Slashdot Mirror


Employee-Owned Devices Muddy Data Privacy Rights

snydeq writes "As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"

24 of 165 comments

  1. Who profits by muddied waters? by vlm · · Score: 4, Interesting

    Who profits by muddied waters? Wasn't this all figured out decades ago when employees got home telephones and occasionally talked business on them?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Who profits by muddied waters? by vlm · · Score: 5, Interesting

      Back then you couldn't just connect a phone to another device and retrieve and make public everything that was transmitted on it.

      Sure you could. Darn near 30 years ago my father had a terminal at home hooked up to a printer. And 40 years ago my grandfather had a reel to reel tape recorder hooked up to the phone (business purposes, something about dictation services and the then new concept of documenting conference calls with engineering consultants). This is old old old old case law. So I ask again, who profits by dredging this up and muddying the waters with a fake sheen of newness?

      See the thing about IT/CS, is there's never really anything new, it's just all recycled over and over, everything, and the noobs always think they as the youth of America are the ones who invented it. There is some old saying about every generation of teenagers think they're the first generation to invent 1) rebellion and 2) music and 3) sex and everyone old enough to see the pattern just laughs.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Who profits by muddied waters? by lavagolemking · · Score: 3

      I said phone, not cell phone or smart phone. You know, those ancient analog devices mounted on the wall from the day and age mentioned in GP, before cell phones were widespread. You speak into them, and they don't connect to the internet or remember your recent contacts. We are still talking about

      decades ago when employees got home telephones and occasionally talked business on them

      right? Maybe I'm naive, but I don't seem to remember Outlook from a phone being possible back then.

      Point being, in the time when this was figured out, you didn't have to worry about what kind of sensitive data was stored on a device with no storage capability.

  2. Why link to another Galen Gruman article? by khasim · · Score: 5, Informative

    If InfoWorld cannot get enough hits on his articles by themselves (see other discussions here) then why does Slashdot have to link to them?

    How to thwart the high priests of IT
    http://it.slashdot.org/story/11/12/18/2154224/how-to-thwart-the-high-priests-in-it

    Seriously?

    1. Re:Why link to another Galen Gruman article? by Moryath · · Score: 4, Interesting

      What's really funny is that Galen "I'm a fucking moron" Gruman just wrote this second article, which was the answer to why those supposed "high priests" - really, IT people trying to implement the policies put forth by PHB's high up the chain and legal teams trying to stop the risk of trade secrets going out the door - did the things he didn't like in the first article.

  3. Re:Email a trade secret? by bussdriver · · Score: 4, Insightful

    Forget that; I want clarification on the right of the corporation to invade our privacy. They shouldn't be able to "steal" your computer and clone the whole thing just to find out if you emailed the competition some secret!

    Information is not property. Once you let them redefine reality you've conceded to their terms of battle.

  4. I've kind of felt that... by Omnifarious · · Score: 5, Insightful

    I've kind of felt that personal devices like phones and such should be treated as extensions of your own mind. For example, they should be covered by the fifth amendment.

    This means, from a trade secret standpoint, that transmission of the secret from your device to an unrelated third party should be treated as if you personally wrote out the trade secret and sent it. And if your device was hacked, it should be legally treated the same as if you were conned into revealing the trade secret. But your employer should have absolutely no rights with regards to examining what's on your device. It should be treated as a black box.

    1. Re:I've kind of felt that... by lindi · · Score: 4, Insightful

      Perhaps in theory but that's not very realistic today. Malware on a phone can easily leak a lot of data without anybody noticing, that won't happen with your mind.

  5. Ah, the counterpoint to "Death of the IT Guru" by sandytaru · · Score: 3, Insightful

    A few recent submissions to Slashdot have been from end users complaining about miserly IT overlords refusing to allow personal devices onto the network, and telling the end users "No you can't." These articles were all written from the manager's standpoint, whereby they figured if their use of their personal devices was going to allow them to be more productive, then there was no reason to say they couldn't use them. Right? Well, the legal issues surrounding them are a very good way to say "wrong." Between all the compliance issues and security risks that personal devices entail, the legal headaches and challenges that could ensue if something goes awry should be enough of a deterrent for most businesses.

    --
    Occasionally living proof of the Ballmer peak.
  6. Things folks don't think about. by JakiChan · · Score: 4, Informative

    There are a few things that the users who want company (email/data/whatever) on their personal (iCrap/PC/whatever) don't think about.

    1) Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data? Are you willing to lose ALL the data on your phone? I've heard about folks suing their employers over this.

    2) If I suspect you're up to no good and you're using a company device I can take that device and conduct forensic analysis on it. If it's your personal device I can't force you to surrender it.

    3) Are you willing to pay for whatever security software IT mandates?

    I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon. However coming up with these best practices (and buying the software/etc to support them) is not free. So to the employee they think "Hey, this doesn't cost you anything! I bought the phone!" But they don't see the TCO at all.

    --
    "Where quality is like a dead stinking rat - you just can't miss it."
    1. Re:Things folks don't think about. by vlm · · Score: 4, Insightful

      I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon.

