Slashdot Mirror
Employee-Owned Devices Muddy Data Privacy Rights
snydeq writes "As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"
Who profits by muddied waters? Wasn't this all figured out decades ago when employees got home telephones and occasionally talked business on them?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
If InfoWorld cannot get enough hits on his articles by themselves (see other discussions here) then why does Slashdot have to link to them?
How to thwart the high priests of IT
http://it.slashdot.org/story/11/12/18/2154224/how-to-thwart-the-high-priests-in-it
Seriously?
Forget that; I want clarification on the right of the corporation to invade our privacy. They shouldn't be able to "steal" your computer and clone the whole thing just to find out if you emailed the competition some secret!
Information is not property. Once you let them redefine reality you've conceded to their terms of battle.
Democracy Now! - uncensored, anti-establishment news
I've kind of felt that personal devices like phones and such should be treated as extensions of your own mind. For example, they should be covered by the fifth amendment.
This means, from a trade secret standpoint, that transmission of the secret from your device to an unrelated third party should be treated as if you personally wrote out the trade secret and sent it. And if your device was hacked, it should be legally treated the same as if you were conned into revealing the trade secret. But you employer should have absolutely no rights with regards to examining what's on your device. It should be treated as a black box.
Need a Python, C++, Unix, Linux develop
A few recent submissions to Slashdot have been from end users complaining about miserly IT overlords refusing to allow personal devices onto the network, and telling the end users "No you can't." These articles were all written from the manager's standpoint, whereby they figured if their use of their personal devices was going to allow them to be more productive, then there was no reason to say they couldn't use them. Right? Well, the legal issues surrounding them are a very good way to say "wrong." Between all the compliance issues and security risks that personal devices entail, the legal headaches and challenges that could ensue if something goes awry should be enough of a deterrent for most businesses.
Occasionally living proof of the Ballmer peak.
There are a few things that the users who want company (email/data/whatever) on their personal (iCrap/PC/whatever) don't think about.
1) Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data? Are you willing to lose ALL the data on your phone? I've heard about folks suing their employers over this.
2) If I suspect you're up to no good and you're using a company device I can take that device and conduct forensic analysis on it. If it's your personal device I can't force you to surrender it.
3) Are you willing to pay for whatever security software IT mandates?
I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon. However coming up with these best practices (and buying the software/etc to support them) is not free. So to the employee they think "Hey, this doesn't cost you anything! I bought the phone!" But they don't see the TCO at all.
"Where quality is like a dead stinking rat - you just can't miss it."
That series of articles was written by the same guy writing this article.
Which are exactly the points that everyone here brought up in response to those previous articles.
And those reasons are the reasons why companies do NOT do what he claims that they ARE DOING now (and the point of his previous articles).
Who "owns" the work you do for the company on your personal computer? What rights does the company have to your personal computer when you leave?
Why even get into a discussion of that? The company issues you a laptop to use at home and you are supposed to use that laptop for company work. When you leave, the company gets the laptop back.
No questions. No problems.
But simple solutions like that do not generate articles about how companies are allowing employees to bring whatever they want into the company and connect it to the company's private data.
Even though he had not interviewed a SINGLE CIO from any company in the health-care industry stating that they did what he claimed they did.
Many large companies have very simple policies about this for this very reason: ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists of course this is going to be in jeopardy once the customer list is loaded onto a non-corporate-owned device. It is at least going to open the door sufficiently that it is going to be very expensive to litigate in the future.
You can easily envision the employee with the customer list on their personally-owned phone walking into their new employer with what they feel is a leg up on all the other sales people. It's on their phone, it is their list of contacts that they have been dealing with for years and now they can offer them new stuff from their new employer. Why not, right? Well, if you do it with paper you are going to get sued. My guess is that if you do it with your phone it is going to be a lot more complicated than it would have been before.
A large part of the problem is that some companies simply do not understand the ramifications of having their supposedly private, secret information scattered about. They plug in a wireless router on the internal network without thinking it through, perhaps comforted by the knowedge that they used the best 26-character WEP password they could think up.The president brings in a iPad into a completely Windows-centric environment and wants to be able to use it with company data - not knowing that the application makes a static copy of the entire database on the device.
Yes, there are some nice nifty devices out there that the company hasn't seen fit to buy yet. That doesn't mean they should be on the network. And the whole question of user-owned devices being securely within the trade-secret umbrella or not is one that will only be resolved through a lot of court cases. And some people would do very well to remember that it isn't the successful business that gets to be one of the "first" in litigation.
That is a big one as well.
what about companies that make you buy / pay part of the cost of there system??
Now if they are forceing you to buy there system then you should be able to install any game or app you want but what about mixed cases where the company and you both pay for the system who own's it and who has the right to data and out of work use?
ICO issues guidance about private emails, reminding the public sector that the Freedom of Information Act covers private emails if they are used for business matters.
"Christopher Graham, the information commissioner, said: "It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to freedom of information law if it relates to official business."
Not really a device thing... but related none the less.
A trade secret hasn't left the control of the company just because it is on my personally owned device - as long as I have a legal duty not to pass it on any further. As an employee, I would have that duty, just as any outside company or person under NDA would have.
