Earlier this month, we talked about employers violating the privacy of potential employees by demanding access to their social media pages (such as Facebook) by requiring they reveal their user ID and password. Facebook has finally weighed in on this officially, and it warrants a closer inspection of what's going on here.
Facebook's Chief Privacy Officer, Erin Egan, posted Protecting Your Passwords and Your Privacy last week, addressing the official position of Facebook on the issue. One part of that post said:
If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends.
Let's look at this from a hypothetical viewpoint for a minute. Assume that you have a friend on Facebook who is a medical marijuana patient. This has become a battleground between state and Federal law enforcements. Some states have created protections for these patients and the practice of medical marijuana use in general, while the Federal position is often one of iron-fist enforcement. Soon after your job interview, in which human resources made you log into your Facebook account so they could "investigate" your character, your friend is arrested by the DEA agents. Your friend now has a valid reason to file suit against the company, whether you were hired or not, for violating their privacy.
Something else that these companies may have overlooked is the fact that their own Facebook presence could be blocked. In this age of digital advertising, many companies now have a Facebook page, which means they are subject to the same Rights and Responsibilities you are as an individual user. One of those terms is "You will not solicit login information or access an account belonging to someone else." Doing so can result in termination of your Facebook account.
The problem has already seen interest at the Federal level. An amendment was proposed in the Federal Communications Commission Process Reform Act of 2012 (HR 3309) that stated:
Nothing in this Act or any amendment made by this Act shall be construed to limit or restrict the ability of the Federal Communications Commission to adopt a rule or to amend an existing rule to protect online privacy, including requirements in such rule that prohibit licensees or regulated entities from mandating that job applicants or employees disclose confidential passwords to social networking websites.
This amendment was voted down by House republicans. The general feel in mainstream media is that this was a political move along party lines. However, republicans also said that they saw the need for such legislation, and would look at other proposals that would provide such protections. Officially, they felt this amendment to HR 3309 was insufficient to address the issue. The upshot is that we can expect a Federal law to be presented which will more directly address this issue.
One reader posted a response to a blog about this, asking what justification your Guide has in saying the practice is illegal. In simple terms, the pieces are already in place. Information such as login IDs, passwords, key generators and other "access devices" have been identified as private information which must be protected in laws dealing with financial institutions. Similar definitions appear in other laws that do not deal with money, however. Some states have even determined that user IDs and passwords are considered property of the state government. Among other things, making this determination enables government agencies to prosecute hackers who breach their security by means of ID/password of another user.
The fact that these practices have not yet seen the inside of a courtroom simply means your Guide is making a legal prediction: if someone actually brings the case to court, employers will quickly find that the law does not support this practice. There will hopefully be fines involved as well for privacy violations.
Until the Federal government or state governments put actual laws in place that specifically outlaw this practice, however, companies can and will continue to demand potential employees to open up their social media pages for scrutiny as part of the hiring process. Perhaps the best defense against this practice is for job applicants to report potential employers who violate the terms and conditions set out by Facebook.
When companies start losing their Facebook presence, they may reconsider their policies and procedures that require you to give them private information that has nothing to do with your ability to do the job.