Slashdot Mirror


When Your Company Remote-Wipes Your Personal Phone

Xenographic writes "NPR has a story about someone whose personal iPhone got remotely wiped by their employer. It was actually a mistake, but it was something of a surprise because they didn't believe they had given their employer any kind of access to do that. This may already be very familiar to Microsoft Exchange admins, but the problem was her iPhone's integration with MS Exchange automatically gives the server admin access to do remote wipes. All you have to do is configure the phone to receive email from an MS Exchange server and the server admin can wipe your phone at will. The phone wasn't bricked, even though absolutely all of its data was wiped, because the data could be restored from backup, assuming that someone had remembered to make one. But this also works on other devices like iPads, Blackberry phones, and other smartphones that integrate with MS Exchange. So if you read your work email on your personal phone or tablet, you might want to make sure that you keep backups, just in case."

14 of 446 comments

  1. Re:Hmmmmmm by causality · · Score: 4, Insightful

    Is this meaning that the Mails were deleted on the server?

    No, that wouldn't wipe a phone or raise questions about it being bricked if not for backups. Did you even read the summary?

    This is more like the inverse or the equal-and-opposite of (previous?) MS e-mail clients that would automatically execute code from unknown sources as a "feature". Instead of an MS e-mail client it's an MS e-mail server, and instead of downloading and executing code automatically without asking the user to confirm it wipes the phone automatically without asking the user to confirm.

    The solution is a simple one. If a company requires you to use a phone for business purposes that will be sending/receiving business e-mails and subject to remote wiping by that company, then that company needs to issue phones to their employees that may not be used for non-business purposes. Then there wouldn't be any problems with a company wiping a phone that is actually company property.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  2. The surprise is in the scope by RollingThunder · · Score: 5, Insightful

    I don't think most folks are shocked at the remote wipe capability - they just expected that it would be confined to the Exchange data only, not the MP3s, games, photos, etc.

  3. Re:we have the same policy at work by amicusNYCL · · Score: 5, Insightful

    I don't think most people read it but when you think about the type of proprietary (and often confidential) data your email inbox has, you have to understand why the company does it.

    That's a perfectly acceptable policy for any company that provides smart phones to its employees. I don't know if it's true with your company, but I would consider that an overreach if you want me to connect my personal phone with your network and give you the ability to delete all of my pictures and other personal data solely at your discretion. I'm sure you would understand why the owner would find that objectionable.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. Re:we have the same policy at work by Anonymous Cowpat · · Score: 5, Insightful

    What do you do to protect your employees' interests in not having their own data annihilated by accident?

    Also, are you expecting employees to take work with them, using their own devices; or is the company willing to bear the costs of either providing a device or the work not being done?

    It would seem most unusual to me for an employer to require their employees to provide expensive equipment for company use, and with the agreement that the company may treat it as its own.

    --
    FGD 135
  5. Re:One More Reason... by dasdrewid · · Score: 5, Insightful

    http://en.wiktionary.org/wiki/spick-and-span

    Also, from the Wikipedia article on the product, someone did try boycotting it in 1999 (http://en.wikipedia.org/wiki/Spic_and_Span). I think that's stupid. "Spick and Span" was first recorded in the 16th century. "Spic" has only existed since early 1900s, wasn't documented until 1910, and even then was documented as "spiggoty" as a slur against Italians. I'd say it's pretty safe to say that when "Spic and Span" was created (1933 in Ohio), "spic" being a slur wasn't even on the radar for them.

    I think the situation is similar to the word "niggardly" (http://en.wikipedia.org/wiki/Controversies_about_the_word_%22niggardly%22). People see something that, without any context (context like the spelling of the word or idiom...), could be conceived as racist. People take offense at something because of their own ignorance.

    The problem is, you're not being color-blind. You're seeing color issues where there aren't any. You're trying to get people riled up at racism that isn't even there. You're not helping to stop racism, but you are helping to chill language and communication and encourage ignorance. You have, by trying to be on the right side of something, wound up on the wrong side of everything.

    And there goes my karma...

    --
    No trespassing. Violators will be shot. Survivors will be shot again.
  6. Re:we have the same policy at work by Capt.DrumkenBum · · Score: 3, Insightful

    I have the same thing here. I always inform staff that I can and will wipe their phones. At their request, and that they should inform me at once if they lose or have their phone stolen.
    My personal iPhone is connected to a Gmail account that I forward a copy of all my work email.
    That way I get work email, but it is still my account.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  7. Re:we have the same policy at work by Dynedain · · Score: 3, Insightful

    Then don't connect your personal phone to the company network.

