Questionable practices related to organizational scrutiny of the social networking activity of individuals has received a great deal of press recently. This post provides food for thought for individuals and organizations engaging in these practices (or considering doing so) to reconsider their choices and pursue better alternatives. It also provides additional resources that offer deeper discussions on this and related issues.
About a month ago MSNBC published an article entitled Govt. Agencies, Colleges Demand Applicants' Facebook Passwords, which was followed by this Associated Press article that ran in a variety of publications. The focus of the stories was on people in positions of authority (e.g., recruiters, hiring managers, coaches) requiring access to privately-designated areas of social networking accounts so they could look for information, activities, and/or relationships that might create risk for an organization, such as gang-related activity, racial prejudice, or a tendency toward violence.
The pieces spawned a number of follow-up stories and blog posts (including this one from me) and incited hundreds of mostly negative comments from readers. Much of the discussion, especially from readers, focused on the employer practice of asking job candidates to provide login credentials for their social network accounts – particularly Facebook – as a condition of the recruitment and selection process. What got lost in much of the kerfuffle over this extremely rare practice is the need to discuss practices that are far more commonplace and occupy grayer areas of right and wrong. These practices include shoulder screening (asking a person to log in and then viewing content and relationships they’ve designated as private); friending job candidates, employees and students for the purposes of keeping tabs on them; and browsing an individual’s account without their knowledge or consent.
I’ve contributed my thoughts to a number of discussions over the past few weeks and have written several in-depth pieces about the practice of social screening and related issues since the fall of 2010. As I continue to read and think about these issues and the best approaches to addressing them, seven considerations have emerged that are worth highlighting and reiterating. This post captures those considerations, providing food for thought for individuals and organizations currently engaging in questionable practices (or thinking about them) to reconsider their choices and pursue better alternatives. I also provide additional resources that offer deeper discussions on this and related issues.
As always, I welcome comments and questions and invite healthy and constructive dialogue.
- Courtney Shelton Hunt, PhD
"Not Illegal” doesn't mean “Ethical”
Some people assert that engaging in various forms of social scrutiny is acceptable because there are no laws forbidding it. Given how long it takes us to develop rules (in terms of both policies and laws) for the challenges we face in both organizations and societies, we should be wary of relying too literally on what is/is not legal to guide our actions. History is replete with examples of laws emerging in response to ethical failures, many of which caused a great deal of harm before they were stopped.
By the same token, we can’t rely on people’s individual morals and values to help them determine proper behavior. Individual morality varies widely, not just in terms of specific values, but also in terms of moral maturity and sophistication. Rather, we should rely on our collective sense of right and wrong, which helps us define normative expectations for acceptable/unacceptable behavior. When we face circumstances that present new ethical challenges, we must rely on our shared ethical foundations to determine the new norms that should emerge. One of those collective norms, which was evident in the responses to the news about login credentials, is that we all have a right to privacy – not just in the physical world, but in cyberspace. If we wouldn’t ask someone for the keys to their home, why do we think it’s appropriate to ask them to give us the keys to their social network accounts?
Just because You Can, Doesn't Mean You Should
Digital data is so pervasive and easy to access that it’s tempting to adopt the mentality of “anything goes” and “everything’s fair game.” It’s challenging, to say the least, to resist the urge to snoop around and dig for digital dirt. But when we create “physical world” analogs for our cyber activity, the dubiousness of these practices should become evident immediately. For example, most recruiters, hiring managers, teachers, coaches and academic officials would never consider:
- Following an individual and eavesdropping on their personal conversations, even in public spaces.
- Staking out an individual’s home, watching who comes and goes.
- “Spillover spying” on an individual’s family and friends, whose actions have little to no relationship with the organization and pose few if any risks.
- Wandering around a person’s home, checking out their property, looking through their windows, or going through their mail and/or their garbage.
- Entering the individual’s home (even if the door is open or unlocked) and rummaging through drawers, examining photo albums, checking out their movie and music collections, reading their personal correspondence.
Similarly, they wouldn’t consider it appropriate to access an individual’s email activity, their online banking information, or other digital activity outside of social media. The same standards should apply to all of an individual’s personal information and activity, regardless of where it resides.
