When it comes to demanding Facebook passwords, there needs to be a law protecting consumers

When it comes to demanding Facebook passwords, there needs to be a law protecting consumers

Summary: I call on our Congress to do something useful for a change. Pass a law making it illegal to demand access to any personal login credentials for any online account.


Yesterday, ZDNet covered the story of a school that demanded Facebook login credentials for one of its students. We've been seeing a trend of employers and schools not only demanding to be "friended," but demanding actual login credentials for Facebook.

This must stop. There needs to be a law protecting consumers.

See also: School district demands Facebook password, 12-year-old girl sues

The issue is very simple. The people demanding access to your Facebook accounts can't be trusted. For example, Minnewaska Area Schools demanded login credentials for the student, but there's no guarantee that they are using best practices to protect those credentials. Most likely, the child's login and password will wind up on a PostIt! note living on a physical desktop.

In another case, Officer Robert Collins was required to turn over his Facebook login credentials during a recertification interview with the Maryland Division of Corrections. Here, too, there's no guarantee (or even a requirement) that the people conducting the interview protect the officer's personal login credentials with all due care.

See also: Employer demands Facebook login credentials during interview

There is a clear, but subtle difference between demanding a student, employee, or prospective employee add you to his or her friends list, compared with providing such organizations with full login credentials.

Friending provides a view onto what you're posting on your Facebook account and what you're comfortable sharing with friends. If you're, for example, racist or abusive, that behavior may become evident through your published posts on Facebook, and a prospective employer may choose to opt out of hiring you.

But when your credentials are provided to that employer (or school), you're granting that organization complete, unrestricted access to not only what you've posted, but to the entire status of your account.

Let's take Pat Falk, the principal of Minnewaska Area Schools as an example. Let's give her the benefit of the doubt and assume she would never misuse those credentials. But would she be able to prevent anyone who ever worked in her office from using those credentials? Is she taking full responsibility for the entire online identity of the students' accounts she now has access to?

What about the interviewers at the Maryland Division of Corrections? Facebook now has email. Are they willing to take full responsibility that nobody will ever send an email message or post an entry posing as Officer Collins? What if Officer Collins used his Facebook email as his password reset email for other services, say online banking? Will the Maryland Division of Corrections reimburse Officer Collins if his entire bank account is cleaned out because his email password fell into the wrong hands?

Of course not. And that's why there needs to be a law.

This is a problem that will not go away. And if you think the lawsuits we're seeing now are bad, wait until someone loses their life savings because some over-zealous school district or prospective employer got carried away. The courts will be filled with these things.

I call on our Congress to do something useful for a change. Pass a law making it illegal to demand access to any personal login credentials for any online account.

Such a law will not only benefit consumers, it will protect organizations like Minnewaska Area Schools and Maryland Division of Corrections from liability and costly lawsuits, and it will reduce the caseload for our courts.

Readers, contact your representatives today and demand such a law be passed. To contact your representative, visit The U.S. House of Representatives web site. It's just a click away and it could save you (and the rest of your fellow Americans) tremendous heartache.

Topic: Social Enterprise


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It's not usual that I agree with you

    But in this I fully agree. NO ONE should be able to demand anyone's login credentials for any online service.
    • Exactly

      Not just Facebook but any online service. What's next? They are going to want access to your bank accounts online credentials, email?

      If the information is posted as public or viewable by some other means then more power to them, but employers, schools, the government all should NOT have the right to ask for your password or demand that you log in so they can inspect your Facebook or other online services.
      • Have you so quickly forgotten

        SOPA and PIPA? All civil liberties and privacy rights are under attack... to make us all safer and stop the bad guys before they can possibly hurt anyone... of course.
    • This is where I think Dave has missed it .....

      The question for me isn't 'how can we trust "them" with this information', for me the question doesn't even get that far.

      Short of a Court Order no one should be compelled to tell anyone what sites they visit let alone their credentials for those sites.

      When I'm on a computer other than my own I stay far away from any sites to which I post, and when on a network other than my own (home) I think two or three times before even checking my email.

      That may seem overly cautious or even paranoid but everyone seems to want to know everything about everyone else, people needing to sue to keep their private lives private and away from prying eyes, a teacher being fired for a picture of her while on vacation in Ireland and hoisting a Ale in an Irish pub ... this is getting ridiculous.

      So yeah, it shouldn't even get as far as 'people being trusted with the information', what makes them think they should have this information in the first place?
  • I generally agree, but...

    David: I generally agree with your comments, but you don't go deep enough. No one (except a judge) can compel you to divulge or allow access to any communications whether they are verbal, electronic or written without your consent. There is no way in hell I would 'friend' a superior on condition of keeping or getting a job.
    That would be the same as allowing unrestricted access to my home or telephone conversations just to name a few.
    You are correct on the pitfalls of giving private information to persons who may not handle it securely. I don't think a law will help as most lawmakers anymore have no problem putting more cracks in the wall of individual privacy rights.
    Displaying your middle finger will be sufficient.
    Porter Jervis
    • not the point

      @Porter not the point that only a judge can *compel* you. What if employment, graduation, etc are contingent upon providing such access?
      • On the surface...

        ... its rather simple. Don't take the job. If you already have the job, make them fire you, then sue.
        Regarding graduation, I wouldn't expect that a college or university would force an already enrolled student to divulge such information, but wouldn't put it past them. If a school stated such information was required prior to enrollment, then the student will have a decision to make, do I sell my soul to the devil?

