In Protecting Your Passwords and Your Privacy (March 23, 2012), Facebook reports a rise in “employers asking prospective or actual employees to reveal their passwords.” Facebook’s good advice: Don’t do it, whether you’re an employee or an employer.
It’s a bad idea in so many ways, in addition to the obvious intrusion into your privacy:
- You’d violate the terms of your Facebook account. Facebook’s Statements of Rights and Responsibilities says “You will not share your password” and you will not “let anyone else access your account.” I question the overall ethics of an organization that asks you to violate agreements.
- It violates the privacy of your friends, too. Friends who thought they were sharing just with you or a limited group would be in for a surprise. And then what if your friend turns out to be someone the employer knows?
- Virtually every set of privacy/security guidelines available tells you not to share your password. Keeping your passwords to yourself is a widely recognized best practice.
- Using someone else’s password is identity theft. You’re not just getting access to their info. You are that person, for online purposes. Anything you do with their account will look like that person did it. What if you (as the employer) accidentally delete something on someone’s Facebook account? or post something when you forgot to log out of someone else’s identity?
- It’s like asking illegal interview questions. As an example, take a look at Steer clear of these 10 illegal job interview questions. Every one of the 10 questions listed there – like family status and plans, religion, and age – is the kind of thing you could find out if you logged in on someone else’s Facebook account.
- You can become a suspect. Twenty or so years ago, before Facebook of course, we had a team that used a shared ID and password instead of individual IDs. At first, they resisted the idea of moving to individual IDs. (Even that long ago, sharing passwords was recognized as a bad practice, so we stamped it out where we found it.) They didn’t want to hear about best practices or other noble purposes that interfered with their perceived convenience. What finally won them over? “What if something goes wrong, and we find out that account did it? If you use that account, you become a suspect.” That got their attention. They couldn’t get individual accounts fast enough. Bring that forward to Facebook. If an employer has access to the Facebook ID of someone who’s up to no good, the employer becomes a suspect. A malicious Facebook user only has to say, “It wasn’t me, but Company X uses my account too; they did it.”
For my part, I’ve never encountered an employer who dared to ask employees and candidates for their passwords to Facebook or anything else. I’m alarmed that Facebook is reporting an increase.
I don’t have particular heartburn over an employer seeing what you’ve posted publicly. You did, after all, make it public on the Internet, so there’s no expectation of privacy there. An employer who wants to see what you didn’t make public, and who wants not only to see it, but also to use your online identity, is an altogether different matter.