2003 Job Search Privacy Study: Core Job Site Privacy Issues
The following issues are highly relevant to job applicant privacy as found in the research conducted for this study.
A. Collection of Job Seeker Data at Job Sites
Job and employment sites consistently collect robust, rich information from job seekers. Most sites collect the following kinds of information from job seekers:
- phone number
- educational level
- future educational plans
- geographic location
- years on the job
- willingness to travel or relocate.
Some sites may request gender or race to comply with EEO regulations. Some sites may request a date of birth as well. Only a handful of sites in the study collected SSNs. However, those sites had significant reach. For example, USAJOBS, the US Government’s Web site, requests SSN when job seekers want to post a resume.
All or part of the aforementioned data, plus the information contained in the resume is what job sites typically collect from job seekers looking for jobs.
In recent years, some job sites have begun selling services such as resume distribution to job seekers. When this is the case, then these sites also may collect credit card data.
Some employers may also gather personality profiles from job seekers via an online application form. Sports Authority is an example of an employer that collects this type of data.
Even when a job seeker simply browses through a job site looking at job ads without registering or posting a resume, the sites may still collect certain pieces of data from job seekers such as types of jobs searched for, where, and so on. This type of collection is usually accomplished through a combination of depositing cookies and using page referrals, and may be stopped by consumers who are aware of the activity.
Some “pass through” sites, such as DirectEmployers.com, stand as an exception to the large quantities of personal data collected at employment sites in that these sites gather almost zero job seeker data; the goal there is to send job seekers to the corporate Web site where the job is located. Another pass-through site is Jobs.com. Jobs.com, though, is slightly different in that it takes job seekers to job ads posted on a third party commercial Web site.
Few online businesses provide as rich and steady of a supply of detailed consumer data as job sites do. The “pass through” sites prove that most sites could be gathering much less information from job seekers.
B. Use of SSN at Job Sites
In this study, the sites that requested Social Security Numbers included government, state, and teacher (state –run) sites. Commercial sites related to Unicru also requested job seeker SSN and date of birth. While only a handful of sites requested this information, the sites that did request it had a very broad reach.
Specifically, USAJOBS.opm.gov and StudentJobs.gov allowed applicants to browse job ads without divulging an SSN.  However, to post a resume on the sites, research found that job seekers had to disclose SSN. According to an OPM press release, just from August 4 to 20th of 2003, job seekers created more than 51,000 resumes on the site,  which gives a fair idea of the impact of the SSN request at the USAJOBS site.
EdJoin (a site for California Teachers) allowed voluntary disclosure of SSN. CalJobs (www.caljobs.ca.gov ) , the site for California State jobs, requested disclosure of job seeker SSN and date of birth prior to looking at a job ad.
Sports Authority is operating Unicru-run employment application kiosks and a matching Web site. Unicru processes approximately one applicant per second, or an estimated 6 million applicants per year who must go through that process.
So, just in this study, the sites that require SSN for application impact well over 6 million people per year.
C. Use of EEO and ADA Information Online
Research has found that online job sites have been highly inconsistent with how Equal Employment Opportunity (EEO) information is applied. Overall, sites tend to be more careful and consistent with Americans with Disabilities Act (ADA) issues.
Title VII of the Civil Rights Act of 1964 prohibits employment discrimination based on race, color, religion, sex, or national origin.  The rules for applying the provisions of Title VII requires employers or employment agencies to state that any information related to EEO questions is completely voluntary. The employer must also state that the information will not be included in a jobseeker’s application to the employer.
By far the site with the clearest compliance with these provisions is Unicru’s as seen at Sports Authority. This is what its EEO notice looked like at SportsAuthority.com:
The following questions are completely voluntary. To comply with government regulations we must make a good faith effort to record this information on our applicants. Your answers will not be made available to anyone involved in the hiring process. What is your race?
American Indian or Alaska Native
Black or African American
Hispanic or Latino
Native Hawaiian/ Other Pacific Islander Caucasian or White
This is a faultless application of EEO guidelines in an online application environment. But few sites go this far. For example, when Job.com asks for gender and date of birth, there is not an EEO notice stating that giving the gender information is voluntary. This kind of request is actually not uncommon at online job sites.