    It's that simple. It's the company's data, not your personal data, and they have measures in place to protect it. If you don't want to abide by those measures, you don't have to.

    At least in the US, if you're required to provide equipment required by your job, and your employer doesn't pay for it, then you can write it off against your personal tax burden. So if you find yourself in that rare situation where work requires you have a smartphone, and won't pay for it, get one separate from your private phone and save on your taxes at the end of the year.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  8. Re:we have the same policy at work by houghi · · Score: 5, Insightful

    I only give my personal phone to selected people in my company. That would be my boss and with the explicit notice that it is a private number and should only be used in case of emergencies.

    If they want me to have a device to connect to their system, they should provide me with one. Just like I expect them to provide a desk and a chair to sit on. Then it is theirs and they can do with it as they please and at the end of employment, they will get it back.

    Their device, their rules. My device, my rules.

    --
    Don't fight for your country, if your country does not fight for you.
  9. Re:we have the same policy at work by IshmaelDS · · Score: 5, Insightful

    That's a massive security breach, one I wouldn't allow on my network. You may want to check your corporate policies and make sure you're still in line or you could be fired.

    --
    letting an idiot know they are an idiot is not a game... it's a responsibility. - by Kristopeit, M. D. (1892582)
  10. Re:we have the same policy at work by fishexe · · Score: 5, Insightful

    It's the company's data, not your personal data, and they have measures in place to protect it.

    No it's not. He was talking about them wiping all your personal data. "Measures in place" to protect company's data that also wipe your personal data are a bit creepy.

    --
    "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  11. Re:we have the same policy at work by fishexe · · Score: 4, Insightful

    It's just like having a personal laptop. Would you bind your personal machine to the company's AD environment, giving them full administrative control? No? Then don't use your personal machine on their network. Use a company-provided machine, or a work-dedicated machine that you can write off on your tax return.

    I use my personal machine at work every day. I connect via standard protocols like ssh and smb, and never give up admin control, nor would I ordinarily do so. If they explicitly asked me to, I would say no, buy me a company machine instead, but if they said, "hey, if you install this software you can connect to our email servers" I don't really think it would occur to me to go check if the ordinary behavior of that software gives them root on my box. That wouldn't even occur to me.

    --
    "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
  12. Re:we have the same policy at work by macshit · · Score: 3, Insightful

    Of course one reason such "massive security breaches" happen is that companies have stupidly draconian policies which make "normal" operation so annoying/dangerous that clueful employees bypass it as a matter of course.

    Yeah, they can threaten "you might be fired!", but threats are very rarely effective unless they coincide with common sense — which policies like "we can wipe whatever we want!" don't.

    I suppose the larger the company, the more likely they are to choose "draconian/bluster" over working with the employees to find an agreeable technical solution...

    --
    We live, as we dream -- alone....
  13. Re:we have the same policy at work by PNutts · · Score: 3, Insightful

    I have the same thing here. I always inform staff that I can and will wipe their phones. At their request, and that they should inform me at once if they lose or have their phone stolen.

    My personal iPhone is connected to a Gmail account that I forward a copy of all my work email.

    That way I get work email, but it is still my account.

    I guess I'll pile on, too...

    Depending on where you live and what you do, HIPAA has some exciting new personal liability built right in at no extra charge! So when that claims processor blasts PHI out to the wrong e-mail list, you, sir, have just transferred and stored it in a manner that will have you in court by yourself. Just you in the "Little Old Lady Victim vs. Evil (your name here)". By this time your employment will be a distant memory and your former company has no obligation to defend you. Depending on the company's policies and compliance they will get dinged, but that is a cost of doing business and a separate process that has nothing to do with your personal liability. Have you planned financially for that scenario?

    /drama

  14. Re:we have the same policy at work by RMH101 · · Score: 4, Insightful

    So if you want remote access to your corporate mail, you do it on a company-supplied device and accept they have full control. If you want the convenience of using your personal phone with their Exchange server, you accept that this includes the remote wipe nuclear option. The company gets to choose the policies for securing its own data, you get to choose if you bring your personal device to the party or not. It only becomes a problem if a company does something dumb like mandates you use personal phones to connect to their Exchange environment and in my experience this pretty much never happens: it's people who go "Oh cool, my iPhone does Exchange!" and connect it to their corporate network for convenience that'll be affected by this.