In the past few weeks a few potential employers and schools were reported to have asked for access to the Facebook profile of an applicant or student. These reports are starting to feel like a trend. I think these requests are problematic not just for the Facebook user, but also the employer or administrator asking for access. In short, anyone asking for access to Facebook profiles and/or login credentials is asking users to betray the trust of their network and subjecting all parties involved to the potential deactivation of their Facebook account.
The ACLU spotlighted one recent instance, where an employee with the Maryland Division of Corrections was allegedly asked to hand over his Facebook login credentials to his employer during a recertification interview. The employee saw this as an invasion of privacy because he utilized Facebook’s privacy settings and disclosed sensitive information on his profile, such as religious beliefs and political affiliation. There has been some debate as to whether the request for access was compulsory or optional and the DOC has since suspended the practice for further study.
The practice of asking for access to other’s online communities is not new. City governments and high school cheerleading coaches have requested access to social media profiles. Even the Florida Bar Association has indicated that certain applicants, such as those with a history of substance abuse, might be required to provide access to their social media profiles.
The commentary on these activities has been critical. From a security angle, asking for usernames and passwords is always tricky because individuals notoriously use the same username and password for everything. Someone’s Facebook login credentials could also provide access to their online banking and e-mail account. Some critics have also noted that once someone else is in possession of an individual's username and password,they have the ability to lock out the individual by changing the password.
Normatively, providing access to a Facebook user’s profile doesn’t just threaten a user’s privacy; access to a restricted online community implicates the privacy of everyone in the user’s entire network. Unlike information found by searching Google, most information on Facebook exists only to those with the right credentials (“friends.”). By asking for access to profiles, usernames, and passwords, employers and administrators aren’t just asking for specific information, they are stepping into the shoes of an individual and seeing everything that individual has been authorized to see. That authorization was likely obtained through numerous negotiations (i.e. “friend requests”) whereby users rely on the representation that their “friends” are who they say they are. (The mandated use of real identities is an under-publicized aspect of Facebook’s role in building user trust by helping authenticate the identities of its users). It is probably reasonable to assume that most Facebook users aren’t contemplating a state government accessing their profile when they accept another’s friend request.
Then there’s the myriad of legal implications. Others have done a good job of reviewing the different ways asking for access to someone’s account could be legally problematic. However, I’d like to mention something that has largely been glossed over in the commentary: Facebook expressly forbids this kind of activity in their terms of use. Specifically, users are prohibited from both asking for and granting unauthorized access via usernames and profiles. Facebook makes the integrity of a user’s account a clear priority through a number of provisions:
3. Safety
…5. You will not solicit login information or access an account belonging to someone else.
4. Registration and Account Security
1. You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
2. You will not create more than one personal profile.
…8. You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
9. You will not transfer your account (including any page or application you administer) to anyone without first getting our written permission.
5. Protecting Other People’s Rights
1. You will not post content or take any action on Facebook that infringes or violates someone else's rights or otherwise violates the law.
…7. If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.
So what is the impact of these terms? At first blush, they might seem inconsequential for employers. After all, the terms of use are part of the agreement between the user and Facebook, not those asking for access. However, as more businesses, schools, and government entities create Facebook pages themselves, they should be aware that they are jeopardizing their seat at the social media table. Individual employees and administrators who ask for this information and also have a Facebook account are also at risk of the Facebook death penalty – account deactivation. For organizations that invest a significant amount of time in developing a presence on Facebook and rely on the utility to communicate with its network, permanent banishment isn’t a joke.
Additionally, the users themselves are being asked to commit an act that, if discovered, could result in deactivation of their account. This is not a trifling matter. Many
others have documented how important this social utility has become in our lives. For those that rely on Facebook for political purposes, like activists, account deactivation can be particularly harmful. In any event, employers and administrators should be aware that asking users to disclose this information is asking them to breach a contract. This breach could have significant consequences for the user.
Ultimately, Facebook’s terms of use make the solicitation of access to user profiles and login credentials a more complicated endeavor than many organizations might realize. It is worth asking whether this practice is ultimately beneficial for those soliciting access if it puts the applicant or student at risk and erodes the trust that makes online communities a desirable place to disclose information.