
Facebook: Legal action against employers asking for your password - Slimy
http://www.zdnet.com/blog/facebook/facebook-legal-action-against-employers-asking-for-your-password/10768
======
powrtoch
I have to say, I'm really impressed with Facebook for coming out and making
this _their issue_, instead of just waiting for the applicants and employers
to slowly work it out between themselves. In hindsight, it seems like an
obviously smart move (both to impress their userbase and to remove
disincentives to use Facebook), but somehow it didn't occur to me that they
might join in on the fight. Good for them.

~~~
benihana
The cynic in me says that facebook is doing this because the employers didn't
go through the proper channels (i.e. pay facebook for that kind of access) and
it's a message: If you want that kind of data, you have to pay for it.

I hope this isn't the case, but facebook doesn't really have a great record
when it comes to privacy.

~~~
jonnathanson
Your cynicism is somewhat warranted, but slightly misplaced.

Facebook is doing this because _not_ doing so would be really bad for
business: i.e., it would threaten the user experience of the site. People
would either quit Facebook, spend less time on it, severely tone down or alter
their usage of it, or create fake profiles for work. Any or all of those
things would be a big detriment to Facebook. So taking a stand on this issue
is both good for business _and_ good for PR.

------
jerf
On what grounds could Facebook sue an employer who asks for your Facebook
password? It isn't immediately obvious they have standing to sue the
employers. Based on what I assume is their terms of service page (closest
thing I could find) [1], it looks like they could sue the _employee_ for
giving away their password, but I don't immediately see any grounds for suing
the employer. There doesn't seem to be anything forbidding you from using
Facebook with somebody else's account at the moment (though look for this to
change any minute).

I'm suspecting this could be posturing to stem the short-term damage while
they try to get a law passed that gives them standing.

The best guess I could come up with is hitting the employer with some sort of
cyber-hacking law, but I wouldn't be comfortable or happy with that sort of
twisting of such a law.

[1]: <http://www.facebook.com/legal/terms>

~~~
nokcha
Facebook may sue under 18 USC § 1030(g)
(<http://www.law.cornell.edu/uscode/text/18/1030#g>) for unauthorized access
to its computer systems if the employer obtains an applicant's password and
then accesses the applicant's account using this password. It is unsettled
whether the applicant's permission alone would be a defense. In fact, it may be a
federal crime even if accessing the account was expressly authorized by a
state court; see
[http://volokh.com/2011/12/01/judge-orders-plaintiff-to-give-...](http://volokh.com/2011/12/01/judge-orders-plaintiff-to-give-defendant-her-facebook-password-so-defendant-can-access-plaintiffs-account-as-part-of-discovery/)

~~~
smsm42
If the password was voluntarily revealed because you want to be employed and
are ready to provide it as a condition of employment, I don't see how you can
call it "unauthorized access".

Volokh discusses something else - what if the user _does not_ allow the access
voluntarily but is forced by the court (which, unlike employer, is entitled to
use force to compel people to do things) to reveal the password. _Then_ it
would be like breaking into a house on a search warrant or forcing you to open
the safe (this was discussed some time ago here because of other court
decision that said - in TLDR version - that 5th amendment protects passwords).
But that's different situation.

~~~
tedunangst
Facebook decides what constitutes authorized access, not the user. Your right
to access the service is not transferable.

~~~
Maxious
Exactly. Imagine if you had a "Million dollars for the login credentials of
FBI/CIA/DOE employees!" program. Just because the employees want the million
dollars, does not mean the payer is authorised to access those systems.

~~~
smsm42
OK, I guess you have a point, if the information there is not sole property of
the password holder - especially as in the case of FBI, where FBI employee has
access not to his collection of lolcats pics but to something more important.
I guess one could argue on Facebook you can access other's information too, so
it still applies.

------
JGailor
Facebook played the Friend card in their press release, and did it really
well. If you are giving up your Facebook password, you're not just giving up
your information, you're also giving up your friends' information as well.

If any potential employer asks for your Facebook account information, just
inform them that your social network would not appreciate giving out their
information to a 3rd party, and you think it would be a violation of their
trust in you.

~~~
CGamesPlay
The reason that this sort of legal action is necessary is because the kind of
people who are being asked this aren't the kind of people who can walk into
any company in the valley and get another job. In those situations, the
employee doesn't have any cards to play.

~~~
JGailor
I understand your point completely, and I agree with you. It still doesn't
change the fact that when you give up your Facebook account information, you
are not just surrendering up your personal information, you are giving up the
personal information of everyone in your network that has chosen to share with
you. It's a breach of trust with that network.

------
DanI-S
I wish there were someone willing to stand up for us against employment-
related credit checks and drug testing, too.

As a European working in the US, I find it astounding that these utter
invasions of privacy are considered routine. I don't know whether they're
legally acceptable in Europe, but they don't seem to be morally acceptable to
most people.

