Md. prisons: Job applicants don't have to supply Facebook passwords (for now)

State ACLU chapter cheers 45-day suspension, alleges privacy infringements

Maryland prison authorities have temporarily suspended their policy of requiring prospective and current employees to provide their Facebook passwords and login information after a complaint from the Maryland chapter of the American Civil Liberties Union.

The Maryland Department of Public Safety and Correctional Services notified the ACLU on Feb. 22 that the policy has been suspended for 45 days in light of privacy concerns the group raised.

Maryland Public Safety Secretary Gary Maynard said the policy was instituted to help identify job applicants and prison workers seeking recertification who may have affiliations with illegal gang activity.




“The department’s efforts to explore an applicant’s behavior on social media networks stems not from a desire to invade personal privacy but rather from a legitimate and serious concern with the infiltration of gangs in our prisons,” Maynard wrote to the ACLU branch Feb. 22.

“This is a newly emerging area of the law, and in light of that, I agree that we must be convinced of the practice’s utility as well as be mindful of the path we are taking,” Maynard wrote.

The ACLU initially notified Maynard on Jan. 25 of concerns about the experience of corrections supply officer Robert Collins, who was ordered to supply his Facebook login information during a recertification interview. Collins was told at the time that the request was based on departmental policy and applied to all new applicants and recertifications, said Meredith Curtis, an ACLU-Maryland spokeswoman.

“While the ACLU appreciates the DOC’s need to ensure that corrections applicants and employees are not engaged in illegal activities, the demand for an officer’s personal Facebook password simply goes too far,” Deborah Jeon, legal director for the ACLU of Maryland, said in a statement. “It is equivalent to a demand that officers permit the government to listen in on their personal telephone calls as a condition of employment.”

In April 2010, Collins took a personal leave of absence from his job with the state's corrections department after three years of employment. When applying for recertification in November to return to work, he was asked for his Facebook user name and password and was told it was a standard requirement, the ACLU Maryland branch said.

“I understood the investigator to be saying that I had no choice but to hand over my Facebook login and password if I wanted to continue my employment with the division of corrections,” Collins said in a statement released by the ACLU Maryland branch.

The ACLU's Maryland branch believes that the practice is illegal under the Federal Stored Communications Act and under Maryland laws that prohibit access to stored electronic communications without valid authorization, Curtis said. The prison department’s policy also would have allowed inappropriate access to Facebook postings of friends of the applicants or of the corrections workers seeking recertification, Curtis added.

No other agencies in Maryland are reporting similar practices, Curtis said.

“We are certainly glad the policy has been suspended, and we will be watching closely and we’re willing to work with them to ensure the policy protects their privacy and the privacy of their Facebook friends,” Curtis said.



About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


Reader Comments

Mon, Feb 28, 2011 TN

Number one: any employer, regardless of agency mission or agency sensitivity, etc., should be required to have a "probable cause" due to other information discovered by the usual background checking activities and also to have a "search warrant" issued before looking into a person's social networking accounts. I am sure if they present a judge with photographic evidence of a potential employee or a re-certification candidate meeting with known gang members, they would have no trouble getting a "search warrant" with which they should have access through the service provider, not via the person's private password. Number two: one should never put any personally identifying information on any social networking account for any reason whatsoever. Too many ways it could be taken out of context or misused.

Fri, Feb 25, 2011 BADpenguin

That is a good point, IT Security Dude.

Thu, Feb 24, 2011 IT Security Dude

It's clear that this policy was thought up by people with no real understanding of how this policy could have affected a court case. Good security policy dictates that passwords are never to be shared. One of the reasons for this is something known as non-repudiation. If one and only one person has access to an account, then that person cannot claim that someone else did some illegal activity on their account. The moment the employer requires the employee share their password, the employee now has plausible deniability for any illegal posts. "No Judge, I didn't make any threats against the President, that must have been my boss."
