Go to Archive Menu
archive menu

The Archive

 

 
Click, You're Hired. Or Tracked...
A Report on the Privacy Practices of Monster.com
Copyright © 2001 The Privacy Foundation

By Pam Dixon
Executive Director, The World Privacy Forum
and author of
Job Searching Online for Dummies


 

NOTE from Nick Corcodilos.
I thank Pam Dixon and The Privacy Foundation for their gracious permission to reprint this Report. More important, they deserve our thanks for researching and documenting potential violations of privacy that affect millions of people.  If you don't have time to read this detailed, well-researched Report, you owe it to yourself (and your privacy) to read the Executive Summary. The online career industry has collapsed into a black hole of resumes, controlled by very few players. While there may be nothing illegal here, there is clearly cause for much concern.

The full text of Ms. Dixon's Report, including the Executive Summary and Appendices are printed here. You can learn more about The World Privacy Forum by visiting the web site.

I. Executive Summary

The business of searching for jobs online has grown from a market niche to a multi-billion-dollar, rapidly consolidating industry that relies on the eager search activities — and employment dreams — of millions of job seekers. It has also proven to be the ultimate recession-proof Internet business. As other technology companies flounder, online job search sites remain key resources in the wake of layoffs and uncertain employment prospects.

However, job seekers who post their resumes online face considerable threats to their privacy. Resumes may be stored by online job sites for many years, and may be misused for data mining and even identity theft.

Additionally, corporations that encourage job seekers to send resumes directly to "the corporate website" often fail to tell job seekers that their resumes may also be posted to a third-party resume database for searching by other employers.

Even when no resume has been posted, tracking can occur. Some job sites request personal information from job seekers, such as name, address, age, gender, and work history, then pass that information on to third-party vendors, such as advertisers. Other sites collect information about what city a job seeker is looking for work in and how far up the career ladder that person has climbed; or use advertising networks to create profiles of Web users, including sensitive job search information.

An ongoing analysis by this researcher for the Privacy Foundation has revealed a range of such privacy problems in the online job search industry. This first in a series of reports focuses on the privacy practices of Monster.com, which is owned by TMP Worldwide Inc., a conglomerate that dominates the job search, advertising and placement industry.

TMP, a publicly-traded company (ticker: TMPW), was founded in 1967 and has a market capitalization approaching $5 billion. Based in New York City, TMP is one of the world’s largest advertising organizations and reported revenues of $760.8 million for the six months ended June 30. The company's clients include 90 of the Fortune 100 and 480 of the Fortune 500 companies. On June 1, 2001, TMP itself was added to the S&P 500.

TMP boasts that Monster.com, its flagship property, gives clients access to over 8.6 million unique resumes, a database growing by 25,000 resumes daily. The Website reported more than 26 million unique visitors in July. Monster, based in Maynard, Mass., has a four-year, $100 million deal with AOL (now AOL Time Warner) to be the exclusive provider of job search services to 30 million AOL, CompuServe and other AOL-network associated users.

Meanwhile, TMP/Monster has been rapidly swallowing up competitors. It purchased JobTrak, Simpatix, and Business Technologies — among others — in the year 2000. This year, Monster purchased Management Solutions, a respected placement firm. In May, TMP purchased FlipDog.com, the fifth most trafficked Internet site in online recruiting. As part of the deal, FlipDog owner WhizBang! Labs Inc. is to provide TMP with "additional information extraction services," according to the companies.

The crowning deal occurred in June when HotJobs.com, the second-largest job-search site, agreed to be bought by TMP for $460 million in stock. (The Federal Trade Commission is conducting an anti-trust review of the deal.)

"They probably have more information on people than anyone outside of the federal government," said Bill Vick, president of Recruiters Online Network, referring to TMP/Monster. "They’re smart, they’re savvy, they’ve made the right acquisitions."

TMP/Monster’s dominance in the online job placement industry was confirmed in June when the U.S. Department of Labor entered into a partnership with the company to "help standardize job-hunting on the Internet." According to statements from both parties, the two organizations will "share data" and adopt occupational classification standards, something traditionally done by employment scholars and researchers, not commercial entities with a profit motive. In addition, Monster.com will link to the federal government's own career placement site and cross-list job postings throughout its network.

Given its dominant position in the online job search industry, the privacy practices of TMP/Monster are critical to millions of job seekers who use the company’s services. The present analysis of TMP/Monster is based on the researcher’s seven-year expertise in writing about employment issues; interviews with six former company officials; review of documents; and technical analysis of the tracking features on the Monster.com website. Following are a summary of the findings, which are explained in detail later in the report:

1) To leverage Monster.com’s vast database, company officials have discussed seeking fees from job seekers, as well as selling resume data to marketers.

2) Interviews, as well as details from a copyright lawsuit, indicate that resumes sent to Monster.com — even when deleted at a later date by job seekers — may be saved and parsed for later use.

3) Resumes submitted by job seekers to corporate Websites, such as H&R Block, have been routinely sent to Monster.com without disclosure to job seekers.

4) Monster.com supplies AOL Time Warner, a marketing partner and owner of vast customer databases of its own, with information from job-search activities — including unique resume I.D. numbers from job applicants who post a resume on Monster.com.

5) MonsterTrak, a job site for college students hosted at Monster.com, screens different job opportunities based on where students go to school; and asks students to provide age and gender information without the benefit of a specific privacy policy.

This report does not allege illegalities regarding the privacy practices of TMP/Monster. However, the findings in totality raise critical questions about the company’s business methods and intent, as well as its disclosures to the millions of job seekers who rely on its services.

II. Vendor Response

As is the policy of the Privacy Foundation, these findings were presented to the subject of the report at least 48 hours in advance of publication. In this case, the first contact was made with Monster.com officials on Tuesday, Aug. 28. In addition, officials of the Privacy Foundation and Monster.com discussed the report by phone on Aug. 31 and Sept. 4. On Sept.4, the company provided a final written response to the five statements made in the executive summary above. The company's response is below, along with this link to the Monster.com Privacy Commitment.

Response from Monster.com:

1A) Monster.com has discussed offering additional relevant services (e.g. resume writing) to job seekers in exchange for fees. However, this would never infringe on the privacy of a job seeker. Monster.com does not sell, has never sold, and will never sell personal data to marketers without permission from job seekers.

2A) Resumes that are deleted from the Monster.com database are permanently removed from the system. A job seeker attempting to recover a deleted resume will be unsuccessful. Backup systems, of course, do maintain all records for a period of time in case of system failure. We are not aware of any lawsuits indicating that any deleted resume was saved or parsed for later use.

3A) We host many private label recruiting centers on Monster.com. All resumes submitted by job seekers to a specific company private label website are viewable only by the private label client and the individual job seeker. This resume is not viewable by other companies or the general public on Monster.com.

4A) AOL is provided with the total number of resumes that have been generated on AOL/Monster.com co-branded sites as one part of the business metrics. Unique resume ID numbers identified as coming to Monster.com via the Monster.com/AOL co-branded channel are included within that transmittal; however, this information remains confidential.

[For its part, America Online released this statement on Sept. 4: "America Online does not track or use any personally identifiable information that our users may provide while using Monster.com."]

5A) MonsterTRAK is a new member (June 2001) of the Monster.com network and now abides by Monster.com's privacy policy. Students who register in MonsterTRAK are not required to provide their age or gender. Over 1,200 college career centers utilize MonsterTRAK as their tool to help students find internships and jobs. The business model of MonsterTRAK allows employer customers to post jobs for specific colleges that are part of their college recruiting efforts. In the near future Monster.com will provide a direct link to the Monster.com privacy policy on the MonsterTRAK home page.

III. Searching for Jobs Online: Privacy Need Not Apply

Job seekers have always had to balance privacy versus exposure. On one hand, job seekers must be as public as possible in order to attract interviews and land a job. Yet, many job seekers prefer to keep their search activities from current employers; and to keep detailed work histories, salary information and other sensitive data from third parties.

In the mid-1990s, most online job sites were owned and run by professional recruiters, college career counselors, and other employment industry professionals seeking to innovate Job search sites with 25,000 visitors in a month were considered to be doing very well.

As the Internet and e-commerce boomed throughout the decade, the online job search industry grew with it. Websites were no longer simply a way to help job seekers and employers connect, but became a lucrative business opportunity. A rapid infusion of venture capital and initial public offerings transformed the job search industry. Heavy advertising, including TV spots during the 1999 Super Bowl, drove millions of people to online job search sites. Online job searching became embedded in employment and recruiting practices.

A turning point in the online job search industry came in 1999 when the Online Career Center — an influential early online job site founded in 1993 — merged with TMP's Monster Board, founded in 1994. The combined sites became Monster.com, which immediately took over the leadership position in the online job search space.

The number of human resources professionals that advertise online, and job seekers who search those ads, grows every year. According to a Society of Human Resource Managers (SHRM) survey in January 2001 on job search tactics, 96 percent of respondents used the Internet to look at job ads. Meanwhile, human resource managers relied on the Internet 88 percent of the time to find job candidates.

The ability of online job sites to capture, sort and store a wide variety of data on job seekers is part of their utility for employers. But it simultaneously raises pointed privacy questions for job seekers.

All of the major job search sites track job seekers to varying degrees, according to research and software code analysis conducted as a part of this report. Some sites track for their own marketing and sales purposes; others are partners with third-party Internet advertisers such as DoubleClick. Some say that the tracking of consumers is fine as long as the data is "in aggregate." Yet, this so-called aggregate data on job-search sites can be correlated with resumes with very little effort.

In addition, the online job-search industry is afflicted with the problem of marketing companies gaining illicit access to the resume database. Resumes that are stored in proprietary online databases may be accessed by people other than employers, including marketers or identity thieves. This is what Monster itself discloses about that issue:

Resumes

Since Monster.com is a career site, we give you the option of putting your resume in our database. There are two ways of doing this:

1. You can store your resume in our database, but not allow it to be searchable by potential employers. Not allowing your resume to be searchable means that you can use it to apply for a job online, but employers and recruiters will not have access to search it through our resume database product.

2. If you allow your resume to be searchable, then all employers and recruiters who pay for access to our resume database product will have access to your resume. We use our best efforts to grant access to this database only to paying employers, recruiters, hiring managers, headhunters, and human resource professionals, but cannot guarantee that other parties will not, without our consent, gain access to this database. You may remove your resume from our searchable database at any time. However, employers and recruiters who have paid for access to the database, and other parties who have otherwise gained access to the database, may have retained a copy of your resume in their own files or databases. We are not responsible for the retention, use, or privacy of resumes in these instances, or for the use or privacy of resumes by any of such parties while resumes are in the database.

IV. How Monster.com Works

Job seekers using Monster.com for the first time can look for jobs without posting a resume. Some jobs postings offer the option of applying by e-mail or other direct company contact. Some do not. But in each case, job seekers are always given the option to "apply online" through Monster.

To apply online, cookies must be enabled in the user’s computer browser. After "Apply Online" has been selected, job seekers are directed to create a "My Monster" account. Creating the account requires first and last name, country, zip code, e-mail address, user name and password. A career level designation is also required, such as executive, student, etc.

After this personal information is given, an account is created, and job seekers may apply online through Monster. They may also create and store up to five resumes using the Monster resume builder, which requires that job seekers type resume information into detailed forms page by page. Resumes may be activated (that is, seen by employers) or deactivated (not seen by employers) through the My Monster account. Another option is for job seekers to suppress the contact information in the resume, such as name, address, and phone number. This is called the "confidential" option.

In its privacy policy, Monster notes that the information you give to the site can be used for further contact, but that you can opt out of that contact if desired.

The policy further states: "Monster.com allows you to change or correct your personal information at any time. To do so, simply log into your My Monster account, go to your account profile, and you will find options for editing the information you have submitted."

From the My Monster area, Monster also gives job seekers the option to view, edit, delete, duplicate, activate, renew, or deactivate resumes. Resumes are deactivated (removed from view) automatically one year from post date.

As stated earlier, Monster.com claims to give its clients access to over 8.6 million unique resumes, a database growing by 25,000 resumes daily. Employers and recruiters pay to post jobs on Monster.com, and to access the resume database through a variety of search criteria.

V. TMP/Monster.com Business Strategy and Privacy Practices

In October 2000, a Monster.com memo from Hans Gieskes, then the president of Monster.com, was circulated to all of the company’s employees, according to several former employees who received the memo. One of the bullet points stated that Monster.com’s top goals for the year 2001 included finding a way to increase international exposure. (The company has aggressively pursued that goal. Monster’s acquisition of Jobline increased Monster's total number of European sites to 14; its international sites to 21; as well as introducing five European countries to its services: Sweden, Norway, Denmark, Switzerland and Finland.)

Another bullet point in the same memo stated that a top goal was to find a way to charge the job seeker money.

This would launch a radical change in the job-search industry. With few exceptions, most "offline" job search companies charge the employer, not the job seeker. This is also currently true of Monster.com and most other job search sites. Given Monster.com’s dominance in the industry, charging job seekers would be a lucrative business opportunity — but a potential hardship for those seeking employment.

[In its response on Sept. 4, Monster.com said that the company would only consider charging job seekers for "value-added" services going forward, such as resume writing.]

Former executives and employees at Monster.com interviewed for this report say furthermore that TMP and Monster.com executives have been highly focused on "monetizing the job seeker," that is, seeking to mine the value of resume data by potentially selling it to marketing firms.

A former high-ranking Monster.com executive (who has requested anonymity for fear of reprisals) recalls that discussions about selling job seekers’ resume data took place at a meeting held in the fall of 1997 in New York City at the TMP Headquarters. The meeting was attended by Jeffrey C. Taylor, the CEO of TMP and Monster.com.

"Taylor was always saying that the most valuable personal data was contained in the resume database, and that we could cash that in," says the source, who attended the meeting. "There is not any question that there were people within TMP who knew of the discussions and knew of what was going on. There was some internal concern within TMP of the legality of selling resume data."

Another former Monster executive (who also requested anonymity) cited similar discussions about Monster.com’s intentions. "The resumes are for future use — I’ve heard that said," according to the source. "Around the Maynard (Mass.) office it was brought up that the value of the resume database was to sell the information in the future."

Even if Monster had sold resume data, or intends to do so in the future, the legality of that appears unclear, according to legal experts. "There are privacy laws in most states, and they go against unreasonable invasion of privacy," said Jerry Cohen, a partner and chair of the Boston law firm Perkins, Smith & Cohen, LLP Science & Technology Group. "But when a person goes onto a job board listing, they waive privacy because they want their resume circulated for employment purposes."

