Password Protection Act

A group of Senators and Representatives has introduced legislation to ban the growing practice of employers (and prospective employers) demanding that employees hand over their personal Facebook account passwords. Only the state of Maryland currently has a ban in place against this practice. The proposed federal legislation would make this ban nationwide.

The Password Protection Act (PPA) prohibits employers from requiring current or prospective employees to divulge their personal Facebook and other passwords as a condition of employment. It also prohibits retaliation against employees or employment candidates for refusing to provide passwords on demand. Limited exceptions are provided for firms and employees that work with national security data.

Employers are allowed to set up office-based social networking on a voluntary basis, and set policies for employer-provided computer systems. Employers are also allowed to sanction employees for theft of organizational data.

Facebook, whose own record on privacy is best described as spotty, has mentioned the possibility of legal action against employers, but has not made direct threats to sue them. Social networks fear they will be undermined if users feel that the boss is looking over their shoulder.

HR departments have an understandable desire to fully vet employees and prospective employees. Yahoo's CEO mishaps underlined the problems that failure to vet employees can lead to, even at the highest level.

But compromising personal passwords is a bad idea. And the proposed legislation protects security as well as personal privacy. To take a simple case, if prospective employers can demand passwords, they are empowered to snoop into the social profiles of other firms' employees – anyone who has applied to them for a job.

More broadly, the ability to obtain passwords on demand undermines the entire concept of password-based security. Security and privacy are closely linked, and undermining privacy ends up undermining security as well.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."