Recently some governments and businesses have gone the extra
mile to distance themselves from the decent and intelligent members of their communities.
The growing practice of asking employees or potential employees for their
social networking account passwords is being embraced by the ignorant,
the incompetent, and the malicious at such a rate that laws banning the practice
are becoming a necessity. The legislature of Maryland recently became the first
state legislature to approve such legislation and Michigan doesn’t appear to be
far behind.
Aside from the obvious fact that it is an affront to anyone
who ever fought for any country to protect and preserve freedom, there are
several reasons why only an incompetent or ignorant business (or government
agency) would engage in such a practice.
Legal Liability
At least in the United States, there are some questions that
an employer does not ask a potential employee. There are laws against
discriminating against people who are members of certain groups. In most cases,
asking a potential employee’s age is not allowed. Asking a person’s sexual orientation
or religious beliefs is generally not allowed. By accessing a person’s Facebook
account an employer may see information that the employee or potential employee
can claim was used to discriminate against them. The employer who asks for a
Facebook password lacks the intellect to seek legal advice before doing so, has
incredibly poor legal advisers, or lacks the wisdom to accept competent advice.
Security Implications
As I have often written about before, there are two types of
people who ask you for your password… thieves and idiots (http://randy-abrams.blogspot.com/2011/12/two-rules-you-damned-well-better-know.html).
The reason for this advice is that it is a really bad practice to give out your
password to anyone. The employer who asks someone to share their password is
encouraging truly horrendous security practices within their organization. The employer
who requires a Facebook password also requires that employees be less than competent
at security. You might want to carefully consider doing business with another
business that engages in such practices as they lack the basic knowledge of
security required to keep confidential dealings with you or your business
confidential. The core of the company’s culture is the least intelligent
security practices. The employer who asks for passwords for personal accounts failed
to ask their head of IT for advice, or has an incredibly inept IT “expert”, or
simply ignores good advice.
Character Implications
Facebook, Google, and virtually all online services have
user agreements that explicitly state that the user agrees not to share their
password with anyone. The employer who requires employees or potential
employees to share their password is the employer who categorically rejects any
employee that keeps their word. The core of that organization’s ethical culture
is dishonesty. The employee who stands by their legal agreements is deemed to
be unfit for employment. Does this sound like an organization you want to do
business with?
Social Implications
The organization that asks for the password to social
networking or email accounts is an organization that thumbs its nose at the heroes
of its country. This is the organization that tells the family members of
soldiers who have died fighting to protect freedoms that they truly do not
appreciate the sacrifice and that their lives were wasted fighting for principles
that the organization holds as worthless. These are the employers who would
tell today’s soldiers that their sacrifices are completely unappreciated.
The Tiny Intellect
One of my all-time favorite sayings is “If you only see one
solution, you probably do not understand the problem”. The employer who asks
for passwords does not understand much at all. Unless the goal is to violate
privacy, there are other ways to approach the problem that the employer is
trying to solve using the least intelligent solution.
The Dumbest Argument of All
This is the one that sets the ignorant apart from the truly, pathologically
stupid. The argument is… “If you have nothing to hide then it isn’t a problem”.
This argument assumes that failing to abide by an agreement isn’t a problem,
but also demonstrates extreme short-sightedness in another area. Although I may
not have anything to hide, it does not mean that I am acting morally,
ethically, or even just plain decently by showing emails and messages that
others may have sent to me in confidence. While Facebook may arguably not be a
great place to send a confidential message to someone, people do share private
information and trust that the person they share it with will respect their
privacy. The argument “If you have nothing to hide then it isn’t a problem”
completely ignores the very real fact that the employee or potential employee
has agreed not to share someone else’s information.
Thieves and Idiots
Randy Abrams
Independent Security Analyst
© 2012