Risk
3/23/2012
01:38 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook's Privacy Two-Step On Passwords, Employers

Facebook says sharing your password with a potential employer violates its rules. But will Facebook enforce this rule, when it still doesn't confirm user ages?

Is anyone surprised that it has come to this? Employers have started asking prospective employees for their Facebook passwords so they can learn what job applications won't tell them.

Facebook finds it distressing to hear about this and warns that the practice "undermines the privacy expectations and the security of both the user and the user's friends" and "potentially exposes the employer who seeks this access to unanticipated legal liability."

The company is urging Facebook users to resist such requests--easier said than done when refusal could mean a job offer denied--because password sharing represents a security risk and because sharing or soliciting passwords violates the company's Statement of Rights and Responsibilities.

If Facebook actually enforces its rules and takes legal action against nosy employers, it will be something of a shock, considering all people under 13 who have active Facebook accounts are in violation of Facebook rules.

Some 36% of more than 1,000 parents surveyed by Microsoft Research senior researcher Danah Boyd said their children joined Facebook before turning 13. And some 78% of parents think it is acceptable for their child to violate Facebook's rules. I can corroborate that research: My 12-year-old daughter complains she's the only one in her class who isn't on Facebook.

[ Read Job Seekers Asked For Facebook Passwords: Debate Roars. ]

When Facebook users routinely flout Facebook's rules, is it any wonder employers don't take those rules very seriously?

Facebook says it takes privacy very seriously. But it doesn't take privacy seriously enough to really enforce its rules--it would cost a lot to verify users' ages and it would mean fewer users and less ad revenue.

Facebook doesn't take privacy seriously enough not collect data in the first place. It doesn't take privacy seriously enough to protect your data from Facebook: Its business model is predicated on data.

Privacy is when you have your data. When someone else has your data, you no longer have privacy. You've given your privacy away. If Facebook wanted you to have privacy, it wouldn't have taken it in the first place.

To re-purpose the trite tagline from Field of Dreams, if you gather personal data, they will come. It you store it, they will review it, demand it, or steal it.

Sen. Richard Blumenthal (D-Conn.) says he'll introduce a federal bill to make it illegal for employers to demand Facebook passwords from job applicants. He's obviously never applied for a job with the CIA--if you think scouring Facebook accounts is invasive, try having an intelligence agency interview your associates over the years. You can have all the privacy you want, until someone has reason to look behind the veil.

A law would be better than Facebook's widely ignored and sparingly enforced rules. But it would be addressing the symptom--curiosity--rather than the disease--sharing. No law will prevent people from compromising their futures by posting stupid or potentially embarrassing or socially damaging things online. The "post" button, like a diamond, is forever.

What we really need are repeated lessons to say nothing. Designating Facebook information as "private" won't actually guarantee it remains private.

While a handful of employers may have been clumsy enough to publicly declare their intent to pry, many more businesses and individuals are discreetly googling away and finding out all sorts of things about job applicants, prospective tenants, would-be clients and loan-seekers, potential dates and roommates, next-door neighbors, and next-desk colleagues. And they may not share what they've discovered about your sharing. They'll simply, silently deny you.

If you take your privacy very seriously, watch what you say online, because declarations from others about how seriously they take your privacy won't save you.

The Enterprise 2.0 Conference brings together industry thought leaders to explore the latest innovations in enterprise social software, analytics, and big data tools and technologies. Learn how your business can harness these tools to improve internal business processes and create operational efficiencies. It happens in Boston, June 18-21. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.