Monday, March 26, 2012

That doesn't mean your employer can use your Facebook password

As a Libertarian, I of course believe that employers are free to ask for your Facebook password, and that you are free to refuse. This also could be because I'm a conceited jerk who believes that any employer would be lucky to hire me, so I believe I have the upper hand in the power struggle.

But completely separate from that, giving your employer your Facebook password does not give them the right to use the password. In fact, using the password to logon could be considered a crime, such as "computer fraud and abuse" or "identity theft".

Facebook's current legal terms say this:
You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

That means you are in violation of those terms if you give your password to your prospective employer. But, hypothetically, Facebook could add to their terms:

A account may be accessed only by its owner, by logging in you agree that you are the person who owns the account.

This makes it clear that logging into somebody else's account is identity theft, which means employers can be prosecuted under existing fraud and abuse laws. Facebook could just monitor multiple logins from a single location of unrelated accounts, and then send the police to go arrest the employer.

Of course, employers can respond by insisting that users log onto their own accounts during the interview process, but this is still an improvement. Presumably if one employer rejects you because those drunken nude party photos, you could remove them before the next job interview.


Anonymous said...

Unfortunately, I think adding such a second term is unlikely as it's not in their (Facebook's) best interest. Case-in-point: A friend of mine's wife has been updating his Facebook page for the past year while he undergoes cancer treatment. We all appreciate the updates, and we would not view it favorably if Facebook suddenly banned such a thing.

Nick42 said...

IANAL, but I'm not sure that using someone's password to login to a system with their permission would be criminal.

The Lori Drew case showed that violating the TOS of a website doesn't mean you've violated the CFAA, which prohibits unauthorized access. So I don't think Facebook could get someone persecuted for violating a TOS stating that only one person can use the account.

Are there any cases where someone has been successfully prosecuted for using another person's login credentials with permission? If so, are there any where there wasn't an employment relationship between the person being prosecuted and the owner of the computer? The courts often use the agency theory to govern the use of an employer's computer in which case access is unauthorized if the use goes against the employer's interests, but I don't think that model is used outside of employment relationships.

Also, in at least one of the stories the employer doing this was a law enforcement agency. Law enforcment officers are explicitly exempted from the CFAA.

Anonymous said...

Another way of looking at this - if one were to give away personal confidential information, i.e. the FB login, what else would the candidate do?

It's an appropriate question to ask, and the right answer is to say "no" - it shows mindfulness as far as being security oriented.

If a candidate were to give me those credentials, they would immediately go into the "do not hire" bucket and the interview would be over.

Kanshii said...

Actually, I think the real issue at hand is the personally identifiable material that is currently illegal to require in an job interview, such as martial status, race, religion, etc. These are often visible or at least attainable via Facebook/social networks. Therefore, any employer asking for the login credentials or requiring users to log in are running afoul of those laws. (At least in the US).

Xylotrupes said...

"I of course believe that employers are free to ask for your Facebook password, and that you are free to refuse."

If it didn't matter to employment, why would they ask? Therefore if they expected you to give them the password and you don't and then subsequently terminate you, how is this different from a boss asking you for your naked pictures (assuming we never had laws against this because we are too Libertarian to impose such laws)? It is not easy to quit your job when you're not in a position of power.