Bring Your Own Device: Data Privacy Recommendations and Technical Implementation
Article by Dr. Sebastian Kraska (attorney and External Data Protection Officer) and Peter Meuser (independent IT consultant).
For many users, everyday life without smartphones and tablets is virtually inconceivable. These devices have become constant companions in day-to-day life, recreationally as well as in business. The times when only a privileged handful of executives were granted access to business communications and corporate data while “on the road” are gradually coming to an end. The following article sets out the essential parameters of the pertinent data protection law and the technical matters involved. These are the facts companies have to keep in mind if they plan to allow employees to use their private smartphones for business purposes (“BYOD,” short for “Bring Your Own Device”).
Why is data protection law relevant at all?
As the “responsible entity” (pursuant to Section 3(7) of the Federal Data Protection Act (BDSG)), a company bears liability for the compliant processing of personal data even when that processing takes place on an employee’s personal smartphone. Unlike with company-owned smartphones, a company has only limited options for instituting and enforcing technical and organizational standards for secure data processing on privately owned smartphones if no prior agreements are in place.
Recommendation: Policy agreement with employees in advance
Taking these considerations into account, it is advisable to use only company-owned hardware within the company. If a company nevertheless plans to permit the use of private smartphones, a written policy between employee and company must be established right from the start. From a legal standpoint this agreement is indispensable, specifically to avoid liability problems, to defuse potential conflicts (e.g., over telecommunications secrecy), and to ensure the orderly processing of business data on private devices. The following list of standards and regulations covers the main issues that any such agreement should address.
Standard on the separation of private and business data
To avoid access restrictions (specifically when it comes to private e-mails, due to telecommunications secrecy; cf. https://www.iitr.de/beschaeftigten-datenschutz-private-arbeitnehmer-e-mails-und-die-reichweite-des-fernmeldegeheimnisses.html), private and business data have to be separated as distinctly as possible.
This separation is the primary requirement that a BYOD strategy has to resolve. All smartphone platforms currently sold and actively developed, such as the Apple iPhone (iOS), Google Android, RIM BlackBerry and Microsoft Windows Phone, basically come with the option to manage multiple e-mail accounts “separately” on the same device. Companies typically use Microsoft Exchange (“Outlook”) or Lotus Domino (“Lotus Notes”) as their “messaging system”; these applications also provide business calendars and contact data that can easily be synchronized with the smartphone.
To establish a “clean” partition between private and business data, however, further action is needed. Initially both areas are treated equally on the devices. Therefore, if an unprotected private device containing business data falls into the hands of a third party, both areas are equally exposed. If the user forwards private e-mails via the company e-mail account, these messages fall under the control mechanisms of the company’s messaging system (e.g., legally mandated mail archiving). Conversely, there is a corresponding risk that company data will be forwarded unchecked via the private account. Privately installed smartphone applications (depending on the mobile platform) can gain access to e-mail accounts, undetected by the user, and automatically transmit confidential information to the outside world.
These risks need to be controlled, minimized and, wherever possible, eliminated as soon as a private device connects to the company’s IT. In addition, iPhones, BlackBerries, and Android and Windows Phone devices already come with various manufacturer-installed settings that touch upon the various approaches to “Mobile Device Management” [“MDM”; see the detailed discussion “Überblick: Kontrollmöglichkeiten der aktuellen Mobilplattformen im Unternehmenseinsatz” (“Overview: Control options on current mobile platforms in corporate use”) in German at http://itlab.de/s/mdmov].
Regulation on data access
An agreement should be established with employees in advance regarding the specifics of the company’s authorization to (remotely) access smartphone data. Legal background: a concealed or covert data processing operation carries greater legal weight than an open, transparent one and is therefore more difficult to justify in terms of data protection law.
For the technical implementation, beyond the data directly subject to the individual right to privacy (for instance, the remote collection of call data or GPS/positioning data), the modern smartphone exposes a plethora of additional private data relevant to IT guidelines. These “additional” private data include 1) information about the inventory of privately installed apps, 2) information about configurations for private e-mail, WiFi and VPN, and 3) information about the roaming status, which allows foreign travel to be detected. Due to specific security risks, even the installed version of the smartphone’s operating system may be a reason to preclude company connectivity, and it should therefore be covered by the agreement on collected data.
In addition to the passive read-out of device data, systems like the BlackBerry Enterprise Solution also enable the active installation of apps. With this capability the company’s remote access to the employee’s private smartphone becomes far more far-reaching. In principle, iPhone and Android-based devices only allow such active app installation at the user’s request. At present, MDM solutions do not support total remote control of either mobile platform for support purposes; such control can only be granted through the express authorization of the user on a case-by-case basis.
Regulation of the question: “When is the company allowed to delete data?”
It may be preferable for the company, especially if the smartphone is lost (and also, under certain circumstances, if the employee’s departure from the company is contentious), to be able to delete any data stored on the smartphone by remote command. However, depending on the operating system and the MDM solution in place, this delete command would also affect the employee’s private data. For this reason it is advisable to institute a regulation at the outset.
The standard options of the most common messaging platforms essentially permit complete device erasure even without additional MDM mechanisms, provided a connection to the device for data synchronization still exists. Technically, however, the trend runs unequivocally towards both a clean separation between private and business data on the devices and the ability to selectively delete company data. Today RIM, for example, implements this consistently with “BlackBerry Balance” (for BlackBerry devices only); Good Technology does the same for iOS (iPhone/iPad), Android and (to a limited extent) Windows Phone. Apple’s profile-based MDM specification adds options allowing companies to remove their e-mail accounts from devices in a targeted manner, along with other centrally administered configuration settings. The MDM solutions from AirWatch and MobileIron also incorporate and implement this option. Integrated “self-service portals” enable users to initiate such actions themselves, a desirable option in the event of loss, for example. When the user activates the MDM-based administrative integration, he or she explicitly confirms (through an on-screen dialog) the scope of data that the company’s IT department is able to delete from the device.
Employer’s rights to treat private devices on par with company devices
As a follow-up to the matter of “When is the company allowed to delete data?” we propose a regulation clarifying, from the employer’s perspective, that in principle the employer may treat the employee’s private smartphone in the same manner as any other business hardware.
In terms of administration this applies specifically to the control and/or deactivation of particular device functions. The potential issues range from the deactivation of Internet-based voice recognition through Apple’s “Siri” (an internal policy at IBM, for instance), to the suppression of automatic data backup to cloud services, to permitting the installation of apps only from a catalogue of in-house applications rather than from public app stores such as Apple’s and Google’s. Technically, the ability to effectively enforce such regulations depends on the smartphone’s operating system and the MDM solution installed on it.
Regulation on the use of monitoring tools
When using (technically recommended) monitoring tools to track the correct system status and the permitted system usage, two specific points of data protection law must be taken into consideration: a) the type and nature of the data processing, and its purpose, must be described transparently at the outset; and b) when software from third-party service providers (particularly non-European ones) is used, the company must observe the applicable data protection regulations (see the detailed discussion at: http://www.iitr.de/so-funktioniert-internationaler-datenschutz.html).
The continuous recording of tracking data on end devices, especially on US-made products, has always been an area meriting particular attention. For example, the BlackBerry corporate solution records call data and visited Internet pages by default unless the administrator has expressly blocked these tracking features. In the context of private devices there is hardly a justifiable reason to collect these data. Even for a truly useful option such as device positioning (if the phone is lost), as offered by AirWatch and MobileIron for iPhones and Android devices, there should be a clear-cut agreement with the device owner prior to activation. Ultimately, the regulations on cost assumption will determine whether it is necessary to record the roaming status of private devices. Companies have to bear in mind that recording even innocuous-looking data that may be useful in support cases (for example, the time of the last connection between the end device and the company’s IT) is not necessarily in the interest of the device owner: if asked to explain, the owner may know very well why business e-mails went unanswered, even though it is technically evident that they reached his or her digital companion.
As soon as a private device can be placed on a company-maintained “blacklist” because of security settings the user is able to change (such as a device password of the prescribed strength, device encryption, or the absence of certain apps), it becomes indispensable to monitor the device regularly and reconcile it with a centrally defined framework that may itself have changed completely. Special attention should be paid to detecting a jailbreak (iPhone) or rooting (Android). Smartphones in this condition can be used beyond the options intended by the manufacturer, for example to run unauthorized software. Popular as this method of enhancing functionality is among private users, it cannot be tolerated in a corporate context for security reasons. The majority of MDM solutions are not operational unless the user is prepared to allow his or her private device to be monitored within the agreed parameters. In the BYOD scenario, most MDM solutions respond to a detected violation of the security guidelines with automatic measures. These range from a mere passive notification to the user and the responsible IT staff in the most basic case, to an active interruption of mail synchronization until the user independently restores compliance with the policy, to the deletion of all corporate data in the most extreme case. Since IT security guidelines are dynamic by nature, the system must also track whether the time limit for the regular check-in between smartphone and MDM solution has been exceeded.
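An added example, not from the article or from any MDM vendor, of the escalation ladder this section describes: a compliance check over a device’s reported settings and last check-in that returns a notification, a block on mail synchronization, or a selective removal of corporate data. The DeviceReport fields, the POLICY values and the sample reports are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fixed "current time" so the sample runs deterministically (constructed value).
NOW = datetime(2012, 6, 1, 12, 0)

@dataclass
class DeviceReport:
    # What a private device reports to the MDM server at each check-in (assumed fields).
    device_id: str
    passcode_set: bool
    encryption_enabled: bool
    jailbroken_or_rooted: bool
    last_checkin: datetime
    installed_apps: list[str] = field(default_factory=list)

# Hypothetical policy values; in practice they come from the written BYOD agreement.
POLICY = {
    "required_settings": ("passcode_set", "encryption_enabled"),
    "forbidden_apps": {"com.example.unapproved-sync"},
    "checkin_timeout": timedelta(hours=24),  # overdue check-in: notify
    "grace_period": timedelta(hours=72),     # still silent: remove corporate data
}

def find_violations(report: DeviceReport, now: datetime = NOW, policy=POLICY) -> list[str]:
    """Return every policy violation in a report; an empty list means compliant."""
    violations = [f"setting:{n}" for n in policy["required_settings"] if not getattr(report, n)]
    violations += [f"app:{a}" for a in sorted(set(report.installed_apps) & policy["forbidden_apps"])]
    if report.jailbroken_or_rooted:
        violations.append("integrity:jailbroken_or_rooted")
    if now - report.last_checkin > policy["checkin_timeout"]:
        violations.append("checkin:overdue")
    return violations

def decide_action(report: DeviceReport, now: datetime = NOW, policy=POLICY) -> str:
    """Escalation ladder: ok -> notify -> block_mail_sync -> wipe_corporate_data."""
    violations = find_violations(report, now, policy)
    if not violations:
        return "ok"
    # Jailbroken/rooted, or silent beyond the grace period: selective wipe of corporate data only.
    if "integrity:jailbroken_or_rooted" in violations or now - report.last_checkin > policy["grace_period"]:
        return "wipe_corporate_data"
    # A user-changeable setting or a forbidden app: stop mail sync until the user restores compliance.
    if any(v.startswith(("setting:", "app:")) for v in violations):
        return "block_mail_sync"
    return "notify"  # only the regular check-in is overdue, still inside the grace period

# Constructed sample check-ins, one per rung of the ladder.
SAMPLE_REPORTS = [
    DeviceReport("ok-1", True, True, False, NOW - timedelta(hours=2)),
    DeviceReport("late-1", True, True, False, NOW - timedelta(hours=30)),
    DeviceReport("nopass-1", False, True, False, NOW - timedelta(hours=1)),
    DeviceReport("app-1", True, True, False, NOW - timedelta(hours=1), ["com.example.unapproved-sync"]),
    DeviceReport("root-1", True, True, True, NOW - timedelta(hours=1)),
    DeviceReport("silent-1", True, True, False, NOW - timedelta(hours=100)),
]

def evaluate_all(reports=SAMPLE_REPORTS) -> dict[str, str]:
    # Map each device id to the action the MDM server should take.
    return {r.device_id: decide_action(r) for r in reports}
```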
In this context Good Technology’s approach stands out. One can largely dispense with “conventional” device administration, and thus with device monitoring through iOS and Android, even though these are present. With this approach, company data is stored in self-contained (and encrypted) app containers that allow no direct exchange whatsoever with other apps on the device. The app container communicates with the company IT department through a dedicated, encrypted channel. As a result, the user-controlled settings required to guarantee secure operation are no longer decisive to the same extent and become substantially easier to handle. Of course, jailbreak/root detection and reporting by the Good solution remain indispensable.
Standards on the fixed setting of system parameters
We recommend standards stipulating in writing that the employee must activate certain security settings on his or her smartphone and, once they are set, is no longer allowed to change them (for example, regulations on password assignment, automatic locking of the smartphone, enabling GPS positioning in the event of loss, etc.).
As described above, the basic structural framework of MDM solutions consists of the technical definition of guidelines for secure operation and the monitoring of compliance with these guidelines; however, the information today’s systems provide to the user about required settings or policy violations is often too cryptic and opaque. In practice, the company should compile documentation tailored to its own situation, arrange introductory training for employees on their private devices and provide access to trained support personnel. Since data protection and data security operate in a dynamic context, it is not enough to create a static starting point; rather, a process must be established that documents the current situation efficiently and provides this information to employees in a readily consumable form.
Regulation on the allocation of liability
To avoid the eventuality of legal disputes, we recommend the establishment of an agreement on the allocation of liability between employee and employer.
Notification duty in the event of loss
Of particular importance (specifically with respect to the informational obligations of the company in the event of data loss pursuant to BDSG Section 42a) is the employee’s obligation to immediately notify the employer in the event of a smartphone loss.
MDM solutions also support this organizational measure with the “self-service portals” discussed earlier. Through this portal the employee can both 1) contact the helpdesk from any PC with Internet access in order to submit his or her loss report through formal channels, and 2) take immediate action by attempting to locate the device and initiating remote deletion.
Use of private smartphones by third parties
It is also advisable for the employer to prohibit the employee from allowing third parties (friends, family members) to use his or her smartphone, thus ensuring that only the employee can gain access to company data.
If the private device is intentionally passed on to a third party, the protection of company data can only be supported technically by protecting access to business data with its own password, regardless of the device type. “Good for Enterprise,” for example, provides this protection for its own mail app, whose data are automatically encrypted regardless of any other device encryption that may be activated (cf. “Standard on the separation of private and business data” above).
Performing repair and maintenance work
Employers and employees should agree on regulations for the regular performance of repair and maintenance work (installation of updates by the IT department, not submitting the smartphone to third-party repair workshops, etc.).
If a device has to be handed in for an extended period for repair, we recommend backing up the data on the unit and deleting sensitive data. If the MDM solution in use allows the targeted deletion of the corporate configuration at the press of a button (a standard option of Apple’s MDM) and the device can basically be reintegrated into the company’s IT without helpdesk support, this procedure should also be set out in the employee agreement. On the smartphone side, most MDM solutions require only three pieces of information to be entered in the MDM app in order to register the private device with the company: 1) the name of the MDM server, 2) the user ID (typically the same as the employee’s Windows ID at the company) and 3) the (Windows) password. Against this background, it is typically sufficient merely to prohibit the employee from lending his or her smartphone containing company data to any third party.
Conclusion
If companies permit the use of private smartphones for company business, they remain legally liable for the data processing performed on these devices. However, in cases of doubt they cannot legally access the device. If the company nonetheless opts to permit the use of private smartphones, it is imperative from a legal standpoint to agree on a preliminary regulation with the employee so that a reasonable balance can be struck between the liability risks on the one side and the benefits of using private smartphones on the other.
How agreements on the business use of private devices can be supported technically depends both on the smartphone models acceptable to the company’s IT department and on the selected Mobile Device Management (MDM) solution. Currently, BYOD cannot be implemented generally and with any arbitrary device without security risks to the company or data protection concerns for the employee. The widest range of administrative options today is still offered by the functions Apple has been adding to the iPhone and iPad since iOS 5. Today’s strictest approach to separating private and business data on Android and Windows Phone devices can be found in the products of Good Technology. But even this solution does not fit every business situation and must therefore be carefully examined before use.
Irrespective of the technical solution deployed, all IT activities on private devices should be documented precisely and transparently for the employee, together with the data protection agreements. Given the dynamic nature of this task, we recommend establishing an effective and easy-to-manage documentation process. This can also be part of the company’s “mobile” intranet, for example.
About the authors
Mr. Peter Meuser, iTlab Consulting (http://www.itlab.de, +49 (8152) 999654) is an independent IT consultant specializing in enterprise mobility and provides services to companies in strategy development, product selection, solution implementation and training.
Dr. Sebastian Kraska, attorney, is an expert in the area of commercial data protection law and together with a team of regional partners, provides services to companies throughout Germany as an external Data Protection Officer.