It’s rare for me to agree with something Facebook does, but this one is a complete no-brainer: they don’t think sharing your passwords is a good thing.
This has been going on for a while in various forms, and not just on Facebook. There have been lawsuits that demand Twitter account information - not just what was posted by whom, but the account passwords too. The most notable of these happened during the Wikileaks investigation.
If password disclosure happens during an official investigation, that’s pretty much overboard and condemnable. But at least it’s something that just warrants a stern warning - we can at least trust the officials to employ some care in handling that private information. It’s evidence in an investigation, and it shouldn’t fall into the wrong hands. There are lots of laws in place to ensure that these officials do the right thing, right? If they screw up somehow, heads will roll.
So, of course, what’s more worrying is that similar stuff is actually happening in the private sector.
Allow me to illustrate this thing with something that was in the news today: When the recording and movie industry failed to get SOPA - their preferred censorship law - going, they got the ISPs to do their bidding in private.
Aware of the situation, the ordinary Internet users were quite happy to tell their fine legislators that SOPA sucked. The legislators agreed. It’s a rare day to see democracy work as well as it should.
And the recording industry says “ha ha, no, let’s do this shit anyway.”
Here’s the thing: companies want to operate outside of the law. They want a 6-year-old’s idea of anarchy. They think that all they need to do to operate in peace is to make agreements and contracts, and that’s how the world is going to get saved.
But realistically, anarchy only works when we have a group of people who decide what’s best for the people, and people have a visible assurance that these people really are doing their job properly. It never works when it’s a small group of people who decide what’s the best for them, all the while they should be also considering the well-being of a huge group of people.
Society is made up of people. Consumers. If these privately-agreed-upon laws the companies make completely disregard the will of the consumers, you don’t need to be a rocket scientist to see where the problems arise.
So when companies want to conduct investigations on people, we have no reason to believe they are operating with an eye toward the privacy and well-being of the said people. We can only place that trust in the government, because the government is actually subject to the popular demand. We had the good luck of getting the laws up that dictate exactly what can be done.
To the no-brainer part: Why shouldn’t you give your Facebook passwords as a part of a job interview?
Because that’s your identifying information.
Other people and organisations have, under certain limitations, the right to know something about you. Usually, this is rightfully limited to whatever you want to tell them.
But they have no plausible reason to demand identifying information beyond authentication.
If you post a comment on this blog, you can use OpenID. You can supply your blog URL, and hey presto, I know who you are. You have been authenticated by your blog software or OpenID authentication provider. All that I will know as a result is that the comments you posted are, without a reasonable doubt, posted by the same person - or at least they were posted using the same account.
But that authentication process is actually between you and your own blog software or OpenID provider. I don’t give a damn about your password. My blog software doesn’t record it, because it never sees it. All it sees is a positive or negative response from your authentication component: “are you, or are you not, this particular user of this website?”
You notice I never asked what’s on your website. Authentication is completely separate from what you’ve actually done on your website, much as it has nothing to do with what you actually post here. What I store here is just your comment, and a URL that identifies you.
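The yes/no exchange described above, as an added example that is not part of the original post and is not the real OpenID wire protocol: a simplified model in which the provider checks the password and the blog only verifies a signed, single-use assertion. The class names, the `blog-1` handle and the HMAC key shared between blog and provider are assumptions made for illustration; in practice the visitor's browser carries the assertion from the provider to the blog.

```python
import hashlib, hmac, os, secrets

def sign(key, identity, nonce):
    msg = f"{identity}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Provider:
    """Your blog software or OpenID provider: the only place the password goes."""
    def __init__(self):
        self._users, self._keys = {}, {}

    def register(self, identity, password):
        salt = os.urandom(16)
        self._users[identity] = (salt, kdf(password, salt))

    def associate(self, handle):
        # Shared MAC key agreed with a relying party; no user data involved.
        self._keys[handle] = secrets.token_bytes(32)
        return self._keys[handle]

    def authenticate(self, identity, password, handle, nonce):
        salt, stored = self._users.get(identity, (b"", b""))
        if not hmac.compare_digest(stored, kdf(password, salt)):
            return None                       # "no": nothing is signed
        return sign(self._keys[handle], identity, nonce)

class Blog:
    """Relying party: keeps only the comment and the URL that identifies you."""
    def __init__(self, provider, handle="blog-1"):
        self._key = provider.associate(handle)
        self.handle, self._nonces, self.comments = handle, set(), []

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def post_comment(self, identity, nonce, assertion, text):
        if assertion is None or nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)            # single use, so no replay
        if not hmac.compare_digest(assertion, sign(self._key, identity, nonce)):
            return False
        self.comments.append((identity, text))
        return True
```

Nothing reachable from the `Blog` object ever holds the password; a replayed assertion or one issued for a different identity URL is rejected.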
So why would anyone demand the actual authentication credentials, when the world works just fine without them? If the police showed up with a warrant and asked me to provide blog comments from user X, I could provide them - though they’re already shown publicly (or deleted) so I have no idea why they would show up in any official capacity anyway.
And if they came with a warrant, I’d at least know what they’re looking for, and what they’re using the information for. And there would be at least some kind of a public record that would show what the information was used for and how that came to pass. That’s what we wanted the public sector to do. That’s how our governments are supposed to work. Power must be used responsibly.
Companies don’t want to disclose that stuff. And with these let’s-just-let-companies-do-some-agreements style ad-hoc legislations, they don’t need to. They want power, but they don’t want the responsibility for it or the public scrutiny.
And they want more information than what’s reasonably required of you. Your authentication credentials, when a simple yes/no answer is sufficient for authentication.
I’m not even going to touch the actual privacy implications here. People will probably cover them well enough in other places.
In conclusion, don’t give people more identification than is necessary. This should be common sense from a computer security standpoint, and companies that don’t get this simple and obvious fact shouldn’t be trusted.