Illinois Schools Decide They Can Log Into Kids' Social Media Accounts
An Illinois anti-cyberbullying law that took effect Jan. 1 has the awkward side effect of allowing school districts in the state to demand their students' social media passwords so they can investigate suspected violations of school rules.
Although the law doesn't explicitly give districts the right to collect passwords (it just requires them to have "a process" to investigate whether reported bullying falls under the district's jurisdiction), schools are already interpreting it that way. In a letter to parents obtained by Motherboard, the superintendent of Triad Community Schools Unit District 2 wrote,
"School authorities may require a student or his or her parent/guardian to provide a password or other related account information in order to gain access to his/her account or profile on a social networking website if school authorities have reasonable cause to believe that a student's account on a social networking website contains evidence that a student has violated a school disciplinary rule or procedure."
That district is probably not an isolated case: The language appears to be copied verbatim from an example letter drafted by the Illinois Principals Association.
"If they didn't turn over the password, we would call our district attorneys because they would be in violation of the law," Triad District 2 superintendent Leigh Lewis told Motherboard.
Again, there's nothing explicit in the law that requires students or their parents to give up social media passwords. It would be especially strange if there were, considering that Illinois barred employers from demanding employees' (or prospective employees') passwords in 2012.
A student or parent who handed a Facebook password over to the district would also be in violation of Facebook's terms of service, which forbid letting anyone else access your account. (This also applies to Facebook-owned Instagram, but WhatsApp and YikYak, which kids are more likely to be using these days, don't have similar policies).
Giving up a password may also violate the federal Computer Fraud and Abuse Act, which forbids "unauthorized access," because being coerced into giving up your password may not count as "authorizing" someone to use your account.
It's also being widely reported that universities in the state could use the cyberbullying law to collect passwords, but that appears to be inaccurate. The relevant statute only applies to "school districts, charter schools, and non-public, non-sectarian elementary and secondary schools"—higher education falls under an entirely different section of state code that the anti-cyberbullying bill didn't even touch. There haven't been any reports of universities attempting to apply it to their students.