Saturday, March 31, 2012

So You Wanna Screen Employees' FaceBook Pages?

It used to be that some employers liked to do online background checks of job candidates by seeing what people were publicly posting to FaceBook, Twitter and other online presences. While creepy, this was all public material, so you could let it slide. Recently, as people have become more sharing-aware, they are doing things a bit more privately. A once-useful resource for info-trolling is becoming less so. What's the reasonable thing to do: realize that a tool is no longer useful and move on to bigger and better things, or try to force your way into people's intentionally private lives?

Here's a hint: as an employer, trolling for things that used to be public gave you a barometer of how much discretion potential hires displayed. At this point, it should be more than enough to be able to determine, "this guy understands discretion" or "this guy is completely indiscreet". An employer should never think that it's their right to rifle through a candidate's off-the-clock time.

Here's how I look at it, if you go to check up on a candidate and find nothing public on their FB page:

  • The stuff posted to their FaceBook page (etc.) was set to be visible to specific audiences, and it was done so for a reason.
  • Your insistence on logging into their account gives you more than just a view of the candidate's life: it exposes everything their friends have shared. While it may be arguable that it's reasonable for you to see what your candidate is sharing, it is completely unreasonable and unjustifiable to try to see what others are sharing with your candidate. Even if the candidate is willing to give up their own privacy, they have no right to hand over the privacy of their friends, and you have no right to demand it and no justifiable business reason to see it.
  • FB is a single sign-on service for a lot of other sites. By demanding access to your candidate's FaceBook profile, you're also demanding access to every site that uses the FaceBook SSO engine. You compromise privacy on all those sites as well - many of which are even less relevant to the suitability of the candidate than what they may be saying on FaceBook.
  • For anyone - employer, employee, job candidate or a retiree - entering credentials on a foreign computer is risky at best. If it ain't your computer, you never know if there's a keylogger installed on that system. Worse, you don't know if any such keyloggers are controlled by the computer owner (the employee or their employer) or whether it's controlled by the creator of malware.
  • Given that FaceBook info is a treasure-trove of information for identity thieves, it exposes ALL of the candidate's other accounts - whether they leverage the FB SSO or not - to informed-cracking attempts ("Bob has a pet dog named 'Sparky': wonder if that's one of his password-recovery answers?").
  • Depending on how an employer is running their computers, it's also possible that the candidate's FaceBook profile may have other kinds of hidden treasures. A sloppy (or privacy-conscious but devious) job candidate may have malware apps in their profile. Logging into that profile may provide a nifty vector for malware to enter your computing environment. And, frankly, if your invasion of your candidate's privacy ended up damaging your network, you would absolutely deserve it.

Overall, it seems to me that, if a potential employer asks for FaceBook (et al.) information, they should be jointly and severally liable to the account-owner, any site that uses the FaceBook SSO engine, everyone on the candidate's friends list (directly or indirectly) and to any site breached using information from that snooped-on FaceBook account to guess credential-recovery information. I have to think that a half-competent lawyer is going to be able to arrange quite a respectable class-action suit against the snooping employer. I also have to think that a lot of people are gonna want to help with that effort, as well.

To me, as a smart employer, it just wouldn't be worth any information gained from such snooping when measured against all the potential damage it could create or all of the legal liability it would cause to be assumed. Even if the ethics of it are merely questionable, all of the other possibilities just scream, "don't do it".
