The Facebook Snatchers: Could your Employer Hijack your Account?

Let's assume you are employed, use Facebook, have a decent grasp of privacy settings, and want to occassionally express your opinion. Welcome to Facebook Club. The first rule of Facebook Club is “Do not friend your employers.” The second rule of Facebook Club is “DO NOT friend your employers.” We all know about the tragic consequences that can follow the violation of these simple rules. One click on a friendship request turns your computer into an Orwellian telescreen and suddenly your boss can monitor your “Am I bedridden or at the ballgame” status.

But the government of Bozeman, Montana elected to bypass the covert survellience of social networks. Instead, it opted for the overt. Until last Friday, all applicants for city jobs in Bozeman were required to “list any and all current … memberships on any Internet-based chat rooms, social clubs, or forums, to include, but not limited to: Facebook, Google, Yahoo,, MySpace, etc.” Oh, and after you list your username, be sure to give us your password.

That’s right. A city in Montana demanded unlimited access to the digital identities of its employees in a sort of never-ending background check. According to Greg Sullivan, Bozeman’s city attorney, these investigations “make sure the people that we hire have the highest moral character.” I’m shivering just writing about it. Let’s list just two of the inexhaustible ways this sort of access could be abused:

  • Invites prohibited discrimination since the employer has access to private information that would otherwise be improper to query (e.g. sexual orientation, religion, marital status).
  • Allows the employer to view the information of friends of the applicant, thereby violating their privacy (and causing them to inadvertently break the first and second rules of Facebook club).

Bozeman recently shut down its division of the Thought Police. After receiving an anonymous tip, Montana News Station ran a story on the disclosure policy on June 17. The sheer insanity of the story, which helpfully pointed out that Bozeman’s policy likely violated Art. II Sec X of Montana’s constitution, ensured its rapid dissemination. Soon, denizens of the Twitterverse and the blogosphere began to bombard the city with emails, stating that the city’s approach violated the terms of service of nearly every social networking site. Just about everyone called for the elimination of the policy. Two days later, the policy was no more. And there was much rejoicing.

But I’m not ready to join the dancing ewoks just yet. True, the Twitter-assisted campaign (check #bozeman or #privacy) caused a city in Montana to back down. But I’m not so certain this type of social hijacking won’t be adopted by other agencies. After all, we already know that the CIA is keen to exploit Facebook. Under HIPAA, some employers may force applicants to release their medical records; why not require them to open their digital souls? Recall also that the Montana’s constitution expressly mentions a right to privacy, a clause that is conspicuously absent from the Constitution.

So while I applaud the Twitterati for successfully mobbing a (genuinely) guilty party, I do not think we are out of the woods yet. Next time I am chatting with one of my DC friends on Facebook, I won’t be able to shake the feeling that I might be talking to a doppleganger. I know this sounds like a fear out of a horror movie. But in an atmosphere of domestic surveillance (oh-so-well supervised and properly employed), is this scenario really so farfetched?

(Andrew Moshirnia is a rising second-year law student at Harvard Law School and a CMLP legal intern. He neither laughs nor cries and walks suspiciously straight. This is perfectly normal. Move along.)


Subject Area: