JobSpace: a privacy nightmare for job seekers

Note: I often find myself wondering if people see the issues I write about on this site as important. There is a disconnect between what lawyers like me regard as important and what ordinary people regard as important so stories about Facebook’s privacy blunders often don’t merit all that much attention from the broader Facebook userbase even though privacy lawyers cringe. This is not one of those stories which should be ignored becasue it could be the forerunner of similar privacy violations going forward.

Why is this story important? It is important because this site and sites like it that make people’s personal information available or exploit it without their informed consent are putting those people at risk. I wrote a post last year titled “Online publicity negates offline privacy” and while the post was more focused on the social Web and what we put into our profiles, JobSpace is the first site I have come across which epitomizes the sort of service that negates users’ offline privacy by recklessly disregarding their online privacy. The information people tend to put into their CVs is intended for a very narrow audience (namely recruiters) and should be carefully protected from disclosure. It is also the sort of information banks and similar security conscious providers request when authenticating their customers over the phone. This is the sort of information that can give criminals access to bank accounts.

One of my contacts alerted me to a site which has a shocking privacy practice. The service, JobSpace, is a free jobs website which allows users to upload their CVs to the site and recruitment agents (and any unregistered visitor to the website, for that matter) to search for and view those CVs. It doesn’t sound unusual until you see the level of detail available to anyone who wants it. I conducted a search on the site and found an alarming amount of personal information about one candidate. Below is a series of screenshots which reveal how easy it is to access personal information like phone numbers, addresses, email addresses and ID numbers.

First I clicked on the link to search for a receptionist in South Africa. I was not logged into the site at all and didn’t create an account.

JobSpace 1

JobSpace immediately gave me a set of search results with names and locations:

JobSpace 2

I picked one name from the list and noticed the link to download this person’s CV:

JobSpace 3

I was able to download this person’s CV in Word. The CV contains the candidate’s phone numbers, address, email address and ID number (I’ve redacted this person’s personal information for the purposes of this post but the CV).

JobSpace Candidate CV

Armed with this information it would be a relatively simple matter for an identity thief to steal this person’s identity and cause terrible financial harm, among other things.

I took a look at another jobs website last year which had objectionable privacy practices of its own and, in that post, I explored the law on privacy and protecting personal information. It is worth reading that post to better understand JobSpace’s privacy practices better.

The cornerstone of a website’s privacy practice should be its privacy policy which is intended to inform visitors and users what personal information sites collect and what is done with that personal information. If the visitor or user agrees to this, the site proprietor has informed consent to collect and process that personal information. This is the extent of JobSpace’s privacy policy:

PRIVACY

Job Space respects your personal privacy. By providing certain personal information in the Job Space Application Form, you grant Job Space the worldwide, perpetual and irrevocable right to make this information available to others on the Job Space website. At any time you may remove your personal information from the Job Space website and Job Space’s records by providing your request for its removal, in writing, to Job Space at the following e-mail address: support (at) Job Space.co.za

 

As a privacy policy it is grossly inadequate and the license JobSpace takes in respect of users’ personal information is highly problematic, in part, because the “permission” the user grants JobSpace is perpetual and irrevocable. I have my doubts whether this provision is even enforceable but a user would need to challenge JobSpace in order to reach that conclusion. By that time the user’s (and every other user’s) personal information will have been made available publicly and is probably searchable too.

This clause does not inform users that all personal information they disclose in their CVs will be made publicly available. Given the level of detail any visitor to the website can obtain about the candidates, JobSpace should be taking far greater precautions to limit who can access the information and to make sure that users understand how much personal information they are exposing to the public Web.

This site represents an extreme in personal information abuses. As much as services like Facebook take undue advantage of their users and their personal information, this site is practically a nightmare scenario that exposes its users to identity theft, threatens their personal safety and most likely exposes them to far greater publicity than they could have imagined.

Leave a Reply

Your email address will not be published. Required fields are marked *