The Privacy Setting You Can’t Control: With Friends Like These, Who Needs Enemies?
August 18, 2016
鈥淚f you鈥檙e not paying for the product, you are the product.鈥 This phrase has been a popular way to describe the tradeoff we make for utilizing the many free and convenient services available online. While many consumers try to fiercely guard their personal information, it would appear that these attempts are in vain. You鈥檙e only as strong as your weakest link, and every friend or colleague is a potential chink in your armor.
Contacts For Hire
For example, in the past few years, companies began checking the social media profiles of job candidates and employees 鈥 in fact, reported on this trend as far back as 2012. This practice is illegal in a handful of states. However, according to 2016 data from the , some legislation designed to protect job seekers and workers failed in seven states this year, and also failed in 10 states last year. (Legislation is either pending or it has not been introduced in several other states.)
Here鈥檚 the problem with checking social media profiles. Some companies aren鈥檛 just performing a cursory search; they鈥檙e asking for login and password information so they can see everything. In fact, some online job applications won鈥檛 allow individuals to even submit their applications unless they have authorized social media access and provided their usernames and passwords.
If that type of access is downright illegal in some states, isn鈥檛 it at least unethical in the rest of the country? I asked several experts to weigh in on this subject.
According to Tim Sackett, a human resources and recruiting talent pro as well as the president of HRU Technical Resources, most employers are scouring the internet before they make a hiring decision 鈥 whether they tell you or not. 鈥淚 would rather an employee just tell me this is part of the deal - plus, many candidates have their profiles locked down, so if you don't give me access, there is nothing to see,鈥 Sackett said. And he added that 鈥渘othing to see鈥 can be a red flag that causes an employer to question what that person may be trying to hide.
However, from an ethical standpoint, Sackett explained that whether asking for social media login information is right or wrong depends on factors such as the employer, the clients, and the company鈥檚 culture. 鈥淭he answer is to work for a company that doesn鈥檛 have issues with your vices,鈥 said Sackett. 鈥淚f you like to party and post pics with your drunken friends on Saturday night, work for a company that is cool with that. If you and your friends like to dress up like Hello Kitty on your off time, work for a company that is cool with that.鈥
Almost half of the companies in a recent survey by the Society of Human Resource Management admit to using social media to screen applicants, and one-third report that they have disqualified applicants based on the information they found.
Jonathan Westover, associate professor of Organizational Leadership in the Woodbury School of Business at Utah Valley University and a human resource management consultant, agrees that companies are probably looking for red flags. 鈥淲ill the applicant embarrass the company? Are they engaged in behaviors that might lead to poor performance? Hiring managers want to know this before they make a decision.鈥
And Westover thinks it鈥檚 possible that companies are also looking for a strong professional network 鈥 especially in highly-skilled or managerial jobs. 鈥淭hey may leverage candidates with strong networks, such as LinkedIn, in the recruitment and headhunting of other highly-skilled potential workers (for example, in the high tech industry).鈥 But Westover said there are still underlying privacy issues 鈥 and he thinks that this type of access can be abused and used for other purposes.
One of the major concerns is how this information is used, according to Don Mayer, J.D. chair of the Department of Business Ethics and Legal Studies, and professor-in-residence at the Daniels College of Business at the University of Denver. He questions the ethics of this practice because the candidate or employee is not given the opportunity to explain any information or associations that the company may consider to be derogatory.
鈥淢otives may vary, but I鈥檓 not clear on what criteria companies would use to disqualify someone because of their contacts, or because of comments made to friends on social media,鈥 Mayer said. Are psychologists hired to do some sort of psych-analysis of patterns and 鈥榣ikes鈥 from Facebook?鈥
The possibility of disqualifying a candidate based on their list of friends is a serious ethical issue to Karen Young, SPHR, of HR Resolutions. 鈥淚鈥檓 concerned that all of a sudden, a company鈥檚 鈥榲alid business reason鈥 for not hiring an applicant is because someone looked at their Facebook page and saw that some their connections include LGBT, Hispanic and African American friends.鈥
Also, Young believes the social media access requirement may reduce the number of qualified people that would actually complete the application process.
There are other ethical issues regarding this requirement, according to Kate Jones, a partner in the鈥 Kutak Rock law firm. 鈥淧roviding your social media credentials to a potential employer may not only infringe on your privacy, but also the privacy of your friends and contacts on social media,鈥 Jones said.
