Social Media Employment Background Checks: Sounding the Call for Regulation

/

Digital “footprints” on the internet may have an impact both pre-employment and post-employment, and these impacts may disproportionally affect non-mainstream groups whose information is being assessed against standards that are undisclosed and unregulated.  

A recent study (released 21 November) by Alessandro Acquisti and Christina M. Fong of Carnegie Mellon University explores this phenomenon.  Starting with actual information revealed on social media sites, the team created resumes, professional network profiles, and social network profiles.  The resumes were submitted to 4,000 real job opportunities with US employers.  The online profiles were then tweaked by the researchers to be revealing of either religion (Muslim or Christianity) or sexual orientation (homosexual or heterosexual) of the individual, while otherwise equivalent to each other.   

Interestingly, the study did not find that sexual orientation created significant differences in interview requests, but across the US the “Muslim” candidate received 14% fewer interviews than did the “Christian” applicant.  The variation by religious affiliation was especially pronounced when correlated with conservative political indicators by geographical region (areas that favoured conservative candidates in the last national election).  An online component of the study using the same (manipulated) profiles produced similar responses. 

Further, the study suggests that between one in three and one in ten employers were searching online for information about job candidates.

magnifying glass.jpg

This number is at the low end of the scale, but not inconsistent with previous research.  For instance, a 2007 survey of 250 US employers found that 44% of employers used Social Security numbers to check into the backgrounds of job candidates.   2006 survey data from ExecuNet demonstrates a similar pattern, with 77% of executive recruiters using web search engines to research candidates and 35% of those stating that they had ruled candidates out based on the results of those searches.  In 2009, Harris Interactive research showed 45% of employers doing background checks that included social media, while a 2012 Career Builder study showed that two in five employers used social media to check out prospective employees, and of those who did not do so, 11% indicated they planned to start. 

Although the Carnegie Mellon study was focussed on the effect of two narrow characteristics, the authors expressed concern that particular identifiers may not be the only factor exerting an influence on employment decisions. The mere fact a candidate chooses to post such information online may itself lead to inferences and conclusions by prospective employers. 

Acquisti & Fong note that prospective employers who inquire about religious affiliation during an interview open themselves to liability under federal or state equal employment opportunity laws—and also that the US Equal Employment Opportunity Commission has publicly cautioned against the use of online searches to investigate protected characteristics. 

Similarly, in Canada there is no explicit liability in the act of searching, but rather in the issue of whether hiring decisions are being made based on inappropriate criteria.  In other words, it isn’t just a matter of information found in such a search, but also in the (potentially unfair, possibly gendered, classed or sexualized) inferences that may be drawn from the search.

Though the study focussed on pre-employment checks, the issue of online searches does not become moot after an applicant has been hired.  PIPEDA applies to personal information about any federal employee, and other jurisdictions may also cover such information under some legal framework.  This protection is important because online searches may be a tool in disciplinary investigations. 

Self-censorship or meaningful regulation?

The conventional wisdom, of course, is always that individuals must take responsibility for their personal information and should carefully control what information is available online. 

This study is another confirmation that employer (and other institutional) use of online background searches, including social media sites, is an ongoing and increasingly normalized part of the employment relationship.  Given that this information is being accessed and used in pre- and post-employment situations, it is clear that such practices should be examined and regulated. This is necessary to ensure that, at the very least, only information that is correct and relevant will be used, and that the individuals impacted are aware of its collection and use. Mechanisms for the challenge, correction and redress of misinformation need to be established.

This is an emerging and accelerating challenge to individual privacy rights.  Policing the misuse of personal information should not be left as an exclusively individual responsibility – systemic utilization of such information requires a systemic policy and response. 

 

Online Privacy Rights: making it up as we go?

/

In the September 2013 Bland v. Roberts decision, the Fourth US Circuit Court of Appeals ruled that “liking” something on Facebook is free speech and as such should be afforded legal protection. This is good news, and while there has been extensive coverage of the decision, there are important implications for employers and employees that have not yet been fully explored.

