What are the privacy issues for a work and personal smartphone all in one?
June 19, 2010 9:23 AM Subscribe
My work will reimburse me for the purchase of a smartphone plus $40 per month for service. If I use the smartphone for work email, personal email, personal web surfing, and personal phone calls, how private are my personal communications and activities?
In the past I've always had two smartphones - one for work and one for personal use. I like the clear division of worlds. But, my phones are getting old and the reimbursement is financially tempting. If I use a single device for everything, how much of my personal activity will be accessible by my work? For example, I assume the IT folks at work will have access to my work email account, but not my personal email account, correct? What about web surfing history? Any other privacy issues I should consider?
In the past I've always had two smartphones - one for work and one for personal use. I like the clear division of worlds. But, my phones are getting old and the reimbursement is financially tempting. If I use a single device for everything, how much of my personal activity will be accessible by my work? For example, I assume the IT folks at work will have access to my work email account, but not my personal email account, correct? What about web surfing history? Any other privacy issues I should consider?
Assume everything you do on your work phone will be auditable, viewable, and potentially actionable by your employer. Because it probably is.
posted by Emperor SnooKloze at 9:32 AM on June 19, 2010 [1 favorite]
posted by Emperor SnooKloze at 9:32 AM on June 19, 2010 [1 favorite]
Your IT folks will have access to your work email whether you use a smartphone or not.
From a legal perspective, your IT department will have complete access to the device and anything stored on the device. So, if you get fired and turn over the device, they'll be able to examine whatever's stored on the device. And, depending on how web access works on the device, it could theoretically be forced through a proxy controlled by your IT department. In addition, you might want to read this.
From a practical perspective, though, most IT departments aren't going to exercise this level of control unless they have to - for example, if your work communication is subpoena'd (sp?). On a day-to-day level, there will typically be very little oversight of the device unless you report it lost or stolen, in which case they'll remotely wipe it - most devices used in the enterprise allow this sort of control.
In any case, you might want to ask your employer for more information about this. If they're not issuing you the device directly, but are letting you buy what you want, that will probably be quite a bit different from them issuing you a specific device, or limiting your purchase to specific devices they can manage.
posted by me & my monkey at 9:34 AM on June 19, 2010
From a legal perspective, your IT department will have complete access to the device and anything stored on the device. So, if you get fired and turn over the device, they'll be able to examine whatever's stored on the device. And, depending on how web access works on the device, it could theoretically be forced through a proxy controlled by your IT department. In addition, you might want to read this.
From a practical perspective, though, most IT departments aren't going to exercise this level of control unless they have to - for example, if your work communication is subpoena'd (sp?). On a day-to-day level, there will typically be very little oversight of the device unless you report it lost or stolen, in which case they'll remotely wipe it - most devices used in the enterprise allow this sort of control.
In any case, you might want to ask your employer for more information about this. If they're not issuing you the device directly, but are letting you buy what you want, that will probably be quite a bit different from them issuing you a specific device, or limiting your purchase to specific devices they can manage.
posted by me & my monkey at 9:34 AM on June 19, 2010
If they have remote access to the data on the phone, it's wide open. They have everything, and are the Alpha and Omega. See: Blackberries.
If it's not a corporate-friendly phone (Android, iPhone, etc), or don't go for remote access to the phone, they will possibly have access to the bill, unless they're giving you money, and you pay the bill. If this is the case, they can see general data usage but not specific sites, they can see the numbers for calls made, texts sent/received, etc. But not the contents.
posted by Rendus at 9:36 AM on June 19, 2010
If it's not a corporate-friendly phone (Android, iPhone, etc), or don't go for remote access to the phone, they will possibly have access to the bill, unless they're giving you money, and you pay the bill. If this is the case, they can see general data usage but not specific sites, they can see the numbers for calls made, texts sent/received, etc. But not the contents.
