×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Employee-Owned Devices Muddy Data Privacy Rights

timothy posted more than 2 years ago | from the ownership-is-theft dept.

The Courts 165

snydeq writes "As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

165 comments

One more reason to consider that (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38631302)

You can not own the information.
Anyone thinking otherwise is deluded fool.
Coincidentally, those type of people are self centered sociopaths too.

Re:One more reason to consider that (4, Insightful)

rtfa-troll (1340807) | more than 2 years ago | (#38631634)

You can not own the information..

I don't know if you can own information, but there is definitely a concept of secrets and privacy. Your own thoughts should be protected so that you can think freely without fear. By extension, it's reasonable to imagine that companies should be allowed to have trade secrets. Just as it would be upsetting if people set up a scaffolding half a mile away and directed a super long zoom lens into your bedroom; even if they did it from their own property; it's reasonable to allow companies some ability to protect trade secrets.

It seems to me that this, where you are restricting the right of someone to spy on information which is held primarily by the company, is on much stronger ground than copyright, where you try to restrict someone else from saying something which is already in their mind.

Re:One more reason to consider that (1)

jhoegl (638955) | more than 2 years ago | (#38632774)

This is a terrible argument. So, if someone uses their personal phone for work related things, work is relinquishing IP?
No... I dont think so.
And unless you have a creepy workplace, they wont exactly be able to install monitoring software on your personal phone unless you sign something allowing them to, in which signing this also allows them other rights such as monitoring your texts, thereby making your texts work related regardless if personal or not.
I would make employees sign a "this business can wipe your personal phone if you leave to protect its IP, which may be in emails sent to your phone.", otherwise they wont have email setup on that phone.

Re:One more reason to consider that (1)

postbigbang (761081) | more than 2 years ago | (#38631682)

Saying this doesn't make it so, and it has nothing to do with self-centered sociopaths. There are many legal theories of information ownership, and they're time tested, and in some cases, needed. Your "coincidences" suggestion summarily dismisses any argument. You should go into politics.

Who profits by muddied waters? (4, Interesting)

vlm (69642) | more than 2 years ago | (#38631306)

Who profits by muddied waters? Wasn't this all figured out decades ago when employees got home telephones and occasionally talked business on them?

Re:Who profits by muddied waters? (2)

AvitarX (172628) | more than 2 years ago | (#38631338)

Or at least composed an email using outlook webmail?

People have been doing business communications from home computers for a long time. AJAX was developed initially to make that work better.

Re:Who profits by muddied waters? (1)

DCTech (2545590) | more than 2 years ago | (#38631486)

AJAX was developed initially to make that work better.

What? What does AJAX have to do with working from home?

Re:Who profits by muddied waters? (1)

lennier1 (264730) | more than 2 years ago | (#38631546)

You might want to read up on how AJAX came to be.

Re:Who profits by muddied waters? (0)

Anonymous Coward | more than 2 years ago | (#38631960)

Maybe you could clear it up for us. As far as I know Microsoft made it for news updates.

Re:Who profits by muddied waters? (2)

AvitarX (172628) | more than 2 years ago | (#38632130)

You're right, it was for new updates on MS's homepage initially, it wasn't until the next year it was used for Outlook Web Access.

A couple years later it was included in Gecko, and the first time it blew my mind was using google maps years later.

Re:Who profits by muddied waters? (2)

alphatel (1450715) | more than 2 years ago | (#38631636)

What does AJAX have to do with working from home?

If they made Ajax to clean that messy work crap from your computer, that would be something.

Re:Who profits by muddied waters? (0)

Anonymous Coward | more than 2 years ago | (#38631814)

Outlook web mail doesn't store anything on the local PC. The argument in the story is that all these personal mobile devices have full-blown mail clients on them that store or cache inboxes on the device.

Re:Who profits by muddied waters? (1)

AvitarX (172628) | more than 2 years ago | (#38632108)

It's still a communication created and consumed on employees hardware, and transmitted from it.

Probably cached too, but perhaps not.

Re:Who profits by muddied waters? (2)

lavagolemking (1352431) | more than 2 years ago | (#38631358)

You can't lose a phone and lose a few thousand customer social security numbers or credit card numbers stored on it.

Re:Who profits by muddied waters? (2)

Moryath (553296) | more than 2 years ago | (#38631638)

Sure you can.

Phone has an outlook client, automatic email login, and no password.

Phone can connect to Outlook, where someone emailed an Excel document with a few thousand customer SSN's, credit card numbers or other contact info. Employee checked the "remember password" button, so it automagically logs in.

Phone gets lost, someone picks it up, downloads document to phone memory. One SD reader later, Excel document is in the hands of someone who has "fun things" to do with the excel document's information.

Hey look. A lost phone = a few thousand customer SSN's.

Re:Who profits by muddied waters? (3)

lavagolemking (1352431) | more than 2 years ago | (#38632100)

I said phone, not cell phone or smart phone. You know, those ancient analog devices mounted on the wall from the day and age mentioned in GP, before cell phones were widespread. You speak into them, and they don't connect to the internet or remember your recent contacts. We are still talking about

decades ago when employees got home telephones and occasionally talked business on them

right? Maybe I'm naive, but I don't seem to remember Outlook from a phone being possible back then.

Point being, in the time when this figured out, you didn't have to worry about what kind of sensitive data was stored on a device with no storage capability.

Re:Who profits by muddied waters? (0)

Anonymous Coward | more than 2 years ago | (#38631402)

Back then you couldn't just connect a phone to another device and retrieve and make public everything that was transmitted on it.

Now, people want their phone to play music, watch videos, share photos, and everything under the sun, and I think that's great and all. The problem is that all that can just be taken right off the phone with copying software and device, and when you also have trade secret information, it's liable to be copied too.

A competitor who gets hold of that trade secret stands to profit from the muddied glob of information.

Re:Who profits by muddied waters? (5, Interesting)

vlm (69642) | more than 2 years ago | (#38631598)

Back then you couldn't just connect a phone to another device and retrieve and make public everything that was transmitted on it.

Sure you could. Darn near 30 years ago my father had a terminal at home hooked up to a printer. And 40 years ago my grandfather had a reel to reel tape recorder hooked up to the phone (business purposes, something about dictation services and the then new concept of documenting conference calls with engineering consultants). This is old old old old case law. So I ask again, who profits by dredging this up and muddying the waters with a fake sheen of newness?

See the thing about IT/CS, is there's never really anything new, its just all recycled over and over, everything, and the noobs always think they as the youth of American are the ones who invented it. There is some old saying about every generation of teenagers think they're the first generation to invent 1) rebellion and 2) music and 3) sex and everyone old enough to see the pattern just laughs.

Re:Who profits by muddied waters? (1)

ColdWetDog (752185) | more than 2 years ago | (#38631710)

Now it's on the Internet. That makes it different.

I originally wrote that as a snarky statement, but on reflection there is some truth to that. The case law for 'ownership' of data traversing the Internet is different from that on a POTS line or a tape recorder at home. It may well be, an a lawyers' universe, that a totally different outcome is to be expected.

Or at least argued.

Re:Who profits by muddied waters? (2)

theshowmecanuck (703852) | more than 2 years ago | (#38632002)

The internet is irrelevant to the conversation. It is just a conduit to making something public. It is the "making public" and "who owns what data" parts that are important. All the internet does is make the dissemination easier and possibly wider spread. What is germane is "who owns what data when you connect to a company's systems," and "what rights do people have with respect to their own devices connected to a company's systems?"

The decisions with respect to rules and/or law that will eventually come out of this will be around for many, many years. What we know as the 'internet' now could evolve into something completely different, but where the same rules and laws apply. At best, the internet brought the issue to the forefront because of the number of cases where this now applies. To say this is a problem with the internet is akin to politicians saying that the only solution to energy wasting light bulbs is to use fluorescent light; when in reality they should have just capped the wattage that light bulbs can use and allow manufacturers to use whatever technology that achieves it in an "environmentally friendly" way (unlike mercury laden fluorescent bulbs).

Re:Who profits by muddied waters? (1)

ohnocitizen (1951674) | more than 2 years ago | (#38632516)

Can I just say how much I like your use of the word "Darn" there? Masterful. "Get off my lawn" is an art form. That said, your observation about what was possible in the murky past of 30 years ago is an excellent point. However your generalization that there is "never really anything new" misses out on a few minor counter examples such as the internet, or space travel. Unless we want to think of connections between computers or sailing as "pretty much the same thing".

Re:Who profits by muddied waters? (1)

russotto (537200) | more than 2 years ago | (#38632218)

Who profits by muddied waters? Wasn't this all figured out decades ago when employees got home telephones and occasionally talked business on them?

Home telephones don't store data (except the occasional phone number), so smartphones add a new aspect. The Uniform Trade Secret Act (UTSA) is pretty much silent on what constitutes "efforts that are reasonable under the circumstances to maintain its secrecy", so there's plenty of room for muddied waters there.

Email a trade secret? (0)

Anonymous Coward | more than 2 years ago | (#38631310)

That should invalidate a trade secret, seeing how insecure that is. Unless they use encryption (just kidding, I know they don't).

Re:Email a trade secret? (4, Insightful)

bussdriver (620565) | more than 2 years ago | (#38631340)

Forget that; I want clarification on the right of the corporation to invade our privacy. They shouldn't be able to "steal" your computer and clone the whole thing just to find out if you emailed the competition some secret!

Information is not property. Once you let them redefine reality you've conceded to their terms of battle.

Re:Email a trade secret? (0)

Anonymous Coward | more than 2 years ago | (#38633038)

Simple solution, never use your personal shit for work. EVER.

Why link to another Galen Gruman article? (5, Informative)

khasim (1285) | more than 2 years ago | (#38631334)

If InfoWorld cannot get enough hits on his articles by themselves (see other discussions here) then why does Slashdot have to link to them?

How to thwart the high priests of IT
http://it.slashdot.org/story/11/12/18/2154224/how-to-thwart-the-high-priests-in-it [slashdot.org]

Seriously?

Re:Why link to another Galen Gruman article? (4, Interesting)

Moryath (553296) | more than 2 years ago | (#38631694)

What's really funny is that Galen "I'm a fucking moron" Gruman just wrote this second article, which was the answer to why those supposed "high priests" - really, IT people trying to implement the policies put forth by PHB's high up the chain and legal teams trying to stop the risk of trade secrets going out the door - did the things he didn't like in the first article.

I've kind of felt that... (5, Insightful)

Omnifarious (11933) | more than 2 years ago | (#38631346)

I've kind of felt that personal devices like phones and such should be treated as extensions of your own mind. For example, they should be covered by the fifth amendment.

