• PC World
• »Software
• »Browsers & Add-Ons

Job seekers who go to online sites seeking employment run a considerable risk of having their confidential information improperly sold, shared, or used for profiling purposes.

That is the finding of a year-long study into the privacy practices of online job sites, released yesterday by The World Privacy Forum, a newly formed nonprofit organization that focuses on privacy rights.

The study of more than 70 online job sites, employment kiosks, resume databases, and resume distribution services uncovered several issues of concern to job seekers, including the sharing and sale of their personal data and the undisclosed tracking and profiling of users, according to researcher Pam Dixon.

"We really need a whole new way of talking with job seekers about how they can look for jobs and not get [their personal information] tracked, diced, and sliced in multiple ways," Dixon says.

Problems Cited

Among the privacy problems identified in the survey were the following:

• There appeared to be little effort to restrict the collection of data at online job sites. Sites routinely asked job seekers to provide a substantial personal information, sometimes including Social Security number and date of birth, before they could submit applications.
• There were no consistent policies governing the collection and use of ethnic and racial information.
• The use of third-party persistent cookies has increased. A job seeker's confidential data frequently changed hands, going to third parties and advertisers.
• Even when they gave consent, job seekers may not have realized the extent to which job sites used their data because these sites have become very sophisticated about finding legal ways to share job-seeker data.</

The rapid proliferation of employment application kiosks inside malls and retail stores presents another problem from a privacy standpoint, Dixon says. Few have any privacy policies that explain how Social Security numbers, birth dates, and other pieces of personal information will be used or stored.

Mixed Policies

For instance, Portland Oregon-based Unicru, one of the largest operators of such kiosks, didn't post privacy policies at any of its kiosks before, during, or after personal information was collected, Dixon says. Unicru's list of clients includes CVS, Universal Studios, and Blockbuster.

A Unicru spokesperson says that the company's practices meet legal guidelines.

"Unicru fully meets all federal guidelines with regard to hiring for each of its customers. While there are no current rules or regulations requiring a privacy statement on a job application, Unicru does recommend to its customers, as a best practice, that they have such a policy," she says. Unicru processes on average one job application every second.

In some cases, job sites used information that it collected for one purpose to serve other purposes. FastWeb.com, a major scholarship search service owned by Monster, for instance, collected ethnic, nationality, and religious information from students, which it then shared with potential employers looking to fill positions based on diversity.

A spokesperson from FastWeb says that in all instances where the site passes such information on to a prospective employer, it does so only with the full consent of the students involved.

"We have looked into this in depth. We ensure that we are compliant with every issue in question," the spokesperson says.

Aggregators Scrutinized

The privacy policies of companies that maintain personnel databases used for employee recruitment are also suspect, Dixon says.

Eliyon Technologies of Cambridge, Massachusetts, for example, has compiled a database of more than 16 million names from more than 1 million companies. The database contains detailed profiles of individuals that Eliyon sells to client companies, including 25 Fortune 100 firms.

But Eliyon doesn't have a formal privacy policy, doesn't offer an opt-out policy, and doesn't give individuals a chance to correct the information in the database, Dixon says. In at least one case during the study, personal information--including the names of children--was included in an individual profile.

Eliyon CEO Jonathan Stern dismisses concerns about the security of the personal information it stores, saying that the database consists entirely of publicly available information gathered in Google-like fashion from multiple Internet sources. All the company does is search the Web for public mentions and records pertaining to an individual, he says. In fact, some records that are publicly available, such as legal records, aren't included in the individual profiles, he adds.

Despite such concerns, the news isn't all bad, according to Dixon.

Since the most recent previous survey, which was conducted in 2001, several things have improved, Dixon says. Most job sites now post privacy policies and have a fairly good process for responding to privacy-related queries. In addition, fewer sites require users to register prior to providing access to job advertisements, and more sites allow anonymous access to job listings.