Sophos Cloud Optix
Picture it: you are at a job interview, and the interviewer requests that you log into your Facebook account so they can shoulder surf as you lay bare your profile in its entirety.
Worse, what if they ask you to hand over your Facebook username and password?
You might laugh and say I would never do that, but what if you really, really need a job? Many of us are desperate for work at the moment, so it is no surprise that some feel they must comply to avoid being stricken from the candidates’ list.
In the US, this tactic has been used with people applying for police officer or 911 dispatcher roles, according to an AP article. But the report says that it is happening elsewhere too.
The reason that an increasing number of employers want full access to a Facebook account is perhaps due to more of us hiding information from people we aren’t connected with.
Rob MacLeod was shortlisted for a police job in Baltimore when he was asked for his Facebook password. The Spec reports that:
The question startled MacLeod, now a bylaw enforcement officer in Peel Region. He had a personal policy of not sharing his password, no matter the circumstances. So when the request came, MacLeod offered to log in to his Facebook account and then leave the room so the interviewer could browse his page.
But he says the interviewer remained firm — he wanted the password. After a few minutes, MacLeod gave it to him.
MacLeod says he “felt like I was being pressured into doing it. It felt like if I didn’t do it, he would call the recruiter and say, ‘This guy’s not interested in the job'”, he told The Spec.
It is not surprising that this interview technique is riling a number of individuals and groups, including American Civil Liberties Union (ACLU) attorney Catherine Crump, who states:
It’s an invasion of privacy for private employers to insist on looking at people’s private Facebook pages as a condition of employment or consideration in an application process. People are entitled to their private lives. You’d be appalled if your employer insisted on opening up your postal mail to see if there was anything of interest inside. It’s equally out of bounds for an employer to go on a fishing expedition through a person’s private social media account.
And Orin Kerr, Professor of Law at George Washington University, told AP “It’s akin to requiring someone’s house keys… [It’s] an egregious privacy violation.”
One can understand that companies want to do everything they can to ensure that candidates will be a good fit and won’t jeopardize the company, but asking for the keys to their personal Facebook account seems many, many steps too far.
So, if you are out looking for a job, here are some tips to consider:
- Sanitise your account before you start applying for any jobs. Look for compromising messages, pictures, messages on walls, and remove or hide anything that you wouldn’t want a prospective employer to see
- You can quote Facebook’s legal terms, which clearly state that
You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.
Explain that you are a law-abiding citizen, and you can in no way break this binding contract with Facebook.
- Hacker Factor author Neal Krawetz provides some advice, including exposing the company by anonymously posting online that they made this request during the interview. He also suggests that you consider suing them if you do not get the job.
- Tell them you don’t use Facebook. Review your settings on your How You Connect page under Facebook’s ‘Privacy settings’, you can tweak these, as shown below.
This means that an employer won’t find you during a search. Even friends of friends won’t see you listed. The problem here of course is that you are lying, but my view is that human rights to privacy are a little more important than a white lie.
What do you think?
Related article: Read what happened Next…
Check out our Facebook page, where over 170,000 people regularly share information on threats and discuss the latest security news.
Another alternative is to flush facebook entirely. If you need a job to survive, you can certainly afford to ditch facebook. The world was fine before facebook 🙂
Or change your password the minute you get home from the interview.
Or change your facebook name.
Scorched earth. It works everytime. Except for the cockroaches, they survive.
I AGREE. I DUMPED MY FACEBOOK ACCOUNT, 2 YEARS AGO. SECOND BEST THING, I EVER DID. YOU ASK WHAT THE FIRST BEST THING I EVER DID ? I DON'T REMEMBER !!!