This means, from a trade secret standpoint, that transmission of the secret from your device to an unrelated third party should be treated as if you personally wrote out the trade secret and sent it. And if your device was hacked, it should be legally treated the same as if you were conned into revealing the trade secret. But you employer should have absolutely no rights with regards to examining what's on your device. It should be treated as a black box.

Re:I've kind of felt that... (4, Insightful)

lindi (634828) | more than 2 years ago | (#38631518)

Perhaps in theory but that's not very realistic today. Malware on a phone can easily leak a lot of data without anybody noticing, that won't happen with your mind.

Re:I've kind of felt that... (1)

Omnifarious (11933) | more than 2 years ago | (#38631556)

It can happen with your own mind, but it's very hard and require a superbly deft con-artist to accomplish. But yes, I agree, that's a fly in the ointment. We need some major improvements in security technology for software. It's a 'non-trivial' problem.

Re:I've kind of felt that... (1)

Antarius (542615) | more than 2 years ago | (#38631570)

Of course it can! That's why the smart ones of us wear the tinfoil hats!

Re:I've kind of felt that... (1)

viperidaenz (2515578) | more than 2 years ago | (#38631750)

Not if they use wavelengths shorter than the thickness of your tinfoil! The only way to really be safe is to electrify the hat while you wear it to interfere with any ultra high frequency radio waves.

Re:I've kind of felt that... (2)

sjames (1099) | more than 2 years ago | (#38631944)

Sure it will, at least in some cases. Haven't you ever seen anyone infected with either the Cuervo or Stoli virus? Some are even susceptible to the Coors attack.

Re:I've kind of felt that... (0)

Anonymous Coward | more than 2 years ago | (#38631616)

I've kind of felt that personal devices like phones and such should be treated as extensions of your own mind. For example, they should be covered by the fifth amendment.

Can they also be covered by the 2nd amendment? Droids with frickin lasers!

Re:I've kind of felt that... (1)

houghi (78078) | more than 2 years ago | (#38632730)

I just don't use any private stuff for work or work stuff for private tasks.
Want to work from somewhere else then at the office? You give me the tools to do so. Be that a PC and internet connection or a phone.

So my employer has not even no right, he also has no reason to investigate anything owned by me. Makes it easy for them AND for me.

Companies have their head in the sand (1)

wgianopoulos (2406046) | more than 2 years ago | (#38631348)

This is an issue employers have ignored for years. I brought this up to my employer several years ago as an upcoming issue in the future and no one wanted to hear it. They insisted their what you can do with our devices on our network was sufficient.

Ah, the counterpoint to "Death of the IT Guru" (3, Insightful)

sandytaru (1158959) | more than 2 years ago | (#38631354)

A few recent submissions to Slashdot have been from end users complaining about miserly IT overlords refusing to allow personal devices onto the network, and telling the end users "No you can't." These articles were all written from the manager's standpoint, whereby they figured if their use of their personal devices was going to allow them to be more productive, then there was no reason to say they couldn't use them. Right? Well, the legal issues surrounding them are a very good way to say "wrong." Between all the compliance issues and security risks that personal devices entail, the legal headaches and challenges that could ensue if something goes awry should be enough of a deterrent for most businesses.

They were written by the same guy. (4, Insightful)

khasim (1285) | more than 2 years ago | (#38631436)

A few recent submissions to Slashdot have been from end users complaining about miserly IT overlords refusing to allow personal devices onto the network, and telling the end users "No you can't."

...and...

Well, the legal issues surrounding them are a very good way to say "wrong."

That series of articles was written by the same guy writing this article.

Between all the compliance issues and security risks that personal devices entail, the legal headaches and challenges that could ensue if something goes awry should be enough of a deterrent for most businesses.

Which are exactly the points that everyone here brought up in response to those previous articles.

And those reasons are the reasons why companies do NOT do what he claims that they ARE DOING now (and the point of his previous articles).

Who "owns" the work you do for the company on your personal computer? What rights does the company have to your personal computer when you leave?

Why even get into a discussion of that? The company issues you a laptop to use at home and you are supposed to use that laptop for company work. When you leave, the company gets the laptop back.

No questions. No problems.

But simple solutions like that do not generate articles about how companies are allowing employees to bring whatever they want into the company and connect it to the company's private data.

Even though he had not interviewed a SINGLE CIO from any company in the health-care industry stating that they did what he claimed they did.

Re:They were written by the same guy. (2)

Billly Gates (198444) | more than 2 years ago | (#38631748)

Then why is Slashdot still accepting stories written by him?

He is a troll and just an average Joe trying to flamebait his way to hits to CIONetworkWorld mag or whatever it is. He is an idiot and not an actual I.T. visionary, editor, or CIO who is qualified to write a well documented article relevant to I.T. in the enterprise.

To keep it simple I.T. exists for a reason. It exists to manage computers and networks so the business can make money. If employees manage it then it defeats the purpose of I.T. in the first place. It is a liability issue too and not just a legal one.

What if a sexual harrasement lawsuit happened and every email needed to be subpoened? Ooops ... thats what I thought. $10 million dollar judgement won Cha-ching! The guy who wrote that ariticle is an idiot who obviously not ever worked in I.T. before

I am agreeing with you. (2)

khasim (1285) | more than 2 years ago | (#38631894)

As I've posted before ...

