Using Open Source Internet Intelligence To Vet Employees


It has become increasingly common for hiring managers and HR professionals to do a ‘quick search’ on various social networking sites to see what they can find out about a potential new employee. Some employers are even beginning to go as far as asking an employee for their social networking passwords so that they can look through the account.

These techniques show a growing understanding of both the amount of time spent on-line in the average person’s day (both in and out of the office), and the significance of those actions for both corporate identity and corporate security. Most breaches of information security policy now occur on the internet, including high-profile leaks, and corporations are often liable for the actions of employees conducted on their IT infrastructure.

While the recognition of the need to track such things is a step in the right direction, the breadth and scope of an average person’s internet interactions now go well beyond social media; everything from blog sites to forums has become a venue where people routinely post inappropriate, illegal, offensive, or potentially damaging information about themselves and/or their employers.

This fact must be coupled with the need for vetting activities to be fair, consistent and equally thorough in all cases, with a strong awareness of potential discrimination issues around race, sex, and age, which in almost every jurisdiction may not legally be a factor in a hiring decision. It is also worth pointing out that in much of Europe, collecting personal data may fall afoul of data protection legislation.

Any framework for the vetting of potential employees must possess certain traits:

It must pay due attention to the provisions of the Data Protection Act (if in Europe) or US privacy laws (if in the USA). Many of the ‘quick looks’ on social media regarding an employee, for instance, especially those conducted in Europe, become the sole basis for the decision on whether or not to interview an individual. This is a de facto breach of the DPA, unless the subject is informed that this was the case and given the opportunity to have other information considered. Even collecting this information may be considered to fall afoul of the act. In the USA, people have a right to a reasonable standard of privacy. While this generally does not include things contained in public or semi-public posts on the internet, there is little case law on the subject, and so having a solid, consistent framework may be the only sure-fire way to avoid liability.

It must be thorough, cover all likely posting locations, and be consistent across all applicants. This avoids things ‘slipping through the cracks’ but also ensures that it is done fairly, considering all public facets of an individual’s character in a holistic context. This thoroughness should include a social network search, a thorough search of forums and industry locations, and a complete check of all known e-mail addresses and on-line aliases.

It should be done with the advance written permission of the candidate in an open and transparent fashion. The purpose of the activity isn’t to ‘dig the dirt’ on the candidate, but instead to look for evidence of illegal behavior, or instances of inappropriate company IT asset usage in previous employments, as well as any damaging proclivities towards leaking. More often than not, only positive things regarding the individual will be discovered.

It should be a matter of policy that employees are asked in their application to list all their on-line usernames and aliases. It is common practice to ask for any aliases or other names used by the applicant in the ‘real world’; there is no reason this practice should not be extended to the internet in standard job applications.

It should be documented and reported in a complete, professional and non-judgemental fashion. The goal is to gather information, and state the facts, not provide ad-hoc or potentially prejudicial interpretations.

All findings should be discussed with the candidate in detail, in a non-confrontational way, to ensure that they have a chance to explain their actions. Humour is notoriously difficult to spot in the on-line medium, and many posts could be made in jest, or even by friends using one of their names. Never assume anything. Not only will this protect you from the data being the sole source of the decision (thus mitigating much of the DPA provisions’ impact), it is also the right thing to do.

It’s important to know who you’re hiring, and a lot of information on the internet can help you form that judgment, but it should always be collected fairly, thoroughly, without regard for race, sex or age and be used only in a legally permissible fashion. If in doubt, it’s always safer to hire a professional.