The Ethics of Social Media Cyber-Sleuthing

social media

Without a doubt, social media and social networking sites like Facebook, Twitter, LinkedIn, and countless others have become indispensable tools in conducting background investigations, due diligence, employment pre-screening, and other types of investigations. Pursuit Magazine recently had a good two-part series that covered not just pointers to some lesser-known social media sites, but also discussed the importance of adequately capturing and presenting the information found on these sites.

The articles also highlighted some ethical and legal issues around gathering such information, advising, for example, against using shady techniques like pretexting and password cracking to gain access to protected material. Additionally, in Canada, a number of laws – notably human rights and privacy laws – govern the types of information that may be gathered on social media and elsewhere, the methods used for gathering the information, and the decisions made based on the information.

To stay on the side of the law, it is crucial for organizations and investigators to exercise caution when researching, collecting, and disclosing personal information about individuals. The Information and Privacy Commissioner of British Columbia has released some guidelines for social media background checks (PDF), identifying some pitfalls and issues to keep in mind:

  • Accuracy of information (Is it the right profile? Was the profile created by the individual himself or herself? Is the information current?)
  • Collecting irrelevant or too much information
  • Over-reliance on consent

Exercising good judgment when trawling social media sites isn’t just a matter of law and ethics; it can also save the organization from embarrassment, a lesson that the Toronto Star learned the hard way when it published false allegations against an Ontario MPP based on an old Facebook photo. The newspaper issued a rare front-page apology, citing an “egregious lapse” of standards.

Photo source: Jason Howie, Flickr

Free Speech and Privacy at Work

When can an employee’s off-duty web postings or other activities be reasonably monitored and controlled by an employer in order to protect the business? This has been a recurring question since the rise of the public internet and especially of social media. This article does a nice job of reviewing the case law and dissecting the issues of privacy, free speech, and employer loyalty with regard to online postings, and notes that:

It is fair to say that although technology has changed the playing field, the principles with respect to off-duty conduct in Canada have not changed. As long as employees must remain subordinate and loyal to their employer, there are limits to what they can express, even on their own devices and even if they are off-duty.

While an employer can never completely control the online behaviour of its employees, it can manage the delicate balance between protecting the business and respecting the rights of employees to privacy and free speech by putting in place “a well-drafted and well-communicated policy which clearly identifies acceptable workplace practices and use of company equipment as well as personal equipment, both at work and off work.”

Recent Developments in Privacy Law

In Canada, we have some of the most stringent privacy legislation in the world, and in my public records research, I’m constantly coming up against privacy laws that complicate my work and keep me from finding as much information about private citizens as I’d like. As a private citizen myself, however, I’m grateful for these laws, which seem to get strengthened whenever they’re challenged in the courts.

Even with police searches, the trend seems to be toward recognizing privacy interests. In a recent ruling, for example, the Supreme Court of Canada declared unanimously that a specific search warrant  is required to search the contents of a personal computer or cellphone. The Court drew a distinction between computers, which contain a large amount of personal information, and other types of receptacles in the home. When it comes to privacy concerns, the computer must be treated as a separate place:

In effect, the privacy interests at stake when computers are searched require that those devices be treated, to a certain extent, as a separate place. Prior authorization of searches is a cornerstone of our search and seizure law. The purpose of the prior authorization process is to balance the privacy interest of the individual against the interest of the state in investigating criminal activity before the state intrusion occurs. Only a specific, prior authorization to search a computer found in the place of search ensures that the authorizing justice has considered the full range of the distinctive privacy concerns raised by computer searches and, having done so, has decided that this threshold has been reached in the circumstances of a particular proposed search. 

In another recent decision, however, the Supreme Court highlighted the importance of freedom of speech when it conflicts with privacy concerns. In a case that involved a union photographing and videotaping people crossing a picket line during a strike, the Court struck down Alberta’s privacy legislation. The Court stressed the basic importance of freedom of expression in the context of labour disputes, saying the law imposed undue restrictions on the union’s ability to communicate and promote its case during a legal strike. It gave the province a year to make appropriate changes.

Meanwhile, Manitoba, which recently enacted its Privacy Information Protection and Identity Theft Prevention Act (“PIPITPA”), may also have to make some changes, as it based its legislation on the Alberta model. Manitoba is now the fourth Canadian province to enact general private sector privacy protection legislation (the others are British Columbia, Alberta and Quebec), the key feature of which is the breach notification provision: an organization must notify affected individuals if personal information under the organization’s control is lost, accessed or disclosed without authorization.

Finally, this news is a good reminder that being in contravention of privacy laws can cost businesses: the Federal Court recently ordered Bell Canada to pay $21,000 in damages in connection with conducting a credit check on a customer without consent.

Wondering about the various public and private sector privacy legislations in Canada? This site has a good overview.