Banning Forced Disclosure of Social Network Passwords and the Polygraph Precedent

The Maryland General Assembly has just become the first state legislature to vote to ban employers’ from requiring employees to reveal their Facebook or other social network passwords.  Other states are considering similar bills, and Senators Schumer and Blumenthal are pushing the idea in Congress.

As often happens in privacy debates, there are concerns from industry that well-intentioned laws will have dire consequences — Really Dangerous People might get into positions of trust, so we need to permit employers to force their employees to open up their Facebook accounts to their bosses.

Also, as often happens in privacy debates, people breathlessly debate the issue as though it is completely new and unprecedented.

We do have a precedent, however.  In 1988, Congress enacted the Employee Polygraph Protection Act  (EPPA).  The EPPA says that employers don’t get to know everything an employee is thinking.  Polygraphs are flat-out banned in almost all employment settings.  The law was signed by President Reagan, after Secretary of State George Shultz threatened to resign rather than take one.

The idea behind the EPPA and the new Maryland bill are similar — employees have a private realm where they can think and be a person, outside of the surveillance of the employer.  Imagine a polygraph if your boss asked what you really thought about him/her.  Imagine your social networking activities if your boss got to read your private messages and impromptu thoughts.

For private sector employers, the EPPA has quite narrow exceptions, such as for counter-intelligence, armored car personnel, and employees who are suspected of causing economic loss.  That list of exceptions can be a useful baseline to consider for social network passwords.

In summary — longstanding and bipartisan support to block this sort of intrusion into employees’ private lives.  The social networks themselves support this ban on having employers require the passwords.  I think we should, too.

You may also like...

13 Responses

  1. Anon says:

    But is posting on Facebook really the same thing as having a private, unspoken thought in one’s head? It is one thing for a boss to try to ferret out employees who are thinking bad thoughts. It is quite another for a boss to try to ferret out employees who have the poor judgment of inappropriately discussing things about their employee with their 500 “friends.” If someone on Facebook cares about their privacy, maybe they should just keep things private.

  2. Joseph Slater says:

    Interesting post, but here’s a distinction. At least one of the main motivations for the EPPA was that polygraphs were (and are) much less accurate than most people thought, at least in the context of ferreting out rare but dangerous characteristics of potential employees. The problem of significant numbers of “false positives” and “false negatives” when asking, say, 100 job applicants questions about whether they are sexually attracted to children has no direct analogy to inspecting Facebook pages.

  3. Logan says:


    To a certain extent I agree with your statement but at the same time, employers have hired and fired millions upon millions of employees throughout history without the aid of social networking sites. I’ve personally denied access to employers and will continue to do that as long as they are allowed to ask for it. In some cases, I’ve been hired and in others, I was told to look elsewhere.

    The only scenario I could agree with the employer having the right to access this information would be for positions that require a security clearance for working with or for the government. Having gone through a Top Security SCI screening before, I can’t imagine they’d gain much from my Facebook account (they interview almost everyone you’ve ever met and require a detailed history of your past 15 years I think it was) but I could understand why they’d be asking for it.

  4. Anon With Some Baseline of Technical Knowledge says:

    I am amazed that “anon” at comment 1 is so technically inept that he/she doesn’t seem to understand that the person with the password can also access the private messages sent on the Facebook network to individuals. Moreover, not everyone on Facebook has “500 friends.”

    The tragic thing is: people like 1. anon are probably advising Congressional leaders now.

    Swire is exactly right: This needs to be stopped immediately.

  5. Peter Swire says:

    The password on Facebook gets access to a person’s individual messages/emails to people. Does anyone think that employees should have to hand over the password for all of their personal email accounts?

    Joseph Slater makes an excellent point that one basis for the polygraph law was technical questions about accuracy. But the core of the law, and the reason I believe that Secretary of State Shultz fought so hard on it, is a view that employers can blackmail/abuse/discriminate in how they intrude into an employee’s thoughts. In a world of pervasive social networking, an employer accessing all of those messages sees things that are far outside the scope of the work relationship.

  6. Joseph Slater says:

    I do think it’s a good and interesting comparison.

  7. Anna says:

    The first poster’s position may be a tad extreme, but I do think that there is a kernel of truth there. There is a difference between what one is thinking but not articulating and what one chooses to share with one’s friends through social networking. I think that Judge Kozinski makes a valid point:

  8. Ken Rhodes says:

    “What one chooses to share with friends through social networking” is somewhat a misleading choice of words.

    In the beginning, Facebook was simply an essentially open-forum social site. Yoou “friended” someone and it gave him access to the stuff you posted. Now, however, it now has two categories of private communications–emails and messages. Thus, the disclosure of one’s password is not like “friending” your employer. The password gives access to your private communications. This, then, would be giving the employer the right to your emails and your private messages as well as your posts.

    Because Facebook has always guaranteed that the messages would be held private, this is an attractive feature, bypassing as it does the complex and very insecure transport mechanisms of Internet email. It is, in essence, a “secret drop box” for communiques similar to what we see in spy movies. The expectation of privacy is thus much *higher* than it would be for the same emails being sent from your traditional email account on your ISP to your friend’s email account on his ISP, or to your Facebook email account.

  9. NC Lawyer says:

    Ken, your assessment of the situation is well reasoned. While an employer may have the right to monitor company email or phone calls for propriety, it does not have a right to access all communications that you might have.

  10. First, they pester you with blackberry emails on weekends and now they want access to your Facebook information? The bosses should buzz off. People have a right to privacy and some time for themselves.

  11. Ryan Calo says:


    Interesting post. I wonder whether employers then and today have different motivations. An employer asking for a polygraph is after corroboration—for instance, that the individual is not a thief or a drug addict. An employer asking for access to a social network is probably trying to figure out if the employee will publicly embarrass the organization. They may even be trying to incentivize the employee to clean up his or her profile and wall. (Who wouldn’t do so, knowing an employer intended to look around.)

    Perhaps an equally credible analog, then, at least for government employees, is the oath requirement famously rejected for police officers. I believe it was the Maryland Department of Corrections’ practice of requesting Facebook passwords that sparked the legislative backlash here.



  12. Peter Swire says:

    Responding to Ryan Calo: I think the use of polygraphs was heading down a much broader path than simply the thief/addict questions. Discussion of broad threat of polygraphs and employer power over employees in Alan Westin’s Privacy and Freedom and Long book The Intruders from that period.

    I agree that the oath/loyalty precedent is another helpful one to explain why it is overreaching for employers generally to ask for the social network passwords.