That’s because you don’t have Facebook to remind you 😉
I have done just that. I deleted my facebook account after reading about that here on Sophos pages. I just decided I didn't want to be a facebook sheep anylonger. But before that article on Sophos, I was already sick and tired about facebook's way of making privacy difficult for everyone. They have hidden the "Delete account" button so good, it's almost impossible to find, -plus many of their other privacy settings which facebook are forced to have, but do not like you use, is also more or less hidden. The Sophos article helped me decide what I should have done long time ago:
**Delete Account***
I will never return to facebook…
Not only "Should be" but I think there's a strong case to be made that it _is_ to ask for this information as it may compel a candidate to hand over information about their sexuality or religious beliefs – information that an employer is strictly prohibited from asking about during interview under anti discrimination laws.
I don't have anything on my Facebook page or in my profile that would prohibit me form getting any job but I do feel this is an invasion of privacy. I think corporations are taking advantage of the current economic situation and high unemployment rates to snoop on prospective employees. If they ask for my Facebook password I should be able to ask that they provide the username and password for the person who will be my supervisor so I can ensure I am going to work for a quality person.
I don't need to work for that sort of jerk to survive, thanks very much.
In Finland we have this called common sense. And, oh, also, LAW. Here it is illegal for employee to search ANY information about you from the web prior to job interview (or after that). Proving they did could be tricky but still.
You americanos are hilarious.
I understand in Finland that the employers there might be able to check your information and it is the Law, but don't you want your privacy, even if you are not hiding something
What? He said it's *illegal* for them to search for information on you.
I don't believe it should be illegal to request it, just like it isn't illegal to ask for someone's car keys, however it should be illegal to not consider a candidate for a job based on their refusal to accept the request.
Absolutely agree.
As another alternative, create a second facebook account with the same name and different email address, and use that to create a picture of the person you want them to think you are.
Sure I'll give a prospective employer my Facebook ID and password – right after they give me the id and password for their CEO's email account! Fair is fair
Deactivate the account before the interview so you can truthfully say you don't have Facebook. You can always reactivate it once you get the job.
I know if something happens to my job and I have to start interviewing again, knowing this, I just might start deactivating the account before interviewing if they're going to be starting this BS.
You could also gain some time to clean up your profile by telling that you don't remember the password and have to look it up in your password manager on your home computer.
Tell them to put this request in writing.
yes, the perfect line to use — so simple, yet so powerful.
GOOD answer!
Dear Mr. Smith,
As you requested, we are putting into writing what we discussed at our interview with you. Accordingly, we record that we do not have an opening for you at this time.
Sincerely,
Consolidated Douchebags Inc.
Just create a second Facebook profile for prospective employers.
If I was asked at an interview to give up any password, I would think it was a test to check I understood information security- if a candidate for a Police job gives away a password to someone interviewing them, then they would probably be the type of person to give away a password when the “IT Dept” call.
It is a bad choice for employers to request this information. If they learn from a candidate's FB page that the candidate has a protected characteristic (disability, religion, etc.) that they are legally prohibited from asking about in an interview, and then do not offer the candidate the position, they are setting themselves up for a lawsuit.
Hope so. Hope one happens soon. This is the sort of thing some halfwit reptile in HR (or "Personnel", to give it a sensible name) thinks up, then every other idiot in the same role hears about and starts doing.
It's distressing to me, that so many of the smartest people have their employment managed by some of the stupidest.
I can see a doubling of Facebook's user base coming up. Everybody's account, and everybody's fake work account. Would be a nice way of misleading the company, if they're stupid enough to believe what they read on Facebook.
They are setting themselves up for a lawsuit IF it can be proved that employer discriminated on the basis of that, and also IF the person seeking the job could afford to sue. Few have those resources, and employers know this.
You can also tell the person interviewing you that not only would you be in breach of contract if you gave them your login details, but they too would be breaking facebook's terms and conditions if they used that information…
From Facebooks T&C:
"You will not solicit login information or access an account belonging to someone else."
I'd terminate the interview immediately, mentioning privacy laws and common decency. My privacy is more important than their money.
