This is the fifth in a series of articles on officers’ rights, responsibilities and liabilities for what they post on the Internet. Last month in Are you Prepared to Be Cybervetted we ended with the question of just how deep can departments dig for digital dirt on job applicant and officers.
Give Us Your Username & Password
Consider this job applicant scenario posed by Jared Shelly in a March 2011 online article for Human Resource Executives:
Will you submit to a drug test?
Can you provide a few references?
Would you mind telling us your Facebook username and password?
Shelly’s article, along with numerous others, was sparked by March 2011 headlines that Maryland’s Department of Public Safety and Corrections was requiring applicants to provide their Facebook usernames and passwords. The case broke, however, not with a new job applicant but with a three-year DOC veteran who was re-applying after taking a leave of absence following his mother’s death.
Robert Collins says the department demanded the information. The department said any such information is voluntary, if an applicant refuses it’s not held against them. Either way, the practice upset Collins and the ACLU, who jumped into the case.
Collins provided the information but his take on the experience expressed what I hear from many recruits and officers across the country when it comes to their private Internet postings:
“Here I am, a U.S. citizen who hasn’t broken any laws and hasn’t committed any crimes and I have … an employer looking at my personal communications, my personal posts, my personal pictures [and] looking at my personal identifiable information where my religious beliefs, my political beliefs, my sexuality – all these things are possibly disclosed on this page. … It’s an absolute and total invasion, overreach and overstep on their part. … As officers, we don’t forfeit our civil rights. … You can’t invade someone’s privacy.”
After the media uproar, the department suspended the policy for 45 days to review it. That time hadn’t passed by the writing of this article. Can you hear me now, Maryland DOC and DPS? Rethink your policy or you and other law enforcement agencies nation-wide could end up with politicians setting your vetting guidelines.
Maryland State Senator Ron Young introduced a bill on March 8 that would prohibit employers from requiring job applicants to disclose usernames or passwords for social media sites nor could they threaten to take or take disciplinary action against current employees who refused to disclose the information.
S.B. 971, however, doesn’t prohibit employers from using information from social media sites they otherwise obtain non-fraudulently. Nor does it prohibit employers from asking prospective or current employees to provide the information voluntarily. The status of Young’s bill was still pending as of this writing.
Although this may be breaking news and legislation in Maryland, in the words of Yogi Berra, it must have been déjà vu all over again for Bozeman, Montana.
Maryland Could’ve Learned from Montana
Anthony Zaller, writing for the California Employment Law Report, predicted in 2009 that as more people began to live on the Internet, state legislatures would begin to define what employers could and couldn’t ask for from employees’ private Internet postings. His prediction stemmed from a story out of Bozeman that year.
Bozeman made world-wide headlines and caused a firestorm among privacy groups nearly two years ago by asking city, fire and police job applicants to provide their usernames and passwords to social networking sites. As a result of the outcry, the city said it would likely remove the request but might still require job applicants to “friend” the city so it could see what was posted. In defense of the policy, the assistant city manager stated:
“Shame on us if there was information out there available about a person who applied for a job who was a child molester or had some sort of information out there on the Internet that kind of showed those propensities and we didn’t look for it, we didn’t ask and we hired that person. In many ways we would have let the public down.”
Things heated up. The city council voted to hire an investigator to look into how the controversial policy was initiated by the city’s human resource department. Then the policy got dropped.
Finally, the city manager officially apologized for the intrusions saying they appeared to go beyond what was acceptable to the community. I wonder if the assistant city manager still had a job and how many HR heads rolled.
Legal “Experts” Weigh In
Shelly’s article notes that some legal experts in the U.S. say it’s not illegal to request Facebook usernames and password information from employees and applicants, but it’s rarely done.
Bradley Shearer practices cyber and social media law in D.C. Commenting on the Maryland case, he concluded that the overwhelming majority of employers in the public and private sector should not request or demand an applicant’s or employee’s social media username or password. But he left room for an exception to this rule for, “[H]igh level positions with the CIA, FBI, NSA, Homeland Security, private contractors who hire those with high security clearances, etc.”
Whether such positions will be excepted, along with state and local law enforcement, has yet to be decided by the courts. But if politicians like Maryland’s Sen. Young have anything to say, state legislators may well beat the courts to it. Then it will be left to the courts to decide the constitutionality of any such statutes.
Joseph Beachboard, an employment attorney quoted by Shelly, takes a different view:
“We’ll urinate in a cup or let somebody take our blood as part of an application process. For me that’s, in many ways, a much greater invasion than taking a look at what I put on the Internet.”
Beachboard went on to note that if a company has a drug-testing policy and an applicant doesn’t agree to be tested, it’s perfectly legal not to hire the person.
The ACLU in the Maryland case likened the agency’s practice to requiring an applicant to allow access to personal phone calls. Other privacy rights activists have compared it to requiring you to let an employer read your diary, love letters, or turn over the keys to your home so the employer can browse before hiring, retaining, or promoting you.
Beyond jurisdictional privacy laws and public expectations, I’d like to point out a statute and case ruling relevant to this discussion.
Pietrylo raises the specter that “coercing” employees or job applicants to divulge their passwords or personal emails as a condition of employment may violate 18 U.S.C. 2701. What constitutes coercion is debatable, as demonstrated by the different views of Robert Collins and the Maryland DOC. Additionally, numerous states have their own version of the federal Stored Communications Act, Maryland being one of them.
I’m not a legal expert in this area, but I agree with Katherine Parker, partner and co-head of an employment law counseling group in New York. She concluded we don’t know yet what the legal outcome will be regarding employers requiring employees to hand over social network passwords.
The IACP Weighs In
The International Association of Chiefs of Police (IACP) released a report at the end of last year on cybervetting applicants and employees. The IACP’s position when it comes to usernames and passwords is:
With the consent of applicants, candidates, and incumbents, law enforcement agencies may review online information about these individuals available on websites, where a subject’s password is required to view content. . . . Applicants, candidates, and incumbents may be asked to access password-protected websites so that the recruiter or background investigator can review their profiles, blogs, or other online forums for disqualifying content. . . . Law enforcement agencies should not ask for passwords.
The report also recommends that cybervetting be done by an independent third party. Legally, that’s smart. Like Robert Collins said, cybervetting through private social media postings can reveal applicants’ or employees’ religious beliefs, sexual orientation, political views, plans for having children—all of which can be discriminatory legal landmines. An agency doesn’t want to be in the position of having to prove they didn’t pass over an applicant or officer because of one of these protected reasons. But how many agencies can afford third party cybervetting?
Legalities aside, the wisdom of the IACP’s position in light of the litmus test of Bozeman—an All American City according to the National Civic League— may be questioned. The difference between asking for a password or asking the applicant or officer to access password protected information for review may be one that the public, politicians, applicants and officers don’t accept.
In researching and writing this series I’ve discovered that a lot of Baby Boomers shaping public safety agencies’ policies on social media take the position that you should consider anything you post on the Internet—regardless of your privacy settings—like it was being published in a newspaper.
Younger job applicants and officers view this idea as profoundly out-of-touch and out-of-date. Until this generation gap regarding private and public social postings online is bridged, no agency’s social media policy will actually work within the ranks.
Tune in next month for Hey Brass, Facebook Isn’t a Newspaper!