~~~
quandrum
One thing to remember in the US is that health insurance companies drive a lot
of the drug testing. They offer it for free to employers, and in return get
the benefit of never having (suspected) addicts try to obtain employer based
coverage.

Obviously, this is not a relationship that exists in Europe.

~~~
DanI-S
That's fascinating, disturbing and something I had not considered.

------
DevX101
> “If you are a Facebook user, you should never have to share your password,
> _let anyone access your account_, or do anything that might jeopardize the
> security of your account or violate the privacy of your friends,”

What are the legal implications for facebook applications? Are there some
classes of applications that would be affected by this policy? Given enough
permissions, most facebook apps DO access your account and could potentially
violate the privacy of friends.

The facebook position above doesn't seem to be limited to employers, but much
broader based. I could imagine a shady employer saying 'All candidates must
install this (greedy permissions) app to submit an application'. What would be
facebook's position on that?

~~~
jiggy2011
Hmm, sounds like a great opportunity for a startup!

Facebook Careers: installing it allows you to job search, be headhunted and
fill in applications. Of course, it also provides recruiters a huge amount of
info about you.

~~~
freehunter
Like LinkedIn? Where the only information posted is exactly what you want
employers to see?

------
dminor
Clearly what we need is a dummy password that leads to a bland profile where
your "friends" all note how employable you are.

~~~
judofyr
Right, but then the employee will only ask for _both_ your passwords…

~~~
codesuela
Not if this is not the default. If they were to implement it they would do it
like TrueCrypt where you are able to choose between "normal" encryption and
creating a hidden volume which allows for plausible deniability (see
[https://en.wikipedia.org/wiki/Plausible_deniability#Use_in_c...](https://en.wikipedia.org/wiki/Plausible_deniability#Use_in_cryptography)).

------
bburns
Doesn't this fall into the realm of discriminatory interview questions to
begin with? I'm pretty sure a case could be made in a discriminatory hiring
suit without introducing new laws.

~~~
TomatoTomato
This was my first response.

A quick Google search yielded "30 Interview Questions You Can't Ask"

Of the 30, I think about 20 can be learned from someone's Facebook account.

------
balakk
What about employers intercepting SSL connections to spy on social
networking/external email usage on the corporate network? Is that against the
law too? Genuine question.

This is quite prevalent, and they make it very clear in the Acceptable Use
policies that all usage is monitored.

~~~
mvip
If your employer is doing that, it's probably a good time to start looking for
another job.

~~~
marshray
Some of those jobs pay really really well.

Plus, you have the option to not access anything you want to keep personal
from the office.

------
davidw
> “If you are a Facebook user, you should never have to share your password,
> let anyone access your account, or do anything that might jeopardize the
> security of your account or violate the privacy of your friends,”

Weren't they, at one time, one of those sites trying to get your Gmail
password/account so they could sniff out who your friends were?

~~~
DevX101
Yes. In fact, I'd argue that privacy invasion played one of the most important
roles in the rapid rise of Facebook and LinkedIn

~~~
drivebyacct2
Privacy invasion? It has always explicitly said "enter your gmail username and
password so we can import your contacts" or something equally obvious and
transparent.

~~~
DevX101
The privacy invasion is for the contacts who never consented to give Facebook
their information.

~~~
kiloaper
Same thing with Viber and other apps. Some of my friends use their services and
now they have my contact information and can build up a shadow profile on me.
I consented to none of that. While they may deny that's their intent it
doesn't change the fact they have all that data.

~~~
davidw
Also, it contributes to a culture of "sure, I'll give you my login
information".

------
duck
"You want my FB password? Sure, but please know that if anyone asks for my
company computer account password I will comply with that as well."

~~~
jiggy2011
only for a bar of chocolate!

