Employee-Owned Devices Muddy Data Privacy Rights 165
snydeq writes "As companies increasingly enable employees to bring their own devices into business environments, significant legal questions remain regarding the data consumed and created on these employee-owned technologies. 'Strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone. ... This confusion extends to trade secrets and other confidential data, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.'"
Re:Email a trade secret? (Score:5, Insightful)
Forget that; I want clarification on the right of the corporation to invade our privacy. They shouldn't be able to "steal" your computer and clone the whole thing just to find out if you emailed the competition some secret!
Information is not property. Once you let them redefine reality you've conceded to their terms of battle.
I've kind of felt that... (Score:5, Insightful)
I've kind of felt that personal devices like phones and such should be treated as extensions of your own mind. For example, they should be covered by the fifth amendment.
This means, from a trade secret standpoint, that transmission of the secret from your device to an unrelated third party should be treated as if you personally wrote out the trade secret and sent it. And if your device was hacked, it should be legally treated the same as if you were conned into revealing the trade secret. But you employer should have absolutely no rights with regards to examining what's on your device. It should be treated as a black box.
Ah, the counterpoint to "Death of the IT Guru" (Score:4, Insightful)
They were written by the same guy. (Score:5, Insightful)
That series of articles was written by the same guy writing this article.
Which are exactly the points that everyone here brought up in response to those previous articles.
And those reasons are the reasons why companies do NOT do what he claims that they ARE DOING now (and the point of his previous articles).
Who "owns" the work you do for the company on your personal computer? What rights does the company have to your personal computer when you leave?
Why even get into a discussion of that? The company issues you a laptop to use at home and you are supposed to use that laptop for company work. When you leave, the company gets the laptop back.
No questions. No problems.
But simple solutions like that do not generate articles about how companies are allowing employees to bring whatever they want into the company and connect it to the company's private data.
Even though he had not interviewed a SINGLE CIO from any company in the health-care industry stating that they did what he claimed they did.
Re:I've kind of felt that... (Score:5, Insightful)
Trade secret argument is bogus (Score:3, Insightful)
Re:One more reason to consider that (Score:4, Insightful)
You can not own the information..
I don't know if you can own information, but there is definitely a concept of secrets and privacy. Your own thoughts should be protected so that you can think freely without fear. By extension, it's reasonable to imagine that companies should be allowed to have trade secrets. Just as it would be upsetting if people set up a scaffolding half a mile away and directed a super long zoom lens into your bedroom; even if they did it from their own property; it's reasonable to allow companies some ability to protect trade secrets.
It seems to me that this, where you are restricting the right of someone to spy on information which is held primarily by the company, is on much stronger ground than copyright, where you try to restrict someone else from saying something which is already in their mind.
Re:Things folks don't think about. (Score:5, Insightful)
I know there are some Mobile Device Management packages out there working on this, and hopefully the best practices will all be sorted out soon.
Don't need them. All you need is rdesktop/VNC/SSH. Some companies have been working "in the future" for a couple decades now, some still aren't in the present.
Is the remote wipe functionality such that if I have to zap your device it will only nuke the company data?
Yeah.... go ahead, wipe the vmware image my wife connects to via rdesktop. Its not going to affect her phone, desktop, tablet, work laptop, home laptop, etc.
Its conceptually not much different than allowing remote webmail access.
Re:Trade secret argument is bogus (Score:3, Insightful)
The employee may unwittingly do so. People don't accidentally blurt out trade secrets, but many people do opt to download and run the occasional Trojan, many run buggy software or software that un-buggily treats some types of caches as not particularly sensitive, or they send home PC's unencrypted drive platters back to manufacturers, or run proprietary software where you (nor they) simply don't have any way of knowing what all it does, or -- countless other things.
You can say it was still their responsibility to not do those things, but that doesn't really help you much, once your secret it out anyway, not to mention most of the time you won't know which one did it.
The point is that it's less secure, whether or not the end you feel satisfied that you have someone to blame.
It's all well and good to say "they have a responsibility" but when you tell them they're not allowed to any mainstream OS, or take advantage of equipment warranties on their personal equipment, suddenly you're the bad guy and "unreasonable."
Re:One more reason to consider that (Score:5, Insightful)
It's not just an issue of protecting "trade secrets", but of protecting customer information in compliance with law and being able to prove that corporate decisions are made in compliance with law without collusion and back-room deals.
Most employees (including a HUGE segment of the Slashdot crowd) do not understand the fundamental reason companies do NOT want you using "personal devices" to do business, but to use the company-provided equipment instead.
The company's obligation to legal and ethical requirements to protect and manage data FAR outstrip your desire to use your iToy at the office.
Re:Email a trade secret? (Score:5, Insightful)
No, COMPANY email is trade secret. Why are people paying their own money to buy hardware and software for work-use is beyond me. Sure the company won't buy you the latest shiny i-crap from grApple but is it worth it to get sued for breaking NDAs and industrial espionage? You want toys, you buy it yourself and use it for home and off-work.You want to work? Get your company to pay for it and return it to them when you leave the company. The end.
Re:Things folks don't think about. (Score:4, Insightful)
I think their concern is more the opposite. They aren't afraid that they wouldn't be able to produce email - they're afraid that they WOULD have to produce email that they should have destroyed.
Many employers destroy email after a fairly short period of time - they define it as unofficial and not to be retained. They make sure that all emails and their backups are destroyed in accordance with this policy, so that if they are subpoenaed they can just point to the policy and say that they don't have anything to turn over, and an audit would show them to be in compliance with their policy. A court can tell them to stop deleting emails relevant to a case after the subpoena is issued, but they will not punish a company for deleting emails that it had no legal requirement to retain.
However, if the employee points out that their boss uses a gmail account and refers to some Google webpage that states that law enforcement can retrieve email for a period of a year or something, then a court would almost certainly allow them to subpoena copies of anything that Google has, and Google would turn them over.
As others have pointed out, if required to keep email the employer could do this on their end as long as the email at least passed through their servers, although if an employee sticks their gmail account on their business card then all bets are off...