Hacker News
Facebook: Legal action against employers asking for your password (zdnet.com)
325 points by Slimy on March 23, 2012 | 144 comments



I have to say, I'm really impressed with Facebook for coming out and making this their issue, instead of just waiting for the applicants and employers to slowly work it out between themselves. In hindsight, it seems like an obviously smart move (both to impress their userbase and to remove disincentives to use Facebook), but somehow it didn't occur to me that they might join in on the fight. Good for them.


Agreed. Damn good PR move.

<sarcasm> Plus those employers shouldn't be getting their Facebook background checks for free. FB has to protect its future revenue streams! </sarcasm>

When FB starts protecting user data from everybody, individuals, business and government, that'll be something. Might even be worth having to wade through your aunt's cats-in-clothing posts.


HOW can Facebook, or anyone else _successfully_ protect user data from government without breaking the law?


Require a confirmed court order before any amount of cooperation with authorities, including the acknowledgement that data might exist.

Assign a legal team to investigate all such orders, and proactively seek injunctions against those that overstep their authority.

Require that all government employees and contractors disclose their involvement (not publicly, obviously) and subject those individuals to enhanced scrutiny with regards to unwarranted data mining. Pursue aggressive legal action against the state for any individuals found in violation of this policy.

Of course, any of this would require Facebook or anyone else to treat its users as customers rather than products.


They can also publish statistics about law enforcement requests by political region, as Google does in its transparency report.


This would be amazing. What I'd also like to know is if LEOs have FB accounts with additional features, or if they have specialized UI where they can query user data. A whistleblower at Verizon a few years ago talked about a paid self-serve web interface they built for law enforcement to query location data because the volume of requests was too much to process manually.

Does the "secret interpretation" of the Patriot Act we keep hearing about include unfettered access to social networks?


By providing at least token resistance?

People shouldn't be getting roped in by the law because law enforcement has free rein to peruse profiles. As well, infiltrating profiles by 'social hacking' (aka asking to friend someone by having a profile with breasts on it) shouldn't be allowed by law enforcement doing fishing operations.

In other words, communications on Facebook should be considered as private communication. Monetization by anonymous advertising akin to Google's model should be the accepted quid pro quo for usage.


Sometimes pieces of government are unaware of laws they are breaking until a well-funded challenger can use the courts to educate it.


Successfully protecting user data from the government isn't an either/or zero-sum situation, it's a game of inches. They should protect it up to the point at which they are most unable, and not a minute nor filing before.


Avoid collecting potentially sensitive information in the first place, if at all possible.

Collecting and retaining the least possible amount of information about users is good security; it's just bad commercial practice. It also protects your users in case you go out of business and end up sold (or pivoting) into a non-privacy-protecting business model, like what happened with Rapleaf.


FB is indeed probably upset because employers were stupid and started asking applicants for their info directly instead of going behind their backs and asking FB for it instead (which FB would have happily given them ... for a fee, of course).

It's pretty likely FB will quietly roll out a paid background check service (which will be hyper-secretive and kept whisper-quiet) at the same time they are publicly grandstanding about this issue. In the linked article, there is a link to a second article about a US Senator who is currently crusading on this issue. He comes right out and says there will be exceptions for law enforcement, government contractors, and jobs with security clearances. Look for them to extend those exceptions until social media spying is back to being a de-facto part of applying for a job, any job. They're going to legitimize this while pretending to be fighting it.

(sounds paranoid, yes ... until it happens)


I actually expected them to do this, because it would've been to their detriment if they didn't. If asking for the employee's password became a "thing", people would've started quitting Facebook, or at the very least try to make fake accounts for their employers. But even so, it's still nice to see them actually doing it.


"I have to say, I'm really impressed with Facebook for coming out and making this their issue"

I don't find it impressive or surprising. This is a major issue that would change what people would want to share. No sharing - no facebook. It's obvious that they need to do whatever they can fair, unfair, legal, fud to stop employers from requesting access to a facebook user's page.

Another commenter (jerf http://news.ycombinator.com/item?id=3745916 ) brought up the issue of legal standing which I agree with. Facebook probably doesn't have legal standing (that is clear) but the mere fact they are raising the issue will stall the process and give them time to come up with a solution. And instill "carry on as usual nothing to see here" into facebook users.

They are getting out in front of the problem before it spins out of control.


Why wouldn't Facebook have legal standing? They're the ones whose servers are being accessed without authorization (employer does not have authorization to use someone else's credentials).


They are getting the credentials by asking the potential employee for them. So it's not without authorization.

Even if they wanted to build a case of coercion or duress they would need the cooperation of the employee to do this. And most importantly what is the specific harm done to facebook by this individual action? If I give you my facebook credentials and you login what damage has been done (to facebook in my specific case)?

