It’s amazing what you find on Twitter. Shortly after posting my blog on how Google indexes all of your public tweets, I came across a tweet where someone had applied for a job and the company performed an audit on his tweets. They delivered a 300+ page PDF of all his tweets including a certain profanity.
It turned out that the prospective employer contracted a company called FAMA who trawled Twitter for all his tweets matching a certain criteria and delivered the report.
FAMA claim that it ‘is a talent screening software that helps identify problematic behavior among potential hires and current employees by analyzing publicly available online information‘.
As I said in my previous blog, there are several companies that aggregate publicly available social media posts and deliver them as a product to whoever pays for it. FAMA is the latest one I have found out about.
During the hiring process, companies will do investigations to see if you are the right candidate. They may:
- Take up references
- Contact your current employer
- Do a credit Check (although they should tell you they are doing this)
- Contact your regulator (especially for highly regulated industries e.g. Financial Services)
- Confirm your education record
- Perform a check for a criminal record
- Check your driving record and any driving offenses, especially if you are applying for a job requiring driving.
These background checks are often contracted out to investigation companies and not normally done directly by the employer.
If you are applying for a government job there will also be a security check. Depending on the level of clearance required they may go into your history, past relationships, where you have traveled, political beliefs, membership of political organizations, etc. This may also include investigations involving branches of law enforcement and the intelligence community (e.g. in the UK this might involve the Police, MI5, Special Branch, GCHQ). They can also request medical checks, physiological examinations and polygraph testing depending on the security clearance required.
I have also come across instances where someone has posted something on social media (in this case it was FaceBook) that was critical of their employer. The next day this person received a call from HR asking them to take down the post. This person was leaving the firm at this time, so the company may have been particularly interested in any critical posts. In this case it was likely that a search was done for the company name and relevant social media posts were flagged.
If your post is public, i.e. in plain sight for anyone to see, then it is fare game for these companies to index the posts and deliver reports so long as they don’t break the rules of the hosting company.
What can you do?
Firstly, please think before you post. If your post contains profanities, sexist comments, threats (however veiled), violence, etc. then:
- Think how the person on the receiving end might view it and the damage it might do to their reputation
- Consider the wider implications of Google indexing your post forever
- What this says about you to others, including your employer, prospective employer and maybe even your future father inlaw or partner.
If you want all your social media posts to be kept within a closed group, consider using the privacy settings to limit access. This will effectively stop these companies indexing your posts from the point you enable the privacy controls.
If you are hit by this kind of reporting, you will have to look on the relevant company website for such a policy and a mechanism to remove your data. If you are in the EU this is covered by the GDPR regulations (irrespective of where the company is hosted) and in California by the California Consumer Privacy Act in 2019. There may also be other regulations in your country that cover this.
Is this illegal? – NO, depending on the jurisdiction you are living in and the local laws.
Is it ethical? – Debatable.
Is it in widespread use? – YES!
If I was hiring someone I would want to know more about the person I was hiring and if they were in line with the culture of my company. This is just another tool that can be now be used during the hiring process and after the person is hired. Whether I would use it or not is debatable as there are other ways to find out about people which I have covered in our social engineering guidance.
These reports could also be used by bad actors to find people who are disillusioned with their employer, political party, etc. so that they can target them with social engineering attacks (e.g. Spear Phishing) or try to turn them (possibly using blackmail) into disclosing information or granting access to physical properties.
We often post in haste and regret it later and remove the post. If Google, or one of these aggregation companies, has already found it then it is too late. The down side is that you may not know they have it and that off-the-cuff comment could come back to haunt you.