In the course of research, researchers became aware of a document that discussed Monster.com’s use of the FastWeb site for hiring part-time workers. This potentially places FastWeb in the category of an employment agency, which would require the site to give EEO notice regarding the voluntary submission of racial, gender, religious, and nationality information. It would also, according to the current rules, require that FastWeb keep the TitleVII data separate from a user’s application.
The EEO guidelines are being stretched by new technologies and the new online application environment. The EEO regulations either need to be updated for electronic mediums, or the old guidelines need to be reaffirmed and applied in the new mediums.
D. Job Site Responses to Consumer Privacy Queries
The goals of the privacy query test were to determine:
How sites responded to consumer privacy queries
A very basic email  was crafted to test the privacy-related help a consumer might receive at the job search sites. A question about SSNs was added for sites that collected that information. For sites that possibly marketed information to advertisers, slight variations in the email were made to accommodate this aspect. The email was sent using an email address that was not easily identifiable as belonging to either a privacy organization or privacy researchers.
The queries went out September 16, 2003. The first responses began to arrive within approximately one hour. The last response researchers received arrived September 30, 2003. The test officially concluded October 15, 2003. Researchers sent repeat queries to unresponsive sites up until November 7, 2003.
There was some attrition in this study due to spam filtering, mail bouncebacks, and other unavoidable technical glitches. Even taking that into account, it is clear that the job sites took the consumer query seriously. Most sites replied to researchers in under two days, which is quite rapid by most standards.
1. Specific Site Responses
a. The following job sites sent personal emails back to researchers’ privacy queries in under 6 hours.
- IM Diversity
b. The following sites sent an auto-reply response in under 6 hours:
- *TrueCareers – site followed up with additional reply later.
- **CareerBuilder The autoresponse CareerBuilder sent within 6 hours came after it had already sent a personal response to researchers’ privacy query email. The autoresponse from CareerBuilder requested that the researcher fill out a followup customer satisfaction survey.
- *FedJobs.gov (USAJOBS) – site followed up with additional reply later.
- *CollegeRecruiter – site followed up with additional reply later.
c. The following sites sent a response within 6 to 24 hours:
- FedJobs.gov USAJOBS
d. The following sites sent a response in over 48 hours:
- FedJobs – Federal Research Service.
- OPM –
- WorkStream Inc. (6 Figure Jobs
2. Unresponsive Sites / Technical Issues
Researchers conducted the privacy email query test for several purposes. One was to see the responses. But the test was also conducted to see if the email addresses companies listed on privacy policies were accurate. Before the test was conducted, researchers included in the methodology the fact that new site addresses were not to be searched out and tried, which would create a lack of fairness for those sites that had listed accurate addresses in their privacy policies.
a. The following are sites, when after being emailed and retested, did not bounce back replies to researchers:
- Saludos.com –Email was sent to info@Saludos.com.
- Vault – Email was sent to email@example.com
- Careersite – Email was sent to firstname.lastname@example.org
- Ocjobs – Email was sent to email@example.com
- Careerexplorer – Email was sent to firstname.lastname@example.org
b. Very few total addresses in this study came back as undeliverable to researchers. Those
that did are included in the list below.
- Andrew.email@example.com **
* Researchers retested and checked all of these messages for accuracy. Email addresses were tested more than one time after a bounce.
* *After researchers completed the email test, Adecco completed a major Adecco USA site redesign that addressed the response problems.
***Idealist’s email system was down during the test period.
E. Use of Third Party Cookies at Job and Career Sites
The use of third party cookies  has grown at career and job-related sites.
For background, cookies are bits of information that can be sent to a computer. A Web site an individual is visiting can send a cookie, and so can a company that has a banner advertisement on a page of the site. For example, if an individual is visiting the Web site www.abc.com, a cookie from www.12345678.com would be considered a third party cookie. Third party cookies come from sites other than those an individual has directly navigated to.
Third party cookies may expire anywhere from one day to several decades. Cookies that take more than 6 months to expire are called long term tracking cookies, or persistent cookies. Many of the companies that use persistent cookies are national advertising companies. These companies, because they are using cookies across many sites, are able to develop broad consumer profiles based on Web behaviors if the tracking cookies are accepted and left on. 
Most large job search sites have relationships with one or more national advertising networks, including DoubleClick, Advertising.com, Omniture, or others. Privacy notices at these sites often provide mundane descriptions of cookie use, frequently explaining that cookies serve to make using the site more efficient. 