The purpose of corporate IT is to ...
allow company approved people to
access company data
using company approved apps
on company approved hardware
at company approved locations
with company mandated security methods
on the company approved IT budget and staffing level
to keep the company in business and out of court.

He is an idiot and not an actual I.T. visionary, editor, or CIO who is qualified to write a well documented article relevant to I.T. in the enterprise.

And I think that is the core problem there. He is a writer.
It does not matter what device a writer uses to write his articles.
It does not matter what software a writer uses to write his articles (as long as it can do ASCII or whatever).
It does not matter what email app a writer uses to send in his articles.
It does not matter where a writer writes or where he sends in his articles from.

But going from that experience and generalizing to something like the health-care industry ... he's an idiot.

So why does Timothy keep linking to his articles?

Things folks don't think about. (4, Informative)

JakiChan (141719) | more than 2 years ago | (#38631426)

There are a few things that the users who want company (email/data/whatever) on their personal (iCrap/PC/whatever) don't think about.

1) Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data? Are you willing to lose ALL the data on your phone? I've heard about folks suing their employers over this.

2) If I suspect you're up to no good and you're using a company device I can take that device and conduct forensic analysis on it. If it's your personal device I can't force you to surrender it.

3) Are you willing to pay for whatever security software IT mandates?

I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon. However coming up with these best practices (and buying the software/etc to support them) is not free. So to the employee they think "Hey, this doesn't cost you anything! I bought the phone!" But they don't see the TCO at all.

Re:Things folks don't think about. (1)

Kjella (173770) | more than 2 years ago | (#38631648)

1) It's total destruction.
2) This is their problem, not mine.
3) No

The first one I only accepted because well it could get lost or stolen, I should have backups anyway and hopefully it'll be as rare as actually losing the phone. It's remote wipe, not remote control. But I might also not run to IT security until I'm sure it's gone for good. As for the last point, that I have everything on one phone means I'll carry it almost always. If I had to have a separate work phone, well then if I'm not on call with pay then tough shit. Maybe the IT department see this as a problem but for the company it should mostly be a win-win so I don't think it's unreasonable that they take the cost of their security system. But then I've never been a huge fan of bring your own gear, except for the phone. It's enough to carry one phone, I'm perfectly happy to let the company supply me with a laptop and whatever else I need to do my job.

Re:Things folks don't think about. (1)

PNutts (199112) | more than 2 years ago | (#38632124)

1) It's total destruction.
2) This is their problem, not mine.
3) No

1) It doesn't have to be
2) If you're employeer has reason to believe you are a risk then I would say it is your problem. Most data transfer activities can be prevented and logged.
3) Many people do. Secure e-mail clients for Android are $19. The only reason to use one on an iPhone is if you want to limit the wipe to corporate e-mail and/or don't want a passcode for the phone (just e-mail). This assumes the company has appropriate security policies in place (ActiveSync, etc.).

Re:Things folks don't think about. (4, Insightful)

vlm (69642) | more than 2 years ago | (#38631680)

I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon.

Don't need them. All you need is rdesktop/VNC/SSH. Some companies have been working "in the future" for a couple decades now, some still aren't in the present.

Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data?

Yeah.... go ahead, wipe the vmware image my wife connects to via rdesktop. Its not going to affect her phone, desktop, tablet, work laptop, home laptop, etc.

Its conceptually not much different than allowing remote webmail access.

Re:Things folks don't think about. (1)

Shavano (2541114) | more than 2 years ago | (#38631934)

Except it allows more extensive access to the company network and therefore exposes the company to more opportunities for the information to pass out of their control.

Key logging. (2)

khasim (1285) | more than 2 years ago | (#38632030)

Yeah.... go ahead, wipe the vmware image my wife connects to via rdesktop. Its not going to affect her phone, desktop, tablet, work laptop, home laptop, etc.

Probably not. But that is only half the question.

The other half is ... can it leak company information via your wife's "phone, desktop, tablet, work laptop, home laptop, etc".

And for that answer, you have to postulate massive infection on your wife's device. And a Russian cracker on the receiving end. Can that Russian cracker use the information gathered to impersonate your wife and gain access to the company's private data with her credentials?

With a company-owned device, the company can ensure a minimum level of anti-virus / patches / whatever to "prove" in a legal sense that the company took reasonable measure to prevent the breach.

Re:Things folks don't think about. (1)

Billly Gates (198444) | more than 2 years ago | (#38631790)

Liability too. What if the employer gets sued for wrongful termination or sexual harrasement? Every email would need to be subpeoned. ... oops what this person did it from a personal IPhone with her gmail account and there is no record! Cha-ching $10 million rewarded to X, as it is evident the employer was negligent to allow IPhones on network to hide all their horrible deeds etc! You would be surprised what the lawyers can conjure for something like this is not silly at all.

Employers have a right to be assholes. You are there to work and not play with the latest toys. They have a right to know what is going on and manage their data and employees. That is just life and liability, legal, as well as them supporting your systems in a prompt manner so you can get work done is their responsibility and not yours.

Is your employer responsible for car repairs to get you to work too? Where does it end?

Re:Things folks don't think about. (1)

PNutts (199112) | more than 2 years ago | (#38632072)

Liability too. What if the employer gets sued for wrongful termination or sexual harrasement? Every email would need to be subpeoned. ... oops what this person did it from a personal IPhone with her gmail account and there is no record! Cha-ching $10 million rewarded to X, as it is evident the employer was negligent to allow IPhones on network to hide all their horrible deeds etc! You would be surprised what the lawyers can conjure for something like this is not silly at all.

