Controversy Erupts Over Employer Requests For Facebook Passwords

Like it or not, what you do online will be of interest to someone looking to hire you.

Over the past week or so, attention has been drawn to what is apparently a new phenomenon in the employment world: employers who ask prospective employees for access to their Facebook or other online accounts as part of the job application process:

When Justin Bassett interviewed for a job, he was stunned when the interviewer asked for something more than his experience and references: his Facebook username and password.

The New York statistician had finished answering a few character questions when the interviewer turned to peruse his Facebook page. Because she couldn’t see his private profile, she asked him for his login information.

Bassett refused and withdrew his application. But other job candidates are confronting the same question, and some can’t afford to say “no.”

“It’s akin to requiring someone’s house keys,” said Orin Kerr, a George Washington University law professor who calls it “an egregious privacy violation.”

Companies that don’t ask for passwords to vet applicants have taken other steps — such as asking applicants to “friend” human-resource managers.

This seems to be the latest development in a trend that has expanded gradually as the Internet itself and social networking in particular have become a more common part of everyday life. To put it simply, we now live in a world where anything you say or do online is going to be discovered by anyone willing to type your name into a Google Search Box, or look you up on Facebook or Twitter. For this reason, many people choose to remain at least semi-anonymous online, or at least to keep their social networking profiles open only to people they know and have approved for access. It’s an understandable decision, of course. For some people it’s a professional necessity that’s required by their employer (I am personally aware of several people in professional or sensitive, non-government positions who keep their online personas anonymous for this reason). For others, it’s a matter of personal safety given the all-too-common existence of online stalkers who have brought their behavior into the real world.

The question becomes whether prospective employers can, or should be able to, require job applicants to break that anonymity and reveal their online personas. For one thing, I think it depends on what kind of job we’re talking about. If, for example, it’s a position involving access to sensitive information, or a position of trust, then requiring that an applicant reveal this side of themselves isn’t necessarily unreasonable. In that regard, one is led to wonder about the extent to which information like this is routinely required to be revealed as part of an application for a government security clearance. If you’re applying for a position as a janitor, though, the argument on behalf of the employer being able to make such a request strikes me as being far weaker.

Not surprisingly, these reports have led at least two Senators to call for Federal agencies to investigate the practice, and Facebook itself is chiming in to say that the practice violates its own Terms of Service:

Facebook follows the news just like you do. And it’s been paying attention to the weird and worrying new trend that employers have asked prospective employees for their Facebook passwords during the hiring process.

Today, Facebook, in the name of “protecting your passwords and privacy,” has made it a violation of its Statement of Rights and Responsibilities to “share or solicit a Facebook password.”

“We don’t think employers should be asking prospective employees to provide their passwords because we don’t think it’s the right thing to do,” Erin Egan, Facebook’s Chief Privacy Officer, explains. “But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.”

But! It’s not just that sharing or soliciting passwords is now a violation of Facebook’s terms of service. There’s more. “We’ll take action to protect the privacy and security of our users,” Egan notes, “whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges.”

In other words: It looks like Facebook is considering suing the parties who ask for its users’ passwords.

I’m not at all sure what legal basis Facebook would have for suing a third party for requesting a password from a user and, in fact, under the very language of the Terms of Service, the person who would be in violation in this situation would be the prospective employee who shared the password, not the person they shared the password with. In fact, the only legal action that Facebook would be able to take in such a situation would be to terminate or suspend the user’s Facebook account. What legal basis they would have for proceeding against the employer is unclear, as is what the damages would be absent some statute that prohibits the action. No such law appears to exist anywhere in the country at the moment.

I’m not sure, though, that new laws are the answer here. In the end, employers have a right to screen the people they hire as they see fit and to refuse to hire them if there’s something in their background that they believe would not be in the employer’s best interest, or which potentially makes the employee untrustworthy. Barring employers from using this particular method to discover more about their prospective employees is just going to mean they’ll find other ways to do it because, like it or not, what you do online will impact your job prospects:

One in five technology firms has rejected a job applicant because of his or her social media profile, according to a Eurocom Worldwide Survey.

The annual study had previously found that almost 40 percent of respondents checked out potential employees’ profiles on social media sites, but this is the first year that companies had confirmed that they had rejected applicants based on their digital presence.

“The 21st century human is learning that every action leaves an indelible digital trail. In the years ahead many of us will be challenged by what we are making public in various social forums today,” said Mads Christensen, network director at Eurocom Worldwide.

“The fact that one in five applicants disqualify themselves from an interview because of content in the social media sphere is a warning to job seekers and a true indicator of the digital reality we now live in.”

