10 posts categorized "Password Protection Laws"

Question: How is social media like pornography?

Answer: You know it when you see it.

Read on.

The Washington State legislature has now passed a social media account password protection bill. It goes to the Governor of Washington State, Jay Inslee, now; if Gov. Inslee signs it, it will be a law.

Here's a link to the bill as passed by both houses.

It's getting more complicated than those that have gone before, or at least those of other states which we have looked at here. More complicated in the sense that it doesn't just spell out that it's not okay for employers to demand user names and passwords from employees, but it goes further and expressly specifies that it's not okay to look over an employee's shoulder and watch while she or he logs on to a "personal social networking account." The Washington bill also makes it expressly not okay (well, against the law, assuming the bill is signed and becomes law) for an employer to demand that the employee friend or follow the employer! Take that, LinkedIn!

But here's the biggest surprise: though the Washington bill is eager to list out all varieties of coercion, it doesn't actually craft a defined term for "social media" or "social networking." Courts, presumably, will have to figure out what a "personal social media account" is.

Score one for our graders, who some months back said this was the right way to go (though I also like how Arkansas just went ahead and listed some incumbent players, e.g. Facebook and Twitter, as examples).

Photo: viZZZual.com / Flickr.

Checking in on state social media password laws

Looks like most states either now have or are actively considering laws to protect employees from having to turn over passwords to social media accounts. There's a terrific resource here, published by the National Conference of State Legislatures, that links to the relevant acts or bills and gives 2013 status reports for 35 states. (Here's a link to the NCSL report on 2012 activity.)


I like what I see in an Arkansas bill that appears to have become law in that state just this week. The Arkansas statute corrects two things that some of our panel of experts on wac6.com found wanting in earlier state statutes:

  • Arkansas' law addresses the possibility that an employer may legitimately have an ownership or other interest in a person's social media account; and
  • it contemplates that email should be protected.

Here's how the new Arkansas statute defines social media:

"(A) 'Social media account' means a personal account with an electronic medium or service where users may create, share, or view user-generated content, including without limitation: (i) Videos; (ii) Photographs; (iii) Blogs; (iv) Podcasts; (v) Messages; (vi) Emails; or (vii) Website profiles or locations.

"(B) 'Social media account' does not include an account: (i) Opened by an employee at the request of an employer; (ii) Provided to an employee by an employer such as a company email account or other software program owned or operated exclusively by an employer; (iii) Setup by an employee on behalf of an employer; or (iv) Setup by an employee to impersonate an employer through the use of the employer's name, logos, or trademarks.

"(C) 'Social media account' includes without limitation an account established with Facebook, Twitter, LinkedIn, MySpace, or Instagram."

Arkansas' definition of social media is the first I've seen that goes ahead and lists out examples of existing, famous services that are supposed to meet the criteria. I think that's a good idea.

Photo of Arkansas Capitol by L. Allen Brewer / Flickr.

Social networking password bill introduced in Congress takes different approach than state laws

We've been waiting to see the federal social networking password protection bill. Though it was introduced into the 113th Congress early this month by Representative Eliot Engel, it's taken some time for Congress to get the bill on the Library of Congress "Thomas" site.

But it's up now, and, again, it's called the "Social Networking Online Protection Act," H.R. 537.

A quick Deltaview check of H.R. 537 against the identically named bill introduced by Rep. Engel in the last Congress shows that the two are identical; so, we could have been looking at the prior bill without wasting effort.

In any case, here's what I take to be the gist of it:

"It shall be unlawful for any employer--

"(1) to require or request that an employee or applicant for employment provide the employer with a user name, password, or any other means for accessing a private email account of the employee or applicant or the personal account of the employee or applicant on any social networking website; or

"(2) to discharge, discipline, discriminate against in any manner, or deny employment or promotion to, or threaten to take any such action against, any employee or applicant for employment because--

"(A) the employee or applicant for employment refuses or declines to provide a user name, password, or other means for accessing a private email account of the employee or applicant or the personal account of the employee or applicant on any social networking website; or

"(B) such employee or applicant for employment has filed any complaint or instituted or caused to be instituted any proceeding under or related to this Act or has testified or is about to testify in any such proceeding."

Like all of the laws already on the books in six states, the federal bill would protect both employees and job applicants. Unlike most of those state laws, the bill would also protect passwords to email accounts.

What's a "social networking website" under Rep. Engel's bill?

"[A]ny Internet service, platform, or website that provides a user with a distinct account--

"(A) whereby the user can access such account by way of a distinct user name, password, or other means distinct for that user; and

"(B) that is primarily intended for the user to upload, store, and manage user-generated personal content on the service, platform, or website."