Cohen’s views are echoed by several attorneys specializing in employment law. The privacy of resume databases is a gray area, at best. To date, no significant lawsuits have been brought against the search sites for such alleged privacy violations.

A separate issue regards the length of time that resumes are kept in Monster.com databases. Several sources allege that some recruiters are occasionally given access to old, inactive resumes that job seekers have requested be removed from the database. "Anything that Monster gets in, Monster keeps," says a former Monster.com executive.

If true, this is a problem for job seekers. A job seeker who posts a resume to a resume database and then asks for the resume to be deleted or inactivated rightly expects to have that resume permanently removed from use and destroyed.

According to Monster.com’s privacy policy:

…You may remove your resume from our searchable database at any time... .

VI. Acquiring the Technology of Datamining at Monster.com

Arity Corp., based in Concord, Mass., produces linguistic and knowledge representation software for companies such as FedEx and Monster.com. The company filed a copyright infringement suit against TMP Worldwide and Monster.com on April 5, 2000, in U.S. District Court of Massachusetts. It led to a temporary restraining order against Monster.com from using Arity’s proprietary "Resume to XML Parser Software."

In the complaint, Arity alleged that Monster.com had requested Arity to build software that could take a resume and convert it into an XML (machine readable) document. This would allow the resume information to be parsed and used in many different ways. (According to Monster employees interviewed for this report, the Arity software was used to convert many years’ worth of old resumes to a format that would allow the resumes to be transferred to new databases.)

In the court documents, Arity claimed that Monster.com had not paid for the technology, but was still using it actively as of about October 1999. The case was settled by TMP/Monster in Arity’s favor, though the sum of the settlement was not disclosed in court documents. Peter Gabel, the president and co-founder of Arity, declined to discuss details of the case when contacted by this researcher. Gabel did, however, confirm the initial event that sparked the lawsuit.

"In the fall of 1999 we got a phone call from a Monster.com engineer requesting support," said Gabel. "He was trying to use our proprietary software to parse 800,000 old resumes."

An April 1998 contract between Arity and TMP/Monster that was included in the lawsuit sheds light on TMP/Monster practices. On page 16 of the "Custom Database Management System Development Agreement," TMP/Monster requested that Arity build resume collection tools that would go out on the Web and collect resumes posted on various Websites, including resumes posted on Websites put up by individuals. The technology was to collect the resumes and put them in the Monster database. The agreement reads, in part…

"Arity will design "Webbots" that gather resumes from the Web. The Webbots will be written in Java. The essential idea is to have some Webbots that generate resume "suspects" which are URLs to pages that probably contain resumes. There are several sources of such suspects including focused querying of search engines using keywords that narrowly search for resumes, wandering through personal pages, and mining new groups and resume sites.

"The main webbot will retrieve pages from URLs that are suspected to be resumes and perform simple tests to verify whether the page is indeed a resume, contains another suspected link to a resume, or is a dry hole. The pages that are found to be resumes will be stored along with the URL, the path of the URLs that were used to find it, some indication of its limitation of use if any (ie possible copyright or trade limitations), and timestamp."

Many job seekers who have posted resumes on personal home pages would presumably resist the idea of having their resumes put into the Monster.com resume database without their consent.

VII. Feeding Monster from "Private Label" Corporate Websites

Job seekers who post a resume online can find themselves losing control of their information — and sometimes pay the price by losing their jobs. Fortune magazine, back in May 1999, reported on employers who have fired — or in some cases, try to "salvage" — employees whose resumes were posted on sites such as Monster.com.

Because of these and similar press reports, some job seekers now avoid posting resumes in third-party databases. Yet, job seekers have another peril to consider, according to new information discovered in preparing this report. Posting a resume privately at some corporate Web sites may actually get your resume into the Monster.com resume database — without your knowledge.

For example, a job seeker who posts a resume at Adecco International’s corporate Web site [www.adecco.com] is also posting the resume to Monster.com and creating a Monster.com profile. The profile is then available at Adecco.com, Monster.com, and all other private label sites. This is done without disclosure on the Adecco or Monster.com site.

Former employees of Monster.com confirmed in separate interviews that corporations that have a "corporate affiliate" relationship with Monster.com — internally called "private labels" of Monster.com — transfer job seeker resumes and profiles to Monster.com without disclosing this. Technical analysis of a selection of independent corporate sites backed up the claims of these employees.

A private label company is one that has paid Monster.com to manage its corporate resume posting process. This is a common business arrangement. For example, The Wall Street Journal’s CareerJournal site is "powered by" CareerCast, which means that CareerCast does the job search data work. This relationship is posted clearly on the site and is discussed in the privacy policy at the site.

The relationship is not so clear with Monster, whose private label partners include Sony Electronics; Travelers Property Casualty and Travelers Life and Annuity; Snelling Personnel Services; Blockbuster; H&R Block; Adecco; and Tyco, among others. The connection to Monster.com is almost never disclosed by these companies on their websites, and URLs used by Monster affiliates do not reveal the relationship.

