The Daily Parker

Politics, Weather, Photography, and the Dog

Disclosing Facebook passwords

Raganwald yesterday posted a facetious resignation outlining the dangers to employers of asking prospective employees to disclose social media information:

I have been interviewing senior hires for the crucial tech lead position on the Fizz Buzz team, and while several walked out in a huff when I asked them to let me look at their Facebook, one young lady smiled and said I could help myself. She logged into her Facebook as I requested, and as I followed the COO’s instructions to scan her timeline and friends list looking for evidence of moral turpitude, I became aware she was writing something on her iPad.

“Taking notes?” I asked politely.

“No,” she smiled, “Emailing a human rights lawyer I know.” To say that the tension in the room could be cut with a knife would be understatement of the highest order. “Oh?” I asked. I waited, and as I am an expert in out-waiting people, she eventually cracked and explained herself.

“If you are surfing my Facebook, you could reasonably be expected to discover that I am a Lesbian. Since discrimination against me on this basis is illegal in Ontario, I am just preparing myself for the possibility that you might refuse to hire me and instead hire someone who is a heterosexual but less qualified in any way. Likewise, if you do hire me, I might need to have your employment contracts disclosed to ensure you aren’t paying me less than any male and/or heterosexual colleagues with equivalent responsibilities and experience.”

Three things:

  • He's right on the main point. Looking through employees' Facebook pages uninvited is tricky enough. Determining whether or not to hire someone based on a Facebook page is closer to the line. Forcing the disclosure crosses the line, surveys the land, plants a flag, and invites the natives to kill you in your sleep.
  • Disclosing a password to anyone for any reason is, almost always, a bad idea. Authentication is half of security (the other is authorization, which depends on you being who you say you are). The corollary to authentication is deniability. If you lose control over your Facebook password, you expose yourself to identity theft. To emphasize this point, in our office we routinely prank developers who leave their keyboards unlocked when they leave the room. Walking away at a client site could let clients see other clients' materials, for starters, but it also could allow someone to send email or make Facebook posts in your name.
  • I am proud to report that Illinois is right now passing a law to prohibit this practice. It will probably be signed later this month.
Comments are closed