Very different from any of the state laws and state bills we have looked at so far. Correct me if I'm wrong, but I think this is the only legislative definition (operative or proposed) that supposes the user-generated nature of content should be distinctive. There is also a vague notion of "intent" in this definition. As I recall, most or many of the state definitions endeavored to describe how a social networking site actually functions, rather than appeal to the uses for which a site was "intended." (Invocations of intention are always punts to the courts.)

I doubt our graders will find the definition of "social networking" in this bill to be adequate.

One thing Venkat Balasubramani, in particular, will like about the definition in Rep. Engel's bill, I think: the qualifier "personal" with respect to the social networking account to be protected from employers. That's a critical distinction to make, insofar as (a) employers have legitimate interests in social networking accounts they own and employees maintain in the course of employment, and (b) many accounts mix business and personal interests.

Features of the federal bill not covered here: the penalties proposed to be imposed or imposable on employers for violating the legislation (is this really a matter for federal law?); and the aspects of the bill that pertain to educational institutions and the protection of student passwords.

Photo: Pieter Ouwerkerk / Flickr.

Social media password protection bills start to sweep the country

Last month we talked a lot about laws a handful of states have passed that address an apparent practice of employers demanding social media user names and passwords from employees and job applicants.

It must be a problem state legislators are hearing about, because the cause is picking up steam.

According to the National Conference of State Legislatures, social media password legislation "has been introduced or is pending in at least 25 states in 2013."

Twenty-five states!

Federal legislators want to address the issue, too.

The bill at the federal level is called "the Social Networking Online Protection Act." According to Thomas, it is numbered H.R. 537 and was introduced in the 113th Congress on February 6. As of this morning, Thomas reports that the text of the bill "has not yet been received" from the Government Printing Office. Though the bill may simply be a re-introduction of a bill that died in the prior Congress, let's wait to see the text of H.R. 537.

Also on this topic: yesterday on his and Eric Goldman's blog, Venkat Balasubramani posted on the Washington State social media password protection bill. I like how Venkat keeps a spotlight on the implications of these bills for the social media account ownership issues (is that Twitter account yours or your employer's?) that are playing out in a slew of court cases which he and Eric cover pretty much as they happen.

Thanks to Danan Margason for a heads up about state agendas for 2013 and to Joe Wallin for a heads up about the federal bill.

Photo: Nico Paix / Flickr.

Washington State to consider a social networking password protection law

Washington State legislators have introduced a bill (pdf) in the Washington State Senate that would make it unlawful for employers to ask employees or job applicants for passwords to social networking accounts.

If it passes, Washington will join at least six other states with similar laws.

Five Internet lawyers recently "graded" how those six other states did in defining what should be meant by "social media," "social networking site," or the like, for purposes of their respective statutes.

Comparing the Washington bill against the six state statutes we know of, the Washington bill is modeled most closely after the Illinois Act.

Here is a link to a redline (pdf) that takes the Illinois Act as the baseline and tracks changes in the Washington Senate bill against that. The comparison highlights how the sponsors of the Washington bill are dropping a couple of exceptions that would benefit employers; presumably the Washington legislators have seen the Illinois bill (or something very much like it) and have deliberately chosen to leave out some of the employer-friendly exceptions?

Among the express exceptions to be found in one or more of the other state statutes:

  • email;
  • passwords for employer devices;
  • actions taken to facilitate investigations of misconduct or illegal behavior.

I'm noticing different lawyers reacting differently to these laws, depending on whether they feel individual privacy protection should extend to online activities beyond or other than those on Facebook, Twitter, LinkedIn and their ilk.

For instance, Eric Goldman faults the California statute for imprecision; he thinks the California definition of "social media" fails because it can include everything. By contrast, the group of internet lawyers issuing “grades” on this blog generally preferred the statutes that try, like California’s, to protect a broader set of online activities.

I must admit to being skeptical as to whether laws like these are needed. But maybe, with Facebook use being so ubiquitous now, there is actually a problem out there with overreaching employers, something legislators are picking up on.

Image: Paul O'Rear / Flickr.

Here's how to go about protecting employee passwords the right way

The takeaway from our project to grade legislative definitions of social media may be this: legislatures, don't do it.

You'll get it wrong, you'll define a set of services that may be gone tomorrow, and you'll miss addressing the broader problem.

If you're going to legislate to protect employee internet behavior from overreaching employers, don't get distracted by narrowly defining the genus that would contain Facebook.

It's no accident that the internet lawyers grading the work of California, Delaware, Illinois, Maryland, Michigan and New Jersey prefer Maryland's statute. Maryland chose to avoid defining "social media" or "social networking site." Instead, the Maryland statute focuses on whether the circumstance at hand involves a user name or password, and leaves vague the nature of the account or service to which the user name or password relates.