      Don't need them. All you need is rdesktop/VNC/SSH. Some companies have been working "in the future" for a couple decades now, some still aren't in the present.

      Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data?

      Yeah.... go ahead, wipe the vmware image my wife connects to via rdesktop. It's not going to affect her phone, desktop, tablet, work laptop, home laptop, etc.

      It's conceptually not much different than allowing remote webmail access.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Things folks don't think about. by germansausage · · Score: 3, Interesting

      We have a mail app for our (employee owned) iPhones which encrypts the message store on the phone, and can be remotely wiped. It's not quite as functional as the built in Apple mail app but it's good enough. If you want company mail on your personal phone you have to use the app. You can still have your own personal mail accounts, if we nuke the company mail, (by revoking the encryption key) your personal mail is untouched. Company pays for the app. Employee purchases and owns phone, company splits cost of voice and data plan 50/50 with employee and pays for work related long distance calls. It is sensible, and works ok.

    3. Re:Things folks don't think about. by Rich0 · · Score: 3, Insightful

      I think their concern is more the opposite. They aren't afraid that they wouldn't be able to produce email - they're afraid that they WOULD have to produce email that they should have destroyed.

      Many employers destroy email after a fairly short period of time - they define it as unofficial and not to be retained. They make sure that all emails and their backups are destroyed in accordance with this policy, so that if they are subpoenaed they can just point to the policy and say that they don't have anything to turn over, and an audit would show them to be in compliance with their policy. A court can tell them to stop deleting emails relevant to a case after the subpoena is issued, but they will not punish a company for deleting emails that it had no legal requirement to retain.

      However, if the employee points out that their boss uses a gmail account and refers to some Google webpage that states that law enforcement can retrieve email for a period of a year or something, then a court would almost certainly allow them to subpoena copies of anything that Google has, and Google would turn them over.

      As others have pointed out, if required to keep email the employer could do this on their end as long as the email at least passed through their servers, although if an employee sticks their gmail account on their business card then all bets are off...

  7. They were written by the same guy. by khasim · · Score: 4, Insightful

    A few recent submissions to Slashdot have been from end users complaining about miserly IT overlords refusing to allow personal devices onto the network, and telling the end users "No you can't."

    ...and...

    Well, the legal issues surrounding them are a very good way to say "wrong."

    That series of articles was written by the same guy writing this article.

    Between all the compliance issues and security risks that personal devices entail, the legal headaches and challenges that could ensue if something goes awry should be enough of a deterrent for most businesses.

    Which are exactly the points that everyone here brought up in response to those previous articles.

    And those reasons are the reasons why companies do NOT do what he claims that they ARE DOING now (and the point of his previous articles).

    Who "owns" the work you do for the company on your personal computer? What rights does the company have to your personal computer when you leave?

    Why even get into a discussion of that? The company issues you a laptop to use at home and you are supposed to use that laptop for company work. When you leave, the company gets the laptop back.

    No questions. No problems.

    But simple solutions like that do not generate articles about how companies are allowing employees to bring whatever they want into the company and connect it to the company's private data.

    Even though he had not interviewed a SINGLE CIO from any company in the health-care industry stating that they did what he claimed they did.

  8. Simple, really by cdrguru · · Score: 4, Informative

    Many large companies have very simple policies about this for this very reason: ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists of course this is going to be in jeopardy once the customer list is loaded onto a non-corporate-owned device. It is at least going to open the door sufficiently that it is going to be very expensive to litigate in the future.

    You can easily envision the employee with the customer list on their personally-owned phone walking into their new employer with what they feel is a leg up on all the other sales people. It's on their phone, it is their list of contacts that they have been dealing with for years and now they can offer them new stuff from their new employer. Why not, right? Well, if you do it with paper you are going to get sued. My guess is that if you do it with your phone it is going to be a lot more complicated than it would have been before.

    A large part of the problem is that some companies simply do not understand the ramifications of having their supposedly private, secret information scattered about. They plug in a wireless router on the internal network without thinking it through, perhaps comforted by the knowledge that they used the best 26-character WEP password they could think up. The president brings in an iPad into a completely Windows-centric environment and wants to be able to use it with company data - not knowing that the application makes a static copy of the entire database on the device.

    Yes, there are some nice nifty devices out there that the company hasn't seen fit to buy yet. That doesn't mean they should be on the network. And the whole question of user-owned devices being securely within the trade-secret umbrella or not is one that will only be resolved through a lot of court cases. And some people would do very well to remember that it isn't the successful business that gets to be one of the "first" in litigation.

    1. Re:Simple, really by vlm · · Score: 4, Interesting

      ...ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists...

      Funny you should mention this, to work around that agony, at a previous financial services employer, the field techs had the customer site data in plain text email as attachments, which the field circus techs had access to via internet webmail. Boss/supvr was gatekeeper and responsible for email forwarding the most recent customer data snapshot to any of his techs that requested it from him.

