Monday, April 2, 2012

The Case Against Requiring Social Network Passwords

No, I'm not finished milking this issue yet. The topic of employers requiring applicants' Facebook passwords at job interviews has generated significant backlash, and a consensus amongst employment law bloggers that it's not cool and potentially not legal (Molly DiBianca joined earlier today).

What is unlawful about it? Generally, the Stored Communications Act prohibits accessing "a facility through which an electronic communication service is provided" without authorization. 18 U.S.C. § 2701(c). In Pietrylo v. Hillstone Restaurant Group, the District Court of New Jersey applied it to an employer who accessed a forum using an employee's MySpace login:
[The Employee] testified that she felt she had to give her password to [her supervisor] because she worked at [the employer] and for [the supervisor]. She further testified that she would not have given [her supervisor] her password if he had not been a manager, and that she would not have given her information to other co-workers. Furthermore, when asked whether she felt that something would happen to her if she did not give [her supervisor] her password, she answered "I felt that I probably would have gotten in trouble." The jury could reasonably infer from such testimony that [the employee's] purported "authorization" was coerced or provided under pressure. As a result, this testimony provided a basis for the jury to infer that [the employer's] accessing of the [MySpace forum] was not, in fact, authorized.
Got that? An employer may be liable under the Stored Communications Act where a supervisor pressures an employee into handing over her password (and then uses the password to access the service).

It's pretty easy to see how this might extend to the job application process - if the applicant hands over her password, was it "coerced" or "under pressure" so as to make subsequent use of the password "unauthorized"?

I say "might" for two reasons: 1. maybe Pietrylo would have come out differently if it was an applicant and not an employee; and 2. one unpublished District of New Jersey opinion hardly resolves the issue. The bottom line is that accessing social networks after pressuring an employee or applicant to log in or hand over a password is risky - and might result in liability.