Research disclosed that third party cookies are being used in the resume upload areas of career sites.  This provides information to the advertisers that the consumer has likely uploaded a resume and is likely actively looking for a job. Financial advertisers desiring to sell loans may be very interested in finding the people who are out of work. 
Many believe that since cookies generally only collect computer IP addresses, that cookie data is anonymous.
That is actually not always true. If a user at any point has accepted a third party long term tracking cookie and then has filled in a survey, a Web form (including online job forms at third party career sites) or has purchased something online at a site using the advertiser that set the cookie, depending on the privacy practices of that site, the users IP address may have been correlated or “matched” to the person’s name, home address, and other information the user filled in.
A recent issue complicating the collection and storage of user IP addresses in persistent cookies by national advertisers are the new legal uses for that IP address. The RIAA v. Verizon lawsuit  paved the way for copyright owner s to subpoena personal records connected to specific IP addresses by showing only the most minimal justification. If a marketing company has collected users IP addresses, it may now express that it has a copyright concern, and legitimately subpoena the user information attached to that IP address. If a user has not already supplied personal information to an advertiser, it is still no longer that difficult to acquire.
The practice of setting persistent cookies on resume pages should ideally be discontinued. And all job sites allowing cookies from member companies of the NAI Principles need to familiarize themselves with those agreements and provide direct links to the NAI opt-out notice.
Meanwhile, consumers should know that some types of cookies are not the innocent residents of hard drives that job sites insist them to be.
F. NAI Principles: Is Industry Self-Regulation Working at the Job Sites?
The NAI Principles were forged between the FTC and a group of national advertisers in 2001. The idea was for the advertisers to self-regulate their online consumer profiling activities, and thus forestall legislation. As part of that self-regulations, the advertising networks designed an “opt-out” cookie, which if a user downloaded, would stop the consumer from being tracked by the company. Advertisers were to provide links to the opt-out cookies in privacy policies on affected Web sites.
Currently, almost no career-related site using third party cookies of NAI members  actually links to the appropriate opt-out pages. It appears that self-regulation is not working well, at least not at the online job search sites.
Of the 13 companies in the study that needed to provide one or more opt-out links, only two fully did so.
1. Provided opt-out link:
• CareerBuilder: provided Omniture opt-out link.
• Vault: provided NAI opt-out link.
2. Did not provide opt-out link:
- 6FigureJobs: ValueClick, no opt out link.
- CaliforniaJobs.com: Fastclick, no opt-out link.
- CareerSite: Omniture, no opt out link.
- CollegeRecruiter: Doubleclick, no opt out link.
- College Grad Job Hunter: Doubleclick, Advertising.com. Opt out is available for
Doubleclick, but not for Advertising.com.
- DICE: Doubleclick, no opt-out link
- HireDiversity: Doubleclick, Bluestreak; neither linked to opt-out.
- Job.com: advertising.com, no opt-out
- Monster.com: Doubleclick, atdmt, BlueStreak; no opt-out links.
- MonsterDiversity: Bluestreak; no opt-out link.
G. Get Versus Post Requests on Job Search Sites
Web browsers do one thing very well: they provide a friendly graphic interface for individuals to use as they search Web sites. But behind the pretty graphics, browser commands coded into Web pages may be used to put job seeker information entered into Web forms into a browser’s URL bar. Once that information is in the URL bar, the information can then be picked up by advertisers that have a presence on that same page.
This “picking up” of job search data generally grabs job search keywords, salary, location, willingness to relocate, and the specific jobs a person looks at, and when. Any words or items job seekers fill into a Web form can be captured.
This kind of information spill is occurring very frequently on job search sites. It may strike some as “small potatoes” in terms of data. But these not-insignificant data pieces may be combined with other bits of data across many Web sites, particularly by national ad networks . The final result of this kind of profiling may be an unnervingly accurate portrait of the computer user in question.
1. How it works
Web sites may gather information from Web forms two fundamental ways. The site may get the information by using something called a POST request, which simply grabs the information from a Web form and sends it to the Web site a user is visiting.
Or the site may get the information using a GET request. A GET request in the HTML code takes the information that has been entered into Web forms and places it in the URL, or Web address, of the following page. This is where a job seeker who has entered job search information can get into trouble.
While it sounds very simple, it is actually a negative privacy practice to put job search keywords or data into the URL bar. Any information placed in the URL may be freely picked up by advertisers with banner ads on that same page.
