Yesterday, ZDNet covered the story of a school that demanded Facebook login credentials for one of its students. We've been seeing a trend of employers and schools not only demanding to be "friended," but demanding actual login credentials for Facebook.
This must stop. There needs to be a law protecting consumers.
The issue is very simple. The people demanding access to your Facebook accounts can't be trusted. For example, Minnewaska Area Schools demanded login credentials for the student, but there's no guarantee that they are using best practices to protect those credentials. Most likely, the child's login and password will wind up on a PostIt! note living on a physical desktop.
In another case, Officer Robert Collins was required to turn over his Facebook login credentials during a recertification interview with the Maryland Division of Corrections. Here, too, there's no guarantee (or even a requirement) that the people conducting the interview protect the officer's personal login credentials with all due care.
There is a clear, but subtle difference between demanding a student, employee, or prospective employee add you to his or her friends list, compared with providing such organizations with full login credentials.
Friending provides a view onto what you're posting on your Facebook account and what you're comfortable sharing with friends. If you're, for example, racist or abusive, that behavior may become evident through your published posts on Facebook, and a prospective employer may choose to opt out of hiring you.
But when your credentials are provided to that employer (or school), you're granting that organization complete, unrestricted access to not only what you've posted, but to the entire status of your account.
Let's take Pat Falk, the principal of Minnewaska Area Schools as an example. Let's give her the benefit of the doubt and assume she would never misuse those credentials. But would she be able to prevent anyone who ever worked in her office from using those credentials? Is she taking full responsibility for the entire online identity of the students' accounts she now has access to?
What about the interviewers at the Maryland Division of Corrections? Facebook now has email. Are they willing to take full responsibility that nobody will ever send an email message or post an entry posing as Officer Collins? What if Officer Collins used his Facebook email as his password reset email for other services, say online banking? Will the Maryland Division of Corrections reimburse Officer Collins if his entire bank account is cleaned out because his email password fell into the wrong hands?
Of course not. And that's why there needs to be a law.
This is a problem that will not go away. And if you think the lawsuits we're seeing now are bad, wait until someone loses their life savings because some over-zealous school district or prospective employer got carried away. The courts will be filled with these things.
I call on our Congress to do something useful for a change. Pass a law making it illegal to demand access to any personal login credentials for any online account.
Such a law will not only benefit consumers, it will protect organizations like Minnewaska Area Schools and Maryland Division of Corrections from liability and costly lawsuits, and it will reduce the caseload for our courts.
Readers, contact your representatives today and demand such a law be passed. To contact your representative, visit The U.S. House of Representatives web site. It's just a click away and it could save you (and the rest of your fellow Americans) tremendous heartache.