Are Facebook passwords fair game for employers?

By Scott Bradner

In the last week of March Associated Press published an old story about a job applicant being asked for their Facebook password as part of the review process as if it were a new incident. The story apparently hit a sore point because it was all over the press within a day or so and in short order politicians were posturing and reaching for the limelight by introducing legislation to ban the practice and sending letters to enforcement agencies demanding action. Based on the comments since the story broke it is clear that the specific practice of demanding a applicant's password to a social media site is not common but that there is a common worry that it might.

The ruckus started when the Associated Press reported that two years previously the Maryland Division of Corrections had demanded an officer's Facebook password during a recertification interview. (http://www.statesman.com/business/more-often-employers-asking-job-seekers-for-facebook-2260932.html) Facebook quickly weighed in, said that employers should not be doing this because it violates the Facebook user's privacy and Facebook's terms of use, and seemed to threaten to sue employers that did so (http://www.networkworld.com/news/2012/032312-facebook-warns-employers-not-to-257588.html) - only to drop the threat a few hours later. (http://www.zdnet.com/blog/facebook/facebook-no-plans-to-sue-employers-asking-for-your-password/10802_ )

US Senators Schumer (D-NY) and Blumenthal (D-CT) sent letters to US Attorney General Holder (http://schumer.senate.gov/Newsroom/record.cfm?id=336396) and Equal Employment Opportunity Commission Chair Berrien (http://blumenthal.senate.gov/newsroom/press/release/blumenthal-schumer-employer-demands-for-facebook-and-email-passwords-as-precondition-for-job-interviews-may-be-a-violation-of-federal-law-senators-ask-feds-to-investigate) asking that they investigate if any laws had been broken., and US Representive McHenry (R-NC) said he was drafting legislation banning the practice. (http://thehill.com/blogs/hillicon-valley/technology/218795-republican-preps-bill-to-ban-bosses-from-asking-for-facebook-passwords)

Certainly a lot of fervor - now for a bit of reflection.

Is the practice common? - likely not, very few companies have fessed up to doing this and few employees have come forward to say that it happened to them. But, that said, the majority of companies have been looking at information applicants post on social media sites for years. One survey a few years ago said that 60% of companies had rejected an applicant based on something publicly posted on a social media site. So don't think you are off the hook for that incriminating picture taken at the beach house last summer just because you were not asked for your password.

Is asking for an applicant's password legal? - Maybe not, the Schumer / Blumenthal letter points to some court cases that might indicate that it is illegal.

What messages does such a request send to the applicant? - Clearly the first message is that the company treats its employees as chattel, not as people. The idea that a company would want to root around in an employee's private life should be deeply disturbing to any applicant. I wonder how many of the people asking for passwords would be happy if their own personal life were regularly reviewed by others in the company. Another message is that the company does not care much about information security. Asking for an applicant's password would violate security policies in just about any company with an information security policy since any information security polity worthy of being called an information security policy prohibits the sharing of passwords and blocks employees from asking for user's passwords. Maybe the right response if asked is "Is this a test to see if I am willing to follow the company information security policy? I am, so I will not give you my password."

This type of thing appears to be rare now, and hopefully will remain so but the reaction to the original report clearly indicates that a lot of people have been conditioned to expect the worst when it comes to privacy and dignity in modern society - and that is sad.

disclaimer: Harvard's information security policy (http://www.security.harvard.edu/enterprise-security-policy) includes a policy to not share passwords and I have not heard that recruiters violate the policy so the above set of opinions is my own.