Jones also explained that when applicants share their login credentials, they鈥檙e making a conscious decision to do so. 鈥淏ut your friends and contacts on social media do not have an opportunity to make that choice.鈥 Jones said they might have chosen to share certain information only with certain friends and contacts. 鈥淪haring your login credentials may affect your friends鈥 privacy,鈥 she warned.
But should the bulk of the ethical blame rest on the job seeker or the potential employer? After all, no one is forcing applicants to agree to these terms. They can choose to terminate the application process and seek employment elsewhere. But is that a realistic expectation?
Keith Swisher, ethics consultant at Swisher P.C., thinks it鈥檚 an abuse of the potential employer鈥檚 power. 鈥淧eople need jobs, and employers should not exploit that need by, for example, requiring access to private communications.鈥 Regarding employees, Swisher says, 鈥淧erformance interviews, probationary periods or on-the-job observations would provide far more accurate and less intrusive information than the screening of private, out-of-office communications and associations.鈥
Shadow Profiles
In 2015, reported that Facebook secured a patent that would allow banks to determine a potential borrower鈥檚 creditworthiness by analyzing the credit ratings of the individual鈥檚 social media connections. If the average credit rating of the individual鈥檚 friends happened to be below the minimum credit score, the individual鈥檚 application would be rejected 鈥 even if that person had good credit. Fortunately, Facebook decided against proceeding with the project.
Facebook also creates 鈥渟hadow profiles鈥 based on the information provided by an individual鈥檚 friends. For example, let鈥檚 say you鈥檙e a Facebook user, but you鈥檝e given the company the email address you use for junk mail, and you鈥檝e never supplied other information, such as your phone number.
However, if your friends have ever used Facebook鈥檚 鈥渇ind friends鈥 feature and allowed Facebook to scan their mobile phone contacts, all of this information is stored on Facebook鈥檚 servers. In other words, Facebook may have all of your email addresses and phone numbers stored in a shadow profile.
Facebook isn鈥檛 alone in this practice. One day, M. Forrest Abouelnasr was exchanging emails with a friend, and the friend switched to his business address. A few days later, when Abouelnasr was on LinkedIn, he noticed that this friend鈥檚 name popped up as someone he may know and want to connect with 鈥 although the two were already LinkedIn connections.
Abouelnasr realized that LinkedIn assumed the new email address belonged to a different person who didn鈥檛 have a LinkedIn account, and he wanted to know how LinkedIn was able to track his email contacts. In his , Abouelnasr shares the transcript of his conversation with LinkedIn鈥檚 customer service department.
When I contacted Abouelnasr about his experience, he told me at first, the rep erroneously stated that if a user had LinkedIn open and also had their mail server open (Gmail, Yahoo, etc.), LinkedIn would grab those email contacts. 鈥淭his is impossible, and the company representative later corrected the mistake, saying that instead what the company actually does is collect a user鈥檚 smartphone contacts when the LinkedIn app is installed on their smartphone.鈥
How many users upload their contacts to various apps without stopping to consider that their friends and colleagues may not want their personal information exposed to a third-party? How many users stop to obtain permission?
But is it really such a big deal that LinkedIn, Google, Facebook and other companies are collecting information on people from their friends and without their knowledge? Mayer said he believes it is a big deal. 鈥淚n terms of trustworthiness 鈥 which is a core ethical value to most people, and even to many corporations striving to be more ethical 鈥 this is not an entirely straightforward process,鈥 he said. Also, Mayer stresses that companies don鈥檛 really explain what they intend to do with the information.
Among other things, we now know that companies sell information to data brokers. A CBS News revealed that Acxiom, the largest data broker, has roughly 1,000 tidbits of data on over 200 million Americans. On top of that, Acxiom 鈥 along with thousands of other data brokers 鈥 sells various types of lists to other companies. Some of these lists might include people with gambling habits, gun owners, members of LGBT organizations, or patients with specific medical conditions. These groupings, and an assortment of other information, help advertisers market to specific individuals. But not all of the information is used for advertising. The information is also sold to insurance companies, banks, hospitals, schools and other organizations to help them make risk assessments.
This brings us back to the weakest link: You can take every conceivable precaution to protect your privacy, but be advised that it only takes one friend or colleague 鈥 through sheer carelessness, willful ignorance, the desire for convenience or the lure of a job 鈥 to create a vulnerability that companies can, and will, exploit.
