Yesterday you may have read some employers are requesting potential employees to turn over their Facebook login and password information. Today the ABA Journal is reporting that two states are considering banning this practice for public employers.
Well, what if I told you this practice might already be illegal under the Computer Fraud and Abuse Act, 18 USC § 1030?
The Computer Fraud and Abuse Act states that anyone who:
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–…(C) information from any protected computer if the conduct involved an interstate or foreign communication; …shall be punished as provided in subsection (c) of this section.
The term “exceeds authorized access” means: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6) (2008).
According to Facebook’s Terms of Service, anyone who uses Facebook must agree that:
You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
You will not collect users’ content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
You will not solicit login information or access an account belonging to someone else.
You will not facilitate or encourage any violations of this Statement.
Does this mean that a potential employer who demands your Facebook login is actually breaking the law? I think a person could argue that they are exceeding their authorization by violating Facebook’s Terms of Services. If that’s the case, they might also be encouraging you to break the law.
Keep in mind that Lori Drew was charged and convicted under the Computer Fraud and Abuse Act for violating MySpace’s Terms of Service in connection with Megan Meier’s suicide. (though the conviction was overturned).