Passwords requested for social network sites

LegacyUser

Where I work some of the employees have been discussing the job on Facebook – many of the workers are "friends" with each. Recently two members were found to have said something negative about one of the managers. Now this has turned into a major situation and the manager is talking about dismissal if staff are found defaming the company.

In a effort to clear this up we have all been asked for our Facebook passwords. Although I'm not directly involved I don't want to give up my password. Is there some kind of law that protects my privacy in this situation?

Eoin

That access doesn't sound reasonable at all. Even asking to be facebook friends with your account would be OTT, let alone asking for your logon credentials.

This page might be a good starting point, but it doesn't seem to cover this scenario.

I imagine that at most, they could check what you might post on facebook at work by monitoring the internet traffic, but asking you to give your login details is a bit much. And even then, the office of the Data Protection Commissioner says the following:

The advice of this Office is that every employee has a legitimate right to expect a certain amount of privacy in a work context. The key point is that the employer needs to have a clear policy that is made available to all employees in relation to whether personal use of employee equipment such as email or the internet is allowable. If an employer does not allow any such use then the employee should not use these systems for their own use. Such a policy will allow more ready access to an employee’s email and internet records by an employer as the employee should not be making use of them for a personal purpose. However, even in such circumstances ongoing monitoring is never considered proportionate and access should be in response to a reasonable suspicion.

Hopefully someone can post a link with more explicit wording that you can use.

daheff

Hi Eoin

I think that is just for using the companies infrastructure to access the internet/email.


In the OPs case, somebody could legitimately be using Facebook without using the company infrastructure and still are being required to provide this info.


OP- tell your company to get stuffed. There is no more a case to give the company your Facebook password as there is of giving them the PIN to your ATM card.

Forest Master

This is ridiculous - don't give it out under any circumstances - don't even entertain discussing it. If you get asked for it, say "I wasn't involved in any of the activity or incidents you're looking into, but my solicitor has my password - if you want it, contact him/her".

This is absolute boll*cks & nowhere near enforceable.

kippy

It is moronic for people to be discussion work/mentioning names of people at work on a public forum/facebook and I believe that these kind of things do leave people open to litigation.
That being said - I don't think an emplorer can expect to get passwords for non work accounts off employees however if this goes down the legal route there could be issues.

v300

Tell them you'll need the request in writing on headed company notepaper signed by the HR manager, CEO, or accountable manager, as you'll have to discuss this first with your union / solicitor / representative body first, and once the request iss received in paper form that you'll get back to them with an answer ASAP.

I would reckon you'll never get that request in writing, and if they are as cheeky or stupid to actually issue the letter to you, then you have written evidence you can nail them in court with for abuse, having nicely framed that abuse in context with a solicitor who will place the abuse under under one or more covering Irish laws.

crotalus667

kippy wrote: »

I don't think an emplorer can expect to get passwords for non work accounts off employees however if this goes down the legal route there could be issues.

if you use a company pc/laptop/network you should be aware that your login details are no longer only in your head they are where the company can retreive them, afaik it is still breaking the law to use them, there is also a recored of every page you have visted and that can be pulled up again if the company want to pay the tec expert to do so

kippy

crotalus667 wrote: »

if you use a company pc/laptop/network you should be aware that your login details are no longer only in your head they are where the company can retreive them, afaik it is still breaking the law to use them, there is also a recored of every page you have visted and that can be pulled up again if the company want to pay the tec expert to do so

Indeed, I am aware of that.

TheCosmicFrog

That is a completely unreasonable request and one that they cannot do without first going to the Gardaí, who would more than likely require some form of search warrant in the first place.

Rython

I reckon your completely safe in politely declining. As far as a court would see it, its no different to asking to search your house. Its your private space they have no right to it. If they really have a case for getting in let them get a court order.

Your best port of call for accurate info is to get in touch with the data protection commission, if its protected they'll know for certain.

Rython

TheCosmicFrog wrote: »

That is a completely unreasonable request and one that they cannot do without first going to the Gardaí, who would more than likely require some form of search warrant in the first place.

The Garda would tell them to go jump, its not a criminal matter so the guards have nothing to do with it. A court could grant access in a civil action though.

Solair

Your Facebook account is yours, it has nothing whatsoever to do with your employer. If they want to monitor people's use of Facebook e.g. wasting time at work, then they're can certainly do that on their own network. They can also, with reasonable cause, snoop into company email accounts or telephone logs.

However, your Facebook account is a private account on a third party system (i.e. Facebook) which they have absolutely no rights to access.

It's no different from your HR manager or whoever suggested this demanding your house keys so that he/she can route through your underpants drawer.

First call the Data Protection Commission :

http://www.dataprotection.ie/docs/Contacting_Us/11.htm

Then if you are speaking to the manager:
1) If you're a member of a trade union, call them IMMEDIATELY.
2) Explain that you had nothing to do with it.
3) Put the request in writing (on headed paper and signed by the HR manager) so that you can have it run past a solicitor or hold it against them should they attempt to fire you.

They have no more right to access your Facebook account than anyone on boards.ie or walking down the street has.

If he wants to start defamation proceedings against the person(s) he/she thinks were involved, then he should do that. It will cost a fortune and if he loses he'll have to pay the other person's costs.

Accusing non-involved third parties of defamation could actually be quite a legally dangerous thing for him to do too.

If I were him, I would just make a general statement about it and then back off.

Also, by giving a third party your Facebook password, you are giving them access to information they have no rights to which could mean that you are breeching the Data Protection Act yourself.

Technically speaking, it could be argued that you would be providing complete access to a private network where information about third parties is stored.

In general, anything you put on a social network should be suitable to be "published" as that is exactly what you are doing with it and Facebook is about as private as having a chat in a crowded pub. Even when you think you're in private, you usually aren't.

godspal

Your company sounds quite pompous.

To call a negative comment or reflection defamation is absurd, first of all by stating that it is defamation they are saying that the comment hurt or damaged the companies reputation in a financial way. Secondly, they are saying that what the worker said was untrue.

After that for them to call for your passwords, bollocks to that. Tell them no, you have a right to protect your private information, and you have to right to protect your good name, and anything that could be associated with your good name.
If they threaten you with anything, call their bluff. If they do end up reprimanding you, call a union official, and start legal proceedings.

Another thing you're company should know, is that if they sue any of their employees who use a website, the person can defer legal proceedings, say that they are not the publisher of this information, but rather facebook is. And consequently your company will have to sue facebook.
While this law is incredibly dated and stupid, this is probably the first time I could think of it being used in a positive way.

Eoin

daheff wrote: »

Hi Eoin

I think that is just for using the companies infrastructure to access the internet/email.


In the OPs case, somebody could legitimately be using Facebook without using the company infrastructure and still are being required to provide this info.


OP- tell your company to get stuffed. There is no more a case to give the company your Facebook password as there is of giving them the PIN to your ATM card.

Yep - it was just the closest thing that I could find (and why I said "they could check what you might post on facebook at work").

Solair

All they could look at is whatever traffic passed over their network to Facebook, assuming they could capture / access it.

The most likely data they would have is either:

1) Nothing
or
2) A record of the fact that someone logged into Facebook at a given time. Facebook's passwords are transmitted using HTTPS (encrypted), so they'd be inaccessible anyway.

Plates

crotalus667 wrote: »

there is also a recored of every page you have visted and that can be pulled up again if the company want to pay the tec expert to do so

Including this thread.....which now makes you involved.

Eoin

They could possibly capture the contents of any updates though, as I don't think that's done through SSL.

Anyway, that's beside the point - the OP isn't saying anything about work, and hopefully not using it during work, so there shouldn't be an issue.

It's not reasonable to ask for the logon details, so I'd refuse, or ask that it's given in writing and you'll take it from there, as others have suggested.

Also, I'd do "unfriend" any of your colleagues, so work can't browse to you through any other profiles, and also hide as much of your details as possible to people you aren't friends with.

Solair

That's a very good point:

Go into your privacy settings and make sure that everything's setup so only your friends can see it.
Then remove your colleagues. It's quite simple to do.

D-Generate

Delete work colleagues and just say you don't have a Facebook account.

LegacyUser

Hi OP again here. Thank you all for your helpful replies. Just a little more info;

– Yes, the use of company computers isn't an issue, we have limited access to them and most people have smart phones using their own mobile networks.

– The two people involved have refused to give any details, so others that have friended them are being asked for info. This is because the manager has no "friends", he/she has just heard rumors back (I don't really want to go into more specific information).

– I've a dilemma as I don't want to stick out if others are going with it. I'm worried that they'll find something else to reprimand me with.

tricky D

Rython wrote: »

The Garda would tell them to go jump, its not a criminal matter so the guards have nothing to do with it. A court could grant access in a civil action though.

Section 8 court discovery order for DPA protected data.

This thread has some info on this kind of matter: Why keep yourself anonymous?

Eoin

If you don't want to be too confrontational, then you could take the easy way out and set up a new account, like a few random pages and so on. Tell them as a compromise, they can add you as a friend. Then just never touch the account after that.

I know that's not addressing the principle of the issue, but it could make for an easier life.

john178 wrote:

so others that have friended them are being asked for info.

If you're friends with them on facebook, remove them immediately.

Maldini2706

Just for the record, you can't defame a company, you can only defame individuals. This request sounds extremely dodgy, an employer has no right to invade an employee's privacy like this. Your employer could be entering unfair dismissal territory here.

Eoin

I found this on the dataprotection.ie website, which might help:

1.5 What is excessive information?

The Data Protection Acts require that only the minimum necessary personal data should be sought and used to allow for the performance of the function to which it relates. This requires a Data Controller in all situations to be certain that the data that is being sought is appropriate to the reason for which it was sought. A data controller must be able to show that each piece of personal data sought from a person is needed for a legitimate reason. Where data is not needed for the reason for which it was sought this would constitute a breach of the Data Protection Acts.