Life is pretty fucking simple:
- the company's data belongs to the company
- the individual's data belongs to the individual
- customers' data belongs to the customers and is protected by law
So don't allow customer data onto insecure personal devices, decide whether you'll allow company data onto those devices and accept that your employees will have data you don't control on them.
Shit, I work for a bank, I can think of a dozen ways of permitting end user computing in the office without breaking any FSA regulations, the law or unreasonably jeopardising the company.
You can not own the information..
I don't know if you can own information, but there is definitely a concept of secrets and privacy. Your own thoughts should be protected so that you can think freely without fear. By extension, it's reasonable to imagine that companies should be allowed to have trade secrets. Just as it would be upsetting if people set up a scaffolding half a mile away and directed a super long zoom lens into your bedroom; even if they did it from their own property; it's reasonable to allow companies some ability to protect trade secrets.
It seems to me that this, where you are restricting the right of someone to spy on information which is held primarily by the company, is on much stronger ground than copyright, where you try to restrict someone else from saying something which is already in their mind.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control.
Bullshit. You might as well claim that trade secrets are invalidated if the employee takes written notes home from a meeting because, after all, "they've left the employer's control". Except that employee still has a legal obligation to not spread those trade secrets to unauthorized parties...
As I've posted before ...
The purpose of corporate IT is to ...
allow company approved people to
access company data
using company approved apps
on company approved hardware
at company approved locations
with company mandated security methods
on the company approved IT budget and staffing level
to keep the company in business and out of court.
And I think that is the core problem there. He is a writer.
It does not matter what device a writer uses to write his articles.
It does not matter what software a writer uses to write his articles (as long as it can do ASCII or whatever).
It does not matter what email app a writer uses to send in his articles.
It does not matter where a writer writes or where he sends in his articles from.
But going from that experience and generalizing to something like the health-care industry ... he's an idiot.
So why does Timothy keep linking to his articles?
I think the argument that trade secrets are revealed because the employee's device is outside the company's control is somewhat invalid. The device may be outside the company's direct control, but technically so is the employee's brain and mouth. The employee, however, is within the company's control, thanks to the agreement the employee signed about how they'd handle the company's secrets. Since the employee's device is within the employee's control, and the employee's agreed to handle secrets in an appropriate way, the company's got sufficient indirect control to keep the secrets secret. If that weren't the case then telling the employee the secret in the first place would expose it, since the employee's mind isn't under the company's direct control and the only control exerted is the same agreement about how the employee will handle those secrets.
Cloud storage is another matter, but solving that will require a massive change in the law: making it so my e-mail is mine, period, and you can't serve a subpoena on the server operator to gain access to my e-mail, you have to serve the subpoena on me.
It doesn't muddy the rights. All the potential problems involve unintentional (on the part of the company) release of the information to third parties. The employees are supposed to have access to company information, but aren't allowed to disclose it to third parties without permission.
Probably not. But that is only half the question.
The other half is ... can it leak company information via your wife's "phone, desktop, tablet, work laptop, home laptop, etc".
And for that answer, you have to postulate massive infection on your wife's device. And a Russian cracker on the receiving end. Can that Russian cracker use the information gathered to impersonate your wife and gain access to the company's private data with her credentials?
With a company-owned device, the company can ensure a minimum level of anti-virus / patches / whatever to "prove" in a legal sense that the company took reasonable measure to prevent the breach.
You are forgetting that there are different rules in different jurisdictions. What might work in your state/country might not work in others. That also has to be considered.
-- I ignore anonymous replies to my comments and postings.
I think this is quite straightforward. A company can be responsible for the interfaces that are provided to internal data to none-company devices and the data on company devices. Outside of that the responsibility stops with the end user (employee/customer/guest/consultant/whoever) and the company's usage policies should mirror this and breach of these constitutes breach of contract and therefore liability for damages.
It's not just an issue of protecting "trade secrets", but of protecting customer information in compliance with law and being able to prove that corporate decisions are made in compliance with law without collusion and back-room deals.
Most employees (including a HUGE segment of the Slashdot crowd) do not understand the fundamental reason companies do NOT want you using "personal devices" to do business, but to use the company-provided equipment instead.
The company's obligation to legal and ethical requirements to protect and manage data FAR outstrip your desire to use your iToy at the office.
I do not fail; I succeed at finding out what does not work.
No, COMPANY email is trade secret. Why are people paying their own money to buy hardware and software for work-use is beyond me. Sure the company won't buy you the latest shiny i-crap from grApple but is it worth it to get sued for breaking NDAs and industrial espionage? You want toys, you buy it yourself and use it for home and off-work.You want to work? Get your company to pay for it and return it to them when you leave the company. The end.
this is just because IT can't control it, they start to scream
because this is not reddit.