Or, as Jazz Shaw puts it:

Personally, I think this falls back on an old rule of thumb in the internet age. If you need to work for a living or do anything outside of your online life, you simply can’t take anonymity for granted. Don’t put anything out on the web unless you’d be comfortable having your family, your enemies and – yes – even your employer or prospective boss seeing it. Because odds are, sooner or later, they will.

Indeed.

UPDATE (James Joyner): I addressed this issue over a year ago, taking the opposite position, in a post titled “Want A Job? Give Us Your Facebook Password.”

While I think the prospective employee has a lower expectation of privacy when applying for a government job, especially a particularly sensitive one like military, intelligence, and law enforcement positions, there are limits. And, I’m sorry, “If you don’t like it, don’t apply to work there” has some limits, too.

Should employers Google the names of prospective employees and perhaps check out their public Facebook and Twitter profiles? For many white collar jobs, I think that’s reasonable. But accessing private information seems out of bounds. Indeed, if they can demand to look at the inside of your Facebook account, why not your Gmail account?

Additionally, as noted in the ensuing discussion, employers may inadvertently run afoul of existing employment law with this practice. It’s illegal for employers to ask prospective employees about their marital status, whether they have children, or any number of other issues. Yet, that information will often be immediately available on one’s Facebook page.

FILED UNDER: Economics and Business, Law and the Courts, Science & Technology, US Politics
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. I agree that one has to recognize that whatever one puts online can be found. That is different to me, however, than employers asking for passwords to accounts. That strikes me as utterly out of bounds unless one is applying for a job that requires a security clearance.

  2. I’m not at all sure what legal basis would have for suing a third party for requesting a password from a user and, in fact, under the very language of the Terms of Service, the person who would be in violation in this situation would be the prospective employee who shared the password, not the person they shared the password with.

    Aside from the fact that obtaining unauthorized access to a computer system in this manner is both a federal felony and a felony in many states, access to the private sections of a facebook profile could reveal all sorts of things (marital status, religious beliefs, political affiliations, etc.) that it’s against the law to inquire about in job interviews.

    So it seems to me the companies are creating a huge liability issue here.

    Not to mention that the companies might like to remember that during a job interview, they are being evaluated as a potential employer as much as the applicant is being evaluated as a potential employee.

  3. Trumwill says:

    In the end, employers have a right to screen the people they hire as they see fit and to refuse to hire them if there’s something in their background that they believe would not be in the employer’s best interest, or which potentially makes the employee untrustworthy.

    Should they be able to request your email password? And if not, what do you see the difference as being?

  4. @Steven L. Taylor:

    Then they’ll just ask employers to accept a Friend Request, thus accomplishing the same thing.

  5. @Stormy Dragon:

    access to the private sections of a facebook profile could reveal all sorts of things (marital status, religious beliefs, political affiliations, etc.) that it’s against the law to inquire about in job interviews.

    Excellent point.

  6. @Stormy Dragon:

    If I give someone my password and sign an agreement that says they are permitted to use it for some limited purpose, then it is not “unauthorized access” as that term is typically used in the laws you describe.

  7. @Stormy Dragon:

    access to the private sections of a facebook profile could reveal all sorts of things (marital status, religious beliefs, political affiliations, etc.) that it’s against the law to inquire about in job interviews.

    So could Googling someone’s name or noticing that they have a wedding band on their finger, or a necklace with the Star of David around their neck.

  8. @Doug Mataconis: I don’t see how they have the right to that request. It hits the same issues as Stormy Dragon notes: marital status, sexual orientation, political views, etc.

    Should an employer have the right to request to visit my house, meet my friends, and attend my social functions?

  9. @Steven L. Taylor:

    That strikes me as utterly out of bounds unless one is applying for a job that requires a security clearance.

    The people doing security clearance reviews aren’t allowed to ask you for passwords.

  10. @Doug Mataconis: But that’s public knowledge (and I wore my wedding ring to job interviews, too-but the employer could not ask about it). I have wedding photos on my public Flickr account. Those were my choices. Access to accounts is a whole other level of intrusion.

  11. @Steven L. Taylor:

    Your question assumes that a “private” Facebook profile is the same as the private aspects of someone’s law. I’m not sure that it is and I am even less sure that there should be a law about this.

  12. @Doug Mataconis:

    If I give someone my password and sign an agreement that says they are permitted to use it for some limited purpose, then it is not “unauthorized access” as that term is typically used in the laws you describe.

    It is if you don’t have the authority to grant that permission, which in the case of Facebook you don’t.