If I was the opposing attorney I would raise the issue of whether they police and take action when people share their passwords in other cases. My guess is they have never taken action on something like this in the past.

And as far as changing their TOS what are they going to say? We forbid you from sharing your password with an employer (some might want to do this for some reason) or we forbid you to share with anyone? And if that is the case they have to police all sharing of passwords which, with hundreds of millions of users is simply not going to happen.


Say you let me have a copy of your house key (in case you lock yourself out or sometimes I come in to water your plants maybe watch a little TV and you are cool with both of those). Someone then asks me for the key, and I let them have a copy of it. Do they have your permission to enter your house at all? I sorta think not.

Permission to enter with a key does not necessarily transfer with possession of the key.


How do you get an analogy between a facebook password (which you pick by the way not them) and "copy of your house key"?

The analogy would be you rent a house and are given a key. And then you can give that key to someone else (like the cleaning person). You can also give the key to someone on Airbnb but that might be prohibited by other language ("you can't rent").

Your key example would be "does the employer have the right to give your password (which you gave them) to someone else". The answer to that is obviously "no" unless you told them it is ok to do.


Your Facebook user name and password is exactly like your copy of a key that lets you into their house. Your having picked the character strings used doesn't matter. You are entering their system when you use that key.

Them letting you put a bit of your furniture in their house (i.e. content you own) doesn't mean the house itself is yours. Nor does it mean that your permission to enter their system necessarily transfers to other people even given that you happen to give those other people a copy of the key.


It's probably not productive to use poor analogies here.

Accessing a computer system without authorization from the owner of that system is a crime. Facebook doesn't give authorization for employers to access their employee's accounts on their system, and explicitly forbids their users from transferring their own authorization to others.

As far as I can see, there is simply no way to construe an employer's access as authorized by the owner of the system i.e. Facebook.


"Hey Larry, here's my health insurance card. You can use it, I give you permission."

As soon as you think about this in the context of a paid service, who can grant authorization becomes very clear. The fact that Facebook is providing a free service should not change a thing. It's still their service.


Paid service? An analogy might be a paid hosting service. In that case there is no restriction on who you can give your password to to access say, your, website hosting or domain registration or similar service. Or to make changes or see what is going on there. After all, it's your content. Unless I am missing something which says facebook owns your content once you upload it.

And actually this issue has been settled (you own it):

http://www.nytimes.com/2009/02/17/technology/internet/17face...

Next, check for example the T&C for 1and1.com web hosting (randomly picked).

http://order.1and1.com/Gtc?__lf=Static&linkOrigin=&l...

"You are responsible for maintaining the confidentiality of both your password and your account and are fully responsible for all activities that occur under your password and your account."

Now while 1and1 probably has some language that restricts your ability to resell something (same as you can't resell your cable connection) allowing someone to login (like your web designer?) to view what you have is most certainly not prohibited.

So if your employer said "I want your password to your webhosting account" I don't believe the web host would have standing and/or a cause of action.


There is a difference between:

  >...(you) are fully responsible for all activities that occur under your password and your account

and Facebook's version, which goes:

  >You will not share your password, (or in the case of developers, your secret key), let anyone else access your account...

One says you're responsible for whatever happens on your account, the other explicitly says not to share your password. Kind of different, wouldn't you say?

It's worth mentioning that letting randoms into your Facebook account isn't only playing chicken with your account security, you're also playing with the security of everyone you have friended, who implicitly trust that the only person on the account is the person whose name is on it.

That is something you do not have the right to do on an ethical level, let alone a legal one.


Have you considered the possibility that Facebook and 1and1 have different terms of service?


The standard for "having standing" legally is quite low: To file a lawsuit in court, you have to be someone directly affected by the legal dispute you are suing about[1].

Is Facebook directly affected? Yes - people access their servers.

Harm, authorization etc etc can all be argued in the case, but there is no doubt at all that Facebook does have standing here.

[1] http://www.courts.ca.gov/9616.htm


It's an issue that can lead to a chain reaction. Facebook is protecting itself by protecting its users.

Employers make 'facebook background check' hiring policy -> FB users/prospective employees become more conscious of this -> User engagement drops as users are more careful about posting anything under the sun -> FB loses


Honestly, this protects them more than anybody else. If this "behavior" became the norm for employers, people would begin simply deleting their Facebook accounts in droves.

Facebook is valuable, but not "that" valuable where people would sacrifice a potential job opportunity in favor of keeping their Facebook profile.

That being said, I do like that Facebook has weighed in and it favors an individual's right to privacy.


I agree. This was a damn good way of handling the situation: taking care of it head-on instead of watching from the sidelines and hoping things get better. I didn't think they would do much (except for maybe a blog post about how you shouldn't give your password to anyone or something similar), but this is totally beyond what I expected.


