August 18, 2016

“If you’re not paying for the product, you are the product.” This phrase has been a popular way to describe the tradeoff we make for utilizing the many free and convenient services available online. While many consumers try to fiercely guard their personal information, it would appear that these attempts are in vain. You’re only as strong as your weakest link, and every friend or colleague is a potential chink in your armor.

Contacts For Hire

For example, in the past few years, companies began checking the social media profiles of job candidates and employees – in fact, Mashable reported on this trend as far back as 2012. This practice is illegal in a handful of states. However, according to 2016 data from the National Conference of State Legislatures, some legislation designed to protect job seekers and workers failed in seven states this year, and also failed in 10 states last year. (Legislation is either pending or it has not been introduced in several other states.)

Here’s the problem with checking social media profiles. Some companies aren’t just performing a cursory search; they’re asking for login and password information so they can see everything. In fact, some online job applications won’t allow individuals to even submit their applications unless they have authorized social media access and provided their usernames and passwords.

If that type of access is downright illegal in some states, isn’t it at least unethical in the rest of the country? I asked several experts to weigh in on this subject.

According to Tim Sackett, a human resources and recruiting talent pro as well as the president of HRU Technical Resources, most employers are scouring the internet before they make a hiring decision – whether they tell you or not. “I would rather an employee just tell me this is part of the deal - plus, many candidates have their profiles locked down, so if you don't give me access, there is nothing to see,” Sackett said. And he added that “nothing to see” can be a red flag that causes an employer to question what that person may be trying to hide.

However, from an ethical standpoint, Sackett explained that whether asking for social media login information is right or wrong depends on factors such as the employer, the clients, and the company’s culture. “The answer is to work for a company that doesn’t have issues with your vices,” said Sackett. “If you like to party and post pics with your drunken friends on Saturday night, work for a company that is cool with that. If you and your friends like to dress up like Hello Kitty on your off time, work for a company that is cool with that.”

Almost half of the companies in a recent survey by the Society of Human Resource Management admit to using social media to screen applicants, and one-third report that they have disqualified applicants based on the information they found.

Jonathan Westover, associate professor of Organizational Leadership in the Woodbury School of Business at Utah Valley University and a human resource management consultant, agrees that companies are probably looking for red flags. “Will the applicant embarrass the company? Are they engaged in behaviors that might lead to poor performance? Hiring managers want to know this before they make a decision.”

And Westover thinks it’s possible that companies are also looking for a strong professional network – especially in highly-skilled or managerial jobs. “They may leverage candidates with strong networks, such as LinkedIn, in the recruitment and headhunting of other highly-skilled potential workers (for example, in the high tech industry).” But Westover said there are still underlying privacy issues – and he thinks that this type of access can be abused and used for other purposes.

One of the major concerns is how this information is used, according to Don Mayer, J.D. chair of the Department of Business Ethics and Legal Studies, and professor-in-residence at the Daniels College of Business at the University of Denver. He questions the ethics of this practice because the candidate or employee is not given the opportunity to explain any information or associations that the company may consider to be derogatory.

“Motives may vary, but I’m not clear on what criteria companies would use to disqualify someone because of their contacts, or because of comments made to friends on social media,” Mayer said. Are psychologists hired to do some sort of psych-analysis of patterns and ‘likes’ from Facebook?”

The possibility of disqualifying a candidate based on their list of friends is a serious ethical issue to Karen Young, SPHR, of HR Resolutions. “I’m concerned that all of a sudden, a company’s ‘valid business reason’ for not hiring an applicant is because someone looked at their Facebook page and saw that some their connections include LGBT, Hispanic and African American friends.”

Also, Young believes the social media access requirement may reduce the number of qualified people that would actually complete the application process.

There are other ethical issues regarding this requirement, according to Kate Jones, a partner in the
 Kutak Rock law firm. “Providing your social media credentials to a potential employer may not only infringe on your privacy, but also the privacy of your friends and contacts on social media,” Jones said.

Jones also explained that when applicants share their login credentials, they’re making a conscious decision to do so. “But your friends and contacts on social media do not have an opportunity to make that choice.” Jones said they might have chosen to share certain information only with certain friends and contacts. “Sharing your login credentials may affect your friends’ privacy,” she warned.