  13. @Doug Mataconis: Why? Why shouldn’t something that I consciously choose to indicate as “private” not be treated as private within a reasonable understanding of private?

    Google me all you like, but if I have consciously placed information behind a wall, an employer should have no anticipation of being allowed to access that information whether it be Facebook, Flickr, my e-mail accounts, my bank accounts, my credit card accounts or whatever else is accessible online.

  14. alkali says:

    I’m not at all sure what legal basis would have for suing a third party for requesting a password from a user and, in fact, under the very language of the Terms of Service, the person who would be in violation in this situation would be the prospective employee who shared the password, not the person they shared the password with. … What legal basis they would have for proceeding against the employer is unclear, and what the damages would be absent some statute that prohibits the action. No such law appears to exist anywhere in the country at the moment.

    There is a legal cause of action called tortious interference with contractual relations — basically, intentionally causing someone else to break a contract. For example, if company A has a confidentiality agreement with its top research scientist, and company B pays the scientist a lot of money to reveal company A’s research results and plans, company A could sue company B for tortious interference.

    Presumably, Facebook has something like this in mind: Facebook has a contract with its users embodied in the Terms of Service that prohibits password sharing, and if an employer causes the user to violate the Terms of Service by requiring them to share their password, Facebook could sue the employer for tortious interference.

    I note that in at least some states, simply intentionally causing someone to breach a contract is not enough to state a claim for tortious interference — a plaintiff has to show that the interference was accomplished by some improper means or had some improper motivation behind it. For example, suppose I am the ground beef supplier to Burger King, and you convince Burger King that your ground beef is cheaper and better quality, and Burger King drops my contract. Presumably I shouldn’t be able to sue you for tortious interference for simply competing in the market. The “improper means or motive” requirement might pose a problem for Facebook’s claim: employers will doubtless argue that they have sensible reasons for asking for an employee’s password.

  15. @Stormy Dragon:

    You are assuming that the Terms of Service actually constitute a binding contract. That’s not clear either.

  16. @Steven L. Taylor:

    You can choose to do that. I’m just not sure the law should say that a prospective employer shouldn’t be able to refuse to hire someone who doesn’t comply with such a request.

  17. @Doug Mataconis:

    I’m just not sure the law should say that a prospective employer shouldn’t be able to refuse to hire someone who doesn’t comply with such a request.

    For the sake of argument: why not? If an employer can be forbidden from asking any number of personal questions, why is it problematic to add this category to the list? I see this as a liberty question for the individual.

  18. @Steven L. Taylor:

    Is there such a thing as a “liberty interest” vis a vis private individuals as opposed to the state? I’m not sure, and the problem with a law like this is that it opens the door to the idea of a law that says employers cannot Google their job applicants.

  19. Trumwill says:

    @Doug Mataconis:

    Then they’ll just ask employers to accept a Friend Request, thus accomplishing the same thing.

    We should at least be clear on one thing, requesting the acceptance of a Friend Request and asking for a password are two different things. The latter gives them access to reams of personal correspondence. It also gives them access to the phone numbers, addresses, and email addresses of people that you know. People that did not surrender their right to privacy by applying for a job (or publishing their contact information with a TOS that did *not* include employers of your friends getting that information).

  20. Anon says:

    @Doug Mataconis: Well, where do you draw the line, then? I’m seeing this more from the viewpoint of someone in software. Let’s say that in FB you can send a private message to an individual. (I don’t use FB, so I’m not sure if one can do that or not, in reality, but let’s assume so.) How is this different from e-mail? In that case, then should employers request e-mail passwords? If they can request that, then how about the password to my wireless network? What about voicemail password?

  21. Anon says:

    For what it’s worth, my stance on this is that Googling for anything public is fine, but asking for account passwords is going too far. Accepting friend requests is somewhere in the middle.

  22. Jeremy says:

    Sorry, Doug, I’m going to disagree with you entirely on this one and side with Joyner, Stormy, and Steven. This is just an absurd and unacceptable request, akin to demanding the password to someone’s Gmail account. Would you give that up? I certainly wouldn’t. If I say it’s “private,” it’s private.

    In 20 years, though, this will likely be a non-issue. Everyone will have said stupid sh*t on Facebook, or will have seen this and decided it wasn’t worth the bother. Either way, there won’t be any point to actually checking anybody’s private accounts and it will become a thing of the past.

  23. Stan25 says:

    This is just like employers doing illegal credit checks on people. They have gotten away with it, because no one has ever protested that method. I don’t see where a person’s credit worthiness has to do with getting a job. Used to be that what was written down on a job application was fine and dandy with most employers, except the government jobs that require extra screening, i.e. CIA, FBI, etc.

