What is my best privacy strategy for a work smart phone?
August 19, 2019 4:10 AM

I work for a large tech company that requires us to carry smart phones. I would like to keep as much information to myself as possible, but I don't want to pay for a private phone -- I don't use my phone too much. What's my best way to approach this?

For the past two years I've had my gmail account, Facebook, LinkedIn and online dating profiles on my work phone.

My company will either: (1) Provide a phone and pay for all costs OR (2) Cover up to $100/month in phone bills but not cover the cost of a phone.

I don't think using my own phone and having the company pay for it will prevent privacy intrusions as they want to install my work email and monitoring apps such as AirWatch on any phone they're paying for.

Just paying for my own phone and coverage would be a solution, but I like to save money, so I don't want to buy service for another line. I was thinking of keeping all my private stuff on a separate phone, but then just using my company phone as a hotspot when I needed to do anything private, and vpn-ing from my personal phone to the company phone.

VPNs can be had for as little as $3/month. I'm not a heavy mobile user other than for calling friends, looking for directions and killing time when I'm bored, so I don't think the added expense of another phone is worth it. Or am I wrong?

My plan is to continue to make calls and texts from my company phone. I travel quite a bit internationally, and it's nice to have the company phone paid for instead of searching for new or extra service.

Is this a good idea? What would you do? Do you have any better ideas?

Thanks!
posted by Borborygmus to Technology (15 answers total) 3 users marked this as a favorite
 
I only use my work phone for work. I turn it on an hour before I start and turn it off 30 minutes after I finish. I have my own phone for my own stuff. I have separate LinkedIn profiles for all of my work-related activities. I would never use personal logins on a work phone.
posted by parmanparman at 4:14 AM on August 19, 2019 [17 favorites]


If you're not okay with your company knowing all activity that happens on your phone, including Snapchats, FB conversations, Gmail threads, etc., you need a separate phone that they don't have. No amount of VPNing will matter if they have access to your device, which, if they pay for it, they do.
posted by nosila at 6:17 AM on August 19, 2019 [5 favorites]


(Is that kind of wholesale monitoring possible on iOS, or just Android, nosila?)
posted by uberchet at 6:38 AM on August 19, 2019


Most companies I worked for who offered to cover phone costs or “let” you put work email on it also said I had to agree to let them brick it if needed.
posted by tilde at 6:41 AM on August 19, 2019 [6 favorites]


If the only way your personal data transits your company phone is as encrypted traffic between your personal phone on the Wifi side and your VPN's exit point somewhere out on the Internet, with the company phone acting solely as a wifi hotspot and not as any kind of encryption endpoint, then all the company can possibly learn about your Snapchats, FB conversations, GMail access and so forth has to be gleaned via analyzing traffic volumes and burst patterns, because metadata like that is all that the company's monitoring facilities will ever actually see.

The only way to make this not true is to install a company-provided root certificate on your personal phone that would allow the company to spoof your VPN provider's server certificate and run man-in-the-middle attacks against your VPN. Hotspot software that attempts to do this automatically and surreptitiously for "security" reasons does exist, but any decent VPN client should foil its attempts. At worst, a company-controlled phone used as a hotspot could be set up in such a way that you can't actually use it for that unless you do permit it to install a MITM-enabling certificate on any connecting device. Which, obviously, you wouldn't do because then you might as well not be using two phones in the first place.

If you use your company phone as an endpoint rather than as a hotspot for a second phone, or if the VPN exit point on the upstream side of the company phone is company-provided rather than a personal account you've set up independently, then you have no way to prevent corporate IT from running stuff that lets them look at anything they damn well please.

Personally I'm with parmanparman; I would just eat the cost of my own personal phone service and not involve the company phone in any non-company-related activity whatsoever.
posted by flabdablet at 6:56 AM on August 19, 2019 [4 favorites]
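
The root-certificate point in flabdablet's answer above, as an added example that is not part of the original post: a server certificate signed by a company root passes chain validation once that root is in the personal device's trust store, while a pinned fingerprint of the provider's real certificate still exposes the swap. All names (`provider-root`, `company-root`, `vpn.example.test`) are constructed for this lab, which assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed lab: all keys and certificates are generated locally, nothing is contacted.
set -e
WORK=$(mktemp -d)

make_ca() {   # make_ca NAME: create a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {     # issue CA NAME: server cert for vpn.example.test signed by CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate file
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# chain_ok STORE CERT: does CERT chain to a root in STORE?
chain_ok()    { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# pin_ok PIN CERT: does CERT match the pinned fingerprint?
pin_ok()      { [ "$(fingerprint "$2")" = "$1" ]; }

make_ca provider-root            # the VPN provider's own root (assumed name)
make_ca company-root             # root pushed by the employer (assumed name)
issue provider-root real         # the provider's genuine server certificate
issue company-root mitm          # same hostname, signed by the company root
cp "$WORK/provider-root.pem" "$WORK/clean-store.pem"
cat "$WORK/provider-root.pem" "$WORK/company-root.pem" > "$WORK/tainted-store.pem"
PIN=$(fingerprint "$WORK/real.pem")   # recorded over a trusted channel beforehand

report() {    # report STORE CERT: print chain and pin results side by side
  if chain_ok "$WORK/$1.pem" "$WORK/$2.pem"; then c=accepted; else c=rejected; fi
  if pin_ok "$PIN" "$WORK/$2.pem"; then p=match; else p=MISMATCH; fi
  echo "$1 / $2: chain $c, pin $p"
}
report clean-store real
report clean-store mitm
report tainted-store real
report tainted-store mitm
```

Only the `tainted-store / mitm` row shows the chain accepted with a pin mismatch, which is the case the answer warns about.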


I'm not a heavy mobile user other than for calling friends, looking for directions and killing time when I'm bored

That can say a lot about you to anyone who is looking. Work phone belongs to work, everything on it and the physical phone itself. Your best strategy is work phone for work, personal phone for personal. Keep it separate, be safe, and eat the cost.
posted by epanalepsis at 7:21 AM on August 19, 2019 [4 favorites]


Here you can get text only pre-paid plans for C$15. It's what I have and I use WiFi for my data needs (for maps I've downloaded all the areas I'm likely to drive to). Maybe such low buck plans are available in your area? (Note that if you use WiFi at work your company will be able to monitor that activity.)
posted by Mitheral at 7:26 AM on August 19, 2019


I have worked with a couple employers who had this arrangement. There’s no way to ensure privacy on a corporate-managed device, even with a VPN, because they can install whatever they want on the phone itself.

(This is not strictly nefarious, btw. Especially if you are expected to conduct work activities on your company phone, providing for corporate access can be a compliance issue. For example, in a lawsuit against the company, contents of any company devices can be subject to discovery.)

A separate device, where you do no work, is probably the only practical way to ensure privacy. Get the cheapest device you’re comfortable with, eat the cost of a phone plan, and treat your company phone like your company laptop/desktop: work equipment.
posted by a device for making your enemy change his mind at 8:10 AM on August 19, 2019 [2 favorites]


If it's impractical (either financially or logistically) to have a personal phone as well, one thing I would strongly advise is that you keep regular, comprehensive backups of your data on a personal drive/cloud account/whatevs. The reason is, if you ever happen to get let go from the job, it's very probable your employer will demand that you hand over your phone on the spot, without any possibility of getting your personal stuff off it. Without a private backup, you won't be able to transfer any of it to a new phone.
posted by Thorzdad at 8:10 AM on August 19, 2019 [2 favorites]


if you ever happen to get let go from the job, it's very probable your employer will demand that you hand over your phone on the spot, without any possibility of getting your personal stuff off it.

Or just remote wipe it with no warning.

I would never keep anything I want personal or private on a device with company controlled mobile device management software on it. In your situation, I'd get a small personal device and do the hotspot option.
posted by Candleman at 9:06 AM on August 19, 2019 [2 favorites]


Top of the line smartphones are ridiculously expensive now so I can understand the reasoning for wanting only one phone. If you want your privacy and to save money too I would use the work phone only for work, buy a personal prepaid phone plan (about $20/month for simple needs), and get a used smartphone off swappa.com or gazelle.com. One other option is to use the work smartphone with a personal WiFi only device such as an iPod Touch or iPad.
posted by mundo at 9:45 AM on August 19, 2019 [1 favorite]


Depending... anything on or through the work paid / subsidized mobile may leave way for work to claim ownership since it was accomplished with work's money. I sorta made this mistake through years of letting work buy my home computers and pay network bills. Technically, if worst came to worst, the vast majority of code and data on my computer now could be claimed by work. (They're not that evil but I could never get a straight legal answer to things like contributing to OSS or the like.)

It definitely would have been better to duplicate and have personal / work devices. I totally wish I had gone that route.

Two phones, work and private, just deal with it.
posted by zengargoyle at 2:48 PM on August 19, 2019


uberchet - no matter what the operating system is, the owner of the device has complete control over what's on the phone. If they want to pre-install or remotely install monitoring software, for example, they can do it. (Sorry I'm slow!)
posted by nosila at 8:37 AM on August 28, 2019


My point is that I'm not sure that full-on monitoring software is possible on iOS. Apple's privacy focus, and overall OS security features, make these things harder to do on iPhones.

So, sure, you can preload any app you want, but you'd still be limited by the rules of the OS in question.
posted by uberchet at 9:08 AM on August 28, 2019


iOS specifically allows management software used by companies/schools to monitor internet activity; it's baked right in. They can also restrict installation or removal of apps including GPS tracking apps. Or a keylogger/screen logger. If the company owns your phone you should just assume you have no secrets from your employer (or honestly anyone in IT who may have a lapse of ethics) related to the phone.
posted by Mitheral at 9:38 AM on August 28, 2019

