Passwords requested for social network sites

LegacyUser

Where I work some of the employees have been discussing the job on Facebook – many of the workers are "friends" with each. Recently two members were found to have said something negative about one of the managers. Now this has turned into a major situation and the manager is talking about dismissal if staff are found defaming the company.

In a effort to clear this up we have all been asked for our Facebook passwords. Although I'm not directly involved I don't want to give up my password. Is there some kind of law that protects my privacy in this situation?

Eoin

That access doesn't sound reasonable at all. Even asking to be facebook friends with your account would be OTT, let alone asking for your logon credentials.

This page might be a good starting point, but it doesn't seem to cover this scenario.

I imagine that at most, they could check what you might post on facebook at work by monitoring the internet traffic, but asking you to give your login details is a bit much. And even then, the office of the Data Protection Commissioner says the following:

The advice of this Office is that every employee has a legitimate right to expect a certain amount of privacy in a work context. The key point is that the employer needs to have a clear policy that is made available to all employees in relation to whether personal use of employee equipment such as email or the internet is allowable. If an employer does not allow any such use then the employee should not use these systems for their own use. Such a policy will allow more ready access to an employee’s email and internet records by an employer as the employee should not be making use of them for a personal purpose. However, even in such circumstances ongoing monitoring is never considered proportionate and access should be in response to a reasonable suspicion.

Hopefully someone can post a link with more explicit wording that you can use.

daheff

Hi Eoin

I think that is just for using the companies infrastructure to access the internet/email.


In the OPs case, somebody could legitimately be using Facebook without using the company infrastructure and still are being required to provide this info.


OP- tell your company to get stuffed. There is no more a case to give the company your Facebook password as there is of giving them the PIN to your ATM card.

Forest Master

This is ridiculous - don't give it out under any circumstances - don't even entertain discussing it. If you get asked for it, say "I wasn't involved in any of the activity or incidents you're looking into, but my solicitor has my password - if you want it, contact him/her".

This is absolute boll*cks & nowhere near enforceable.

kippy

It is moronic for people to be discussion work/mentioning names of people at work on a public forum/facebook and I believe that these kind of things do leave people open to litigation.
That being said - I don't think an emplorer can expect to get passwords for non work accounts off employees however if this goes down the legal route there could be issues.

v300

Tell them you'll need the request in writing on headed company notepaper signed by the HR manager, CEO, or accountable manager, as you'll have to discuss this first with your union / solicitor / representative body first, and once the request iss received in paper form that you'll get back to them with an answer ASAP.

I would reckon you'll never get that request in writing, and if they are as cheeky or stupid to actually issue the letter to you, then you have written evidence you can nail them in court with for abuse, having nicely framed that abuse in context with a solicitor who will place the abuse under under one or more covering Irish laws.

crotalus667

kippy wrote: »

I don't think an emplorer can expect to get passwords for non work accounts off employees however if this goes down the legal route there could be issues.

if you use a company pc/laptop/network you should be aware that your login details are no longer only in your head they are where the company can retreive them, afaik it is still breaking the law to use them, there is also a recored of every page you have visted and that can be pulled up again if the company want to pay the tec expert to do so

kippy

crotalus667 wrote: »

if you use a company pc/laptop/network you should be aware that your login details are no longer only in your head they are where the company can retreive them, afaik it is still breaking the law to use them, there is also a recored of every page you have visted and that can be pulled up again if the company want to pay the tec expert to do so

Indeed, I am aware of that.

TheCosmicFrog

That is a completely unreasonable request and one that they cannot do without first going to the Gardaí, who would more than likely require some form of search warrant in the first place.

Rython

I reckon your completely safe in politely declining. As far as a court would see it, its no different to asking to search your house. Its your private space they have no right to it. If they really have a case for getting in let them get a court order.

Your best port of call for accurate info is to get in touch with the data protection commission, if its protected they'll know for certain.

