

Privacy disaster in the making

Ars Technica reports that the city of Bozeman, Mont. is asking job applicants for their user names and passwords to all web services and communities in order to perform pre-employment screening.* Applicants are required to sign a form that says:

“Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.”**

This is a monumentally bad idea.

Under U.S. law, employers must not discriminate against members of several protected classes. Having direct access to a prospective employee’s account gives access to a limitless supply of risky information.

Everything is connected.

You can use your Google, Yahoo or Facebook*** account to log in to countless web sites, so even if the city of Bozeman isn’t explicitly asking for access, they would have the credentials to access a mind-boggling amount of personal information.

Let’s say you apply for a job and give your prospective employer your Google login information. That gives them access to your e-mail, including access to any correspondence with other prospective employers, your chat history, your search history, your image library, your calendar, your address book, the RSS feeds you subscribe to, the locations you’ve mapped, your health information,**** administrative control of your blog, your news alerts….

There’s no end to the number of ways that one account could be abused. The city of Bozeman wants access to all your accounts.

“One thing that’s important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don’t use those,” city attorney Greg Sullivan told KBZK. We don’t use those? I’d like to hear how that argument stands up when the first discrimination suit is filed.

That’s not all.

Bozeman is asking for access to current business web sites as well. Can they really be asking applicants who are employed elsewhere to give the city access to their company business systems? If they are, then the city is selecting employees based in part on their willingness to violate their employment agreements and provide unauthorized access to confidential business information.

According to KBZK, city attorney Sullivan said that no one has ever removed his or her name from consideration for a job due to the request. It appears that the city of Bozeman wants to hire people who are absolutely clueless about data privacy and have no regard for confidentiality — and put them in charge of protecting applicants’ login data.

This can’t end well.

But wait, there’s more.

There’s nothing on the form to suggest that the city of Bozeman is asking for passwords to access online banking or other financial data, but by asking for account data like Google and Yahoo that gives access to e-mail, they’re essentially asking for the ability to obtain personal financial data. With access to e-mail, someone can take over your bank account and transfer your funds elsewhere before you realize what’s happening.

But let’s assume for a moment that all city employees are beyond reproach. By compiling user names and passwords, they’re creating a honey pot for identity thieves. Let’s hope the city of Bozeman has world-class data security programs in place***** because that much personal information is sure to attract unwanted attention.

I have to stop. I’m stunned by the staggering lack of judgment behind the city of Bozeman’s decision and the potential spiderweb of unintended consequences.

Photo credit: Mirko Macari

Notes:
  1. * Local TV station KBZK broke the story. The Associated Press has picked it up as well.
  2. ** Heh. Three lines for any and all logins. Three pages, maybe?
  3. *** Among others. I wonder if they’re asking for OpenID credentials as well.
  4. **** Assuming anyone actually uses Google Health. Bear with me. I’m making a point.
  5. ***** I know this is a stretch, since it appears that the city only wants to hire rubes who don’t know or care about privacy or data security.

Posted in identity.



10 Responses


  1. Brian says

    Yeah, Bozeman just reaped a huge harvest of PR nightmare.

  2. Mick says

    Now THIS really is worthy of Bozeman.

  3. Staci Busby says

    I’m willing to bet they have no idea what can of worms they opened…

    • Glen says

      If they didn’t before, they sure do now that AP picked up the story.

      • Staci Busby says

        Yes, a tough lesson.

        • Glen says

          What were they thinking?

          • Staci Busby says

            Doesn’t sound like they were thinking.

  4. Jenna says

    Pretty good post. I just found your site and wanted to say that I have really enjoyed browsing your posts. Anyway, I’ll be subscribing to your feed and I hope you write again soon!

Continuing the Discussion

  1. Update: Bozeman backs down on password requests | Glen Turpin: The Identity Question linked to this post on June 24, 2009

    [...] But they still don’t get it. City Manager Chris Kukulski made a point that only certain staff had access. They still don’t appear to understand the risks associated with asking for that information, using it or securing it. Which brings me to… [...]


