Home / Blogs

The Dangers of Asking for Social Network Passwords

In the last year or so, there’s been a lot of controversy about some employers demanding social network passwords from employees or applicants. There’s even been a bill introduced in Congress to bar the practice. The focus has been the privacy violation implied by such demands: “the legislation could .. protect the privacy of citizens”; “the bill is a win for businesses, schools, and privacy”; etc. Even the author, Rep. Eliot Engel (D-NY), said “this is a matter of personal privacy”. All that is true, but they understate the problem; it’s far worse than that, for a number of reasons.

The first issue is that a password gives the holder write access, not just read access, to the account. An employer may perceive some reason for wanting to see what’s on someone’s Facebook page; however, the password lets them change privacy settings, create new content, etc. This is particularly serious in adversarial settings like divorce cases, where one party may be trying to impeach the other’s credibility and suitability as a parent. The judge in the that case did

try to limit the privacy invasiveness of his order by telling theparties not to prank each other.

“Neither party shall visit the website of the other’s social network and post messages purporting to be the other,” he included in the order.

I’m glad that Judge Shluger realized that aspect, but as I explain below, there are other ills.

The second issue is that people reuse passwords. Yes, the standard advice is to avoid doing so; most people don’t follow that advice because they can’t remember ℵ0 different passwords for their ℵ0 different web logins. This means that a social network password is often an email password, a bank account password, a work password, and more. Knowing someone’s Facebook password probably gives you access to many other sites.

Even if passwords aren’t directly reused, there’s another problem: logins for social network sites are often used as credentials for other sites. Google is an official provider for NSTIC, the National Strategy for Trusted Identities in Cyberspace. Facebook is pushing its Facebook Connect service. Microsoft Live accounts can be used for access to some medical records. In other words, if you’re logged in to one of these sites, you automatically have the credentials to reach many other sites, including some with very sensitive information. Facebook puts it this way:

Facebook helps you simplify and enhance user registration and sign-in by using Facebook as your login system. Users no longer need to fill in yet another registration form or remember another username and password to use your site. As long as the user is signed into Facebook, they are automatically signed into your site as well. Using Facebook for login provides you with all the information you need to create a social, personalized experience from the moment the user visits your site in their browser.

There are privacy issues there, too (Facebook knows everywhere else you visit), but there’s a serious security problem if a Facebook password is ever disclosed to someone else: that person can also be “automatically signed into [the] site as well.”

This is the crux of my concern: knowledge of a social network password lets you in to many other accounts, both directly and indirectly. I strongly suspect that few employers with such policies—more precisely, few of the executives who promulgated the policies at these companies—realize the danger. I also suspect that their attorneys do not realize the technical risks, either. However, it seems very likely that there are some people charged with executing the policies (especially folks in the IT department) who do understand it. There is thus a tremendous liability risk, one that few companies would willingly undertake: that corporate policies have exposed people to serious risks. Is this a chance worth taking?

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global