Pulling the project's critique into sharpest focus is an alternative definition proposed by one of our graders, Kyle Hulten:

“'Personal Internet account' means any personal account for a password protected Internet based service."

Kyle explains his definition this way:

"[I]t’s simple to understand and it’s appropriately broad. I understand there may be some whom are uncomfortable with the ambiguity in the definition of 'personal account' but that’s language I trust a judge can interpret."

The comments of another of our graders, Venkat Balasubramani, contain additional advice to legislatures. It's great stuff, and if you follow how Venkat keeps up on the Technology & Marketing Law Blog with the subject of ownership of social media accounts, you'll know his view is informed by a close reading of all the recent cases on the subject:

"One thing drafters should worry about is whether these laws may unintentionally prevent the employer from trying to get access to mixed accounts (used for both business and personal) that were created or accessed by the employee after the employment relationship commenced. The few 'ownership' disputes over social media accounts that we've seen (along with personal experience) indicate that accounts are typically mixed — there's no clear factual answer of whether the account properly belongs to either the employer or the employee. I think a carveout that somehow makes clear that these statutes are not intended to alter ownership rules would be useful or something to consider."

That's not all. Venkat thinks that legislatures might do well to anticipate mischief resulting from (mis)use of Klout-like services:

" . . .I would consider whether 'social media credit checks' are covered by the statute. If a service aggregates publicly available data and makes certain judgments about you, should this information be off-limits to employers?"

Like Kyle, Venkat also offered thoughts on how to approach drafting legislation in this area:

"I would go with something pretty minimalist. 'A social media account is any network-based service that allows you to post or transmit content that's tied to a profile.' Then maybe box this in with private or public accounts. My qualm with most of the definitions is that they try to get too granular and in doing this don't account for changes or new services. Also, they don't really do a good job of getting into the private vs. public distinction, which is really the most important thing."

Finally, I want to quote at length the comments of Doug Cornelius, publisher of Compliance Building, which came in after the Tuesday post went to press. Doug says there is a business solution to the problem that may obviate the need for legislatures to intervene:

"I applaud the legislative efforts, although I think they are using lots of energy when there are bigger problems. The problem should be addressed by the social media platforms. Not only should they fix the problem, they can probably turn it into a revenue source.

"In the financial services industry, there are regulatory requirements to monitor employees’ interactions with customers. That’s easy to do with platforms controlled by the firm, like email, but difficult with the ever-changing platforms in social media. The solution. The social media platform should allow a company to monitor an employee’s account provided the company pays a monitoring fee. Of course the employee will need to consent to the monitoring. The platform gets a revenue stream and the company gets the monitoring and record-keeping it needs. The employee ends up with 'big brother' but only if the company thinks it’s a big enough problem that it is willing to pay the monitoring fee."

By the way, Doug graded the six legislative efforts, too, and his ranking pretty much matched that of Tuesday's group. Which state do you suppose ranked best with Doug? You guessed it:

"Of the six, I find Maryland’s to be the best. It does not limit its scope to social media. Maryland just uses the term 'personal account or service' but does not try to define it."

My thanks again to Venkat Balasubramani, Jeremy Freeland, Jay Gairson, Kyle Hulten and Danan Margason for their work, insight and sense of fun in tackling this project. Thanks to Doug, too, for getting into the spirit and for the terrific contribution.

All of us, I noticed Tuesday and I notice again today, happen to be male. I do want it to be known that several lawyers I asked to participate are female; I guess they didn't have the inclination or else the time to participate.

Picture of Maryland State Senate by Mark Peters / Flickr.

Grading the social media savvy of six state legislatures

Grades are in!

The project

Five internet lawyers, Venkat Balasubramani, Jeremy Freeland, Jay Gairson, Kyle Hulten and Danan Margason, have independently "graded" how six state legislatures have written up what should be meant by "social media" or "social networking site."

The states - identified as a group in a Wired post earlier this month - are California, Delaware, Illinois, Maryland, Michigan and New Jersey. Each has enacted a law to prohibit employers from requiring employees and job applicants to turn over passwords.

The grades

With no further ado, let's look at how each legislature did, moving from best to worst.


Maryland

"(1) Subject to paragraph (2) of this subsection, an employer may not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device. (2) An employer may require an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems."

Grade: B

Venkat points out that Maryland's is the "'no definition' definition" of social media. Presumably, courts are going to have to decide what is meant by "a personal account or service through an electronic communications device."

But the graders as a group like Maryland's approach the best.

Jay comments in part, "Good job covering almost all of the user's private passwords, and making a solid exemption for when the employer has an ownership interest in the account." Jay's only quibble is that Maryland's approach "restricts itself to a 'personal account,' which means if the new employee has a business the account might not be covered - even if separate from the employer's business."