The cynic in me says that facebook is doing this because the employers didn't go through the proper channels (i.e. pay facebook for that kind of access) and it's a message: If you want that kind of data, you have to pay for it.

I hope this isn't the case, but facebook doesn't really have a great record when it comes to privacy.


Your cynicism is somewhat warranted, but slightly misplaced.

Facebook is doing this because not doing so would be really bad for business: i.e., it would threaten the user experience of the site. People would either quit Facebook, spend less time on it, severely tone down or alter their usage of it, or create fake profiles for work. Any or all of those things would be a big detriment to Facebook. So taking a stand on this issue is both good for business and good for PR.


The possibility of a whistleblower, I think, would be too high. It would probably destroy Facebook or close to it.


I don't think Facebook would want to sell its data so obviously just offering users' profiles to any business that comes and pays. This would be too bold of a move.


On what grounds could Facebook sue an employer who asks for your Facebook password? It isn't immediately obvious they have standing to sue the employers. Based on what I assume is their terms of service page (closest thing I could find) [1], it looks like they could sue the employee for giving away their password, but I don't immediately see any grounds for suing the employer. There doesn't seem to be anything forbidding you from using Facebook with somebody else's account at the moment (though look for this to change any minute).

I'm suspecting this could be posturing to stem the short-term damage while they try to get a law passed that gives them standing.

The best guess I could come up with is hitting the employer with some sort of cyber-hacking law, but I wouldn't be comfortable or happy with that sort of twisting of such a law.

[1]: http://www.facebook.com/legal/terms


Facebook may sue under 18 USC § 1030(g) (http://www.law.cornell.edu/uscode/text/18/1030#g) for unauthorized access to its computer systems if the employer obtains an applicant's password and then accesses the applicant's account using this password. It is unsettled whether the applicant's permission alone would be a defense. In fact, it may be a federal crime even if accessing the account was expressly authorized by a state court; see http://volokh.com/2011/12/01/judge-orders-plaintiff-to-give-...


Thank you to you and jleader for good answers.


If the password was voluntarily revealed because you want to be employed and are ready to provide it as a condition of employment, I don't see how you can call it "unauthorized access".

Volokh discusses something else - what if the user does not allow the access voluntarily but is forced by the court (which, unlike an employer, is entitled to use force to compel people to do things) to reveal the password. Then it would be like breaking into a house on a search warrant or forcing you to open the safe (this was discussed some time ago here because of another court decision that said - in TLDR version - that the 5th amendment protects passwords). But that's a different situation.


>If the password was voluntarily revealed ... I don't see how you can call it "unauthorized access".

Because Facebook (the owner of the computer system) did not authorize the access. In fact, Facebook prohibits such access in its TOS.


Facebook decides what constitutes authorized access, not the user. Your right to access the service is not transferable.


Exactly. Imagine if you had a "Million dollars for the login credentials of FBI/CIA/DOE employees!" program. Just because the employees want the million dollars, does not mean the payer is authorised to access those systems.


OK, I guess you have a point, if the information there is not the sole property of the password holder - especially as in the case of the FBI, where an FBI employee has access not to his collection of lolcats pics but to something more important. I guess one could argue on Facebook you can access others' information too, so it still applies.


Voluntarily revealed? What about having their job threatened?


Nobody has a right to hold a particular job; it's an agreement between employer and employee. If the employer requires you to wear a suit as a condition of employment, you can choose either to comply or keep the jeans and T-shirt and find another job, both decisions voluntary. Same with other requirements. Some of course are not legal - so, unless you work in a very special industry, having sex with coworkers is not a legal condition - but I don't see Facebook mentioned anywhere there.


"Tortious interference with contract rights can occur where the tortfeasor convinces a party to breach the contract against the plaintiff..." (http://en.wikipedia.org/wiki/Tortious_interference)

In other words, if the employer (Tortfeasor, Inc.) asks you to reveal your password, they're asking you to violate Facebook's TOS, which could be considered a contract you've entered into with Facebook, so Facebook could have grounds to sue the employer.

You'd have to ask a lawyer about the odds of Facebook winning such a suit, and what the damages might be. I'm just a programmer who gets his legal knowledge from Wikipedia.


IANAL, but my take on this is: Asking for the password itself should be none of Facebook's business. However, as soon as the employer logs in with the password, they become subject to the TOS as well. The TOS for example contain this clause: You will not use Facebook to do anything unlawful. I don't know if that is enough, but Facebook can also change their TOS. And the lawsuit would be pretty good PR for Facebook and pretty bad PR for the employer regardless of the outcome.


