Privacy in the Mobile Workplace - AirWatch

-- By AndrewWatiker - 22 Jul 2017

The Problem

For many, the 21st-century workplace has expanded far beyond the office. Employers, by insisting on remote access, raise difficult technical challenges. One of these is providing secure access to company materials on mobile devices.

The Security Challenge and the Role of MDM

The challenge of providing secure remote access is particularly acute in the context of mobile devices. Among working-age adults in the United States, smartphone ownership is approaching near ubiquity. Employers, recognizing this fact, often permit or require employees to work remotely on their personal devices. In theory, the use of personal devices serves both employees and employers, allowing employees to carry only one device and employers to avoid the expense of purchasing and maintaining the devices. However, personal devices are under the control of their owners and employers have limited ability to regulate the owner’s security practices.

Employers rightfully fear the exposure of sensitive information. Without adequate security, confidential information can reach competitors or thieves. To meet the growing demand of employers seeking to protect confidential information stored on employee devices, employers have turned to Mobile Device Management (MDM) products including VMWare’s AirWatch.

MDM provides IT departments with the ability to control personal devices, including smartphones. For example, companies using AirWatch can distribute company applications, ensure operating system patches are installed, and remotely remove business data from lost devices. The software is particularly attractive to law firms that must protect confidential client data. The software is also seen as important to institutions like medical schools that must protect patient information.

MDM and Threats to Privacy

While the technological capabilities of MDM are important in the context of business data, these capabilities raise privacy concerns because they reach beyond business data and touch personal data as well. According to AirWatch's best practices guide (see. pg. 23-25), an employer using AirWatch can: track an employee’s location, display a list of personal apps installed on the device, remotely delete all of the data on a device (including personal data), and disable the lock code.

How an employer elects to use the power granted by MDM may place employees at risk. For example, an employee reported to NPR that her employer deleted personal data off her phone. Concern has also been expressed about MDM interfering with union organizing activity. There is also risk for employers as well. The CEO of AirWatch (prior to the company’s acquisition by VMWare) detailed legal risks that companies can face. For example, a company could be at risk if an IT employee recognized apps related to a health condition on a phone and spoke to the phone’s owner about it, or if employees lost personal data that was stored in a company provided application.

What Can and Should Be Done

Presently, employers willing to accept these legal risks will likely face little resistance to their demand that this software be installed. While VMWare points out that employees can simply opt out of using the software by uninstalling it, employees must continue to work and have little bargaining power to push back on a corporate installation mandate. While collective bargaining for privacy is an option for some employees, most fall outside of unions. In the present political climate, the federal government represents an unlikely ally for workers. Instead, progressive governments at lower levels can and should step in.

Concerned legislatures can take affirmative steps to protect employees. Recent legislative actions in economically important states like California and New York demonstrate that states and localities still pass employee-protecting laws. A legislature could pass a law mandating an employer offer a company owned device to an employee, if the employer would otherwise require an employee to install software giving the company the power to delete, modify, or view personal data on an employee owned device.

Even without government intervention, businesses can step up to recognize potential opportunities by better aligning the incentives of employers and employees. For example, a developer of mobile operating systems could partner with major corporations to build sufficient security into the core operating system to allow companies to avoid the expense of purchasing AirWatch (or similar software). Employers, in turn, could promote phones on that operating system to employees. Employees may be incentivized to purchase a phone that will not require the installation of intrusive software.

Another business solution could see Apple or Microsoft create mobile-friendly interfaces to access their desktop operating systems. Rather than employees accessing company data on personal devices directly, their devices would simply display content stored on their work computers through existing remote desktop technology running through a VPN. Microsoft may already be working on improving the display of Windows 10 on Smartphones. Accessing work resources this way could eliminate the need for MDM technology because personal devices would not need company information to be stored on them at all.

For now, employees have little choice to ensure security beyond carrying two phones. This is an expensive and inconvenient solution for consumers. Here too, however, business opportunities exist to better meet consumer needs. A simple but effective solution could be a phone that offers parallel hardware in a single device. The phone would feature separate and isolated processing and storage facilitates for business and personal data. The phone would also have two separate operating systems installed and the two “phones” would share little more than a screen (with a toggle switch), battery and form factor.

The time for legislative and technological innovation to protect employees is now. In 2015, a study conducted by Harris Poll (on behalf of MDM developer MobileIron) asked respondents to indicate which categories of personal information they would be uncomfortable with their employer seeing. Across all eight categories from e-mail to personal contacts to location information, employees were significantly less uncomfortable with employers seeing personal information than they had been just two years earlier. If this trend continues, employees may become sufficiently complacent with the sacrifice of their privacy to preclude innovation.

The draft is thorough in description, so long as VMWare and Apple are the only companies on earth. It might make more sense to begin by describing the BYOD situation more generally, explaining why "mobile device management" became so important, and why the tug of war over MDM and employee privacy presents so many multivalent problems. (In verticals like health care and finance, where the employer can still largely determine what employees' devices are; and in verticals where the device is required to exist, but the employer cannot effectively determine what it is, even though business is done over it.) Some analysis of the business incentives of the various relevant players (the employer, the handset manufacturer, the platform companies, and the telecomms) would also help, if there were room for it, which will be tricky.

On the normative side, the question is "what does 'should' mean?" This is a society of at-will employment, and at the federal level there are no prospects of any regulatory, let alone legislative, efforts on behalf of workers in this or any other context for the immediate future. Unions no longer matter. So what relevance has "should"? And who could possibly have either the legislative authority or the constitutional right to tell companies or individual programmers what to put in their software?