Illinois schools can legally demand students' social media passwords

Thanks to a cyberbullying law in Illinois, it's a crime to refuse to hand over students' social media passwords if the school wants them.

Credit: Marc Falardeau

Did you check out the worst passwords of 2014? If you did, then know that could be a 10-year felony under the DOJ’s CFAA proposal. You could also land in prison for a decade if you happened to share the link on any of your social media accounts; at least that’s what EFF attorney Nate Cardozo said before adding, “That’s insane.” And it is.

If you tuned in to President Obama’s 2015 State of the Union speech then you heard him call for better cybersecurity. But many security, civil liberties and attorney experts are concerned about some the accompanying legislative proposals, particularly the President’s proposed amendments (pdf) to the Computer Fraud and Abuse Act (CFAA). The section below is but one example of those proposed changes that mentions passwords:

Proposed CFAA amendment White House

But what about “sharing” a password to a student’s social media account because a school official demanded it? It could happen since Illinois passed 2015 legislation aimed at preventing and prohibiting cyberbullying.

username password iStockphoto

KTVI reported that the new Illinois law to stop cyberbullying, means “school districts and universities in Illinois can demand a student’s social media password. The new law states if a school has a reasonable cause to believe that a student’s account on a social network contains evidence that a student has violated a schools disciplinary rule of policy. Even if it’s posted after school hours.”

Motherboard went a step further by obtaining a copy of a letter sent out to parents, letting them know that the new law means passwords to social networking accounts on “Facebook, Instagram, Twitter,, etc.,” must be provided if the school asks for it. The letter adds:

“School authorities may require a student or his or her parent/guardian to provide a password or other related account information in order to gain access to his/her account or profile on a social networking website if school authorities have reasonable cause to believe that a student’s account on a social networking website contains evidence that a student has violated a school disciplinary rule or procedure.”

What if students, or parents, take the ever-popular “just say no” stance? Triad district superintendent Leigh Lewis told Motherboard, “If they didn't turn over the password, we would call our district attorneys because they would be in violation of the law.”

In 2013, a California school district started paying Geo Listening for social media surveillance of 13,000 students, services that supposedly are for the safety of those students. In 2014, it came to light that an Alabama school district had started monitoring what students posted on social media sites both on and off campus. The school had secretly been using the SAFe program for 18 months, allegedly because the NSA told the school security officer to do so. After it hit the news, we learned that 20 students had been placed in alternative programs, three had been expelled and one student was referred for counseling because of their social media posts.

But that’s not the same thing as requiring students to hand over their passwords. If their parents refuse, then it could result in criminal charges! And sharing passwords could be a crime with CFAA. Man, it’s like having cake and eating it too…which is impossible since the cake is a lie.

Universities and employers have insisted upon passwords in the past, with some states passing laws prohibiting such privacy invasions. NCSL reported that “legislation has been introduced or is pending in at least 28 states.” Ironically, Illinois is one them; Illinois’ Right to Privacy in the Workplace Act forbids employers from requesting or requiring usernames or passwords to workers’ personal online accounts.

Of course, Illinois students are not the schools’ employees. Yet if the proposed changes to CFAA mean that sharing your password for an online service – even with another member of your family could be a felony, then it seems reasonable that students sharing their passwords with a school – or being coerced to do so – would also run afoul of the proposed CFAA amendments. If not then, how about when handing over a password is in direct violations of terms of service accepted when opening an account?

CNET pointed toward section 4.8 of Facebook's legal terms which states, “You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.” Of course it also says users under age 13 can’t have a Facebook account.

President Obama mentioned privacy three times during his State of the Union speech. He also has proposed three different ways to protect the privacy of students and safeguard their data: one was the Student Digital Privacy Act; another involved 75 companies that signed the Student Privacy Pledge to protect students “against misuse of their data;” the third dealt with “new tools” for the Department of Education and a “model terms of service” to protect “American children from invasions of privacy.”

Regarding protecting students, and consumers, President Obama told the FTC about a “series of actions to protect the personal information and privacy of our children.” One was the Student Digital Privacy Act; he said, “Data collected on students in the classroom should only be used for educational purposes — to teach our children, not to market to our children...We want to prevent any kind of profiling that outs certain students at a disadvantage as they go through school.”

Cyberbullying is a terrible thing, but making it a crime to refuse handing over a password is extreme. As happened in Alabama’s SAFe program, sooner or later some school official will find digital dirt on students that has nothing to do with cyberbullying. What if it is about sexual orientation or religious preferences? Couldn’t that potentially lead to profiling students?

The Illinois law doesn’t seem constitutional; it also seems to breaking the proposed anti-hacking law amendments. Of course, the changes to the draconian CFAA don’t seem constitutional either.

To end on a positive note…Windows 10 will be offered as a free upgrade for a year to Windows 7, Windows 8.1 and Windows Phone 8.1 users! Hooray!

Cybersecurity market research: Top 15 statistics for 2017