I think Blizzard vs. MDY suggests that inducing a user to break the TOS renders the inducer liable to claims of copyright infringement.

http://en.m.wikipedia.org/wiki/MDY_Indus._LLC_v._Blizzard_En....

"The Court found that since the prohibition on botting was a prohibition related to Blizzard's copyright interest in WoW, users of Glider infringed Blizzard's copyright when played the game in violation of the license. The Court believed MDY to be encouraging and profiting from this copyright infringement, and therefore found MDY secondarily liable for the infringement"


While apparently successful in this case, that would appear to be a gross misuse of copyright and this layman would say that Blizzard got lucky and the judgement as precedent sounds fragile.


That's exactly the way GPL misuses copyright to enforce terms on people who have not agreed to contracts with the software provider.

Yes, it's a loophole in copyright law that can be used to massively expand its scope. It is, however, well established in court.


I wouldn't agree with that characterization. GPL terms only apply to redistributors. If you receive GPL software, it's yours. It is only if you want to do something that copyright requires you to have permission to do that the GPL actually kicks in. If you never redistribute the software, the GPL actually lays zero constraints on you.

This is in contrast to conventional EULAs, which forbid you from using the software until you agree to them (basically forbidding you to "receive" the software), and forbid you from any form of redistribution. The case hythloday cites is a EULA issue.

There's nothing abusive about how the GPL uses copyright law. If you violate the GPL and redistribute the software anyhow, that simply means that you are redistributing software without the consent of the owner, which is a very direct copyright violation, not a strange penumbric emanation or anything.


And reversed on appeal: "To recover for copyright infringement based on breach of a license agreement, (1) the copying must exceed the scope of the defendant's license and (2) the copyright owner's complaint must be grounded in an exclusive right of copyright (e.g., unlawful reproduction or distribution)".


Facebook played the Friend card in their press release, and did it really well. If you are giving up your Facebook password, you're not just giving up your information, you're also giving up your friend's information as well.

If any potential employer asks for your Facebook account information, just inform them that your social network would not appreciate giving out their information to a 3rd party, and you think it would be a violation of their trust in you.


The reason that this sort of legal action is necessary is because the kind of people who are being asked this aren't the kind of people who can walk into any company in the valley and get another job. In those situations, the employee doesn't have any cards to play.


I understand your point completely, and I agree with you. It still doesn't change the fact that when you give up your Facebook account information, you are not just surrendering up your personal information, you are giving up the personal information of everyone in your network that has chosen to share with you. It's a breach of trust with that network.


If an employer asks for my Facebook password (or equivalent, as I don't use Facebook), I plan to tell them that I don't appreciate being asked to give out my information. I don't want to work for a company where I need to put spin on an argument to have them not violate my privacy.


This is not about you, me or other highly employable people. This is about a person trying to get any job they can.


It's also about law enforcement jobs where they might hold it against you if you refuse. You have a right to refuse, but then they can just deny you the job because you "obviously" have something to hide.


I wish there were someone willing to stand up for us against employment-related credit checks and drug testing, too.

As a European working in the US, I find it astounding that these utter invasions of privacy are considered routine. I don't know whether they're legally acceptable in Europe, but they don't seem to be morally acceptable to most people.


One thing to remember in the US is that health insurance companies drive a lot of the drug testing. They offer it for free to employers, and in return get the benefit of never having (suspected) addicts try to obtain employer based coverage.

Obviously, this is not a relationship that exists in Europe.


That's fascinating, disturbing and something I had not considered.


[Citation needed]


They are legal certainly in the UK, perhaps less common. Credit checks are fairly common though, especially for finance type institutions.

Drug testing is uncommon outside the military however I did work for an IT outsourcing company who were threatening to bring it in at one point as it was standard practice in their US offices.

Never did it while I was there though, if they had they would have lost about 50% of their staff.


DV security clearance requires drug tests in the UK


Drug testing I've only ever seen for retail jobs and ones where you're responsible for the safety of others, that being said I've not seen very many jobs. I can understand them in those cases as with retail jobs there's a serious problem with drug users since they're usually easy to get jobs that don't require much in the line of skill. For the safety aspect I know that most states have the school bus drivers at least take regular drug tests since it's a serious liability if something were to happen.

Credit checking on the other hand I see as a complete invasion and I'm not convinced it would even give you anything useful, certainly not in this economy and likely not even in a good one.


I can certainly see the reasoning, but it falls apart in application.

A store clerk may be subjected to intrusive medical examination at any time; they are responsible for a few thousand dollars' worth of stock. A Wall Street trader is unlikely to be subjected to drug testing - drug use is, arguably, a part of their culture - despite being responsible for millions of dollars of other people's money.


It probably stems from the idea that people in lower income brackets (possibly with less stable employment) are more likely to be drug users.

