I’ve been remiss in posting on the recent stories about potential employers requesting social networking login information in job interviews, but I see that noted cybercrime expert Orin Kerr, a law professor at George Washington University, was on C-SPAN’s Washington Journal this morning, and his comments in the first few minutes of this recording basically sum up what I had to say on this issue: it’s unclear, but such activity may be prohibited by federal law. I just have one additional point to add: although the specific policy result here may seem obvious, the larger question of when use of a dodgily-obtained password violates unauthorized access statutes is actually a much more difficult one.
The civil case Orin refers to in the recording is Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (FSH), 2009 WL 3128420, 2009 U.S. Dist. LEXIS 88702 (D.N.J. Sept. 25, 2009). In Pietrylo, the District of New Jersey upheld a jury verdict against the defendant employer under the Stored Communications Act, 18 U.S.C. § 2701, which prohibits any person from “intentionally access[ing] without authorization a facility through which an electronic communication service is provided . . . and thereby obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.” Pietrylo and other employees participated in a private chat group on MySpace in which they were critical of Hillstone management. One of the managers requested that one of the participants give him her password, which she did, on the reasonable supposition that she “felt that [she] probably would have gotten in trouble” if she refused. The managers then accessed the chat group several times, “even though it was clear on the website that the [chat group] was intended to be private and only accessible to invited members,” and used the information they gathered to fire two employees. The court held that that testimony was sufficient to allow the jury to find that the defendant had intentionally accessed a communication service facility without authorization. In other words, coercing someone to give you a password through the implied threat of termination of their employment if they refuse does not give you authorized access to a website.
But Pietrylo is only one case, and an unpublished one at that. The legal question here, whether the use of borrowed passwords should constitute “unauthorized access,” is actually quite difficult. Courts considering it under the SCA and other unauthorized access statutes, such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, have gone various ways. For example, courts in DMCA cases have come to opposite conclusions, depending, it seems, on how technological the password is. Compare RealNetworks, Inc. v. DVD Copy Control Association, Inc., 2009 U.S. Dist. LEXIS 70503 (Aug. 11, 2009), RealNetworks, Inc. v. Streambox, Inc., 2000 U.S. Dist. LEXIS 1889 (W.D. Wash. Jan. 18, 2000), and 321 Studios v. Metro Goldwyn Mayer Studios, Inc., 307 F. Supp. 2d 1085, 1095 (N.D. Cal. 2004) (use of password or key in automated authentication routine without permission is unauthorized access), with I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004), and Egilman v. Keller & Heckman, LLP, 401 F. Supp. 2d 105, 113-14 (D.D.C. 2005) (use of typed-in password on website without permission is not unauthorized access).
Indeed, it is a bit difficult to explain why, exactly, password guessing leads to unauthorized access — the Fifth Circuit was forced to explain that seemingly obvious conclusion in United States v. Phillips, 477 F.3d 215 (5th Cir. 2007). The Fifth Circuit’s answer seems to be on the right track: the notion of what constitutes unauthorized access for information or intangibles relies on social convention, just like the notion of unauthorized access for real property. There may not be a sign in front of a store front telling you that access is or is not authorized, for example. Instead, we rely on social cues to give us the necessary information: open doors, lights on or off, the time of day. The difficulty is that use of electronic media is in some cases too new to give way to strong, well-developed intuitions one way or the other — witness the copyright-protection password cases cited above.
But to the extent widespread social conventions matter, opinion seems pretty strong about employers or prospective employers asking for social networking account passwords: people are against it. However the murky concept of “unauthorized access” shakes out in the years to come, employers would be well-advised to avoid taking this issue to a jury for the time being.