        I'm not a litigious person by any definition, but my head boils when I read about this type of stuff. That 12 year old was assaulted. What's worse is a sheriff's deputy was involved!! People need to stand up and push back hard, really hard at this type of harassment.
        Regarding graduation, I wouldn't expect that a college or university would force an already enrolled student to divulge such information, but wouldn't put it past them. If a school stated such information was required prior to enrollment, then the student will have a decision to make, do I sell my soul to the devil?
        Porter Jervis
      • IF as you say

        [b]What if employment, graduation, etc are contingent upon providing such access?[/b] Then we really [i]are[/i] living in a Big Brother society and something needs to change. Tell me what reason would be sufficient for employers, schools, or whoever to have login credentials upon request in order to graduate, to get that job, or for anything else?

        IF there is a warrant involved that is one thing but for someone other than a law enforcement official with a warrant signed by a judge to request such is an intolerable invasion of privacy.
      • Can you prove it?

        "What if employment, graduation, etc are contingent upon providing such access?"

        What Porter and Pete miss is that sure, you can refuse, but they can refuse to hire you. And maybe you have a lawsuit for some kind of discrimination, if you can prove they tried to get you to violate privacy laws. We need to have clear laws in place that say, like so many other race and gender and age protections, "you just can't ask that question."
        big red one
    • Compelling disclosure.

      Even a judge should not have the authority to compel you to self incriminate or disclose your password. We do still live in the United States, don't we?
  • Good luck on that one.

    It may have escaped your attention, but Congress and even local governments have little interest in protecting consumers and common citizens from anything, especially from any action by government authority. All three branches of government have demonstrated their authoritarian leanings in the last thirty years.

    So I expect the opposite will happen, and government will codify the means to which both authorities and corporations can gain access to a private citizen's data through very simple and inexpensive means, without any recourse by the affected person. There are already models of sorts: the credit bureaus, and the extra-legal processes codified by the DMCA that allows privileged parties to demand information and action without the need of a court order.
    terry flores
  • Internet Privacy IS a right. Own it.

    At least in the U.S., Tort Law provides a right to 'solitude and seclusion' and that includes the Internet.

    When entities come demanding access to your private matters, you have to worry.

    Should citizens leave control of their privacy to third party entities?

    The risk is that you loose control of your privacy in the situation David shares today.

    R E T R O S H A R E provides total control of your privacy. Own it.
    Dietrich T. Schmitz *Your
  • Bad idea

    No this should be left up to the states. I would think this type of law would pass quite easily in almost any state. The federal goverment has no business getting its dirty little fingers into this. They would just take a simple privacy law and make it worse with the compliance criteria, plus who wants to give the executive deparment more power.
    • uniformity is required

      Some things, such as copyright law and employee benefit laws only work on a national level. Otherwise employers and others face a nightmare of "patchwork" laws. State A (probably California) bans particular activity as intrusive and State B (likely a Southern state) fully allows it. Multi-state employers have to determine which state's laws apply, etc. The usual result is to take an extremely restrictive approach. Alternatively--as is common in the Wall Street financial sector--employers put in a mandatory arbitration provision. The problem with arbitration is that everything is kept private, there are no appeal rights, and it doesn't set any legal precedent--you literally could have 100 employees at the same company with the exact same issue and each one would have to separately arbitrate and employees 2-100 could not cite the decision in employee 1's case as a standard to use.

      Another problem is that if it is left up to the states, the employers (at least multi-state employers) can just put into their employee manuals/contracts/employer documents that the laws of State X will apply, and even that venue for any disputes is the county of their home office. So, for instance, Texas employees could be required to pursue any suits/arbitration in Maine or Vermont.
      • Get a good lock

        Own your Internet Privacy (global) with:
        R E T R O S H A R E
        Dietrich T. Schmitz *Your
      • Sarcasm: What we really need...

        ...is for the WTO to impose a world-wide comprehensive commercial code on all member states, so that multinationals don't have to deal with the laws of 100+ individual nation states.

        The logic is exactly the same.
        John L. Ries
  • When it comes to demanding Facebook passwords, there needs to be a law prot

    Definitely need a law for this. I see no reason why a school or corrections facility or any other organization should need my account information. I don't have high hopes on getting such a law passed though since it would benefit the citizens and make it harder to prosecute or whatever they want to try.
    Loverock Davidson-
    • Why in the he11 would anyone flag LD's commnt?

      nt . . . .
  • How about just saying "NO"? If I go on an interview

    and a prospective employer asks for anything I find inappropriate I simply say no. I don't yell or raise my voice in any way or fashion. I don't change my facial expressions or body language I just assert my right and say no. What people seem to forget in this day and age and maybe they've always over looked this simple fact I am judging them as much as they are judging me. I am deciding during the interview process if I wish to work for them as much if not more then they are deciding if they want me to work for them. It's a two way street. I've always thought of myself as a business onto myself. I choose everything based on simple business math which is what is best for ME. How will this profit and or benefit ME. I care very little for the organization I end up working for because it's NOT ME... It's just a job after all.

    Pagan jim
    James Quinn
    • and...

      If you've been out of work for 6 months and the bills are piling up, about to lose your home and finally, you get an interview. You really need this job, then they ask for your facebook login and password. Just say no, while in principle is a fantastic idea, is sometimes hard to say.

      That's why there needs to be some sort of severe penalty for employers asking for that information.