amurder suspect gets exonerated because he checked into a restaurant with Foursquare then sent food snaps to Instagram at the time of a murder. Obviously, that example isn’t real. But as more people mirror their everyday thoughts and activities on social networks, expect the related privacy demands—notably, to keep people’s private social media communications private, barring a court order—to intensify.  

---

Legislative roundup: Social media

By Kasia S. Park, University of Maine School of Law In response to increasing reports of employers asking employees and job applicants for their Facebook user names and passwords, 10 U.S. states have introduced legislation that would bar this practice. The bills would prohibit employers from requesting or requiring employees or prospective employees to disclose information to access social media or electronic accounts. The bills vary in scope regarding who they would protect and what types of electronic accounts to which the prohibition would apply. There will likely be federal legislation introduced in the near future as well. Sen. Richard Blumenthal (D-CT) has announced plans to introduce an analogous federal bill and Rep. Patrick McHenry (R-NC) is drafting similar legislation. Furthermore, Sen. Blumenthal and Sen. Charles Schumer (D-NY) have asked Attorney General Eric Holder to investigate whether this practice violates federal law, specifically the Stored Communications Act and/or the Computer Fraud and Abuse Act. The senators are calling on the Department of Justice and the U.S. Equal Employment Opportunity Commission to launch investigations. CaliforniaAssembly Bill 1844 would prohibit employers from requiring a prospective employee to disclose a user name or account password to access a personal social media account. It is pending before the Assembly Judiciary Committee. Senate Bill 1349 would go a step further; it would prohibit postsecondary educational institutions and employers from requiring or formally requesting a student or employee—or a prospective student or employee—to disclose the user name or password for a personal social media account. It is pending before the Senate Education Committee. IllinoisHouse Bill 3782 would amend the Right to Privacy in the Workplace Act to prohibit an employer from asking any employee or prospective employee to provide any password or other related account information in order to gain access to a social networking website. The bill is currently pending with the Senate. Maryland On April 10, Maryland became the first state to pass a bill to keep social media passwords safe from employers or potential employers. The legislation, Senate Bill 433 and House Bill 964, prohibits an employer from requesting or requiring that an employee or applicant disclose a user name or password for accessing electronic communications devices. The bill also protects employers by prohibiting employees from downloading an employer’s proprietary information of financial data to a personal website or account. MichiganHouse Bill 5523, the Social Network Account Privacy Act, prohibits employers and educational institutions from requiring disclosure of information that allows access to social networking accounts. If passed, the bill would protect employees, prospective employees, students and prospective students. The bill is currently pending in the House Committee on Energy and Technology. Minnesota A bill (H.F. No. 2963) is pending before the House that would prohibit employers from requiring, as a condition for employment or consideration of employment, an employee or prospective employee to provide a password or other account information in order to gain access to the employee’s or prospective employee’s social networking website. Missouri House Bill 2060 prohibits employers from requesting or requiring an employee or applicant to disclose information to access a personal account or service though an electronic communications device. The bill is currently pending with the House. New YorkSenate Bill 6831 prohibits employers from requesting or requiring an employee or applicant to disclose information to access a personal account or service though an electronic communications device. The bill is currently pending with the Senate Labor Committee. South CarolinaHouse Bill 5105 prohibits employers from requesting a password or other related information in order to gain access to an employee’s or prospective employee’s profile or account on a social networking website. The bill is currently pending before the House Judiciary Committee. Washington Sen. Steven Hobbs (D-Lake Stevens) introduced the “Facebook bill” (S.B. 6637) which would prohibit employers from requesting a password from a current or prospective employee for the purpose of gaining access to a social networking site.