Two Wrongs Don't Make a Right
Many people try to explain or justify social scrutiny by emphasizing that they’re looking for red flags that would indicate an individual might bring harm to other individuals, either inside or outside an organization, and/or damage the organization’s reputation or brand. They see their efforts as part of a defensible risk management strategy.
Every organization has a right to protect itself, its brand, and its stakeholders, but that doesn’t give them carte blanche to engage in pre-emptive actions that can themselves cause harm, not just to the individuals whose actions they’re scrutinizing, but also to the organization and individuals they’re ostensibly trying to protect.
Remember the Law of Unintended Consequences
Many of the activities intended to manage risk create risks themselves, some of which can be greater than the initially-targeted risks. Poking around an individual’s social media activity is like opening up Pandora’s box. Some of the biggest risks include:
- Accessing protected-class information (e.g., race, religion, age) and/or protected speech (e.g., whistle-blowing and concerted activity), and/or becoming aware of lawful off-duty conduct (e.g., drinking, smoking, political activity)
- Viewing activity for which you have a duty to report (e.g., stealing, underage drinking, harassment, threats of violence)
If a prospective or current employer takes an adverse action against an individual (e.g., not hiring them, denying a promotion), it could be fairly easy for that individual to provide prima facie evidence that they may have been discriminated against based on their protected class status, their protected speech, and/or lawful off-duty conduct. The burden would then shift to the employer to prove that the adverse action was based on defensible factors.
And if an individual were to cause harm to him/herself and/or someone else, the resulting investigation would very quickly evolve into questions about what certain authorities knew, or should have known, that could have prevented the harmful act. It’s hard to claim plausible deniability when you’ve friended a job candidate, subordinate, or student and/or there’s clear evidence that you’ve explored their social media account.
Is Turnabout Fair Play?
How would hiring managers, recruiters, teachers, coaches and others in positions of power and authority feel having their own activities scrutinized to the degree they may be subjecting others? Would they pass their own tests? Do they have no skeletons in their closets? Are they completely open books?
Similarly, how would they feel if they were subject to “spillover spying” themselves, when the activity of someone in their digital networks is being scrutinized? Would they want to be informed that information and activities they’ve designated as private are being reviewed? Would they want to be asked for their consent first? Would they provide that consent?
Simply put, we need to think about the Golden Rule and consider the potential hypocrisy of subjecting other people to a set of standards we could never live up to ourselves, or a set of actions we would find objectionable if they were applied to us or our loved ones.
You Reap What You Sow
Requiring access to an individual’s personal information and activities is inherently distrustful, which breeds further distrust and undermines both the longevity and the quality of relationships. That in turn is likely to impair individual performance, diminish morale, and create/perpetuate a dysfunctional organizational culture.
When that distrust is evident even before a relationship begins, it increases the likelihood that an organization won’t be seen as an employer or school of choice, thereby undermining its efforts to win the war for professional, academic, and athletic talent.
If You're Going to Do It, Do it Right
Managing Digital Era risks is critically important for organizations of all types. To do it right, organizations must employ ethical, legally-defensible approaches. Those approaches begin with making sure there are justifiable and organizationally- or job-relevant reasons to scrutinize certain social media accounts and digital activities of individuals. Although we are still defining best practices in this area, there is emerging consensus that we should:
- Focus on information and activities that are generally perceived and/or intended to be public.
- Balance the need to protect the organization and its brand with the individual rights of candidates, employees and students.
- Develop sound policies and procedures for accessing and reviewing social media activities of employees and students, both before and after they join the organization.
- Create and implement sound and legally-defensible social media policies and make sure both individuals and people in positions of authority are properly trained about what they mean and how to comply with them.
This post focused on individuals and organizations employing social scrutiny tactics; however, they are not the only players who need to take responsibility for their actions. It’s also incumbent upon every individual to ensure their privacy settings are current and to be continuously cognizant of how their cyber activity reflects on them and their professional brands. I addressed those responsibilities in a recent post, Dressing for Success in Cyberspace: Giving Yourself a Digital Make-Over. And in the coming weeks I plan to publish updated guidance for both candidates and employers/recruiters. Although these pieces focus on the screening of job candidates, the underlying principles and logic can also be applied to current employees and prospective/current students.
Subscribe to the blog (via RSS, email or other means) to be sure you’re notified when these and related posts are published in the future.
Please share other resources you have found valuable. Thanks!