For example, CollegeGradJobHunter has a page on which job seekers may click on specific jobs that interest them. At the time of research, the page contained banners served by Advertising.com, a national advertising company that deposits long-term cookies that may track consumers over many years as they browse the Web.
A banner ad is able to pick up any GET requests, and any information that shows in the URL string, or box on the top of the browser window. On the CollegeGradJobHunter page, Advertising.com was delivered a “referrer string” or a line of code that gave it information that a person with a specific computer address was looking at an accounting job.
This is what the URL string, or URL showing in the browser window, looked like:
It worth mentioning again that if a person has filled in a Web form, a survey, or has in some other way provided their name and email to a site with Advertising.com cookies, then Advertising.com may be able to correlate the “anonymous” data about searching for an accounting job with a name, address, or email address.
This use of GET requests is fairly common. Researchers found GET requests at sites from large to small. At Job.com, researchers searched for a job using the keyword Accounting. Researchers found that Job.com used a GET request to throw the information up into the URL box, or string.
The GET request looked like this:
<form action=”/jobsearch/index.cfm” method=”get”>
The code above is directing the information in the Web form to be placed in the browsers URL box. The address that showed up in the URL box in the browser after doing the keyword search looked like this:
Note that at the end of the URL, the keyword accounting shows up clearly. And on the very next page, an ad banner from jobclicks.net took up the information in an i frame, and off it went to jobclicks.net to add a little bit of data to an ever expanding profile of an accountant searching for jobs online.
=’ + browDateTime + ‘&keywords=G5,I0,accounting,” width=468 height=60
Marginwidth=0 Marginheight=0 Hspace=0 Vspace=0 Frameborder=0
Finally, after posting a resume on the Job.com site, the following URL was placed in the URL box with a GET request:
http://www.job.com/jobsearch/index.cfm?tid=applyOnline.cfm&s=2&i=272542&o =29&catBox=0&StBox=5&SalBox=0&key1=accounting&pCity=&pTitle=&sType=1&jc=0 &lst=0&jobchan=&stUsing=0&ns=0&stFresh=60&resPg=20&vMode=x&sCol=1&sDir=1
The URL address, which could be retrieved by a banner ad, clearly shows that someone had applied online for a job, what kind of job they applied for, and what city the job was in. If there are no third parties on the same page as this URL string, then all is well. But if there are any third parties at all, then there is a data spill.
The spilling of job seeker information through GET requests is unnecessary. Job sites may display ads without giving the advertising networks sensitive job seeker information that can be used to create a consumer profile of that job seeker. Switching to POST requests would go far in enabling consumers to search for jobs without spilling keywords and other information about their job search interests.
H. Anonymous Access to Job Sites
There are no known sites intentionally blocking anonymizing services. Those sites that did not allow true anonymizing services, still allowed the use of proxies. 
If a job site posted ads containing complete employer contact information, and especially an email link to an employer’s email address, researchers were able to look for jobs anonymously and then apply online anonymously. Given the third party tracking occurring at some of the job sites, this is an excellent option for job seekers to take.
For a comprehensive list of anonymizing sites and services, please see the EPIC page which maintains a good list. <http://www.epic.org/privacy/tools.html> . Scroll down to “Surf Anonymously.”
I. Trust and Seal Programs on the Job Sites
Seal programs have a particular importance in the online job search arena. Job seekers using Web sites to look for jobs are asked to give up detailed, personally identifiable information to these businesses. More and more, job seekers are also paying for extra services such as “resume upgrades” at these same sites, increasing the privacy and security risks by adding financial data into their data mix.
Seal programs such as those offered by TRUST-e and the BBB’s Online division are part of the solution for consumers. These programs can help job seekers make informed business and privacy decisions prior to releasing personal information. Of particular help is the BBB program which has a long-standing , well-oiled complaint reporting system already established from its physical BBB bureaus located throughout the United States. Consumers may look at the past numbers and types of consumer complaints and have an effective, unbiased means to gauge a business’ approach to consumers.
Researchers found that a very small percentage of sites were members of any seal program. Those members of the job and career industry that have joined seal programs and are in good standing deserve credit and praise, especially given the strikingly low overall membership among this sector.