The URL that Monster uses for affiliate sites is "newjobs.com," with variations depending on company name. (Newjobs.com is registered to TMP Interactive in Maynard, Mass., according to the Network Solutions Whois database.) Each job seeker posting a resume to corporate sites with a "newjobs" URL is in fact also sending their resume and profile information to Monster.com. If the job seeker then goes to Monster.com at a later date, he or she will find a profile located on Monster.com using whatever password was used at the corporate site.

Technical analysis of affiliate sites reveals that after a job seeker’s resume information is obtained through a Monster.com private label site, a unique I.D. number is given to the resume. Detailed personal information is stored in a cookie that is then available to Monster.com, and possibly, to TMP and its related job recruitment businesses.

Additionally, sources said that a private label company has to pay an extra fee to keep the resumes truly private. Otherwise, resumes sent to a corporate Web site with an undisclosed affiliation to Monster.com may be made available to other employers or recruiters on Monster.com if the job seeker clicks on a link on the corporate site that is typically titled "Activate this resume." Without access to the Monster.com database it is not possible to confirm these claims.

However, technical analysis appears to confirm the initial transfer of resume data from the private-label sites to Monster.com. Here is an example:

On the H&R Block Web site, a job seeker is presented with the following text about what H&R Block says about applying for a job via its corporate Web site:

Career Management Account

Click here to create an account. We encourage you to create an account to simplify your communication with us and allow us to match your skills with future opportunities within our company. Your information will remain confidential.

If you already have an account, please login.

Nowhere is Monster.com mentioned, alluded to, or even seen in the URL, cookies, or anywhere else. The privacy policy from the job search page was unavailable during the times the site was visited. The following page was listed as the policy, but did not come up: http://hrblock.newjobs.com/universal/privacy_policy.html.

The H&R Block general privacy policy did not contain any reference to its job search or career area, or to Monster.com, and does not disclose that information (including a user profile) sent to the H&R Block Web site may also go to Monster.com servers.

As an illustration, this researcher [using a pseudonym] looked for a job in public relations at H&R Block, and clicked to apply for it online on Aug. 27. A request to create a profile came on screen. The name Penny Brigande was used to create the profile, with an e-mail address of pbrigande@ireland.com. After logging off H&R Block, then visiting the Monster.com site immediately afterward, this researcher was able to find a My Monster profile for pbrigande@ireland.com and "her" resume on file at Monster.com. Logging on to Blockbuster.com and Adecco.com revealed that the Penny Brigande resume and profile was available at those corporate sites, too.

When contacted on Aug. 27, H&R Block confirmed that it did have a private label relationship in place with Monster.com, and referred this researcher to its legal counsel. H&R Block did not confirm or deny details of this research, but did say that it would be terminating its private label arrangement with Monster.com "by the end of the week." A company official said that H&R Block had planned to terminate the arrangement with Monster.com, and that the timing of this inquiry was not related to its decision.

When contacted regarding its private label relationship with Monster.com, a spokesperson for Blockbuster confirmed the private-label relationship with Monster.com. Regarding the issue of job seekers applying for jobs at Blockbuster while unknowingly creating an active MyMonster profile, the company spokeperson said: "The issue is something that had only been recently discovered and we are going to work with Monster to resolve this issue." Later in the day, the spokesperson said, "We don't believe we are obligated to disclose that we're using a third party vendor on our site since the information is confidential and is only sent to Monster.com as part of our agreement with them."

The spokesperson went on to say that Blockbuster believes such third-party relationships are "common," and that Monster "works for them" and is not allowed to use any of the information. The spokesperson also said that a person would need to "actively choose" to allow the resume to be sent to other employers.

Non-disclosure of agency or outsourcing relationships poses a significant problem for job seekers who go to corporate Web sites and apply for jobs. If the corporation has a private label arrangement with Monster, the resume shows up at Monster.com, along with the user profile. The cookies deposited on the job seeker's hard drive are available to Monster.com, and according to interviews with ex-employees, all of the private label resumes and MyMonster profiles are kept and stored.

The risk is that the so-called private resumes may not be so private after all. At a minimum, job seekers deserve disclosure of what is happening to the personal information they provide online. Corporate sites should disclose these relationships clearly and up front before a job seeker applies for a job or creates a profile.

Additionally, Monster.com claims 14 million-plus job seekers have filled out member profiles. What number have come from corporate affiliate sites, created unbeknownst to job seekers? Monster.com should clarify this number in its press reports to note which profiles are coming from which sites.

A detailed technical analysis is available in Appendix A.

VIII. Monster’s Relationship with AOL Time Warner

In December, 1999, TMP Worldwide entered into an exclusive, four-year partnership with AOL in which it would pay $100 million to the world's largest online subscription service. According to statements by AOL at the time, Monster.com would become AOL’s exclusive career-search provider across AOL, AOL Canada, AOL.com, CompuServe, ICQ, Netscape Netcenter, and Digital City.

