Hacker News new | comments | show | ask | jobs | submit login
Illinois moves to legalise employer access to workers' social media accounts (aljazeera.com)
91 points by ramisms 1422 days ago | hide | past | web | 60 comments | favorite



This isn't even as close to as bad as it made out to be. From the full text of ILCS after amendment:

(b)(1)It shall be unlawful for any employer to request or require any employee or prospective employee to provide any user name and password, password, or other means of authentication to gain access to the employee's or prospective employee's personal internet account.

(2)An employer may request or require an employee to disclose any user name and password, password, or other means of authentication for accessing any accounts or services provided by the employer or by virtue of the employee's employment relationship with the employer or that the employee uses for business purposes.

Note: Paragraph 1 retains the ban on asking for account information for personal accounts, and paragraph 2 authorizes asking for the info for business/employeer provided accounts.

So, unlike the headline, in fact this bill moves to legalize access to the businesses social media accounts.


Beyond that, the law creates a huge disincentive to ever asking for credentials for anything except the brightest of bright-line cases, because from the moment your employee refuses the credentials, you can't fire them for anything but cause without incurring a significant lawsuit risk.

The people talking about how a company could argue that their (say) Twitter account was a business account seem to miss the fact that such an argument takes place in court.


I get what you are saying, and I now agree that it's a net plus for employees.

However, I still worry about possible misinterpretation of the clause involving business use of personal accounts. I don't trust lawyers or judges. Sure, court decisions are probably correct well over 90% of the time, but that's just not good enough for me.


> I don't trust lawyers or judges. Sure, court decisions are probably correct well over 90% of the time, but that's just not good enough for me.

So now that you've rejected the lawmaking and justice systems wholesale, what do you propose to put instead?


Its not that I reject them wholesale, its that both systems desperately need to be fixed. I'll admit, I don't have the solution, but that doesn't mean one doesn't exist.


Thanks for that. I think this is a good law. If I'm working for you, this means you don't get access to my personal accounts. If you're working for me, this means you can't lock me out of accounts that I'm paying you to use.

The only place this law causes friction is when employees are either using personal accounts for business purposes or business accounts for personal purposes. It's a good law because it encourages a separation of the personal and professional spheres of one's life.


>The only place this law causes friction is when employees are either using personal accounts for business purposes or business accounts for personal purposes.

Right, which you shouldn't be doing so that you retain that clear separation.


>"or that the employee uses for business purposes."

This is the part that fucks the whole thing up. It's too vulnerable to misinterpretation or abuse.


Using an unauthorized Internet application to conduct business for your company was already something that could get you fired. The law doesn't authorize employers to break into your accounts; you presumably retain "quitting" as a recourse to turning over account information.


Of course, but when you see how many laughably horrible decisions our courts make on a regular basis, it wouldn't be all that surprising for a company to argue that your personal account was used for business purposes for a variety of reasons. For example, the mere mention of your employer's name on a site like Linkedin, or perhaps a developer that is known to work at a prominent company who maintains a programming blog.

It's also already a prosecutable offense to lock your company out of a business related account, so what is the point of establishing more legislation?


Laws that create prosecutable offenses in the ILCS say things like "Any person failing to comply with $(CLAUSE) shall be guilty of a $(CRIME_LEVEL)". This one obviously does not do that.

The reason for the legislation is that Illinois companies are specifically not permitted to demand credentials for personal social media accounts; it creates an exception to at-will employment in Illinois that would enable you to sue your employer if you were terminated incident to refusing credentials.


> Of course, but when you see how many laughably horrible decisions our courts make on a regular basis,

Only if you let HN and reddit rashly interpret your court decisions for you...

> It's also already a prosecutable offense to lock your company out of a business related account, so what is the point of establishing more legislation?

Because by itself, the previous language created an ambiguous situation. All the new bill does is clarify that the ban on asking for login credentials for a personal account doesn't override the offense of locking your company out of a business-related account.


The most vulnerable example would be retweets of your company's tweets using your own personal account. Retweeting mental barriers are so low (even compared to FB likes and shares) that a huge fraction of people would be caught under such an umbrella.


> retweets ... using your own personal account.

No, I think it's pretty clear. Once information is publish via the company's twitter account, it becomes public information. It would be a very long stretch for retweeting public information to change the nature of a personal account to fall under this law.

Not to mention, Illinois' has notoriously labor friendly courts (I live in IL). While landing in court is an obvious problem for the employee to defend/prosecute, the reputation/record of IL labor courts make it an even steeper hill for an employeer to climb than for the employee.


