By Zachary Gold and Jeff List
The newest way for employers to vet candidates for jobs is to ask for Facebook usernames and passwords. The practice is not always limited to job seekers; there are reports of companies asking current employees for their social media credentials. Employers have been using social media sites such as Facebook and Twitter, and to a lesser degree Google+, to vet employees for some time. Before hiring people, it is not uncommon to look at their profile to see what an employee is like when they are not in the middle of an interview.
Some members of Congress have recently turned their attention from creating jobs to the hiring process itself. Specifically, elected officials are concerned about employers, including public agencies, who ask prospective employees for their Facebook passwords. Employers (95% of them) look at prospective employees’ profiles for obvious reasons: people keep their profiles packed with information about themselves–more information than can be gleaned from a basic personality test. Many recruiters have rejected a potential employee because of information the recruiter found online. Likely, at least in part, for that very reason, many people have made their profiles private, leaving employers in the dark and driving them to ask for users’ passwords.
What is not at all clear is whether asking for online credentials is legal for employers. There are a number of potential legal questions raised. For instance, is this an invasion of privacy? By logging on to a website using someone else’s credentials, are they engaging in fraud? Or identity theft? What happens if they find out that the prospective candidate is a member of a protected group? None of these questions are easily answered using current laws.
Facebook has responded by changing terms of service to make it a violation of Facebook policies to either share or solicit someone’s Facebook password. Facebook even hinted that it may sue companies that ask prospective employees for their passwords, but has since backed off that position, stating that the company “do[es] not have any immediate plans to take legal action against any specific employers.” (http://www.forbes.com/sites/kashmirhill/2012/03/23/facebook-doesnt-want-employers-asking-for-users-passwords/)
Given the amount of sensitive information kept on Facebook and similar websites and the difficulty many applicants may have refusing to hand over their password (as it may mean not getting a job), some policy makers view the practice as an “unreasonable violation of privacy.” (http://www.zdnet.com/blog/facebook/senator-vows-to-stop-employers-asking-for-your-facebook-password/10778) Senator Richard Blumenthal is drafting a bill that would ban the practice at issue. While the practice is still legal, though, Facebook sees multiple issues that companies asking for passwords may run into.
First, employers perusing an applicant’s Facebook profile may discover that person is a member of a protected group, opening themselves up to claims of discrimination if the applicant is not hired. Some characteristics may be relatively easy for an employer to deduce during an interview (it may be easy to determine, for example, that a given applicant is elderly, or Hispanic). However, access to an applicant’s Facebook profile could disclose information about the person’s national origin, religion, sexual orientation, and a host of other facets of a person’s identity. Embarrassing photos from college parties are clearly not all that is at issue.
Second, Facebook is concerned about a broader privacy issue than a given user’s profile. Once an employer has access to an applicant’s username and password, it also has the ability to view the profiles of that user’s friends who may also have their profile set to private and who did not agree to have a stranger peruse their profile. Facebook’s Chief Privacy Officer, Erin Egan, noted that “[if] you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends.” (Emphasis added) (http://www.theatlantic.com/technology/archive/2012/03/facebook-threatens-legal-action-against-employers-asking-for-your-password/254979/) Ms. Egan has also said that the tech giant will be lobbying Congress in support of legislation preventing employers from requiring employee online credentials. (http://thehill.com/blogs/hillicon-valley/technology/217883-facebook-to-lobby-against-employers-requiring-passwords).
This is not an entirely new issue; in February 2011, the American Civil Liberties Union (ACLU) attempted to intervene on behalf of Officer Robert Collins, who was forced to give his Facebook username and password when he recertified with the Maryland Division of Corrections (DOC). The DOC was looking at employees’ photos and wall posts to ensure the prison guards did not have any affiliation with gangs. After facing scrutiny from the ACLU and others, the Maryland DOC suspended the practice to review the policy. The City of Bozeman, Montana, instituted a similar policy requiring employees to hand in usernames and passwords for all social networking websites–including email clients–in 2009.
Senator Blumenthal (D-Conn.) is planning on introducing a bill to make this practice illegal, but it technically already is. The Justice Department considers using a social networking website in violation of the terms of service a federal crime. The Justice Department has said that those violations would not be prosecuted. While Sen. Blumenthal believes this is a federal issue, state representatives are beginning to take action. A Chicago Democrat has already introduced a bill to ban employers from asking for such information in Illinois.
There are two federal laws already on the books that might affect employers asking for this kind of access: the Stored Communications Act and the Computer Fraud and Abuse Act. However, those acts refer to accessing information or accounts without permission of the owner of the account. The Stored Communications Act refers both to access without permission and to intentionally exceeding authorization to access. If the employer is given the information, however, it is hard to show that the access is unauthorized. The Computer Fraud and Abuse Act, on the other hand, requires that there be intent to defraud or cause harm. Employers would argue that there is neither harm nor intent to defraud in the accessing of employee information. Unless the prospective employer were to post information to the profile, it is hard to see how they could be prosecuted under such a law.
The Illinois bill, HB 3782, which is still waiting for a vote by the full Illinois House and has gained eleven co-sponsors since it was introduced by Rep. La Shawn K. Ford, would make it illegal for employers to ask prospective employees for their password or account information for social networking sites. A similar Maryland bill from January 2012, HB 364 (also not yet voted on), would make it illegal for employers to require employees to provide usernames and passwords.
Expect Sen. Blumenthal’s bill to be a bit more complicated than the state bills. He plans on including exceptions for federal and local law enforcement agencies and national security departments (though not, it seems, private companies with government contracts for highly classified work). The Senator believes that the practice constitutes an unreasonable invasion of privacy, especially considering that employers have other ways to find the information. They routinely look at Facebook profiles before making hiring or interview decisions. Some companies try more surreptitious means, such as “friending” applicants on Facebook in the hope of getting better access to information on their profiles. (http://www.forbes.com/sites/erikamorphy/2012/03/25/never-mind-about-that-facebook-password-employers-there-are-other-less-creepy-ways-to-find-out-what-you-want-to-know/?feed=rss_home)
Should the type of position you are applying for matter? What if a person is applying to serve as a spokesperson, the “face of the company” as it were? In such a situation, where a person’s reputation may be closely associated with that of the company they work for, is their online reputation less important than other public information? Senior sales managers are generally successful as much due to their reputation and persona as their knowledge. Employers may hire them for that reputation, and in that situation, they may have a duty to investigate fully a highly paid potential employee’s online persona. Failure to do so could potentially breach a duty to their company.
The issue of online privacy is certainly not going to be put behind us anytime soon. But, given the public’s reaction to reports that employers are beginning to require this information from prospective employees (70% are against it according to a recent Rasmussen Reports poll) and the ACLU’s success in getting the policy suspended in Maryland, it is probably safe to assume the practice will not last much longer. At the very least, as the economy improves and job applicants have more choices, applicants will have an easier time saying no to employers they consider overly intrusive and will simply go elsewhere.
18 U.S.C.A. § 1030
18 U.S.C.A. § 2701