-
Speaking at UWM on May 4, 2010
Posted on April 28th, 2010
In commemoration of the American Library Association’s inaugural Choose Privacy Week celebration, I will be joining a panel discussion hosted by the UWM School of Information Studies and UWM Libraries on:
Emerging Privacy and Ethical Challenges for Libraries in the 2.0 Era
Tuesday, May 4, 2010
3:00pm – 4:30pm
Golda Meir Library, West Wing, 4th Floor Conference Center
University of Wisconsin-Milwaukee
Free and open to the public
From May 2 through May 8, 2010, libraries across the nation will celebrate Choose Privacy Week (http://www.privacyrevolution.org) for the first time. This American Library Association campaign invites library professionals, users, and friends into a national conversation about privacy rights in a digital age. The UWM School of Information Studies and UWM Libraries have joined together to provide a venue for local librarians, information professionals, and patrons to discuss the emerging privacy and ethical challenges for libraries in the new “2.0” era.
Topics to be discussed include:
- What innovative online tools and services are libraries bringing to users, and what are the potential impacts on patron privacy?
- Are there privacy considerations for providing or controlling access to digital collections?
- How do current laws & policies protect patron privacy, and are any changes coming?
- What are the broader ethical responsibilities for librarians and information professions in the libraries of the future?
Featured panelists:
- Liza Barry-Kessler: privacy lawyer and co-author of Privacy in the 21st Century: Issues for Public, School, and Academic Libraries
- Peter Lor: visiting professor, School of Information Studies, UW-Milwaukee, Past Secretary General, International Federation of Library Associations (IFLA)
The panel discussion is free and open to the public. For more information, contact Michael Zimmer, UWM School of Information Studies, zimmerm@uwm.edu.
-
Privacy, Anonymity, and the Importance of Having a Social Media Policy
Posted on August 27th, 2009
Are your employees blogging? Tweeting? Using Facebook, LinkedIn, or BlogHer? Do you have any idea?
If you don’t know, and your company or organization is large enough that you can’t call out “Hey? Are you using any of these things?” and get a verbal answer from everyone, then the answer is probably yes.
And they might not be using it in a way that reflects well on their workplace. For example, the now-Internet-famous Lindsay and her former boss both used Facebook in a way that few employers would find acceptable.
In that example, the boss clearly knew who was posting disparaging remarks about him and about the workplace.
What if she’d been complaining anonymously? On Twitter, there is no identity verification, or even any particular motive for using a personally identifiable username. There, so many people complain that they hate their jobs that someone created a feed to capture all of the “I hate my job” tweets in real time.
I tried to find anonymous complaints, but nearly all of them appeared to be either fully identifiable — first and last name — or partially identifiable — first name + profile photo or location. Some even named the employer!
Still, it isn’t hard to imagine a de-identified or anonymous complaint stream in a social network. Companies and organizations should consider instructing employees not to post disparaging comments about their workplaces anywhere that is generally viewable by members of the public.
These kinds of posts and comments seem like the same kind of “venting when you get home from work” comments that many people engage in, but they are, in fact, completely different.
Your competitors can’t show potential clients or recruits a transcript of your employees’ dinner table discussions. Inappropriate verbal comments made to an employee’s friends or family are unlikely to become evidence in a discrimination or harassment complaint. Online posts are searchable, they last indefinitely, and they very well may result in people losing their jobs.
And although your employees may feel anonymous while complaining about their jobs in social media settings, they need to know that they aren’t really anonymous.
If they said something actionable, you could subpoena Twitter’s records about the account, which, at a minimum, include an email address. Very likely they also include the IP address where the account was first created, or where it was most recently used.
While that isn’t necessarily a good proxy for identity, if a person is using their home computer, it should give you ISP data that could be tracked back to a specific customer account. And if that account belongs to Joe Smith at 123 Main Street, and you have an employee with that name and address, you have a pretty good idea who has been “anonymously” disparaging your company online.
Tempting as it might be, don’t fire them online. Some things really should be done the old-fashioned way.
-
The City of Bozeman Wants Your Password???
Posted on June 19th, 2009
I believe that a lot of bad privacy decisions are made by well-intentioned people who either don’t understand how various technologies work, or don’t understand that the easiest, cheapest, and most effective way to protect people’s privacy is to limit the amount of data they collect and retain.
The City of Bozeman, Montana, appears to be guilty of severe over-collection of information. Persons who apply for and are conditionally offered jobs involving the public trust by the City of Bozeman are required to provide not merely URLs for blogs and Facebook or Twitter usernames, but also the passwords associated with those accounts. Here’s an interview with the Bozeman City Attorney Greg Sullivan explaining what they collect, from whom, and why.
The Terms of Service for Facebook specifically indicate, “You will not solicit login information or access an account belonging to someone else” and “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” Violations of those terms have consequences from Facebook: “If you violate the letter or spirit of this Statement, or otherwise create possible legal exposure for us, we can stop providing all or part of Facebook to you. We will generally try to notify you, but have no obligation to do so.”
Twitter’s Terms of Service are unsurprisingly similar, noting, “You are responsible for keeping your password secure.” Furthermore, they have more forthright consequences: “Violation of any of these agreements will result in the termination of your Twitter.com account.”
Furthermore, Bozeman’s official practice of collecting job applicant social networking password information also includes the retention of that information. Yes, they take your password and they keep it, in allegedly secure HR files.
As someone who once started a new job in an office that had previously housed HR, and found a stack of 50 forgotten personnel files on my desk, I consider that practice highly suspect at best.
Not only shouldn’t Bozeman collect login information in the first place, but they should certainly not retain it after completing the task for which they allegedly need it.
I do think employers have the right to ask for blog and social networking information about potential employees, and to search for information about potential employees online. Those sites are public or quasi-public, and users need to remember that anything they post online might be seen by anyone — a boss, a parent, a child, or a future potential employer.
That doesn’t mean people shouldn’t use social networking sites or blogs, just that those are public spaces every bit as much as the reception area outside of the interview.
One major risk that has not been explored in the discussion of this policy is Bozeman’s claim that they won’t use any information they find online that they are not legally permitted to use, i.e., race, religion, marital or pregnancy status.
Really?
I have a hard time imagining how that gets enforced.
And what about information someone finds about unprotected or potentially unprotected classes like gays and lesbians? Or single mothers? Or people in recovery from drug or alcohol abuse?
What if the decision-maker is of the opinion that people who enjoy violent video games are prone to violence?
Many thanks to Boing Boing, the Missoulian, and others for bringing this to the light of day.
-
Learn from Virginia’s Mistakes
Posted on May 5th, 2009
The Washington Post’s Security Fix blog posts an abject horror story:
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site’s homepage with a ransom note demanding $10 million for the return of the records…. (Courtesy of Wikileaks)
Can you imagine? What would happen to your business if more than 8 million customer records were stolen by hackers? What if they were subsequently made public?
Something similar happened last November to Express Scripts, a pharmacy benefit management company, which declined to pay the ransom for their customer data, but is offering a $1 million reward for information leading to the arrest and conviction of the Internet extortionists.
That million dollars is no small loss, but it’s easy to imagine that Express Scripts’ losses go much further. While individual customers don’t choose which pharmacy benefit management company their employers or other benefit providers use, most Human Resources departments would think twice about extending a contract with a company that had such a huge security breach. Especially since those HR decision-makers may have experienced personal privacy problems as a result of the breach!
Individual consumers also may question whether or not using the benefit is worthwhile — they might prefer to pay more for an individual prescription in order to protect their privacy.
What are you doing to ensure that your company or organization is safe from this kind of a nightmare?


