Jamie Williams of EFF writes:
EFF, ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations and a union representative are urging the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation.
The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As our joint letterexplains, ESOPPA will result in only further invasions of student and employee privacy.
The ULC is a nonpartisan organization dedicated to researching, drafting, and promoting the enactment of uniform state laws, which it drafts and circulates as “models.” The ULC will vote on ESOPPA on July 11 at its annual meeting, and if it passes, the ULC will circulate the bill to legislators across the country in the hope of uniform adoption in all fifty states. But ESOPPA falls far short of its goal and does not live up to the prevailing standard for protecting social media privacy currently being enacted by the states and as required by the U.S. Constitution.
Social media accounts include vast quantities of sensitive personal information. As the U.S. Supreme Court made clear in Riley v. California, searches of digital devices are grave invasions of personal privacy in ways that physical searches could never be. Yet ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from such accounts. The bill not only fails to comport with protections afforded to such sensitive personal communication under the Constitution, but the few protections it purports to provide are ripe for abuse and without measures to ensure accountability.
Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed.
That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA.
You can read the full text of the letter below or access a PDF of the original letter here. Special thanks to all of our coalition partners, listed in full below.
July 6, 2016
Members of the Uniform Law Commission
111 N. Wabash Avenue, Suite 1010
Chicago, Illinois 60602
Oppose Unless Amended: Employment and Student Online Privacy Protection Act
As civil liberties groups, advocacy organizations, student and parent rights coalitions, and a union representative, we write to you today to express deep concern over the Employee and Student Online Privacy Protection Act (“ESOPPA”). We appreciate the ULC’s interest in protecting the privacy of employees and students alike, but the version of the bill submitted to the full ULC committee for approval at the upcoming annual meeting fails to accomplish that goal in light of its significant deficiencies. While it purports to protect both employees and students, its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide—doing next to nothing to prevent school administrators and employers from coercing or requiring students and employees to turn over highly sensitive social media account information. These provisions do not comport with the Fourth or Fifth Amendment, and will result in only further invasions of student and employee privacy.
We ask that you not adopt this bill until these issues have been adequately addressed. If these issues are not addressed, we urge you to reject the proposed bill in its entirety. Three of the bill’s provisions are most problematic:
First, the bill authorizes state employers and public educational institutions to require an employee or student to turn over information related to their social media account, including login information and social media content, based merely on “specific information about the student’s protected personal online account,” in order to (i) ensure compliance with, or investigate non-compliance with, federal or state law or an educational institution policy; or (ii) “to protect against . . . a threat to health or safety[.]”
The U.S. Supreme Court made clear in Riley v. California, 134 S. Ct. 2473 (2014), that searches involving technology and electronic devices are grave invasions of personal privacy in ways that physical searches could never be. That case involved cell phones, which the court recognized as especially important due to the many kinds of information they contain: “Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. . . . The term ‘cell phone’ is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone.” Id. at 2488–89. Social media accounts contain similarly vast amounts of personal information and implicate the very same concerns. Permitting government agents access to students’ and employees’ social media accounts under the vague terms of the current draft of ESOPPA does not comport with the level of protection afforded to such personal information under the Constitution.
Second, although the bill attempts to limit employers or educational institutions access by requiring that any such entity “reasonably attempts to limit its access to content relevant to the purpose justifying that access[,]” such a limit will prove hollow, as it is not technically or practically possible to segregate “relevant” from irrelevant content until all content is accessed. This provision, coupled with the overbroad grant of authority for employers and schools to compel or coerce employees and students to turn over social media account information, renders ESOPPA ripe for abuse by employers and education institutions alike. And the bill includes no measures to ensure accountability.
Third, the limited privacy protections that ESOPPA claims to provide for students have a glaring deficiency—the bill does not apply to most students. ESOPPA provides purported protections only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. This is not a trivial concern. Students in secondary school and below use social media to learn about and discuss highly sensitive subjects, such as reproductive choices, sexual orientation, gender identity, and political perspectives. In many communities across this country, exposing a student’s perspective on such topics could not only be embarrassing, but it could also place the student’s safety—or even life—at risk. The only option ESOPPA leaves for non-college students who want privacy protection is to not use social media at all. This “option” would do tremendous damages to one of the most vibrant free speech platforms utilized by young people today. This is not acceptable.
We believe it is possible to create a bill that addresses the concerns raised in this letter, protects student and employee privacy, and grants educational institutions and employers the ability to procure social media account information when required or permitted under law, such as when investigating specific allegations of unlawful harassment in the workplace or specific allegations of unlawful bullying by a student or prospective student of another student. Indeed, the American Civil Liberties Union has worked closely with other advocacy organizations and Internet companies alike on its own model legislation, a version of which was enacted in four states this past legislative session alone. Those laws represent the prevailing standard for protecting social media privacy in 2016. ESOPPA, which is coming out of a three-year planning and drafting process, is already showing its age—and it has not even been voted on by the ULC yet. Unless it is the ULC’s objective to roll back the standard for protecting social media privacy currently being enacted by the states, ESOPPA must be significantly revised before it is adopted. The signatories of this letter fully intend to continue our successful efforts to have true social media privacy bills enacted in the states, and if that requires us to oppose ESOPPA, we certainly will.
In order to ensure that ESOPPA does not impermissibly infringe on employees’ and students’ rights, and to enable us to work with rather than against each other on this important issue, we urge the full ULC Committee to either address these concerns or to reject the bill outright.
Thank you for your time and attention to this matter.
American Civil Liberties Union
American Library Association
Bill of Rights Defense Committee
Center for Democracy & Technology
Center for Digital Democracy
Common Sense Kids Action
Defending Dissent Foundation
Electronic Frontier Foundation
Fight for the Future
Free Speech Coalition
Government Accountability Project
Michelle Castro, SEIU California,
Director of Government Relations
National Coalition Against Censorship
Network for Public Education
Network for Public Education Action
NYS Allies for Public Education
Parent Coalition for Student Privacy
Parents Across America
Privacy Rights Clearinghouse
Restore the Fourth
Safety Net Project of the National Network
to End Domestic Violence
Woodhull Freedom Foundation
World Privacy Forum