Rython

TheCosmicFrog wrote: »

That is a completely unreasonable request and one that they cannot do without first going to the Gardaí, who would more than likely require some form of search warrant in the first place.

The Garda would tell them to go jump, its not a criminal matter so the guards have nothing to do with it. A court could grant access in a civil action though.

Solair

Your Facebook account is yours, it has nothing whatsoever to do with your employer. If they want to monitor people's use of Facebook e.g. wasting time at work, then they're can certainly do that on their own network. They can also, with reasonable cause, snoop into company email accounts or telephone logs.

However, your Facebook account is a private account on a third party system (i.e. Facebook) which they have absolutely no rights to access.

It's no different from your HR manager or whoever suggested this demanding your house keys so that he/she can route through your underpants drawer.

First call the Data Protection Commission :

http://www.dataprotection.ie/docs/Contacting_Us/11.htm

Then if you are speaking to the manager:
1) If you're a member of a trade union, call them IMMEDIATELY.
2) Explain that you had nothing to do with it.
3) Put the request in writing (on headed paper and signed by the HR manager) so that you can have it run past a solicitor or hold it against them should they attempt to fire you.

They have no more right to access your Facebook account than anyone on boards.ie or walking down the street has.

If he wants to start defamation proceedings against the person(s) he/she thinks were involved, then he should do that. It will cost a fortune and if he loses he'll have to pay the other person's costs.

Accusing non-involved third parties of defamation could actually be quite a legally dangerous thing for him to do too.

If I were him, I would just make a general statement about it and then back off.

Also, by giving a third party your Facebook password, you are giving them access to information they have no rights to which could mean that you are breeching the Data Protection Act yourself.

Technically speaking, it could be argued that you would be providing complete access to a private network where information about third parties is stored.

In general, anything you put on a social network should be suitable to be "published" as that is exactly what you are doing with it and Facebook is about as private as having a chat in a crowded pub. Even when you think you're in private, you usually aren't.

godspal

Your company sounds quite pompous.

To call a negative comment or reflection defamation is absurd, first of all by stating that it is defamation they are saying that the comment hurt or damaged the companies reputation in a financial way. Secondly, they are saying that what the worker said was untrue.

After that for them to call for your passwords, bollocks to that. Tell them no, you have a right to protect your private information, and you have to right to protect your good name, and anything that could be associated with your good name.
If they threaten you with anything, call their bluff. If they do end up reprimanding you, call a union official, and start legal proceedings.

Another thing you're company should know, is that if they sue any of their employees who use a website, the person can defer legal proceedings, say that they are not the publisher of this information, but rather facebook is. And consequently your company will have to sue facebook.
While this law is incredibly dated and stupid, this is probably the first time I could think of it being used in a positive way.

Eoin

daheff wrote: »

Hi Eoin

I think that is just for using the companies infrastructure to access the internet/email.


In the OPs case, somebody could legitimately be using Facebook without using the company infrastructure and still are being required to provide this info.


OP- tell your company to get stuffed. There is no more a case to give the company your Facebook password as there is of giving them the PIN to your ATM card.

Yep - it was just the closest thing that I could find (and why I said "they could check what you might post on facebook at work").

Solair

All they could look at is whatever traffic passed over their network to Facebook, assuming they could capture / access it.

The most likely data they would have is either:

1) Nothing
or
2) A record of the fact that someone logged into Facebook at a given time. Facebook's passwords are transmitted using HTTPS (encrypted), so they'd be inaccessible anyway.

Plates

crotalus667 wrote: »

there is also a recored of every page you have visted and that can be pulled up again if the company want to pay the tec expert to do so

Including this thread.....which now makes you involved.

Eoin

They could possibly capture the contents of any updates though, as I don't think that's done through SSL.

Anyway, that's beside the point - the OP isn't saying anything about work, and hopefully not using it during work, so there shouldn't be an issue.

It's not reasonable to ask for the logon details, so I'd refuse, or ask that it's given in writing and you'll take it from there, as others have suggested.

