Recent new stories from the Associated Press and Wired report that some employers are asking interviewees to give up their Facebook password so that they can check for objectionable content. Plenty of people are outraged about the obvious privacy violation, but allowing a potential employer to view your account is only the beginning of what someone can do with your Facebook password.
Anyone who has your Facebook password can not only read your private information, but also read your friends’ private information that they only share with friends. I have at least one Facebook friend who has had problems with an anonymous stalker. While it is unlikely that the person interviewing you for a job is the stalker, how well do you really know them after a 30 minute interview? You really have no way of knowing if the interviewer is going to write your username and password on a Post-It note and put it on the office whiteboard for everyone to see.
I may be comfortable giving up the information on my Facebook page, but it is a violation of my friend’s trust to give a stranger access to their information without at least giving them the opportunity to prevent it.
Beyond just reading people’s private information, an interviewer who gets your password can do all the bad things that a criminal can do after cracking your account. For example, they can:
- Post anything they want to your Facebook wall or the walls of any of your friends,
- Send private messages to your Facebook friends on your behalf,
- Log in to other sites that allow authentication with Facebook credentials,
- Create new accounts on your behalf at sites that use Facebook authentication, and
- Install Facebook applications in your account (which may further compromise your privacy, even if you change your password).
In most cases, unapproved postings will just lead to embarrassment. On professional sites, like LinkedIn and Stackoverflow, inappropriate material could could hurt your reputation in the online community enough to prevent you from getting a job elsewhere. In an extreme case, they might post child pornography in an attempt to get you arrested. You could probably prove that the post did not come from your computer, but you could have to defend yourself against civil or criminal charges.
There is a good reason that security principles say that you should never tell anyone your password — as soon as you tell someone your password, you lose control of the account. Demanding interviewees to give passwords to interviewers conditions employees to give up their passwords when asked by anyone with apparent authority. This kind of practice usually ends up with an employee sending a password through email to an attacker who demanded it.
If you are asked to surrender a password in an interview and you do not feel like you can outright refuse because you need the job, you should at least explain the risks to the interviewer. If they expect to have continuous access to your account (i.e., you cannot change the password as soon as you leave the office) you should definitely ask to see the part of their security practices document that describes how your password will be protected, who will have access to it, and under what circumstances.
Bill Dieter's Blog 