      The problem with Hollywood movie plot based security is that it usually completely misses the mark of real security issues. If it takes 30 minutes of biometric and two factor security to get some data, what happens in the real world is one tech will simply txt message another tech asking him to email the info he needs to his gmail.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  9. UK Information Commissioner Office issues guidance by Rob+the+Roadie · · Score: 4, Interesting

    ICO issues guidance about private emails, reminding the public sector that the Freedom of Information Act covers private emails if they are used for business matters.

    Christopher Graham, the information commissioner, said: "It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to freedom of information law if it relates to official business."

    Not really a device thing... but related none the less.

  10. where's the muddiness? by Cederic · · Score: 4, Interesting

    Life is pretty fucking simple:
    - the company's data belongs to the company
    - the individual's data belongs to the individual
    - customers' data belongs to the customers and is protected by law

    So don't allow customer data onto insecure personal devices, decide whether you'll allow company data onto those devices and accept that your employees will have data you don't control on them.

    Shit, I work for a bank, I can think of a dozen ways of permitting end user computing in the office without breaking any FSA regulations, the law or unreasonably jeopardising the company.

  11. Re:One more reason to consider that by rtfa-troll · · Score: 4, Insightful

    You can not own the information..

    I don't know if you can own information, but there is definitely a concept of secrets and privacy. Your own thoughts should be protected so that you can think freely without fear. By extension, it's reasonable to imagine that companies should be allowed to have trade secrets. Just as it would be upsetting if people set up a scaffolding half a mile away and directed a super long zoom lens into your bedroom; even if they did it from their own property; it's reasonable to allow companies some ability to protect trade secrets.

    It seems to me that this, where you are restricting the right of someone to spy on information which is held primarily by the company, is on much stronger ground than copyright, where you try to restrict someone else from saying something which is already in their mind.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  12. Re:Trade secret argument is bogus by Anonymous Coward · · Score: 3, Insightful

    The employee may unwittingly do so. People don't accidentally blurt out trade secrets, but many people do opt to download and run the occasional Trojan, many run buggy software or software that un-buggily treats some types of caches as not particularly sensitive, or they send home PC's unencrypted drive platters back to manufacturers, or run proprietary software where you (nor they) simply don't have any way of knowing what all it does, or -- countless other things.

    You can say it was still their responsibility to not do those things, but that doesn't really help you much, once your secret is out anyway, not to mention most of the time you won't know which one did it.

    The point is that it's less secure, whether or not in the end you feel satisfied that you have someone to blame.

    It's all well and good to say "they have a responsibility" but when you tell them they're not allowed to use any mainstream OS, or take advantage of equipment warranties on their personal equipment, suddenly you're the bad guy and "unreasonable."

  13. Re:One more reason to consider that by msobkow · · Score: 4, Insightful

    It's not just an issue of protecting "trade secrets", but of protecting customer information in compliance with law and being able to prove that corporate decisions are made in compliance with law without collusion and back-room deals.

    Most employees (including a HUGE segment of the Slashdot crowd) do not understand the fundamental reason companies do NOT want you using "personal devices" to do business, but to use the company-provided equipment instead.

    The company's obligation to legal and ethical requirements to protect and manage data FAR outstrips your desire to use your iToy at the office.

    --
    I do not fail; I succeed at finding out what does not work.
  14. Re:Email a trade secret? by Chicken_Kickers · · Score: 5, Insightful

    No, COMPANY email is trade secret. Why are people paying their own money to buy hardware and software for work-use is beyond me. Sure the company won't buy you the latest shiny i-crap from grApple but is it worth it to get sued for breaking NDAs and industrial espionage? You want toys, you buy it yourself and use it for home and off-work. You want to work? Get your company to pay for it and return it to them when you leave the company. The end.

  15. I find it remarkably odd... by bratwiz · · Score: 3, Interesting

    I find it remarkably odd that people are spending any time at all considering how to protect company secrets when companies spend practically none of their own time thinking of ways to protect ours...

  16. Re:Email a trade secret? by GospelHead821 · · Score: 3, Informative

    For the same reason why they went to a great deal of trouble to secure a Blackberry for President Obama to use. Professionals of all stripes have become attached to one piece of equipment or another that they depend on to be productive (or more productive.) It's not about "toys" as much as it's about the professional employee trying to retain the tools that help him or her to do the job most effectively. The employer's standard tools might be adequate but if the employee is capable of providing 10% more on familiar equipment, why force the employee to switch? Liability, lawsuits, NDA's, espionage, blah, blah, blah. All of that is a lot of FEAR. I'll admit, my first reaction when I heard about employees bringing their own equipment to work was to think, "stupid employees." But the more I've thought about it, the more that I think that it's about the employee and the employer asking the question, "How can we do the most for our customers?" instead of asking "How can we cover our cowardly asses?"

    If I had to do a lot of calculations every day, I'd probably provide my own calculator. If I were working in a kitchen, I'd probably provide my own knife. If somebody's job requires a lot of communication, why should it seem so strange that they want to provide their own smart phone?

    --
    Virtue finds and chooses the mean.
    Aristotle, Ethica Nichomachea