Hypercrit

The City of Bozeman privacy fiasco is over. Last week — after a media storm that brought a sledgehammer of bad publicity down on the city — Bozeman suspended its policy of asking job candidates for Web usernames and passwords on its background check form. At its regular meeting Monday, the city commission formally terminated the policy.

In an editorial on Thursday, the Bozeman Daily Chronicle praised the city for admitting its mistake and correcting it. “The policy was a bad one, no doubt about it,” the newspaper wrote. “We get it, and our elected officials get it. Now let’s move on. Certainly, there are more important issues facing this community.”

I hang on that last sentence every time I read the editorial. More important issues facing the Bozeman area? Sure:

• A block of downtown remains in ruins after a gas explosion in March. No one’s sure who to blame. Many downtown property owners were underinsured. People are criticizing the gas company’s response. A handful of people lost their homes. Bozeman’s downtown may never recover.
• Some residents are concerned about the appearance of gravel pits in the county, which have been used to support the area’s — until recently — booming growth. The pits degrade property values and require relatively little government oversight.
• The city bought a historical mansion for millions of dollars and is spending more money to restore it, citing some vague plan for renting it out for private and public events.
• The local housing market is crashing and, along with it, the local construction industry. The bubble-burst is revealing just how hollow the area’s economy has been during the recent boom times.

Surely there are crime, agricultural, environmental, wildlife and outlying community issues too, though I don’t know enough to mention them.

The fact that only two residents came to the city commission meeting to speak about the privacy fiasco might also be an indicator of how (un)important the issue was to the city. Oh, and only one of those speakers stayed on topic, according to the Chronicle’s report.

What happened? Thousands of people railed against the policy from Wednesday night through Monday, yet only two people came out to speak?

It’s possible the issue was overhyped. But I don’t think you can put too much hype on an illegal policy enacted by taxpayer-funded city employees. Actions like that need to be exposed to the cold air of public opinion, enough cold air that the actions shrivel, turn brown and die.

No, hype was not the problem. The problem was that this was really only an issue for the people who use computers and social networking regularly. This was a Web issue. Regular citizens, who might not spend as much time online as the rest of us, weren’t as concerned. “Well, I don’t use those sites, so what do I care?” one of these people might say.

And it does seem like a small matter, especially to the offline crowd, until you realize that small violations of our rights like this can lead to larger violations later. The social networking password thing stayed on that city form for several years before someone found it invasive enough to mention it to the local news media. If the anonymous tipster had decided not to send that e-mail, the policy would still be in effect today.

And when the city can get away with putting an illegal policy on one form — moreover, a policy that most people don’t even know is illegal — then what will stop them from doing it again, from finding another way to invade citizens’ privacy?

Sure, this particular policy was enacted by people who were ignorant of the big picture, people unaware of how that particular column on a city form violated law and abstracter principles that a lot of people think are vital to privacy and liberty.

Sure, the city form was probably written by people who thought they were doing the best thing for the community. I can understand. After all, they must have reasoned, people can be very different online than in person, and it would be good to get a glimpse of that online life to make sure the candidate is not secretly a mass murdering, gay-hating child molester who happens to post items depicting those lifestyle choices to their Facebook profile.

What’s that you say? That sort of information is mostly password-protected? Well, let’s just ask for the passwords. If they really want the job, they’ll give up the information, right? Otherwise, they must have something to hide, and that’s not the kind of person we want working for Bozeman anyhow.

Privacy and rights violations start innocently enough, but once you get away with something, you often try to get away with it again, or get away with something worse. That kind of escalation can be dangerous, especially when it happens in government.

The city now says that the password field on the background check form was not required. Yet the form doesn’t say which fields are optional and which ones are required. It makes no distinction. By that logic, all forms on the field are optional, and by extension, the whole form is optional.

But of course, it’s not really optional, is it? Law requires that public employees go through a background check, so we must work our logic backward. If the check is required, then the form is required; and since no field on the form is indicated to be optional, then all fields must be required. Hence, the city was requiring people to give up their online passwords.

Even without the laws requiring background checks, the form would still be required, at least in the mind of the applicant. If a potential employer gives you a form to fill out and you don’t, that makes a statement, doesn’t it? In fact, withholding information during a job interview process casts doubt on the applicant and decreases his chances for getting the job.

So Bozeman job applicants, probably desperate for a job in these harder than normal times, filled out whatever forms the city put in front of them, thinking it better to comply than to be eliminated from consideration. That seems like extortion to me, and it seems like something we can’t just move on from.

In fact, I would ask the local media and the City of Bozeman itself to begin an in-depth review of every city document to ensure that the city isn’t asking inappropriate questions on any other forms. This situation has shown us that without public oversight, either by concerned citizens or the media or the blogosphere, governments will step over the line, purposefully or not. We need to watch out. Let’s start now.