"The two companies will create co-branded sites, enabling members and visitors to AOL's Web-based properties to: search for jobs; utilize job search agents, and, in many cases, apply online; submit resumes online; personalize the area to help with their job search; and research companies offering jobs. Monster.com also will make available exclusive offerings to AOL users, such as job fairs and live chats with career consultants," touted a press release.

After the deal was inked, there was one small hitch. Digital City, due to a prior arrangement with HotJobs, still carried HotJobs ads along with Monster.com ads, but that was the only area that the relationship was not exclusive.

According to ex-employees of Monster.com, to facilitate Monster.com’s relationship with AOL, Monster.com sends AOL a copy of its job database every night. AOL in turn "mirrors" or presents its users with a copy of the Monster job database.

What this means to job seekers at AOL.com and other AOL properties is simply that they can search Monster.com jobs without leaving the AOL site. According to sources, AOL is responsible for the ultimate management of the Monster.com database on AOL properties.

While press releases indicated the benefits of partnering with AOL, technical research conducted for this report indicates that there may be a downside, too. Namely, if you are looking for a job on Monster.com, information from your job search activities may be sent to AOL whether you are a member of AOL or not. The information may also be sent to AOL whether you are on one of AOL’s properties — like AOL.com — or not.

For example, if you post a resume on Monster.com, you are given a unique resume I.D. number. Even if you are not a member of AOL, and not on any AOL property at the time, and have not posted the resume to AOL, Monster.com sends AOL that resume number.

For job seekers on AOL-related sites, there are technical reasons why AOL needs to have this information. But for everyone else on the Web, the reason that detailed job search information is given to AOL is unknown. Former employees of Monster.com familiar with the deal allege that AOL required that Monster.com allow it to track any Monster.com visitor as part of the overall business arrangement.

The way Monster.com passes job seekers’ information from non-AOL properties to AOL is through discreet banner advertisements on sensitive areas of the Monster.com site, such as job search and resume posting areas. Even if a job seeker just clicks to look at jobs, various job search data is still sent to AOL servers, because banner ads can and do collect user information through the use of cookies and web bugs.

If a job seeker then posts a resume or creates a profile at Monster.com, they are given a unique resume ID number which is then passed on to AOL servers, even if Monster.com was not accessed via AOL Internet services or via AOL properties at any time.

According to detailed technical analysis of the site using a packet sniffer, Monster.com delivers the following information about its site users to AOL:

  • What city a job seeker is looking for a job in
  • What keywords a job seeker uses to look for a job
  • A unique resume ID number tied to each job seeker
  • The exact jobs a job seeker has looked at via unique job ID numbers

This information sharing is problematic for job seekers who desire to remain completely anonymous to AOL and its parent company, AOL Time Warner. Job seekers who post resumes may understand the tension between needing to be seen and needing to be private, and as such are willing to let go of some privacy to be tracked by a job site.

But almost no job seeker would want a third party, such as AOL, to be given their information without full disclosure. That AOL is getting job seeker information through banner advertisement tracking is sneaky at best, considering that Monster.com’s privacy policy is not terribly clear on these points.

Additionally, with these two pieces of information — the job ID number and the unique resume ID number — it is technically possible, given even a small accidental data spill, for a third party to correlate job seekers’ resume information to the ID numbers.

Again, it bears repeating that ID numbers are attached to all site visitors who post resumes, even if Monster.com is accessed outside of AOL. That means that job seekers are telling AOL what jobs they are looking at, when, and if they have applied for the jobs.

Below is an excerpt from a packet sniffer log showing what the job search data looks like as it goes to Monster.com. The log also shows how Monster.com correlates personal information and tracking data. It is unknown if this correlating data is given at any point to AOL either through the servers, or elsewhere offline. Note that it is normal for a job site to correlate ID numbers with other information. What is unusual is to pass these numbers to third parties such as AOL.

This example below is of Monster’s correlation of job ID numbers, job search information, name, and password. The information in this example is going to Monster.com servers.

14129236
P _ ±1 0{P ? __ HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 21 Jun 2001 13:31:12 GMT
Location: /login.asp?NoAuto=1&user=
bethhurley&Password= bethbeth&submit=1&redirect=%2Fapply%2Easp%3Fjobid %3D11752048%26redirect%3Dhttp%253A%252F %252Fjobsearch%252Emonster%252Ecom%252Fjobsearch %252Easp%253Fcy%253DUS%2526brd%253D1%2526lid %253D615%2526fn%253D1%2526q%253Daccounting
Content-Length: 388
Content-Type: text/html
Set-Cookie: rem1=MonKey=822690325228&RemUser= 17291948; expires=Fri, 21-Jun-2002 13:31:12 GMT; domain= .monster.com; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/login.asp?NoAuto=1&user=
bethhurley&Password= bethbeth&submit=1&redirect=%2Fapply%2Easp% 3Fjobid%3D11752048%26redirect%3Dhttp%253A%252F%252Fjobsearch %252Emonster%252Ecom%252Fjobsearch%252Easp%253Fcy %253DUS%2526brd%253D1%2526lid%253D615%2526fn %253D1%2526q%253Daccounting">here</a>.</body>

The user name of the job seeker in this case, "bethhurley" is highlighted in yellow. The job ID number is highlighted in green, and information about city, state, and keywords used in the job search shows up in pink. The user number shows up in blue. (Further technical analysis is available in Appendix B.)

