Risk
3/23/2012
01:38 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Facebook's Privacy Two-Step On Passwords, Employers

Facebook says sharing your password with a potential employer violates its rules. But will Facebook enforce this rule, when it still doesn't confirm user ages?

Is anyone surprised that it has come to this? Employers have started asking prospective employees for their Facebook passwords so they can learn what job applications won't tell them.

Facebook finds it distressing to hear about this and warns that the practice "undermines the privacy expectations and the security of both the user and the user's friends" and "potentially exposes the employer who seeks this access to unanticipated legal liability."

The company is urging Facebook users to resist such requests--easier said than done when refusal could mean a job offer denied--because password sharing represents a security risk and because sharing or soliciting passwords violates the company's Statement of Rights and Responsibilities.

If Facebook actually enforces its rules and takes legal action against nosy employers, it will be something of a shock, considering all people under 13 who have active Facebook accounts are in violation of Facebook rules.

Some 36% of more than 1,000 parents surveyed by Microsoft Research senior researcher Danah Boyd said their children joined Facebook before turning 13. And some 78% of parents think it is acceptable for their child to violate Facebook's rules. I can corroborate that research: My 12-year-old daughter complains she's the only one in her class who isn't on Facebook.

[ Read Job Seekers Asked For Facebook Passwords: Debate Roars. ]

When Facebook users routinely flout Facebook's rules, is it any wonder employers don't take those rules very seriously?

Facebook says it takes privacy very seriously. But it doesn't take privacy seriously enough to really enforce its rules--it would cost a lot to verify users' ages and it would mean fewer users and less ad revenue.

Facebook doesn't take privacy seriously enough not collect data in the first place. It doesn't take privacy seriously enough to protect your data from Facebook: Its business model is predicated on data.

Privacy is when you have your data. When someone else has your data, you no longer have privacy. You've given your privacy away. If Facebook wanted you to have privacy, it wouldn't have taken it in the first place.

To re-purpose the trite tagline from Field of Dreams, if you gather personal data, they will come. It you store it, they will review it, demand it, or steal it.

Sen. Richard Blumenthal (D-Conn.) says he'll introduce a federal bill to make it illegal for employers to demand Facebook passwords from job applicants. He's obviously never applied for a job with the CIA--if you think scouring Facebook accounts is invasive, try having an intelligence agency interview your associates over the years. You can have all the privacy you want, until someone has reason to look behind the veil.

A law would be better than Facebook's widely ignored and sparingly enforced rules. But it would be addressing the symptom--curiosity--rather than the disease--sharing. No law will prevent people from compromising their futures by posting stupid or potentially embarrassing or socially damaging things online. The "post" button, like a diamond, is forever.

What we really need are repeated lessons to say nothing. Designating Facebook information as "private" won't actually guarantee it remains private.

While a handful of employers may have been clumsy enough to publicly declare their intent to pry, many more businesses and individuals are discreetly googling away and finding out all sorts of things about job applicants, prospective tenants, would-be clients and loan-seekers, potential dates and roommates, next-door neighbors, and next-desk colleagues. And they may not share what they've discovered about your sharing. They'll simply, silently deny you.

If you take your privacy very seriously, watch what you say online, because declarations from others about how seriously they take your privacy won't save you.

The Enterprise 2.0 Conference brings together industry thought leaders to explore the latest innovations in enterprise social software, analytics, and big data tools and technologies. Learn how your business can harness these tools to improve internal business processes and create operational efficiencies. It happens in Boston, June 18-21. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant