Maryland Becomes First State To OK Facebook Password Protection Bill
ANNAPOLIS, Md. (AP) — Maryland is poised to become the first state to ban employers from demanding applicants or workers hand over their log-in information for social media sites like Facebook.
The measure, which handily passed the legislature earlier this month, keeps managers from snooping on password-protected content, a practice advocates of the bill say violates privacy and intimidates job seekers and employees.
Robert Collins, a former corrections officer in Maryland, said he was asked for his Facebook account information while being recertified for his job following a leave of absence.
Collins, who lives in Baltimore, complied with the request, but said he felt embarrassed and violated as an interviewer roamed his private messages, pictures and posts.
"It almost seemed that my compliance was compulsory," Collins said.
The voluntary social media screening for correctional officers, not all employees, is a natural extension of an already "inherently intrusive" background check for people working in law enforcement, said Rick Binetti, executive director of communications for the Maryland Department of Public Safety and Correctional Services.
The practice was used to screen people who would be working in jails for possible illegal activity and gang affiliations.
"I'm sure if you asked a correctional officer if they were working alongside someone who was known to show gang signs on their social media, that would create an uncomfortable working situation for them," Binetti said.
A review by the corrections department last year assessed 2,689 applications, showing that seven candidates were rejected in part because of information found on their social media profiles.
Another candidate was rejected for the job solely because of content on a social media profile.
That candidate, along with others, used social media profiles that contained images of them showing known gang signs, according to the review.
In April 2011, a few months after the American Civil Liberties Union complained on behalf of Collins, the department issued a revised policy that asked job candidates to voluntarily participate in the review of social media use during their interview. The new policy stops short of asking for log-in or password information.
It is impossible to know exactly how often employers ask to tap into prospective workers' accounts, but Bradley Shear, a Bethesda, Md.-based social media attorney, said he believes it is happening more and more frequently.
Only a handful of clients have contacted him because an employer asked to test drive their accounts, but Shear said many more cases of social media snooping exist. Those asked to turn over their information are just afraid to come forward.
"If you're not willing to go public, the problem persists," he said. "If you're not willing to be a whistleblower, if you're not going to come forward, it's not going to stop."
Collins, who no longer works for the Department of Corrections and is pursuing a degree in nursing, said he has talked to other people who have also been required to hand over their account information, but "they didn't think anything of it."
While the Maryland legislation is the first of its kind, lawmakers in at least seven other states have introduced legislation to limit employer access to social media user names and passwords, according to the National Conference of State Legislatures.
It is unclear if the measure will become law because Democratic Gov. Martin O'Malley is still reviewing which legislation he will sign, a spokeswoman for the governor's office said.
A companion bill that would have kept colleges and universities from requiring that students disclose account information passed the Maryland Senate, but saw no movement in the House of Delegates.
Democratic U.S. Sens. Chuck Schumer of New York and Richard Blumenthal of Connecticut have also asked Attorney General Eric Holder to investigate whether asking for log-in information during job interviews violates federal law.
Allie Bohm, an advocacy and policy strategist for the ACLU, says the practice of asking to surf someone's social media profile is akin to asking for the key to their house and going through their mail.
"We don't want to create a situation where employers think it's appropriate just because it's online," Bohm said.
Shear, who pushed for the Maryland legislation, said giving employers access to password-protected information not only violates people's privacy, but hampers technology development, which relies on users to trust the security of the websites.
"There's a whole generation of future leaders where they're going to be our elected leaders, our judges, our lawyers, our business people," Shear said. "Do we really want all those people to think it's OK for the government to see our private content without any warrant or subpoena or anything like that?"
Facebook director for state public policy Will Castleberry applauded the bill.
"Asking employees or job applicants for their passwords is wrong," he said in a statement.
Business representatives, including the Maryland Chamber of Commerce, argue that the bill is bad for business and that requests for log information are very rare.
While media have reported a few handful of instances around the country of employers asking for passwords, using third-party software to spy on profiles and requesting that applicants "friend" managers in order to vet their accounts, the practice is not widespread, said Elizabeth Torphy-Donzella, a labor and employment attorney with Baltimore-based Shawe Rosenthal LLP.
"I do not have one client that to my knowledge asked someone for their Facebook page and most of my clients would not even think of that," she said.
Torphy-Donzella, who worked with the Maryland Chamber of Commerce to oppose the bill, said it takes away important access for employers who need to investigate harassment claims and other misconduct.
"It was drafted in a manner that didn't take account of legitimate employer needs to request access to employee Facebook pages," she said.
But Shear argues that the legislation is good for businesses because it prevents them from being liable for information, such as criminal or harassing behavior, that they could discover when reviewing employee profiles.
"There's no good reason to do this," Shear said. "If you're in HR and you're doing it, you're creating tremendous legal liability for your company."Flip through the slideshow (below) to see what you should never post on Facebook.
Your Birth Date And Place
While it might be nice to hear from Facebook well-wishers on your birthday, you should think twice before posting your full birthday. Beth Givens, executive director of the <a href="http://www.privacyrights.org/" target="_hplink">Privacy Rights Clearinghouse</a> <a href="http://finance.yahoo.com/family-home/article/110674/6-things-you-should-never-reveal-on-facebook">advises</a> that revealing your exact birthday and your place of birth is like handing over your financial security to thieves. Furthermore, Carnegie Mellon researchers recently <a href="http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars" target="_hplink">discovered</a> that they could reconstruct social security numbers using an individual's birthday and place of birth. Rather than remove your birthday entirely, you could enter a date that's just a few days off from your real birthday.
Your Mother's Maiden Name
"Your mother’s maiden name is an especially valuable bit of information, not least since it’s often the answer to security questions on many sites," writes the <em><a href="http://bucks.blogs.nytimes.com/2010/10/12/what-not-to-tell-facebook-friends/?src=tptw" target="_hplink">New York Times</a></em>. Credit card companies, your wireless service provider, and numerous other firms frequently rely on this tidbit to protect your personal information.
Your Home Address
Publicizing your home address enables everyone and anyone with whom you've shared that information to see where you live, from exes to employers. Opening up in this way could have negative repercussions: for example, there have been instances in which <a href="http://www.huffingtonpost.com/2010/02/17/please-rob-me-site-tells_n_465966.html" target="_hplink">burglars have used Facebook to target users</a> who said they were not at home.
Your Long Trips Away From Home
Don't post status updates that mention when you will be away from home, <a href="http://bucks.blogs.nytimes.com/2010/09/15/dont-tell-facebook-friends-that-youre-going-away/" target="_hplink">advises</a> <em>New York Times</em> columnist Ron Lieber. When you broadcast your vacation dates, you might be telling untrustworthy Facebook "friends" that your house is empty and unwatched. "[R]emind 'friends' that you have an alarm or a guard dog," Lieber writes.
Your Short Trips Away From Home
Although new features like Facebook Places encourage you to check in during outings and broadcast your location (be it at a restaurant, park, or store), you might think twice even before sharing information about shorter departures from your home. "Don’t post messages such as 'out for a run' or 'at the mall shopping for my sweetie,'" Identity Theft 911 <a href="http://identitytheft911.com/company/press/release.ext?sp=11132" target="_hplink">cautions</a>. "Thieves could use that information to physically break in your house."
Your Inappropriate Photos
By now, nearly everyone knows that racy, illicit, or otherwise incriminating photos posted on Facebook can cost you a job (or worse). But even deleted photos could come back to haunt you. Ars Technica recently <a href="http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars" target="_hplink">discovered</a> that Facebook's servers can store deleted photos for an unspecified amount of time. "It's possible," a Facebook spokesperson <a href="http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars" target="_hplink">told</a> Ars Technica, "that someone who previously had access to a photo and saved the direct URL from our content delivery network partner could still access the photo."
Flubbing on your tax returns? Can't stand your boss? Pulled a 'dine and dash?' Don't tell Facebook. The site's privacy settings allow you to control with whom you share certain information--for example, you can create a Group that consists only of your closest friends--but, once posted, it can be hard to erase proof of your illicit or illegal activities, and difficult to keep it from spreading. There are countless examples of workers getting the axe for oversharing on Facebook, as well as many instances in which <a href="http://www.huffingtonpost.com/2010/08/16/arrested-over-facebook-po_n_683160.html" target="_hplink">people have been arrested</a> for information they shared on the social networking site. (Click <a href="http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html" target="_hplink">here</a> to see a few examples of Facebook posts that got people canned.)
