In case you’ve not paid attention to the news recently, there has been a barrage of stories (over 1500 turned up in a quick online search) about organizations asking job applicants and employees for their Facebook, Twitter, LinkedIn and other social networking passwords.
It’s a hot topic folks! I’ve listed a bunch of them at the end of this post. Compelled password disclosure is a very bad idea for organizations to do for many reasons.
Here are six that should be compelling to business management:
- It may be illegal. Depending upon the geographic locations for where the business is located, and the associated country, state and local laws, there may be laws against requiring this type of information from job applicants and current employees. It may also be against some industry laws and/or standards. If there are not laws now, there could be very soon (e.g., there is proposed legislation in Illinois and Maryland that would forbid public agencies from asking for access to social networks). Do you really want to face fines, sanctions and other penalties because of implementing a completely poorly thought-out?
- It may violate the company’s own established policies. Most businesses have their own employee privacy policies. Some may indicate that they will not ask for such information about personal activities. Or, the wording could put information such as social media passwords off limits. Civil actions could ensue.
- It *IS* violating the terms of service for social networking sites. Don’t laugh. Even though the social networks themselves seem to commonly violate their own terms of service (and they have many legal cases they are currently embroiled in as a result) you are likely asking your employees to violate a legally binding contract by asking for their password. For example, the Facebook Registration and Account Security requirement #8 states, “You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.” Facebook even announced today they would consider taking legal action against companies for requiring passwords to be shared with them.
- It can alienate employees. As reported in dozens of the articles over the past week, many employees provide their passwords to their employers because they fear losing their jobs if they don’t. This does not engender happy employees. It may even result in retaliatory actions. Do business leaders really want their employees to work for them under this type of duress, possibly plotting how to peer into all the bosses’ personal activities?
- It will almost surely result in bad PR. Just look at the list below of the companies that have been outed as Facebook and Twitter password usurpers. How could it damage your brand if you are known as the company that wants to snoop through their employees’ YouTube, LinkedIn and Facebook pages? If your business depends upon consumer trust it could result in significant damage.
- It is a clear invasion of privacy. Would you ask for the keys to all your employees’ homes so you could enter at any time and see what they are doing within their home? To see not only their activities, but also watch what they are doing online? This is not much different. If you want to make sure employees have not done anything that could potentially damage the company, there are many other actions businesses can take that do not infringe so blatantly upon personal privacy. This really is the most significant of all the reasons to not require passwords, simply from a business (and human) ethics perspective.
I could go on, but aren’t these enough to compel any smart and wise business leader to not think about, or discontinue if they are currently doing this despicable practice?
So, what should businesses with concerns about inappropriate online activity do?
Well, if you’re concerned about online activities of employees that could be impacting the business (and those are valid concerns) asking for everyone’s social network passwords is not the answer. Neither is forcing them to login to their accounts in front of you, and then commandeering their account and inspecting very nook and cranny of their digital world. (Such action reminds me of the bully in grade school twisting another child’s arm until he cries, “Uncle!”) C’mon business leaders! Give yourself a whack on the side of your head and think!
Instead, you need to have an internal social media policy, and provide training for your employees about the policies, why you have them (from a business perspective), and associated enforcement activities. No, you should NOT have one of the policies be that “Everyone must give us their social network passwords.” Geesh! Whack up the side of your head! Instead you need to have policies that cover the following, and worded to fit your particular organization:
- Workers should not post information, including any types of images or audio, about co-workers, customers, or business plans or other strategic or confidential business information on their social networking sites.
- Workers should not provide advice or consulting help representing the business through their personal social network accounts.
- The business may perform online social network searches, as it determines is appropriate, to determine if inappropriate business information has been posted and is publicly accessible.
- Depending on the business, it may also be appropriate to ask employees to sign non-disparagement types of contracts for online activities.
These types policies are necessary in organizations of all sizes, including small and midsize businesses in addition to large organizations.
It is appropriate and reasonable to have policies that address the appropriate use of business information and associated assets, and that relate to business activities. It is not reasonable to ask employees to open their personal life for business management inspection. This is the 21st century, after all.
Recent news of compelled provisioning of passwords
If business leaders are still not convinced, just read through a few of the recent (past couple of days) news stories about organizations asking job applicants and employees for their Facebook, Twitter, and other types of social networking passwords (just do a search, you can find over 1500 more):
- Resume, Cover Letter And Your Facebook Password?
- Job seekers getting asked for Facebook passwords
- Job Seekers Asked For Facebook Passwords: Debate Roars
- Facebook: Your password or your job?
- The uncomfortable interview question: What’s your Facebook password? (Employers Demanding Facebook Passwords Aren’t Making Any Friends)
- Forking over a Facebook password to an employer?
- ACLU: Facebook password isn’t your boss’ business
- NJ Lawmaker Wants To Keep Employers From Demanding Jobseekers’ Facebook Passwords
- Employers Want Facebook Passwords
Companies reported as requesting social network passwords
Here are a few of the organizations getting bad press for their requests for social network passwords:
- Maryland Department of Public Safety and Correctional Services
- Bozeman, Montana
- McLean County, Illinois
- Spotsylvania County, Virginia Sheriff’s Department
Most so far have been public and government organizations. However, all types of businesses are considering it, which may someday come as a surprise to their employees.
Bottom line: Asking job applicants and personnel to provide their personal social network password is a very bad business decision.
Oh, and lest you forget, sharing passwords is a BAD SECURITY PRACTICE any way! (Thanks for that reminder, Mike Dunham).
Cross-posted from Privacy Professor