------
lutorm
I fail to see how "my password is under an NDA" could not be a sufficient
response to this silliness. Are they _really_ making breach of contract a
necessary condition for employment?

~~~
marshray
If you're unemployed and need a job, the choice between defending Facebook's
NDA and putting food on the table is obvious. I doubt most people even realize
that somewhere in Facebook's ToS it says they mustn't disclose their password.

------
keithpeter
If anyone in the US is looking for models for privacy legislation, we have
some okish ones in Europe

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...](http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML)

Human readable version

<https://en.wikipedia.org/wiki/Data_Protection_Directive>

Have fun over there

------
brownbat
I think lawyers should just fight this with current anti-discrimination law.

Your Facebook profile potentially contains clues about your national origin,
religion, family status, and age (relevant if you're near 40).

Few employers are stupid enough to ask a woman if she's married in an
interview.* Looking at Facebook can be the same thing.

* Policy guidance for employers urges them to avoid these issues (for good reason): [http://web.uflib.ufl.edu/pers/develop/departmentalinterviewi...](http://web.uflib.ufl.edu/pers/develop/departmentalinterviewingguide3.htm) ; [http://www.businesslink.gov.uk/bdotg/action/detail?itemId=10...](http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1073792193&type=RESOURCES)

------
cletus
Good for Facebook for standing up against this sort of thing.

I have mixed feelings about the whole account access thing though.

On the one hand, I do think it's entirely unreasonable for your employer to
have your password. There are certain exceptions to this (eg anything
requiring Top Secret clearance?).

On the other hand, my personal view is nothing on the Internet is truly
private. If you want it to remain private, you shouldn't put it on the
Internet in any form, otherwise it's just a privacy policy change or a
security breach or a bug away from being exposed.

~~~
jiggy2011
This is true, however if you treat _everything_ on the Internet as public then
that removes many possible uses for it.

The internet is fast becoming the _only_ communication channel so not using it
for anything private will rapidly become impossible.

------
djb_hackernews
Who is actually asking for FB passwords? I doubt anyone actually is, and if
they are it's part of a scam involving the promise of employment to desperate
people.

~~~
jonknee
If what I've read is true, lots of places. A school teacher in my area just
got fired for making a student give access to his/her Facebook account which
the teacher used to punish students who had talked about the teacher.

I've read about police and city agencies requiring social networking passwords
to be given up. Same for departments of corrections. Here's a photo of a job
application for a clerical position at a police dept:
<http://i.imgur.com/hWsZT.jpg> (From this reddit thread:
[http://www.reddit.com/r/WTF/comments/mtenb/wife_came_across_...](http://www.reddit.com/r/WTF/comments/mtenb/wife_came_across_this_on_a_job_application/))

It's apparently quite common. The real kicker is when they also include a non-
disparagement agreement in the hiring process, so that they can easily fire
you for non-publicly posting about your job.

~~~
simonbrown
I have accounts on around 200 sites. Would I need to list every single one?

------
brownbat
I'm honestly a little disappointed in the ACLU on this issue. Facebook is doing
a good thing taking it on, but the ACLU is bringing this up on behalf of
Robert Collins. In the Robert Collins case,(1) the employer (the MD Dept of
Corrections) hoped Facebook would reveal "gang affiliations." Race based
discrimination alarm bells should be ringing! The best interests of your
client are to politely remind the MD DoC that Baltimore juries are especially
sensitive to discrimination issues and tend to be very skeptical of
enforcement/corrections management.(2) Collins should walk away with a blank
check under current law. ACLU is rolling the dice on some new "right to
privacy for things you publicly posted" instead. I think it's the wrong way
and wrong time for them to argue for that.

(1) [http://www.aclu.org/blog/technology-and-liberty/want-job-pas...](http://www.aclu.org/blog/technology-and-liberty/want-job-password-please)

(2) <http://www.guardian.co.uk/media/2008/sep/06/wire>

------
jmilloy
I'm wondering if, instead, an employer created a facebook app that asked for
maximum access, and asked their employees to authorize it. It might no longer
be unauthorized access/tortious interference.

I don't know the first thing about facebook app development. Seems like it
could be easy to write up. Is it easy for facebook to kill such apps? Am I
just making things up that don't make sense?

~~~
drbawb
I would think it would have to be "authorized access" according to the scope
of the FB ToS.

Which makes a fair bit of sense, because having an app do it _would_ go
through FBs own privacy control schemes.

So I guess we also have to make sure that employers can't require prospects to
install apps. :/?

------
jacquesm
Suggestion: if your employer asks you for your facebook credentials and you
have other options in terms of employment immediately hand in your
resignation.

Employers that have these sort of practices deserve nothing less than business
failure and I think that if enough key employees pack their bags that they
will sooner or later get the message. Make it plain what the reason for your
resignation is and if you can blog about it, I think that the spotlight of
public opinion should help ram home the message that this sort of behavior is
off-limits.

And that goes for any other service besides facebook as well, your private
affairs are your private affairs, and any employer that wants to stick their
nose in does not deserve your brain power.

------
jamesbritt
_Summary: Facebook wants to protect its users from employers demanding access
to their accounts. The company has clarified, however, that it currently has
no plans to sue such employers._

[http://www.zdnet.com/blog/facebook/facebook-no-plans-to-sue-...](http://www.zdnet.com/blog/facebook/facebook-no-plans-to-sue-employers-asking-for-your-password/10802?tag=mantle_skin;content)

<http://news.ycombinator.com/item?id=3749693>

------
soupysoupysoup
Am I wrong in thinking the only thing this does is protect Facebook's
financial interests? Don't they profit from the proper app and ad based mining
and selling of this information anyway? There are so many references to the
underground background checking methods employed by legal abuses of social
networking, wouldn't it take a huge chunk out of their business model to have
individuals simply show the information directly to employers, free of charge?

------
smsm42
I wonder what happened to good old not putting private stuff on facebook? It's
not like you have to use it.

And why this focus on facebook? Is password to gmail or mint.com or
yahoogroups different? It looks like Facebook using lawmaking system as a PR
move. That's definitely a new and creative development - using the Congress as
an advertisement medium - but I don't think it's a welcome one.