Okay, not much to say on this post. Just experimenting with Posterous for the first time. We’ll see what turns up as time goes on.

Posted via web from Hypercrit

In case you haven’t yet heard, the City of Bozeman has rescinded the part of its background check form that asked for applicants’ passwords for social networking and other Web sites.

“The extent of our request for a candidate’s password, user name, or other Internet information appears to have exceeded that which is acceptable to our community,” City Manager Chris Kukulski said in a statement released Friday afternoon.

As of noon on June 19, the city has stopped asking job candidates for their usernames and passwords, and until further notice, the city has suspended its practice of peeking at applicants’ password protected Web information “until the City conducts a more comprehensive evaluation of the practice.” In essence, they won’t snoop using the passwords they have already collected until they talk about it some more.

The city commission will discuss the matter at its meeting Monday night at 6 in the commission room at city hall, 121 N. Rouse Ave. The agenda is scant on details as to just what the commission will discuss, but at least they’re talking about it now.

According to KBZK’s afternoon update, Bozeman city attorney Greg Sullivan said he had met with the city’s human resources department and that “the matter is being discussed.” Reporter Dan Boyle’s report goes on to say:

Officials said they are looking into the legality of the requirement. They also said they are looking into Facebook’s policies.

City Manager Chris Kukulski said the city stands by its background check policy. He told KBZK that “it’s important for judging the character of future police, firemen and other employees.”

Kukulski told the Bozeman Daily Chronicle that “the city checks the sites in order to ensure that employees who might be handling taxpayer money, working with children in recreation programs or entering residents’ homes as an emergency services worker are reputable and honest.”

Assistant City Manager Chuck Winn told CBSNews.com, “Before we offer people employment in a public trust position we have a responsibility to do a thorough background check… This is just a component of a thorough background check.”

Winn went on to tell CBS:

“Shame on us if there was information out there available about a person who applied for a job who was a child molester or had some sort of information out there on the Internet that kind of showed those propensities and we didn’t look for it, we didn’t ask, and we hired that person,” Winn said. “In many ways we would have let the public down.”

Winn told CBS that applicants are not required to supply their usernames and passwords, but that there would be repercussions if applicants or employees lied or were deceitful during the hiring process.

Winn said a police officer logs in to check on the social networking sites of people applying for public safety jobs, police and fire. For other jobs, the city’s human resources department logs in.

Winn told the Chronicle that “it’s not about taste or anything” and that “in at least one instance, an applicant’s social-networking site figured into disqualifying the person for a job.” Police Chief Mark Lachapelle told the Chronicle that information from the site (Facebook, I presume) was one component that contributed to the decision. He declined to discuss the case more specifically, citing privacy concerns.

From the CBS article:

Bozeman’s Winn said the city does not want to be the “taste police” and is focused on looking for evidence of illegal activity. “They can log in themselves,” he said. “If not, they can show us what’s on their face page. ‘Yes, I have a face page but I don’t want to show it to you.’ That’s a fine answer. We’ll use other resources out there to do a through background check. We owe it to the public.”

The Associated Press also spoke to Bozeman City Commissioner Jeff Rupp, who said that he was “unaware local officials had implemented the policy, and expects the city commission will be talking about it. But Rupp said it is not as bad as it sounds, since applicants are not scored negatively for refusing to answer the question.”

Rupp told the AP: “I can tell you I would not provide it in an application I submit. […] I have been told repeatedly it is not scored, and the application is not discarded if not provided.”

The AP also spoke to state Rep. Brady Wiseman (D-Bozeman):

Rep. Brady Wiseman, a Bozeman Democrat, led the state’s fight against the Patriot Act when the Legislature issued a harsh critique of the federal act, arguing it trampled civil liberties and put the government into a position of snooping on citizens.

Wiseman said Bozeman now is going too far.

“Asking for passwords is over the line,” Wiseman said. “I think that this notion opens up a whole new line of debate on privacy.”

CBS also got a comment from an attorney for the Electronic Frontier Foundation:

“I think its indefensibly invasive and likely illegal as a violation of the First Amendment rights of job applicants,” said Kevin Bankston, an EFF attorney. “Essentially they’re conditioning your application for employment on your waiving your First Amendment rights … and risking the security of your information by requiring you to share your password with them… Where does it stop? How about a photocopy of your diary?”

The Bozeman Daily Chronicle’s story had these comments from the executive director of the Montana ACLU, Scott Crichton:

I would guess that they’re on some shaky legal ground with this and we would certainly welcome (the opportunity) to look at something specific from somebody who’s impacted. […] It’s like saying, ‘Let me look through your e-mails.’ […] The city certainly has access to publicly accessible information, but it gets pretty questionable when they start asking for password-protected things that are created to create privacy for communications between your friends and family,” he said. “That seems to be going too far.