For example, casinos drug-screen their employees, but I doubt that such drug screening happens to execs at the casinos who have more power/control over the money that the casino deals in.


I would just assume that execs don't get drug tested because execs are the ones who make these policies in the first place, and why would they drug test themselves?


Wall St does do a lot of drug testing - it gives the bank a get-out with their clients if they can fire an unlucky trader for drug taking. Of course successful ones are never tested.

As Nick Leeson said - nobody calls you a rogue trader when you're winning!


The general pattern in Europe of high youth unemployment, due I gather mostly to the difficulty in firing someone once employed, suggests "Europe" doesn't have all the answers.

We've got a very liquid employment market. Easy to fire means easy to hire, which along with our healthy small business climate means if you've got something many companies would find disqualifying "on paper"* you're still going to be able to find ones that will hire you. Like the ones that don't bother with background checks at all, they just see if you work out.

Traditionally we're big on second chances, e.g. move out of town for a fresh start. Things like the net and specifically Facebook are changing that, but there's still more than enough of it to make a big difference.


I've never heard of anyone actually failing a drug test - I suspect that's because they aren't very sensitive. It's mostly a scare tactic.



| “If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends,”

What are the legal implications for facebook applications? Are there some classes of applications that would be affected by this policy? Given enough permissions, most facebook apps DO access your account and could potentially violate the privacy of friends.

The facebook position above doesn't seem to be limited to employers, but much broader based. I could imagine a shady employer saying 'All candidates must install this (greedy permissions) app to submit an application'. What would be facebook's position on that?


Hmm, sounds like a great opportunity for a startup!

Facebook Careers: installing it allows you to job search, be headhunted and fill in applications; of course, it also provides recruiters a huge amount of info about you.


Like LinkedIn? Where the only information posted is exactly what you want employers to see?


Clearly what we need is a dummy password that leads to a bland profile where your "friends" all note how employable you are.


I think this is an example of somewhere where a legal solution is preferable to "plausible deniability" - at least in terms of ease of use for the majority of FaceBook users :)


Right, but then the employee will only ask for both your passwords…


Not if this is not the default. If they were to implement it they would do it like Truecrypt where you are able to choose between "normal" encryption and creating a hidden volume which allows for plausible deniability (see https://en.wikipedia.org/wiki/Plausible_deniability#Use_in_c... ).


That would be the initial reaction for most job seekers. And I'm betting that's exactly what facebook was trying to prevent with this move.


Did I miss the sarcasm? How is that clear to you?

I thought asking for personal information like marital status, age, etc. is illegal in the U.S.


Doesn't this fall into the realm of discriminatory interview questions to begin with? I'm pretty sure a case could be made in a discriminatory hiring suit without introducing new laws.


This was my first response.

A quick Google search yielded "30 Interview Questions You Can't Ask"

Of the 30, I think about 20 can be learned from someone's Facebook account.


What about employers intercepting SSL connections to spy on social networking/external email usage on the corporate network? Is that against the law too? Genuine question.

This is quite prevalent, and they make it very clear in the Acceptable Use policies that all usage is monitored.


IANAL, and I don't live in the US either, but I can tell you that at least here in Brazil the network traffic is the property of the employer, and you have no expectation of privacy while working, so they can do whatever they want with the traffic that is going to their routers.


If your employer is doing that, it's probably a good time to start looking for another job.


Some of those jobs pay really really well.

Plus, you have the option to not access anything you want to keep personal from the office.


Why? Anything you do at work is open to your place of employment. I work in network/information security, and while we don't decrypt encrypted connections, we do log employee Internet access and use the data for investigative purposes. Why would an employee have an expectation of privacy from their employer while they are using corporate assets?

Yes, many companies have DLP (data loss prevention) systems that sniff all outbound data watching for information leaks. If you're posting on Facebook at work, it is very likely that your employer can see exactly what you're sending. We just don't care unless it's sensitive data (get back to work).


Most jobs that I know that would do that actually just block those sites though. They sniff and block.


> “If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends,”

Weren't they, at one time, one of those sites trying to get your Gmail password/account so they could sniff out who your friends were?


Yes, but what was the reason behind it? They want your password so you can easily look up who else from your contacts is using FB to simplify & accelerate your network connections' growth. Now, if they would do that AND at the same time make a copy of your emails OR use your emails' content to "tag" you as someone who likes/dislikes certain brands/products/etc to better serve you ads now or in the future, that would be a totally different jar of wax. AFAIK nothing like that transpired.


Yes. In fact, I'd argue that privacy invasion played one of the most important roles in the rapid rise of Facebook and LinkedIn


Privacy invasion? It has always explicitly said "enter your gmail username and password so we can import your contacts" or something equally obvious and transparent.