It should be noted that some job sites display seals fraudulently. Despite their best efforts, the seal programs have had difficulties with sites that “spoof” or fake the seals. Both the BBB and TRUST-e warn that sites that display spoofed seals may be fraudulent.
As a note, both organizations use “click-to-verify” seals that, when clicked on, take consumers from the Web site displaying the seal directly to an official, verified page on the seal granting organization’s site. For the BBB seals, the seal is dated, and links to customer service reports about the business. TRUST-e uses a list of licensees for verification.
Sites spoofing seals will often take out the link to the seal verification site, so the seal no longer clicks through. Some seal-spoofing sites actually link to the seal organization’s home page to imply that the seal is valid. This is a deceptive practice.
The link to a good BBB seal, for example will look like this:
http://www.bbbonline.org/cks.asp?id=102121314211724370 . Note that the URL contains an id number.
If a site fraudulently displays a BBB seal, the BBB will still hold the offending site to the standards of the seal. Consumers may enter arbitration even in absence of the company displaying the seal inappropriately.
1. Job Site BBB Seal Members in good standing:
2. Job Sites Displaying a BBB Seal in Violation of a Seal Program:
- MonsterTrak.com (Expired Privacy Seal, deceptively linked .)
- ResumeBlaster Expired Reliability Seal.)
- Resume.com (Expired Reliability Seal, link deactivated.)
- JobViper (Expired Reliability Seal, deceptively linked.)
3. TRUST-e members in Good Standing:
J. Scope of SPAM Issues Resulting from Online Job Searching
The dimensions of spam problems resulting from posting a resume online has changed significantly at job sites in the past three years. In the past, just about any resume posted online would attract a good deal of unsolicited email.
However, the larger sites in general and highly security conscious niche sites have cracked down hard on this problem. Monster.com, HotJobs, Medzilla, Craigslist.org, and LegalStaff are among those sites that did not spread a single piece of unsolicited email after a resume was posted on the site. Generally, Internet business models have become much more sophisticated and do not rely on sending advertising emails to make a profit.
That being said, some sites still do have a problem with spam. Much of the spam took the form of “affiliate marketing,” a practice where people send out links suggesting jobseekers visit certain sites. If the jobseeker visits the site, the individual sending the email will make some money from the referral. Some affiliate marketing messages were deceptive, and were made to look as if they were coming from a recruiter.
This problem is especially pervasive among some resume distribution services.
K. Resume Sharing and Cross-Posting Issues
Undisclosed resume sharing among the job sites is not as widespread as it once was. However, the practice has not completely disappeared. Researchers experienced this issue at three sites. SanDiegoJobs.com, CollegeGradJobHunter, and JobWareHouse.
After researchers posted two separate test resumes at SanDiegoJobs.com, both of the resumes were then discovered on JobWareHouse.com. JobWareHouse in fact sent email messages stating that the resumes had been received from San Diego Jobs, and the site was posting the resume for the researchers and providing a logon name and password. JobWareHouse sent one additional email to researchers test resumes from CollegeGradJobHunter stating it had received the resume from an affiliate.
The email trail below shows what happened to the resume posted on CollegeGrad Job Hunter, LanceE7. This test resume was posted August 12, 2003. It received very little email. On October 2, JobWareHouse.com notified the LanceE7 resume that it had received the resume from an affiliate and had set up a user ID and password.
After that time, because of the commingling of the two sites, it became nearly impossible to tell which email came from which site. To give an idea of the resume response pattern, here are the exact results from the first resume posted at CollegeGradJobHunter.com:
Date: Email From:
received resume from affiliate – set up uid and pw
use our services
click to go to www.eorss.com
click to go to employment job center
use “ yourjobsearcher”
Researchers found the cross-posting confusing, even with highly unique resume addresses. Cross-posting resumes should only be done with prior explicit consent from the job seeker. In this sort of situation, a double opt-in is appropriate in order to provide adequate assurances that job seekers have been well-informed of the cross-posting and have in fact agreed to it prior to the time it happens.
It is critical for consumers to keep excellent track of their resumes so they know when this kind of thing has happened to them.
L. Outright Resume Selling and Theft
Researchers found one instance of known, provable resume selling and two instances of known, provable resume theft.