August 18, 2016
鈥淚f you鈥檙e not paying for the product, you are the product.鈥 This phrase has been a popular way to describe the tradeoff we make for utilizing the many free and convenient services available online. While many consumers try to fiercely guard their personal information, it would appear that these attempts are in vain. You鈥檙e only as strong as your weakest link, and every friend or colleague is a potential chink in your armor.
Contacts For Hire
For example, in the past few years, companies began checking the social media profiles of job candidates and employees 鈥 in fact, reported on this trend as far back as 2012. This practice is illegal in a handful of states. However, according to 2016 data from the , some legislation designed to protect job seekers and workers failed in seven states this year, and also failed in 10 states last year. (Legislation is either pending or it has not been introduced in several other states.)
Here鈥檚 the problem with checking social media profiles. Some companies aren鈥檛 just performing a cursory search; they鈥檙e asking for login and password information so they can see everything. In fact, some online job applications won鈥檛 allow individuals to even submit their applications unless they have authorized social media access and provided their usernames and passwords.
If that type of access is downright illegal in some states, isn鈥檛 it at least unethical in the rest of the country? I asked several experts to weigh in on this subject.
According to Tim Sackett, a human resources and recruiting talent pro as well as the president of HRU Technical Resources, most employers are scouring the internet before they make a hiring decision 鈥 whether they tell you or not. 鈥淚 would rather an employee just tell me this is part of the deal - plus, many candidates have their profiles locked down, so if you don't give me access, there is nothing to see,鈥 Sackett said. And he added that 鈥渘othing to see鈥 can be a red flag that causes an employer to question what that person may be trying to hide.
However, from an ethical standpoint, Sackett explained that whether asking for social media login information is right or wrong depends on factors such as the employer, the clients, and the company鈥檚 culture. 鈥淭he answer is to work for a company that doesn鈥檛 have issues with your vices,鈥 said Sackett. 鈥淚f you like to party and post pics with your drunken friends on Saturday night, work for a company that is cool with that. If you and your friends like to dress up like Hello Kitty on your off time, work for a company that is cool with that.鈥
Almost half of the companies in a recent survey by the Society of Human Resource Management admit to using social media to screen applicants, and one-third report that they have disqualified applicants based on the information they found.
Jonathan Westover, associate professor of Organizational Leadership in the Woodbury School of Business at Utah Valley University and a human resource management consultant, agrees that companies are probably looking for red flags. 鈥淲ill the applicant embarrass the company? Are they engaged in behaviors that might lead to poor performance? Hiring managers want to know this before they make a decision.鈥
And Westover thinks it鈥檚 possible that companies are also looking for a strong professional network 鈥 especially in highly-skilled or managerial jobs. 鈥淭hey may leverage candidates with strong networks, such as LinkedIn, in the recruitment and headhunting of other highly-skilled potential workers (for example, in the high tech industry).鈥 But Westover said there are still underlying privacy issues 鈥 and he thinks that this type of access can be abused and used for other purposes.
One of the major concerns is how this information is used, according to Don Mayer, J.D. chair of the Department of Business Ethics and Legal Studies, and professor-in-residence at the Daniels College of Business at the University of Denver. He questions the ethics of this practice because the candidate or employee is not given the opportunity to explain any information or associations that the company may consider to be derogatory.
鈥淢otives may vary, but I鈥檓 not clear on what criteria companies would use to disqualify someone because of their contacts, or because of comments made to friends on social media,鈥 Mayer said. Are psychologists hired to do some sort of psych-analysis of patterns and 鈥榣ikes鈥 from Facebook?鈥
The possibility of disqualifying a candidate based on their list of friends is a serious ethical issue to Karen Young, SPHR, of HR Resolutions. 鈥淚鈥檓 concerned that all of a sudden, a company鈥檚 鈥榲alid business reason鈥 for not hiring an applicant is because someone looked at their Facebook page and saw that some their connections include LGBT, Hispanic and African American friends.鈥
Also, Young believes the social media access requirement may reduce the number of qualified people that would actually complete the application process.
There are other ethical issues regarding this requirement, according to Kate Jones, a partner in the鈥 Kutak Rock law firm. 鈥淧roviding your social media credentials to a potential employer may not only infringe on your privacy, but also the privacy of your friends and contacts on social media,鈥 Jones said.