The privacy invasion is for the contacts who never consented to give Facebook their information.


What if the user had entered the contact info manually? Still an invasion of privacy?

In the extreme, this position gets really absurd. I never consented to allow gmail to store my email address in my friends' contact lists. At some point, "your" data becomes your friend's data and it's no longer yours to control.


Same thing with Viber and other apps. Some of my friends use their services and now they have my contact information and can build up a shadow profile on me. I consented to none of that. While they may deny that's their intent it doesn't change the fact they have all that data.


Also, it contributes to a culture of "sure, I'll give you my login information".


"You want my FB password? Sure, but please know that if anyone asks for my company computer account password I will comply with that as well."


only for a bar of chocolate!


I fail to see how "my password is under an NDA" could not be a sufficient response to this silliness. Are they really making breach of contract a necessary condition for employment?


If you're unemployed and need a job, the choice between defending Facebook's NDA and putting food on the table is obvious. I doubt most people even realize that somewhere in Facebook's ToS it says they mustn't disclose their password.


If anyone in the US is looking for models for privacy legislation, we have some okish ones in Europe

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...

Human readable version

https://en.wikipedia.org/wiki/Data_Protection_Directive

Have fun over there


I think lawyers should just fight this with current anti-discrimination law.

Your Facebook profile potentially contains clues about your national origin, religion, family status, and age (relevant if you're near 40).

Few employers are stupid enough to ask a woman if she's married in an interview.* Looking at Facebook can be the same thing.

* Policy guidance for employers urges them to avoid these issues (for good reason): http://web.uflib.ufl.edu/pers/develop/departmentalinterviewi... ; http://www.businesslink.gov.uk/bdotg/action/detail?itemId=10...


Good for Facebook for standing up against this sort of thing.

I have mixed feelings about the whole account access thing though.

On the one hand, I do think it's entirely unreasonable for your employer to have your password. There are certain exceptions to this (eg anything requiring Top Secret clearance?).

On the other hand, my personal view is nothing on the Internet is truly private. If you want it to remain private, you shouldn't put it on the Internet in any form, otherwise it's just a privacy policy change or a security breach or a bug away from being exposed.


This is true, however if you treat everything on the Internet as public then that removes many possible uses for it.

The internet is fast becoming the only communication channel so not using it for anything private will rapidly become impossible.


How about attacks on privacy that use other channels? I don't quite understand the idea that if you want to protect your privacy, you should stay away from the internet. This, 1) gives other privacy invaders a free pass, and 2) makes the internet look like a platform incapable of crafting its own laws.


Who is actually asking for FB passwords? I doubt anyone actually is, and if they are it's part of a scam involving the promise of employment to desperate people.


If what I've read is true, lots of places. A school teacher in my area just got fired for making a student give access to his/her Facebook account which the teacher used to punish students who had talked about the teacher.

I've read about police and city agencies requiring social networking passwords to be given up. Same for departments of corrections. Here's a photo of a job application for a clerical position at a police dept: http://i.imgur.com/hWsZT.jpg (From this reddit thread: http://www.reddit.com/r/WTF/comments/mtenb/wife_came_across_...)

It's apparently quite common. The real kicker is when they also include a non-disparagement agreement in the hiring process, so that they can easily fire you for non-publicly posting about your job.


I have accounts on around 200 sites. Would I need to list every single one?



Schools are breeding grounds for this sort of thing.

Combine psychotic parents, "cyber bullying" (a crisis de jure), morals clauses in contracts, "think of the children" attitude, and sometimes tyrannical administration, and you get crazy stuff like this.


I've heard Israel does that sometimes in the immigration controls.


I'm honestly a little disappointed in the ACLU on this issue. Facebook is doing a good thing taking it on, but the ACLU is bringing this up on behalf of Robert Collins. In the Robert Collins case,(1) the employer (the MD Dept of Corrections) hoped Facebook would reveal "gang affiliations." Race based discrimination alarm bells should be ringing! The best interests of your client are to politely remind the MD DoC that Baltimore juries are especially sensitive to discrimination issues and tend to be very skeptical of enforcement/corrections management.(2) Collins should walk away with a blank check under current law. ACLU is rolling the dice on some new "right to privacy for things you publicly posted" instead. I think it's the wrong way and wrong time for them to argue for that.

(1) http://www.aclu.org/blog/technology-and-liberty/want-job-pas...

(2) http://www.guardian.co.uk/media/2008/sep/06/wire


I'm wondering if, instead, an employer created a facebook app that asked for maximum access, and asked their employees to authorize it. It might no longer be unauthorized access/tortious interference.

I don't know the first thing about facebook app development. Seems like it could be easy to write up. Is it easy for facebook to kill such apps? Am I just making things up that don't make sense?


