At Southern New Hampshire University, administrators have a disconcerting — and mandatory — request for student organizations: Give us the passwords to your social media accounts.
But don’t worry. They promise to only use them for good.
According to a report from the New Hampshire Union Leader, all SNHU student organizations are required to provide administrators with the email address and passwords for their social media accounts on a paper form. The university’s rationale seems benign enough — maybe even benevolent: Because the leadership of student organizations can change from semester-to-semester or year-to-year, passwords get lost and social media accounts go dormant, frustrating student efforts to build a community with staying power.
Yet, the university’s solution may carry greater risks than warranted by the problem. In an email shared with FIRE, a SNHU administrator writes that the policy’s “main purpose [is] to enable smooth transitions” between new leaders and prevent “dead pages” — accounts that can no longer be used because they can’t be accessed. And the password-release form says the information “will not be used to change any content on your page.” In the email, the administrator sought to assuage concerns for student privacy and autonomy, explaining that the passwords “will not be used to monitor content or remove posts.”
Then come the parentheses: “(unless it is a dire circumstance).”
That’s an enormous asterisk.
What counts as a “dire circumstance” is left to the imagination. What administrators consider “dire” or to what extent they would monitor these accounts is unclear, but, at a minimum, students who know that administrators might be watching their messages might avoid using social media to organize or communicate, or temper what they discuss.
The dynamics of an online presence can change dramatically when an administrator could be surreptitiously watching your direct messages. As we’ve explained in the past, surveillance chills all manner of speech, particularly threatening speech critical of the university or speech organizing protests or demonstrations.
As a private institution, SNHU isn’t obliged to recognize a right to freedom of expression by virtue of the First Amendment. It nevertheless does so in its policies, and should be held to that promise. That means administrators should avoid undercutting that right through policies or practices that needlessly chill students’ expressive rights or channels.
Alternative avenues to demanding passwords
Continuity of social media pages for student groups can be a frustrating problem when graduating members forget or refuse to turn over management credentials. It’s also not a problem unique to college students, and social media companies have developed a number of good solutions.
Alternatively, schools can create a generic email account for the student group itself and require that social media accounts for the groups be tied to the group email. That way, as students graduate, the email account can be transferred by the school to the new leadership, and the new students can use it to recover the password themselves. In fact, SNHU’s policy does require that the social media accounts be linked to an SNHU email address.
Where there are alternative means to accomplish the same goal — continuity of social media accounts — without risking a chill on student expression, universities should take the less-chilling path. But even were that not enough, this policy is impractical and creates additional risks in password security. A password is only as secure as the most vulnerable link, or least careful person, in the chain. This policy establishes new links in the chain. As SNHU’s webpage on cyber security helpfully observes:
Breaches don’t just take the form of someone hacking into a server. They can also involve customer lists sent through unencrypted email, a password written on a sticky notes in a cubicle, or a company laptop stolen from a worker’s car.
Or maybe passwords written on a paper form.
The above solutions can effectively address the problem without posing a threat to the expressive rights of students. And to be sure, SNHU’s problem is not a novel one. It’s also one administrators have handled with varying degrees of success. We’ve seen administrators demand the login information of students’ social media, and we’ve supported legislation to curb that practice. Given that there are alternative methods of accomplishing the university’s goal without chilling student expression or creating security hazards, SNHU shouldn’t be asking students to hand over the keys to their communications.