Monthly Archives: March 2012

Employers Asking for Facebook Passwords

In Protecting Your Passwords and Your Privacy (March 23, 2012), Facebook reports a rise in “employers asking prospective or actual employees to reveal their passwords.” Facebook’s good advice: Don’t do it, whether you’re an employee or an employer.

It’s a bad idea in so many ways, in addition to the obvious intrusion into your privacy:

  • You’d violate the terms of your Facebook account. Facebook’s Statement of Rights and Responsibilities says “You will not share your password” and you will not “let anyone else access your account.” I question the overall ethics of an organization that asks you to violate agreements.
  • It violates the privacy of your friends, too. Friends who thought they were sharing just with you or a limited group would be in for a surprise. And then what if your friend turns out to be someone the employer knows?
  • Virtually every set of privacy/security guidelines available tells you not to share your password. Keeping your passwords to yourself is a widely recognized best practice.
  • Using someone else’s password is identity theft. You’re not just getting access to their info. You are that person, for online purposes. Anything you do with their account will look like that person did it. What if you (as the employer) accidentally delete something on someone’s Facebook account? Or post something when you forgot to log out of someone else’s identity?
  • It’s like asking illegal interview questions. As an example, take a look at Steer clear of these 10 illegal job interview questions. Every one of the 10 questions listed there – like family status and plans, religion, and age – is the kind of thing you could find out if you logged in on someone else’s Facebook account.
  • You can become a suspect. Twenty or so years ago, before Facebook of course, we had a team that used a shared ID and password instead of individual IDs. At first, they resisted the idea of moving to individual IDs. (Even that long ago, sharing passwords was recognized as a bad practice, so we stamped it out where we found it.) They didn’t want to hear about best practices or other noble purposes that interfered with their perceived convenience. What finally won them over? “What if something goes wrong, and we find out that account did it? If you use that account, you become a suspect.” That got their attention. They couldn’t get individual accounts fast enough. Bring that forward to Facebook. If an employer has access to the Facebook ID of someone who’s up to no good, the employer becomes a suspect. A malicious Facebook user only has to say, “It wasn’t me, but Company X uses my account too; they did it.”

For my part, I’ve never encountered an employer who dared to ask employees and candidates for their passwords to Facebook or anything else. I’m alarmed that Facebook is reporting an increase.

I don’t have particular heartburn over an employer seeing what you’ve posted publicly. You did, after all, make it public on the Internet, so there’s no expectation of privacy there. An employer who wants to see what you didn’t make public, and who wants not only to see it, but also to use your online identity, is an altogether different matter.



Filed under Uncategorized

When you’ve got bad news to deliver

Seven Rules to Remember When a Crisis Strikes offers good guidance for organizations in the news, but the guidance also jibes[1] with my own experiences in IT and on the board of directors of a member organization. When you’ve got bad or controversial news to share with your public, be up front about it, now, and address the situation from your audience’s perspective. In the long run, your target audience will think more highly of you if you’re frank, timely, and realistic about bad news. Even if your news won’t trouble most of your audience, you can still lose their confidence if they think you botched your communications to the angry few.

The “Seven Rules” would have been useful in some recent PR fiascos, like the continuing sagas of Susan G. Komen for the Cure and Rush Limbaugh’s comments on Sandra Fluke. Komen and Limbaugh have both lost a lot of support because they didn’t respond to the controversy in a good and timely manner.

In IT and in member organizations, my news has never been on that scale, with nationwide or broader coverage in news media and social media. But even when your public is smaller, sometimes the news will stir their passions and suspicions. You need to tell people what’s going on, as frankly as you can, with an understanding of how this affects them. Got a service outage? Just say so, even if you don’t know the whole story yet. Something sooner is better than everything later.

Did you just make a controversial decision? Say so, and say why, and show that you understand what it means to people. Start the conversation. Don’t wait until the angry mob is at your door with torches and pitchforks.

You aren’t sure it’s time to announce? If you’re wondering, it’s time. If in doubt, send it out.

If the news is something you saw coming because you created it, shame on you if you didn’t plan ahead for the likely PR backlash. I get the impression that Komen disregarded all seven rules when they announced their Planned Parenthood funding decision.

If the news smacked you unexpectedly, like the 2010 BP oil spill, shame on you if you didn’t have a boilerplate communications plan in hand for unscheduled challenges.

The Seven Rules to Remember When a Crisis Strikes are really just good common sense, but only if you take the long view. A natural reaction is to take the short view and try to avoid the initial unpleasantness, but that approach doesn’t pay off in the long run. In the long run, your audience will trust you more if you’re up front with them when you need to be.


[1] Footnote for usage fans: The word in this case is “jibes,” not “jives.” I often hear people use “jive” when “jibe” would have been the correct word.


Filed under Communications