
Thursday, March 22, 2012

Facebook, Employers, and the Keys to Your House

This AP news article states that it is increasingly common for employers to ask job seekers for their Facebook passwords. Employers then hunt around in your private information to spot what they perceive as red flags:  "'It's akin to requiring someone's house keys,' said Orin Kerr, a George Washington University law professor and former federal prosecutor who calls it 'an egregious privacy violation.'"

When I saw this piece, entitled "What Should You Do if Your Employer Asks for Your Facebook Password?" (via Frank Pasquale via FB), I expected it to say, "Tell your employer that you are not permitted to give out the password because it would violate the terms of service with Facebook." But the article doesn't say that. Does that mean Facebook allows you to give out your password?  Or are employers simply indifferent to Facebook policies?  I imagine it's the latter.

Suppose employers are ignoring or would ignore such policies.  Could Facebook make it a violation of the terms of service to ask for someone else's Facebook password in hiring and employment contexts? Then, people who are not hired or are fired could report that to Facebook and at least cause trouble for the companies (and possibly HR staff) that may have their own Facebook accounts. Even if employers are prohibited from asking for your password, they could presumably still ask you to log in yourself and let them have a look around. But at least having you present when the company takes a tour of your home (to follow Orin's analogy) would make things a little more difficult or awkward for employers. And presumably, terms of service could be crafted to prohibit that as well.

Posted by Adam Kolber on March 22, 2012 at 05:54 AM





To clarify, my argument is that it doesn't rely on the TOS: gaining access to Facebook's servers by misrepresenting yourself as someone you're not (especially since Facebook accounts are designed to represent individuals, not just a collection of access rights) would seem to be gaining access beyond what Facebook would authorize you for if you told the truth about who you are. The hypos in which one person is acting as an agent for another would seem to be pretty distinguishable.

And so as to be clear, I don't like the CFAA or how broad it is. But I do think it would be applicable here.

Posted by: Andrew MacKie-Mason | Mar 22, 2012 10:31:39 PM


I don't know of any courts (offhand) that have approved based solely on ToS violations. I suspect there are commenters who would know better (offhand) than do I. I'm also curious if you know of any, because I would like to read the opinions.

That said, the "solely" point is key - oftentimes a website's (or computer system's) ToS/AUP are involved in a court's finding, but not the sole basis. (e.g., unauthorized taking of intellectual property is almost always a ToS/AUP violation, but it's also a separate crime.)

Whether the "permission" of a prospective employee would be sufficient to overcome an (a)(2)(C) issue, this is where I see it as being solely a violation of the ToS issue. In order to "obtain" the protected information, the HR employee would actually have to login, not just ask for the password. (I separate out these two acts since an (a)(6) violation theoretically would not require actual access. As you note, the assumption is the access actually happens.) The only thing preventing me from "authorizing" someone else to access my Facebook account is the ToS. Based on the Lori Drew reading of the CFAA, I think it is a tough place to reach a criminal conviction for an activity that is *solely* criminal because of a ToS requirement. For example, let's say I am injured in a car accident and temporarily lose the ability to type due to fractured wrists. If I ask my father to answer a Facebook message from my aunt asking about my recovery, am I/is he violating the CFAA? Under your reading, yes, because Facebook's ToS doesn't allow for this. Does such a violation comport with the legislative intent behind the CFAA? Doubtful.

(note: apologies for my shift-key-clumsy finger which reversed the capitalization on my previous comment; Andrew's capitalization of the subsections is correct.)

The problem with a ToS-violation-only approach is that it cannot distinguish between these two acts. Yes, we've drawn some (nice) distinctions in this example (and one can easily draw a sharper one for the "likely criminal" conduct), but there will be murkier areas. Consider, for example, the teenager who shares their password to have their friend do a status update when the teenager is "grounded" from Internet-enabled devices. Criminal? Probably not. But what about when that friend turns it into a practical joke by posting something unexpected ("unauthorized"). Stupid? Being a bad friend? Probably. Criminal? I have trouble getting there, especially at the felony level. Modify it slightly more, and the friend posts a racially-motivated comment. (Repugnant, but still protected (lawful) speech.) Criminal? Perhaps, under the intent of the CFAA, because now the friend might be doing something "not authorized." But I wouldn't want to try and figure out where to draw that line. And I sure as heck wouldn't want Facebook (or any private entity) doing so via their ToS.