~~~
freehunter
_I wonder what happened to good old not putting private stuff on facebook?_

Facebook is built around private stuff. The expectation is that the only
people who will see it are the people who should be seeing it.

 _And why this focus on facebook?_

Because employers are not asking for other passwords as often as Facebook
passwords, and Facebook has a lot more relevant information. Asking for Mint
logins would be a blatant violation of PCI laws.

~~~
smsm42
I don't think Facebook is built around private stuff, I think Facebook is
built around sharing. I also recall Facebook managers stated many times that
they see concept of privacy to be obsolete and harmful. Yes, of course,
Facebook has privacy settings, since that vision is not yet accepted by most
people, but the goal of it is sharing, not hiding (unlike webmail, for
example) - the information on Facebook is by design supposed to be shared with
other people. Of course, the set of these people can be different, but I think
the easiest way to avoid publicizing private information is not publishing it
on the site that is built for sharing and has always promoted sharing.

------
rmc
I'd have always thought that if you were to give out your password, you'd
never be (legally) allowed to access your facebook account again (since you'd
be in breach of the terms of service). And also that the potential employer
would not legally be allowed to access it, since they'd be accessing a
computer system, by pretending to be someone else.

~~~
tjoff
I'd have always thought that the terms of service (that I haven't signed
(checking a check box doesn't count)) couldn't just make something, that
wasn't already, illegal.

If I don't behave to their liking they could of course cancel my account but
that's pretty much it.

~~~
TomatoTomato
Computer Fraud and Abuse Act of 1986 has been stretched such that federal
prosecutors have won convictions based on the theory that violating a
website’s ‘terms of service’ is a crime under this law. However, eventually it
was deemed that this may be too broad a standard, but no clear decision has
been made.

~~~
ErrantX
Someone suggested to me earlier that it might be possible to call it
unauthorised access, which is a crime under that act.

However as you would voluntarily give up the key that becomes complicated; a
court would have to decide that you were given no choice (give up the
password, or give up the job).

~~~
Duff
The question then becomes, are you an accessory to a federal crime by enabling
someone to gain unauthorized access to a computer system?

~~~
ErrantX
No; in much the same way as if the Russian Mafia held you at gun point to hand
over the password :)

------
AsylumWarden
That is why I have a dummy facebook account. Seriously, when I give someone
else access to my account they can then also peer into the lives of my family
and friends many of whom only post with security settings that share only with
Friends or just Family. I've then given away their right to privacy as well.
Uggg....

------
stef25
Idea: Facebook could add an alternate password feature that, if entered only
shows content you can manage in your privacy settings. So just like you could
hide an album from certain friends, you could hide other content (from
yourself) if your alt password is entered. Kind of like plausible deniability
in TrueCrypt.

------
linuxhansl
Honestly, who hands out his/her Facebook password to an employer?!

This is like handing out private photo albums or access to the private email
account. Any employer demanding this from me can happily continue to be an
employer without me as employee (not that I have anything in my FB account
anyway, but it's a matter of principle).

------
oleganza
By taking this legal action Facebook tries to protect itself in the long run.
Imagine if it becomes more common to hand out your account to HR. Quick
enough, people will avoid connecting with each other on that platform and move
to a competing platform where nobody is watching them.

------
kposehn
I figure I'll ask potential employees of mine if they've ever given their
password out instead. If they say yes, I'll say "...why?"

The answer might be much more illuminating than anything an employer would
ever learn from looking at the Facebook account itself.

------
parvinsingh
Well, you don't need pwd to piggyback into a user's account. Since the
userID/pwd validation is theirs, they can bypass the validation if they want
based on some prefix or suffix in the userID field.