posted by Rendus at 9:36 AM on June 19, 2010
Your employer will probably have a look at what is going on as a matter of course, to ensure that you aren't using company property for private use. Anything they find on there will probably be viewable (and viewed) by them at the very least.
posted by Solomon at 9:37 AM on June 19, 2010
posted by Solomon at 9:37 AM on June 19, 2010
And I do not think anyone can give you a flat out answer--opinions maybe, but not facts. It really depends on your employer, reimbursement versus ownership, specific negotiated use. etc. If you are comfortable you may want to discuss this with your employer and secure a legally binding agreement regarding privacy. As an employer I would be hesitant to guarantee complete privacy because of my potential liability for your use and conduct on the equipment. I would have no interest in your private communications but it can be very difficult to have clear boundaries on one device. Good Luck
posted by rmhsinc at 9:39 AM on June 19, 2010 [1 favorite]
posted by rmhsinc at 9:39 AM on June 19, 2010 [1 favorite]
If the phone and bill are in your name, it's not a business phone, and they have no claim on it. If they own the phone and are named on the bill, it's their phone, you're only borrowing it.
posted by blue_beetle at 9:46 AM on June 19, 2010
posted by blue_beetle at 9:46 AM on June 19, 2010
I think there is a distinction between a phone you are "reimbursed for" and one the company provides. In Ontario v Quon the city had provided the text devices. The company making a partial (or even whole) contribution for you to encourage you to make a purchase and enter a contract doesn't mean they own the phone. They may be able to require complete access, and that would be a separate agreement between you and them, but without that agreement I wouldn't think they can poke their noses anywhere not directly related to work.
However, IANYL and this is an emerging area where the courts seem to be coming down in favor of access, and I don't know if anyone knows for certain yet.
posted by Some1 at 9:51 AM on June 19, 2010
However, IANYL and this is an emerging area where the courts seem to be coming down in favor of access, and I don't know if anyone knows for certain yet.
posted by Some1 at 9:51 AM on June 19, 2010
I AM an IT person, and I have been my department's resident smartphone bitch. What your company CAN see and what they will ELECT to see are two very different things (unless you're working in a fairly high-security arena). In the case of a Blackberry BES server, your IT folks can see every Blackberry PIN you send, every work e-mail you send as well as all your web traffic (assuming they control their smartphones via a group policy, which most companies do). The odds of them actually LOOKING at this shit, however, is negligible, as long as you keep your nose clean. Logging any of that info in detail (let along reviewing it) takes a lot of resources, so we generally don't LIKE to unless we are FORCED to do so.
I'll give you the schpiel I give all my incoming employees: "As long as you do your job and DON'T harass any coworkers, gain any degree of notoriety, break the law, receive a subpoena, expose us to viruses or let proprietary information out into the world... we'll have no reason whatsoever to bother you."
posted by julthumbscrew at 10:21 AM on June 19, 2010 [3 favorites]
I'll give you the schpiel I give all my incoming employees: "As long as you do your job and DON'T harass any coworkers, gain any degree of notoriety, break the law, receive a subpoena, expose us to viruses or let proprietary information out into the world... we'll have no reason whatsoever to bother you."
posted by julthumbscrew at 10:21 AM on June 19, 2010 [3 favorites]
Response by poster: Thanks for the answers so far, everyone. Some1 highlights a key fact - the phone will be my personal property, and the contract and bills will be in my name. When people leave for different employment, for example, they keep their phones.
