An opinion piece regarding a possible US law change raises fascinating ethical questions about privacy rights. Whereas employers have some interest in what their employees are saying and doing in their personal/non-work time, employees also have reasonable expectations of privacy concerning their private lives:
OPINION: On the battlefield of the Internet, the Privacy Platoon struck a clanging blow against the Transparency Brigade last week, when two members of Congress introduced the Social Networking Online Protection Act.
The bill would bar employers from demanding job applicants' Facebook passwords - which recently has become an issue: The ACLU's Maryland branch championed the case of a Baltimore man who says he was told that his prospective bosses needed to make sure he wasn't in a gang.
"We need a federal statute to protect all Americans across the country," Rep. Eliot Engel, D-N.Y., a co-sponsor, wrote on his Web page. "We must draw the line somewhere and define what is private."
Although the opinion piece concerns job applicants, the ethical issue is much wider, for example during employment, in sensitive/trusted positions especially (e.g. any industry segment that routinely conducts intrusive 'positive vetting' - now there's an oxymoron!). It also potentially extends to other insiders (e.g. consultants) and perhaps outsiders (e.g. the marketing department may have legitimate concerns about the brand damage caused by a customer's adverse comments on a semi-private blog), and in the reverse sense too (e.g. shouldn't employees have full access to all emails and personnel records concerning them, even though the employer may consider them private and sensitive?).
My take on this is that 'the line needs to be drawn' but exactly where the line goes depends on the context and the specific situation, making it very difficult to lay down universal rules on this. Notions such as equitability and fairness seem to appy, but good luck if you are trying to define them in formal policies. Making law in this area may be the most awkward and perhaps expensive way of dealing with the issues, but on the other hand there is an inherent imbalance in the power of the individual versus that of the organization, or for that matter the state (e.g. the issue of people being coerced into revealing their passwords and encryption codes 'for reasons of national security'). Legislation may be needed as a backstop against unethical or oppressive organizations.
This may be one of those situations where guidelines, principles and examples are a better way of clarifying the issues and intent than formal policies or laws, leaving the final decisions over the appropriateness or otherwise of potentially intrusive or privacy-threatening demands to those involved. Case studies, for instance, are a good way to get people to think and talk about the issues, making this a good topic for security awareness programs.
Caveat: I am neither a lawyer nor a privacy expert. I'm raising it here to set you thinking about the issues, not show you The Way.
Regards,
Gary
www.NoticeBored.com security awareness
www.ISO27001security.com ISO27k
www.SecurityMetametrics.com security metrics