Slashdot Mirror
Employee-Owned Devices Muddy Data Privacy Rights
snydeq writes "As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"
Who profits by muddied waters? Wasn't this all figured out decades ago when employees got home telephones and occasionally talked business on them?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
If InfoWorld cannot get enough hits on his articles by themselves (see other discussions here) then why does Slashdot have to link to them?
How to thwart the high priests of IT
http://it.slashdot.org/story/11/12/18/2154224/how-to-thwart-the-high-priests-in-it
Seriously?
Forget that; I want clarification on the right of the corporation to invade our privacy. They shouldn't be able to "steal" your computer and clone the whole thing just to find out if you emailed the competition some secret!
Information is not property. Once you let them redefine reality you've conceded to their terms of battle.
Democracy Now! - uncensored, anti-establishment news
I've kind of felt that personal devices like phones and such should be treated as extensions of your own mind. For example, they should be covered by the fifth amendment.
This means, from a trade secret standpoint, that transmission of the secret from your device to an unrelated third party should be treated as if you personally wrote out the trade secret and sent it. And if your device was hacked, it should be legally treated the same as if you were conned into revealing the trade secret. But you employer should have absolutely no rights with regards to examining what's on your device. It should be treated as a black box.
Need a Python, C++, Unix, Linux develop
There are a few things that the users who want company (email/data/whatever) on their personal (iCrap/PC/whatever) don't think about.
1) Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data? Are you willing to lose ALL the data on your phone? I've heard about folks suing their employers over this.
2) If I suspect you're up to no good and you're using a company device I can take that device and conduct forensic analysis on it. If it's your personal device I can't force you to surrender it.
3) Are you willing to pay for whatever security software IT mandates?
I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon. However coming up with these best practices (and buying the software/etc to support them) is not free. So to the employee they think "Hey, this doesn't cost you anything! I bought the phone!" But they don't see the TCO at all.
"Where quality is like a dead stinking rat - you just can't miss it."
That series of articles was written by the same guy writing this article.
Which are exactly the points that everyone here brought up in response to those previous articles.
And those reasons are the reasons why companies do NOT do what he claims that they ARE DOING now (and the point of his previous articles).
Who "owns" the work you do for the company on your personal computer? What rights does the company have to your personal computer when you leave?
Why even get into a discussion of that? The company issues you a laptop to use at home and you are supposed to use that laptop for company work. When you leave, the company gets the laptop back.
No questions. No problems.
But simple solutions like that do not generate articles about how companies are allowing employees to bring whatever they want into the company and connect it to the company's private data.
Even though he had not interviewed a SINGLE CIO from any company in the health-care industry stating that they did what he claimed they did.
Many large companies have very simple policies about this for this very reason: ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists of course this is going to be in jeopardy once the customer list is loaded onto a non-corporate-owned device. It is at least going to open the door sufficiently that it is going to be very expensive to litigate in the future.
You can easily envision the employee with the customer list on their personally-owned phone walking into their new employer with what they feel is a leg up on all the other sales people. It's on their phone, it is their list of contacts that they have been dealing with for years and now they can offer them new stuff from their new employer. Why not, right? Well, if you do it with paper you are going to get sued. My guess is that if you do it with your phone it is going to be a lot more complicated than it would have been before.
A large part of the problem is that some companies simply do not understand the ramifications of having their supposedly private, secret information scattered about. They plug in a wireless router on the internal network without thinking it through, perhaps comforted by the knowedge that they used the best 26-character WEP password they could think up.The president brings in a iPad into a completely Windows-centric environment and wants to be able to use it with company data - not knowing that the application makes a static copy of the entire database on the device.
Yes, there are some nice nifty devices out there that the company hasn't seen fit to buy yet. That doesn't mean they should be on the network. And the whole question of user-owned devices being securely within the trade-secret umbrella or not is one that will only be resolved through a lot of court cases. And some people would do very well to remember that it isn't the successful business that gets to be one of the "first" in litigation.
ICO issues guidance about private emails, reminding the public sector that the Freedom of Information Act covers private emails if they are used for business matters.
"Christopher Graham, the information commissioner, said: "It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to freedom of information law if it relates to official business."
Not really a device thing... but related none the less.
Life is pretty fucking simple:
- the company's data belongs to the company
- the individual's data belongs to the individual
- customers' data belongs to the customers and is protected by law
So don't allow customer data onto insecure personal devices, decide whether you'll allow company data onto those devices and accept that your employees will have data you don't control on them.
Shit, I work for a bank, I can think of a dozen ways of permitting end user computing in the office without breaking any FSA regulations, the law or unreasonably jeopardising the company.
You can not own the information..
I don't know if you can own information, but there is definitely a concept of secrets and privacy. Your own thoughts should be protected so that you can think freely without fear. By extension, it's reasonable to imagine that companies should be allowed to have trade secrets. Just as it would be upsetting if people set up a scaffolding half a mile away and directed a super long zoom lens into your bedroom; even if they did it from their own property; it's reasonable to allow companies some ability to protect trade secrets.
It seems to me that this, where you are restricting the right of someone to spy on information which is held primarily by the company, is on much stronger ground than copyright, where you try to restrict someone else from saying something which is already in their mind.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
It's not just an issue of protecting "trade secrets", but of protecting customer information in compliance with law and being able to prove that corporate decisions are made in compliance with law without collusion and back-room deals.
Most employees (including a HUGE segment of the Slashdot crowd) do not understand the fundamental reason companies do NOT want you using "personal devices" to do business, but to use the company-provided equipment instead.
The company's obligation to legal and ethical requirements to protect and manage data FAR outstrip your desire to use your iToy at the office.
I do not fail; I succeed at finding out what does not work.
No, COMPANY email is trade secret. Why are people paying their own money to buy hardware and software for work-use is beyond me. Sure the company won't buy you the latest shiny i-crap from grApple but is it worth it to get sued for breaking NDAs and industrial espionage? You want toys, you buy it yourself and use it for home and off-work.You want to work? Get your company to pay for it and return it to them when you leave the company. The end.