Hmm, how about things like tweeting links to your company's blog, your company's product, or your company's documentation? This probably happens a little bit less frequently but enough for us to at least take a cursory look.

While I would hope that most startups are above this kind of behavior, since startups tend to ask their people to use their personal accounts for marketing purposes, I have to at least have some concern...


Like I said downthread, reading the statute in the airless vacuum of a message board, it's easy to try to poke holes in it.

In reality, anything that amounts of an exception to the at-will doctrine creates an enormous minefield for employers. Terminated employees are very frequently disgruntled and can be counted on, over time, in the large, to bring meritless cases. Employers who want to survive without being stuck up for settlements are going to become very process-bound for how they handle credentials.

Think of it this way: worst-case downside to employee from this law: early termination. Downside to employer: horrifically expensive legal debacle.


According to the various quotes I've read there's no "non-public information" requirement.. just the vague "for business purposes" part.

While Twitter is the obvious example, what about a Github account? I've patched bugs or merged pull requests for my employer's projects from my own account. Would that qualify?


You should be careful about letting your employers' code hit your personal Github site for other reasons; an employer who wants to make it difficult for you to get a new business started can use IP issues to accomplish that.

Personal Github accounts are already a little bit fraught for that reason. The Illinois statute revision doesn't change the calculus; if you're an IL employee with a Github account you care about, you (a) don't want to be working for anyone who demands credentials to it, and (b) now have an avenue to extract a few tens of thousands of dollars from that employer should they ever be dumb enough to ask and then fire you.


I think the only litmus test necessary is that the account name use the companies name in someway. i.e. If your company is Acme Anvil Co and the terms Acme or Anvil are in the username (or vanity url, etc), in someway, then it qualifies as a business account. Barring that, any social media accounts should be viewed as personal, even if the following amassed under that account came by virtue of employment with the company in question.


Strongly disagree.

ANY type of legalized access to employee social media accounts is bad. Period.

Yet this is what we get when we freely throw any of our personal information online.


It legalizes asking for accounts, in very limited circumstances, in a manner that makes is extraordinarily risk simply to ask. It doesn't legalize seizing accounts.

You get that under at-will employment, there's a UNIVERSE of unreasonable requests employers can make that will permit them to fire you directly, right?


What's your point here?

It still legalizes asking for accounts and there's still room for misinterpretation.


My point is that the misinterpretation is catastrophically riskier for the employer than the employee. This is as it should be, but isn't something the author of this article (or many commenters here) seem to recognize. Some commenters even hint at a belief that employers can directly access employee accounts on third party services, which is not an action accommodated by Illinois law.


Since the article linked is mostly twitter reactions, here's the actual text of the bill:

http://www.ilga.gov/legislation/billstatus.asp?DocNum=1047&#...

and a better article:

http://blogs.suntimes.com/politics/2013/04/illinois_house_ap...

The bill specifically says that the employer cannot fire someone for NOT giving up their facebook password or whatever, so that's good at least (however unenforceable it might be)


They can't fire you for not giving up the password, but they can sure find a different reason to fire you. If somebody is working in a $10/hour job and is concerned about their ability to find another job, I don't think that "protection" will amount to anything.

Serfdom is a somewhat appropriate term, if your actions are monitored and controlled 24x7.

If I were Facebook, et al, I would be opposing this with everything I had. Nothing will hurt Facebook more than people being concerned that posting on it will negatively impact their jobs.


No, this is completely wrong: if you are asked for credentials, and you refuse to provide them, and you're fired afterwards for what your employer claims is an unrelated reason, you can sue your employer alleging that you were fired in retaliation; that is why the law specifically says it's "unlawful" to demand those credentials.

By your logic, no anti-discrimination law is enforceable either, because you'd have to be a complete nitwit to actually tell an employee they were being fired for being a woman, or African American. In practice, employers always make up excuses for unlawful termination.

Also, in practice, each of these exceptions to at-will employment is a vast gaping constantly-looming risk for employers, since litigation is extraordinarily expensive and terminated employees are extremely quick to threaten suit. I've seen meritless discrimination suits brought at previous employers; they're settled immediately no matter how wrong they are.

So the net effect of laws like this is to create an incentive for employers to be extremely careful and process-bound for how they handle credentials, because credentials in Illinois are officially an employment law minefield.


