On June 19, 2009, city manager Chris Kukulski officially apologized (.pdf) for the intrusive application, stating “[t]he extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community.”

This controversy is another indication that social networking sites and other digital media are coming under greater scrutiny as employers conduct background checks. For example, the application for high-level political positions in the Obama transition phase required applicants to include copies of e-mails that might embarrass the President, copies of all blog posts, a link to one’s Facebook page, and a list of “all aliases or ‘handles’ . . . used to communicate on the Internet.”

The Bozeman application would have required applicants to violate Facebook’s Terms of Use, which state that “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” In addition, Bozeman’s request apparently was limited to obtaining usernames and passwords and did not seek authorization to access applicants’ sites. Consequently, any access by city officials might have run afoul of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), which prohibits intentionally accessing a “protected computer” without authorization.

Links:

• Local news article
• City of Bozeman press release (.pdf)
• New York Times article
• Facebook Terms of Use
• Computer Fraud and Abuse Act, 18 U.S.C. § 1030

In its report, ISPAB indicates that rising threats to privacy and advancements in computer technology and usage are unaddressed by outdated provisions in the Privacy Act. It also suggests that inattention by policymakers and the absence of guidance from the White House has led to a patchwork of inconsistent approaches by federal agencies. The report concludes that these factorhave contributed to the difficulty agencies have experienced in adapting to technological change. ISPAB urges the creating of a “new framework to protect privacy” by making the following recommendations:

• Amend the Privacy Act of 1974 and Section 208 of the E-Government Act of 2002 to improve Government privacy notices and re-define “System of Records” based on function and use of data and not merely possession;
   
• Institute Chief Privacy Officers at all “CFO agencies;”
   
• Institute a Chief Privacy Officers’ Council; and
   
• Develop uniform privacy policies emanating from the OMB.

The Senate Homeland Security and Governmental Affairs Committee report that they intend to modernize the law in this area.

Links:

• The ISPAB Report  "Toward A 21st Century Framework for Federal Government Privacy Policy" (.pdf), also available from the NIST website here (.pdf)
• The Computer Security Resource Center website developed by the Computer Security Division of NIST
• News report regarding possible Senate action.