Also, I'd do "unfriend" any of your colleagues, so work can't browse to you through any other profiles, and also hide as much of your details as possible to people you aren't friends with.

Solair

That's a very good point:

Go into your privacy settings and make sure that everything's setup so only your friends can see it.
Then remove your colleagues. It's quite simple to do.

D-Generate

Delete work colleagues and just say you don't have a Facebook account.

LegacyUser

Hi OP again here. Thank you all for your helpful replies. Just a little more info;

– Yes, the use of company computers isn't an issue, we have limited access to them and most people have smart phones using their own mobile networks.

– The two people involved have refused to give any details, so others that have friended them are being asked for info. This is because the manager has no "friends", he/she has just heard rumors back (I don't really want to go into more specific information).

– I've a dilemma as I don't want to stick out if others are going with it. I'm worried that they'll find something else to reprimand me with.

tricky D

Rython wrote: »

The Garda would tell them to go jump, its not a criminal matter so the guards have nothing to do with it. A court could grant access in a civil action though.

Section 8 court discovery order for DPA protected data.

This thread has some info on this kind of matter: Why keep yourself anonymous?

Eoin

If you don't want to be too confrontational, then you could take the easy way out and set up a new account, like a few random pages and so on. Tell them as a compromise, they can add you as a friend. Then just never touch the account after that.

I know that's not addressing the principle of the issue, but it could make for an easier life.

john178 wrote:

so others that have friended them are being asked for info.

If you're friends with them on facebook, remove them immediately.

Maldini2706

Just for the record, you can't defame a company, you can only defame individuals. This request sounds extremely dodgy, an employer has no right to invade an employee's privacy like this. Your employer could be entering unfair dismissal territory here.

Eoin

I found this on the dataprotection.ie website, which might help:

1.5 What is excessive information?

The Data Protection Acts require that only the minimum necessary personal data should be sought and used to allow for the performance of the function to which it relates. This requires a Data Controller in all situations to be certain that the data that is being sought is appropriate to the reason for which it was sought. A data controller must be able to show that each piece of personal data sought from a person is needed for a legitimate reason. Where data is not needed for the reason for which it was sought this would constitute a breach of the Data Protection Acts.

ROS123

Maldini2706 wrote: »

Just for the record, you can't defame a company, you can only defame individuals. This request sounds extremely dodgy, an employer has no right to invade an employee's privacy like this. Your employer could be entering unfair dismissal territory here.

http://www.takelegaladvice.com/news-and-information/legal-articles/Defamation/Defamation/
Can a company sue for defamation?

An action for defamation can also be brought by: a company, in respect of statements that damage its business reputation.


Dont know whether this applies in Ireland though?

TheCosmicFrog

Very interesting and helpful information in this thread!

sharingan

john178 wrote: »

– I've a dilemma as I don't want to stick out if others are going with it. I'm worried that they'll find something else to reprimand me with.

Most online services do not permit you to share your passwords with any 3rd party.

As a general rule, do not friend work colleagues on social networks for this reason.

Only act on these requests if you get it in writing. Also print of all e-mails. Get it in writing from the original requester and then get it from someone in HR & Legal.

If they decide to escalate this into something nasty, they have to make it official and you have legal recourse then.

Solair

The basic advice:

1) It's a breech of Facebook's T&Cs to divulge your password to a third party.
2) It's possibly a breech of the data protection act (on your part) to do that as your Facebook account contains private information about third parties.
3) It's possibly a breech of the data protection act (on your employer's) part to request or use that information.
4) As what they are requesting is unreasonable, and possibly illegal, if they dismiss anyone they could end up facing unfair dismissal proceedings.

So, in conclusion:

Ignore the request and "defriend" your colleagues on Facebook.
If any pressure is put on you to divulge the password or your job or promotional prospects are impacted upon, contact a solicitor who has expertise in employment law, or your trade union (if you have one).

