Grades are in!
Five internet lawyers, Venkat Balasubramani
, Jeremy Freeland
, Jay Gairson
, Kyle Hulten
and Danan Margason
, have independently "graded" how six state legislatures have written up what should be meant by "social media" or "social networking site."
The states - identified as a group in a Wired post earlier this month - are California, Delaware, Illinois, Maryland, Michigan and New Jersey. Each has enacted a law to prohibit employers from requiring employees and job applicants to turn over passwords.
With no further ado, let's look at how each legislature did, moving from best to worst.
"(1) Subject to paragraph (2) of this subsection, an employer may not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device. (2) An employer may require an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems."
Venkat points out that Maryland's is the "'no definition' definition" of social media. Presumably, courts are going to have to decide what is meant by "a personal account or service through an electronic communications device."
But the graders as a group like Maryland's approach the best.
Jay comments in part, "Good job covering almost all of the user's private passwords, and making a solid exemption for when the employer has an ownership interest in the account." Jay's only quibble is that Maryland's approach "restricts itself to a 'personal account,' which means if the new employee has a business the account might not be covered - even if separate from the employer's business."
"As used in this chapter, 'social media' means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations."
Of California's definition, Jeremy comments:
"I like it. It addresses just about any content a candidate may have made available over the internet that can’t be located by a searcher without knowledge of a user name. For example, if a candidate regularly shares their political or religious opinions in comments on newspaper articles, but does so under an alias, then even though the comments are publicly available, they couldn’t be associated with the candidate. With this definition, a candidate couldn’t be required to disclose the alias, and couldn’t be associated with his or her comments."
Similarly, Jay finds that the California definition "covers essentially all electronic services and accounts."
Danan perceives a troublesome lack of internal consistency within the statute:
"[T]hroughout the statute the legislature repeatedly refers to 'personal social media,' but the definition above only uses the term 'social media.' (e.g. 'An employer shall not require or request an employee… [to] disclose a username or password for the purpose of accessing personal social media.'). Thus we are left to wonder what 'personal' means. Is there some social media that is not 'personal,' and thus accessible by the employer?"
“'Personal internet account' means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data."
Michigan's definition is Danan's personal favorite. He comments:
"I really like Michigan’s definition. It’s not limited to 'social media' per se, but it’s a good characterization of the types of sites we want to keep private. Basically, Michigan’s definition includes any site that has a login and a 'profile' of some sort. This includes every social media account, but it also includes bank websites, online ticketing sites, message boards, Dropbox, and virtually every other site somebody could theoretically log into and store private information. This is exactly what legislatures should be trying to protect from employer access."
But Jeremy dissents:
"This is exponentially complex drafting – 4 verbs (view, create, utilize and edit) apply to 5 nouns (account information, profile, display communications, and stored data). I think the principle appears good, but it’s too challenging to apply – more appealing to litigators than in-house counsel trying to establish a compliance program."
“'Social networking website' means an Internet-based service that allows individuals to construct a public or semi-public profile within a bounded system created by the service, create a list of other users with whom they share a connection within the system, and view and navigate their list of connections and those made by others within the system."
Yep, we've fallen off a cliff now.
Notes Venkat, "It's confusing as to whether any functionality listed in the definition brings a service within the bounds of the statute."
"New Jersey’s law doesn’t protect private profiles, nor would it protect email accounts. While social networking sites are all about 'connections,' I think the point of this type of legislation is to protect the privacy of potential employees, so I don’t think it’s wise to limit the protection to sites where you only have information about your social connections."
"For the purposes of this subsection, 'social networking website' means an Internet-based service that allows individuals to: (A) construct a public or semi-public profile within a bounded system, created by the service; (B) create a list of other users with whom they share a connection within the system; and (C) view and navigate their list of connections and those made by others within the system. 'Social networking website' shall not include electronic mail."
Here's Kyle on the Illinois definition:
"Again, I think email should be captured by these statutes. The conjunctive list is better than Delaware’s in the sense that it is clearly demarcated. I also like the fact
that there is no ambiguity about whether or not email is protected—even if they
did come down on the wrong side of the issue in my opinion. The worst part
about this definition is that it doesn’t include private profiles. I assume
private profiles are intended to be covered under the 'semi-public' definition,
but why they didn’t also explicitly include private profiles is difficult to
"'Social networking site' means an internet-based, personalized, privacy-protected website or application whether free or commercial that allows users to construct a private or semi-private profile site within a bounded system, create a list of other system users who are granted reciprocal access to the individual’s profile site, send and receive email, and share personal content, communications, and contacts."
Delaware and Illinois received the same grade.
By now it should be clear that our graders, as a group, don't appreciate definitions of social media that are too restrictive. They are bring policy judgments to bear in their grading!
"I could write an entire essay on the number of sites Delaware’s definition excludes, but let’s start with Twitter. When I follow somebody on Twitter, I am not ‘creating a list of users that are granted reciprocal access.’ No, their access to my profile and tweets was available before I followed them, and unless they follow me back I can’t send a direct message or have any other unique access. On Facebook, too, I cannot ‘create’ a list of users. If I friend somebody they need to actively accept my request. I am not unilaterally creating anything."
Similarly, Jay notes:
"Delaware restricts the definition to peer-to-peer networking sites that grant
functions in place, the user has no right to protect his or her password? That does not make any
sense at all."
A few words about each grader:
To follow in a subsequent post: two of our graders take a stab at proposing how they would write a definition of social media.
Photo credit: victoriabernal / Flickr.