BYOD: "bring your own device" & privacy


margin notes:

  • The phone you carry with you every day might not be "yours". It reports on where you go and the information on it—personal or not—may not be private.

 

  • You wouldn't expect your employer to have the right to watch you when you use a toilet they own; why is it okay to watch what you do on the phone?

 

  • We are increasingly expected to be available/accessible via technology for work 24/7—as the lines between personal and professional time are blurring, individual privacy is being sacrificed. 

The days of 9-5 jobs seem to be long gone for many of us. 

Emails, phone calls, consultations with clients or with team members who are dealing with clients – these are increasingly a regular feature of life whether we are in the office or out of it, during “office hours” or not. As Dr. Melissa Gregg notes:

For those in large organisations, mobile and wireless devices deliver new forms of imposition and surveillance as much as they do efficiency or freedom, and with email increasingly considered an entrenched part of organisational culture, ordinary workers are finding it necessary to develop their own tactics to manage a constant expectation that they will be available through the screen, if not in person.

 

Given the constant expectation of availability, employees are increasingly using smartphones, tablets and the like.   It is important to note, however, that just as the work day is now bleeding into personal time, so too do personal communications use and work communications use become increasingly blended.  Whether the smartphone or tablet is issued by an employer or belongs to the employee, the fact remains that often work and personal communications take place on the same device(s).    This phenomenon is discussed under the term “BYOD” (Bring Your Own Device).   In this piece, that term will be used whether the device is in fact supplied by the employer or is a device owned by the employee but being used for work purposes.

This collapse of the professional and the personal creates issues and concerns for both parties to the relationship.

For the employees, it is the risk of exposing personal information to the employer as well as the possibility that the employer might be able to use such information for disciplinary or other purposes. In a recent online survey of employees in the US, UK and Germany, MobileIron found that while 80% of respondents were using personal devices for work, on average only about 30% of employees “completely trust their employer to keep personal information private and not use it against them in any way.” As for what information was actually accessible to employers, 41% of those surveyed believed that employers had no access to the information on their device, 15% simply weren’t sure what information was accessible, and fully 44% were confident that employers could see data but were unsure what specific data might be accessed or reviewed. When asked about the level of concern for various types of information that was or might be on the device, respondents indicated that:

  • Personal email and attachments: 66%
  • Texts: 63%
  • Personal contacts: 59%
  • Photos: 58%
  • Videos: 57%
  • Voicemails: 55%
  • All the information contained in all the mobile apps: 54%
  • Details of phone calls and internet usage: 53%
  • Location: 48%
  • List of all the apps on the device: 46%
  • List of just the apps used for work: 29%
  • The information in the apps used for work: 29%
  • Company email and attachments: 21%
  • Company contacts: 20%

Employers are also at risk. 

Employers are responsible for the security and safeguarding of information, and therefore must in the first place be aware of the issue. Workplaces may well have policies in place explicitly forbidding the use of work devices for personal communications, but this does not guarantee the policy will be adhered to. A survey conducted by Aruba Networks found that approximately 17% of 3,500 EMEA employees failed to declare their personal devices to their IT department – it is impossible for IT departments to ensure proper upgrades and security for devices of which they are not even aware. This of course presumes that IT departments do have in place procedures for dealing with such devices and guarding against data loss or leakage – a recent Acronis survey showed that only 31% of companies even mandated a password or key lock on such personal devices, while only 21% wiped company data from the device when an employee leaves the company.

That same Acronis survey revealed even more gaps in business understanding and treatment of BYOD – first of all, 30% of organizations were still forbidding personal devices from accessing the network.  Of the others, only 40% had any kind of personal device policy in place.   Finally, whether there were actual policies in place or not, over 80% of organizations revealed that they had not developed or provided any training to employees about BYOD privacy risks.  The failure to do so, of course, assists in the perpetuation of the problem, since failure to educate only exacerbates employee ignorance of risks, failure to declare devices to IT, and uncertainty and concern about employer access to information on the device.

