We sense intuitively that employers asking for our Facebook passwords is wrong. The law, currently, isn't sure what to do.


Last week, Representative Ed Perlmutter, Democrat from Colorado, proposed an amendment to H.R. 3309, the Federal Communications Commission Process Reform Act of 2012, in reaction to news of employers, prospective and otherwise, demanding the passwords of employees' social media accounts. The amendment, colorfully shorthanded "MIND YOUR OWN BUSINESS ON PASSWORDS," would have prohibited employers from demanding workers' social networking usernames and passwords -- and would have allowed the FCC to intervene on behalf of employees and their privacy.

It would have codified, in other words, the notion that one's social media identity is an extension of one's broader identity, with the privacy protections (such as they are) that come along with the analogy.

A day after it was proposed, the amendment was voted down -- almost entirely along party lines -- thus closing one door to social media privacy legislation, at least on the national level. (There are similar social media privacy laws -- full bills, rather than amendments -- currently being proposed in the legislatures of Illinois, Maryland, and Michigan.)

But that's not the end of the story. In fact, it's just the beginning. It may well turn out that the concerns associated with demands for social media passwords -- and, along with them, demands for email passwords, and, generally, demands that would seem to violate employee privacy -- will first be legislated not, actually, through legislation, but through the courts. 

Take the case of R.S., a 12-year-old Minnesota girl who is suing her school district after it punished her for comments she made on Facebook. (The ACLU, arguing on her behalf, claims that the punishments were a violation not only of her First Amendment rights, but also of her Fourth Amendment guarantee against unreasonable search and seizure.) Or take Kimberly Hester, a teacher's aide in Michigan, who is currently engaged in a legal battle with the school district that suspended her after she posted a questionable picture of a coworker to her Facebook page. (The picture? An image of "a co-worker's pants around her ankles and a pair of shoes, with the caption 'Thinking of you.'") A parent -- a Facebook friend of Hester's -- saw the photo and complained; the school reacted; its administration proceeded to ask Hester (three times) for access to her Facebook account. Each time, Hester refused, later explaining, "I would not, still to this day, let them in my Facebook. And I don't think it's okay for an employer to ask you."

Many of us would agree with Hester. What makes her story so fascinating, though, is that the law, as it currently stands, does not. Beyond social media sites' own terms of service -- and Facebook has threatened its own action against employers who ask for employees' passwords -- there's nothing on the books that stipulates, in specific terms, which privacy claims we hold on behalf of our online selves. Facebook is fast; the legal system is slow. If Hester's battle goes anywhere beyond a simple settlement (and here's hoping!), its arguments will have to rely on precedent.

Which makes you wonder: What would be the precedents for a case like this? What, actually, is the analog version of an authority figure asking, casually but insistently, to know your Facebook password? Most of us, I think, find the practice of password-snooping intuitively wrong. But: Why? If there's been a violation, what, actually, has been violated? Is one's Facebook profile akin to one's person, monolithic and portable? Or is it more akin to one's home -- a separate social space within which one has a reasonable expectation of privacy? Or is it both at the same time? Or neither?

Over at the ACLU, the attorney Catherine Crump has compared password-snooping to the famously criminal practice that is opening someone else's mail. ("You'd be appalled if your employer insisted on opening up your postal mail to see if there was anything of interest inside," she notes. "It's equally out of bounds for an employer to go on a fishing expedition through a person's private social media account.") GW law professor Orin Kerr, on the other hand, argues that asking for someone's password is like demanding their house keys. (One way that analogy works: The level of violation a key request entails depends entirely on what -- and whom -- you keep in your house. Same deal for your Facebook account, since the more you've invested in it, the more you'll care if people go snooping.)

There are arguments on the other side, too, of course. Employers, the University of Pennsylvania law professor Anita Allen pointed out to me, are within their rights to require drug tests and personality tests of their employees. There's reason to suggest that -- just as students have a reduced expectation of privacy while they're at school -- employees have a reduced expectation of privacy while they're at work. (Or, indeed, while applying for work.) Employment, and the social dynamics it brings with it, may well carry their own compromises when it comes to privacy claims.

The question is what kind of entity Facebook is, and whether -- and how -- Facebook privacy differs from, you know, privacy privacy. Snooping in someone's Facebook profile is unlike a drug or personality test in that it implicates one's family and friends. It is unlike reading someone's mail in that it paints a holistic portrait of that someone's identity. It is unlike wandering through someone's house in that it presents that someone's identity as a narrative, meaningful and revealing, rather than a collection of objects. But Facebook is like a home in that it houses your loved ones. It is like a home in that it is divided, purposely and definitively, from the open web. It is an expression of yourself. And it is, in the deepest way, yours.

In some ways, it's a good thing that the Perlmutter amendment failed. It's more interesting, and perhaps more subtle -- if vastly, vastly more inefficient -- to make our determinations about the brave new world of social media privacy through the courts rather than through Congress. To what extent can employees reasonably expect that their social media selves -- so implicitly performative, so explicitly public -- hold claims to privacy? To what extent do the employers of public figures "own" those figures' social media accounts? To what extent is it acceptable for schools to punish their students for what they say, on Facebook, at home? Who owns, ultimately, our digital selves, and who decides whether those selves are at core public or private? These are questions we'll likely be answering together, painstakingly, case by case by case.

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.