But should the bulk of the ethical blame rest on the job seeker or the potential employer? After all, no one is forcing applicants to agree to these terms. They can choose to terminate the application process and seek employment elsewhere. But is that a realistic expectation?

Keith Swisher, ethics consultant at Swisher P.C., thinks it’s an abuse of the potential employer’s power. “People need jobs, and employers should not exploit that need by, for example, requiring access to private communications.” Regarding employees, Swisher says, “Performance interviews, probationary periods or on-the-job observations would provide far more accurate and less intrusive information than the screening of private, out-of-office communications and associations.”

Shadow Profiles

In 2015, The Atlantic reported that Facebook secured a patent that would allow banks to determine a potential borrower’s creditworthiness by analyzing the credit ratings of the individual’s social media connections. If the average credit rating of the individual’s friends happened to be below the minimum credit score, the individual’s application would be rejected – even if that person had good credit. Fortunately, Facebook decided against proceeding with the project.

Facebook also creates “shadow profiles” based on the information provided by an individual’s friends. For example, let’s say you’re a Facebook user, but you’ve given the company the email address you use for junk mail, and you’ve never supplied other information, such as your phone number.

However, if your friends have ever used Facebook’s “find friends” feature and allowed Facebook to scan their mobile phone contacts, all of this information is stored on Facebook’s servers. In other words, Facebook may have all of your email addresses and phone numbers stored in a shadow profile.

Facebook isn’t alone in this practice. One day, M. Forrest Abouelnasr was exchanging emails with a friend, and the friend switched to his business address. A few days later, when Abouelnasr was on LinkedIn, he noticed that this friend’s name popped up as someone he may know and want to connect with – although the two were already LinkedIn connections.

Abouelnasr realized that LinkedIn assumed the new email address belonged to a different person who didn’t have a LinkedIn account, and he wanted to know how LinkedIn was able to track his email contacts. In his blog, Abouelnasr shares the transcript of his conversation with LinkedIn’s customer service department.

When I contacted Abouelnasr about his experience, he told me at first, the rep erroneously stated that if a user had LinkedIn open and also had their mail server open (Gmail, Yahoo, etc.), LinkedIn would grab those email contacts. “This is impossible, and the company representative later corrected the mistake, saying that instead what the company actually does is collect a user’s smartphone contacts when the LinkedIn app is installed on their smartphone.”

How many users upload their contacts to various apps without stopping to consider that their friends and colleagues may not want their personal information exposed to a third-party? How many users stop to obtain permission?

But is it really such a big deal that LinkedIn, Google, Facebook and other companies are collecting information on people from their friends and without their knowledge? Mayer said he believes it is a big deal. “In terms of trustworthiness – which is a core ethical value to most people, and even to many corporations striving to be more ethical – this is not an entirely straightforward process,” he said. Also, Mayer stresses that companies don’t really explain what they intend to do with the information.

Among other things, we now know that companies sell information to data brokers. A CBS News report revealed that Acxiom, the largest data broker, has roughly 1,000 tidbits of data on over 200 million Americans. On top of that, Acxiom – along with thousands of other data brokers – sells various types of lists to other companies. Some of these lists might include people with gambling habits, gun owners, members of LGBT organizations, or patients with specific medical conditions. These groupings, and an assortment of other information, help advertisers market to specific individuals. But not all of the information is used for advertising. The information is also sold to insurance companies, banks, hospitals, schools and other organizations to help them make risk assessments.

This brings us back to the weakest link: You can take every conceivable precaution to protect your privacy, but be advised that it only takes one friend or colleague – through sheer carelessness, willful ignorance, the desire for convenience or the lure of a job – to create a vulnerability that companies can, and will, exploit.

Terri Williams 
writes for a variety of clients including USA Today, Yahoo, U.S. News & World Report, The Houston Chronicle, Investopedia, and Robert Half. She has a Bachelor of Arts in English from the University of Alabama at Birmingham. Follow her on Twitter @Territoryone.