If they can't see my profile through a public search, they have as much right to view it as they have the right to go through my mail, listen to my personal calls and voice mail. Which is to say none. Further, my age, race, religion, sexual orientation and other information that may be in my Facebook profile are not items that an interviewer is legally allowed to ask for in most situations. As a result, asking for access to Facebook should be prohibited on those grounds as well.
I would simpy refuse if they asked for me to provide it, advising that I am not going to be pressured into breaking not only the T&C's of Facebook, I will not be breeching my freinds privacy & trust, and that my Ethics are stronger than that.
Fortunatly I've not been asked for this kind of information in the UK yet.
I would be tempted to lodge a concern with the company they are acting against the Computer Misuse Act, though I'm not sure if there is a US Equivalent?
Oh well guess i wouldn't get the job. I don't have a profile on facebook only a name and a few photos,But i'll be damned if i would let them or any one elce that i don't know have my password.
I strongly recommend AGAINST lying in an interview, even if it's a question that you don't believe they have the right to ask. They still might agree to consider you if you refuse to give them the information, but if they discover that you were untruthful, you'll be automatically disqualified.
My solution is that my facebook name is nothing like my real name, my userpic is never my face, and is tightly locked in the "friends" solution listed above – and even if it DID come up an employer would have to search for a name which looks nothing like my real one.
You can then safely say you don't even have one. Just don't get caught surfing at work.
You can certainly use the T&C statement that Facebook requires you to adhere to as a reason not to release the information. It is breach of contract.
As various people have pointed out above this type of request exposes the company to numerous legal risks.
Even searching a person’s public pages can create problems because it can expose the person making the hiring decision to information they are not allowed to request. For example you can’t ask “are you pregnant?” but that’s something you might discover on a Facebook page. Companies who do these type of searches often ask legal to do it for them and tell them whether there is anything relevant. If the process is done properly, it puts a firewall between the person reviewing public social networking information and the person making the hiring decision.
Asking for and using the username and password is just plain stupid. It’s not just a violation of Facebook’s terms and conditions; it’s a federal crime. The interviewee could file a complaint with the Justice Department and the FTC.
Let's go for something that affects both genders equally.
"How old are you?" (your birthdate is a required part of your profile, and wouldn't be hidden if they log in as you)
"What religion are you?"
You’re absolutely correct. An prospective employee can sue the company for using such tactics. I wouldn’t allow access to my Facebook account to anyone. This type of tactic has “lawsuit” written all over it, and I would refuse to work for any company who uses such unethical tactics. It should be illegal for any company to request access to anyone’a Facebook account, and that they face hefty fines for invasion of privacy.
Looking for information that they legally prohibited from asking IS EXACTLY why they want to look at a prospective employee's FB.
If your profile uses the new "Timeline", Facebook no longer offers the first option of limiting who can search for you by your username.
https://www.facebook.com/help/privacy/basic-contr…
We have just looked into this and it *looks* like the setting still works under the new timeline. If you select the who can look you up with your email address or mobile phone number option and you select Just Friends, it seems to do the same thing as it does currently and block people finding you by name….
no problem – my FB username is the (fictional) name of my character in an mmo that's associated with a free throwaway email address. All my FB settings are set to not show to anyone but me, and all the 'private' info inside my FB profile is bogus, and there is only one friend connected who's FB account is also setup and set the same way. They can search all they want, my name is not in FB anywhere except where it happens to match someone else who isn't me.
We shouldn’t have to go through the trouble of creating a “second” Facebook or deactivating one because a possible employer is trying to loophole their way out of asking questions. If they want information from us, that’s what the interview is for. To ask questions. It’s an invasion of privacy and Facebook has nothing to do with your qualifications for the job.
I agree with you 100%, but when the only way to apply with a certain company was to give them access to Facebook, I created a new page. I have been looking for work much too long. It felt asking prospective employers into my messy house for tea. You had to wonder if the dog had dragged your underwear out.