 

It should be noted that while the Supreme Court of Canada has not yet had occasion to consider BYOD explicitly, in 2012’s R v Cole decision, which dealt with a teacher’s work computer on which a file of pornography was discovered, the Court was willing to find that the teacher’s subjective expectation of privacy was reasonable in the circumstances (although ultimately the illegally obtained evidence was admitted). Again, in this case, while we see a Court wrestling with various public policy issues, Justice Fish, writing for the majority, noted that:

[2]    Computers that are reasonably used for personal purposes — whether found in the workplace or the home — contain information that is meaningful, intimate, and touching on the user’s biographical core.  Vis-à-vis the state, everyone in Canada is constitutionally entitled to expect privacy in personal information of this kind.
[3]     While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely: The nature of the information at stake exposes the likes, interests, thoughts, activities, ideas, and searches for information of the individual user.

What then should an employee do to protect her privacy on a shared workplace/personal use device?  Well, when meeting a friend after work the other day I was surprised when she set down both a Blackberry and a smartphone on the table, and seemed to alternate her use between them.  Eventually she explained that the Blackberry was work-issued and she used it only for that purpose.  The smartphone, on the other hand, was her personal device and she said the monthly plan was a small price to pay to be sure of the security of both her own personal communications and those of her organization. 

It may be a hassle to tote more than one device around with us, but until there are better policies, procedures and understandings in place around BYOD, it may be the best approach.

The First Rule of Fight Club: Understanding Context in Interpreting Online Information

margin notes

  • Whether we use privacy settings or not, each of us has some culturally/subculturally developed expectation of privacy and the limits of information sharing.  These govern the expectations of privacy we apply to our online thoughts and behaviours.

 

  • We dress and speak differently with friends than in a job interview – those distinctions get lost when online statements are re-viewed out of context.   Does the act of doing something online rather than offline really transform every utterance into a truthful and reliable reflection of who we are?

 

  • Let’s not criminalize thoughtlessness, nor make it into a weight to be carried for the rest of someone’s life.

 

We have all heard the various cautions about watching what we put online for fear of repercussions. 

When we think of those repercussions, however, we most often think of administrative decisions – the impact on a job seeker or university applicant of a racy photo, troubling tweet or similar artifact.   There are other potential repercussions — more immediate, more serious and more lasting. Some troubling examples:

An Ontario man ranted online that the Children’s Aid Society that had apprehended his son deserved a suicide attack and was charged criminally.
 
A 15-year-old who had tweeted that if George Zimmerman was found not guilty he’d “shoot everyone in Zion…and ill [sic] get away wit [sic] it just like Zimmerman” was arrested and charged with a felony.  Despite law enforcement statements that there was no truth to the statement, the youth has still been criminally charged.
 
An 18-year-old who regularly posts his own rap lyrics and videos was charged with “communicating terrorist threats” after posting rap lyrics that referenced the Boston marathon bombings.  Despite petitions and arguments that locate the statement under the First Amendment protection of freedom of speech, the youth remains incarcerated and has been denied bail.
 
An 18-year-old girl was ordered to remove a Facebook status where she "LOL-ed" her report of her DUI accident.  Despite her statements that she had no intention of minimizing or making fun of the incident, she was sentenced to two days in jail for contempt of court when she failed to do so.

Two Britons on their way to the US to “destroy America” were met at the airport, searched and detained by armed guards.  Despite attempting to explain that “destroy” in this context referred to partying, they were kept overnight and put on a return flight the next day.

In each of these situations, we see statements made on social media being taken out of context by law enforcement and resulting in various degrees of criminal investigation, detention and prosecution. 

 

Context is key

I’ve written before about the problematic presumption that information online is inherently public.  Here I want instead to examine the context within which such information is shared; and then explore the importance of understanding that context in appropriately interpreting the information. 


Ibrahim suggests that online networks be thought of as “complicit risk communities where personal information becomes social capital which is traded and exchanged.” Thus, if we are to correctly understand the interactions within those spaces, it is imperative that we recognize that these utterances, performances, and risks are undertaken within a particular community and are enacted with a view to acquiring social capital within that particular community.

While observers may believe that any or all information posted online is inherently public, research suggests rather that the absence of (or failure to adhere to) current mainstream privacy standards does not indicate an absence of privacy or the desire for privacy altogether. Indeed, from historical antecedents through to contemporary youth online engagement, we see recognized community norms that facilitate the recognition and protection of privacy even where no physical or spatial privacy is possible.

