Showing posts with label Facebook. Show all posts

Monday, March 26, 2012

That doesn't mean your employer can use your Facebook password

As a Libertarian, I of course believe that employers are free to ask for your Facebook password, and that you are free to refuse. This also could be because I'm a conceited jerk who believes that any employer would be lucky to hire me, so I believe I have the upper hand in the power struggle.

But completely separate from that, giving your employer your Facebook password does not give them the right to use the password. In fact, using the password to log on could be considered a crime, such as "computer fraud and abuse" or "identity theft".

Facebook's current legal terms say this:
You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

That means you are in violation of those terms if you give your password to your prospective employer. But, hypothetically, Facebook could add to their terms:

An account may be accessed only by its owner; by logging in, you agree that you are the person who owns the account.

This makes it clear that logging into somebody else's account is identity theft, which means employers can be prosecuted under existing fraud and abuse laws. Facebook could just monitor for logins to multiple unrelated accounts from a single location, and then send the police to go arrest the employer.

Of course, employers can respond by insisting that users log onto their own accounts during the interview process, but this is still an improvement. Presumably if one employer rejects you because of those drunken nude party photos, you could remove them before the next job interview.
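The monitoring idea in this post (many unrelated accounts logging in from one location), sketched as an added example that is not from the original post or from Facebook. The log format, the friendship data, the 8-hour window and the threshold of 3 are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, account).
# IPs come from documentation ranges; account names are made up.
LOGINS = [
    ("2012-03-26T09:02:00", "203.0.113.7", "alice"),
    ("2012-03-26T09:40:00", "203.0.113.7", "bob"),
    ("2012-03-26T10:15:00", "203.0.113.7", "carol"),
    ("2012-03-26T11:05:00", "203.0.113.7", "dave"),
    ("2012-03-26T09:10:00", "198.51.100.4", "erin"),
    ("2012-03-26T09:12:00", "198.51.100.4", "frank"),
    ("2012-03-26T09:30:00", "198.51.100.4", "grace"),
    ("2012-03-26T08:00:00", "192.0.2.9", "heidi"),
]
# Constructed friendship edges: erin, frank and grace share a household.
FRIENDS = {frozenset(p) for p in
           [("erin", "frank"), ("frank", "grace"), ("erin", "grace")]}

def unrelated_groups(accounts, friends):
    """Number of friend-connected groups among accounts (union-find)."""
    parent = {a: a for a in accounts}
    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for edge in friends:
        if edge.issubset(parent):          # both ends logged in here
            a, b = tuple(edge)
            parent[find(a)] = find(b)
    return len({find(a) for a in accounts})

def flag_locations(logins, friends, window=timedelta(hours=8), threshold=3):
    """Map source IP -> max count of mutually unrelated account groups
    seen inside any window, for IPs that reach the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, acct in logins:
        by_ip[ip].append((datetime.fromisoformat(ts), acct))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):  # window starting at each event
            accts = {a for t, a in events[i:] if t - start <= window}
            best = max(best, unrelated_groups(accts, friends))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Shared addresses such as an office NAT or a campus network will still reach the threshold, so a hit is a lead for review rather than proof of anything.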

Friday, November 20, 2009

10 Facebook Don'ts


Facebook is more popular than ever. The site frequently goes through changes, but how many people use the same schedule of improvements on their own profile? The new features added to Facebook are opening new windows for vulnerability. A compromised account is a backdoor to more serious attacks on email or banking.

Today I will show you 10 things you should stop doing on Facebook in order to take back your security and close the open door.

Monday, October 26, 2009

Call Spoofing: So easy, even famous people do it!


A simple but effective call spoofing technique has hit the mainstream. Former high-profile Dolce & Gabbana publicist Ali Wise used a phone call spoofing service called SpoofCard to listen to her ex-boyfriend's voicemails. The service hides the phone number you're calling from, routes the call through their server, and spoofs the caller ID with any 10-digit number. Several years ago, Paris Hilton was also in the news for allegedly using SpoofCard to listen to her friends' voicemails. Voicemail users whose accounts do not prompt for a passcode even when the call comes from their own number are vulnerable to this technique.

I tested the SpoofCard iPhone app, and using only the 'first 5 minutes free' I was able to prove that it does everything it claims. I called myself, spoofing the number with another 10-digit number, and disguised my voice using the built-in voice modifier. The choice of "man" or "woman" isn't good. I would know it wasn't a real voice... Unless I was expecting a call from the DaVinci Virus in Hackers. (But phishing scams are prime for automated messages.) The call recording feature works perfectly and portably. With very little effort I had voicemail access without password prompting. The only part that didn't work as expected was routing the call through Google Voice. It came up "Unknown."

Besides listening to voicemails, there are reasons to be concerned. Two weeks ago, Elizabeth Wharton and I led a discussion at the Atlanta chapter meeting of NAISG about Identity Theft using Social Networks. One case in point I experienced personally. The attacker had already obtained the login credentials of a Facebook user in my friends list. They approached me via chat under my friend's name. They claimed that they had been mugged while on a trip to London and wanted to borrow $400 to pay the hotel bill. Since I knew the whereabouts of my friend, the attack ended there. But what if I wasn't so sure? Would a call from my friend's phone convince me? Since many Facebook users keep their phone numbers in their profile, this opens a huge door for phishing attackers. Remember that Identity Theft is not attributed to one large vulnerability but rather to dozens of innocuous details displayed freely around the Internet. Being able to appear officially like they're calling from any other number may be the last piece the attacker needs to convince you to give up crucial information.

So should SpoofCard be able to continue this service? Their record shows that they've been keeping their nose clean for years, and even won the lawsuit against 123spoof.com for using "spoof" in their business name. Their website claims the most appropriate use for this tool is in places like doctors' offices that want to have multiple numbers but don't want to appear confusing to the customers. While this sounds perfectly reasonable, I question whether this service is the optimal way to do that. They do not support misuse of the product, and "if there is illegal activity and we are served with a subpoena, we will cooperate with the court or law enforcement agency." It looks like for now the responsibility is still in our hands to be smart and protect ourselves with instinct and good judgment. (And take your phone number off the Internet!)