How far should organizations go to ensure mobile device privacy?
Last year, facing billions in legal fees, JPMorgan Chase launched a bold plan to combat noncompliant and illegal employee behavior.
The Wall Street behemoth implemented technology to monitor and analyze workers' communications and other activity, with the goal of identifying and stopping potentially damaging behavior before it occurs. The data the firm collects includes emails, internet traffic, instant messages, text messages and phone calls, according to its systems monitoring policy.
Such measures may be necessary in highly regulated industries such as finance, where data breaches, insider trading and collusion can have devastating consequences. But the fact is, IT departments across all industries have the ability to monitor and collect employee data. And thanks to the ubiquity of mobile devices and the rise of BYOD, employers have access to more data -- and more personal data -- than ever before.
"Surveillance is easy to contemplate," says Jeffrey Ritter, an attorney and academic researcher who studies digital information and privacy. "The question is, where do we draw the line?"
The ability of IT departments to monitor workers is nothing new. Before the mobile boom, these capabilities were typically limited to company-issued PCs and their emails, browser histories and network traffic. In theory at least, the amount of personal information that employers could glean from these activities was limited.
Today, as more employees use their own smartphones, tablets and wearables for both work and personal tasks, IT potentially has access to significantly more sensitive data. Modern mobile devices have GPS capabilities, fingerprint scanners, facial recognition software, heartrate monitors and other advanced technologies, all of which collect information that users may not want to share with their employers.
Craig Spiezle, Online Trust Alliance
It's usually possible to disable these features, but it's not always practical. People rely heavily on mobile devices and their advanced features to get through their daily lives, frequently switching between business and personal tasks, both during the workday and after hours.
"There's a blurring of the line," says Craig Spiezle, executive director of the Online Trust Alliance, a nonprofit that promotes privacy protections.
Looking at the law
The Fourth Amendment to the U.S. Constitution gives Americans the right to privacy from unreasonable government intrusion. It does not address the issue of privacy regarding non-government entities -- such as employers, websites and internet service providers.
"The U.S. Constitution is only about the people and government, not the people and Google," says Craig Mathias, founder of the Farpoint Group, a mobile technology analysis firm in Ashland, Mass.
The United States' lack of privacy laws leaves many unresolved questions regarding how employers can access and use employees' personal data. JPMorgan Chase's program aims to solve specific business-related problems, but what happens when employers collect and act upon information that isn't directly work-related, such as where workers go on weekends and who they have relationships with?
Europe has laws in place to address these questions and extend citizens' privacy protections. Some nations there have even attempted to codify the separation of work and personal time; in May, the French government took up a bill that would require companies to set hours when employees are not supposed to check their email. There is little political appetite for similar laws in the United States, and not even a high-profile case of inappropriate employee surveillance is likely to change that, Ritter says.
Employers' access to employee information also raises questions around data ownership. If a worker stores family photos on his phone, and he gets a new job, does his employer have the right to wipe the device and delete those photos when he leaves? Does it matter who owns the phone? Most legal disputes regarding these questions don't make it to trial, so there's no clear answer, but employers and employees alike should keep these issues in mind when managing and using mobile devices for work.
IT's heavy hand
Enterprise mobility management (EMM) has evolved to the point where it can help IT avoid many of these privacy issues altogether.
In the early days of enterprise mobility, the only tool at IT's disposal was mobile device management (MDM). Some of MDM's most popular features allow IT to:
- require and enforce the use of passcodes to protect devices from unauthorized access;
- restrict the installation of certain apps to safeguard devices against malware;
- track the physical location of a device;
- wipe a device's data if it is lost or stolen, or if the employee leaves the company.
Many of the privacy concerns around mobile device usage in the workplace -- Can my boss see where I am at all times? Will IT delete my contacts? -- stem directly from the use of MDM.
"Everybody thinks you can see their text messages, read their Safari history, find out where they're going," says Melanie Seekins, chair of the Credentialed Mobile Device Security Professional organization.
Still, it's not uncommon for employers to require MDM on any smartphone or tablet used for work, even if it accesses just one corporate app, such as email.
"A lot of IT departments use a pretty heavy-handed approach," says Matt Kosht, an IT manager at a utility company in Alaska.
More recently, EMM has evolved to include mobile application management (MAM) and mobile content management (MCM), which allow IT to take a lighter touch. These technologies provide granular control over mobile apps and data, so administrators can secure corporate assets and take their hands off personal assets. This approach benefits both users and admins, most of whom don't care about employees' personal text messages and don't want to worry about deleting their family photos, Seekins says.
MAM is available in several forms. Some products place each corporate app in its own secure wrapper, an extra layer of code that lets IT control who can access the app and what they can do with its data. Others place all corporate apps in one container that IT manages and secures.
There's also the concept of dual-persona MAM, which creates a managed work phone and an unmanaged personal phone on the same device. That technology hasn't caught on because users have to constantly switch between their work and personal environments.
"It's not really practical or feasible for the typical employee," Spiezle says. His organization, the Online Trust Alliance, recommends that people who are really concerned use a separate device for work.
Despite the benefits of MAM and MCM, MDM is still the primary tool in use. Those newer approaches require IT departments to have a solid grasp on the apps their employees use, how they use them and where they store data. And that's just not the case in many organizations, Kosht says.
"Putting an MDM agent in place is a lot easier than going through your data and coming up with a classification strategy," he says. "If you don't know what you have, you're going to lock all the doors and do an overkill solution."
Even early adopters of MAM and MCM will struggle with privacy issues, however, without the proper security and acceptable use policies in place. Employers must clearly state what data they will and will not access on users' devices and explain what they can and cannot do with that information.
Sometimes that's not even possible, depending on what software IT uses.
"It's a reassurance policy more than anything," Seekins says. "It gives [employees] that sense of security."
When developing policies, employers should take the opportunity to reexamine the data they access and reconsider its necessity. A good guideline is, don't collect information you don't need, Mathias says.
"Do everything you can to respect your employees and their information," he says.
"There's a lot of education that needs to go on," she says. "And that's where we fall short."
This article originally appeared in the July/August issue of the Modern Mobility e-zine.
Mobile privacy and security are not one and the same
Amid privacy concerns, mobile security top priority
Fine line between mobile privacy, security