Employers have a right to be assholes. You are there to work and not play with the latest toys. They have a right to know what is going on and manage their data and employees. That is just life and liability, legal, as well as them supporting your systems in a prompt manner so you can get work done is their responsibility and not yours.

Is your employer responsible for car repairs to get you to work too? Where does it end?

Corporate email to/from Gmail can be captured by corporate systems. iPhones can be kept off corporate networks via certs. Gmail to Gmail can be subpoenaed, and the company's liability would be dependent on their action if reported. The person on the receiving end will most likely keep a record if they intend to pursue punishment/resolution. If there's no record anywhere, it's he said/she said and the lawyers make more money than anyone else.

Re:Things folks don't think about. (1)

pete6677 (681676) | more than 2 years ago | (#38632098)

Your argument about subpoenaing emails completely flops. If it involves emails sent to/from a company email account, they will be retrieved from the company mail server. It does not matter what kind of device is used to connect to that server or who owns it.

If the subpoena involves a personal device and a personal account, the process would be the same as it is if a company does not allow personal devices on their network. You are aware that iPhones work completely independent of a company network, right?

In short, I don't see how anything in your post pertains to the subject at hand.

Re:Things folks don't think about. (2)

Shavano (2541114) | more than 2 years ago | (#38631912)

But if you kept a backup, their remote wipe is ineffective, and companies have no technical means to keep you from backing up their data on your machine (home PC, smart phone, iPad) and no technical means of erasing it or even discovering that it exists.

For example, the employee may be using one of those web services that backs up all his information to "the cloud." Now the company's info is now on the employee's personal device and there are also and unknown number of copies on servers that neither party can control. And the "cloud" backup servers could be in several other legal jurisdictions than the employer and employee. Imagine an employer and employee in the UK but the backup server is in the USA, or India or China or all three. Good luck to the English company trying to chase down and destroy copies of their they-thought-it-was-secret information then.

So what are employers to do, and where should they draw the line and prevent employees from having access to their information?

Re:Things folks don't think about. (3, Interesting)

germansausage (682057) | more than 2 years ago | (#38631952)

We have a mail app for our (employee owned) iphones which encrypts the message store on the phone, and can be remotely wiped. It's not quite as functional as the built in apple mail app but it's good enough. If you want company mail on your personal phone you have to use the app. You can still have your own personal mail accounts, if we nuke the company mail, (by revoking the encryption key) your personal mail is untouched. Company pays for the app. Employee purchases and owns phone, company splits cost of voice and data plan 50/50 with employee and pays for work related long distance calls. It is sensible, and works ok.

Re:Things folks don't think about. (1)

pete6677 (681676) | more than 2 years ago | (#38632126)

It seems like a common-sense workable policy like yours is threatening to some of the IT dinosaurs on this board, who fear the loss of control. What they really fear is change - they were the same people in the early 80s fighting to keep PCs out of the office. In fact, I remember many of the exact same arguments being used (loss of central control, who will be responsible, etc).

Re:Things folks don't think about. (2)

germansausage (682057) | more than 2 years ago | (#38632422)

I think some people choose IT or Engineering because they like black and white answers to everything. You can't BS past the laws of physics. This I-beam meets the load requirements or it doesn't; this cable can carry sufficient current for the motor or it can't, this hard drive can hold all the data or it can't. No nasty grey areas.

Of course, once you add human beings and their conflicting needs and desires into the mix the grey areas abound. The problem for this kind of person comes comes when they start treating their own rules and policies as if they were laws of physics (and expect everyone else to do so also). They see themselves and their policies as holy guardians of their systems integrity and despise the "lusers" who try to work around them and violate their rules. Their users see them as rigid, obstructionist and in the way of productivity.

IT security and operational flexibility are opposing goals. If your systems are completely open you'll be down with viruses and trojans, lock them down 100% and nobody will get any work done. You can't go all one way or the other, you need to find workable compromises.

Jurisdiction (2)

theshowmecanuck (703852) | more than 2 years ago | (#38632044)

You are forgetting that there are different rules in different jurisdictions. What might work in your state/country might not work in others. That also has to be considered.

Re:Things folks don't think about. (-1, Flamebait)

Dupple (1016592) | more than 2 years ago | (#38632086)

You nearly had a valid point until iCrap. Then you became a bigot and a 'tech superior' douche bag. Then it became apparent that you didn't have a point at all. You get a 3? MODERATOR ABUSE

Simple, really (4, Informative)

cdrguru (88047) | more than 2 years ago | (#38631454)

Many large companies have very simple policies about this for this very reason: ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists of course this is going to be in jeopardy once the customer list is loaded onto a non-corporate-owned device. It is at least going to open the door sufficiently that it is going to be very expensive to litigate in the future.

You can easily envision the employee with the customer list on their personally-owned phone walking into their new employer with what they feel is a leg up on all the other sales people. It's on their phone, it is their list of contacts that they have been dealing with for years and now they can offer them new stuff from their new employer. Why not, right? Well, if you do it with paper you are going to get sued. My guess is that if you do it with your phone it is going to be a lot more complicated than it would have been before.

