Back in February, Emily Marshall blogged about the "Social Networking Online Protection Act" (or SNOPA) that was recently reintroduced to Congress. This bill would prevent employers from forcing employees to hand over their social networking passwords as a condition of employment. While there isn't any current federal protection against this, several states have taken the task upon themselves, with 14 states introducing and 6 states passing this type of law in 2012. I agree with Emily's contention that this is common sense legislation. My home state of Washington seems to disagree. They introduced SB 6637 in April of 2012 and it hasn't been heard of since. Continuing the tradition, they introduced the extraordinarily similar SB 5211 this January, which has now made it out of committee and might just become a real boy someday.
Now you might be thinking that another state maybe, possibly, potentially passing a similar bill to a lot of other states is hardly a sexy topic for this blog. And you'd be right, if it were not Washington state. This past Thursday, techdirt let me know that Washington found a way to mess this up: amending SB 5211 to give employers a new right to request social networking passwords. Now, as it turns out, techdirt's reporting was a bit late; the amendment was withdrawn on April 3rd. Regardless, the mere fact that the amendment was proposed gives us an opportunity to study how privacy law could go bad (and to mourn for the alternate world in which this passed).
The text of SB 5211 makes it unlawful for pretty much anyone to require their employees to give them their personal social networking password or to let them access the employee's account. It creates a civil action awarding a $500 penalty plus any actual damages and attorneys' fees if the employee wins, and awarding the employer reasonable expenses and attorneys' fees when the suit turns out to be frivolous. The amendment added an exception: if it is conducting an investigation, an employer can go ahead and demand a password or access to an employee's personal account if:
The investigation is undertaken in response to receipt of specific information about the employee or prospective employee's activity on his or her personal account or profile;
The purpose of the investigation is to: ensure compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or investigate an allegation of unauthorized transfer of an employer's proprietary information, confidential information, or financial data;
The employer informs the employee or prospective employee of the purpose of the investigation, describes the information for which the employer will search, and permits the employee or prospective employee to be present during the search;
The employer requires the employee or prospective employee to share the activity or content that was reported;
The scope of the search does not exceed the purpose of the investigation; and
The employer maintains any information obtained as confidential, unless the information may be relevant to a criminal investigation.
On the one hand, it does attempt to appear reasonable. The scope is somewhat narrow, there has to be specific information, and the information is kept confidential. But on the other hand, the state would have directly endorsed employer intrusion into their employees' private accounts as part of a bill designed to protect employees from exactly that. To use one of those terrible analogies that judges love, your employer cannot force you to let them into your home and rifle through your personal journals and written correspondence because they expect to find evidence of employee malfeasance, but this law would let them do the same to your hidden group posts and messages on Facebook. If you don't like it, you can quit or be fired and you would have no recourse.
Aside from being terrible policy, such a provision could also violate federal law. The techdirt article points out that, if willingly violating a website's terms of service counts as accessing a protected computer without authorization/exceeding authorized access, this scheme could lead to rampant CFAA violations. Facebook, for example, includes in its terms of service that "[y]ou will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account." Is the CFAA violated when your employer proceeds to access your account in breach of Facebook's terms? United States v. Drew suggests that it might not, but that doesn't foreclose the possibility that this law would have thrown employers from the frying pan into the fire by giving state approval to an action resulting in federal violations.
Fortunately, the law is going forward without this amendment, but one has to raise one's eyebrows when one of the most liberal states in the nation even considers such a bill. If New Amsterdam can think about it, then perhaps someone else will actually do it. This may seem like a First World Problem™, but I can't imagine any worker anywhere would be all that thrilled about their employer having the right to listen in when that worker privately complained to their buddies.