Mobile Device Management - A threat to employee privacy?

Dan O'Keefe

The popularity of smartphones and tablets within businesses, along with the continuing trend towards Bring Your Own Device (BYOD) arrangements, has, quite rightly, led many companies to focus on the related information security implications.

A key point that many businesses have missed, however, is the impact on employee privacy.

A business with a well thought-out mobile device policy is likely to make use of some kind of mobile device management solution, as this is all but essential to protect company information.

Five years ago, a mobile device management system would do little beyond allowing the IT department to remotely wipe a lost or stolen device, and perhaps control some security or encryption settings.

Nowadays, however, solutions can provide IT technicians with full remote access to devices, allowing them to lock phones, set passwords or wipe devices, and even to use built-in location services to track wherever the gadgets are.

Do users know how much you know?

If you administer a mobile device management solution with GPS tracking functionality, you will be able to see where each device, and therefore its owner, is located.

Do your users know you can do this? It’s fair to say that many may see this kind of “big brother style” surveillance as extremely intrusive – especially if you are able to track their every move only because their own personal iPhone has been joined to the company network.

It doesn’t necessarily end there. With MDM software, you may be able to read text messages, see private photos and users’ Web browsing history. This would probably shock many users who think that what they do on their cellphone is completely private.

It’s clear that you must take steps to clarify what is expected of both the users and the business. Failure to do so could result in your clients falling foul of employee privacy legislation.

Recommended Strategy

  • Ensure that your clients have employee privacy and monitoring policies in place, paying particular attention to local law that will vary from country to country (and from state to state in the U.S.).
  • Fully inform all users with mobile devices as to exactly how they may be used.
  • If a client permits BYOD, ensure it makes staff aware of the implications of joining personal devices to the corporate network.
  • Make use of lock-down features to prevent users accessing forbidden features on their devices.
  • Ensure that company policies inform users exactly what MDM software allows the IT department to do, and also state how this functionality may be used. For example, the policy may state that location tracking will only be used if a device is lost or stolen.

IT departments have always had the ability to snoop at private information. A combination of trust and well-written policies ensures that these abilities are not abused.