Dear Attorney General Holder,

We write concerning reports in the media that some employers are requiring job applicants to provide their usernames and passwords to social networking sites like Facebook as part of the hiring process.

We urge the DOJ to investigate whether this practice violates the Stored Communication Act or the Computer Fraud and Abuse Act. The SCA prohibits intentional access to electronic information without authorization or intentionally exceeding that authorization, 18 U.S.C. § 2701, and the CFAA prohibits intentional access to a computer without authorization to obtain information, 18 U.S.C. § 1030(a)(2)(C). Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both SCA and the CFAA.

Two courts have found that when supervisors request employee login credentials, and access otherwise private information with those credentials, that those supervisors may be subject to civil liability under the SCA. See Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002). Although these cases involved current employees, the courts’ reasoning does not clearly distinguish between employees and applicants. Given Facebook terms of service and the civil case law, we strongly urge the Department to investigate and issue a legal opinion as to whether requesting and using prospective employees’ social network passwords violates current federal law.