------
laconian
I like this trend of the big Internet companies taking proactive steps to
right the wrongs that are happening in their space. If only more companies had
backbones.

------
EricDeb
Has anyone's employer actually asked for this? I would be extremely offended
if a company asked for my FB password

------
tomp
I support Facebook's stance on this, but I'm also quite surprised!

What happened to their "Share everything with everyone!" policy?

~~~
ErrantX
They changed it ages ago to "Share everything _you want_ with everyone!"

Honestly. I think FB have had a bad rap over the privacy thing - a long time
ago they were very bad. But so were a lot of people, they were just bigger.

Since then (which would have been about 2010, I guess) they've been fairly on
the ball with security issues... and though some people disagree with the
direction they went, they have built in an awful lot of privacy control.

------
codezero
Couldn't an employer just make applicants apply via a Facebook app and get all
the info they want legitimately?

------
shreeshga
Employers want passwords of FB and not LinkedIn accounts? That's cruel on
LinkedIn.

------
TomatoTomato
You have nothing to fear if you have nothing to hide.

</sarcasm>

------
pentae
Pot, meet kettle.

------
rdl
This is a very reasonable action for Facebook to take to protect its brand and
product.

I'm definitely against random employers asking for a fb password (or rather,
access...there should be a way to give them read only access without the
password, in any case). Just getting the username (to see what is posted
publicly) is more defensible, as is getting deeper access for a security
clearance (my credit report is basically boring; interviewing my friends is
more useful, but I have literally never spoken to any of my neighbors more
than twice each, and never at any length; this is probably not that uncommon).
My Facebook account would be a good way to easily get that information.

~~~
click170
How would giving them read-only access be significantly better than the
current situation of them demanding read-write access? They aren't asking so
they can pretend to be you, they're asking so they can snoop on what you've
posted that isn't public.

~~~
rdl
Because they don't _need_ write access. It's a basic principle of security to
only give people the access they need -- it keeps them honest, and protects
you if they're dishonest or incompetent (or both).

What they should get is actually a snapshot, attested to by Facebook, of the
configuration of the facebook account (data export/data dump) from a time
chosen before you applied for the clearance, assuming Facebook could
reconstruct that. That way I can't remove my anarchist/communist party
friends; they could ask for a snapshot randomly selected in a 0-7 or 0-10 year
interval beforehand.

I actually trust Facebook security (and my personal password management and
computing environment) to be secure against accidental disclosure MORE than I
trust OPM or the OPM contractors who do clearance investigations, and
certainly more than the shitty credit check plus type investigators most
private firms, state/local agencies use. So, giving long-lived access to my
facebook profile (or password) would be a bigger cost than just giving them
the data. (There have been several cases of laptops without full disk
encryption going missing...) Incidentally, it might be interesting to note
that most security clearance investigations are actually processed almost
entirely by contractors working for the government, not by GS employees, since
sometime in the 1990s.

I still don't believe in asking for or giving out FB profile info (beyond
"make sure your public facebook profile is professional", for a public-facing
role; that seems pretty reasonable to me, although what you have in your
friends-locked area is up to you), but if you're going to do it, do it right.

~~~
nknight
They don't need read access, either. This is about an invasion of privacy, not
technical capabilities.

~~~
rdl
There are already cases where people consent to credit and background checks
(fairly thorough; talking to neighbors, friends, etc. at length, for 7-10
years). These are voluntary checks for high level security clearances with the
government.

I don't think it's unreasonable to include online social networking profiles
in that.

Similarly, a court order should be able to get all the data from a profile,
but not to allow the government to masquerade as you by logging in and
actively communicating with others.

This has all been debated during the "key escrow" debate period; even the
government wasn't able to make an argument for signing key escrow, only
encryption key escrow. It's the same issue with a profile.

(I am generally against key escrow, but eliminating some classes of keys from
the debate off the bat was a useful strategy then; it would be more useful
now.)

~~~
nknight
> _There are already cases where people consent to credit and background
> checks (fairly thorough; talking to neighbors, friends, etc. at length, for
> 7-10 years). These are voluntary checks for high level security clearances
> with the government._

The SSBI is not significantly more thorough than has become common for many
private employees, and doesn't find, attempt to find, or care about a great
deal of the personal information that may be found in a Facebook profile.

> _Similarly, a court order should be able to get all the data from a profile,
> but not to allow the government to masquerade as you by logging in and
> actively communicating with others._

Facebook has been providing information in response to court orders for years,
but does not provide the ability to masquerade as the user.