In November 2002, HotResumes.com sold 4,941 resumes for .33 cents each to a now- defunct job site called BioTechCareers.com. This invoice was made public and was published as part of a lawsuit against an individual who had purloined resumes from other resume databases, a Mr. Monastra. ( Medzilla vs. Optimum Intelligence et al .) 23The invoice was noted as a “resume sale” and it was marked as paid. 
“We do not disclose information about your individual visits to HotResumes.com, or personal information that you provide, such as your name, address, email address, telephone number, credit card number, etc., to any outside parties, except when we believe the law requires it. But, we may record and share aggregated information with our partners.”
Beyond the theft of resumes in Medzilla’s and other databases by Optimum Intelligence, one known offline resume heist has occurred. In October, 2003, a company, ELS Locators requested a copy of the file of all New Jersey residents who had applied for unemployment benefits. The company then set up a three-day job fair through New Jersey’s State Department of Labor office. The job applicants attending the fairs gave ELS Locators a $42 fee plus their Social Security Numbers, bank account numbers and credit card information.
In November, Federal authorities contacted New Jersey law enforcement officials and told them that ELS was a fraudulent company that had perpetuated identity theft scams in 15 cities in eight states. 
It is critical for job seekers to understand when SSNs should and should not be given prior to an interview. Some legitimate employers (such as Sports Authority and other businesses using Unicru employment application kiosks) require applicants to give up a Social Security Number and date of birth before even filling out an application, but overall, this is rare. However, no employer needs bank account information or credit card numbers upfront.
The policies on the whole tend to be well-fleshed out, and though few adhere to the full OECD guidelines, they are usually full, one-page policies.
Most of the sites studied provided separate links to privacy policies. However, those links could be a challenge to find.
 See: < http://usajobs.opm.gov>. The SSN requirement can be found on the ResumeBuilder < https://my.usajobs.opm.gov/userprofile.asp?resumeid=41595356&original=&builderid=37&view resume= > .
 OPM News Release August 22, 2003. “ Over 3 Million visitors to USAJOBS and Over 50,000 Resumes Online.” < http://www.opm.gov/pressrel/2003/CC-USAJOBS2.asp> .
 See in-store kiosks, or visit < https://wss1a.unicru.com/hirepro/C149/locator.jsp>
 See Federal Trade Commisson- Identity Theft Survey Report, September 2003. < http://www.consumer.gov/idtheft/ >. Also see Written Testimony for U.S. Senate Judiciary Subcommittee
on Technology, Terrorism, and Government Information Senator Jon Kyl, Chairman, July 12, 2000. Testimony by: Beth Givens, Director Privacy Rights Clearinghouse. < http://www.privacyrights.org/ar/id_theft.htm>.
 See the EEOC fact sheet for more information < http://www.eeoc.gov/facts/qanda.html >.
 For more information about cookies, please see CookieCentral < http://www.cookiecentral.com/ >.
 FTC Consumer Profiling Report to Congress See < http://www.ftc.gov/opa/2000/07/onlineprofiling.htm > and < http://www.ftc.gov/os/2000/07/index.htm#27 >
 For example, see http://www.localcareers.com/privacy.htm..
 For example, Job.com has third party banner ads in its resume posting area from jobclicks.net.
 Researchers received approximately a dozen emails soliciting inexpensive loans, credit cards, and other financial offers.
 The RIAA vs. Verizon, case file can be found at EFF: < http://www.eff.org/Cases/RIAA_v_Verizon/>.
[19[ The NAI Principles are a self-regulatory scheme adopted by national advertisers. For more about this agreement, please see< http://www.ftc.gov/os/2000/07/index.htm#27 > and < http://www.networkadvertising.org/aboutnai_nai.asp > .
 A proxy is a computer that stands between you and the machine you are accessing. Because of the use of an intermediary machine, you can keep your IP address and geographic location secret. For more on this see < www.junkbuster.com. >
 Medzilla, Inc. v Optimum Intelligence LLC, et al Case No. CO2-2122R, U.S. District Court for the Western District of Washington at Seattle.
 A PDF copy of the invoice is available at <www.worldprivacyforum.org.> . See “Resume Sale.”
 See “Hundreds Of Identities Stolen At N.J. Job Fair.” WNBC, Nov. 7, 2003. <http://www.wnbc.com/news/2618945/detail.html>
Roadmap: 2003 Job Search Privacy Study – Job Searching in the Networked Environment: Consumer Privacy Benchmarks: IV. Core Job Site Privacy Issues