California

"As used in this chapter, 'social media' means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations."

Grade: B

Of California's definition, Jeremy comments:

"I like it. It addresses just about any content a candidate may have made available over the internet that can’t be located by a searcher without knowledge of a user name. For example, if a candidate regularly shares their political or religious opinions in comments on newspaper articles, but does so under an alias, then even though the comments are publicly available, they couldn’t be associated with the candidate. With this definition, a candidate couldn’t be required to disclose the alias, and couldn’t be associated with his or her comments."

Similarly, Jay finds that the California definition "covers essentially all electronic services and accounts."

Danan perceives a troublesome lack of internal consistency within the statute:

"[T]hroughout the statute the legislature repeatedly refers to 'personal social media,' but the definition above only uses the term 'social media.' (e.g. 'An employer shall not require or request an employee… [to] disclose a username or password for the purpose of accessing personal social media.'). Thus we are left to wonder what 'personal' means. Is there some social media that is not 'personal,' and thus accessible by the employer?"


Michigan

“'Personal internet account' means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data."

Grade: B-

Michigan's definition is Danan's personal favorite. He comments:

"I really like Michigan’s definition. It’s not limited to 'social media' per se, but it’s a good characterization of the types of sites we want to keep private. Basically, Michigan’s definition includes any site that has a login and a 'profile' of some sort. This includes every social media account, but it also includes bank websites, online ticketing sites, message boards, Dropbox, and virtually every other site somebody could theoretically log into and store private information. This is exactly what legislatures should be trying to protect from employer access."

But Jeremy dissents:

"This is exponentially complex drafting – 4 verbs (view, create, utilize and edit) apply to 5 nouns (account information, profile, display, communications, and stored data). I think the principle appears good, but it’s too challenging to apply – more appealing to litigators than in-house counsel trying to establish a compliance program."

New Jersey

“'Social networking website' means an Internet-based service that allows individuals to construct a public or semi-public profile within a bounded system created by the service, create a list of other users with whom they share a connection within the system, and view and navigate their list of connections and those made by others within the system."

Grade: D+

Yep, we've fallen off a cliff now.

Notes Venkat, "It's confusing as to whether any functionality listed in the definition brings a service within the bounds of the statute."

Kyle comments:

"New Jersey’s law doesn’t protect private profiles, nor would it protect email accounts. While social networking sites are all about 'connections,' I think the point of this type of legislation is to protect the privacy of potential employees, so I don’t think it’s wise to limit the protection to sites where you only have information about your social connections."


Illinois

"For the purposes of this subsection, 'social networking website' means an Internet-based service that allows individuals to: (A) construct a public or semi-public profile within a bounded system, created by the service; (B) create a list of other users with whom they share a connection within the system; and (C) view and navigate their list of connections and those made by others within the system. 'Social networking website' shall not include electronic mail."

Grade: D

Here's Kyle on the Illinois definition:

"Again, I think email should be captured by these statutes. The conjunctive list is better than Delaware’s in the sense that it is clearly demarcated. I also like the fact that there is no ambiguity about whether or not email is protected—even if they did come down on the wrong side of the issue in my opinion. The worst part about this definition is that it doesn’t include private profiles. I assume private profiles are intended to be covered under the 'semi-public' definition, but why they didn’t also explicitly include private profiles is difficult to understand."


Delaware

"'Social networking site' means an internet-based, personalized, privacy-protected website or application whether free or commercial that allows users to construct a private or semi-private profile site within a bounded system, create a list of other system users who are granted reciprocal access to the individual’s profile site, send and receive email, and share personal content, communications, and contacts."

Grade: D

Delaware and Illinois received the same grade. 

By now it should be clear that our graders, as a group, don't appreciate definitions of social media that are too restrictive. They are bringing policy judgments to bear in their grading!

Danan writes:

"I could write an entire essay on the number of sites Delaware’s definition excludes, but let’s start with Twitter. When I follow somebody on Twitter, I am not ‘creating a list of users that are granted reciprocal access.’ No, their access to my profile and tweets was available before I followed them, and unless they follow me back I can’t send a direct message or have any other unique access. On Facebook, too, I cannot ‘create’ a list of users. If I friend somebody they need to actively accept my request. I am not unilaterally creating anything."

Similarly, Jay notes:

"Delaware restricts the definition to peer-to-peer networking sites that grant privacy features. If everything on the site defaults to public, or there is no privacy policy or functions in place, the user has no right to protect his or her password? That does not make any sense at all."

The graders

A few words about each grader:

To follow in a subsequent post: two of our graders take a stab at proposing how they would write a definition of social media.

Photo credit: victoriabernal / Flickr.