A cookie that Monster deposited to the computer’s hard drive echoed this information:

rem1
MonKey=822690325228&RemUser=
17291948
monster.com/
0
3905785856
29497639
391427360
29424215
*
17291948
MonKey=3745570186096&LastLogin=6%2F21%2F2001 +8%3A47%3A49+AM
monster.com/
0
3961133568
29424417
2036292768
29424217
*

Many users accept these types of cookies, which are meant to allow site visitors the ease of visiting the site without having to log in every time. This cookie remembers the user number, highlighted in blue, and provides visit information such as time and date of the last Monster.com visit. Monster also uses these cookies to track users in a very detailed way as they search for jobs. Monster correlates the unique user ID, which is connected with the resume, across job searches, job applications, and resume postings.

In terms of resume postings, a packet sniffer log of one of the resume page transactions reveals that each resume is given a unique resume ID number, which is then shared with AOL. Sources within Monster.com revealed in interviews that resumes are indeed given unique ID numbers. Here is the technical proof:

GET /html/7014704/monster?target=_top&height=60&width=468 HTTP/1.1

Accept: */*

Referer: http://my.monster.com/userprofile.asp?
resumeid=14129236&
viewresume=&original=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: ads.web.aol.com
Connection: Keep-Alive

In this situation, AOL ad servers (See the Host line, in blue) are being sent the resume ID number, which is highlighted in yellow above. They do not appear to have the name of the person, but they do have the resume ID number that ties the resume directly to one unique person, to their resume or resumes, and to the Monster profile which contains their detailed personal information.

It is not clear why AOL servers need the resume ID number of a person applying for a job on Monster.com who is not on any AOL property. Monster.com says it has more than 8.6 million resumes in its database, a significant amount of user data.

Monster.com does not specifically mention that it serves AOL Time Warner banner ads on its site. Monster.com also apparently omits mentioning that resume ID numbers are sent to AOL servers. If Monster.com shares resumes with AOL, the privacy policy also omits mentioning that. Job seekers not accessing Monster.com via AOL properties should be told that certain details of their job searching activities are being sent to AOL.

Here are the relevant portions of the Monster.com privacy policy in regards to its information collection practices:

Information About All Monster.com Visitors In general, we gather information about all of our users collectively, such as what areas users visit most frequently and what services users access the most. We only use such data anonymously and in the aggregate. This information helps us determine what is most beneficial for our users, and how we can continually create a better overall experience for you. We may share this information with our partners, but only in the aggregate, so that they too may understand how Monster.com visitors use our site, so they may create a better overall experience for you, as well.

The paragraph above is accurate, but could disclose more specific information about job searching data that is shared. For example, it would be helpful for job seekers if this privacy policy mentioned that the keywords used to search for jobs, the city, state, and specific jobs looked at are all shared with third parties. As long as a person has not registered with My Monster or submitted a resume, it is likely that the information would remain in the aggregate. But Monster should disclose the specific information it collects from job seekers.

It should be noted that in the past, job seekers did not have to share this information, not even "in aggregate" in order to simply look for a job. This is another case where privacies that exist in a traditional job search may not apply to an online job search.

IX. MonsterTrak Privacy Issues

If you are a student looking for jobs through Monster.com’s MonsterTrak service, you may very well see different job opportunities based on where you go to school. Additionally, to apply online, you will be asked to provide age and gender information without the benefit of a specific privacy policy.

MonsterTrak is a unique college-level job service that serves more than a thousand universities such as UCLA, Fordham University, and the University of Michigan. MonsterTrak is fully integrated into the main Monster.com site, and does not have any significant competitors.

Students attending one of the member colleges and universities can log on to the site by typing in a password. The password is unique to the college or university, and is required in most cases. In some instances, though, a student using a school computer can simply log onto the site without a password.

What MonsterTrak does not reveal is that different jobs are served up to students depending on what colleges they attend. This is done according to passwords that match the colleges. An analysis of MonsterTrak results for two Ivy League schools located 200 miles apart, Brown and Princeton, indicate that some differences of job opportunities appear to be based primarily on geography.

However, geographical differences do not appear to explain other variations. On August 28, this researcher accessed MonsterTrak with permission of two colleges based in San Diego: the University of California (UCSD) and Point Loma Nazarene University. Both institutions are accredited universities, with Point Loma Nazarene being the smaller school.

On the MonsterTrak database, this researcher downloaded job opportunities in various industries at both universities within a 30-minute period on August 28. Because both universities offered majors in business and marketing-related areas, this analysis compared marketing, public relations, and advertising jobs presented to students.

