What is cyber vetting? Is it legal? Is it ethical?

Published on 31 May 2021

Most people are familiar with the concept of background verification and background checks. Over the past 10 years, an increasing number of employees are examining online behavior and social media posts as part of their verification process. A combination of actions and practices that are conducted by an organization to check the online reputation of a potential employee is referred to as cyber vetting.  In January of this year, the FBI in the United States, cybervet members of the national guard that were called into Washington city during Joe Biden's Presidential Inauguration. This was in wake of the unprecedented capital riot, where a mob of Trump supporters stormed the capitol building to disrupt the election certification process. Investigations after the attack revealed that some of the members of the mob were active army officers and members of civil service. To ensure that the guards being called in to protect the inauguration did not subscribe to conspiracy theories or had ill intent, the FBI cybervet national guard members. The attention surrounding the events in January gave an additional spotlight to what the FBI was doing and introduced the term cyber vetting to a wider audience.

See also: Why is cyber security training for employees necessary?

What exactly is cyber vetting?

When we are active online we start to build an online presence. This presence includes our social media profiles, the content we have shared, blogs that we have posted, any websites that mention us, any comments we have left on content, etc. All of these actions over time contribute to an online reputation. Employers may choose to examine an individual's online reputation for signs that they are not suitable candidates for a particular position. The practice of cyber vetting potential employees has increased significantly over the past decade. According to a survey by Career Builder, 70% of employers use social networking sites to screen candidates for a position. Of those that conduct cyber vetting 57% said they have found content in their screening that made them decide against hiring a candidate[1]. It has become increasingly apparent that how you represent yourself online can have serious real-life consequences. As this practice becomes more commonplace, there are some serious questions being raised, is cyber vetting potential employees legal? Is cyber vetting ethical?

Is cyber vetting legal?

Depending on what country you are in, the legal implications of cyber vetting are different. Below are some of the legal concerns regarding cyber vetting

Prior notice

Practices like credit checks, reference checks, and background checks have been around for a very long time. However, when an organization conducts such a check they have to inform the individual before doing so. Potential employees have a clear understanding of what the organization's screening process will be, when and how these checks will be conducted. Often candidates have to give written permission to an organization to conduct such verification. Candidates can choose not to provide this permission and opt-out of the hiring process. When it comes to cyber vetting this is not the case. An HR professional or manager can simply look for information about a candidate online without informing them beforehand that they will be doing so.

Right to privacy

The other legal concern is related to existing privacy laws. The European Union has GDPR, Brazil has Lei Geral de Proteção de Dados, China has the Personal Information Protection Law (PIPL), over a120 countries around the world have data and information privacy legislation. Cyber vetting falls in a grey zone, the practice may violate the norms set out in these legislations that aim to protect an individual's right to privacy.   

Life outside work

Similar to privacy legislation, most countries have laws in place that protect workers from being penalized for what they choose to do outside working hours. Employees have the freedom to decide how they want to spend their time outside work hours and they cannot be penalized for it. This is why there are legal concerns with cyber vetting. If a business chooses not to hire a candidate because of something they shared on social media does it violate the spirit of the law?

Is cyber vetting ethical?

Along with legal concerns about the practice, there are also ethical issues with  cyber vetting potential employees. As stated above more than half of the employers surveyed by Career Builder who conduct social media and online screenings find objectionable content and decide not to hire a candidate. Some of the reasons employees chose not to hire a candidate include:

  • Candidate posted provocative or inappropriate photographs, videos, or information
  • Posted information about them drinking or using drugs
  • Made discriminatory comments related to race, gender, religion, etc
  • Candidate was linked to criminal behavior: 
  • Candidate lied about qualifications
  • Candidate had poor communication skills
  • Bad-mouthed their previous company or fellow employee
  • Their Screen name was unprofessional
  • Shared confidential information from previous employers
  • Candidate posted too frequently

The ethical issue is that many of the reasons employers choose not to hire a candidate have nothing to do with the candidate's ability to do the job. For example, posting information about drinking, how would this indicate an individual's ability to perform a particular job? The other ethical issue is that some of the parameters employers use are subjective. For instance, posting too frequently, how many times is too frequent? Twice a day, twice a week, twice a month? There are no defined criteria for these parameters and hence they are open to interpretation by the person conducting the screen.

Is cyber vetting necessary?   

With all of the pitfalls, legal and ethical issues surrounding the practice of checking an individual's online presence, the question must be asked, is cyber vetting even necessary? The answer lies in the question why? Why does an employee when to cybervet? Often social media and online information are used for verification, to confirm that information a candidate has mentioned on their resume matches the information available online. This seems to be an acceptable use of cyber vetting. If an organization is utilizing cyber vetting for behavior analysis and determine if a candidate is a cultural fit for their organization, then things start to get murky. There is definitely information about candidates online that employers can use to protect their workforce and identify red flags. The challenge right now is that there are no guidelines and regulations in place. Should employers get consent before cyber vetting potential employees? What information should be analyzed? How much transparency should there be in the process? Do candidates have the right to know if they were rejected based on their online presence? As social media becomes more intertwined with our identities and day-to-day life, we will start to see increased regulation and rules to help protect both employers and employees. Subscribe to whitepapers.online to learn about new industry trends and practices like cyber vetting.

Featured image: Woman photo created by rawpixel.com - www.freepik.com


1. Aug. 2018, "More Than Half of Employers Have Found Content on Social Media That Caused Them NOT to Hire a Candidate", CareerBuilder, [available online] available from: http://press.careerbuilder.com/2018-08-09-More-Than-Half-of-Employers-Have-Found-Content-on-Social-Media-That-Caused-Them-NOT-to-Hire-a-Candidate-According-to-Recent-CareerBuilder-Survey [accessed May 2021]