Michael Becker writes about journalism, new media and digital culture in general.

UPDATED City of Bozeman asks for online passwords for job applicant background checks

By Michael Becker | Published: June 18, 2009

This entry is part 1 of 18 in the series Bozeman Privacy Fiasco

A story from local CBS affiliate KBZK is generating a little ire this morning. It seems a concerned and anonymous e-mailer pointed out to the news station that the City of Bozeman, on its criminal background search consent form, asks applicants to list their personal and business Web sites, Web pages and any memberships to online social groups or chat rooms. This includes providing the city with usernames and passwords, presumably so city employees can log in and check to make sure you’re morally acceptable.

The story aired at 10 p.m. It may have aired at 5:30 p.m. too, but I wasn’t watching the new then. The point it, it’s spreading a bit on Twitter this morning and it was linked on Boing Boing last night.

UPDATE: Slashdot, Read/Write Web, and several other sites have picked up on the story too. There’s some lively commentary on all sites concerned, to say the least.

I went back to the KBZK site and watched the “uncut” version of the interview a reporter did with city attorney Greg Sullivan. I transcribed most of what Sullivan had to say. It’s pasted below.

Sullivan: “The city does that for several reasons. The primary reason is hat all the positions that the city hires and all the employees that we have, we view their work for the city as a public trust to uphold the public’s trust in what we do every day.

“So we have positions ranging from fire and police, which require people of high integrity to have those positions, all the way down to lifeguards and the folks that work at city hall here. So we do those types of investigations to make sure that the people that we have have the highest moral character and are a good fit for the city.”

At this point, Sullivan points out that there are city employees who were hired before the city began asking for social networking information on its criminal background check waiver. From what he understands, he said, the city began asking for that information three or four years ago, “as soon as those social networking sites became popular.”

The reporter reads the state constitution’s right to privacy clause and asks Sullivan to respond.

“The right of privacy applies to every single person in their daily lives in regard to state action in Montana. It’s one of the most important rights that we as individuals have. The city takes upholding those privacy rights incredibly seriously.

“So what we’re looking at here is a balance to that right to privacy with the needs that the city has to ensure that the employees that are brought on and that work for the city have the high level of integrity and will protect that public trust.

“What we’re doing is, essentially, we’re balancing the individual’s right of privacy with the need for the city to ensure that we have the best employees we can. In ensuring the privacy, we do that by the, background checks are one tool that we use, along with reference checks, the application itself, and some other things.

“That tool that we use [social network checks] only occurs when a provisional job offer is made. So we don’t do those investigations on the social networking sites at the beginning of the process, but only once we’ve gone through the entire interview process. We get to a point where they’re one of the final candidates, and we make a provisional job offer. Then we do that background check.

“The other important thing here is that prior to doing that actual investigation, we make sure that that person knows that we’re about to do that. And then they knowingly will consent to us doing search.”

The reporter notes that the anonymous e-mail that brought this to the station’s attention was no so much concerned about giving the city the addresses of social networking profiles. Instead, that person was more concerned about giving the city the usernames and passwords. Sullivan responds:

“In order for us to get access to the chosen candidate’s information, we need to be able to view their page. And so that’s the way we’ve chosen to go about doing it. As far as we know, there’s no other way to get into their specific Facebook page.

“One thing that’s important, too, is that once we ask for that password and we do the review, that password is protected. We don’t share that password with anybody. We keep it in a secure personnel file. And it never goes anywhere beyond that. So it’s kept private. We ensure that in this balancing of the public trust with our employees and the person’s privacy interest, we make sure that every step of the way we’re cognizant of protecting the privacy.

“One thing that’s important for people to understand about what we look for is that none of the things that the federal constitution or the state constitution lists as protected things, we don’t use those, we won’t gather information based on the person’s race, their age, their marital status, things like that. We don’t use those in our hiring decisions. What we’re looking for are very specific things that go toward that person’s character and their ability to uphold the public trust. It’s important for the public to understand, we’re looking for very specific information, not putting out this broad brush stroke of trying to find out all sorts of information about this person that we’re not able to use or shouldn’t use in the hiring process.”

Sullivan said that he had not heard of any employee getting that far into the application and interview process and then rejecting the provisional job offer because the city asked for his or her passwords.

He also said the city uses its investigations into a person’s social networking sites as “a source of character judgement” and he went on to look at only one example, police officer candidates:

“If a candidate is showing things in their past that were evidence of criminal behavior that would raise flags with us about whether that police officer would be a good candidate to protect the City of Bozeman.”

“We’ve designed this program to make sure that we protect people’s privacy, that they have knowledge that we’re doing these types of searches, and that we balance that with this public trust.”

On a semi-legal note here, I’d like to point out that MySpace and Facebook, just to name two, expressly forbid you from revealing your password to any third party in their terms of service. By turning over this information, you’re violating those sites’ TOS, and your account could be suspended.

Posted in Ethics, Social Networking | Tagged Ethics, Social Networking | Comments closed

A letter to the Bozeman city attorney

By Michael Becker | Published: June 18, 2009

This entry is part 2 of 18 in the series Bozeman Privacy Fiasco

I e-mailed this to city attorney Greg Sullivan a few minutes ago. I post it here in the hopes that others will send similar e-mails questioning the City of Bozeman’s policy of asking for social networking passwords on a waiver for city job applicants’ criminal background checks. I also sent it to the local newspaper and television station.

Mr. Sullivan,

I watched the KBZK news story about the city’s hiring practices, especially the criminal background check. I’m concerned that asking potential employees for their Web passwords and usernames is an illegal violation of privacy, and I hope you’ll answer a few questions about the policy.

When was the policy enacted? In other words, exactly when did the city begin asking potential employees for their passwords?

Do all potential employees fill out the criminal background check waiver, or only employees who have been provisionally offered a job?

If all employees must fill out the background check waiver, then what happens to the paperwork for the applicants who later do not become city employees? That is to say, how many people have given the city their account names and passwords who did not later get a job with the city? Are their records protected in secure files, as you say the city employees’ records are? Are they shredded, burned, otherwise destroyed?

What impact does it have on a person’s chances of obtaining a city job if that person refuses to fill out that portion of the background check waiver, citing privacy principles? Must a potential employee fill that section out in order to be considered for employment?

What happens if it is discovered that a person lied on that application and listed no Web accounts when, in reality, that person had accounts?

For the people hired to the city before this became a policy: If those people have Facebook accounts or other similar Web service accounts, have they been asked to submit their passwords and usernames to the city to keep on file? Or are those people permitted to have social media accounts without city oversight?

Exactly who gets to see an applicant’s private Web data? Names and titles would be nice to have.

Explain how it can possibly be fair for a person to place trust in city employees and give passwords to their personal Web accounts when the applicant is clearly not trusted to be an adult on those sites? In other words, what makes the city employees fair judges of acceptable behavior on social networking sites?

Have city employees been trained in privacy matters and sensitivity issues when it comes to social networking sites? If training has been done, who did the training, and exactly which city employees received that training. How much did any such training cost the city?

Have city employees been trained to navigate and use every single social networking site that an applicant could list on that waiver, or will the employees be bumbling around in sites they have never heard of before?

How much time does a city employee on a hiring committee spend on each social networking site listed by the applicant? Hours? Minutes?

Is providing such information on the waiver required?

As the KBZK reporter pointed out to you, the state constitution grants Montanans a right to privacy unless the state can show a compelling interest to overcome that right. Please explain why this policy constitutes a “compelling state interest.”

Finally, you said several times in the KBZK interview that the city looks for “very specific information” (you used that wording twice) about applicants. Please list the specific things you look for on those sites. If you have a rubric for determining a person’s trustworthiness, moral character or otherwise acceptability, please attach it to your response.

As a concerned citizen of Bozeman, I hope that you’ll take the time to respond to each of these questions and attach any relevant links, memos, or legal documents explaining this policy.

–Michael Becker

Posted in Ethics, Social Networking | Tagged Ethics, Social Networking | Comments closed

Aggregated media coverage of Bozeman privacy fiasco

By Michael Becker | Published: June 18, 2009

This entry is part 3 of 18 in the series Bozeman Privacy Fiasco

According to KBZK’s afternoon update, Bozeman city attorney Greg Sullivan said he had met with the city’s human resources department and that “the matter is being discussed.” Reporter Dan Boyle’s report goes on to say:

Officials said they are looking into the legality of the requirement. They also said they are looking into Facebook’s policies.

City Manager Chris Kukulski said the city stands by its background check policy. He told KBZK that “it’s important for judging the character of future police, firemen and other employees.”

Kukulski told the Bozeman Daily Chronicle that “the city checks the sites in order to ensure that employees who might be handling taxpayer money, working with children in recreation programs or entering residents’ homes as an emergency services worker are reputable and honest.”

Assistant City Manager Chuck Winn told CBSNews.com, “Before we offer people employment in a public trust position we have a responsibility to do a thorough background check... This is just a component of a thorough background check.”

Winn went on to tell CBS:

“Shame on us if there was information out there available about a person who applied for a job who was a child molester or had some sort of information out there on the Internet that kind of showed those propensities and we didn’t look for it, we didn’t ask, and we hired that person,” Winn said. “In many ways we would have let the public down.“

Winn told CBS that applicants are not required to supply their usernames and passwords, but that there would be repercussions if applicants or employees lied or were deceitful during the hiring process.

Winn said a police officer logs in to check on the social networking sites of people applying for public safety jobs, police and fire. For other jobs, the city’s human resources department logs in.

Winn told the Chronicle that “it’s not about taste or anything” and that “in at least one instance, an applicant’s social-networking site figured into disqualifying the person for a job.” Police Chief Mark Lachapelle told the Chronicle that information from the site (Facebook, I presume) was one component that contributed to the decision. He declined to discuss the case more specifically, citing privacy concerns.

From the CBS article:

Bozeman’s Winn said the city does not want to be the “taste police” and is focused on looking for evidence of illegal activity. “They can log in themselves,” he said. “If not, they can show us what’s on their face page. ‘Yes, I have a face page but I don’t want to show it to you.’ That’s a fine answer. We’ll use other resources out there to do a through background check. We owe it to the public.“

The Associated Press also spoke to Bozeman City Commissioner Jeff Rupp, who said that he was “unaware local officials had implemented the policy, and expects the city commission will be talking about it. But Rupp said it is not as bad as it sounds, since applicants are not scored negatively for refusing to answer the question.”

Rupp told the AP: “I can tell you I would not provide it in an application I submit. [...] I have been told repeatedly it is not scored, and the application is not discarded if not provided.”

The AP also spoke to state Rep. Brady Wiseman (D-Bozeman):

Rep. Brady Wiseman, a Bozeman Democrat, led the state’s fight against the Patriot Act when the Legislature issued a harsh critique of the federal act, arguing it trampled civil liberties and put the government into a position of snooping on citizens.

Wiseman said Bozeman now is going too far.

“Asking for passwords is over the line,” Wiseman said. “I think that this notion opens up a whole new line of debate on privacy.”

CBS also got a comment from an attorney for the Electronic Frontier Foundation:

“I think its indefensibly invasive and likely illegal as a violation of the First Amendment rights of job applicants,” said Kevin Bankston, an EFF attorney. “Essentially they’re conditioning your application for employment on your waiving your First Amendment rights ... and risking the security of your information by requiring you to share your password with them... Where does it stop? How about a photocopy of your diary?“

The Bozeman Daily Chronicle’s story had these comments from the executive director of the Montana ACLU, Scott Crichton:

I would guess that they’re on some shaky legal ground with this and we would certainly welcome (the opportunity) to look at something specific from somebody who’s impacted. [...] It’s like saying, ‘Let me look through your e-mails.’ [...] The city certainly has access to publicly accessible information, but it gets pretty questionable when they start asking for password-protected things that are created to create privacy for communications between your friends and family,” he said. “That seems to be going too far.

The AP spoke to someone else at the ACLU, Amy Cannata:

“I liken it to them saying they want to look at your love letters and your family photos,” said Amy Cannata, with the American Civil Liberties Union of Montana. “I think this policy certainly crosses the privacy line.”

[...]

Cannata, with the ACLU, said her organization has not found another government body that asks for such information. And even though the ACLU has not done a full legal analysis, she said the Bozeman policy doesn’t pass the smell test.

“It’s one thing, and I think totally reasonable, if someone has a public profile to go check it out,” Cannata said.

But private groups and profile could reveal information employers could not legally base hiring decisions on, such as a person’s religion, she added.

“Are they going to go in and look at those things?” Cannata said. “And even if they don’t intend to look at those things, it’s still there for them to see.”

Boyle’s story also said that the city has heard from reporters from National Public Radio, Fox News, CBS and ABC. E-mails were reportedly coming into the city’s accounts at a rate of one each minute from around the world. Web sites like Read-Write Web, Slashdot, CNET, InternetNews.com, The Inquisitr, Ars Technica, Boing Boing, PC Authority, PerezHilton.com and Computer World picked up the story, and the British newspaper The Guardian named Bozeman its privacy villain of the week.

Facebook’s response was posted to an article by Cade Metz in The Register. From Metz’s article:

Facebook is not pleased with the Bozeman situation and plans to contact the City. “This is a violation of Facebook’s Statement of Rights and Responsibilities, which received feedback from users and was ultimately approved in a site-wide vote,” the company tells us. “Our policies prohibit those who use the service from soliciting login information or accessing an account that belongs to someone else. In addition to violating Facebook’s policies, we think this practice violates personal privacy, and we plan to reach out to the City of Bozeman to discuss it with them.”

Ars Technica writer John Timmer noted that the city’s invasion of privacy is ironic, considering the city’s own comprehensive privacy policy on its Web site.

This is especially ironic given that Bozeman’s website has an extensive privacy policy that indicates a significant familiarity with some of the major issues that have cropped up regarding the retention and security of information entrusted to websites.

Timmer concludes his write-up with a good point:

It’s probably safer to ascribe this sort of behavior to cluelessness rather than malice. But the cluelessness is apparently a two-way street, as Sullivan indicated that nobody has objected to the city’s request for login credentials.

Lisa Hoover at Computer World:

It’s not about having anything to hide — because I don’t. It’s about a fundamental right to privacy and the expectation that what I do behind the walls of a passworded site is between me and a Web server. I fully grasp that any time you do something online, you run the risk it will become public information even you think it won’t happen. I’ll be darned, though, if I would willingly turn over the keys to my Internet existence to a random person when there isn’t even the guarantee of a job in return.

A writer at DaniWeb points out that judges have, in some cases, ruled that violating a Web site’s terms of service is an illegal act.

In addition to the privacy aspects—which would enable city employees to post items under the applicant’s name, and make or delete friends—some social networking sites consider passing on passwords to be a violation of their terms of service, which some judges have ruled is a criminal act.

Steven Hodson at The Inquisitr writes:

I can totally understand the City’s desire to protect the integrity of its employees but this kind of invasion is no different than them asking for the keys to your home and coming in whenever they feel like it. Sure it’s plausible to defend this requirement for any public social media accounts – but then they wouldn’t need the passwords – however when it comes to any accounts that we have made private they have no business asking for this information, let alone making it a requirement for a job.

I fixed a font display issue in this post on July 6, 2009, and corrected formatted the first blockquote from Dan Boyle’s report.

Posted in Ethics, Social Networking | Tagged Ethics, Social Networking | Comments closed

Late afternoon Bozeman fiasco update

By Michael Becker | Published: June 18, 2009

This entry is part 4 of 18 in the series Bozeman Privacy Fiasco

As I’ve already written today, the City of Bozeman, Montana, has been doing some questionable stuff when it comes to background checks on job applicants. The city has asked applicants for the usernames and passwords to their social media accounts for “three or four years,” the city attorney told KBZK news on Wednesday.

The news spread from KBZK to Boing Boing and then to other news sites and blogs. And of course thousands of people fanned the fire on Twitter. (I was among them.) Now, KBZK is reporting that the city’s receiving an “e-mail a minute” about the matter, including my own. I was even interviewed by the television station for the follow-up story they’re working on, and I understand that the newspaper will have a full story tomorrow.

I won’t get into the issues in-depth; I’ll save that for a post later tonight. I do want to point to that e-mail-a-minute figure as an example of what can happen when social media kicks into high gear. I started posting about this fiasco at about 10:30 last night, and many, many people joined in — more people from more places around the country than I honestly thought would join in.

As a result, the city is “looking” at their policy, which I think means that we’ll see some changes soon, at least some heavy explanation and maybe even some backpedaling. Whatever the outcome, I think we can say that social networks and their users had an effect on the real world today, an effect I hope makes Bozeman a better place to work.

More to come.

Posted in Ethics, Social Networking | Tagged Ethics, Social Networking | Comments closed

Bozeman backtracks on privacy matters

By Michael Becker | Published: June 20, 2009

This entry is part 5 of 18 in the series Bozeman Privacy Fiasco

In case you haven’t yet heard, the City of Bozeman has rescinded the part of its background check form that asked for applicants’ passwords for social networking and other Web sites.

“The extent of our request for a candidate’s password, user name, or other Internet information appears to have exceeded that which is acceptable to our community,” City Manager Chris Kukulski said in a statement released Friday afternoon.

As of noon on June 19, the city has stopped asking job candidates for their usernames and passwords, and until further notice, the city has suspended its practice of peeking at applicants’ password protected Web information “until the City conducts a more comprehensive evaluation of the practice.” In essence, they won’t snoop using the passwords they have already collected until they talk about it some more.

The city commission will discuss the matter at its meeting Monday night at 6 in the commission room at city hall, 121 N. Rouse Ave. The agenda is scant on details as to just what the commission will discuss, but at least they’re talking about it now.

Posted in Ethics, Social Networking | Tagged Ethics, Social Networking | Comments closed

Recent Comments

Recent Comments

About the author

Becker’s Other Blogs

Pages

Search