Is it Really Illegal to Require an Applicant or Employee to Disclose her Password to a "Friends-Only" Facebook Page?

Social Media in Bright Yellow LetteringRecently, the American Civil Liberties Union of Maryland tried to publicly embarrass the Maryland Department of Public Safety and Correctional Services (the “Maryland Corrections Department”) into suspending its practice of asking job applicants to disclose their Facebook password so that the Department could check whether the applicant’s wall or stored e-mail revealed any connection to criminal activity. According to a letter dated January 25, 2011 (pdf), sent by the ACLU to the Maryland Corrections Department, this practice “is illegal under the federal Stored Communications Act (SCA), 18 U.S.C. §§2701-11 and its state analog, Md. Courts & Jud. Proc. Art., §10-4A-01, et seq.” The ACLU’s contention is inaccurate.

Both of the cited statutes prohibit unauthorized access to electronic communications stored at an electronic communications service provider. Even assuming that these statutes apply to content stored on Facebook’s servers (and that point is far from settled), the Maryland Corrections Department did not gain “unauthorized” access to applicants’ Facebook page. Rather, the Department would access information on Facebook only after the applicant authorized such access by providing the Department with the applicant’s password.

The true core of the ACLU's position is the following assertion contained in its January 25, 2011 letter: “[T]here can be little question but that forced ‘authorization,’ such as that demanded of [the applicant by the Maryland Corrections Department], is not proper authorization under the SCA, given the disparate bargaining power of the employer and employee or applicant.” While rhetorically appealing at first blush, this argument assumes too much, especially with respect to applicants.

Applicants are not “forced” to provide authorization. The Maryland Corrections Department emphasized that applicants could refuse to provide their password and may still be eligible for a position. But, even if the Department’s practice were to require disclosure of the password, an applicant who does not want a prospective employer to view his “friends-only” Facebook page would have the choice to refuse the request and hope to get the position or seek employment elsewhere. Indeed, if the ACLU’s contention were correct, then the millions of authorizations for pre-employment background checks and drug screens that have been executed by applicants since those forms of pre-employment investigations became routine also would be invalid.

Notably, the only case cited by the ACLU in support of its position — Pietrylo v. Hillstone Restaurant Group, 29 IER Cases 1438, 2009 WL 312420 (D.N.J. 2009) — involved an employee, not a job applicant. Thus, a court likely would not hold that an employer who gave an applicant a choice between being disqualified from consideration for a position or disclosing her Facebook password violated the federal Stored Communications Act by using the self-disclosed password to access the applicant’s restricted Facebook page.

Of course, there are other reasons why employers should carefully evaluate the practice, not least of which is avoiding the media spotlight that the ACLU often can attract to an issue, as it did in the case of the Maryland Corrections Department. Accessing an applicant’s restricted Facebook page increases the likelihood that an employer will obtain information, such as family medical history (i.e. “genetic information”) or an undisclosed disability, upon which an employer could not lawfully rely in making an employment decision. Employers also need to consider whether and to what extent information obtained from a medium the very purpose of which is to socialize (rather than to build one’s resume) bears any relevance to the hiring decision. Finally, the employer could gain a bad reputation among potential applicants who — however wrongly — believe the employer is acting unlawfully.

The ACLU’s reference to the Pietrylo case and the purportedly “disparate bargaining power between employers and employees” does raise the important question whether an employer who receives a Facebook password from an employee in response to a request gains “forced authorization” to a restricted Facebook page. In Pietrylo, which we have covered in an earlier blog post, an employee admitted at trial that she gave her password to a restricted MySpace page to the management-level employees who accessed the page and were accused by two other employees of violating the federal Stored Communications Act. The employee also testified that she subjectively feared “something bad might happen to her” if she did not disclose her password. The court found this testimony was sufficient to support the jury’s finding that the employee’s authorization was invalid, even though there was no evidence that the managers had threatened the employee in any way whatsoever. Notably, the court did not cite a single case, any language in the SCA itself, any legislative history, nor any other authority in support of its holding. Needless to say, the question remains wide open whether the purportedly “disparate bargaining power of the employer and employee” does, in fact, convert any employee’s apparently voluntary disclosure of a Facebook password into “forced authorization.”

Until the question has been definitively answered, employers have a simple—if “low tech”—work around: ask the employee who otherwise would be asked for a password to print screen shots of material posted on the restricted Facebook page. It is remarkable how many “friends” who are offended by a co-worker’s posts on a restricted Facebook page will voluntarily print that information and turn it over to HR or a manager. Because the federal Stored Communications Act makes it unlawful only to gain unauthorized access to an electronic communication stored at an electronic communications service provider, reading a printed version of a restricted wall post does not implicate the Act.

Employers also should note that the jury in the Pietrylo case rejected the plaintiffs’ invasion of privacy claim, a fact that the ACLU does not mention in its January 25, 2011 letter. The jury apparently found that the plaintiffs could not reasonably expect their posts on the friends only MySpace page to remain private when anyone on the friends list could disclose the contents of the page without restriction. This finding is consistent with the common sense proposition that an employee or applicant cannot reasonably expect privacy when sharing information with dozens, or even hundreds, of friends, none of whom are under an obligation of confidentiality.

Photo credit: Warchi

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.