In all three cases, a ToS-violation-only reading of the CFAA would criminalize these actions. As noted above, however, I wouldn't want to try and draw the lines as to when it becomes criminal.

Posted by: David Thaw | Mar 22, 2012 9:57:51 PM

David, I don't know a lot about the CFAA. Most of what I do know about it comes from VC posts. But my impression is that there are other courts which have approved of violation-of-TOS prosecutions. Am I wrong about that?

But even if it weren't in the TOS, misrepresenting your information to Facebook (by logging in as someone else) would seem to pretty obviously fit within 'exceeding authorized access.' The 'permission' of the prospective employee wouldn't seem to be enough, since pretending to be that person gives you access to other people's private information as well. It seems like that could be prosecuted under 1030(a)(2)(C). (By the way, I'm assuming that access actually happens, not just the request.)

Am I missing something?

Posted by: Andrew MacKie-Mason | Mar 22, 2012 9:14:50 PM


While certainly not binding on all (or even any) courts, Judge Wu's opinion in U.S. v. Lori Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (Decision on Defendant's F.R. Crim. P. 29(c) Motion) [PDF] disapproves CFAA criminal convictions based solely on ToS violations.

My instinct is that Facebook wouldn't want to spend the money to seek civil damages, and they would have trouble convincing a U.S. Attorney to prosecute based solely on an HR request. It would be difficult to meet the statutory requirements without someone from the company actually accessing the information, which still only satisfies the bare minimum for 18 U.S.C. s. 1030(A)(2)(a) under the broad interpretation. (A)(4) seems unlikely to trigger for lack of fraud exceeding the $5,000 threshold, and (A)(5) seems unlikely because I have difficulty seeing a voluntarily-given password satisfying this requirement (especially given (A)(6)). (A)(6), while a good candidate on its face, seems problematic because of the "intent to defraud" and "trafficking" requirements (we're back to the voluntary handing-over issue here). (The other subsections of (A) don't seem to apply.)

While perhaps not leaving an adequate remedy in federal law, I tend to agree with this approach to interpreting the CFAA. For me, the most compelling part of the argument is that allowing criminal actions to sustain based solely on ToS violations places too much (prosecutorial?) discretion into the hands of private actors - entities that may, at any time and without notice, change their ToS to "criminalize" certain activity. Even if the vagueness issues could be addressed (and I'm not sure they can), this issue still remains unsolvable to me.

Posted by: David Thaw | Mar 22, 2012 7:44:17 PM

@problem: I only had in mind circumstances where a company has a FB page or where individual HR representatives have FB pages. But I don't think that's such a rare scenario these days.

Posted by: Adam Kolber | Mar 22, 2012 7:29:09 PM

Under current broad interpretations of the CFAA, an HR person who violated the terms of service and accessed someone else's account could be prosecuted for unauthorized access. And it probably wouldn't even require that broad an interpretation.

Posted by: Andrew MacKie-Mason | Mar 22, 2012 6:52:06 PM

Unless the asker is also a Facebook user, how is she bound by the terms of service?

Posted by: problem | Mar 22, 2012 3:54:16 PM

Thanks Andrew. I must have been posting a little too early this morning!

It does seem, though, like a person who was miffed at a company (for not being hired or for being fired) could contact FB and report that the company or HR person violated the terms of service. Susannah's comment would seem to no longer apply once a person has been passed over for a job or terminated. I don't know anything about how Facebook handles such allegations, but one would think the risk of action by Facebook would be something of a disincentive for a company or HR person to solicit the prohibited information.

Posted by: Adam Kolber | Mar 22, 2012 2:40:29 PM

From the AP:

"Facebook declined to comment except for issuing a brief statement declaring that the site forbids 'anyone from soliciting the login information or accessing an account belonging to someone else.'"

"Giving out Facebook login information also violates the social network's terms of service. But those terms have questionable legal weight, and experts say the legality of asking for such information remains murky."

Posted by: Andrew MacKie-Mason | Mar 22, 2012 10:13:25 AM

This is unfortunately not a problem of law or policy (or Facebook policies), but of interpersonal power dynamics shaped by the fact that one person needs a job and the other has a job to give.

Posted by: Susannah Pollvogt | Mar 22, 2012 9:37:16 AM