  24. Jeremy says:

    @Doug Mataconis: Just because they’re a private organization doesn’t mean they’re permitted to intrude into someone’s personal life, Doug. Sure, you could say that because the employee doesn’t agree, he doesn’t have to work there, but then why should the employer be getting into their personal life in the first place? There has to be a line drawn. Googling is fine, because that collects public information, but public and private are two totally separate worlds.

  25. James H says:

    I’m not at all sure what legal basis would have for suing a third party for requesting a password from a user and, in fact, under the very language of the Terms of Service, the person who would be in violation in this situation would be the prospective employee who shared the password, not the person they shared the password with

    Maybe some sort of tortious interference with contract claim?

  26. Scott says:

    @Steven L. Taylor: IF a job requires a security clearance, then the process of obtaining that clearance is a separate one, requiring the filling out of forms and a background investigation by professional investigators. It is not done by the HR department by some HR toad mucking around on people’s Facebook accounts. It may be a non-sequitur but this idea that someone who employs you has the right to access your life outside of the job site or control you in some way seems to be increasing in recent years. This needs to be nipped in the bud.

  27. rodney dill says:

    When I was a manager I learned that right behind termination, hiring was the biggest liability bug-a-boo when dealing with employees. I suspect this practice will stop once people win a few lawsuits against employers that attempt to apply this practice. I would suspect that lawsuits over this would likely result in information the potential employer could find out that they could not legally ask during an interview. As Stormy pointed out there are some taboo subjects in a hiring interview.

    I would also suspect some enterprising individuals could ‘salt’ their facebook page with such information, then use that to sue the company when they weren’t hired.

  28. @Scott: About the security clearance issue: all I really meant was that the notion that serious scrutiny of one’s personal life when seeking employment is usually only permissible in cases where a security clearance is involved.

    It may be a non-sequitur but this idea that someone who employs you has the right to access your life outside of the job site or control you in some way seems to be increasing in recent years. This needs to be nipped in the bud.

    Agreed.

  29. Rick DeMent says:

    Personally I would never give a job to anyone who would give up their password to me just because I asked. I would think they would be far too easy to pressure into giving up my company’s secrets.

  30. @Doug Mataconis:

    Is there such a thing as a “liberty interest” vis a vis private individuals as opposed to the state?

    Yes, I think there very much is. Surely anti-discrimination laws fit into this category.

    Did not segregationist practices by private entities impede the liberty of blacks in the past? Did it not impede not only their daily lives but also their ability to pursue livelihoods? Just because an entity is privately owned does not mean that it cannot engage in activities that impede the liberty of private citizens, especially if a group of actors behave in a similar fashion.

  31. Kit says:

    I’d like to hear what Doug would say if lawyers were required to hand over all passwords in order to practice law, you know, just to be sure that they are on the straight and narrow. Don’t like it? Well, with luck the local grocery store has easier standards. For now.

    And where are all the usual right-wing voices that haunt this blog? What happens when the (ahem) rights of employers clash with the rights of citizens to keep people off their backs?

  32. John Burgess says:

    @Stan25: Are those pre-employment credit checks illegal? Could you point me to a law that forbids them?

    I’m not arguing in favor of them, necessarily, but I’m not aware of any law that actually prohibits them.

  33. Jeremy says:

    @Kit: I suppose, as a libertarian, I could count as right-wing, though I always felt I was somewhat on the left side of the movement.

  34. anjin-san says:

    Simple fix. Post a few photos of yourself in a bathing suit in one of your picture galleries. Take it in your back yard, not at a public place. When someone asks for your password, say “I’m sorry, but I have a photo of myself in a bathing suit posted on Facebook that I am not comfortable sharing with a stranger.”

    Then make sure you have one of the leading firms dealing with sexual harassment litigation on speed dial. Call them from the interview and say, “I am at a job interview, and they are demanding I give them access to private photos of myself in a bathing suit as a condition of employment.” Then ask the interviewer “can I get your name again? Yes, and what is your title? Who do you report to?”

    Things should get pretty interesting from there…

  35. rodney dill says:

    @Kit:

    And where are all the usual right-wing voices that haunt this blog?

    I’m not sure how much you can derive from a post early on a Sunday afternoon versus a weekday post.

  36. Gromitt Gunn says:

    I have a lot of trouble accepting any sort of libertarianism that favors the rights of entities over the rights of individuals as anything other than authoritarianism.