Not everybody has the talent to be a good author (I don't fool myself). Some writings get muddled, and some responders simply interject confusions. The topic(s) of ‘data privacy rights’, why they are needed, and including who is subject to adhere to regulations concerning them, why they are subject, when they are subject, and the regulations themselves, all deserve to be logically discussed .. . .. .Because there ARE regulations. -Regulations concerning information that a person or other entity may hold [about] another person, or other entity, which, if obtained by an unauthorized 3rd party, could be used in an unauthorized manner. (If you legitimately [authorized] collect and save someone else's information, you have a responsibility to protect that information from unauthorized access, viewing, collection and\or use. And, generally, authorized for your use does not authorize you to authorize any other person or entity.)
The Ops’ title is: - “Employee-Owned Devices Muddy Privacy Rights”
- Business and Tech headlines lately are loaded with mentions about, and references to such things as, “Bring your own device to work(BYOD)”, “Commercialization of Corporate IT”, etc., etc., which talk about employees using their own devices to access work-related assets, for different reasons.
As is pointed-out in various comments above, the persons or entities that are subject to the aforementioned regulations are required to take ‘reasonable steps' to comply with those regulations.
It is NOT reasonable to ‘assume’ an employee’s personal device is and will remain to be ‘in compliance’ with the subject regulations, therefore, it is NOT a ‘reasonable step’ to openly allow employee-owned devices access to the internal information.
The computer systems we saw on television, Star Trek and the like, will one day govern us; but not yet.
cjacobs001
I find it remarkably odd that people are spending any time at all considering how to protect company secrets when companies spend practically none of their own time thinking of ways to protect ours...
For the same reason why they went to a great deal of trouble to secure a Blackberry for President Obama to use. Professionals of all stripes have become attached to one piece of equipment or another that they depend on to be productive (or more productive.) It's not about "toys" as much as it's about the professional employee trying to retain the tools that help him or her to do the job most effectively. The employer's standard tools might be adequate but if the employee is capable of providing 10% more on familiar equipment, why force the employee to switch? Liability, lawsuits, NDA's, espionage, blah, blah, blah. All of that is a lot of FEAR. I'll admit, my first reaction when I heard about employees bringing their own equipment to work was to think, "stupid employees." But the more I've thought about it, the more that I think that it's about the employee and the employer asking the question, "How can we do the most for our customers?" instead of asking "How can we cover our cowardly asses?"
If I had to do a lot of calculations everyday, I'd probably provide my own calculator. If I were working in a kitchen, I'd probably provide my own knife. If somebody's job requires a lot of communication, why should it seem so strange that they want to provide their own smart phone?
Virtue finds and chooses the mean.
Aristotle, Ethica Nichomachea
It's not just an issue of protecting "trade secrets", but of protecting customer information in compliance with law and being able to prove that corporate decisions are made in compliance with law without collusion and back-room deals.
Most employees (including a HUGE segment of the Slashdot crowd) do not understand the fundamental reason companies do NOT want you using "personal devices" to do business, but to use the company-provided equipment instead.
The company's obligation to legal and ethical requirements to protect and manage data FAR outstrip your desire to use your iToy at the office.
Posted from my iPhone.
There I fixed it for you. ;-)
Keep the Classic Slashdot.
Hat tip for you:
This article is by Galen Gruman, finally getting around to the other side from his "I hate IT, all IT people are stuck up overlords who won't let me have a toy to play Farmville on at work" garbage.
Infoworld has so caught on to his blitherings that they pre-emptively disabled comments on his latest column.
I don't understand why they don't just fire him. He must be related to someone in charge.
Why?
1. I don't want to carry two cell phones with me. If the boss wants me on call after hours, then he can use my own number.
2. I don't use MS. I'll use my mac, with linux running in virtualbox for developement. Yes, if they insist on using some MS programs, I;ll run VB for winsnooze too.
3. I may have different ideas of what software to run than the company does.
How much of this to allow is a company decision. They pay the coin. They set the rules. In many industrial sites here you have to wear Nomex coveralls. Not permitted on the job site without them. I don't choose to work for those outfits.
I walked into a job interview at HP.. My interviewer was wearing a 3 piece suit. Five minutes in, I asked, "Is suit and tie expected wear here?" "Why yes it is" he said, surprised. "I don't want to work here. I don't own a tie, and have no intention of starting now."
Another job wanted me on call with their own cell phone. I demonstrated conclusively with 4 different phones that there was no point. I lived out of cell phone reach. They reluctantly agreed that I could keep the phone at work.
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
So MY phone runs an imap client. The original data is on a corporate server. The imap server is modified so that 'delete' means 'archive' and thereafter follows whatever data retention policy you have.
The issue with a my phone is this: Do YOU as a company have a right to wipe my phone if I have confidential information on it. Do you have the right to MY iCloud password to check for data.
The problem is one of trust. If you have a reasonable HR depeartment you hire people with integrity. You let them go for sufficient cause. You ask them to delete the information they have on their personal equipment. If you cannot trust them to do this, you have failed earlier in the process.
If, as a company you can't afford to trust people, then:
A. I don't want to work for you.
B. You will have to issue all their stuff. You will also have to have totally locked down equipment with no removeable access storage. You will likely have to run deep packet inspection on all net traffic, as well as traffic analysis. (Why is there so much https traffic between John's comptuter and this one web site, and why is up traffic so much larger than down traffic...)
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.