A large part of the problem is that some companies simply do not understand the ramifications of having their supposedly private, secret information scattered about. They plug in a wireless router on the internal network without thinking it through, perhaps comforted by the knowedge that they used the best 26-character WEP password they could think up.The president brings in a iPad into a completely Windows-centric environment and wants to be able to use it with company data - not knowing that the application makes a static copy of the entire database on the device.

Yes, there are some nice nifty devices out there that the company hasn't seen fit to buy yet. That doesn't mean they should be on the network. And the whole question of user-owned devices being securely within the trade-secret umbrella or not is one that will only be resolved through a lot of court cases. And some people would do very well to remember that it isn't the successful business that gets to be one of the "first" in litigation.

Re:Simple, really (4, Interesting)

vlm (69642) | more than 2 years ago | (#38631738)

...ABSOLUTELY NO DEVICES NOT COMPANY SUPPLIED ON THE NETWORK. If the company is counting on trade-secret status for things like customer lists...

Funny you should mention this, to work around that agony, at a previous financial services employer, the field techs had the customer site data in plain text email as attachments, which the field circus techs had access to via internet webmail. Boss/supvr was gatekeeper and responsible for email forwarding the most recent customer data snapshot to any of his techs that requested it from him.

The problem with hollywood movie plot based security is that it usually completely misses the mark of real security issues. If it takes 30 minutes of biometric and two factor security to get some data, what happens in the real world is one tech will simply txt message another tech asking him to email the info he needs to his gmail.

Re:Simple, really (1)

smoothnorman (1670542) | more than 2 years ago | (#38631798)

That's probably close to as good as can't be hoped for, policy-wise. However the previous company i worked for wouldn't allow us access to public databases (of protein structures) so in order to do research we discovered a public wireless network, associated with the local library system, that we could access from within the company offices. Knowing we'd never be permitted to have a specific machine on both networks (wireless and wired) as that would be a grave security problem (...i guess...) we had one machine 'outside' and one 'inside' and wrote a restricted gateway of sorts between ("stupid"? sure. but somehow having two machines made the microsoft certified IT team happy). My sad point being that a company supplied network must often be twisted (if only via memory stick) so that a herd of lawyers could be driven through it.

Re:Simple, really (1)

houghi (78078) | more than 2 years ago | (#38632778)

Not only is is probably my companies policy, even more important, it is mine as well.

If it is not a tool that was given to me by the company, they do not want me to use it. That tool can be a PC at home, a phone to be reached for business purposes, a program that would help me or a website that I might not be able to reach because it is blocked.

If they do not give it to me, they do not want me to have it for whatever reason. I see no reason why I should go around their backs and try to do it anyway.

And no way they will be forcing me to use my own stuff. You want me to use it? You provide it. It is yours to do with as you see fit.

Email (0)

Anonymous Coward | more than 2 years ago | (#38631468)

Email, flash drives have already created the problem. Once an email is sent, it can be copied without goverence, at least it can be tracked. Flash drive access is another story (stuxnet). A device or media does not really protect a trade secrete, loyal staff and information policies as always is where protection is best started.

what about companies that make you buy / pay part (2)

Joe_Dragon (2206452) | more than 2 years ago | (#38631508)

what about companies that make you buy / pay part of the cost of there system??

Now if they are forceing you to buy there system then you should be able to install any game or app you want but what about mixed cases where the company and you both pay for the system who own's it and who has the right to data and out of work use?

Re:what about companies that make you buy / pay pa (1)

Shavano (2541114) | more than 2 years ago | (#38631962)

The answer to that is to say no to such arrangements. They're risky for both the employee and the employer. Also, the employer shouldn't be asking the employees to subsidize them with free or reduced-cost equipment.

Re:what about companies that make you buy / pay pa (1)

Slashdot Assistant (2336034) | more than 2 years ago | (#38632110)

How common is this arrangement? The closest thing to this that I've seen is with home-based employees who pay for their Internet access, which of course is factored in to their salary. Contractors may be another case in point, but then the questions you asked should have already been answered in their contract. It's definitely not something to be ignored until things go wrong.

If there's any question... (1)

DoofusOfDeath (636671) | more than 2 years ago | (#38631540)

The Congress shall rapidly remedy it, in employers' favor. What, are you against campaign financers job creators?

UK Information Commissioner Office issues guidance (4, Interesting)

Rob the Roadie (2950) | more than 2 years ago | (#38631544)

ICO issues guidance about private emails [guardian.co.uk], reminding the public sector that the Freedom of Information Act covers private emails if they are used for business matters.

"Christopher Graham, the information commissioner, said: "It should not come as a surprise to public authorities to have the clarification that information held in private email accounts can be subject to freedom of information law if it relates to official business."

Not really a device thing... but related none the less.

Personal experience (1)

Anonymous Coward | more than 2 years ago | (#38631560)

This sort of things seems to me common? Seems to be a cultural divide.

There are two groups of people at my company when it comes to IT Home/Work segregation when you get past those who don't want anything to do with computers and such.

Group 1: Get work appliances and take them home to use as home devices. So much so that we occasionally have to contact these employees and explain we need their cellphones, laptops, etc. devices back as they belonged to the company. No, we did not care that they would be able to use facebook or have a phone until they got new devices from their new jobs.

Group 2: Bring in their home phones, laptops, etc.

Group 1 tends to be upper management. Group 2 a random lower manager or two, supervisors and hourly.

