The use of geolocation and geofencing services can have serious employee privacy implications that business leaders and IT professionals should not ignore.
When an organization uses location-based mobile device management (MDM) to track smartphones and tablets, it has access to a wide range of intimate details about their users: the clinics they go to, the churches they belong to, the clubs they join, the stores where they shop. A company can gain insight into a person's sleep habits, politics, health and all sorts of behaviors.
That's not to say an organization is necessarily interested in this information. Most IT types care only that their resources remain safe. But the ability to monitor a device to collect and store location data is its own Pandora's box.
The risks of location-based MDM
Whether owned by the company or by employees, mobile devices are personal extensions of their users -- something they have by their sides day and night. This dependence can cause a dilemma for organizations trying to manage devices and trying to ensure corporate security. Even when the company owns the device, users have an expectation of privacy, and they cringe at the idea of Big Brother IT knowing their every move. If an organization does not tread carefully, it could face serious consequences.
When a company uses mobile geofencing and geolocation services in conjunction with MDM, it tracks the locations of its managed devices in real time and maintains a history of that information. This approach helps IT keep corporate data secure, either by finding lost devices (through geolocation) or by preventing data access from unauthorized locations (through geofencing). But with this kind of data collection, the possibility exists for personal information to be used for other purposes.
For example, someone in management might want to dig into an employee's political leanings or religious affiliations. Or a vindictive employee might access the data to threaten or discredit a co-worker.
If the data falls into criminal hands, users can face even more serious risks. An individual with less-than-honorable intentions can easily deduce when a user will be home, when that home will be empty, along with any number of other personal details.
Privacy laws in flux
Governments and federal agencies are taking notice of how much location data is being collected and how it's being used.
Last year, the Federal Trade Commission's Mobile Privacy Disclosures report encouraged developers to include privacy policies with their apps and obtain user consent before collecting location data and other sensitive information. Earlier this year, the European Union's Article 29 Working Party reiterated that organizations must be explicit about how it plans to use such data. And a bill working its way through the U.S. Congress would prohibit apps from collecting or storing location data without a user's informed consent.
It's difficult to say how the data privacy movement will affect location-based MDM in the enterprise. A company might require workers to consent to tracking in order to use mobile devices to conduct business. But management needs to be very careful about strong-arming their workers, especially if tracking them during off hours.
To date, laws in the U.S. have tended to favor employers, but most laws have not kept up with technology and can vary from state to state. In Europe, privacy laws tend to fall on the side of the employee. Yet laws related to privacy and technology are in flux everywhere, with much of these waters still being tested.
Protecting users and your business
Mobility is still relatively new in the enterprise, and it's made all the more complicated by the rapidly changing nature of technology. Organizations need to protect their resources, and location-based mobile device management can be a powerful tool. On the other hand, employees concerned about their privacy may end up resenting employers and lacking concern for protecting corporate resources -- not to mention the potential legal ramifications.
Whatever an organization does, the key is communication, backed up by clear and accessible policies, plus straightforward procedures for obtaining user consent whenever location data is collected. Above all, organizations must carefully protect and audit that data to ensure users' privacy cannot be compromised.