I would think it would have to be "authorized access" according to the scope of the FB ToS.

Which makes a fair bit of sense, because having an app do it would go through FBs own privacy control schemes.

So I guess we also have to make sure that employers can't require prospects to install apps. :/?


Suggestion: if your employer asks you for your facebook credentials and you have other options in terms of employment immediately hand in your resignation.

Employers that have these sort of practices deserve nothing less than business failure and I think that if enough key employees pack their bags that they will sooner or later get the message. Make it plain what the reason for your resignation is and if you can blog about it, I think that the spotlight of public opinion should help ram home the message that this sort of behavior is off-limits.

And that goes for any other service besides facebook as well, your private affairs are your private affairs, and any employer that wants to stick their nose in does not deserve your brain power.


Summary: Facebook wants to protect its users from employers demanding access to their accounts. The company has clarified, however, that it currently has no plans to sue such employers.

http://www.zdnet.com/blog/facebook/facebook-no-plans-to-sue-...

http://news.ycombinator.com/item?id=3749693


Am I wrong in thinking the only thing this does is protect Facebook's financial interests? Don't they profit from the proper app and ad based mining and selling of this information anyway? There are so many references to the underground background checking methods employed by legal abuses of social networking, wouldn't it take a huge chunk out of their business model to have individuals simply show the information directly to employers, free of charge?


I wonder what happened to good old not putting private stuff on facebook? It's not like you have to use it.

And why this focus on facebook? Is a password to gmail or mint.com or yahoogroups different? It looks like Facebook is using the lawmaking system as a PR move. That's definitely a new and creative development - using the Congress as an advertisement medium - but I don't think it's a welcome one.


> I wonder what happened to good old not putting private stuff on facebook?

Facebook is built around private stuff. The expectation is that the only people who will see it are the people who should be seeing it.

> And why this focus on facebook?

Because employers are not asking for other passwords as often as Facebook passwords, and Facebook has a lot more relevant information. Asking for Mint logins would be a blatant violation of PCI laws.


I don't think Facebook is built around private stuff, I think Facebook is built around sharing. I also recall Facebook managers stated many times that they see the concept of privacy as obsolete and harmful. Yes, of course, Facebook has privacy settings, since that vision is not yet accepted by most people, but the goal of it is sharing, not hiding (unlike webmail, for example) - the information on Facebook is by design supposed to be shared with other people. Of course, the set of these people can be different, but I think the easiest way to avoid publicizing private information is not publishing it on the site that is built for sharing and has always promoted sharing.


I'd have always thought that if you were to give out your password, you'd never be (legally) allowed to access your facebook account again (since you'd be in breach of the terms of service). And also that the potential employer would not legally be allowed to access it, since they'd be accessing a computer system, by pretending to be someone else.


I'd have always thought that the terms of service (that I haven't signed (checking a check box doesn't count)) couldn't just make something, that wasn't already, illegal.

If I don't behave to their liking they could of course cancel my account but that's pretty much it.


>I'd have always thought that the terms of service (that I haven't signed (checking a check box doesn't count)) couldn't just make something, that wasn't already, illegal.

A United States District Court considered whether the Computer Fraud and Abuse Act criminalized TOS violations, and the court concluded that such a statute would be unconstitutional as applied in such a situation under the "void for vagueness" doctrine. U.S. v. Lori Drew, 259 F.R.D. 449 (C.D. Cal. 2009).


Computer Fraud and Abuse Act of 1986 has been stretched such that federal prosecutors have won convictions based on the theory that violating a website’s ‘terms of service’ is a crime under this law. However, eventually it was deemed that this may be too broad a standard, but no clear decision has been made.


Someone suggested to me earlier that it might be possible to call it unauthorised access, which is a crime under that act.

However as you would voluntarily give up the key that becomes complicated; a court would have to decide that you were given no choice (give up the password, or give up the job).


The question then becomes, are you an accessory to a federal crime by enabling someone to gain unauthorized access to a computer system?


No; in much the same way as if the Russian Mafia held you at gun point to hand over the password :)


That is why I have a dummy facebook account. Seriously, when I give someone else access to my account they can then also peer into the lives of my family and friends many of whom only post with security settings that share only with Friends or just Family. I've then given away their right to privacy as well. Uggg....


Idea: Facebook could add an alternate password feature that, if entered only shows content you can manage in your privacy settings. So just like you could hide an album from certain friends, you could hide other content (from yourself) if your alt password is entered. Kind of like plausible deniability in TrueCrypt.


Honestly, who hands out his/her Facebook password to an employer?!

This is like handing out private photo albums or access to the private email account. Any employer demanding this from me can happily continue to be an employer without me as employee (not that I have anything in my FB account anyway, but it's a matter of principle).