The AP spoke to someone else at the ACLU, Amy Cannata:

“I liken it to them saying they want to look at your love letters and your family photos,” said Amy Cannata, with the American Civil Liberties Union of Montana. “I think this policy certainly crosses the privacy line.”

[…]

Cannata, with the ACLU, said her organization has not found another government body that asks for such information. And even though the ACLU has not done a full legal analysis, she said the Bozeman policy doesn’t pass the smell test.

“It’s one thing, and I think totally reasonable, if someone has a public profile to go check it out,” Cannata said.

But private groups and profile could reveal information employers could not legally base hiring decisions on, such as a person’s religion, she added.

“Are they going to go in and look at those things?” Cannata said. “And even if they don’t intend to look at those things, it’s still there for them to see.”

Boyle’s story also said that the city has heard from reporters from National Public Radio, Fox News, CBS and ABC. E-mails were reportedly coming into the city’s accounts at a rate of one each minute from around the world. Web sites like Read-Write Web, Slashdot, CNET, InternetNews.com, The Inquisitr, Ars Technica, Boing Boing, PC Authority, PerezHilton.com and Computer World picked up the story, and the British newspaper The Guardian named Bozeman its privacy villain of the week.

Facebook’s response was posted to an article by Cade Metz in The Register. From Metz’s article:

Facebook is not pleased with the Bozeman situation and plans to contact the City. “This is a violation of Facebook’s Statement of Rights and Responsibilities, which received feedback from users and was ultimately approved in a site-wide vote,” the company tells us. “Our policies prohibit those who use the service from soliciting login information or accessing an account that belongs to someone else. In addition to violating Facebook’s policies, we think this practice violates personal privacy, and we plan to reach out to the City of Bozeman to discuss it with them.”

Ars Technica writer John Timmer noted that the city’s invasion of privacy is ironic, considering the city’s own comprehensive privacy policy on its Web site.

This is especially ironic given that Bozeman’s website has an extensive privacy policy that indicates a significant familiarity with some of the major issues that have cropped up regarding the retention and security of information entrusted to websites.

Timmer concludes his write-up with a good point:

It’s probably safer to ascribe this sort of behavior to cluelessness rather than malice. But the cluelessness is apparently a two-way street, as Sullivan indicated that nobody has objected to the city’s request for login credentials.

Lisa Hoover at Computer World:

It’s not about having anything to hide — because I don’t. It’s about a fundamental right to privacy and the expectation that what I do behind the walls of a passworded site is between me and a Web server. I fully grasp that any time you do something online, you run the risk it will become public information even you think it won’t happen. I’ll be darned, though, if I would willingly turn over the keys to my Internet existence to a random person when there isn’t even the guarantee of a job in return.

A writer at DaniWeb points out that judges have, in some cases, ruled that violating a Web site’s terms of service is an illegal act.

In addition to the privacy aspects—which would enable city employees to post items under the applicant’s name, and make or delete friends—some social networking sites consider passing on passwords to be a violation of their terms of service, which some judges have ruled is a criminal act.

Steven Hodson at The Inquisitr writes:

I can totally understand the City’s desire to protect the integrity of its employees but this kind of invasion is no different than them asking for the keys to your home and coming in whenever they feel like it. Sure it’s plausible to defend this requirement for any public social media accounts – but then they wouldn’t need the passwords – however when it comes to any accounts that we have made private they have no business asking for this information, let alone making it a requirement for a job.

As I’ve already written today, the City of Bozeman, Montana, has been doing some questionable stuff when it comes to background checks on job applicants. The city has asked applicants for the usernames and passwords to their social media accounts for “three or four years,” the city attorney told KBZK news on Wednesday.

The news spread from KBZK to Boing Boing and then to other news sites and blogs. And of course thousands of people fanned the fire on Twitter. (I was among them.) Now, KBZK is reporting that the city’s receiving an “e-mail a minute” about the matter, including my own. I was even interviewed by the television station for the follow-up story they’re working on, and I understand that the newspaper will have a full story tomorrow.

I won’t get into the issues in-depth; I’ll save that for a post later tonight. I do want to point to that e-mail-a-minute figure as an example of what can happen when social media kicks into high gear. I started posting about this fiasco at about 10:30 last night, and many, many people joined in — more people from more places around the country than I honestly thought would join in.

As a result, the city is “looking” at their policy, which I think means that we’ll see some changes soon, at least some heavy explanation and maybe even some backpedaling. Whatever the outcome, I think we can say that social networks and their users had an effect on the real world today, an effect I hope makes Bozeman a better place to work.

More to come.