Originally, I thought it would be wise to protect you, the interviewee, by allowing you to refuse the request with no repercussions. I thought allowing the interviewer to ask you for your password would be fine, as long as you has a legal opt out.
One possible response….
“I’m sorry Mr Interviewer, my Facebook password is only on my Yubikey and I have left it at home. Sorry, but I have no idea what the password is, as I never have to type it in any more.”
Indeed, I genuinely don't know my Facebook password because it was generated by and is stored in a password storage program. I just copy and paste it into the field without seeing it.
If I was sitting in an interview and was holding in my lap a journal and the prospective employer said, "Is that a journal you have there? May I read through it?" I think asking to read your facebook account would be the exact same thing. It is a personal electronic diary of your day to day activities. If you wanted total strangers to read it you would have your settings set to public. This is a complete invasion of privacy!
Possibly employers could tell interviewees that they have a policy of termination if anything is posted about the company or employees that defames the character of such. A firm reminder to keep your page solidly private. Oh but that's a whole other court case involving the First Amendment and freedom of speech.
You're mixing issues here: the first ammendment applies to the government taking an action based on political speech; it does not apply to administrative or civil action taken by a private company or individual in response to defamitory speech.
I agree with what some other have already: It already is illegal for prospective employers to make such a request. By law, they can't delve into matters such as family status and religion, and for most of us (certainly for me) that sort of information is readily available through logging into a person's Facebook account.
And, frankly, if anyone were to make such a request of me, I'd consider filing a complaint if I felt that in any way my rejection were due to my refusal of the request.
It's already illegal to ask someone's age, marital status, sexual preference etc… If you make it clear that these are apparent from your profile, how is asking for your Facebook log in any different?
Sexual Orientation. It's not a preference.
Seriously, if employers are so paranoid that they must request such information, it's a sign that there is something seriously wrong with that employer. Despite all the precautions, hiring someone is always a risk. I'm sometimes amazed at how some interviewers want a guarantee on a person when there really isn't one.
The issue is not just invasion of MY privacy but also invasion of the privacy of those who are friends on my account. I'm sorry, there's no way I am going to risk my friends privacy just so a company can decide if what I do in my off time is good enough for me to work for them.
It's already illegal to do this. In the US, you cannot ask for details on someone's age, marital/family status, birthplace, affiliations, etc during an interview. This is all information that is available on a person's Facebook profile.
People who are forced to reveal their Facebook information should file a complaint with the Equal Opportunity Employment Commission http://www.eeoc.gov/facts/howtofil.html
Just keep your profile private, and say you don't use Facebook… You won't appear in any search results 🙂
The problem with that is that Facebook search is one of the best parts of Facebook. I have had many people I 'lost' through the years find me. It's great.
Hmmmm, wonder what comes next?
Then, hopefully in language I would use with my grandmother, I'd offer to friend him and let him see what's there. Beyond that, no, they will do reference and background checks, and a drug test; if that's not enough, too bad. I'd walk out, and that's coming from someone who lost her job 20 months ago. I might send a letter to the head of HR or the company manager/owner stating what happened in the interview and asking if that is standard procedure (it may be an interviewer error). If it is the way they roll, well by golly, I'd get the word out.
Don't use the utter tripe which is Facebook.
Asking for direct access to someones account is going too far. I can see an employer creating a company account that you would have to friend so they can see your profile. I have seen people get fired for posting information about co-workers or confidential information in which they should be fired. I also have seen people get fired for using twitter in which they released confidential or private information to the public. At some point and time the person that puts the information out there has to be responsible for their actions.
I will allow my new employer to "friend" me on facebook but access to my password will not happen. Security is not a game played lightly. I know that Law Enforcement is most likley already on my friends list pretending to be a pritty girl in a two piece or somthing like that, you get the idea. I have nothing to hide and if that's how they wish to spend our tax money then so be it, let them violate the TOS, my password is mine. lol and I just changed it again, lol
If you do give your password, then don't forget to change it immediately after the interview. Insist on watching them accessing your profile and/or providing a keystrioke log.