Sure, I could bring up such a law suit. How many of those $10/hour employees are going to? The intimidation exists, regardless. At-will employment is the reason why you have to be afraid for your job if you don't give up your credentials.

Even if they don't fire you, you've negatively impacted chances of promotion and possibly put yourself on the top of the layoff list. The balance of power in the US is very strongly tipped towards the employer; we really don't need to add more to it.


All of them. It's one of the easiest suits in the world to bring. You could also sue if you were denied promotion after refusing to hand over credentials.

Again: this law tips the balance of power AWAY from employers.


You're talking about a supply side scenario, after they already ask.

The text of the bill instead discusses the demand side "It shall be unlawful for any employer to request".

I am not seeing the punishment this unlawful act would result in. Maybe there isn't one. However, I am not a lawyer and anyone relying on this post for official legal advice is a moron.

On the job, assuming you've actually been out there, for quite a few years its "normal" for coworkers and bosses and such to friend each other and talk smack about each other and the boss. From observation of extensive experience the biggest problem with social media mixing with work tends to be professional contacts both making and reading highly unprofessional comments outside of work resulting in huge raging arguments / battles at work. (edited to emphasize battles between employees not mgmt vs employee. Although this inevitably drags mgmt into it when one employee whines about another's comments online about their religion/ethnicity/orientation/blah make it impossible for them to ever work together again, even though the topic would never have been discussed on company property at any civilized employer. Most of the mgmt where I work would relish a law prohibiting people from work socializing in any manner, especially social media flamewars, outside work.)


> They can't fire you for not giving up the password, but they can sure find a different reason to fire you.

If you work for an employer who does not care about the law, then the law is not going to affect them, this is correct.


Not true! The employer is going to have to care about the law, because it is very cheap for a terminated employer to get an attorney to bring a case under this statute.


Even if the headline had accurately described what this law does, it would have been easily solvable by letting employees report the names and accounts of their bosses to the social networks in question and having the social networks ban those users from using the social network for violating the terms of service. It would be comical if a CEO or manager requires access to an employee's Facebook account and the employee is compelled to give it to them under these laws and the CEO or manager then subsequently loses access to their own Facebook account. They'd backpedal pretty quickly as soon as they lose access to the photos posted by their friends and family.


My take on this is that if I work for, say, the Chicago Tribune as the person responsible for handling a Twitter account (perhaps @ChicagoTribune?), my employer can require me to give them the password for that account.

This does not distress me.

The other significant part, that employers can request account information for accounts "that the employee uses for business purposes" but can't "discharge, discipline, or otherwise penalize or threaten to discharge, discipline, or otherwise penalize an employee for an employee's refusal to disclose" I see as mostly placing requirements on employers: Make sure your staff is not becoming the "face" of your brand with their personal accounts.


Does this trump the CFAA interpretation on violating terms of use (such as giving out your password)?


No one here seems to have mentioned the reason this law is still bad, even if it doesn't apply to personal accounts.

Passwords authenticate you as you. It's preached constantly to people that they DO NOT GIVE PASSWORDS for others to use on their behalf! Even in IT, where people tend to know the implications, the trend is away from common accounts for work and toward individual admin accounts to increase accountability.

If I, for some over riding reason, NEEDED to give a coworker my password for an operational emergency, I would change it as soon as possible. I would never give it to anyone at my company for records keeping or access.


The problem is this: say you are my friend, and you have such a (fuzzily defined) "employer provided" account.

If I have trusted your account, without knowing that it is your business account, my expectation of privacy for personal information I have shared with you is now broken.

It's an easy cop-out to say don't share anything you don't want shared with everyone. Too easy.

I do want to be able to share with just certain friends, and I don't want to unexpectedly have that shared, semi-private, information shared with the company they work for. This is a serious flaw with the bill.


I'm not sure that that's the responsibility of legislation. If you are misled (even unintentionally) as the the nature of the account you are sharing private information with, then the responsibility for having broken the trust lies with your friend. In this senario, you have willingly shared private information with the employer.

Now, wether there should be legal ramifications for such a violation of trust may be a worthwhile questions, but not one that this bill, which only amends an existing law, even even attempting to consider.


I have never understood the issue here. Don't you just say no? And if they require it as a condition of employment, didn't they do you a favor by telling you that you never really wanted to work there anyway?

You don't have a right to whatever boss you want at whatever job you want. Sometimes the boss is an asshole. You do have a right to quit. Use it!


