
Privacy Doghouse: City of Bozeman, MT

Update: Jules Polonetsky at The Future of Privacy Forum wonders "Could Bozeman Montana city officials be prosecuted for Facebook snooping?"

Well, well, well. My adopted home state is in the news late this week, and for good reason. Apparently the geniuses at town hall in Bozeman decided that, as part of their "background check," they would not only ask what sites people were on, but also what their usernames AND passwords were (see good aggregation of media coverage here). While I can certainly understand and appreciate a desire to compel full disclosure of online activities that may negatively impact the city, this is clearly a case of people just not understanding fundamental privacy practices.

Do they also request house keys?

Perhaps the best concrete example I can give to demonstrate how ridiculous this request is would be this: asking for the username and password to social networking sites is akin to asking me for my house keys with the intent to search my home. In no uncertain terms, the City of Bozeman is completely out of line for requiring such access to make a hiring decision. While the extent to which this information might be used is unclear, one need only be reminded of anti-discrimination (EOE) hiring laws to see the slippery slope.

More disconcerting to me is the notion that someone thinks they actually need this level of personal, private information to make a hiring decision. If you cannot get a good read off of an in-person interview or two, plus a decent background check, then you probably shouldn't be in a position to hire people.

Do they request permission to access?

Behind the initial visceral reaction, my next thought is whether or not the applicant signs an agreement authorizing the City of Bozeman to actually access those accounts. I'm no lawyer, but it seems to me that simply having the login information is neither implicit nor explicit consent to then access that account. It might be a fine bone of contention, but I think it's an important distinction to draw. In the New School of Privacy, authorization is as important, if not more important, than access itself.

Have they heard of "Google"?

This is, I think, the big "duh" question: why do they need this information disclosed? Forget about the username/password request, why do they need an applicant to tell them what accounts they have? A simple Google search on various combinations of a person's name should be more than adequate. If you can't figure out who someone is from Googling, then there's a good chance only their friends are going to know who they are.

I have to believe that the city is being driven by some sort of liability concern, but there are clearly better ways to tackle this beast.

Who performs their background checks?

One question I have is on the background check itself. Is the city performing one on its own, or have they outsourced it to a 3rd party (which seems more likely)? If they're performing one on their own, then I would suggest they outsource to a professional agency. I realize there is a cost consideration here, but let's get serious for a moment and realize that the background check should only be run on candidates who have accepted an offer, not on every applicant. This cost should be straight-forward to control.

If the city is already outsourcing to a 3rd party, then I'm really curious, because this agency should be able to find public info about the applicant already. Did they ask for this other information? Somehow I doubt it...

How are these forms protected?

The more blatant question is how the data is protected once gathered, along with the question of whether this reflects how they handle sensitive data in general. I'm not going to go into the concerns because they're obvious and over-discussed already, but it's a valid question to be asked.


How dumb can you get? Was this decision made without consulting the city attorney? Is there adequate justification? This situation strikes me as someone going a bit too far in what they perceive as their "job" around "due diligence." Hopefully they'll retract their app and come to grips with reality.



Comments (1)

Remind me never to work for the City of Bozeman.

Your point about Google is spot-on. My company did a very thorough background check before my hiring; in fact, the 3rd party agent was on the phone with me when he found my website. Both he and the HR department looked over all the public faces I have out there, which is fine and more power to them, but I doubt it had much to do in my hiring decision (besides any obvious red flags).

Frankly, my company knows what I have out there and they don't care, because it's my personal life. I'd say that anyone who won't treat you the same as an employee deserves to be passed over.

(with the exception of employment that has "reputation, public and private" as a requirement to its qualifications, such as that of a politician, etc.)



This page contains a single entry from the blog posted on June 19, 2009 4:26 PM.


This weblog is licensed under a Creative Commons License.