Six Good Reasons Not to Ask for Social Media Passwords

Thursday, April 05, 2012

Rebecca Herold


In case you’ve not paid attention to the news recently, there has been a barrage of stories (over 1500 turned up in a quick online search) about organizations asking job applicants and employees for their Facebook, Twitter, LinkedIn and other social networking passwords. 

It’s a hot topic, folks! I’ve listed a bunch of them at the end of this post.  Compelling password disclosure is a very bad idea for organizations, for many reasons.

Here are six that should be compelling to business management:

  • It may be illegal.  Depending upon where the business is located, and the associated country, state and local laws, there may be laws against requiring this type of information from job applicants and current employees.  It may also be against some industry laws and/or standards. If there are no such laws now, there could be very soon (e.g., there is proposed legislation in Illinois and Maryland that would forbid public agencies from asking for access to social networks).  Do you really want to face fines, sanctions and other penalties because of implementing a completely poorly thought-out practice?
  • It may violate the company’s own established policies.  Most businesses have their own employee privacy policies.  Some may indicate that they will not ask for such information about personal activities.  Or, the wording could put information such as social media passwords off limits.  Civil actions could ensue.
  • It can alienate employees.  As reported in dozens of the articles over the past week, many employees provide their passwords to their employers because they fear losing their jobs if they don’t.  This does not engender happy employees. It may even result in retaliatory actions.  Do business leaders really want their employees to work for them under this type of duress, possibly plotting how to peer into all the bosses’ personal activities?
  • It will almost surely result in bad PR.  Just look at the list below of the companies that have been outed as Facebook and Twitter password usurpers.  How could it damage your brand if you are known as the company that wants to snoop through its employees’ YouTube, LinkedIn and Facebook pages?  If your business depends upon consumer trust it could result in significant damage.
  • It is a clear invasion of privacy.  Would you ask for the keys to all your employees’ homes so you could enter at any time and see what they are doing within their home?  To see not only their activities, but also watch what they are doing online?  This is not much different. If you want to make sure employees have not done anything that could potentially damage the company, there are many other actions businesses can take that do not infringe so blatantly upon personal privacy.  This really is the most significant of all the reasons to not require passwords, simply from a business (and human) ethics perspective.

I could go on, but aren’t these enough to compel any smart and wise business leader to not even think about this despicable practice, or to discontinue it if they are currently doing it?

So, what should businesses with concerns about inappropriate online activity do?

Well, if you’re concerned about online activities of employees that could be impacting the business (and those are valid concerns), asking for everyone’s social network passwords is not the answer.  Neither is forcing them to log in to their accounts in front of you, and then commandeering their account and inspecting every nook and cranny of their digital world.  (Such action reminds me of the bully in grade school twisting another child’s arm until he cries, “Uncle!”)  C’mon business leaders!  Give yourself a whack on the side of your head and think!

Instead, you need to have an internal social media policy, and provide training for your employees about the policies, why you have them (from a business perspective), and associated enforcement activities.  No, you should NOT have one of the policies be that “Everyone must give us their social network passwords.”  Geesh!  Whack up the side of your head!  Instead you need to have policies that cover the following, and worded to fit your particular organization:

  • Workers should not post information, including any types of images or audio, about co-workers, customers, or business plans or other strategic or confidential business information on their social networking sites.
  • Workers should not provide advice or consulting help representing the business through their personal social network accounts.
  • The business may perform online social network searches, as it determines is appropriate, to determine if inappropriate business information has been posted and is publicly accessible.
  • Depending on the business, it may also be appropriate to ask employees to sign non-disparagement types of contracts for online activities.

These types of policies are necessary in organizations of all sizes, including small and midsize businesses in addition to large organizations.

It is appropriate and reasonable to have policies that address the appropriate use of business information and associated assets, and that relate to business activities.  It is not reasonable to ask employees to open their personal life for business management inspection.  This is the 21st century, after all.

Recent news of compelled provisioning of passwords

If business leaders are still not convinced, just read through a few of the recent (past couple of days) news stories about organizations asking job applicants and employees for their Facebook, Twitter, and other types of social networking passwords (just do a search, you can find over 1500 more):

Companies reported as requesting social network passwords

Here are a few of the organizations getting bad press for their requests for social network passwords:

  • Maryland Department of Public Safety and Correctional Services
  • Bozeman, Montana
  • McLean County, Illinois
  • Spotsylvania County, Virginia Sheriff’s Department
  • Sears

Most so far have been public and government organizations.  However, all types of businesses are considering it, which may someday come as a surprise to their employees.

Bottom line: Asking job applicants and personnel to provide their personal social network password is a very bad business decision.

Oh, and lest you forget, sharing passwords is a BAD SECURITY PRACTICE anyway! (Thanks for that reminder, Mike Dunham).

Cross-posted from Privacy Professor

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
