BYOD: "bring your own device" & privacy
/margin notes:
- The phone you carry with you every day might not be "yours". It reports on where you go and the information on it—personal or not—may not be private.
- You wouldn't expect your employer to have the right to watch you when you use a toilet they own, so why is it okay to watch what you do on the phone?
- We are increasingly expected to be available/accessible via technology for work 24/7—as the lines between personal and professional time are blurring, individual privacy is being sacrificed.
The days of 9-5 jobs seem to be long gone for many of us.
Emails, phone calls, consultations with clients or with team members who are dealing with clients – these are increasingly a regular feature of life whether we are in the office or out of it, during “office hours” or not. As Dr. Melissa Gregg notes:
For those in large organisations, mobile and wireless devices deliver new forms of imposition and surveillance as much as they do efficiency or freedom, and with email increasingly considered an entrenched part of organisational culture, ordinary workers are finding it necessary to develop their own tactics to manage a constant expectation that they will be available through the screen, if not in person.
Given the constant expectation of availability, employees are increasingly using smartphones, tablets and the like. It is important to note, however, that just as the work day is now bleeding into personal time, so too are personal and work communications use becoming increasingly blended. Whether the smartphone or tablet is issued by an employer or belongs to the employee, the fact remains that often work and personal communications take place on the same device(s). This phenomenon is discussed under the term “BYOD” (Bring Your Own Device). In this piece, that term will be used whether the device is in fact supplied by the employer or is a device owned by the employee but being used for work purposes.
This collapse of the professional and the personal creates issues and concerns for both parties to the relationship.
For the employees, it is the risk of exposing personal information to the employer as well as the possibility that the employer might be able to use such information for disciplinary or other purposes. In a recent online survey of employees in the US, UK and Germany, MobileIron found that while 80% of respondents were using personal devices for work, on average only about 30% of employees “completely trust their employer to keep personal information private and not use it against them in any way.” As for what information was actually accessible to employers, 41% of those surveyed believed that employers had no access to the information on their device, 15% simply weren’t sure what information was accessible, and fully 44% were confident that employers could see data but were unsure what specific data might be accessed or reviewed. When asked about the level of concern for various types of information that was or might be on the device, respondents indicated that:
- Personal email and attachments: 66%
- Texts: 63%
- Personal contacts: 59%
- Photos: 58%
- Videos: 57%
- Voicemails: 55%
- All the information contained in all the mobile apps: 54%
- Details of phone calls and internet usage: 53%
- Location: 48%
- List of all the apps on the device: 46%
- List of just the apps used for work: 29%
- The information in the apps used for work: 29%
- Company email and attachments: 21%
- Company contacts: 20%
Employers are also at risk.
Employers are responsible for the security and safeguarding of information, and therefore must in the first place be aware of the issue. Workplaces may well have policies in place explicitly forbidding the use of work devices for personal communications, but this does not guarantee the policy will be adhered to. A survey conducted by Aruba Networks found that approximately 17% of 3,500 EMEA employees failed to declare their personal devices to their IT department – it is impossible for IT departments to ensure proper upgrades and security to devices of which they are not even aware. This of course presumes that IT departments do have in place procedures for dealing with such devices and guarding against data loss or leakage – a recent Acronis survey showed that only 31% of companies even mandated a password or key lock on such personal devices, while only 21% wiped company data from the device when an employee leaves the company.
That same Acronis survey revealed even more gaps in business understanding and treatment of BYOD – first of all, 30% of organizations were still forbidding personal devices from accessing the network. Of the others, only 40% had any kind of personal device policy in place. Finally, whether there were actual policies in place or not, over 80% of organizations revealed that they had not developed or provided any training to employees about BYOD privacy risks. The failure to do so, of course, assists in the perpetuation of the problem, since failure to educate only exacerbates employee ignorance of risks, failure to declare devices to IT, and uncertainty and concern about employer access to information on the device.
It should be noted that while the Supreme Court of Canada has not yet had occasion to consider BYOD explicitly, in 2012’s R v Cole decision, which dealt with a teacher’s work computer on which a file of pornography was discovered, the Court was willing to find that the teacher’s subjective expectation of privacy was reasonable in the circumstances (although ultimately the illegally obtained evidence was admitted). Again in this case we see a Court wrestling with various public policy issues; writing for the majority, Justice Fish noted that:
[2] Computers that are reasonably used for personal purposes — whether found in the workplace or the home — contain information that is meaningful, intimate, and touching on the user’s biographical core. Vis-à-vis the state, everyone in Canada is constitutionally entitled to expect privacy in personal information of this kind.
[3] While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely: The nature of the information at stake exposes the likes, interests, thoughts, activities, ideas, and searches for information of the individual user.
What then should an employee do to protect her privacy on a shared workplace/personal use device? Well, when meeting a friend after work the other day I was surprised when she set down both a Blackberry and a smartphone on the table, and seemed to alternate her use between them. Eventually she explained that the Blackberry was work-issued and she used it only for that purpose. The smartphone, on the other hand, was her personal device and she said the monthly plan was a small price to pay to be sure of the security of both her own personal communications and those of her organization.
It may be a hassle to tote more than one device around with us, but until there are better policies, procedures and understandings in place around BYOD, it may be the best approach.