  37. Moosebreath says:

    “Is there such a thing as a “liberty interest” vis a vis private individuals as opposed to the state?”

    I agree with Gromit. It’s a strange crop of libertarians we are growing.

  38. Tsar Nicholas II says:

    Even assuming this would be legal it would be a monumentally bad practice for employers to go down this road. I strongly would advise any employer client of mine not to do this. There is a huge law of unintended consequences problem. To wit:

    If you gain access to an applicant’s Facebook account, for example, it’s likely in doing so that you’ll obtain various info that flatly would be illegal to obtain during a job interview, e.g., religion, marital status, physical disabilities, etc. Then if you don’t hire that applicant you’re handing over to a plaintiff’s attorney on a silver platter a claim for discriminatory failure to hire under Title VII and state law counterparts. Here in California the state law counterpart is known as FEHA and it includes sexual orientation as a protected category, which in the context of Facebook investigations in many instances will be indicated. Wrongful failure to hire claims are difficult to defend and they cost a lot of money to defend. The cons greatly outweigh the theoretical pros.

    There are numerous long-established and legal means to vet job applicants: pre-employment drug screens, credit checks, criminal database checks, reference checks, etc.

    Asking for passwords to social media accounts inevitably will create a lot more problems than it’ll solve. The first rule of being a management-side labor and employment attorney is don’t cause your client to lose money. The second rule is don’t forget Rule No. 1.

  39. anjin-san says:

    I strongly would advise any employer client of mine not to do this

    Hmm. You recently claimed you are an oil company executive. Are you an attorney today?

  40. sam says:

    @Doug Mataconis:

    You are assuming that the Terms of Service actually constitute a binding contract. That’s not clear either.

    Would you like to be counsel for the party arguing that the TOS is not a binding contract?

  41. Is it just a year ago that people were arguing in these pages that net-(pseudo)anonymity was a pointless precaution?

  42. sam,

    Are you familiar with the concept of a contract of adhesion? Or, for that matter, the general principles of contract law?

  43. Jamie says:

    There’s so many issues with this. One big one is not just the person turning over their password, but all their friends that have their information set to “friends only”. Now that information is made available to this company doing the hiring.

    I have also read of places asking for all email accounts and passwords. This one really gets me. Once an employer has that then they can easily gain access to things like online banking. I can’t believe employers would even open themselves to this kind of liability.

  44. @Doug Mataconis:

    Contracts of adhesion are not automatically invalid. Are you arguing that Facebook’s expectation that you not start giving your account credentials to third parties qualifies as unconscionable?

  45. @Stormy Dragon:

    Moreover, does that work both ways? Is it unconscionable for my employer to expect that I not share my credentials to the corporate intranet with third parties?

    Clearly if I gave that information out, they’d be perfectly justified in firing me and possibly suing me if my decision resulted in damage to their business interests. Facebook has the right to exactly the same expectation.

  46. Franklin says:

    My first thought on this: I’m too valuable for an employer to risk not hiring over this. I’m good at what I do, and financially stable enough to tell any employer who asked for this to “shove it”. Well, then there’s the fact that I don’t even have a Facebook account.

    But I understand other people may not be in the same position, and to be honest, if they can ask for your Facebook password, what couldn’t they ask for? If you’re gonna defend this, you might as well defend the practice of requiring BJs from female applicants.

  47. jd says:

    What legal basis they would have for proceeding against the employer is unclear

    Suspending the employer’s FB account would likely get their attention.

  48. mattb says:

    @Trumwill:

    We should at least be clear on one thing, requesting the acceptance of a Friend Request and asking for a password are two different things.

    Exactly. Beyond “access”, a password is essentially handing over the foundation of online personhood. It’s not only the ability to *see* information, but the ability to change it, and to — for all intents and purposes — become the individual online.

  49. mattb says:

    @Trumwill:

    Should they be able to request your email password? And if not, what do you see the difference as being?

    I note that @Doug Mataconis: has not answered this rather pertinent question. And considering that research shows that Facebook messaging is increasingly being used for personal correspondence, this is a critical issue.

    Likewise, taking this to a logical extreme, why shouldn’t an employer be able to request all of your online passwords (email, cloud storage, etc)? For example, LinkedIn accounts should be pretty important as well — it’s good to know if your employees are looking for work or researching your competitors.

    And at what point should employers start to ask employees to give them access to their mail and a set of spare keys to their house?

  50. anjin-san says:

    I note that @Doug Mataconis: has not answered this rather pertinent question.

    I think he has made his position fairly clear. A job applicant should approach a prospective employer hat in hand, on bended knee…