
How user privacy policies can quell IT spying fears

If users feel like somebody's watching them, they could be right, but it's probably not IT spying. Companies need user privacy policies to ease employees' minds and protect data.

The amount of privacy employees can expect varies across organizations, which is why all companies with mobile workers need a user privacy policy.

The so-called Snowden effect has some employees looking over their shoulders. Those using their mobile devices for work -- whether company-owned or BYOD -- might assume IT is monitoring their personal activity whether they're on or off the clock. However, users can breathe a sigh of relief because IT spying is not a thing -- at least, not usually.

Yet, in the age of internet spies and hackers, and with bots tracking a user's every move, collecting data for advertising and marketing purposes, it's no wonder employees might be a little paranoid. IT admins often find themselves struggling to balance user privacy with company security or legal requirements.

The terms "security" and "privacy" are often used interchangeably, but each represents a separate and distinct concept. Security refers to the mechanics of maintaining the confidentiality of sensitive information, starting with the physical security of facilities and infrastructure -- including mobile devices -- and continuing with authentication, authorization, encryption of files and network traffic and related management and accounting tasks. Privacy, meanwhile, refers to individuals' rights or expectations to keep their information confidential, shared only with designated individuals or entities. With the rise of the web as we know it today, privacy is virtually nonexistent, and IT spying is a real concern for employees.

However, let's assume user privacy is not dead. And let's start with a key and often-cited regulation, the Fourth Amendment to the U.S. Constitution: "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

That sounds like privacy, right? Not so fast. The Constitution defines the relationship between the people and the national government, and not between the people themselves in any form, including any relationship between an individual and an organization. This applies not only to customers -- so, yes, the user data websites collect is legal, given the user's consent -- but also to employees.

Dispelling the IT spying fear

It's reasonable to assume that, with rare exceptions, an employer is not spying on staff members' mobile phones or monitoring their nonwork-related activity. It's essential, then, to provide users with a formal division between their information and corporate data. There are three ways companies can go about drawing that line.

Legal. Privacy laws vary widely across political jurisdictions around the globe; therefore, it is vital that organizations maintain compliance with the regulations of each locale where they have operations. It's also crucial to avoid making legal mistakes with respect to staff privacy; the penalties can be very severe in terms of sanctions, fines and public relations fallout.

Policy and agreements. It's a good idea, then, with appropriate legal assistance, to establish an organizational privacy policy and appropriate agreements between the organization and the staff, both employees and contractors. The policy should detail what information is collected and what the organization can do with it, in a manner similar to what most web services have today. The agreement can represent acknowledgement and consent by staff subject to the policy, and the wording can be simple enough for inclusion in any master employment agreement -- which should also include policies related to security, acceptable use and BYOD -- already in use.

Management. Finally, operational systems should enforce the user privacy policy. A company's enterprise mobility management service should containerize any information defined as sensitive in the organizational security policy while ignoring any other information on a given device. IT should also never back up or otherwise copy any information that is not in an organizational container, and should never forcibly wipe an entire BYOD device rather than just its corporate container.

Keeping in mind that the legal landscape is still evolving with respect to privacy, employees can reasonably assume that IT isn't conducting mobile spying and that user privacy is well-protected.
