If companies ask job applicants for their usernames and passwords to access their social networking sites, CIOs should put a stop to it. It's for the good of the job applicant and the company. It's also for the good of the CIO, and if that's not enough, it's what Shakespeare would have suggested.
The most recent brouhaha began last week when Associated Press published an article about job applicants being asked by human resources departments of companies and government agencies for their social networking usernames and passwords. For example, one statistician in New York was asked to turn over his log-in information so the interviewer could see his private profile. The statistician refused and withdrew his application, but other applicants sometimes hand over this data.
AP says that asking for usernames and passwords seems more prevalent by government agencies, such as for law enforcement jobs. The article also notes that the city of Bozeman, Montana had asked job applicants for log-in information for their email, personal Websites, and social networking sites. The city has since stopped asking for this information. In 2009, I wrote about this in Internet Evolution, a sister site to Enterprise Efficiency.
So the AP story isn't bringing up a new trend, but it's highlighting what might be an increasing one. With the poor job market, too many employers feel they have the right to ask job applicants for log-in data. Even if organizations aren't asking for usernames and passwords, they sometimes ask applicants to log into their personal sites on a company computer so company executives could see all the information, AP notes.
Facebook -- which certainly isn't a poster child for protecting user privacy -- issued a statement condemning organizations that asked for its log-in credentials. The company said, "This practice undermines the privacy expectations and the security of both the user and the user’s friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability."
Facebook says, "We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges." Facebook told the blog Ars Technica that it didn't have any immediate plans to sue employers who asked for log-in data.
However, I wouldn't be surprised if Facebook is talking to Senators Richard Blumenthal (D-Conn.) and Charles E. Schumer (D-NY). The senators sent a letter to the US Department of Justice and the US Equal Employment Opportunity Commission, asking them to investigate whether demanding log-in credentials violated any laws. The senators are drafting legislation to close any loopholes allowing employers to ask for such information.
An American Civil Liberties Union lawyer says asking for usernames and passwords is an invasion of privacy, and a Washington, D.C. area lawyer says it violates the First Amendment of the Constitution.
So from a legal standpoint, companies must be cognizant of possible ramifications. If a job applicant's private information influences a decision not to hire the person, under certain circumstances it could be considered discrimination. A woman who posts privately that she's pregnant and isn't hired might have a legal case against the company.
But even putting legal considerations aside, CIOs should demand their organizations not ask for log-in credentials. How often have IT managers railed against employees who left out their usernames passwords for anyone to see? How often have IT managers emphasized the importance of not sharing authentication credentials with anyone?
Should companies even trust a job applicant who would be willing to reveal log-in credentials? It's a security breach. An applicant could agree to log into a company's computer -- without the HR interviewer seeing the username and password -- to allow unrestricted viewing of personal Websites. But the computer could be capturing keystrokes.
CIOs should tell their human resources departments and even their CEOs that it's verboten to request a job applicant's log-in credentials. Asking for this information strikes at the pith and marrow of what IT departments should protect. As Polonius said in Shakespeare's Hamlet: "This above all, to thine own self be true..."