Risk
3/23/2012
01:38 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook's Privacy Two-Step On Passwords, Employers

Facebook says sharing your password with a potential employer violates its rules. But will Facebook enforce this rule, when it still doesn't confirm user ages?

Is anyone surprised that it has come to this? Employers have started asking prospective employees for their Facebook passwords so they can learn what job applications won't tell them.

Facebook finds it distressing to hear about this and warns that the practice "undermines the privacy expectations and the security of both the user and the user's friends" and "potentially exposes the employer who seeks this access to unanticipated legal liability."

The company is urging Facebook users to resist such requests--easier said than done when refusal could mean a job offer denied--because password sharing represents a security risk and because sharing or soliciting passwords violates the company's Statement of Rights and Responsibilities.

If Facebook actually enforces its rules and takes legal action against nosy employers, it will be something of a shock, considering all people under 13 who have active Facebook accounts are in violation of Facebook rules.

Some 36% of more than 1,000 parents surveyed by Microsoft Research senior researcher Danah Boyd said their children joined Facebook before turning 13. And some 78% of parents think it is acceptable for their child to violate Facebook's rules. I can corroborate that research: My 12-year-old daughter complains she's the only one in her class who isn't on Facebook.

[ Read Job Seekers Asked For Facebook Passwords: Debate Roars. ]

When Facebook users routinely flout Facebook's rules, is it any wonder employers don't take those rules very seriously?

Facebook says it takes privacy very seriously. But it doesn't take privacy seriously enough to really enforce its rules--it would cost a lot to verify users' ages and it would mean fewer users and less ad revenue.

Facebook doesn't take privacy seriously enough not collect data in the first place. It doesn't take privacy seriously enough to protect your data from Facebook: Its business model is predicated on data.

Privacy is when you have your data. When someone else has your data, you no longer have privacy. You've given your privacy away. If Facebook wanted you to have privacy, it wouldn't have taken it in the first place.

To re-purpose the trite tagline from Field of Dreams, if you gather personal data, they will come. It you store it, they will review it, demand it, or steal it.

Sen. Richard Blumenthal (D-Conn.) says he'll introduce a federal bill to make it illegal for employers to demand Facebook passwords from job applicants. He's obviously never applied for a job with the CIA--if you think scouring Facebook accounts is invasive, try having an intelligence agency interview your associates over the years. You can have all the privacy you want, until someone has reason to look behind the veil.

A law would be better than Facebook's widely ignored and sparingly enforced rules. But it would be addressing the symptom--curiosity--rather than the disease--sharing. No law will prevent people from compromising their futures by posting stupid or potentially embarrassing or socially damaging things online. The "post" button, like a diamond, is forever.

What we really need are repeated lessons to say nothing. Designating Facebook information as "private" won't actually guarantee it remains private.

While a handful of employers may have been clumsy enough to publicly declare their intent to pry, many more businesses and individuals are discreetly googling away and finding out all sorts of things about job applicants, prospective tenants, would-be clients and loan-seekers, potential dates and roommates, next-door neighbors, and next-desk colleagues. And they may not share what they've discovered about your sharing. They'll simply, silently deny you.

If you take your privacy very seriously, watch what you say online, because declarations from others about how seriously they take your privacy won't save you.

The Enterprise 2.0 Conference brings together industry thought leaders to explore the latest innovations in enterprise social software, analytics, and big data tools and technologies. Learn how your business can harness these tools to improve internal business processes and create operational efficiencies. It happens in Boston, June 18-21. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.