Better still, change the pssword before the interview to something completely different from all your private passwords. That will take some management, as it is far easier to set up a new account password for yourself than to set up an account for someone else or group with a password that dosen't bear any relationship to one you might use.
I'd assume it was a trick question and would say so, because surely one would assume an employer to be looking for trustworthy employees able to keep confidentialities in the work place.
Should someone who is willing to give away their own secrets and even break the terms of a user agreement based on the possibility of a reward, in this case the offer of a job and the financial gain that may go with that be trusted with secrets and confidentialities in the work place?
Of course if they didn't agree and continued to pursue the pass word, I suppose I'd assume I was dealing with an idiot and probably wouldn't want to work for such a person anyway. lol
Interviewers are asking you to facilitate a crime and are committing one themsleves
by asking for your username and password. They are guilty of Criminal Solicitation by
asking you to commit Criminal Facilitation, so they can commit crimes like Computer
Trespass, Unauthorized Access, Wiretapping, and violations of State and Federal law
by the company and its employees.
These are ALL felonies with serious fines and prison time. Tell the interviewer this
and ask them if they'd rather work for the Bureau of Prisons instead, then ask to see
their boss immediately. If not available escalate the issue asking to see the next one
higher up, until someone in authority like an executive officer has to answer for this.
Tell the interviewer if he/she doesn't comply, you will call the police and FBI then file
a criminal complaint against them and the company under the Penal Laws and the
United States Codes.
Finally tell the interviewer if you're not hired, you will file complaints with the EEOC and
U.S. Dept. of Justice for violating your civil rights.
So now I am not being interviewed for my skills, but for personal aspects?
The first error in thinking here is that we all use Facebook in different levels of intensity and for different purposes. I for example might use Facebook purely to stay in contact with my family living in other countries, somebody else uses it only to play games, somebody else uses it by doing anything you can think of, ie keeping contact with their families and friends, playing games, belong to different pages, etc, etc, etc. Because of this you are starting to have disparate levels of "insight" into different applicants, ie, you are not being compared at the same level (competence etc) which in some countries as already being argued as being illegal, as all applicants are supposed to be compared equally on even keel – ie send me your CV, give me a presentation, etc.
In the same vein, before anybody looks at MY Facebook page, they will first have to look into all other existing employees' Facebook pages during the interview process as well, otherwise again they are not being consistent. And I as the interviewee then also want full access to the interviewer's Facebook page, as this might then make me decide that I don't WANT to work there after all.
As other people have also already indicated, what prevents an applicant from having a nice, sterile Facebook page that makes them look like the ideal applicant, but also a different page where they ACTUALLY mess around, and this person might also perform activities that the interviewer does not agree with? There is no way the prospective employer will know about that in any case. And let us say for example that I am a complete agnostic/atheist/etc and it is portrayed in my FB pages, so certain of my actions I consider to be 100% acceptable (and it is in a wider community), but it is in contradiction to what my Bible-bashing interviewer thinks – even though my private life does not have any effect to my work-ethics and does not affect how I interact with colleagues, etc? But this is now held against me in interview because of this invasion of my private life?
If a company thinks that they have that right to invasion of privacy, I assume the next thing is for male bosses to have full access to female cloakrooms – at the end of the day, actually – they will have more right to that, as the cloakrooms are after all business property whereas Facebook is not?
You do not need to be consistent in your hiring policy. It may change over time and you do not have to apply it retrospectively. And thank god for that. I am a senior engineer but having read a few job adverts for junior positions in my own team, I know I would not get my own job.
If someone *does* request a password and one is provided to them, doesn't that also mean that they could continue surfing the persons FB whenever they wanted to? I would assume that one's pw could be changed, but the whole thing is creepy.
When I first saw this thread I thought it was a joke – a hoax.
People really need to take their on-line security far more seriously than they apparently do.
