Facebook boasts more than 900 million active users, all storing their personal photos, information and messages on the site. Friends are made, lost and communicated with all around the world. But how would you feel if your pictures, acquaintance circles and comments were used to judge you in a job interview?
Increasingly, US employers are requesting Facebook login information from prospective and current employees – a practice that has caused a backlash among privacy advocates. Political figures and rights groups are adamant that a person’s digital footprint should be protected. Others believe the practice raises the possibility of employee discrimination and issues surrounding online security.
Facebook initially spoke out against the practice at the end of March 2012, saying it had received "a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information".
The company has made it clear that it does not support any requests for accessing another person’s personal information, and indeed doing so is a direct violation of Facebook’s Statement of Rights and Responsibilities. It also said it was willing to take legal action against any threats that put user security at risk.
"Facebook takes your privacy seriously," says Erin Egan, the firm’s chief privacy officer. "We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges."
Egan pointed out, however, that employers should be aware of unforeseen issues.
"It also may cause problems for the employers that they are not anticipating," she says. "For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age etc.), that employer may open themselves up to claims of discrimination if they don’t hire that person."
Politicians in the US have already taken a stance against the practice. Democratic Senators Richard Blumenthal and Charles Schumer requested the US Equal Employment Opportunity Commission (EEOC) and the US Department of Justice (DOJ) begin an investigation into whether it is a violation of federal law.
"Employers have no right to ask job applicants for their house keys or to read their diaries – why should they be able to ask them for their Facebook passwords and gain unwarranted access to a trove of private information about what we like, what messages we send to people or who we are friends with?" Schumer says.
He believes that each individual should be able to determine what type of information about them is available: "In an age where more and more of our personal information – and our private social interactions – are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public, and protect personal information from their would-be employers.
"This is especially important during the job-seeking process, when all the power is on one side of the fence."
Democratic Congressman Ed Perlmutter, who has introduced a proposal to the Federal Communications Commission Reform act that would give Facebook the right to regulate the issue, raises another potential security risk.
"Employers essentially can act as impostors and assume the identity of an employee and continually access, monitor and even manipulate an employee’s personal social activities and opinions. That’s simply a step too far," he says.
Security fears
Bimal Parmar, marketing VP for security firm Faronics, says the practice is a clear violation of privacy and can have detrimental effects on staff online security.
"Not only is this an undeniable invasion of privacy, but by attempting to find out every personal detail – which is rarely relevant to an ability to do the job anyway – employers are jeopardising both the security of the employee and the firm itself. This comes down to the fact that individuals and companies are unaware of the specific security threats their personal information can pose," says Parmar.
He believes that individuals are already too willing to give out personal information, and this behaviour will only be encouraged by employers expecting access to employee social media profiles.
"In depressed economic climates and tight job markets, companies feel they can get away with this sort of intrusion, as opposed to taking the time to properly assess and profile the right candidate, which is what they are paid to do," says Parmar.
"A recent survey we undertook revealed that nearly a third of individuals are already willing to divulge a password, bank account number or mother’s maiden name to strangers, which is only going to be encouraged if an individual thinks a potential job depends on it.
"Everything a company needs to know about a potential employee should be on their LinkedIn page."
Carole Theriault, a senior security consultant at Sophos, says the practice puts users at high risk for having rogue applications or their account security settings being unknowingly altered.
"With another person having the ability to access your account, your account’s security settings could be changed or rogue applications could be downloaded," she says.
Much of the focus has been on how applicants are affected, but the security of every ‘friend’ or social connection on the site is also compromised.
"It puts all of your Facebook contacts at risk, as your employer will be available to access their profiles. And that is not what they agreed to by connecting with you on the site," says Theriault. "I even go as far as to think it should be illegal for employers or potential employers to request Facebook credentials."
In a recent Naked Security poll, a whopping 91% agreed.
UK laws are unclear
Sarah Veale, head of equality and employment rights for the UK’s Trade Union Congress (TUC), believes we may soon see similar behaviour from employers in the UK. "If interviewers in the US are adopting this practice of asking prospective staff for access to their Facebook accounts, they will start doing it over here," says Veale.
However, the extent of the practice would not be certain, as UK employment laws are different to those of the US, Veale explains.
"Existing UK law is different from that in the US regarding data protection, human rights and contractual law, so it is not clear to what extent the UK would follow the US in the absence of specific legislation on media privacy."
Potentially, such behaviour could put employers in breach of the UK’s Data Protection Act, as it could be seen as demanding ‘excessive’ information about an individual.
The EU is also looking at revising its ageing Data Protection Directive (1995). It produced a draft European Data Protection Regulation earlier in the year, which would take into account modern media such as social networks. It has been looking mostly at rights that protect the individual, such as the right to be forgotten and the right to transfer your social media information to rival networks.
It is unclear how much these measures would incorporate issues such as employer intrusion, but historically the European Court of Human Rights has given such laws a very broad interpretation in its jurisprudence, rather than US laws’ more ad hoc application.
Kathryn Wynn, a senior associate at law firm Pinsent Masons, says: "The UK is unlikely to follow the US on employment or privacy matters because the UK laws are largely based on EU laws.
"Unlike in the US there is a fundamental right to privacy, and so there is no need for specific legislation making it illegal for companies to demand access to employee logins on social media sites, as it is unlikely that this would ever be compliant under existing privacy laws."
Yet other legal experts believe that asking applicants for their social media logins does not infringe upon their privacy, and are happy to argue that anything posted in a ‘public’ forum, such as Facebook, is fair game.
"The practice of asking candidates for their Facebook login would not in itself breach or violate an employee’s or applicant’s right to privacy. It is open for them both to refuse to give the information," says Vanessa Hogan, senior associate at law firm Hogan Lovells.
"Equally, to the extent that information about the employee or candidate is available on a publicly accessible site, either’s right to privacy won’t be infringed."
While there are no test cases or examples to work from yet in the UK, US politicians are proposing a new bill, called the Social Networking Online Protection Act (SNOPA), which would make it illegal for employers to ask job candidates or current employees for Facebook passwords and usernames. Educational institutions would also be banned from asking students for login information.
Whether the bill will be successful is unclear. Social media law is a fairly new area and the legal system has never moved as quickly as the internet. However, it is clear that employers need to look at their social media policies and define the line between appropriate, and inappropriate, uses of social media.
"Organisations are well advised to implement social media policies highlighting the blurred boundary between professional and personal use of social media and that use of social media in a way that is detrimental to the organisation could result in disciplinary action," says Wynn.
However, creating social media policies does not give a company the right to access employee accounts.
"It is, of course, important to have well-drafted social media policies and internet usage policies," says Hogan. "That said, having such policies does not give employers free reign over employees’ private information – online or otherwise."
Until a clear legal framework is in place concerning social media data and its privacy implications, it will continue to keep politicians, legal experts and rights activists busy.