Tuesday, April 24, 2012

Asking for a Facebook Password – Malice, Ignorance, or Incompetence?

Recently some governments and businesses have gone the extra mile to distance themselves from the decent and intelligent members of their communities. The growing practice of asking employees or potential employees for their social networking account passwords is being embraced by the ignorant, incompetent, and the malicious at such a rate that laws banning the practice are becoming a necessity. The legislature of Maryland recently became the first state legislature to approve such legislation and Michigan doesn’t appear to be far behind.

Aside from the obvious fact that it is an affront to anyone who ever fought for any country to protect and preserve freedom, there are several reasons why only an incompetent or ignorant business (or government agency) would engage in such a practice.

Legal Liability

At least in the United States, there are some questions that an employer does not ask a potential employee. There are laws against discriminating against people who are members of certain groups. In most cases, asking a potential employee’s age is not allowed. Asking a person’s sexual orientation or religious beliefs is generally not allowed. By accessing a person’s Facebook account an employer may see information that the employee or potential employee can claim was used to discriminate against them. The employer who asks for a Facebook password lacks the intellect to seek legal advice before doing so, has incredibly poor legal advisers, or lacks the wisdom to accept competent advice.

Security Implications

As I have often written about before, there are two types of people who ask you for your password… thieves and idiots (http://randy-abrams.blogspot.com/2011/12/two-rules-you-damned-well-better-know.html). The reason for this advice is that it is a really bad practice to give out your password to anyone. The employer who asks someone to share their password is encouraging truly horrendous security practices within their organization. The employer who requires a Facebook password also requires that employees be less than competent at security. You might want to carefully consider doing business with another business that engages in such practices as they lack the basic knowledge of security required to keep confidential dealings with you or your business confidential. The core of the company’s culture is the least intelligent security practices. The employer who asks for passwords for personal accounts failed to ask their head of IT for advice, or has an incredibly inept IT “expert”, or simply ignores good advice.

Character Implications

Facebook, Google, and virtually all online services have user agreements that explicitly state that the user agrees not to share their password with anyone. The employer who requires employees or potential employees to share their password is the employer who categorically rejects any employee that keeps their word. The core of that organization’s ethical culture is dishonesty. The employee who stands by their legal agreements is deemed to be unfit for employment. Does this sound like an organization you want to do business with?

Social Implications

The organization that asks for the password to social networking or email accounts is an organization that thumbs its nose at the heroes of its country. This is the organization that tells the family members of soldiers who have died fighting to protect freedoms that it truly does not appreciate the sacrifice and that their lives were wasted fighting for principles that the organization holds as worthless. These are the employers who would tell today’s soldiers that their sacrifices are completely unappreciated.

The Tiny Intellect

One of my all-time favorite sayings is “If you only see one solution, you probably do not understand the problem”. The employer who asks for passwords does not understand much at all. Unless the goal is to violate privacy, there are other ways to approach the problem that the employer is trying to solve using the least intelligent solution.

The Dumbest Argument of All

This is the one that sets the ignorant apart from the truly, pathologically stupid. The argument is… “If you have nothing to hide then it isn’t a problem”. This argument assumes that failing to abide by an agreement isn’t a problem, but also demonstrates extreme short-sightedness in another area. Although I may not have anything to hide, it does not mean that I am acting morally, ethically, or even just plain decently by showing emails and messages that others may have sent to me in confidence. While Facebook may arguably not be a great place to send a confidential message to someone, people do share private information and trust that the person they share it with will respect their privacy. The argument “If you have nothing to hide then it isn’t a problem” completely ignores the very real fact that the employee or potential employee has agreed not to share someone else’s information.

Thieves and Idiots

It may be that the employer asking for the password isn’t a thief… I can buy that. It may be that the person isn’t an idiot, but if they are neither a thief nor an idiot, they are so painfully ignorant that it isn’t safe to give them your password and you certainly don’t want to do business with companies where such gross ignorance is embraced by management. In the case of city officials engaging in this behavior, it is a danger to society to have such civilly irresponsible people in positions of authority.

Randy Abrams
Independent Security Analyst

© 2012
