Slashdot Mirror


Employee-Owned Devices Muddy Data Privacy Rights

snydeq writes "As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"

9 of 165 comments

  1. Who profits by muddied waters? by vlm · Score: 4, Interesting

    Who profits by muddied waters? Wasn't this all figured out decades ago when employees got home telephones and occasionally talked business on them?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Who profits by muddied waters? by vlm · Score: 5, Interesting

      Back then you couldn't just connect a phone to another device and retrieve and make public everything that was transmitted on it.

      Sure you could. Darn near 30 years ago my father had a terminal at home hooked up to a printer. And 40 years ago my grandfather had a reel to reel tape recorder hooked up to the phone (business purposes, something about dictation services and the then new concept of documenting conference calls with engineering consultants). This is old old old old case law. So I ask again, who profits by dredging this up and muddying the waters with a fake sheen of newness?

      See the thing about IT/CS, is there's never really anything new, it's just all recycled over and over, everything, and the noobs always think they as the youth of America are the ones who invented it. There is some old saying about every generation of teenagers think they're the first generation to invent 1) rebellion and 2) music and 3) sex and everyone old enough to see the pattern just laughs.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  2. UK Information Commissioner Office issues guidance by Rob the Roadie · Score: 4, Interesting

    ICO issues guidance about private emails, reminding the public sector that the Freedom of Information Act covers private emails if they are used for business matters.

    Christopher Graham, the information commissioner, said: "It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to freedom of information law if it relates to official business."

    Not really a device thing... but related nonetheless.

  3. where's the muddiness? by Cederic · Score: 4, Interesting

    Life is pretty fucking simple:
    - the company's data belongs to the company
    - the individual's data belongs to the individual
    - customers' data belongs to the customers and is protected by law

    So don't allow customer data onto insecure personal devices, decide whether you'll allow company data onto those devices and accept that your employees will have data you don't control on them.

    Shit, I work for a bank, I can think of a dozen ways of permitting end user computing in the office without breaking any FSA regulations, the law or unreasonably jeopardising the company.

  4. Re:Why link to another Galen Gruman article? by Moryath · Score: 4, Interesting

    What's really funny is that Galen "I'm a fucking moron" Gruman just wrote this second article, which was the answer to why those supposed "high priests" - really, IT people trying to implement the policies put forth by PHBs high up the chain and legal teams trying to stop the risk of trade secrets going out the door - did the things he didn't like in the first article.

  5. Re:Simple, really by vlm · Score: 4, Interesting

    ...ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists...

    Funny you should mention this, to work around that agony, at a previous financial services employer, the field techs had the customer site data in plain text email as attachments, which the field circus techs had access to via internet webmail. Boss/supvr was gatekeeper and responsible for email forwarding the most recent customer data snapshot to any of his techs that requested it from him.

    The problem with Hollywood movie plot based security is that it usually completely misses the mark of real security issues. If it takes 30 minutes of biometric and two factor security to get some data, what happens in the real world is one tech will simply txt message another tech asking him to email the info he needs to his gmail.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  6. Trade secrets and lack of control by Todd Knarr · Score: 2, Interesting

    I think the argument that trade secrets are revealed because the employee's device is outside the company's control is somewhat invalid. The device may be outside the company's direct control, but technically so is the employee's brain and mouth. The employee, however, is within the company's control, thanks to the agreement the employee signed about how they'd handle the company's secrets. Since the employee's device is within the employee's control, and the employee's agreed to handle secrets in an appropriate way, the company's got sufficient indirect control to keep the secrets secret. If that weren't the case then telling the employee the secret in the first place would expose it, since the employee's mind isn't under the company's direct control and the only control exerted is the same agreement about how the employee will handle those secrets.

    Cloud storage is another matter, but solving that will require a massive change in the law: making it so my e-mail is mine, period, and you can't serve a subpoena on the server operator to gain access to my e-mail, you have to serve the subpoena on me.

  7. Re:Things folks don't think about. by germansausage · Score: 3, Interesting

    We have a mail app for our (employee owned) iPhones which encrypts the message store on the phone, and can be remotely wiped. It's not quite as functional as the built-in Apple Mail app but it's good enough. If you want company mail on your personal phone you have to use the app. You can still have your own personal mail accounts; if we nuke the company mail (by revoking the encryption key), your personal mail is untouched. Company pays for the app. Employee purchases and owns phone, company splits cost of voice and data plan 50/50 with employee and pays for work related long distance calls. It is sensible, and works ok.
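
The key-revocation wipe described in the comment above, as an added example (not part of the thread and not the commenter's app): company mail is kept on the phone only as AES-256-GCM ciphertext, so destroying the key makes it unreadable while anything stored outside the container is untouched. The function names, message ids and sample messages are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm builds AES-GCM for key; a revoked (nil) key fails here with a key-size error.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal stores a message as nonce || ciphertext || tag, with its id as associated data.
func seal(key []byte, id string, msg []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, []byte(id)), nil
}

// open decrypts a stored blob; it needs the same key and the same message id.
func open(key []byte, id string, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("cannot open %s (key error: %v, blob length: %d)", id, err, len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(id))
}

func main() {
	key := make([]byte, 32) // constructed stand-in for the company-issued key
	rand.Read(key)
	personal := "dinner at 8" // personal mail is stored outside the container
	blob, _ := seal(key, "work-1", []byte("Q3 customer list"))
	before, _ := open(key, "work-1", blob)
	key = nil // remote wipe: only the key is destroyed, the blob stays on the phone
	_, err := open(key, "work-1", blob)
	fmt.Printf("before: %q\nafter: %v\npersonal: %q\n", before, err, personal)
}
```

The wipe is only as good as the key handling: if the key was ever copied off the device or cached outside the app, the ciphertext left on the phone is still recoverable.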

  8. I find it remarkably odd... by bratwiz · Score: 3, Interesting

    I find it remarkably odd that people are spending any time at all considering how to protect company secrets when companies spend practically none of their own time thinking of ways to protect ours...