I'm mostly interested in the technological aspects of this question, rather than the legal aspects. (I agree with others who've suggested the legal questions likely have no clear-cut answer.) So to put it a different way, how much of my personal information do the IT folks at work have access to (a) in the routine course of business, and (b) if they're interested enough to put in a little extra effort to access the information?
posted by pitseleh at 10:23 AM on June 19, 2010
I'm mostly interested in the technological aspects of this question, rather than the legal aspects. (I agree with others who've suggested the legal questions likely have no clear-cut answer.) So to put it a different way, how much of my personal information do the IT folks at work have access to (a) in the routine course of business, and (b) if they're interested enough to put in a little extra effort to access the information?
posted by pitseleh at 10:23 AM on June 19, 2010
In general, they won't have any technological access to info on your personal phone. They will of course be able to see any work e-mails you send or receive. Also, if you install and run any VPN software your web traffic might be routed thru the corporate network for logging and inspection but that is unlikely. In theory they could ask you to run some sort of agent on your phone to monitor things but that is unlikely unless you work in a sensitive or highly regulated area.
In short, take head of julthumbscrew's advice in the last paragraph and you won't have problems.
posted by mmascolino at 10:45 AM on June 19, 2010
In short, take head of julthumbscrew's advice in the last paragraph and you won't have problems.
posted by mmascolino at 10:45 AM on June 19, 2010
Wasn't there just a Supreme Court decision regarding a policeman's attempt to claim his cell phone conversations were private?
posted by Mr. Gunn at 11:01 AM on June 19, 2010
posted by Mr. Gunn at 11:01 AM on June 19, 2010
pitseleh: that entirely depends on the particular smartphone and your company's particular setup. More info about the phone and their back-end architecture would be helpful. Some setups are nothing more than an e-mail "push" - a server routes e-mail to your phone, your phone picks it up. Other setups are far more bidirectional. I'd be very conscious of what the company loads on your device - proprietary handheld software can do a whole slew o' stuff.
posted by julthumbscrew at 11:40 AM on June 19, 2010
posted by julthumbscrew at 11:40 AM on June 19, 2010
I just wanted to say as another IT lackey that blue_beetle above is wrong. The phone may be in your name, and the bill may come to your house, but I know for a fact in at least Illinois and New Jersey, the legal system will grant your employer access to the phone's contents if you've used that phone for company business and the contents might be relevant to legal action on the company's part. Please take it from me, if you have real reason to want to keep your phone-based information really REALLY private, it may not be the setup for you... As julthumbscrew said, if you don't fuck with us, we won't fuck with you, but what you're really banking on is your company's desire to play nice. Just sayin...
posted by OneMonkeysUncle at 12:05 PM on June 19, 2010 [1 favorite]
posted by OneMonkeysUncle at 12:05 PM on June 19, 2010 [1 favorite]
Ask your work if they require your phone purchase to be "provisionable." If they have no clue what that means, then you're probably fine. It lets them force settings (think PIN locking when idle), remote wipe, monitor and lock the device (usually in case of theft). Clever enough software installed by IT could probably turn on the front facing camera without a recording indication and track GPS. If you're the kind of guy who takes off early or goes on smoke breaks, GPS might be evidence, but security cameras do the same thing. But that takes epic amounts of extra effort, like that bored high school sysadmin who recorded students.
Either way, they can probably snoop on network traffic if you're on their wifi, and looks like the court ruled they can review SMS and maybe data plan traffic. Traffic at home wifi will probably be safe unless your IT installs some proxy or monitoring app.
If the courts hand them your phone, you can probably expect a good deal of information to be revealed: browser history, installed apps, personal settings, pictures taken and saved, SMS saved, personal email acct IMAP cache, maybe even usernames and passwords if your phone saves them.
posted by pwnguin at 3:12 PM on June 19, 2010
Either way, they can probably snoop on network traffic if you're on their wifi, and looks like the court ruled they can review SMS and maybe data plan traffic. Traffic at home wifi will probably be safe unless your IT installs some proxy or monitoring app.
If the courts hand them your phone, you can probably expect a good deal of information to be revealed: browser history, installed apps, personal settings, pictures taken and saved, SMS saved, personal email acct IMAP cache, maybe even usernames and passwords if your phone saves them.
posted by pwnguin at 3:12 PM on June 19, 2010
This thread is closed to new comments.
posted by rmhsinc at 9:32 AM on June 19, 2010