One of the fundamental underpinnings of the “if it’s on the Internet it’s public” attitude is the recognition that it’s never that hard for motivated searchers to find information no matter what precautions or obfuscations are employed by the user.  Questions about the accuracy, reliability or even truthfulness of the information that can be found in this way are left unaddressed by this presumption.

Accordingly, as online engagement increases, so too does the collection of information from those spaces by external bodies, be they employers (current or prospective); educational institutions; lawyers; law enforcement bodies or even the State itself.   Where this information is being used by third parties, there is a risk that the information will be misinterpreted or accorded more weight than is deserved. 

Social Media and Law Enforcement

A LexisNexis Risk Solutions 2012 survey of 1200 law enforcement professionals reveals the extent to which social media use has permeated law enforcement activities.   At least 50% of the respondents use social media at least weekly for law enforcement purposes, and 67% believe that social media use is of assistance not only in solving crimes but in solving them quickly.  The study shows that social media information and platforms are used for a variety of purposes, including identifying persons, discovering criminal activity in the first place, and gathering evidence.

Research on social media conducted for Public Safety Canada recently included 11 interviews with persons related to law enforcement about their use of social media in February and March 2011.  In their results detailing the way(s) in which social media may be used in information gathering and investigations, respondents discussed Open Source Intelligence gathering (OSINT) – finding the profile(s) of an already identified suspect individual, mapping the interpersonal networks, and collecting other information which can be linked to the individual at issue.  While this may have a positive impact in some cases, such as that of Rodney Bradford, who was being investigated for armed robbery and was exonerated by a Facebook status, the process does result in a largely unregulated collection of personal information and the inferences drawn from information as well as performance and social connection(s) to others.

There are also instances where a particular suspect isn’t identified, but a particular incident is at issue and law enforcement agencies use social networks in order to identify a suspect.  In both the Vancouver, BC, Stanley Cup riot and the London, Ontario, riots, law enforcement interacted with SNSs in novel ways.  While participants were posting pictures and stories on Facebook, Twitter and other networks, police were able to follow the action, identify perpetrators, and levy charges more serious than simple participation (in the cases of those who detailed their actions). Of course, this process isn’t restricted to law enforcement agencies -- in the wake of the Vancouver riots numerous Facebook groups were set up by users for the purposes of assisting with identifying perpetrators  while others eschewed Facebook and used the web directly to set up similar sites.

Law enforcement does not simply use SNSs reactively -- it is increasingly the case that social network sites are monitored proactively, as in the case of the NYPD, who actually set up a Facebook team to monitor SNSs on an ongoing basis,  or the recent revelation of the Department of Homeland Security’s program  that included a list of key words and search terms that are monitored prophylactically for security reasons. 

It is unquestioned then that law enforcement can and does use information from social media sites.    My purpose here isn’t to argue that these uses are good or bad – rather, I am arguing that the importance of context in understanding and interpreting this information cannot be overstated.  Identity presentations, connections and interactions are informed by the context in which they exist, as well as existing for the purpose of facilitating interactions and social capital within those spaces. 

In the first example given above, Jesse Hirsch was accepted as a “Facebook Expert” in the Ontario criminal trial of a young man who posted comments on his Facebook threatening a suicide attack against the Children’s Aid Society, which had recently apprehended his infant son.  Hirsch testified that Facebook users “routinely embellish what they say as part of an online persona” and the accused was ultimately acquitted.  It is imperative that the role of context in shaping the presentation of information and tone online be understood.  If law enforcement agencies are unable to do so, recourse should be had to experts who do understand the role of context and performance in online spaces.  Where charges make it to court, counsel must insist on the right to lead evidence contextualizing the posts admitted into evidence.

The presumptive accuracy and reliability of statements made in online spaces can and should be called into question by appropriately contextualizing the information and its production.    If this is not done, we run the risk of sarcasm, artistic expression, mere frustration or hyperbole resulting in the criminalization of individuals who are thoughtless rather than dangerous.