2003 Job Search Privacy Study: Core Job Site Privacy Issues



The following issues are highly relevant to job applicant privacy as found in the research conducted for this study.


A. Collection of Job Seeker Data at Job Sites

Job and employment sites consistently collect robust, rich information from job seekers. Most sites collect the following kinds of information from job seekers:

  • name
  • address
  • phone number
  • salary
  • educational level
  • future educational plans
  • geographic location
  • years on the job
  • willingness to travel or relocate.

Some sites may request gender or race to comply with EEO regulations. Some sites may request a date of birth as well. Only a handful of sites in the study collected SSNs. However, those sites had significant reach. For example, USAJOBS, the US Government’s Web site, requests SSN when job seekers want to post a resume.

All or part of the aforementioned data, plus the information contained in the resume is what job sites typically collect from job seekers looking for jobs.

In recent years, some job sites have begun selling services such as resume distribution to job seekers. When this is the case, then these sites also may collect credit card data.

Some employers may also gather personality profiles from job seekers via an online application form. Sports Authority is an example of an employer that collects this type of data.

Even when a job seeker simply browses through a job site looking at job ads without registering or posting a resume, the sites may still collect certain pieces of data from job seekers such as types of jobs searched for, where, and so on. This type of collection is usually accomplished through a combination of depositing cookies and using page referrals, and may be stopped by consumers who are aware of the activity.

Some “pass through” sites, such as DirectEmployers.com, stand as an exception to the large quantities of personal data collected at employment sites in that these sites gather almost zero job seeker data; the goal there is to send job seekers to the corporate Web site where the job is located. Another pass-through site is Jobs.com. Jobs.com, though, is slightly different in that it takes job seekers to job ads posted on a third party commercial Web site.

Few online businesses provide as rich and steady a supply of detailed consumer data as job sites do. The “pass through” sites prove that most sites could be gathering much less information from job seekers.


B. Use of SSN at Job Sites

In this study, the sites that requested Social Security Numbers included government, state, and teacher (state-run) sites. Commercial sites related to Unicru also requested job seeker SSN and date of birth. While only a handful of sites requested this information, the sites that did request it had a very broad reach.

Specifically, USAJOBS.opm.gov and StudentJobs.gov allowed applicants to browse job ads without divulging an SSN. [7] However, to post a resume on the sites, research found that job seekers had to disclose SSN. According to an OPM press release, just from August 4 to 20th of 2003, job seekers created more than 51,000 resumes on the site, [8] which gives a fair idea of the impact of the SSN request at the USAJOBS site.

EdJoin (a site for California Teachers) allowed voluntary disclosure of SSN. CalJobs (www.caljobs.ca.gov), the site for California State jobs, requested disclosure of job seeker SSN and date of birth prior to looking at a job ad.

Sports Authority stores, which request job applicant SSN and date of birth prior to accepting even a job application, like the other sites, did so electronically. [9] However, these stores have the distinction of being the only known sites in this study to request an SSN and date of birth from job applicants without also posting a privacy policy governing the use of that data.

Sports Authority is operating Unicru-run employment application kiosks and a matching Web site. Unicru processes approximately one applicant per second, or an estimated 6 million applicants per year who must go through that process.

So, just in this study, the sites that require SSN for application impact well over 6 million people per year.

Given that identity theft has been identified by experts as an “insider job,” [10] it is important for job sites to shift away from the use of SSN as an identifier. In the case of Unicru, which is conducting instant background checks on applicants prior to allowing an applicant to submit an application, it will be important to at the very least encourage this business to adopt the practice of posting a privacy policy at the kiosk and its related Web sites that outlines how the SSN and other information will be stored and handled.


C. Use of EEO and ADA Information Online

Research has found that online job sites have been highly inconsistent with how Equal Employment Opportunity (EEO) information is applied. Overall, sites tend to be more careful and consistent with Americans with Disabilities Act (ADA) issues.

Title VII of the Civil Rights Act of 1964 prohibits employment discrimination based on race, color, religion, sex, or national origin. [11] The rules for applying the provisions of Title VII require employers or employment agencies to state that any information related to EEO questions is completely voluntary. The employer must also state that the information will not be included in a jobseeker’s application to the employer.

By far the site with the clearest compliance with these provisions is Unicru’s as seen at Sports Authority. This is what its EEO notice looked like at SportsAuthority.com:

The following questions are completely voluntary. To comply with government regulations we must make a good faith effort to record this information on our applicants. Your answers will not be made available to anyone involved in the hiring process.

What is your race?
American Indian or Alaska Native
Black or African American
Hispanic or Latino
Native Hawaiian/ Other Pacific Islander
Caucasian or White

Thank you.

This is a faultless application of EEO guidelines in an online application environment. But few sites go this far. For example, when Job.com asks for gender and date of birth, there is not an EEO notice stating that giving the gender information is voluntary. This kind of request is actually not uncommon at online job sites.

FastWeb.com raises more complex EEO questions. FastWeb is a college scholarship search site. The site, which is owned by Monster.com, asks for students’ gender. It also allows students to respond to questions about nationality, religion, and some medical disabilities. These are EEO questions. But the site, being a scholarship search site, does not fall under the category of being an employer or employment agency, which is what would make the Title VII regulations apply. However, the FastWeb privacy policy notes that if a student opts in, then their information may be shared with a potential employer.

In the course of research, researchers became aware of a document that discussed Monster.com’s use of the FastWeb site for hiring part-time workers. This potentially places FastWeb in the category of an employment agency, which would require the site to give EEO notice regarding the voluntary submission of racial, gender, religious, and nationality information. It would also, according to the current rules, require that FastWeb keep the Title VII data separate from a user’s application.

The EEO guidelines are being stretched by new technologies and the new online application environment. The EEO regulations either need to be updated for electronic mediums, or the old guidelines need to be reaffirmed and applied in the new mediums.


D. Job Site Responses to Consumer Privacy Queries

As part of the Job Search Privacy Study, researchers conducted a test of email responses to privacy questions. The test was conducted via email without the foreknowledge of the sites. Wherever possible, researchers emailed a query to the email address listed on the site privacy policy.

The goals of the privacy query test were to determine:

  • How sites responded to consumer privacy queries
  • The accuracy of the contact information listed on the privacy policy

If a site did not post a privacy policy, the goal was also to determine if the site would give appropriate privacy assurances to consumers.

Researchers compiled a list of the email addresses from the privacy policies at the job sites in the study. For sites that did not post a privacy policy, the email address was taken from the site contact information available at the site or from the most obvious point of contact, for example, an email address listed on the home page or customer support or feedback page.

A very basic email [12] was crafted to test the privacy-related help a consumer might receive at the job search sites. A question about SSNs was added for sites that collected that information. For sites that possibly marketed information to advertisers, slight variations in the email were made to accommodate this aspect. The email was sent using an email address that was not easily identifiable as belonging to either a privacy organization or privacy researchers.

The queries went out September 16, 2003. The first responses began to arrive within approximately one hour. The last response researchers received arrived September 30, 2003. The test officially concluded October 15, 2003. Researchers sent repeat queries to unresponsive sites up until November 7, 2003.

There was some attrition in this study due to spam filtering, mail bouncebacks, and other unavoidable technical glitches. Even taking that into account, it is clear that the job sites took the consumer query seriously. Most sites replied to researchers in under two days, which is quite rapid by most standards.

1. Specific Site Responses

a. The following job sites sent personal emails back to researchers’ privacy queries in under 6 hours.

  • CareerBuilder
  • WorkingWorld
  • Net-Temps
  • MonsterTrak
  • NationJob
  • Workopolis.com
  • Medzilla.com
  • Resume.com
  • EdJoin.org
  • LegalStaff
  • DirectEmployers
  • WetFeet
  • NACELink
  • EDD/CalJobs
  • IM Diversity

b. The following sites sent an auto-reply response in under 6 hours:

  • FlipDog
  • *TrueCareers – site followed up with additional reply later.
  • Monster.com
  • Teachers.net
  • Craigslist.org
  • **CareerBuilder: The autoresponse CareerBuilder sent within 6 hours came after it had already sent a personal response to researchers’ privacy query email. The autoresponse from CareerBuilder requested that the researcher fill out a follow-up customer satisfaction survey.
  • CollegeCentral.com
  • *FedJobs.gov (USAJOBS) – site followed up with additional reply later.
  • *CollegeRecruiter – site followed up with additional reply later.

c. The following sites sent a response within 6 to 24 hours:

  • OPM.gov
  • FedJobs.gov USAJOBS
  • ExecuNet
  • CollegeRecruiter
  • IHire, Inc.
  • FastWeb
  • DICE.com
  • TrueCareers – Sent a detailed SallieMae privacy policy explanation.

d. The following sites sent a response in over 48 hours:

  • FedJobs – Federal Research Service.
  • OPM –
  • HireDiversity.
  • WorkStream Inc. (6 Figure Jobs)

2. Unresponsive Sites / Technical Issues

Researchers conducted the privacy email query test for several purposes. One was to see the responses. But the test was also conducted to see if the email addresses companies listed on privacy policies were accurate. Before the test was conducted, researchers included in the methodology the fact that new site addresses were not to be searched out and tried, which would create a lack of fairness for those sites that had listed accurate addresses in their privacy policies.

a. The following are sites that, after being emailed and retested, did not bounce back replies to researchers:

b. Very few total addresses in this study came back as undeliverable to researchers. Those that did are included in the list below.

* Researchers retested and checked all of these messages for accuracy. Email addresses were tested more than one time after a bounce.

**After researchers completed the email test, Adecco completed a major Adecco USA site redesign that addressed the response problems.

***Idealist’s email system was down during the test period.


E. Use of Third Party Cookies at Job and Career Sites

The use of third party cookies [13] has grown at career and job-related sites.

For background, cookies are bits of information that can be sent to a computer. A Web site an individual is visiting can send a cookie, and so can a company that has a banner advertisement on a page of the site. For example, if an individual is visiting the Web site www.abc.com, a cookie from www.12345678.com would be considered a third party cookie. Third party cookies come from sites other than those an individual has directly navigated to.

Third party cookies may expire anywhere from one day to several decades. Cookies that take more than 6 months to expire are called long term tracking cookies, or persistent cookies. Many of the companies that use persistent cookies are national advertising companies. These companies, because they are using cookies across many sites, are able to develop broad consumer profiles based on Web behaviors if the tracking cookies are accepted and left on. [14]
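An added example, not part of the original report: a sketch that applies the two definitions above (third party, and persistent meaning a lifetime over 6 months) to `Set-Cookie` headers captured while loading one page. The hosts `www.abc.com` and `www.12345678.com` are the report's own illustration; the paths, cookie names and values are constructed, and the two-label `site()` comparison is a simplifying assumption.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# The report's "more than 6 months", approximated in days (assumption).
PERSISTENT_AFTER = timedelta(days=183)


def site(host):
    """Crude registrable domain: the last two labels of the host name.
    Assumption: real tooling should use the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def lifetime(attrs, seen_at):
    """Cookie lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # an invalid Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - seen_at
    return None


def classify(page_url, response_url, header, seen_at):
    """Label one cookie as first/third party and session/persistent."""
    name, attrs = parse_set_cookie(header)
    host = urlsplit(response_url).hostname
    life = lifetime(attrs, seen_at)
    return {
        "name": name,
        "host": host,
        "third_party": site(host) != site(urlsplit(page_url).hostname),
        "days": None if life is None else life.days,
        "persistent": life is not None and life > PERSISTENT_AFTER,
    }


def tracking_cookies(page_url, observed, seen_at):
    """(host, name) of every cookie that is both third party and persistent."""
    found = []
    for response_url, header in observed:
        c = classify(page_url, response_url, header, seen_at)
        if c["third_party"] and c["persistent"]:
            found.append((c["host"], c["name"]))
    return found


# Constructed capture: responses seen while loading one page.
PAGE = "http://www.abc.com/resume/upload"
SEEN_AT = datetime(2003, 9, 16, tzinfo=timezone.utc)
OBSERVED = [
    ("http://www.abc.com/resume/upload", "session=8f2c; Path=/"),
    ("http://www.abc.com/resume/upload", "prefs=compact; Max-Age=31536000; Path=/"),
    ("http://www.12345678.com/banner.gif",
     "uid=42; Expires=Thu, 31 Dec 2037 23:59:59 GMT; Path=/"),
    ("http://www.12345678.com/banner.gif", "cap=1; Max-Age=86400"),
]

if __name__ == "__main__":
    for url, header in OBSERVED:
        print(classify(PAGE, url, header, SEEN_AT))
    print("third-party persistent:", tracking_cookies(PAGE, OBSERVED, SEEN_AT))
```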

Most large job search sites have relationships with one or more national advertising networks, including DoubleClick, Advertising.com, Omniture, or others. Privacy notices at these sites often provide mundane descriptions of cookie use, frequently explaining that cookies serve to make using the site more efficient. [15]

Research disclosed that third party cookies are being used in the resume upload areas of career sites. [16] This provides information to the advertisers that the consumer has likely uploaded a resume and is likely actively looking for a job. Financial advertisers desiring to sell loans may be very interested in finding the people who are out of work. [17]

Many believe that since cookies generally only collect computer IP addresses, that cookie data is anonymous.

That is actually not always true. If a user at any point has accepted a third party long term tracking cookie and then has filled in a survey, a Web form (including online job forms at third party career sites) or has purchased something online at a site using the advertiser that set the cookie, depending on the privacy practices of that site, the user’s IP address may have been correlated or “matched” to the person’s name, home address, and other information the user filled in.

A recent issue complicating the collection and storage of user IP addresses in persistent cookies by national advertisers is the new legal uses for that IP address. The RIAA v. Verizon lawsuit [18] paved the way for copyright owners to subpoena personal records connected to specific IP addresses by showing only the most minimal justification. If a marketing company has collected users’ IP addresses, it may now express that it has a copyright concern, and legitimately subpoena the user information attached to that IP address. If a user has not already supplied personal information to an advertiser, it is still no longer that difficult to acquire.

The practice of setting persistent cookies on resume pages should ideally be discontinued. And all job sites allowing cookies from member companies of the NAI Principles need to familiarize themselves with those agreements and provide direct links to the NAI opt-out notice.

Meanwhile, consumers should know that some types of cookies are not the innocent residents of hard drives that job sites insist they are.


F. NAI Principles: Is Industry Self-Regulation Working at the Job Sites?

The NAI Principles were forged between the FTC and a group of national advertisers in 2001. The idea was for the advertisers to self-regulate their online consumer profiling activities, and thus forestall legislation. As part of that self-regulation, the advertising networks designed an “opt-out” cookie which, if a user downloaded it, would stop the consumer from being tracked by the company. Advertisers were to provide links to the opt-out cookies in privacy policies on affected Web sites.

Currently, almost no career-related site using third party cookies of NAI members [19] actually links to the appropriate opt-out pages. It appears that self-regulation is not working well, at least not at the online job search sites.

Of the 13 companies in the study that needed to provide one or more opt-out links, only two fully did so.

1. Provided opt-out link:

  • CareerBuilder: provided Omniture opt-out link.
  • Vault: provided NAI opt-out link.

2. Did not provide opt-out link:

  • 6FigureJobs: ValueClick, no opt out link.
  • CaliforniaJobs.com: Fastclick, no opt-out link.
  • CareerJournal: Link to DoubleClick privacy policy instead of required opt-out page.
  • CareerSite: Omniture, no opt out link.
  • CollegeRecruiter: Doubleclick, no opt out link.
  • College Grad Job Hunter: Doubleclick, Advertising.com. Opt out is available for Doubleclick, but not for Advertising.com.
  • DICE: Doubleclick, no opt-out link
  • HireDiversity: Doubleclick, Bluestreak; neither linked to opt-out.
  • Job.com: advertising.com, no opt-out
  • Monster.com: Doubleclick, atdmt, BlueStreak; no opt-out links.
  • MonsterDiversity: Bluestreak; no opt-out link.


G. Get Versus Post Requests on Job Search Sites

Web browsers do one thing very well: they provide a friendly graphic interface for individuals to use as they search Web sites. But behind the pretty graphics, browser commands coded into Web pages may be used to put job seeker information entered into Web forms into a browser’s URL bar. Once that information is in the URL bar, the information can then be picked up by advertisers that have a presence on that same page.

This “picking up” of job search data generally grabs job search keywords, salary, location, willingness to relocate, and the specific jobs a person looks at, and when. Any words or items job seekers fill into a Web form can be captured.

This kind of information spill is occurring very frequently on job search sites. It may strike some as “small potatoes” in terms of data. But these not-insignificant data pieces may be combined with other bits of data across many Web sites, particularly by national ad networks. The final result of this kind of profiling may be an unnervingly accurate portrait of the computer user in question.

1. How it works

Web sites may gather information from Web forms in two fundamental ways. The site may get the information by using something called a POST request, which simply grabs the information from a Web form and sends it to the Web site a user is visiting.

Or the site may get the information using a GET request. A GET request in the HTML code takes the information that has been entered into Web forms and places it in the URL, or Web address, of the following page. This is where a job seeker who has entered job search information can get into trouble.

While it sounds very simple, it is actually a negative privacy practice to put job search keywords or data into the URL bar. Any information placed in the URL may be freely picked up by advertisers with banner ads on that same page.

For example, CollegeGradJobHunter has a page on which job seekers may click on specific jobs that interest them. At the time of research, the page contained banners served by Advertising.com, a national advertising company that deposits long-term cookies that may track consumers over many years as they browse the Web.

A banner ad is able to pick up any GET requests, and any information that shows in the URL string, or box on the top of the browser window. On the CollegeGradJobHunter page, Advertising.com was delivered a “referrer string” or a line of code that gave it information that a person with a specific computer address was looking at an accounting job.

This is what the URL string, or URL showing in the browser window, looked like:

http://jobs.collegegrad.com/jobdetail.cfm?job=1757120&keywords=accounting%20

It is worth mentioning again that if a person has filled in a Web form, a survey, or has in some other way provided their name and email to a site with Advertising.com cookies, then Advertising.com may be able to correlate the “anonymous” data about searching for an accounting job with a name, address, or email address.

This use of GET requests is fairly common. Researchers found GET requests at sites from large to small. At Job.com, researchers searched for a job using the keyword Accounting. Researchers found that Job.com used a GET request to throw the information up into the URL box, or string.

The GET request looked like this:

<form action="/jobsearch/index.cfm" method="get">

The code above is directing the information in the Web form to be placed in the browser’s URL box. The address that showed up in the URL box in the browser after doing the keyword search looked like this:

http://www.job.com/jobsearch/index.cfm?tid=search.cfm&stype=1&catbox=0&stbox=5&key1=accounting+

Note that at the end of the URL, the keyword accounting shows up clearly. And on the very next page, an ad banner from jobclicks.net took up the information in an iframe, and off it went to jobclicks.net to add a little bit of data to an ever expanding profile of an accountant searching for jobs online.

=' + browDateTime + '&keywords=G5,I0,accounting," width=468 height=60
Marginwidth=0 Marginheight=0 Hspace=0 Vspace=0 Frameborder=0
// -->

Finally, after posting a resume on the Job.com site, the following URL was placed in the URL box with a GET request:

http://www.job.com/jobsearch/index.cfm?tid=applyOnline.cfm&s=2&i=272542&o=29&catBox=0&StBox=5&SalBox=0&key1=accounting&pCity=&pTitle=&sType=1&jc=0&lst=0&jobchan=&stUsing=0&ns=0&stFresh=60&resPg=20&vMode=x&sCol=1&sDir=1

The URL address, which could be retrieved by a banner ad, clearly shows that someone had applied online for a job, what kind of job they applied for, and what city the job was in. If there are no third parties on the same page as this URL string, then all is well. But if there are any third parties at all, then there is a data spill.

The spilling of job seeker information through GET requests is unnecessary. Job sites may display ads without giving the advertising networks sensitive job seeker information that can be used to create a consumer profile of that job seeker. Switching to POST requests would go far in enabling consumers to search for jobs without spilling keywords and other information about their job search interests.
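An added example, not code from the report or from any site it names: a model of what a third party on the results page receives in the `Referer` header when the search form uses GET versus POST. It goes beyond the report by also modelling the `Referrer-Policy` values later standardized for browsers; the ad host `ads.example` is hypothetical, and the form action and the `key1` and `stbox` fields come from the Job.com URL quoted above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit


def submit(action, method, fields):
    """Return (url_of_next_page, request_body) for an HTML form submission."""
    data = urlencode(fields)
    if method.lower() == "post":
        return action, data           # form data travels in the request body
    return f"{action}?{data}", None   # GET (the HTML default): data lands in the URL


def referer_sent(page_url, resource_url, policy):
    """Referer value a browser attaches when page_url loads resource_url,
    or None if no header is sent. Userinfo in URLs is not handled here."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme != "https"
    full = page._replace(fragment="").geturl()   # fragments are never sent
    origin = f"{page.scheme}://{page.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy: {policy}")


def disclosed_fields(referer):
    """Form fields a third party can read out of the Referer it received."""
    if not referer:
        return {}
    return {k: v.strip() for k, v in parse_qsl(urlsplit(referer).query)}


def exposure(action, method, fields, ad_url, policy):
    """Fields exposed to ad_url on the page that follows the form submission."""
    page_url, _body = submit(action, method, fields)
    return disclosed_fields(referer_sent(page_url, ad_url, policy))


# Constructed demo input.
ACTION = "http://www.job.com/jobsearch/index.cfm"   # form action quoted in the report
SEARCH = {"stbox": "5", "key1": "accounting"}        # two fields from the report's URL
AD_URL = "http://ads.example/banner"                 # hypothetical third-party host
LEGACY = "no-referrer-when-downgrade"       # matches browser behaviour in 2003
MODERN = "strict-origin-when-cross-origin"  # current browser default

if __name__ == "__main__":
    for method, policy in [("get", LEGACY), ("post", LEGACY), ("get", MODERN)]:
        print(method.upper(), policy, "->",
              exposure(ACTION, method, SEARCH, AD_URL, policy))
```

Trimming the `Referer` does not help when the page itself writes the search term into the ad tag's URL, as the `keywords=` parameter in the jobclicks.net fragment above does.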


H. Anonymous Access to Job Sites

Researchers tested each job site in the study to see if it allowed anonymous access, and if so, researchers tested how much a job seeker could accomplish anonymously. Except for some JavaScript issues, [20] most sites do allow anonymous access.

There are no known sites intentionally blocking anonymizing services. Those sites that did not allow true anonymizing services still allowed the use of proxies. [21]

If a job site posted ads containing complete employer contact information, and especially an email link to an employer’s email address, researchers were able to look for jobs anonymously and then apply online anonymously. Given the third party tracking occurring at some of the job sites, this is an excellent option for job seekers to take.

For a comprehensive list of anonymizing sites and services, please see the EPIC page, which maintains a good list: <http://www.epic.org/privacy/tools.html>. Scroll down to “Surf Anonymously.”


I. Trust and Seal Programs on the Job Sites

Seal programs have a particular importance in the online job search arena. Job seekers using Web sites to look for jobs are asked to give up detailed, personally identifiable information to these businesses. More and more, job seekers are also paying for extra services such as “resume upgrades” at these same sites, increasing the privacy and security risks by adding financial data into their data mix.

Seal programs such as those offered by TRUST-e and the BBB’s Online division are part of the solution for consumers. These programs can help job seekers make informed business and privacy decisions prior to releasing personal information. Of particular help is the BBB program which has a long-standing, well-oiled complaint reporting system already established from its physical BBB bureaus located throughout the United States. Consumers may look at the past numbers and types of consumer complaints and have an effective, unbiased means to gauge a business’ approach to consumers.

Researchers found that a very small percentage of sites were members of any seal program. Those members of the job and career industry that have joined seal programs and are in good standing deserve credit and praise, especially given the strikingly low overall membership among this sector.

It should be noted that some job sites display seals fraudulently. Despite their best efforts, the seal programs have had difficulties with sites that “spoof” or fake the seals. Both the BBB and TRUST-e warn that sites that display spoofed seals may be fraudulent.

As a note, both organizations use “click-to-verify” seals that, when clicked on, take consumers from the Web site displaying the seal directly to an official, verified page on the seal granting organization’s site. For the BBB seals, the seal is dated, and links to customer service reports about the business. TRUST-e uses a list of licensees for verification.

Sites spoofing seals will often take out the link to the seal verification site, so the seal no longer clicks through. Some seal-spoofing sites actually link to the seal organization’s home page to imply that the seal is valid. This is a deceptive practice.

The link to a good BBB seal, for example will look like this:

http://www.bbbonline.org/cks.asp?id=102121314211724370

Note that the URL contains an id number.

If a site fraudulently displays a BBB seal, the BBB will still hold the offending site to the standards of the seal. Consumers may enter arbitration even in absence of the company displaying the seal inappropriately.

1. Job Site BBB Seal Members in good standing:

  • IHire
  • ResumeDirector
  • ResumeXposure
  • ResumeRabbit

2. Job Sites Displaying a BBB Seal in Violation of a Seal Program: 

  • MonsterTrak.com (Expired Privacy Seal, deceptively linked.)
  • ResumeBlaster (Expired Reliability Seal.)
  • Resume.com (Expired Reliability Seal, link deactivated.)
  • JobViper (Expired Reliability Seal, deceptively linked.)
  • ResumeBroadcaster.com (Up to date seal, but technical violation of Reliability Seal terms: no posted privacy policy.)

3. TRUST-e members in Good Standing: 

  • WetFeet
  • HotJobs
  • Unicru


J. Scope of SPAM Issues Resulting from Online Job Searching

The dimensions of spam problems resulting from posting a resume online have changed significantly at job sites in the past three years. In the past, just about any resume posted online would attract a good deal of unsolicited email.

However, the larger sites in general and highly security conscious niche sites have cracked down hard on this problem. Monster.com, HotJobs, Medzilla, Craigslist.org, and LegalStaff are among those sites that did not spread a single piece of unsolicited email after a resume was posted on the site. Generally, Internet business models have become much more sophisticated and do not rely on sending advertising emails to make a profit.

That being said, some sites still do have a problem with spam. Much of the spam took the form of “affiliate marketing,” a practice where people send out links suggesting jobseekers visit certain sites. If the jobseeker visits the site, the individual sending the email will make some money from the referral. Some affiliate marketing messages were deceptive, and were made to look as if they were coming from a recruiter.

This problem is especially pervasive among some resume distribution services.


K. Resume Sharing and Cross-Posting Issues

Undisclosed resume sharing among the job sites is not as widespread as it once was. However, the practice has not completely disappeared. Researchers experienced this issue at three sites: SanDiegoJobs.com, CollegeGradJobHunter, and JobWareHouse.

After researchers posted two separate test resumes at SanDiegoJobs.com, both of the resumes were then discovered on JobWareHouse.com. JobWareHouse in fact sent email messages stating that the resumes had been received from San Diego Jobs, and the site was posting the resume for the researchers and providing a logon name and password. JobWareHouse sent one additional email to researchers’ test resumes from CollegeGradJobHunter stating it had received the resume from an affiliate.

The SanDiegoJobs.com site does not disclose the resume cross-posting to job seekers in its privacy policy. [22] SanDiegoJobs.com is part of a larger network of sites such as Orangecountryjobs.com, etc.

The email trail below shows what happened to the resume posted on CollegeGrad Job Hunter, LanceE7. This test resume was posted August 12, 2003. It received very little email. On October 2, JobWareHouse.com notified the LanceE7 resume that it had received the resume from an affiliate and had set up a user ID and password.

After that time, because of the commingling of the two sites, it became nearly impossible to tell which email came from which site. To give an idea of the resume response pattern, here are the exact results from the first resume posted at CollegeGradJobHunter.com:


Date: Email From:

030827 jfirth@spectranet.ca
030831 seekwork.net
030915 plugincareercenter.com
030929 execs-direct
031002 jobwarehouse.com

031002 jobwarehouse.com
031002 jobwarehouse.com
031002 jobwarehouse.com
031002 jobwarehouse.com
031002 jobwarehouse.com
031004 jobwarehouse.com
031005 jobwarehouse.com
031006 jobwarehouse.com
031006 jobwarehouse.com
031005 execs-direct
031007 resumes2work.com
031007 jobwarehouse.com
031007 jobwatchers.com
031008 jobwarehouse.com
031008 jobwarehouse.com
031008 ammassociates
031009 jobwarehouse.com
031009 job2@ijonn.com
031010 jobwarehouse.com
031010 familyprima.com
031011 jobwarehouse.com
031012 execs-direct
031013 jobwatchers.com
031013 jobguru.com
031013 jobwarehouse.com
031014 careerXpress.org
031020 execs-direct
031021 yahoo.com
031023 execs-direct
031023 jfirth@outer-net.com


use BlastMyResume
visit site
visit site
post here
received resume from affiliate – set up uid and pw
use ResumeRabbit
submit resume
post here
use our services
click to go to www.eorss.com
financial planning
use resumemailman
post here
post here
use ResumeRabbit
click to go to employment job center
use “yourjobsearcher”
use ResumeRabbit

Researchers found the cross-posting confusing, even with highly unique resume addresses. Cross-posting resumes should only be done with prior explicit consent from the job seeker. In this sort of situation, a double opt-in is appropriate in order to provide adequate assurances that job seekers have been well-informed of the cross-posting and have in fact agreed to it prior to the time it happens.

It is critical for consumers to keep excellent track of their resumes so they know when this kind of thing has happened to them.


L. Outright Resume Selling and Theft

Researchers found one instance of known, provable resume selling and two instances of known, provable resume theft.

In November 2002, HotResumes.com sold 4,941 resumes for .33 cents each to a now-defunct job site called BioTechCareers.com. This invoice was made public and was published as part of a lawsuit against an individual who had purloined resumes from other resume databases, a Mr. Monastra (Medzilla vs. Optimum Intelligence et al.). [23] The invoice was noted as a “resume sale” and it was marked as paid. [24]

For reference purposes, the HotResumes privacy policy that was posted on its Web site at the time is quoted below in part.

HotResumes.com privacy policy excerpt from February, 2003:

“We do not disclose information about your individual visits to HotResumes.com, or personal information that you provide, such as your name, address, email address, telephone number, credit card number, etc., to any outside parties, except when we believe the law requires it. But, we may record and share aggregated information with our partners.”

HotResumes has since changed its privacy policy. It is unknown if the site is still selling resumes or not.

Beyond the theft of resumes in Medzilla’s and other databases by Optimum Intelligence, one known offline resume heist has occurred. In October, 2003, a company, ELS Locators, requested a copy of the file of all New Jersey residents who had applied for unemployment benefits. The company then set up a three-day job fair through New Jersey’s State Department of Labor office. The job applicants attending the fairs gave ELS Locators a $42 fee plus their Social Security Numbers, bank account numbers and credit card information.

In November, Federal authorities contacted New Jersey law enforcement officials and told them that ELS was a fraudulent company that had perpetrated identity theft scams in 15 cities in eight states. [25]

It is critical for job seekers to understand when SSNs should and should not be given prior to an interview. Some legitimate employers (such as Sports Authority and other businesses using Unicru employment application kiosks) require applicants to give up a Social Security Number and date of birth before even filling out an application, but overall, this is rare. However, no employer needs bank account information or credit card numbers upfront.


M. Frequency and Quality of Privacy Policy Notices

Of the job sites studied, almost all of the sites had a posted privacy policy. This marks an improvement from 2001, when the sites were last surveyed for policies. Out of 53 sites that made it into the final study, only 5 did not have posted privacy policies.

The policies on the whole tend to be well fleshed out, and though few adhere to the full OECD guidelines, they are usually full, one-page policies.

Most of the sites studied provided separate links to privacy policies. However, those links could be a challenge to find.

It is a best practice for job sites to link to a privacy policy on the home page of a site, and on every page where job seeker data is collected.






[7] See: <http://usajobs.opm.gov>. The SSN requirement can be found on the ResumeBuilder <https://my.usajobs.opm.gov/userprofile.asp?resumeid=41595356&original=&builderid=37&view resume=>.

[8] OPM News Release August 22, 2003. “Over 3 Million visitors to USAJOBS and Over 50,000 Resumes Online.” <http://www.opm.gov/pressrel/2003/CC-USAJOBS2.asp>.

[9] See in-store kiosks, or visit <https://wss1a.unicru.com/hirepro/C149/locator.jsp>.

[10] See Federal Trade Commission, Identity Theft Survey Report, September 2003. <http://www.consumer.gov/idtheft/>. Also see Written Testimony for U.S. Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Senator Jon Kyl, Chairman, July 12, 2000. Testimony by: Beth Givens, Director, Privacy Rights Clearinghouse. <http://www.privacyrights.org/ar/id_theft.htm>.

[11] See the EEOC fact sheet for more information <http://www.eeoc.gov/facts/qanda.html>.

[12] The basic email read: “I had some trouble finding your privacy policy. Do you have one? Also, before I post my resume I want to be sure that it will not be shared with anyone but employers. I appreciate your reply and your help.”

[13] For more information about cookies, please see CookieCentral <http://www.cookiecentral.com/>.

[14] FTC Consumer Profiling Report to Congress. See <http://www.ftc.gov/opa/2000/07/onlineprofiling.htm> and <http://www.ftc.gov/os/2000/07/index.htm#27>.

[15] For example, see <http://www.localcareers.com/privacy.htm>.

[16] For example, Job.com has third party banner ads in its resume posting area from jobclicks.net.

[17] Researchers received approximately a dozen emails soliciting inexpensive loans, credit cards, and other financial offers.

[18] The RIAA vs. Verizon case file can be found at EFF: <http://www.eff.org/Cases/RIAA_v_Verizon/>.

[19] The NAI Principles are a self-regulatory scheme adopted by national advertisers. For more about this agreement, please see <http://www.ftc.gov/os/2000/07/index.htm#27> and <http://www.networkadvertising.org/aboutnai_nai.asp>.

[20] It is not possible to use a true anonymizing service when a site requires Javascripting to be operative. Most anonymizing services turn off Javascripting by default due to privacy and security issues relating to its use.

[21] A proxy is a computer that stands between you and the machine you are accessing. Because of the use of an intermediary machine, you can keep your IP address and geographic location secret. For more on this see <www.junkbuster.com>.

[22] SanDiegojobs.com privacy policy <http://www.sandiegojobs.com/local/privacy.asp>.

[23] Medzilla, Inc. v Optimum Intelligence LLC, et al Case No. CO2-2122R, U.S. District Court for the Western District of Washington at Seattle.

[24] A PDF copy of the invoice is available at <www.worldprivacyforum.org>. See “Resume Sale.”

[25] See “Hundreds Of Identities Stolen At N.J. Job Fair.” WNBC, Nov. 7, 2003. <http://www.wnbc.com/news/2618945/detail.html>


