Facebook and passwords

There have been reports in the last week or so, particularly from the U.S., of job applicants being asked to provide their Facebook or other social media passwords to prospective employers.

My recommendation to all my clients is the same as for any request for any of your passwords: the only correct answer is “No.”

But, since nobody likes hearing “No” in a job interview, it’s a good opportunity to expand on your reasons and the issues surrounding the request. First off, it’s a violation of Facebook’s Terms of Service, which include the conditions “You will not solicit login information or access an account belonging to someone else.” (section 3.5) and “You will not facilitate or encourage any violations of this Statement.” (section 3.12). So, Facebook may choose to ban the company for asking for your password, or you for assisting them in accessing your account.

Surely, if it’s your account you can authorise it, though? No – that’s covered explicitly in section 4.8: “You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.”

At a more general level, when you joined Facebook, you (explicitly or implicitly) agreed to these terms of use. Fundamentally, you made an agreement; you gave your word. If a potential employer is now asking you to turn around and break that agreement, what does it tell you about that company? Can you reasonably expect that they will abide by any agreements or contracts they make with you? If you give them your password, will they be able to trust that you will abide by any agreements you sign with them?

Additionally, whilst it’s always good security practice to use a different password for every system, many people don’t. Have a think about where else you may have used the same password: if you disclose it to someone else, what things might they have access to? Remember that a potential employer will most likely have your email address from your application: did you use the same password for your webmail account? If you get the job, these same HR people will know your bank account details: did you use that password for your online banking?

They’ll also know your phone number, home address and date of birth. If your emergency contact is your mother, they may know your mother’s maiden name too. These other pieces of information, which are often used as secondary forms of ID, could also be used in conjunction with your password to gain access to far more information than you’ve agreed to.

On a more personal level, some of your Facebook friends have no doubt locked down their own privacy settings. They’ve set themselves up so that only their own friends, or friends-of-friends, can see what they post. How about people that have sent you direct messages? It’s information which they’ve asked you to keep confidential. How will they feel if you hand your password over to someone else?

As the saying goes: Treat your password like a toothbrush. Don’t share it with anyone. And every few months, throw it away and get a new one.
