Attention CEOs and HR Managers: Facebook login credentials belonging to current or prospective employees are not something that any employer should request, use, or possess. Why? Setting aside the violation of security and privacy principles, the risks far outweigh any benefit you imagine you could gain by logging into a social media account that does not belong to you, even if you have persuaded the account owner to give their consent.
The practice of asking current or future employees for their Facebook credentials is not only a serious risk for employers, it is one of the most unpleasant HR stories that I’ve encountered since the time a lab technician with scissors created two bald patches on the back of my head to test me for illegal drugs at the request of a prospective employer.
In fact, an employer’s desire to test prospective employees for illegal drug use makes a lot more sense to me than an employer seeking to impersonate someone online and invade their privacy. Such impersonation opens you up to serious liability, both corporate and individual. The fact that you managed to get the consent of the Facebook account holder to log into their account does not mitigate the risks. I think a lot of privacy experts, myself included, would argue that consent given in such an asymmetric context, where an organization offering much needed employment requires consent from an individual who needs a job, does not meet the definition of consent envisioned in the Fair Information Practice Principle of Choice and Consent. (For a detailed breakdown of Generally Accepted Privacy Principles see the AICPA website.)
Of course, Facebook itself is rightly outraged and concerned about employers asking for Facebook logins. While this blog has never hesitated to call out Facebook over privacy concerns, we wholeheartedly commend Facebook’s vigorous defense of users’ privacy against employer encroachment. And the strong stance that Facebook is taking is no less commendable because it contains an element of self-defense (user engagement on Facebook would likely plummet if handing over one’s Facebook credentials became as much a part of the job screening process as handing over your Social Security number for a credit check is today).
Let us set aside, for a moment, the concerns of Facebook and its users and consider some scenarios that point up the risks companies face if they do get hold of someone’s Facebook credentials. How about the job applicant whom your company decides not to hire even though she did agree to share her Facebook login with you? Since you have no way to force this person to change their password, you could be on the hook for bad things that are done with that account.
Maybe the account is used to harass people or commit other unpleasant acts of social media mayhem. When the authorities come calling, it would be possible for the account owner to point the finger at you and your company (remember, this is someone who may not be happy that they did not get the job). How are you going to prove that it was the account owner, and not you, who did those things with the account?
And what if the credentials that she shared with you, her email address and password, are valid on other systems, like her email account? She could claim you sent email in her name. I’m not a lawyer but I’ve spent a lot of time studying illegal activity involving computers and I think you can see there are many ways things can go badly when you persuade someone to share with you the keys to a private online space. But you not only open up a Pandora’s box of liability, you also create a very bad precedent if you do hire the person.
Many companies have an information security policy that says “Never share your company network account login credentials with anyone else and never log into the company network with someone else’s credentials.” Imagine how your information security folks are going to teach that policy to people whom your HR department recently badgered into sharing credentials so they could log into a system as someone else. “Please Sir, could you go into more detail on why it is such a bad idea to share account credentials?”
The fact is, there are some categories of information you do not want to have in your possession. Someone else’s account credentials are one such category. I’ve even heard this cited as a reason to avoid some forms of network monitoring in the workplace. If your network monitoring software is collecting personal account credentials and those credentials are sitting in your logs, they could be considered a liability, not to mention a temptation to a less than ethical employee.
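As an added illustration of the point about monitoring logs (example code written for this page, not ESET’s or the author’s): a scrubber that redacts credential-bearing fields in captured HTTP request lines before they are retained, and counts how many lines held one. The log lines, field names and header format are constructed for the example and assume a simple proxy-style capture.

```python
"""Scrub account credentials out of captured network-monitoring logs before retention."""
import re

# Parameter names that commonly carry a secret in form posts or query strings (assumed set).
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "token", "secret"}

# key=value pairs in URL-encoded bodies / query strings, e.g. "pass=hunter2&..."
_PAIR_RE = re.compile(r"(?i)\b([a-z0-9_\-\[\]]+)=([^&\s\"]*)")
# HTTP Basic auth carries base64(user:password), which is as good as cleartext.
_BASIC_RE = re.compile(r"(?i)(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+")


def redact_line(line: str) -> tuple[str, bool]:
    """Return (scrubbed_line, found); found is True if a credential was removed."""
    found = False

    def _sub(m: re.Match) -> str:
        nonlocal found
        key, value = m.group(1), m.group(2)
        if key.lower() in SENSITIVE_KEYS and value:
            found = True
            return f"{key}=[REDACTED]"
        return m.group(0)  # non-sensitive field: keep as captured

    out = _PAIR_RE.sub(_sub, line)
    out, n_basic = _BASIC_RE.subn(r"\1[REDACTED]", out)
    return out, found or n_basic > 0


def scrub_log(lines):
    """Scrub every line; return (scrubbed_lines, number_of_lines_that_held_credentials)."""
    scrubbed, hits = [], 0
    for line in lines:
        out, found = redact_line(line)
        scrubbed.append(out)
        hits += int(found)
    return scrubbed, hits


# Constructed sample lines in the style of an HTTP proxy capture (not from any real capture).
SAMPLE_LOG = [
    'POST /login.php body="email=jane%40example.com&pass=hunter2&persistent=1"',
    "GET /api/status?token=abc123def HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /private/ HTTP/1.1 Authorization: Basic amFuZTpodW50ZXIy",
]

if __name__ == "__main__":
    cleaned, n = scrub_log(SAMPLE_LOG)
    print(f"{n} line(s) held credentials")
    print("\n".join(cleaned))
```

Running the scrubber at ingest, rather than on stored logs, is what keeps the credentials from ever becoming something you possess.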
Fortunately, the practice of asking employees, current or prospective, for their Facebook credentials, is likely to hit legal obstacles now that Facebook is talking tough on the issue and lawmakers are starting to weigh in (the latter may be fearful that if the trend is not checked now, the media or the electorate will eventually badger them to divulge their social media credentials). CEOs and HR Managers have been warned: Employee and candidate Facebook logins are toxic.
Author: Stephen Cobb, ESET