Your Phone Number
Watch where you post your phone number. Include it in your profile and, depending on your privacy settings, even your most distant Facebook "friends" (think exes, elementary school contacts, friends-of-friends) might be able to access it and give you a ring. Sharing it with Facebook Pages can also get you in trouble. Developer Tom Scott created an app called <a href="http://www.huffingtonpost.com/2010/05/24/evil-facebook-app-exposes_n_587144.html" target="_hplink">Evil</a> that displays phone numbers published anywhere on Facebook. <a href="http://www.huffingtonpost.com/2010/05/24/evil-facebook-app-exposes_n_587144.html" target="_hplink">According to Scott</a>, "There are uncountable numbers of groups on Facebook called 'lost my phone!!!!! need ur numbers!!!!!' [...] Most of them are marked as 'public', and a lot of folks don't understand what that means in Facebook's context -- to Facebook, 'public' means everyone in the world, whether they're a Facebook member or not."
Your Vacation Countdown
<a href="http://finance.yahoo.com/family-home/article/110674/6-things-you-should-never-reveal-on-facebook" target="_hplink">CBSMoneyWatch.com</a> warns social network users that counting down the days to a vacation can be as negligent as stating how many days the vacation will last. "There may be a better way to say 'Rob me, please' than posting something along the lines of: 'Count-down to Maui! Two days and Ritz Carlton, here we come!' on [a social networking site]. But it's hard to think of one. Post the photos on Facebook when you return, if you like. But don't invite criminals in by telling them specifically when you'll be gone," MoneyWatch <a href="http://finance.yahoo.com/family-home/article/110674/6-things-you-should-never-reveal-on-facebook" target="_hplink">writes</a>.
Your Child's Name
Identity thieves also target children. "Don't use a child's name in photo tags or captions," <a href="http://www.consumerreports.org/cro/magazine-archive/2010/june/electronics-computers/social-insecurity/7-things-to-stop-doing-on-facebook/index.htm" target="_hplink">writes</a> Consumer Reports. "If someone else does, delete it by clicking on Remove Tag. If your child isn't on Facebook and someone includes his or her name in a caption, ask that person to remove the name."
Your 'Risky' Behavior
CBSMoneyWatch.com <a href="http://moneywatch.bnet.com/saving-money/blog/devil-details/6-things-you-should-never-reveal-on-facebook/2360/?tag=content;col1" target="_hplink">writes</a>: <blockquote>You take your classic Camaro out for street racing, soar above the hills in a hang glider, or smoke like a chimney? Insurers are increasingly turning to the web to figure out whether their applicants and customers are putting their lives or property at risk, according to Insure.com.</blockquote> There have been additional <a href="http://www.huffingtonpost.com/2010/02/22/facebook-twitter-users-co_n_471548.html" target="_hplink">reports</a> that insurance companies may adjust users' premiums based what they post to Facebook. Given that criminals are turning to high-tech tools like Google Street View and Facebook to target victims, "I wouldn't be surprised if, as social media grow in popularity and more location-based applications come to fore, insurance providers consider these in their pricing of an individual's risk," <a href="http://www.huffingtonpost.com/2010/02/22/facebook-twitter-users-co_n_471548.html" target="_hplink">says</a> Darren Black, head of home insurance for Confused.com.
The Layout Of Your Home
<a href="http://identitytheft911.com/company/press/release.ext?sp=11132" target="_hplink">Identity Theft 911</a> reminds Facebook users never to post photos that reveal the layout of an apartment or home and the valuables therein.
Your Profile On Public Search
Do you want your Facebook profile--even bare-bones information like your gender, name, and profile picture--appearing in a Google search? If not, you should should block your profile from appearing in search engine results. Consumer Reports <a href="http://www.consumerreports.org/cro/magazine-archive/2010/june/electronics-computers/social-insecurity/7-things-to-stop-doing-on-facebook/index.htm" target="_blank">advises</a> that doing so will "help prevent strangers from accessing your page." To change this privacy setting, go to Privacy Settings under Account, then Sharing on Facebook.
How To Remove Yourself From Facebook Ads