Privacy advocates say that, for now, it is legal for a prospective employer, during a job interview, to insist that you log into your Facebook page and then click through your “friends only” posts, photos and messages.

The ACLU put a stop to companies demanding that applicants turn over their login and password credentials, but “shoulder surfing,” as it’s been dubbed, is legal for the time being. Aleecia M. McDonald, a privacy researcher and resident Fellow at the Stanford Center for Internet and Society, says high unemployment makes it hard to stamp out this practice. “When you have a job market where there are more job seekers than hirers, you’re going to see things like demanding to see your Facebook wall because if you say no, someone else is waiting for that interview.”

Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, doubts that opening up one’s Facebook page to a potential employer is ever voluntary. “The fact of the matter is, in a tight job market, if you’re looking for a job, you’re going to do anything you can to get that job,” he says. “If you feel most of the other applicants are going to be providing this information, you’re probably not going to be willing to say no.”

(MORE: Now Credit Card Companies Want Your DNA)

Stephens suggests that job seekers delete people and pages they think might be objectionable to a potential employer prior to an interview — in fact, this has become pretty standard career-coaching advice.

“Things employers legally cannot ask are available for them to discover on Facebook,” McDonald says. The problem is that it’s almost impossible for a job-seeker to prove in court that he or she was passed over because of a status like race or religion that’s protected by anti-discrimination laws. “We just have to hope that employers are not being influenced by those factors, but all research shows that these things do influence hiring decisions,” she says.

(MORE: Digital Age: Employers, Colleges Insist on Full Facebook Access)

McDonald says most people assume their online privacy is much more protected than it actually is. “In research I’ve done, what we’ve found is that people actually think there are strong laws that protect their privacy online,” she says. “Those laws they think are there actually don’t exist.”

With Facebook in particular, McDonald says, the fact that you initially needed a college email address to join and could only see people in your network gave users an expectation of privacy. This impacted the types of things users were willing to post, prompting them to be more open than they might have been on a public website. Even after Facebook grew and started dismantling that privacy “wall” brick by brick, the idea remained in the public imagination that a person’s page wasn’t exposed to the outside world.

(VIDEO: They Know What You Do: Data Mining on the Internet)

Stephens says this has turned into such a hot-button issue simply because people now are aware of it. “Many privacy violations are just not as apparent,” he says. “I think these are sort of tangible issues that people can get a grasp on, and they’re seeing their privacy violated in a way that seems unconscionable to them.”