Hey Employers--My Facebook Password Is None of Your Business
Some employers are demanding that individuals surrender their Facebook credentials as a condition of being hired. The practice is simply ludicrous, so don’t be one of those employers.
Facebook itself has harshly condemned requiring access to users’ private Facebook accounts. The Facebook Statement of Rights and Responsibilities specifically forbids doing so: “You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.”
One of my PCWorld peers believes in the “if you don’t have anything to hide, you have nothing to fear” approach championed by Google’s Eric Schmidt. That’s crap. I’m not doing anything illicit or illegal in my home either, but there’s no way in hell I would give an employer a key to my house to prove it. It’s none of your business.
What would you hope to gain? Is the goal to dig into the employee’s personal life to identify behaviors that might reflect poorly on the company? Is it to monitor personal social media accounts to guard against leaking confidential data? No matter what the “reason”, demanding a Facebook password as a hiring requirement is insane.
Invasion of Privacy
Why would you ask an employee for the password to their personal Facebook account? It’s not any different than requiring an employee to surrender a key to his home or car, or tapping his personal phone line. You could do unannounced inspections where you just walk in to the employee’s house on the weekend to see what’s going on, and search around a bit to see if he's hiding anything.
Whether the goal is to ensure that your employees handle themselves with integrity and don’t partake in activities that would reflect poorly on the company, or to ensure that the employee is not stealing or leaking sensitive information, a key to the house would be just as legitimate of a request as the Facebook password. The Facebook password is a huge invasion of privacy, and one that probably comes with some legal liability for your company.
Breach of Security
Users are routinely told not to share their passwords. Ever. With anyone. It is a mantra that is brainwashed into people’s heads to help them avoid malware and phishing scams. Even within companies, employees should never share their personal passwords even with the IT department or Help Desk.
If you expect employees to have the integrity and discipline not to share their personal password to the company network, you shouldn’t force them to go against the practice of never sharing passwords by requiring the Facebook password. Sharing the Facebook password is a “gateway drug” that puts the security of your whole network at risk. Once you’ve established that it’s a standard practice for your company, your employees are more likely to fall for subsequent password requests.
Just One of Many
Why Facebook? Or--more specificially--why only Facebook? People have accounts on Facebook, Twitter, Google+, LinkedIn, Path, and others. They can call, chat, or video conference with Skype, or share location information on Foursquare. They can post pictures of confidential product plans on Pinterest.
If the goal is to monitor behavior to see who the employee is hanging out with, and what sorts of activities he engages in on his personal time, Facebook is just one of many, many potential outlets for that information. If an employee willingly surrenders his Facebook password to you, he could simply create an alternate Facebook profile where he shares the real dirt, or let the Facebook account stagnate while he resorts to other social media networks to share his personal life with those he actually wants to see it.
If the goal is to ensure that company data or sensitive information is not being leaked through social media, Facebook is just one vector. Granted, Facebook is the most popular and well-known, and it may be a good place to see if users are accidentally sharing information they shouldn’t be. But, if an employee is intentionally trying to extract data from the company, there are plenty of other options you won’t have access to with a Facebook password.
The practice is at least unethical, if not illegal. There is simply no valid reason for an employee to give you his or her Facebook credentials--or any other password for that matter.