__

One quick tangentially related question:

IT purchasing freeze. They want to keep their user@company.com emails for prestige appearance, but haven't decided yet to renew the company.com domain name that is up Wednesday. I'm seriously considering just buying it myself and filing for reimbursement since it falls under my job duties to renew it, if they would give me the money for it.

I'm afraid of following scenarios:
1) I don't do it we risk losing it and someone taking it and using it against us by setting up a webpage and/or using it to get emails sent to that domain.
2) I do get it, but the company owns it and refuses to reimburse.
3) I do get it, I have ownership now. I become Terry Childs 2.0.

document it send a e-mail to the purchasing person (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38631646)

Make it say if you do not sign off on the funds to renew our web site name (add more to make it sound like it's not the severs) can end up sending people to a other company or maybe even end becoming a porn site. Put in links to other dead web sites maybe even goatse.cx saying some other person can buy our site and trun it in to that.

Re:Personal experience (1)

fred911 (83970) | more than 2 years ago | (#38631734)

Aside from you being an employee, what is the difference between 1 and 2?

Additionally, if you don't renew it, it will be snapped up and held hostage by some registrar or addsense farmer.

Once that happens it becomes complicated and real costly.

Re:Personal experience (1)

sjames (1099) | more than 2 years ago | (#38632024)

Don't do it. Document the risks in 1 and pass it along with your request to the party that can sign off on it. Make it clear that you stand ready to process the request when they approve the funds. It is now their decision and their problem.

Next, polish your resume. If they're really so chintzy/policy locked that they would risk it over a <$20 domain registration fee, they probably are making other equally stupid decisions.

Trade secret argument is bogus (2, Insightful)

gnasher719 (869701) | more than 2 years ago | (#38631576)

A trade secret hasn't left the control of the company just because it is on my personally owned device - as long as I have a legal duty not to pass it on any further. As an employee, I would have that duty, just as any outside company or person under NDA would have.

Re:Trade secret argument is bogus (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38631718)

The employee may unwittingly do so. People don't accidentally blurt out trade secrets, but many people do opt to download and run the occasional Trojan, many run buggy software or software that un-buggily treats some types of caches as not particularly sensitive, or they send home PC's unencrypted drive platters back to manufacturers, or run proprietary software where you (nor they) simply don't have any way of knowing what all it does, or -- countless other things.

You can say it was still their responsibility to not do those things, but that doesn't really help you much, once your secret it out anyway, not to mention most of the time you won't know which one did it.

The point is that it's less secure, whether or not the end you feel satisfied that you have someone to blame.

It's all well and good to say "they have a responsibility" but when you tell them they're not allowed to any mainstream OS, or take advantage of equipment warranties on their personal equipment, suddenly you're the bad guy and "unreasonable."

Re:Trade secret argument is bogus (1)

Anonymous Coward | more than 2 years ago | (#38631730)

Exactly. This is no different than placing a hard copy file in a non-company issued briefcase, driving the said briefcase in a non-company issued car to your non-company issued home, and reading it at your non-company issued table/desk with light provided by a non-company issued lamp. Allowing an employee to remove the data from their network/facility does not mean that all legal protection is forfeited.

where's the muddiness? (4, Interesting)

Cederic (9623) | more than 2 years ago | (#38631630)

Life is pretty fucking simple:
- the company's data belongs to the company
- the individual's data belongs to the individual
- customers' data belongs to the customers and is protected by law

So don't allow customer data onto insecure personal devices, decide whether you'll allow company data onto those devices and accept that your employees will have data you don't control on them.

Shit, I work for a bank, I can think of a dozen ways of permitting end user computing in the office without breaking any FSA regulations, the law or unreasonably jeopardising the company.

Re:where's the muddiness? (2)

fred911 (83970) | more than 2 years ago | (#38631936)

Example:
  Say I am an outside sales rep. I do have an office at the company and I receive maybe 10% of my book from company leads. I am 100% commissioned. In my office I have copies of every clients data, invoices, receipts, everything with an emphasis documenting profit, among other things.

  One day I show up and get terminated and my boss says you cant take your records.

  Whos property is it?

Re:where's the muddiness? (1)

Cederic (9623) | more than 2 years ago | (#38632200)

Either it's your data or it's the company's. What the fuck does the underlying device have to do with that? Why the hell didn't you and the company agree on this long ago, back when you were first employed in that role?

Those issues are not end user computing related.

Re:where's the muddiness? (1)

Brett Buck (811747) | more than 2 years ago | (#38632078)

You will have plenty of people who would argue that there is no such thing as data ownership. Many of them here.

Re:where's the muddiness? (1)

Lumpy (12016) | more than 2 years ago | (#38632318)

but it does not let the Corporation push off the costs of a smartphone onto the worker without compensating them for it.
how are we going to afford the CEO's new diamond inlaid business cards? Actually BUY tools for the employees? are you mad?

Only companies run by idiots try and con the employees into supplying their own tools for work. If it's their tools they control what is on them not the company. If you want control, purchase and maintain ownership of all tools the employees use.

When I leave my job, my laptop goes with me, Any IT guy that tries to take it from me will get a warning and then I will defend myself. If they wanted control over what is on my laptop, they should have bought one for me instead of being cheap assholes and refusing to.

Re:where's the muddiness? (0)

Anonymous Coward | more than 2 years ago | (#38632696)

So what's an "insecure personal device" ? Is an iPhone with passcode lock that is encrypted (256bit AES) constitute a secure device?