Your employer should also bear in mind that what they are doing could be construed as blackmailing someone to give them log in credentials for a private system. If they are accessing the site with your credentials they have no authorisation to do so, so technically speaking it's hacking.

It's a legal Pandora's box that, if I were them, I would not open!

This is why anyone who is dealing with HR policies should really consider doing a HR qualification!

Inspector Gadget

Wow. This is scary stuff. I am most certainly not a lawyer, before I go on, and have never had a Facebook account (very much on purpose!), and this is one of those situations where I'm damned glad of it.

I just wanted to add something in respect of HTTPS in the workplace (or on any network you don't control, for that matter) - it's possible to intercept HTTPS traffic quite easily if you do a man in the middle attack. The trick is that you have to install a certificate for Facebook (or whoever) in the client's browser which purports to be for your site of choice, and then (with the help of slightly modified DNS records) a device on the network can intercept your traffic, decrypt it, read/store it, and then re-encrypt it and pass it on via HTTPS to Facebook (using the correct details) leaving the user none the wiser.

This does require that the people doing the snooping can install these SSL certs on your work machine in order to appear transparent (your browser will throw an error otherwise, but most people will click through it), but if it's a work machine, it goes without saying that this is possible. For the rest of us, if you're using Firefox, there's a natty add-on called CertificatePatrol that can help warn you about this sort of thing.

The best thing to do is to *NEVER* do anything like that (including posting to boards.ie) from a company machine. I suspect that asking for a request for your password in writing on headed notepaper from a suitably senior figure (whoever that'd be in your company) as you'd need to consult with your solicitor/union rep would be enough to stop anyone with half a brain in their tracks. Usually, the word "solicitor" on its own causes alarm bells. It is important that you do go through with it if they call your pseudo-bluff though; there's no way in hell that this is remotely legal, and I'd get a copy of the EULA/whatever from Facebook and pore over it too; as someone suggested, I don't think it's legal for you to turn over your password to a third party, as someone has already stated.

Solair

I don't think the OP's issue is that the access was carried out over a company's network or from a company's computers. So, I don't think it's anything as complicated as intercepting traffic.

Rather, it seems like a manager in the company suspects that something negative has been said about "a manager" on Facebook and they are trying to access that information indirectly by going through uninvolved friends of colleagues' Facebook accounts.

From what I know of Facebook (and I am open to correction) only the passwords are transmitted using HTTPS. The normal web pages are displayed unencrypted. So, it is probably open to interception without much difficulty.

Inspector Gadget

I'm aware of that, but as someone earlier just said "use HTTPS", I wanted to point out that it won't necessarily help.

As far as I know, as of a couple of months ago following the whole Firesheep thing, it's now possible to SSL for the entire Facebook session, not just the login. Really, it's just Yahoo! Mail of the big services (and before anyone decides to start Yahoo bashing, they are still the largest webmail provider on the planet by a country mile, irrespective of whether they're any good or not) that hasn't caught up on this. Speaking of Firefox plugins, try HTTPS Everywhere (from the EFF) to automatically enforce this.

dlofnep

Tell them to get stuffed - What you do in your private life has nothing to do with work. Tell them that when they start paying you for living your own life, then you'll think about it - until then, piss off.

BaconZombie

I know this is still a "Grey Issues" in Ireland but is 100% illegal in Germany & France due to the way they interpret EU privacy laws.

But technically a reverse proxy they can terminate the SSL {encrypted} connection then log/monitor/modify it in plain-text, re-encrypted it and send it onto the End-Server {Facebook.com}.

And if it's a Company system with the ROOT Cert of the proxy installed you would not even get a popup Cert mismatch so it would look like perfectly secure to the end-user.

As stated above you need to first do the follow:

#Contact HR and request a copy of their "Data Privacy Policy" { Make sure you ask for the copy that was in effect during the time range of the posting to facebook, best to ask for all revisions}

#Contact IT and request a copy of their "Acceptable Usage Policy" { Make sure you ask for the copy that was in effect during the time range of the posting to facebook, best to ask for all revisions}

#Contact the Data Protection Agency.

