The so-called Snowden effect has some employees looking over their shoulders. Those using their mobile devices for work -- whether company-owned or BYOD -- might assume IT is monitoring their personal activity whether they're on or off the clock. However, users can breathe a sigh of relief because IT spying is not a thing -- at least, not usually.
Yet, in the age of internet spies and hackers, and with bots tracking a user's every move, collecting data for advertising and marketing purposes, it's no wonder employees might be a little paranoid. IT admins often find themselves struggling to balance user privacy with company security or legal requirements.
The terms "security" and "privacy" are often used interchangeably, but each represents a separate and distinct concept. Security refers to the mechanics of maintaining the confidentiality of sensitive information, starting with the physical security of facilities and infrastructure -- including mobile devices -- and continuing with authentication, authorization, encryption of files and network traffic and related management and accounting tasks. Privacy, meanwhile, refers to individuals' rights or expectations to keep their information confidential, shared only with designated individuals or entities. With the rise of the web as we know it today, privacy is virtually nonexistent, and IT spying is a real concern for employees.
However, let's assume user privacy is not dead. And let's start with a key and often-cited regulation, the Fourth Amendment to the U.S. Constitution: "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
That sounds like privacy, right? Not so fast. The Constitution defines the relationship between the people and the national government, and not between the people themselves in any form, including any relationship between an individual and an organization. This applies not only to customers -- so, yes, the user data websites collect is legal, given the user's consent -- but also to employees.
Dispelling the IT spying fear
It's reasonable to assume that an employer is not spying on mobile phones or monitoring the nonwork-related activity of its staff, with rare exceptions. It's essential, then, to provide users with a formal division between their information and corporate data. There are three ways companies can go about drawing that line.
Legal. Privacy laws vary widely among political jurisdictions across the globe; therefore, it is vital that organizations maintain compliance with the regulations in each locale where they have operations. It's also crucial to avoid making legal mistakes with respect to staff privacy; the penalties can be very severe in terms of sanctions, fines and public relations fallout.
Keeping in mind that the legal landscape is still evolving with respect to privacy, employees can reasonably assume that IT isn't conducting mobile spying and that user privacy is well-protected.