Tag: Internet Privacy

Facebook Passwords, Privacy and the Lack of Legal Protection

Reports that some employers are requiring job candidates to hand over their Facebook log on information have caused an outcry over perceived violations of personal privacy — and even calls for a federal investigation by some members of Congress.

But U.S. job seekers, and the currently employed as well, should exercise caution, according to Wharton legal studies and business ethics professor Janice Bellace. She says in the U.S., anyone trying to challenge such a practice in court would have almost no legal ground to stand on. “People think they have more rights than they actually have; they seem to think they have rights that are just not there,” she says.

For example, she notes that employment law for decades has said that non-unionized workers could always be fired for taking actions that publicly disparage their employers. But 30 years ago, doing so was relatively complicated, and catching workers in the act was just as difficult. “When I was in law school, we used to read about cases where it did happen because it was so unusual,” Bellace recalls. “If you were talking to your friends about how much you hated your boss, you probably did it face-to-face. Although technically, under the law you might have gotten in trouble, nobody ever knew about it.”

But social media has been a game changer. “Technology has made it so much simpler for employees to get into trouble,” Bellace says. Years ago, an employee might have written a letter to a newspaper tearing apart an employer, “but it took time to sit down and type it out. Now you can Tweet it so simply. People say things before their mind stops them and says, ‘What am I doing?’”

The law is equally devoid of traction for potential employees who might be asked to provide access to their Facebook accounts, Bellace notes. “It has always been the case that employers could ask others about you for a reference and, if you refuse to give them names, they can refuse to hire you,” she says. “I’m not saying it’s right or wrong, but it’s the state of the law.”

So why are the current incidents causing such an uproar? “Employees think that their private life is protected by some right of privacy and that either a current or potential employer shouldn’t be able to invade their private lives.” But, legally, in the U.S. there is little guarantee of that, Bellace says.

“Parts of the Bill of Rights refer to the right of the citizen or person against the state,” she notes. “No state can come into your house and ask to read your diary or computer files without a search warrant. It doesn’t say anything about an employer.” Last week, Maryland legislators passed what is believed to be a first of its kind bill that prohibits employers from requiring job applicants to hand over access to private social media accounts. States including California, Michigan, Minnesota and Illinois are considering similar legislation. Bellace says that she knows of no previous state law that explicitly offers this right of privacy, nor any case law that would support an argument in court, “although we may begin to see that.”

She points out that circumstances are very different in other countries where statutes exist that recognize an individual’s right to privacy. In Germany, for example, laws date back to the post World War II era when officials there sought to ensure that people could not be fired from their jobs for aspects of their personal lives, as they had been under the Nazi regime. A few years ago, Bellace attended a conference in Australia and recalls that the organization later couldn’t get a list of attendees from the Australian firm it hired to plan the convention because the law in that country prohibits the sharing of data without permission from the individual.

“Some of these countries developed laws before social media took off,” she notes. “That adds an interesting wrinkle in those countries because they are building on a foundation of law that says you own your information.”

Bellace says even people in the U.S. who try to sue an employer that has asked for access to social media accounts, on the grounds of discriminatory hiring practices (because the accounts may contain information such as an applicant’s age or race), may have trouble making a case. The employer could argue that it is asking all job candidates to provide the access and thus applying the policy broadly, Bellace points out, and if that is the case, the job seeker would have to prove that the company violated the law after checking out the entire applicant pool, which could be harder to prove.

“How do you know why others didn’t get hired? How do you know why you didn’t get hired?” Bellace asks. “That’s why employment lawsuits are so hard to bring.”

She predicts that there will eventually be further changes in the law “because younger people used to interacting with others online through social media will be more disturbed by what they view as an unreasonable intrusion into their private lives and therefore may propose legislation.” But Bellace adds that it will be some time “before people completely coalesce around this notion that you have a right to a private life and privacy in online communications.”


Internet Privacy Takes a Hit, Again

Google, according to a report in The Wall Street Journal last week, has not been playing fair when it comes to upholding its own privacy standards.

The company has been tracking “web-browsing habits of people using Safari browser software even if [users] intended for that kind of monitoring to be blocked,” the Journal article noted, adding that this behavior has led three U.S. congressmen to ask for a Federal Trade Commission investigation. The article also pointed out the company last year signed a privacy settlement with the FTC after the commission charged it with using “deceptive tactics and violating its own privacy promises to consumers” when it launched its Buzz social network.