#Also is this an Irish company and if not are you paid out of a different country since they can effect what laws apply to you and them.

#Ask for all request to be given on company headed paper that is signed and dated by the requester.

EDIT:

Also remember just because something is in a policy and they say you signed it does not mean they are legally allowed to ask for or have that info.
There are a lot of rights you can not legally sign away.

Solair wrote: »

All they could look at is whatever traffic passed over their network to Facebook, assuming they could capture / access it.

The most likely data they would have is either:

1) Nothing
or
2) A record of the fact that someone logged into Facebook at a given time. Facebook's passwords are transmitted using HTTPS (encrypted), so they'd be inaccessible anyway.

HellFireClub

I'm seeing a lot of legal talk on the thead, and I'm going to come at the problem from a different angle....

OP, do you really want to be working in a place where this kind of hopelessly counterproductive paranoia is what a manager is focussing on???

If your particular manager or the management team are spending their time attending to these kind of "problems", who is looking after the actual running of the business???

If I was you, I'd take this as a sign that you are working in the wrong employment. Recession or not, a company with these kind of managerial priorities, where hours of the day are committed to trying to scare and torment staff in this manner, is going nowhere in my opinion.

bbam

dlofnep wrote: »

Tell them to get stuffed - What you do in your private life has nothing to do with work. Tell them that when they start paying you for living your own life, then you'll think about it - until then, piss off.

But if the activity on Facebook happened on company equipment on company time then it is very much their business and they have a right if not a responsibility to investigate into it...

If nothing else the manager could easily claim that he was being bullied by this activity which is happening during company time on company equipment...this would really put pressure on the employer to act.

I wouldn't agree with the passwords being requested and I think some of the previous advice from others on how to respond is appropriate...

My only addition is that if pressure is applied to you for your password you are entitled to see the grounds for this request... they would need some hard evidence that you/your account has been directly involved in the inappropriate activity.

I've seen a similar case where ALL employees accessing a particular site were given verbal warnings..

Max Power1

Solair wrote: »

From what I know of Facebook (and I am open to correction) only the passwords are transmitted using HTTPS. The normal web pages are displayed unencrypted. So, it is probably open to interception without much difficulty.

You can opt to use https or http connection in the account settings.

doolox

.....whats to stop the company using the facebook account to enter libellous remarks in order to set you up for a fall????

Under no circumstances give anyone your password to such systems.

Also never give a password to email etc to anyone in or out of your company, you are responsible for all content on your accounts.

Irish_Elect_Eng

john178 wrote: »

Where I work some of the employees have been discussing the job on Facebook – many of the workers are "friends" with each. Recently two members were found to have said something negative about one of the managers. Now this has turned into a major situation and the manager is talking about dismissal if staff are found defaming the company.

In a effort to clear this up we have all been asked for our Facebook passwords. Although I'm not directly involved I don't want to give up my password. Is there some kind of law that protects my privacy in this situation?

While I appreciate the conversation with respect to privacy etc...

There has been little consideration of the victim in this story, a manager is simply an employee on a higher pay grade and is deserving of the normal consideration of privacy, a safe work environment and no bullying...etc...

The OP posted "Recently two members were found to have said something negative about one of the managers "....So taking it as a fact that they were guilty of bad-mouthing a fellow employee....and that at leas one co-worker was responsible and honest enough to report the abuse to the manager

And "...some of the employees have been discussing the job on ...dismissal if staff are found defaming the company..." .....and taking it that the staff were bad-mouthing the company as well, not unreasonable to assume if they were wiling to bad-mouth a co-worker....

So a worker, that finds out that people that he pays to work are badmouthing him and his company..... I can understand how he makes a mistake and asks for their passwords....and I can also see how he will view the people that correctly deny his access to see if they were joining in...

