According to the press release :

Effective at 12:00 p.m. today, Friday June 19, 2009, the City of Bozeman permanently ceased the practice of requesting candidates selected for City positions under a provisional job offer to provide user names and passwords for the candidate’s internet sites.

They said in a memo to the mayor and city commission that it was an honest mistake and that they believed it was consistent with their core values. I believe them. And I give them some credit for realizing the severity of the situation they created for themselves and acting quickly to fix it.

But they still don’t get it. City Manager Chris Kukulski made a point that only certain staff had access. They still don’t appear to understand the risks associated with asking for that information, using it or securing it. Which brings me to…

After reading the press release and the memo I was also concerned that they were still not addressing how the information they already have on hand is stored and secured, but that concern is addressed in the video of the press conference (WMV) with City Manager Chris Kukulski.

“Yes, that is protected, confidential information and it is held in the same cabinet, in the same information where all other protected human resource or personnel items are.”

The information is safe in the cabinet. I guess I’m relieved. But I hope it’s a sturdy cabinet.

Ars Technica reports that the city of Bozeman, Mont. is asking job applicants for their user names and passwords to all web services and communities in order to perform pre-employment screening.* Applicants are required to sign a form that says:

“Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.”**

This is a monumentally bad idea.

Under U.S. law, employers must not discriminate against members of several protected classes. Having direct access to a prospective employee’s account gives access to a limitless supply of risky information.

Everything is connected.

You can use your Google, Yahoo or Facebook*** account with to log in to countless web sites, so even if the city of Bozeman isn’t explicitly asking for access, they would have the credentials to access a mind-boggling amount of personal information.

Let’s say you apply for a job and give your prospective employer your Google login information. That gives them access to your e-mail, including access to any correspondence with other prospective employers, your chat history, your search history, your image library, your calendar, your address book, the RSS feeds you subscribe to, the locations you’ve mapped, your health information,**** administrative control of your blog, your news alerts….

There’s no end to the number of ways that one account could be abused. The city of Bozeman wants access to all your accounts.

“One thing that’s important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don’t use those,” city attorney Greg Sullivan told KBZK. We don’t use those? I’d like to hear how that argument stands up when the first discrimination suit is filed.

That’s not all.

Bozeman is asking for access to current business web sites as well. Can they really be asking applicants who are employed elsewhere to give the city access to their company business systems? If they are, then the the city is selecting employees based in part on their willingness to violate their employment agreements and provide unauthorized access to confidential business information.

According to KBZK, city attorney Sullivan said that no one has ever removed his or her name from consideration for a job due to the request. It appears that the city of Bozeman wants to hire people who are absolutely clueless about data privacy and no regard for confidentiality — and put them in charge of protecting applicants’ login data.

This can’t end well.

But wait, there’s more.

There’s nothing on the form to suggest that the city of Bozeman is asking for passwords to access to online banking or other financial data, but by asking for account data like Google and Yahoo that gives access to e-mail, they’re essentially asking for the ability to obtain personal financial data. With access to e-mail, someone can take over your bank account and transfer your funds elsewhere before you realize what’s happening.

But let’s assume for a moment that all city employees are beyond reproach. By compiling user names and passwords, they’re creating a honey pot for identity thieves. Let’s hope the city of Bozeman has world-class data security programs in place***** because that much personal information is sure to attract unwanted attention.

I have to stop. I’m stunned by the staggering lack of judgment behind the city of Bozeman’s decision and the potential spiderweb of unintended consequences.

Photo credit: Mirko Macari

1. * Local TV station KBZK broke the story. The Associated Press has picked it up as well.
2. ** Heh. Three lines for any and all logins. Three pages, maybe?
3. *** Among others. I wonder if they’re asking for OpenID credentials as well.
4. **** Assuming anyone actually uses Google Health. Bear with me. I’m making a point.
5. ***** I know this is a stretch, since it appears that the city only wants to hire rubes who don’t know or care about privacy or data security.