Background

In case you haven’t heard, the city of Bozeman, Montana recently modified their City Employee Application asking applicants to hand over usernames and passwords of social networking sites and online communities. Their reasoning? To make their “background check” easier.

“Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.”

There are lines to add your log in and password information (see form). One potential employee contacted went to the local news, who in turn went to the City Attorney, Greg Sullivan, who said:

So, we have positions ranging from fire and police, which require people of high integrity for those positions, all the way down to the lifeguards and the folks that work in city hall here. So we do those types of investigations to make sure the people that we hire have the highest moral character and are a good fit for the City.

The City Manager, Chris Kukulski told KBZK that Bozeman stands by the policy of looking at social network pages of applicants, adding that it’s important for judging the character of future police, fireman and other employees. Absent was any mention of why Bozeman wants the passwords – or the fact that no other cities are asking for account passwords.

This is not only an invasion of privacy (asking for usernames is one thing, asking for passwords is another), but is a serious breach of security. The city is taking on a huge liability should an applicant’s identity be stolen.

Call to Action (URGENT!)

If you want Bozeman to set a precedence that it’s “okay” to request personal passwords you don’t need to do anything. But if you don’t want to give up your passwords to your employer, your school, your bank, etc., YOU NEED TO STAND UP NOW!

The City of Bozeman is holding a regularly scheduled City Commission Meeting. If you are in the area, PLEASE show up and voice your outrage of this policy during the Public Comment section of the meeting (comments are limited to 3 minutes per person).

If you cannot be in attendance you MUST email the City Clerk and request that your message be included in the “packet” that is given to each Commissioner and the Mayor, and becomes part of the Public Record. Your comments will not be read publically, but it will become part of the Public Record.

Send your email to the following people with the subject line “PUBLIC COMMENT: Asking for Personal Passwords is Unacceptable”:

• akissel@bozeman.net
• sulmen@bozeman.net
• agenda@bozeman.net

We want to overwhelm the City Commission and Mayor with as many letters as possible! I’d love for each to have a STACK of paper at Monday’s (June 22nd, 2009) commission meeting, but YOU HAVE TO DO IT NOW! (If, by the time you read this, it’s already past the June 22nd meeting, please find out if Bozeman has reversed this policy, then write to them accordingly.)

Sample Letter

Keep your comments short, to the point, and professional. Feel free to use (and modify) the following if you would like.

CORRESPONDENCE TYPE:

• Public Comment

DISTRIBUTION:

• City Commissioners: Jeff Krauss, Sean Becker, Jeff Rupp, Eric Bryson,
• City Mayor: Kaaren Jacobson 
• City Attorney: Greg Sullivan
• City Manager: Chris Kukulski

SUBJECT:

• Asking for Personal Passwords is Unacceptable

Dear Mayor and Commissioners (et. al.),

As I cannot be physically present at your City Commission Meeting I ask that you read this letter aloud, that it be entered into public record, and a motion or resolution be requested at the conclusion of the reading.

Recently a policy that your city has enacted has come to the attention of the news media, and subsequently brought it to my attention, and the attention of the IT and Computer Security industries.

Your “Consent and Release to Conduct Criminal Background and Reference Checks” asks for applicants to provide network, username, and password information. The latter is totally unacceptable!

Passwords are personal, private keys used to secure personal, private accounts. Asking someone to voluntarily provide you with their passwords is worse than asking applicants to hand over a copy of their home and vehicle keys. Physical keys are manufactured to be unique, and carry a certain level of security with them. Passwords, however, are typically user-generated, and are typically not that secure. Additionally, people tend to “re-use” passwords, thereby potentially exposing access to more than just the provided sites.

Using the same logic, the Mayor and City Commissioners are all public employees who work on City owned and operated computer equipment, therefore these usernames and passwords should be a matter of public record so any member of the public can at any time “inspect” the contents of emails and documents accessible through these accounts. Right?

Of course the answer is no! Public employees on public computers doing a public job should NOT divulge their passwords to anyone! To do otherwise would represent a major violation of trust and ethics!

Asking applicants to turn over their personal passwords under the thinly veiled guise of “background checks” is inappropriate on the part of the City. Any applicant (or current employee) who has voluntarily provided this information poses a SERIOUS security threat to the City.

Both the City Attorney and the City Manager have gone on-the-record supporting this policy; they are wrong to do so.

Yes, background checks are a vitally important part of any job, especially a public one.

Yes, in this day and age those background checks should include checking online sources for information. But this should be limited to what is publically available.

PUBLIC profiles, PUBLIC messages, PUBLIC conversations are all fair game for background checks.

PRIVATE emails, PRIVATE messages, PRIVATE accounts, and PRIVATE information (such as passwords) should not be included in background checks any more than randomly searching PRIVATE homes and PRIVATE vehicles of employees.

What you are doing is wrong. Asking for passwords is inappropriate at best. You are setting a dangerous nation-wide precedent in asking for this information.

I, along with countless other IT, Security, and Computer Professionals around the country and around the world object to what you are doing and STRONGLY URGE you to reconsider and reverse your policy!

I ask that a motion or resolution be made to (1) make a public apology on behalf of the City of Bozeman for asking for passwords in the first place, (2) that the City of Bozeman admits that divulging passwords presents an obvious and unacceptable security threat, and (3) that all applications received which provided password information have been destroyed (or shall be within 24 hours).

I, along with the rest of the IT, Security, and Computer Professionals await your response.

Cordially,

Joe Levi, Internet Professional

Related Articles

• http://www.huffingtonpost.com/lisa-derrick/bozeman-mt-want-a-job-giv_b_217786.html
• http://lafiga.firedoglake.com/2009/06/19/big-brother-in-bozeman-want-a-job-give-us-your-passwords-now/
• http://www.montanasnewsstation.com/Global/story.asp?S=10551414&nav=menu227_3
• http://www.newwest.net/city/article/city_of_bozeman_demands_passwords_from_job_applicants/C396/L396/
• http://digg.com/odd_stuff/Bozeman_MT_wants_your_google_Digg_login_and_password
• http://forum.dvdtalk.com/other-talk/556929-want-work-bozeman-mt-then-give-up-your-social-network-usernames-passwords.html
• http://www.atelier-us.com/internet-usage/article/bozeman-mt-city-job-applicants-give-up-social-site-passwords
• http://www.scribd.com/doc/16552839/Background-Check-Form-Interview-MASTER

Tweet

Was this information helpful? Why not consider a donation to help pay off my mortgage?