Don’t Manage Employee Online Activities By Requiring Their IDs & Passwords!

I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking type of site they participate in…

Bozeman City job requirement raises privacy concerns
Absolutely crazy.
I can understand their concern about hiring someone who may be doing unsavory things online, but asking all applicants, or current personnel, to provide such information is a blatant and concerning invasion of privacy, not to mention a very bad security practice. There are many other ways to deal with what is considered as unacceptable employee activities.
Here are some excerpts from the report:

“Applying for a job with the City of Bozeman? You may be asked to provide more personal information than you expected.
That was the case for one person who applied for employment with the City. The anonymous viewer emailed the news station recently to express concern with a component of the city’s background check policy, which states that to be considered for a job applicants must provide log-in information and passwords for social network sites in which they participate.
The requirement is included on a waiver statement applicants must sign, giving the City permission to conduct an investigation into the person’s “background, references, character, past employment, education, credit history, criminal or police records.”
“Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo,, MySpace, etc.,” the City form states. There are then three lines where applicants can list the Web sites, their user names and log-in information and their passwords.”

Doing background checks are understandable, and for many positions of responsibility and authorization, a sound due diligence practice.
However, asking anyone to share their user IDs and passwords is not only a huge privacy problem, it is also a violation of standard and internationally-accepted information security practices to never share IDs and passwords with anyone. No sharing of work IDs/passwords, and no sharing of personal IDs/passwords. No sharing. Period.
Asking for IDs/passwords SHOULD NOT and CANNOT be considered as a valid background check type of activity.
Most, and possibly all, of the social networking sites for which the city of Bozeman is demanding to have IDs and passwords have terms of use agreements that state members must not share IDs/passwords in order to protect their own personal information. So, Bozeman is now forcing unknown numbers of people to break these agreements in addition to breaking basic, long-accepted information security precautions.

“Another concern the applicant raised was that by providing the City with a Facebook user name and password the City not only has access to the applicant’s page but also to the pages belonging to all of the applicant’s Facebook “friends.””

A very good point.
Also consider that the insider threat is one of the most insidious and hard to defend against. Giving who-knows-how-many people within the Bozeman government access to all applicants’ IDs/passwords…and note here that many to most of these applicants will not be hired by the ciy…is not only a huge privacy breach waiting to happen; it’s like an invitation to not only a large number of different breaches, but also unlimited and ongoing civil suits related to the bad things that will likely happen that the city of Bozeman has now put itself into a position of being a valid reason for those bad things happening as a result of having all those IDs and passwords.
Asking for IDs and passwords of job applicants so the hiring city can look through all the applicants’ online accounts…it still blows my mind that a city, and the city’s lawyer, would actually approve of such a bone-headed activity! Even if the applicants signed waivers, I can’t imagine that the waivers would absolve the city in court if and when bad things happen to any of those applicants’ accounts. And if any of those sites that prohibited ID/password sharing decided to act upon the violations.
It’s almost as bad as employers asking job applicants for the keys to the applicants’ homes and cars so they can go through them and peek in every nook and corner to see if there is anything around that they disapprove of. Ewwww.
To address the risks of employees doing things online that could negatively impact an organization, the organization needs to:

  1. Have policies in place that clearly list the unacceptable online activities, as applicable for the organization, such as:
  2. a) Personnel must not post client, co-worker or business information or PII on social networking sites or through other Web 2.0 technologies
    b) Personnel must not post the organization’s logo, trademark, etc. on social networking sites or through other Web 2.0 technologies
    c) Etc.

  3. If there is mission critical information that may possibly be leaked, establish documented procedures, performed by job roles with these responsibilities within their job descriptions, to monitor the Internet for such information.
  4. Establish safeguards and controls to keep sensitive information from leaving the organization’s network, and to catch when such attempts are made.
  5. Provide regular training and ongoing awareness communications about the threats, vulnerabilities, and resulting risks of using Web 2.0 technologies and sites, and the reasons why personnel need to be concerned and take precautions, not only to protect the business, but also to protect themselves, families and friends.

It will be very interesting to see how long this egregious invasion of privacy and demonstrably bad security activity continues at the City of Bozeman. I wonder, will any changes in their current practices make the news?

Tags: , , , , , , , , , ,

Leave a Reply