By taking this legal action Facebook tries to protect itself in the long run. Imagine if it becomes more common to hand out your account to HR. Quick enough, people will avoid connecting with each other on that platform and move to a competing platform where nobody is watching them.


I figure I'll ask potential employees of mine if they've ever given their password out instead. If they say yes, I'll say "...why?"

The answer might be much more illuminating than anything an employer would ever learn from looking at the Facebook account itself.


Well, you don't need pwd to piggyback into a user's account. Since the userID/pwd validation is theirs, they can bypass the validation if they want based on some prefix or suffix in the userID field.


I like this trend of the big Internet companies taking proactive steps to right the wrongs that are happening in their space. If only more companies had backbones.


Has anyone's employer actually asked for this? I would be extremely offended if a company asked for my FB password


I support Facebook's stance on this, but I'm also quite surprised!

What happened to their "Share everything with everyone!" policy?


They changed it ages ago to "Share everything you want with everyone!"

Honestly. I think FB have had a bad rap over the privacy thing - a long time ago they were very bad. But so were a lot of people, they were just bigger.

Since then (which would have been about 2010, I guess) they've been fairly on the ball with security issues... and though some people disagree with the direction they went, they have built in an awful lot of privacy control.


Couldn't an employer just make applicants apply via a Facebook app and get all the info they want legitimately?


Employers want passwords of FB and not LinkedIn accounts? That's cruel on LinkedIn.


You have nothing to fear if you have nothing to hide.

</sarcasm>


Pot, meet kettle.


This is a very reasonable action for Facebook to take to protect its brand and product.

I'm definitely against random employers asking for a fb password (or rather, access...there should be a way to give them read only access without the password, in any case). Just getting the username (to see what is posted publicly) is more defensible, as is getting deeper access for a security clearance (my credit report is basically boring; interviewing my friends is more useful, but I have literally never spoken to any of my neighbors more than twice each, and never at any length; this is probably not that uncommon). My Facebook account would be a good way to easily get that information.


How would giving them read-only access be significantly better than the current situation of them demanding read-write access? They aren't asking so they can pretend to be you, they're asking so they can snoop on what you've posted that isn't public.


Because they don't need write access. It's a basic principle of security to only give people the access they need -- it keeps them honest, and protects you if they're dishonest or incompetent (or both).

What they should get is actually a snapshot, attested to by Facebook, of the configuration of the facebook account (data export/data dump) from a time chosen before you applied for the clearance, assuming Facebook could reconstruct that. That way I can't remove my anarchist/communist party friends; they could ask for a snapshot randomly selected in a 0-7 or 0-10 year interval beforehand.

I actually trust Facebook security (and my personal password management and computing environment) to be secure against accidental disclosure MORE than I trust OPM or the OPM contractors who do clearance investigations, and certainly more than the shitty credit check plus type investigators most private firms, state/local agencies use. So, giving long-lived access to my facebook profile (or password) would be a bigger cost than just giving them the data. (There have been several cases of laptops without full disk encryption going missing...) Incidentally, it might be interesting to note that most security clearance investigations are actually processed almost entirely by contractors working for the government, not by GS employees, since sometime in the 1990s.

I still don't believe in asking for or giving out FB profile info (beyond "make sure your public facebook profile is professional", for a public-facing role; that seems pretty reasonable to me, although what you have in your friends-locked area is up to you), but if you're going to do it, do it right.


They don't need read access, either. This is about an invasion of privacy, not technical capabilities.


There are already cases where people consent to credit and background checks (fairly thorough; talking to neighbors, friends, etc. at length, for 7-10 years). These are voluntary checks for high level security clearances with the government.

I don't think it's unreasonable to include online social networking profiles in that.

Similarly, a court order should be able to get all the data from a profile, but not to allow the government to masquerade as you by logging in and actively communicating with others.

This has all been debated during the "key escrow" debate period; even the government wasn't able to make an argument for signing key escrow, only encryption key escrow. It's the same issue with a profile.

(I am generally against key escrow, but eliminating some classes of keys from the debate off the bat was a useful strategy then; it would be more useful now.)


> There are already cases where people consent to credit and background checks (fairly thorough; talking to neighbors, friends, etc. at length, for 7-10 years). These are voluntary checks for high level security clearances with the government.

The SSBI is not significantly more thorough than has become common for many private employees, and doesn't find, attempt to find, or care about a great deal of the personal information that may be found in a Facebook profile.

> Similarly, a court order should be able to get all the data from a profile, but not to allow the government to masquerade as you by logging in and actively communicating with others.

Facebook has been providing information in response to court orders for years, but does not provide the ability to masquerade as the user.



