Facebook logins toxic for employers, violate security and privacy principles

Attention CEOs and HR Managers: Facebook login credentials belonging to current or prospective employees are not something that any employer should request, use, or posses. Why? Apart from the violation of security and privacy principles? The risks far outweigh any benefit you imagine you could gain by logging into a social media account that does not belong to you, even if you have persuaded the account owner to give their consent.

Facebook loginThe practice of asking current or future employees for their Facebook credentials is not only a serious risk for employers, it is one of the most unpleasant HR stories that I’ve encountered since the time a lab technician with scissors created two bald patches on the back of my head to test me for illegal drugs at the request of a prospective employer.

In fact, an employer’s desire to test prospective employees for illegal drug use makes a lot more sense to me than an employer seeking to impersonate someone online and invade their privacy. Such impersonation opens you up to serious liability, both corporate and individual. The fact that you managed to get the consent of the Facebook account holder to log into their account does not mitigate the risks. I think a lot of privacy experts, myself included, would argue that consent given in such an asymmetric context, where an organization offering much needed employment requires consent from an individual who needs a job, does not meet the definition of consent envisioned in the Fair Information Practice Principle of Choice and Consent. (For a detailed breakdown of Generally Accepted Privacy Principles see the AICPA website.)

Of course, Facebook itself is rightly outraged and concerned about employers asking for Facebook logins. While this blog has never hesitated to call out Facebook over privacy concerns, we wholeheartedly commend Facebook’s vigorous defense of users’ privacy against employer encroachment. And the strong stance that Facebook is taking is no less commendable because it contains an element of self-defense (user engagement on Facebook would likely plummet if handing over one’s Facebook credentials became as much a part of the job screening process as handing over your Social Security number for a credit check is today).

How Facebook logins can hurt companies

Let us set aside, for a moment, the concerns of Facebook and its users and consider some scenarios that point up the risks companies face if they do get hold of someone’s Facebook credentials. How about the job applicant that your company decides not to hire even though she did agree to share her Facebook login with you? Since you have no way to force this person to change their password you could be on the hook for bad things that are done with that account.

Maybe the account is used to harass people or commit other unpleasant acts of social media mayhem. When the authorities come calling it would be possible for the account owner to point the finger at you and your company (remember this is someone who may not be happy that they did not get the job). How are you going to prove that it was the account owner and not you that did those things with the account?

And what if the credentials that she shared with you, her email address and password, are valid on other systems, like her email account? She could claim you sent email in her name. I’m not a lawyer but I’ve spent a lot of time studying illegal activity involving computers and I think you can see there are many ways things can go badly when you persuade someone to share with you the keys to a private online space. But you not only open up a Pandora’s box of liability, you also create a very bad precedent if you do hire the person.

Thou shalt not share credentials

Many companies have an information security policy that says “Never share your company network account login credentials with anyone else and never log into the company network with someone else’s credentials.” Imagine how your information security folks are going to teach that policy to people whom your HR department recently badgered into sharing credentials so they could log into a system as someone else. “Please Sir, could you go into more detail on why it is such a bad idea to share account credentials.”

The fact is, there are some categories of information you do not want to have in your possession. Someone else’s account credentials is one such category. I’ve even heard this cited as a reason to avoid some forms of network monitoring in the workplace. If your network monitoring software is collecting personal account credentials and those credentials are sitting in your logs, they could be considered a liability, not to mention a temptation to a less than ethical employee.

Fortunately, the practice of asking employees, current or prospective, for their Facebook credentials, is likely to hit legal obstacles now that Facebook is talking tough on the issue and lawmakers are starting to weigh in (the latter may be fearful that if the trend is not checked now, the media or the electorate will eventually badger them to divulge their social media credentials). CEOs and HR Managers have been warned: Employee and candidate Facebook logins are toxic.

Author Stephen Cobb, ESET

  • Allan Lee

    And also… HR departments had better be ready for a slew of law suits from unsuccessful candidates claiming they didn't get the job because the were illegally discriminated against because of private information about them on Facebook – religious affiliation, sexual orientation, marital state, health or disabilities etc, etc, etc.  good article

  • Stephen Cobb

    Great point Allan. Looks like there will be some serious scrutiny this week as lawmakers have asked the Justice Department to investigate whether employers who require job applicants to hand over confidential passwords to Facebook and other social networking sites are violating federal law: http://www.businessweek.com/news/2012-03-25/lawmakers-call-for-investigation-of-facebook-password-requests

  • biggestbrother

    Facebook is for fools.
    Why have a facebook account? If you have 10 real friends you can send them pictures as an attachment. The rest is celebrity wannabee naive narcissim. That same data can and will be onsold to health insurance companies checking for unhealthy partying or practices, auto insurers, past future and present employers, governments, FBI, CIA, North Korea, China, terrorist groups, (maybe 3rd hand but it will get there via an "advertiser") etc etc etc. To have a real socila login not a pseudonym will soon mark you historically as one of the great morons who bought into this. The smart people dont have a real login on a social network. We move silently, anonymously and with the ability to be different things to different people.

    • David Harley

      I don’t agree with your dismissal of anyone who sees it differently to you as “fools”. I don’t feel the need personally to be totally pseudonymous or anonymous wherever I am online, and frankly mistrust anyone who does. But trust is the whole point: it’s OK for people to buy into the social media thing as long as they make an informed decision as to when and how to say no to having their information acquired and shared. If they don’t understand that, though, it’s not simple indiviudal stupidity. It’s a social problem, with providers, customers, legislators and educators unable to grasp the full implications of a culture based on undiscriminating sharing. Where you and I do think along the same lines, I think, is in thinking that too many people are more trusting online than they would be in offline contexts: most people wouldn’t trust someone who came up to them in the street and said “I want to be your friend: give me your address and DoB…”

  • Jay Foley

    Steven you so nicely put into words what the dangers are for requesting a persons Facebook login information. There are so many reasons that a bad idea, gets picked up and used before someone wakes up to fact that it, is a bad idea.

  • d’lauri bailon

    thanks for the little x-tra push to cancel my account again. i to feel if they are your friends yhey will call and e-mail you oe use the phone. thanks for putting my brains back in place.

  • Honor

    Would the same privacy laws apply if a Teacher harrassed a pupil into giving them the 14 year olds Password and facebook account details.?

Follow us

Copyright © 2017 ESET, All Rights Reserved.