The question is how far can an employer go in using information gleaned from social media sites against present and future employees?

Bland v. Roberts: about the case

The case was brought by employees at a Virginia Sheriff’s office whose jobs had been terminated.  The former employees claimed that their terminations were retaliation for them “like”-ing the campaign page of the Sheriff’s (defeated) opponent during the election.  Even though the action was a single “click”, the Court determined that it was sufficiently substantive speech to warrant constitutional protection.

Social media checks v. rights of employees

This decision has major implications for the current practice of social media checks of potential and current employees.

More and more that more and more employers are conducting online social media background checks in addition to criminal record and credit bureau checks (where permitted).  A 2007 survey of 250 US employers found that 44% of employers used social media to examine the profiles of job candidates.  Survey data from ExecuNet in 2006 shows a similar pattern, with 77% of executive recruiters using web search engines to research candidates and 35% stating that they had ruled candidates out based on the results of those searches.

Legal and ethical implications of social media checks

Federal and provincial human rights legislation in Canada stipulates that decisions about employment (among other things) must not be made on the basis of discrimination for protected grounds. Employers and potential employers are required to guard against making decisions based on discriminatory grounds.  These have been refined through legislation and expanded by court decisions to include: age, sex, gender presentation, national or ethnic identity, sexual orientation, race, and family status.   

surveillance.jpg

Social media checks can glean information actually shared by a user (accurate or not), but also can fuel inferences (potentially unfair, gendered, classed or sexualized) drawn from online activities. 

For example, review of a given Facebook page may show (depending on the individual privacy settings applied):  statuses, comments from friends and other users, photographs (uploaded by the subject and by others), as well as collected “likes” and group memberships.  These can be used to draw inferences (accurate or not) about political views, sexual orientation, lifestyle and various other factors that could play into decisions about hiring, discipline or a variety of other issues concerning the individual. 

Online space is still private space

The issue of social media profile reviews is becoming an increasingly contentious one. An employer should have no more right to rifle through someone’s private online profile than through one’s purse or wallet. With the Bland v. Roberts ruling and its recognition of Facebook speech as deserving of constitutional protection, important progress has been made in establishing that online privacy is a right and its protection is a responsibility.

BYOD: "bring your own device" & privacy

/

margin notes:

  • The phone you carry with you every day might not be "yours". It reports on where you go and the information on it—personal or not— may not be private.

 

  • You wouldn't expect your employer to have the right to watch you when you use a toilet they own, why is it okay to watch you what you do on the phone? 

 

  • We are increasingly expected to be available/accessible via technology for work 24/7—as the lines between personal and professional time are blurring, individual privacy is being sacrificed. 
privacyeraser.jpg

The days of 9-5 jobs seem to be long gone for many of us. 

Emails, phone calls, consultations with clients or with team members who are dealing with clients – these are increasingly a regular feature of life whether we are in the office or out of it, during “office hours” or not.  As Dr. Melissa Gregg notes

For those in large organisations, mobile and wireless devices deliver new forms of imposition and surveillance as much as they do efficiency or freedom, and with email increasingly considered an entrenched part of organisational culture, ordinary workers are finding it necessary to develop their own tactics to manage a constant expectation that they will be available through the screen, if not in person.

 

Given the constant expectation of availability, employees are increasingly using smartphones, tablets and the like.   It is important to note, however, that just as the work day is now bleeding into personal time, so too do personal communications use and work communications use become increasingly blended.  Whether the smartphone or tablet is issued by an employer or belongs to the employee, the fact remains that often work and personal communications take place on the same device(s).    This phenomenon is discussed under the term “BYOD” (Bring Your Own Device).   In this piece, that term will be used whether the device is in fact supplied by the employer or is a device owned by the employee but being used for work purposes.