ROS123

Maldini2706 wrote: »

Just for the record, you can't defame a company, you can only defame individuals. This request sounds extremely dodgy, an employer has no right to invade an employee's privacy like this. Your employer could be entering unfair dismissal territory here.

http://www.takelegaladvice.com/news-and-information/legal-articles/Defamation/Defamation/
Can a company sue for defamation?

An action for defamation can also be brought by: a company, in respect of statements that damage its business reputation.


Dont know whether this applies in Ireland though?

TheCosmicFrog

Very interesting and helpful information in this thread!

sharingan

john178 wrote: »

– I've a dilemma as I don't want to stick out if others are going with it. I'm worried that they'll find something else to reprimand me with.

Most online services do not permit you to share your passwords with any 3rd party.

As a general rule, do not friend work colleagues on social networks for this reason.

Only act on these requests if you get it in writing. Also print of all e-mails. Get it in writing from the original requester and then get it from someone in HR & Legal.

If they decide to escalate this into something nasty, they have to make it official and you have legal recourse then.

Solair

The basic advice:

1) It's a breech of Facebook's T&Cs to divulge your password to a third party.
2) It's possibly a breech of the data protection act (on your part) to do that as your Facebook account contains private information about third parties.
3) It's possibly a breech of the data protection act (on your employer's) part to request or use that information.
4) As what they are requesting is unreasonable, and possibly illegal, if they dismiss anyone they could end up facing unfair dismissal proceedings.

So, in conclusion:

Ignore the request and "defriend" your colleagues on Facebook.
If any pressure is put on you to divulge the password or your job or promotional prospects are impacted upon, contact a solicitor who has expertise in employment law, or your trade union (if you have one).

Your employer should also bear in mind that what they are doing could be construed as blackmailing someone to give them log in credentials for a private system. If they are accessing the site with your credentials they have no authorisation to do so, so technically speaking it's hacking.

It's a legal Pandora's box that, if I were them, I would not open!

This is why anyone who is dealing with HR policies should really consider doing a HR qualification!

Inspector Gadget

Wow. This is scary stuff. I am most certainly not a lawyer, before I go on, and have never had a Facebook account (very much on purpose!), and this is one of those situations where I'm damned glad of it.

I just wanted to add something in respect of HTTPS in the workplace (or on any network you don't control, for that matter) - it's possible to intercept HTTPS traffic quite easily if you do a man in the middle attack. The trick is that you have to install a certificate for Facebook (or whoever) in the client's browser which purports to be for your site of choice, and then (with the help of slightly modified DNS records) a device on the network can intercept your traffic, decrypt it, read/store it, and then re-encrypt it and pass it on via HTTPS to Facebook (using the correct details) leaving the user none the wiser.

This does require that the people doing the snooping can install these SSL certs on your work machine in order to appear transparent (your browser will throw an error otherwise, but most people will click through it), but if it's a work machine, it goes without saying that this is possible. For the rest of us, if you're using Firefox, there's a natty add-on called CertificatePatrol that can help warn you about this sort of thing.

The best thing to do is to *NEVER* do anything like that (including posting to boards.ie) from a company machine. I suspect that asking for a request for your password in writing on headed notepaper from a suitably senior figure (whoever that'd be in your company) as you'd need to consult with your solicitor/union rep would be enough to stop anyone with half a brain in their tracks. Usually, the word "solicitor" on its own causes alarm bells. It is important that you do go through with it if they call your pseudo-bluff though; there's no way in hell that this is remotely legal, and I'd get a copy of the EULA/whatever from Facebook and pore over it too; as someone suggested, I don't think it's legal for you to turn over your password to a third party, as someone has already stated.

Solair

I don't think the OP's issue is that the access was carried out over a company's network or from a company's computers. So, I don't think it's anything as complicated as intercepting traffic.

Rather, it seems like a manager in the company suspects that something negative has been said about "a manager" on Facebook and they are trying to access that information indirectly by going through uninvolved friends of colleagues' Facebook accounts.

From what I know of Facebook (and I am open to correction) only the passwords are transmitted using HTTPS. The normal web pages are displayed unencrypted. So, it is probably open to interception without much difficulty.

Inspector Gadget

I'm aware of that, but as someone earlier just said "use HTTPS", I wanted to point out that it won't necessarily help.

As far as I know, as of a couple of months ago following the whole Firesheep thing, it's now possible to SSL for the entire Facebook session, not just the login. Really, it's just Yahoo! Mail of the big services (and before anyone decides to start Yahoo bashing, they are still the largest webmail provider on the planet by a country mile, irrespective of whether they're any good or not) that hasn't caught up on this. Speaking of Firefox plugins, try HTTPS Everywhere (from the EFF) to automatically enforce this.