This is ridiculous speculation. (2)

sribe (304414) | more than 2 years ago | (#38631684)

When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control.

Bullshit. You might as well claim that trade secrets are invalidated if the employee takes written notes home from a meeting because, after all, "they've left the employer's control". Except that employee still has a legal obligation to not spread those trade secrets to unauthorized parties...

Re:This is ridiculous speculation. (0)

Anonymous Coward | more than 2 years ago | (#38631982)

In a lawsuit or legal/accounting auditing their needs to be a paper or e-paper trail. If a lawsuit needs to be filed and data is known to leave you wont have a case or vice versa if someone sues you.

Lawyers suck but that is a big reason for control and not just to make sure you are not goofing on slashdot or facebook at work. Lawyers love auditing. Some employers even have polices saying no emailing work docs at home. Not all, but I imagine banks would be a big one for obvious reasons.

Sure it is fine to email the boss on an IPAD to let him know when that report will be done or if you are going to be late next Tuesday for a dentist appointment, but real HIIPA, financial control, or proprietary information, is a no no.

what 'muddy'? (0)

Anonymous Coward | more than 2 years ago | (#38631724)

don't bring any external electronic devices in whatsoever - keep 'em in your car, and if you get caught, you're instantly fired!

sheesh!

Re:what 'muddy'? (1)

maxwell demon (590494) | more than 2 years ago | (#38631988)

don't bring any external electronic devices in whatsoever

So I'm not allowed to wear my watch?

Re:what 'muddy'? (1)

Lumpy (12016) | more than 2 years ago | (#38632276)

WATCH!!?!

Security, can you escort this watch wearing heathen from the building! We will ship you the contents of your desk after we inspect it all first.

Trade secrets and lack of control (2, Interesting)

Todd Knarr (15451) | more than 2 years ago | (#38631896)

I think the argument that trade secrets are revealed because the employee's device is outside the company's control is somewhat invalid. The device may be outside the company's direct control, but technically so is the employee's brain and mouth. The employee, however, is within the company's control, thanks to the agreement the employee signed about how they'd handle the company's secrets. Since the employee's device is within the employee's control, and the employee's agreed to handle secrets in an appropriate way, the company's got sufficient indirect control to keep the secrets secret. If that weren't the case then telling the employee the secret in the first place would expose it, since the employee's mind isn't under the company's direct control and the only control exerted is the same agreement about how the employee will handle those secrets.

Cloud storage is another matter, but solving that will require a massive change in the law: making it so my e-mail is mine, period, and you can't serve a subpoena on the server operator to gain access to my e-mail, you have to serve the subpoena on me.

No it doesn't. (2)

Shavano (2541114) | more than 2 years ago | (#38631990)

It doesn't muddy the rights. All the potential problems involve unintentional (on the part of the company) release of the information to third parties. The employees are supposed to have access to company information, but aren't allowed to disclose it to third parties without permission.

Adjust expectations (1)

sjames (1099) | more than 2 years ago | (#38632118)

Simple fact, Ajaxco might very well make the best widgets out there at a fair price, but NOBODY gives a crap about it's email. NOBODY.

Some people might care about customer credit cards, and so those shouldn't be on ANY mobile device, no matter who owns it.

If somebody finds a lost cellphone, they will do one of 3 things.

  1. Return it to it's owner. Cool, no problem
  2. Wipe it and use it as their own. Not preferred, but the data's wiped.
  3. Wipe it and fence it off to someone else. Same as 2.

What they won't do is try to auction off the incredibly valuable minutes to the last weekly meeting everybody slept through or the contents to the many MANY emails from that guy that doesn't realize there is any option but "reply to all".

If you have data that falls under HIPAA, treat it like credit cards. That is, it doesn't go on mobile devices no matter who owns them. If absolutely necessary, let it use an RDP or VNC session to a company owned server somewhere.

Congrats, it now no longer matters who owns the device.

simple solution (0)

Anonymous Coward | more than 2 years ago | (#38632250)

Use the employee owned mobile device as an ACCESS device, not a storage or processing device. Google Citrix Goldengate.

Dear CEO (1)

Lumpy (12016) | more than 2 years ago | (#38632260)

My device, My data. if you want control over it, then stop being a cheap bastard and buy me a iPhone and you pay for the data plan and cellphone service.

If you want control, you have to pay all the costs. Otherwise, stuff it in your gold plated urinal.

BAN Infoworld (0)

andsens (1658865) | more than 2 years ago | (#38632380)

Can we please ban infoworld links for a while?!?! In the last two months, everything that linked to an article there was complete and utter rubbish!

Company/Personal Responsibility - Not Muddy at all (2)

rathaven (1253420) | more than 2 years ago | (#38632634)

I think this is quite straightforward. A company can be responsible for the interfaces that are provided to internal data to none-company devices and the data on company devices. Outside of that the responsibility stops with the end user (employee/customer/guest/consultant/whoever) and the company's usage policies should mirror this and breach of these constitutes breach of contract and therefore liability for damages.

No problem (1)

Anonymous Coward | more than 2 years ago | (#38632662)

Company decides what can be done with comany equipment, I decide what can be done with mine. No problem!

Company decides what equipment can be connected to their network.

Company owns the work I do on company time, I own the work I do on my own time. (No, I wouldn't dream of signing a contract where the employer get rights to stuff I program in my spare time at home. But of course they will fire me if I actually compete with them in any way or form.) No problem here either!

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...