10/1/2012
09:58 AM

California Passes Tough Social Media Privacy Laws

Employers and colleges in the state now forbidden from demanding social media logins and related material from applicants.

California jobseekers with a penchant for the semi-scandalous can breathe a sigh of relief--sanitized Facebook accounts are no longer a prerequisite to employment. Thanks to two bills signed into law Thursday, businesses and schools throughout the Golden State are now prohibited from demanding that applicants share social media credentials and related private content.

In a gesture that fit the occasion, Governor Jerry Brown used a number of social media platforms to announce that he'd signed the legislation. The bills--AB-1844, which bars employers from demanding social media-related material, and SB-1349, which defines a similar policy for colleges and prospective students--were authored by state representatives in the tech-rich Bay Area and will go into effect January 1.

The vetting of social media content first drew national attention in February 2011, when a Maryland corrections officer revealed that he'd been required to provide his Facebook user name and password as part of a recertification process. The practice proved incendiary; opposing parties included purveyors of legal but off-color online antics, job applicants put off by the invasive request, the ACLU, and--in a move that raised eyebrows due to the company's sometimes nebulous privacy policies--Facebook itself.

Despite debates, the use of social networks for hiring purposes has been fairly widespread. A CareerBuilder survey found that around two-fifths of polled employers were using social networking tools to screen candidates as of last spring. This figure was down 18% relative to a 2009 version of the same study, suggesting the tactic might be losing favor. An additional 11% of the 2012 respondents reported plans to incorporate social media into hiring policies, however, so such conclusions are speculative. A Eurocom Worldwide study released around the same time drew comparable conclusions.

Whatever the rate of adoption, the policies have impacted hiring decisions. The Eurocom study found that around 20% of executives had chosen not to hire someone based on his or her social media profile. CareerBuilder, meanwhile, found that 12% of the companies that screen social networks do so expressly to look for undesirable behavior. This figure might undersell the real impact, as many respondents reported using social networks for goals so broad as to include virtually anything--such as assessing whether a candidate is "well-rounded."

Though rejected applicants attract headlines, hiring processes that include social media checks have actually helped some people find work; CareerBuilder found, for example, that 29% of the companies that check online profiles have found reasons to hire someone while doing so. A study in the Journal of Applied Psychology, meanwhile, somewhat validated the vetting technique, concluding that assessments drawn from social media screenings correlate with actual workplace performance. The researchers argued that more research is necessary, however.

Washington, D.C.-based attorney Bradley Shear served as an adviser to the California bills' respective authors and has frequently analyzed the use of social media monitoring in his blog. In an interview, he said difficulties with social media predate the employer-driven controversies. Universities, he stated, had already been using reputation monitoring services such as UDiligence and Varsity Monitor to keep tabs on high-profile student athletes. He characterized the practice as "very troubling" and potentially in violation of some laws, but countered that it took broader privacy concerns and Constitutional objections to foment public debate.

Indeed, California state Sen. Leland Yee, author of SB-1349, cited such broad concerns as an impetus for new legislation in a May interview with KQED Public Radio, declaring that even if social networks contain information in which employers might have legitimate interest, they also contain information that businesses are legally forbidden from collecting, such as religious affiliation and sexual orientation.

Shear described the monitoring of student athletes as emblematic of why California's new laws benefit not only privacy advocates but also businesses and institutions. "With access comes responsibility," he asserted, explaining that if an individual whose profile is being watched commits a crime, the monitors could be criminally liable if they're found to have overlooked or neglected warning signs expressed in social media. Others have similarly questioned whether employers might be vulnerable to lawsuits from rejected applicants who allege discrimination.

Shear also stated that economic dangers are implicit when hiring managers include social media in the application process. To combat perceived privacy intrusions and maximize appeal to employers, many candidates create false, anodyne accounts that skew social networks' respective user figures. This trend, he said, distorts advertising data, negatively impacting the bottom line of not only the social networking services but also the companies that rely on them for marketing strategies. Other jobseekers who simply opt to stop using social media, he said, only exacerbate this phenomenon.

The new laws are "common sense from both privacy and litigation perspectives," Shear asserted, because "they shield [businesses] against potential litigants." He said AB-1844 and SB-1349 are ultimately "pro-privacy, pro-business, and pro-technology" because they strike a proper balance among all parties' individual concerns.

Maryland and Illinois have adopted similar laws that extend only to employees, and Delaware passed legislation that applies only to students' social media accounts. When California's new restrictions become enforceable in 2013, the state will boast the most comprehensive set of regulations.

This status might be fleeting, however; several more states are considering laws of their own, and SNOPA, a federal-level version, is currently working its way through Congress.

Comments
Deb Donston-Miller,
User Rank: Apprentice
10/3/2012 | 11:36:24 PM
re: California Passes Tough Social Media Privacy Laws
I think it is good that laws are being passed preventing employers from asking for (or demanding) the keys to job candidates' social kingdoms, but many companies are looking at how candidates present themselves online--what kind of social "equity" they have built up in terms of friends/followers/followees/content developed/content shared. Of course, this kind of information isn't relevant for all jobs--maybe not even most--but I think it's relevant for an increasing number of positions.

Deb Donston-Miller
Contributing Editor, The BrainYard