April 2012
The Dangers of Asking for Social Network Passwords (28 April 2012)

The Dangers of Asking for Social Network Passwords

28 April 2012

In the last year or so, there’s been a lot of controversy about some employers demanding social network passwords from employees or applicants. There’s even been a bill introduced in Congress to bar the practice. The focus has been the privacy violation implied by such demands: "the legislation could .. protect the privacy of citizens"; "the bill is a win for businesses, schools, and privacy"; etc. Even the author, Rep. Eliot Engel (D-NY), said "this is a matter of personal privacy". All that is true, but they understate the problem; it’s far worse than that, for a number of reasons.

The first issue is that a password gives the holder write access, not just read access, to the account. An employer may perceive some reason for wanting to see what’s on someone’s Facebook page; however, the password lets them change privacy settings, create new content, etc. This is particularly serious in adversarial settings like divorce cases, where one party may be trying to impeach the other’s credibility and suitability as a parent. The judge in the that case did

try to limit the privacy invasiveness of his order by telling the parties not to prank each other.

"Neither party shall visit the website of the other’s social network and post messages purporting to be the other," he included in the order.

I’m glad that Judge Shluger realized that aspect, but as I explain below, there are other ills.

The second issue is that people reuse passwords. Yes, the standard advice is to avoid doing so; most people don’t follow that advice because they can’t remember ℵ0 different passwords for their ℵ0 different web logins. This means that a social network password is often an email password, a bank account password, a work password, and more. Knowing someone’s Facebook password probably gives you access to many other sites.

Even if passwords aren’t directly reused, there’s another problem: logins for social network sites are often used as credentials for other sites. Google is an official provider for NSTIC, the National Strategy for Trusted Identities in Cyberspace. Facebook is pushing its Facebook Connect service. Microsoft Live accounts can be used for access to some medical records. In other words, if you’re logged in to one of these sites, you automatically have the credentials to reach many other sites, including some with very sensitive information. Facebook puts it this way:

Facebook helps you simplify and enhance user registration and sign-in by using Facebook as your login system. Users no longer need to fill in yet another registration form or remember another username and password to use your site. As long as the user is signed into Facebook, they are automatically signed into your site as well. Using Facebook for login provides you with all the information you need to create a social, personalized experience from the moment the user visits your site in their browser.
There are privacy issues there, too (Facebook knows everywhere else you visit), but there’s a serious security problem if a Facebook password is ever disclosed to someone else: that person can also be "automatically signed into [the] site as well."

This is the crux of my concern: knowledge of a social network password lets you in to many other accounts, both directly and indirectly. I strongly suspect that few employers with such policies — more precisely, few of the executives who promulgated the policies at these companies — realize the danger. I also suspect that their attorneys do not realize the technical risks, either. However, it seems very likely that there are some people charged with executing the policies (especially folks in the IT department) who do understand it. There is thus a tremendous liability risk, one that few companies would willingly undertake: that corporate policies have exposed people to serious risks. Is this a chance worth taking?


Update: It’s been pointed out to me that the article I cited on Google’s participation in NSTIC is wrong. Google is not an "official provider" of NSTIC credentials because there no such entities. Rather, it is a "Level of Assurance 1" credential provider for a federated login system for government sites. That program lets you use a Google login for certain low-risk Federal systems. Furthermore, it’s a special Google login, that among other things cannot be used by Google for behavioral marketing. I do not know if such special logins can be used for Google+, and hence whether or not my caveats apply today to Google. If, however, they do become a regular NSTIC provider in the future, everything I wrote above would still stand. And of course, this correction applies only to Google.