For UCSD students, those looking for marketing, PR, and advertising jobs had 34 opportunities. Of the 34 job ads offered to UCSD students via MonsterTrak, 19 jobs were not offered to Point Loma students and 15 of the job ads were offered to students at both schools. Four jobs on the Point Loma site were not offered to UCSD students. The Point Loma students had 19 total opportunities to look at.

Considering that both of these schools are located geographically in San Diego, the differences in job advertisements for students looking in the same field with the same search parameters was puzzling. While L’Oreal, based in New York City, advertised to students in both schools for marketing managers, the City of San Diego offered an advertisement for a "Corporate Partnership Intern" only to UCSD students. The internship was to be carried out in San Diego. Also, Nielsen Media Research offered a bilingual interviewer/recruiter position only to UCSD students. On the other hand, a job in merchandising at the San Francisco Opera was offered just to Point Loma students in this section of MonsterTrak.

Whatever the reason for the differences, students using MonsterTrak deserve to know up front that they are seeing different job opportunities based on where they go to school. (Students interviewed for this report have found a way around this system: they exchange passwords so that they, and friends at other colleges, can gain access to the widest number of job listings.)

A separate issue is the lack of a specific privacy policy on MonsterTrak, even on pages inside the password-protected areas of the site. This, even though the site asks for personal information such as name, address, phone number, major, college, grade point average, as well as gender and race descriptions.

While MonsterTrak states that race and gender information is not given to employers, no promises are made about who else or what other entities may have access to that highly sensitive information. These two paragraphs appear in the section asking for demographic information:

"Your registration/user profile is not accessible by employers. Please fill out the form completely. If you do not have information for a specific field, please leave it blank. Mandatory fields are marked in red with an asterisk (*).

"NOTE: Gender and ethnicity data is used by Career Centers for aggregate reporting purposes only. This information will not be viewed or searched by employers."

There is a choice available for "do not wish to provide" on the gender and race questions. Nevertheless, the question remains whether this kind of sensitive data should be collected from students. While having the data in aggregate may be helpful to some employers, the risk of data spills in this situation may not be worth the benefit created by asking the questions in the first place.

X. Conclusion and Recommendations

The online job search industry, and TMP/Monster in particular, have helped tens of thousands of people to find employment. However, if job seekers and the personal information they provide becomes a commodity without adequate privacy protections, online sites may lose job seeker trust and a valuable tool will be tarnished.

The following recommendations would be good first steps toward alleviating some of the concerns regarding Monster.com and TMP Worldwide:

  • As part of the FTC review of the Monster.com acquisition of HotJobs, the company should be asked about intentions to sell resume data now or in the future.
  • In TMP/Monster acquisitions involving the transfer of resume databases, the company should seek permission of individuals who have previously posted resumes before any resume is added or transferred to TMP/Monster databases or used in any way by TMP/Monster.
  • When a job seeker deletes a resume, the resume should be removed from all online and offline servers and databases, with no backup logs kept of the resume that could be parsed or used later.
  • Monster.com should require private label corporate sites to fully disclose the use of Monster.com as an agent; and give job seekers the choice to opt in or out of having their resume data stored on Monster.com servers.
  • Unique resume ID numbers should not be passed to AOL Time Warner unless a person is at an AOL property. In addition, AOL Time Warner banner ads that have tracking features should be removed from all sensitive areas of the Monster.com site, including the profile creation, resume creation and resume posting areas.
  • A thorough privacy policy should be posted at MonsterTrak. In addition, age and gender information should not be collected. MonsterTrak should disclose that different campuses receive different job postings.

Appendix A
Appendix B

Please tell us what you think of this article.


Pam Dixon, Executive Director of The World Privacy Forum, is also a Research Fellow at The Privacy Foundation. Pam is an award-winning author, journalist, and speaker recognized for her contributions in the area of technology as it affects the arts, education, business, and the workplace. Her book, Job Searching Online for Dummies, earned top reviews and was cited by the Los Angeles Times as the top “Job Search Book of the Year.“ Based in California, Dixon is the New Media columnist for the San Diego Union-Tribune. Her website is www.pamdixon.com.


To learn more about privacy on the Internet, please visit The World Privacy Forum. For more about online job hunting, see Job-Netting and Internet Job Boards: Hello, anybody home?

 

The contents of this site are Copyright (c) 1995-2013 North Bridge Group, Inc.
All rights reserved. This material is for personal use only. Republication and redissemination, including posting to news groups, is expressly prohibited without prior written consent. Ask The Headhunter, Fearless Job Hunting, the ATH logo and other ATH titles are trademarks or registered trademarks of North Bridge Group, Inc. and Nick A. Corcodilos.

User agreement, legal information and disclaimer.

Visit the Ask The Headhunter Blog and sign up for your free subscription to the weekly Ask The Headhunter Newslettter.

We welcome comments and
suggestions. Please email to
Ask The Headhunter.