I fully support peoples right to privacy, but I equally support peoples right not to be bad-mouthed in cyber-space by people to cowardly to tell them how they feel to their face...


Every story has two sides, I am just trying to reflect another possible reality... Managers are people too :-)

Owen

I can't find it now, but this exact issue cropped up on slashdot.org a while back, but it was discussed to death with a few hundred comments. It basically wound up advising the OP to tell the company to STFU.

Owen

Ah, turns out I found an article relating to it. An America company requested Facebook passwords for employees, and the ACLU took up the case in the States. About a year later, the company reversed its decision to ask for the passwords :

http://yro.slashdot.org/story/11/02/23/1813242/Employer-Facebook-Password-Requests-Suspended

And the original story :
http://yro.slashdot.org/story/11/02/19/1746256/Employer-Demands-Facebook-Login-From-Job-Applicants

Spacedog

what company do you work for?

name and shame!

Owen

Sounds like my old workplace.

Eoin

Spacedog wrote: »

what company do you work for?

name and shame!

No thanks. We are only getting one side of the story, this isn't a place for witch hunts.

Pembily

Spacedog wrote: »

what company do you work for?

name and shame!

That really wouldn't be the best idea as we only have one side of the story!

I agree with others saying don't give the passwords you have no obligation, defo check out the Data Protection but I also agree with (Irish_Elect_Eng) this manager has been bullied (and yes that is what that is) and while inappropriately he / she is trying to sort out the matter. It is a very grey area and the best practice is to NEVER EVER, EVER mention your work place or anything work related (God I am bored during your working day) on Facebook / Twitter / Boards. BAD, BAD, BAD idea!

godspal

People horrible things about their bosses all the time... Bullied... that's ridiculous.

Saying you boss is a dick over coffee is no different than saying you boss is a dick in cyberspace. However, it was very unprofessional for people to post it on facebook. And it absurd to ask for their password, and log-in details.

@Irish_Elect_Eng:

I equally support peoples right not to be bad-mouthed in cyber-space by people to cowardly to tell them how they feel to their face

I want you to go up to a person in your workplace that you have told other people you don't because of A, B or C, and explain to them in detail why you don't like them, or by your logic you're a coward.

bbam

godspal wrote: »

Saying you boss is a dick over coffee is no different than saying you boss is a dick in cyberspace.

Well, there may be a group of 6 or 8 people over coffee where you share your

On the internet the number of people you are broadcasting to is much greater, potentially thousands could view what is posted and unless removed/censored it will be there for people to go and see for some time...

There is also the double whammy of being disciplined for inappropriate behavior towards another employee AND abuse of the company systems, any good manager would topple both onto you and increase the potential outcome of a disciplinary procedure.

It's also not for anyone to pass judgment on what another person feels is bullying, it's a personal thing... joking to one person is bullying to another.

godspal

@bbam
The original poster said nothing about them using the computers at work for Facebook.

And yes bullying is really only bullying if the person who is suffering the abuse deems it so.

But unfortunately if you are a manager you are going to have to make decisions that some people don't like, and if you can't handle some negative comments from your employees then you shouldn't be a manger.

gline

lol @ asking for facebook passwords.

Does your company even have a HR department? Because if they did the manager would not have asked for those passwords, it has nothing to do with work what-so-ever. You sure the company arent just looking for ways of getting rid of people? I couldnt imagine any professional asking their employee for a password to a personal account on any website...its nuts

I really wouldnt worry about this, there is no way they can force you and if they do, judging from previous comments you can take them to court.

If your cheeky and they dont know your username, give them a fake password but tell them they cant have your username

This is a bit of a warning though, dont use any social site to talk about your job or workplace

Craigels

is the company penneys by any chance ?

Craigels

Bump!

Mrs OBumble

Enough of the bumping.

The employer isn't going to be named here, boards doesn't need the legal hassle of that.

The OP's had plenty of good advice, which is what the thread was for. So I'm closing the thread. Anyone who's got a good reason to open it again is welcome to PM me.