As for the breach the Journal found last week, Google responded that it has deleted the tracking files in question and is addressing the congressmen’s concerns.

KnowledgeToday asked two Wharton faculty — Andrea Matwyshyn, professor of legal studies and business ethics, and Shawndra Hill, professor of operations and information management — to comment on this latest incident.

Given all the recent examples of Internet companies chipping away at people’s privacy, how serious is this latest breach?

Matwyshyn: According to press reports of commentary from a Google spokesperson, the company does not necessarily consider its actions to constitute impermissible conduct: Google is alleging that users authorized the company to interact with their data in certain ways and, by implication, that this consent authorized alteration of inconsistent settings on a device, which may have happened in an unanticipated manner. 

Hill: Firms like Google need to take [care] because legal cases regarding privacy breaches can and do go to court. With each breach, Google opens itself up to punishment and a degradation of consumer trust. In this [latest incident], millions of consumers might be affected, which could indeed prove problematic for Google because of the scale of the Safari problem.

What would have led Google to do this? An obvious answer is the increasing competition for ad dollars, but is there another explanation? 

Matwyshyn: This type of error is symptomatic of the broader privacy and security culture wars going on inside all companies, but technology companies in particular. Privacy and security champions and lawyers frequently butt heads internally with engineers over design and consumer protection. In engineering-focused cultures such as Google’s, shipping code usually wins, and privacy/security and consumer protection can be viewed by some internal decision makers as secondary things you “clean up” when they go awry, rather than things companies must design around.   

Hill: It’s possible that better advertising alone is driving the data collection when consumers use the Safari browser. However, it is also possible that Google was not aware of all the consequences of their actions. It is often the case with data collection that you have one intention but that there are other uses that are unforeseen when the data or process for data collection is established. Still, Google should do a better job identifying potential problems before launching new processes.

Is it conceivable that Google didn’t know this was happening?

Matwyshyn: Code is written by humans, for humans.  Yes, it’s entirely conceivable Google didn’t do their homework and anticipate this dynamic. It’s also conceivable that a company might anticipate a dynamic such as this, but would then decide that fixing it is a lower priority than shipping code out fast. A third scenario might be that a company decides this type of dynamic is a feature and not a bug, that their consumer EULA [end user license agreement] grants the right to tweak settings on user devices and that users are unlikely to notice the exact workings of the code.

Do you think Google’s reputation as a “do no evil” site has taken a substantial hit?

Matwyshyn: “Do no evil” was Google’s successful mantra from the 1990s and 2000s. Those days are gone from the standpoint of consumer perception. Although Google’s socially-beneficial pilot programs and philanthropic efforts are commendable, in the 2010s many consumers view Google as an aggressive data aggregator akin to Facebook. Microsoft is the new underdog.

Hill: Google is scheduled to change their privacy settings next month. In addition, they have come under scrutiny regarding other privacy breaches in the past year. While the firm may continue to claim to “do no evil,” their business strategy is certainly changing; no doubt consumer perceptions, and possibly trust, will change as a result. However, other large data driven companies are using behavioral, social network and demographic information to target ads. So, it’s not like there is an alternative (right now) where user data are not being used for advertising and business intelligence.

The main concern for consumers will come when/if Google tries to maximize their advertising dollars at the expense of giving users the most relevant information to answer their search queries.

Three congressmen have called on the FTC to investigate Google over this practice. Are we finally reaching a tipping point where the privacy issue has caused enough concern that the government will mete out serious sanctions/punishment?

Matwyshyn: One possible outcome may be another FTC consent decree expanding the existing mandatory periodic FTC audits…. The organizational impact of FTC audits may be underestimated internally: FTC audits are a disruptive and expensive experience, as Microsoft learned. If this underestimation is the case, and if the privacy lessons from Buzz have not been internalized by the corporate culture, it is unsurprising that another privacy problem has arisen.

Hill: It’s hard to say which case will end up [resulting in a] severe punishment. However, with each case, we get further along into the discussion about what is acceptable and what is not with respect to consumer privacy. The hope, at least from consumers, is that the conversation will evolve into a clear set of rules and regulations that govern how online firms and others can make use of personal data while offering useful, and free, services.
