I believe that a lot of bad privacy decisions are made by well-intentioned people who don’t understand either how various technologies work, or who don’t understand the easiest, cheapest, and most effective way to protect people’s privacy is to limit the amount of data they collect and retain.
The City of Bozeman, Montana, appears to be guilty of severe over-collection of information. For those persons who apply for and are conditionally offered jobs involving the public trust by for the City of Bozeman, they are required not to merely provide URLS for blogs and FaceBook or Twitter usernames, but also the passwords associated with those accounts. Here’s an interview with the Bozeman City Attorney Greg Sullivan explaining what they collect, from whom, and why.
The Terms of Service for FaceBook specifically indicates, “You will not solicit login information or access an account belonging to someone else” and “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” Violations of those terms have consequences from FaceBook: “If you violate the letter or spirit of this Statement, or otherwise create possible legal exposure for us, we can stop providing all or part of Facebook to you. We will generally try to notify you, but have no obligation to do so.”
Twitter’s Terms of Service are unsurprisingly similar, noting, “You are responsible for keeping your password secure.” Furthermore, they have more forthright consequences: “Violation of any of these agreements will result in the termination of your Twitter.com account.”
Furthermore, Bozeman’s official practice of collecting job applicant social networking password information also includes the retention of that information. Yes, they take your password and they keep it, in allegedly secure HR files.
As someone who once started a new job in an office that had previously housed HR, and found a stack of 50 forgotten personnel files on my desk, I consider that practice highly suspect at best.
Not only shouldn’t Bozeman collect login information in the first place, but they should certainly not retain it after completing the task for which they allegedly need it.
I do think employers have the right to ask for blog and social networking information about potential employees, and to search for information about potential employees online. Those sites are public or quasi-public, and users need to remember that anything they post online might be seen by anyone — a boss, a parent, a child, or a future potential employer.
That doesn’t mean people shouldn’t use social networking sites or blogs, just that those are public spaces every bit as much as the reception area outside of the interview.
One major risk that has not been explored in the discussion of this policy is Bozeman’s claim that they won’t use any information that they are not legally permitted to use, that they find online — ie race, religion, marital or pregnancy status.
Really?
I have a hard time imagining how that gets enforced.
And what about information someone finds about unprotected or potenially unprotected classes like gays and lesbians? Or single mothers? Or people in recovery from drug or alcohol abuse?
What if the decision-maker is of the opinion that people who enjoy violent video games are prone to violence?
Many thanks to Boing Boing, the Missulian, and others for bringing this to the light of day.