> didn't they do you a favor by telling you that you never really wanted to work there anyway

I see this bullshit argument time and time again on HN. Not everyone is an intelligent, skilled worker with experience and the ability to pick and choose jobs. The vast majority of people are vying for the same unskilled or barely skilled jobs and are just desperately trying to keep food on the table. ANY legislation that further reduces their bargaining power is abhorrent.


Don't get me wrong; I feel compassion for anybody working a job they don't want to, especially if they are forced to by a combination of economic pressure and a lack of value as an employee, real or perceived.

However, part of building value as an employee (in fact as a human being) is deciding what levels are treatment are unacceptable and standing up against them.

Are you suggesting that someone of less skill or experience has no right (forget legally - morally) to quit their job, even if it means a future of greater economic risk?

If your husband or wife, brother or sister, parent, best friend, roomate - whomever - comes to you and tells you that they are going to have trouble meeting their obligations to you because they quit their unjust job, tell them, "you did the right thing. You need to value yourself and love yourself. I'll do my best to get by until you can pay me back, and I'll help you find a job that respects you in the mean time."

No?


> However, part of building value as an employee (in fact as a human being) is deciding what levels are treatment are unacceptable and standing up against them.

Well that's true, I don't disagree. However, to be valuable on the bottom rung to large companies, you need to either show real management potential (and have a decent manager) - the good option - or simply be as drone-like and exploitable as possible.Are you suggesting that someone of less skill or experience has no right (forget legally - morally) to quit their job, even if it means a future of greater economic risk?

> Are you suggesting that someone of less skill or experience has no right (forget legally - morally) to quit their job, even if it means a future of greater economic risk?

No, I'm suggesting the opposite. However, society enforces the judgement by it's attitude toward the unemployed.

> If your husband or wife, brother or sister, parent, best friend, roomate - whomever - comes to you and tells you that they are going to have trouble meeting their obligations to you because they quit their unjust job, tell them, "you did the right thing. You need to value yourself and love yourself. I'll do my best to get by until you can pay me back, and I'll help you find a job that respects you in the mean time."

Of course, but a lot of these people don't have a support network, or their support network has no ability to financially support them.


Landlords and grocery stores won't care about your once-employer's social media password policy.

You might be able to ask for friends for help, but people are going to ask themselves if it's worth putting their loved ones through hell to keep their password to themselves.

I feel like the "Don't work there!" argument is ignoring the fact that we needed unions to get to where we are with employment practices.


The US baseline is that you can be fired for any reason or no reason. Where is there to go but "up" from that? How do you find a reason to be outraged about this?


I'm outraged by the idea that everyone has the luxury to choose not to take a job to keep their social media private.


That's not at all the choice confronting Illinois workers.


That's why we need lower unemployment: to make employees bargaining position better.

If an employee fears for their job, they will put up with almost anything, whether lawful or not. Employee protection regulations have real bite exactly when they are almost not needed; when employees can just walk away from a job and be certain to find a new one.


I agree with everything you've said, but I don't think the issue is really about those of us who read HN. HN attracts individuals who have a certain amount of both knowledge and job portability beyond that of the average U.S. citizen.

In many cases, an employeer can simply say, "The law allows me to ask for you facebook account information, please give it to me," and the employee wouldn't know otherwise. The original law was meant to ban that activity. The new bill opens up a small loophole so the the employeer can ask for account information for business related accounts.


Has anyone realized that you can simply say to your employer, "No, I don't have a Facebook account."?


So, social media services should allow people to have "under duress" version of the same account. If "duress" password is entered - only predefined, innocent content is shown.


Ilinois workers, welcome to California!


Where there is a substantially similar statute that permits employers to demand credentials to any account pursuant to an investigation of "employee misconduct".

Sheesh.


Really? Source, please.


Try Google. I read the comment I replied to, thought, "I wonder what California says about the same issue", and had the California statute in under a minute.


After review of http://www.leginfo.ca.gov/pub/11-12/bill/asm/ab_1801-1850/ab... I stand corrected. Don't come to California!


California workers, welcome to Chicago!

:)


I heard of this terrible thing called snow...


"Informer" is a great song.


Never heard of "Informer".


Is it legal to do this in California? I personally have my boss and other co-workers on added Facebook - I don't have anything to hide and everyone I work with is freaking awesome so they wouldn't care anyhow; although if I was forced to hand over my information, I'd probably quit - There's plenty of other great companies to work at. But luckily that's not the case, as my employer is awesome.


un-f*ing-believable!




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: