Why Maryland's new "ban employers from asking for Facebook user names and passwords" bill will fail

Before I explain, and my explanation will only take the next two paragraphs, I want to note that I find it incredibly difficult to feel any sort of sympathy for employees who are asked this question and comply. The proper response (even if you don't have a Facebook account) is "fuck you." The dumb response is "here you go, username is bob@bob.com and password is password1." The cowardly response, if the company has heavily implied that you will not have your job much longer if you don't comply (or not be hired in the first place) is the same as the dumb response. You are working for an unethical company, leave. And look, I'm not insensitive to a pragmatist. If you keep the "fuck you" to yourself, but delay with either a "I don't have a Facebook account" lie (make sure you have good privacy settings and an ambiguous avatar to keep the lie going!) or a "I don't remember my password, my browser does at home so I'll give it to you tomorrow" excuse so that you can create a fake facebook account to give the info for instead, and you make use of your delay to search for another job without the hassle of being unemployed while searching, then I'm fine with you. I just don't sympathize with straight obedience to such requests.

Now here's why a law against this won't work. Companies that do ask for these details are unethical. There's nothing wrong with a company Googling employees or prospective employees to see what they can find, but they cross the line when they demand such people hand over that information to them or else. Having established that such companies are unethical, in the face of this law we can infer that they will simply no longer ask.

It is trivial for a company to set up a server that all network traffic in their building must pass through, and they can log it all. Are you never going to check Facebook at work? If you have that level of mental discipline, you wouldn't be working at an unethical company in the first place! Is Facebook using SSL to prevent logging servers from reading your traffic? That's okay, the company's logging server can issue its own SSL certificate instead of Facebook's so that it can read the traffic. The company can even install their certificate on all their company machines as a trusted certificate so that the browser gives no warning. (And even if they didn't, many people ignore such warnings.) Now that they're reading all the traffic you send, they can watch what you do on Facebook and everywhere else, and that's entirely legal. Many companies in their employee handbooks state that there is "no expectation of privacy". Many companies have security cameras monitoring everything, and at minimum content filters to keep employees from watching porn, but they can also set up the system I described of routing and logging all traffic. And since we're dealing with an unethical company, they might even cross the legal boundaries and sign into Facebook as you (having intercepted your username and password when you typed it in, or intercepting your session cookie). Hence whatever goals this legislation intended to achieve will not be achieved.

---

Posted on 2013-01-18 by Jach

Tags: government, morality, security, stupidity

Permalink: https://www.thejach.com/view/id/276

Trackback URL: https://www.thejach.com/view/2013/1/why_marylands_new_ban_employers_from_asking_for_facebook_user_names_and_passwords_bill_will_fail

Back to the top