In spring of last year, reports began surfacing that some employers were demanding that current and sometimes prospective employees hand over the log-in credentials for, or otherwise provide access to, their various social media accounts. People were outraged. Such invasions of what many perceive as their personal, albeit online, privacy prompted much debate and the writing of a never-ending slew of opinion pieces.

Then something very strange appeared to happen: lawmakers seemed to take note of public opinion and act accordingly. A number of state legislatures began drafting bills that would make it illegal for employers to demand access to the social profiles of their employees and job applicants. Now that the year is 2013, those laws are either taking effect or will do so in the coming months.

A national bill, the Social Networking Online Protection Act (SNOPA), was drafted and introduced by Representative Eliot Engel. Engel’s H.R. 5050 has been referred to committee, where lawmakers will either kill it, amend it, or pass it through unchanged. It’s hard to say what the chances are that SNOPA will ever become law, but Govtrack gives it a 12 percent chance of making it out of committee and a three percent chance of passage, based on the percentage of all bills that make it out of committee and pass into law, respectively.

If it ever comes out of committee, SNOPA would “…prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website.”

State laws banning the practice went into effect Jan. 1 in California and Illinois, according to the National Conference of State Legislatures’ annual list of state laws going into effect on Jan. 1. California’s law officially bans “employers from requiring applicants or employees to disclose social media passwords” while Illinois’s makes it “illegal for an employer to request social networking passwords or account information from an employee or applicant.”

Maryland was the first to pass its own version of the law, but it didn’t get a mention in the NCSL report because its law went into effect upon passage. Maryland’s quickness to act was unsurprising, because it was in that state that the controversial practice came to light in the first place.

Shortly after that, Maryland’s neighbor Delaware passed a bill that prohibits public and private schools not only from mandating that students or applicants provide log-in credentials to social media accounts, but also from requiring that students and applicants log in to their accounts to give the institution direct access to them.

In early December, New Jersey’s Governor Chris Christie signed a bill that “Prohibits requirement to disclose user name, password, or other means for accessing account or service through electronic communications devices by institutions of higher education.”

Later in December, Michigan Governor Rick Snyder signed a bill into law that protected “the online privacy of Michiganders by prohibiting employers and educational institutions from asking applicants, employees and students for passwords and other account information used to access private internet and email accounts, including social networks like Facebook and Twitter.”

Categories: Privacy, Social Engineering

Comments (4)

  1. Anonymous

    Do these laws also prohibit access to personal accounts of individuals by institutions that obtained credentials by non-consensual means? Such as an employer or a college that captures credentials a person used when on their system or network.

  2. Anonymous

    Through forensic analysis of browser artifacts or by “proxyfying” all web traffic with a product like WebSense. Both methods are widely used to peer into user traffic in large institutions.

  3. Kage

    My understanding is that each state’s law is different. The California one does not ban information (including passwords) that is obtained from employer-used devices. So the answer in this case would be no.

    This may be getting off topic, but in my opinion, organizations that implement tools utilized to obtain information such as credentials are walking a slippery slope. In the age of cloud services, many organizations also use secured services that are hosted off site and accessed over the web. If these organizations also utilize tools to obtain credentials and information passed through, even if secured, these credentials and information must be stored in some form of a database. If this system or database were to be hacked, or in the more likely case of a disgruntled employee with access to said database and a grudge, they could potentially get access or do a lot of damage to sensitive and proprietary information that may be stored here, in addition to credentials and info for employee access to social media.

    At one of my previous jobs, WebSense was used for the proxy, but it was not used to obtain credentials or information, only to block/allow traffic as was deemed allowable by the organization and to track what sites employees were going to for allowed traffic. They did not want everyone to use social media sites, so instead of spying on employees on social media sites, they just blocked access to these.

    In my opinion there are better ways to protect sensitive and proprietary information than gathering traffic and putting it somewhere to “see” what users are doing, as this can also be a security concern. That all said, many organizations are required to obtain and keep, for certain periods of time, all electronic communications, like email and IM. In these cases, implementing proper solutions can allow this information to be tracked without also tracking credentials.