Jones also explained that when applicants share their login credentials, they鈥檙e making a conscious decision to do so. 鈥淏ut your friends and contacts on social media do not have an opportunity to make that choice.鈥 Jones said they might have chosen to share certain information only with certain friends and contacts. 鈥淪haring your login credentials may affect your friends鈥 privacy,鈥 she warned.
But should the bulk of the ethical blame rest on the job seeker or the potential employer? After all, no one is forcing applicants to agree to these terms. They can choose to terminate the application process and seek employment elsewhere. But is that a realistic expectation?
Keith Swisher, ethics consultant at Swisher P.C., thinks it鈥檚 an abuse of the potential employer鈥檚 power. 鈥淧eople need jobs, and employers should not exploit that need by, for example, requiring access to private communications.鈥 Regarding employees, Swisher says, 鈥淧erformance interviews, probationary periods or on-the-job observations would provide far more accurate and less intrusive information than the screening of private, out-of-office communications and associations.鈥
Shadow Profiles
In 2015, reported that Facebook secured a patent that would allow banks to determine a potential borrower鈥檚 creditworthiness by analyzing the credit ratings of the individual鈥檚 social media connections. If the average credit rating of the individual鈥檚 friends happened to be below the minimum credit score, the individual鈥檚 application would be rejected 鈥 even if that person had good credit. Fortunately, Facebook decided against proceeding with the project.
Facebook also creates 鈥渟hadow profiles鈥 based on the information provided by an individual鈥檚 friends. For example, let鈥檚 say you鈥檙e a Facebook user, but you鈥檝e given the company the email address you use for junk mail, and you鈥檝e never supplied other information, such as your phone number.
However, if your friends have ever used Facebook鈥檚 鈥渇ind friends鈥 feature and allowed Facebook to scan their mobile phone contacts, all of this information is stored on Facebook鈥檚 servers. In other words, Facebook may have all of your email addresses and phone numbers stored in a shadow profile.
Facebook isn鈥檛 alone in this practice. One day, M. Forrest Abouelnasr was exchanging emails with a friend, and the friend switched to his business address. A few days later, when Abouelnasr was on LinkedIn, he noticed that this friend鈥檚 name popped up as someone he may know and want to connect with 鈥 although the two were already LinkedIn connections.
Abouelnasr realized that LinkedIn assumed the new email address belonged to a different person who didn鈥檛 have a LinkedIn account, and he wanted to know how LinkedIn was able to track his email contacts. In his , Abouelnasr shares the transcript of his conversation with LinkedIn鈥檚 customer service department.
When I contacted Abouelnasr about his experience, he told me at first, the rep erroneously stated that if a user had LinkedIn open and also had their mail server open (Gmail, Yahoo, etc.), LinkedIn would grab those email contacts. 鈥淭his is impossible, and the company representative later corrected the mistake, saying that instead what the company actually does is collect a user鈥檚 smartphone contacts when the LinkedIn app is installed on their smartphone.鈥
How many users upload their contacts to various apps without stopping to consider that their friends and colleagues may not want their personal information exposed to a third-party? How many users stop to obtain permission?
But is it really such a big deal that LinkedIn, Google, Facebook and other companies are collecting information on people from their friends and without their knowledge? Mayer said he believes it is a big deal. 鈥淚n terms of trustworthiness 鈥 which is a core ethical value to most people, and even to many corporations striving to be more ethical 鈥 this is not an entirely straightforward process,鈥 he said. Also, Mayer stresses that companies don鈥檛 really explain what they intend to do with the information.
Among other things, we now know that companies sell information to data brokers. A CBS News revealed that Acxiom, the largest data broker, has roughly 1,000 tidbits of data on over 200 million Americans. On top of that, Acxiom 鈥 along with thousands of other data brokers 鈥 sells various types of lists to other companies. Some of these lists might include people with gambling habits, gun owners, members of LGBT organizations, or patients with specific medical conditions. These groupings, and an assortment of other information, help advertisers market to specific individuals. But not all of the information is used for advertising. The information is also sold to insurance companies, banks, hospitals, schools and other organizations to help them make risk assessments.
This brings us back to the weakest link: You can take every conceivable precaution to protect your privacy, but be advised that it only takes one friend or colleague 鈥 through sheer carelessness, willful ignorance, the desire for convenience or the lure of a job 鈥 to create a vulnerability that companies can, and will, exploit.