This collapse of the professional and the personal creates issues and concerns for both parties to the relationship.

For the employees, it is the risk of exposing personal information to the employer as well as the possibility that the employer might be able to use such information for disciplinary or other purposes.  In a recent online survey of employees in the US,UK and Germany, MobileIron found while 80% of respondents were using personal devices for work, on average only about 30% of employees “completely trust their employer to keep personal information private and not use it against them in any way.”  As for what information was actually accessible to employers, 41% of those surveyed believed that employers had no access to the information on their device, 15% simply weren’t sure what information was accessible, and fully 44% were confident that employers could see data but were unsure what specific data might be accessed or reviewed.    When asked about the level of concern for various types of information that was or might be on the device, respondents indicated that:

  • Personal email and attachments: 66%
  • Texts: 63%
  • Personal contacts: 59%
  • Photos: 58%
  • Videos: 57%
  • Voicemails: 55%
  • All the information contained in all the mobile apps: 54%
  • Details of phone calls and internet usage: 53%
  • Location: 48%
  • List of all the apps on the device: 46%
  • List of just the apps used for work: 29%
  • The information in the apps used for work: 29%
  • Company email and attachments: 21%
  • Company contacts: 20%

Employers are also at risk. 

Employers are responsible for the security and safeguarding of information, and therefore must in the first place be aware of the issue in the first place.  Workplaces may well have policies in place explicitly forbidding the use of work devices for personal communications, but this does not guarantee the policy will be adhered to.  A survey conducted by Aruba Networks found that approximately 17% of 3,500 EMEA employees failed to declare their personal devices to their IT department – it is impossible for IT departments to ensure proper upgrades and security to devices of which they are not even aware.  This of course presumes that IT departments do have in place procedures for dealing with such devices and guarding against data loss or leakage  – a recent Acronis survey showed that only 31% of companies even mandated a password or key lock on such personal devices, while only 21% wiped company data from the device when an employee leaves the company. 

That same Acronis survey revealed even more gaps in business understanding and treatment of BYOD – first of all, 30% of organizations were still forbidding personal devices from accessing the network.  Of the others, only 40% had any kind of personal device policy in place.   Finally, whether there were actual policies in place or not, over 80% of organizations revealed that they had not developed or provided any training to employees about BYOD privacy risks.  The failure to do so, of course, assists in the perpetuation of the problem, since failure to educate only exacerbates employee ignorance of risks, failure to declare devices to IT, and uncertainty and concern about employer access to information on the device.

 

It should be noted that while the Supreme Court of Canada has not yet had occasion to consider BYOD explicitly, in 2012’s  R v Cole  decision which dealt with a teacher’s work computer on which a file of pornography was discovered the Court was willing to find that the teacher’s subjective expectation of privacy was reasonable in the circumstances (although ultimately the illegally obtained evidence was admitted).  Again in this case while we see a Court wrestling with various public policy issues, writing for the majority, Justice Fish noted that:

[2]    Computers that are reasonably used for personal purposes — whether found in the workplace or the home — contain information that is meaningful, intimate, and touching on the user’s biographical core.  Vis-à-vis the state, everyone in Canada is constitutionally entitled to expect privacy in personal information of this kind.
[3]     While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely: The nature of the information at stake exposes the likes, interests, thoughts, activities, ideas, and searches for information of the individual user.

What then should an employee do to protect her privacy on a shared workplace/personal use device?  Well, when meeting a friend after work the other day I was surprised when she set down both a Blackberry and a smartphone on the table, and seemed to alternate her use between them.  Eventually she explained that the Blackberry was work-issued and she used it only for that purpose.  The smartphone, on the other hand, was her personal device and she said the monthly plan was a small price to pay to be sure of the security of both her own personal communications and those of her organization. 

It may be a hassle to tote more than one device around with us, but until there are better policies, procedures and understandings in place around BYOD, it may be the best approach.