Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy

Passwords 01In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.

I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.

But Bradley Shear, an attorney who has focused extensively on the issue, opened my eyes to the fact that the practice is much more prevalent than I had imagined, and it is an issue that has very important implications as we move more of our personal data to the Cloud.

The Widespread Hunger for Access

Employers are not the only ones demanding social media passwords – schools are doing so too, especially athletic departments in higher education, many of which engage in extensive monitoring of the online activities of student athletes. Some require students to turn over passwords, install special software and apps, or friend coaches on Facebook and other sites. According to an article in USA Today: “As a condition of participating in sports, the schools require athletes to agree to monitoring software being placed on their social media accounts. This software emails alerts to coaches whenever athletes use a word that could embarrass the student, the university or tarnish their images on services such as Twitter, Facebook, YouTube and MySpace.”

Not only are colleges and universities engaging in the practice, but K-12 schools are doing so as well. A MSNBC article discusses the case of a parent’s outrage over school officials demanding access to a 13-year old girl’s Facebook account. According to the mother, “The whole family is exposed in this. . . . Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there’s these anonymous people reading through this information.”

In addition to private sector employers and schools, public sector employers such as state government agencies are demanding access to online accounts. According to another MSNBC article: “In Maryland, job seekers applying to the state’s Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through posts, friends, photos and anything else that might be found behind the privacy wall.”

Legal Implications

For public schools or public-sector employers, demanding such access will likely violate First and Fourth Amendment rights. In one case, a public middle school demanded that a student provide her Facebook login credentials so school officials could view her account. In 2012, a federal district court held that such a practice (based on the facts presented at an early stage in the case) would violate the First and Fourth Amendment. See R.S. ex rel. S.S. v. Minnewaska Area District (Sept. 6, 2012).

Moreover, in certain cases, the practice of demanding access to online data could potentially violate the federal Computer Fraud and Abuse Act (CFAA), which essentially makes it a federal crime to engage in unauthorized access to any computer connected to the Internet or to any website. The CFAA applies not just to public schools and employers but to private ones as well.

Access and the Cloud: The Enormous Potential Consequences

Although most of the current focus on the issue has been on social media account passwords, the issue has far broader implications. Increasingly, people are storing extensive amounts of their data in the Cloud. Employers, schools, and government agencies could demand access to cloud service accounts where people store their entire repository of documents.

For example, Cloud service providers like DropBox and Box are used by many people to backup their entire lifetime’s worth of data – letters, writings, documents, diaries, medical records, photos, music, videos, and more. For employers, schools, and government agencies, why stop at social media when trying to pry into the personal lives of students and employees? Why not examine all the extensive repositories of data people have in the Cloud?

With the rise of the Cloud, demands for account access can turn into the functional equivalent to a demand to see an enormous amount of data about people’s private lives. This is a privacy invasion that could score an 11 on a 10-point scale!

State Legislation

In response to the media attention to the issue, states have engaged in a barrage of legislative activity over the past two years. More than 10 states now have laws, and legislation is pending in about 35 other states. You can follow the activity at the National Conference of State Legislatures. There are three key ways in which these laws differ:

1. In many states, the law covers both employers and schools. But in some, the law only covers employers.

2. Most states that have laws covering schools only cover higher education and do not cover K-12 schools. Michigan is one of the few exceptions which covers both higher education and K-12.

3. In a number of states, the law covers only social media sites. For example, the law in New Mexico applies to an online service where individuals “construct a public or semi-public profile” and “create a list of other users with whom they share a connection within the system.” Other states focus on all personal online accounts or are ambiguous about what types of accounts are covered. For example, Utah’s law applies to any “personal Internet account” which means “any online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.”

Given the implications, the laws should cover both employers and schools, both higher education and K-12 schools, and should extend to all accounts, not just social media accounts. This latter issue of scope is a very important one for the future of the Cloud. The privacy implications of data in cloud computing are significant, as social media really is just a subset of the Cloud.

As Brad Shear points out, once employers and school officials become fully versed in the laws on this issue and the potential legal liability, they might change their behavior.

The problem is that right now, many employers and school officials do not seem to be fully aware. Access to personal online accounts is an issue that is surprisingly quite deep and widespread. Legislatures are responding, but the danger is that they focus too narrowly and fail to see the larger scope and implications of the issue.

Cross-Posted at LinkedIn

You may also like...

3 Responses

  1. David Glenn says:

    This kind of serious issues should carefully studied and implemented strictly without violating our rights as citizens.

  2. Matt Bodie says:

    Dan — I think there’s also a strong argument that these practices would violate the intrusion upon seclusion tort. These requests seem like clear intentional intrusions, and I think the average person would find them to be highly offensive. I’ve worked on this issue for the Restatement of Employment Law; the latest version recognizes that it is a tort to require the employee to provide information that would otherwise be private if such a requirement is highly offensive (Sec. 7.04; see here: http://www.ali.org/00021333/Employment_Law_TD5_online.pdf). I’m curious to hear if any common-law claims have been brought against this new trend.

  3. PrometheeFeu says:

    Can you clarify as to where you think the CFAA comes in? All the examples you described seem to include authorized access only.

    Also, do you have numbers perhaps which would back up the assertion that these practices are prevalent?