Note: I often find myself wondering if people see the issues I write about on this site as important. There is a disconnect between what lawyers like me regard as important and what ordinary people regard as important so stories about Facebook’s privacy blunders often don’t merit all that much attention from the broader Facebook userbase even though privacy lawyers cringe. This is not one of those stories which should be ignored becasue it could be the forerunner of similar privacy violations going forward.
Why is this story important? It is important because this site and sites like it that make people’s personal information available or exploit it without their informed consent are putting those people at risk. I wrote a post last year titled “Online publicity negates offline privacy” and while the post was more focused on the social Web and what we put into our profiles, JobSpace is the first site I have come across which epitomizes the sort of service that negates users’ offline privacy by recklessly disregarding their online privacy. The information people tend to put into their CVs is intended for a very narrow audience (namely recruiters) and should be carefully protected from disclosure. It is also the sort of information banks and similar security conscious providers request when authenticating their customers over the phone. This is the sort of information that can give criminals access to bank accounts.
One of my contacts alerted me to a site which has a shocking privacy practice. The service, JobSpace, is a free jobs website which allows users to upload their CVs to the site and recruitment agents (and any unregistered visitor to the website, for that matter) to search for and view those CVs. It doesn’t sound unusual until you see the level of detail available to anyone who wants it. I conducted a search on the site and found an alarming amount of personal information about one candidate. Below is a series of screenshots which reveal how easy it is to access personal information like phone numbers, addresses, email addresses and ID numbers.
First I clicked on the link to search for a receptionist in South Africa. I was not logged into the site at all and didn’t create an account.
JobSpace immediately gave me a set of search results with names and locations:
I picked one name from the list and noticed the link to download this person’s CV:
I was able to download this person’s CV in Word. The CV contains the candidate’s phone numbers, address, email address and ID number (I’ve redacted this person’s personal information for the purposes of this post but the CV).
Armed with this information it would be a relatively simple matter for an identity thief to steal this person’s identity and cause terrible financial harm, among other things.
I took a look at another jobs website last year which had objectionable privacy practices of its own and, in that post, I explored the law on privacy and protecting personal information. It is worth reading that post to better understand JobSpace’s privacy practices better.
Job Space respects your personal privacy. By providing certain personal information in the Job Space Application Form, you grant Job Space the worldwide, perpetual and irrevocable right to make this information available to others on the Job Space website. At any time you may remove your personal information from the Job Space website and Job Space’s records by providing your request for its removal, in writing, to Job Space at the following e-mail address: support (at) Job Space.co.za
This clause does not inform users that all personal information they disclose in their CVs will be made publicly available. Given the level of detail any visitor to the website can obtain about the candidates, JobSpace should be taking far greater precautions to limit who can access the information and to make sure that users understand how much personal information they are exposing to the public Web.
This site represents an extreme in personal information abuses. As much as services like Facebook take undue advantage of their users and their personal information, this site is practically a nightmare scenario that exposes its users to identity theft, threatens their personal safety and most likely exposes them to far greater publicity than they could have imagined.
I received an email from Boaz Barak, a Jobspace representative, who advised me as follows:
I represent Job Space (www.jobspace.co.za)
You have written a fair yet currently invalid article about our website’s privacy issues which no longer apply in the present. We have since upgraded our website and no longer offer CV search to the public in this manner.
Please can you remove your article or retitle it to reflect the changes.
I don’t believe in removing my posts and prefer to rather publish an update to keep readers adequately informed. I tried to run a search for “receptionist” on the site to see what would happen and it appears that this functionality requires registration on the site. I didn’t want to hand over any of my personal information so I didn’t pursue this further. I also attempted a Google site search and clicking on resulting links took me to a login or account creation page so it appears that Jobspace has addressed the public search concern, at least where a login is not required.