Passwords should not be shared. At all.
So exactly what is this FACEBOOK stuff people always talk about? I know I live under a rock but if I need to get a hold of someone I still use a phone (a landline at that), I still write actual physical letters and send them with stamps. The cell phone I own I will use only if the vehicle I'm driving breaks down. I still buy foldable paper maps. I still take photographs with a camera. Yes I do have computers a Compaq Presario and an equally old eMac. Both still working just fine.
What I don't need, is to be is so connected that every little thought and misdeed needs to be sent out to everyone I know automatically and traced by any hacker or agency.
There is a very simple solution. I created a domain that is made up of 32 random characters. Then at my hosting provider I created an email address that is also made up of 32 random characters also. So when I got asked for my Facebook log on credentials I hand them a business card that has my 68 character logon and my 40 character password, that has been printend in a 10 point non-serif font, with only one space between the two. It resembles a PGP key block rather than a username and password. So now the person is sitting there looking at 109 random characters with no clue on what to do. I did the same thing for my facebook username URL ( http://www.facebook.com/<user name> ) I created a 59 letter username. Then when I am asked to friend a company profile I always tell them to send me a request and hand them another card with the extremely long nasty looking username url that is again listed in 10 point non-serif font.
If' you're being interviewed for a job at NSA, you might as well figure they either already KNOW your FB login and password, or it isn't the agency you thought it was. They'll directly interview all the friends you've ever known back to your childhood anyway.
If you tell them you don't have Facebook,what do you tell them when they ask why your name,date of birth ¤t address all appear on a Facebook account?
I think the idea is that you hide your Facebook profile from public view, and from being searched for by folks who aren’t already your fb friends.
Why bother with any alternatives such as hiding information. It's no employer's business what I do on Facebook or any other social media. The only thing they need to know is whether or not I can perform the job. I wouldn't work for any company who wants keys to my home or passwords to any social media sites I use. Are they going to give me their passwords or keys to their home so I can "spy" on them? Think NOT! What an absolute load of BS.
Contemptible.
Unacceptable.
In breach of fundamental IT Policies, if he complied the interviewer should be disciplined on the spot. How can that employee be trusted with his company password?
This is not 'fine' under any circumstances. Not without a legal subpeona at the very least.
Facebook is just one of many social networking systems, did they not also ask for his Bebo password, MySpace password, Hotmail, Gmail, Tumblr, Flickr and Harmony Central access? Or retrieve his Geocities account?
Doesn’t matter what’s on your page, nobody has any reason to access this information. I think Sophos stated most of them with their follow these… Also I have stated many times our (USA) legislators need to be more up on evolution of software and how to protect the general populous. Many data items are not protected by law, and need to be viewed the same as we feel about the information we ship around. I totally agree with the rules you agree to with Facebook. Would some police department like you to break an agreement, with them as they are asking you to break with Facebook? Also, what if you don’t have a social account? Many don’t and it isn’t really social if you aren’t physically with someone.
So it would seem your poll on whether it should be illegal to be a scumbag corporate personal info raper is somewhat redundant.
since it's been clearly pointed out in these commentaries why it is already illegal.
since most people have a natural healthy aversion to pulling out a gun and shooting a (information) thief;
therefore i suspect this tyype of corporate criminality will continue, and these ethically
barren interviewers will be analagous to airport security hoodlums.
the equivalent of legal criminals.
I'd love to know who the 8% of people are who think it shouldn't be illegal for employers to request this info. No doubt either pushovers or people requesting the information themselves.
This is an outright invasion of privacy. If I was asked for this in a job interview I'd immediate tick myself off the candidate list by the response I would give the employer! I don't even understand how there is a discussion on this mater. It's wrong, full stop.
I don’t use facebook, I know how security works. But if I ever get asked that question, it’s a simple “No, and I don’t want to work for a company that will treat it’s employees like this.” And I politely thank them for their time, and end the interview.