Computers, Privacy & the Constitution

Privacy in the Mobile Workplace - AirWatch

-- By AndrewWatiker - 05 Mar 2017

The Problem

For many, the 21st-century workplace has expanded beyond the office and now includes the home, the coffee shop, the train and even the airplane. Many employers expect workers to be available to work wherever they may be. While one can debate the social merits of these changes, they raise difficult technical challenges for employees and employers. One of these is providing secure access to company materials and communications channels on mobile devices.

AirWatch: A Popular Solution

The market now supports a number of products designed to help IT departments manage these challenges. One of these is AirWatch from VMware. This product allows IT to “manage” devices running a variety of operating systems (including mobile operating systems), whether the devices are company-owned or owned by an employee. While AirWatch and similar products may prove useful for companies attempting to secure their data, they raise serious privacy concerns. Focusing on AirWatch, we find that while AirWatch claims to protect privacy, the protection offered is largely illusory. Further, employees are not given an adequate choice when use of these products is promoted. Legal scholars are beginning to recognise the threat these kinds of applications can pose if misused.

The Privacy Issues – Not Fully Disclosed

VMware is aware that employees using its software have specific concerns about privacy, particularly in the context of installing the software on their own devices. In its “Privacy First” white paper, VMware indicates that users often think of the software as “big brother” and suggests companies take steps to help their employees understand how the software works. VMware also launched a website designed to help employees better understand the workings of the software. The site suggests that the software effectively separates devices into personal and work apps and that the company can only track actions taken in work apps. A short video even purports to show exactly what an IT manager would see, to comfort users. However, the video and website are misleading. For example, the video suggests that an employer cannot wipe personal data, nor can it see personal apps; neither of these statements is true.

The technical documents provided to IT administrators show that AirWatch can provide an employer with a much more detailed picture of the user’s personal life than the website lets on. Specifically, the application can track an employee’s location, display a list of personal apps installed on the device, remotely wipe all of a user’s data (including personal non-work data) and disable the lock code. While AirWatch recommends best practices (see pp. 23-25) that discourage employing these features on employee-owned devices, companies remain free to do so. Employers using AirWatch set the terms and conditions for their employees using the software. For example, see the terms and conditions for the software as employed by Stanford University.

The Threats – Practical and Legal

VMware boasts of the wide proliferation of AirWatch among many large companies and private institutions, including universities. While VMware suggests that employees can simply opt out of the software by uninstalling it, the reality is quite different. Many companies require the use of the software to access work remotely, and an inability to access work remotely may be incompatible with work responsibilities. For users concerned about the privacy of their personal information, it may be necessary to carry two devices, one work and one personal, and to limit the circumstances under which the work device is used. These risks are not theoretical: in 2010, NPR reported on an iPhone user who had her personal phone wiped by her employer using Microsoft Exchange.

In 2013, the CEO of AirWatch himself (prior to the company’s acquisition by VMware) detailed some legal risks that companies can face. For example, a company could be at risk if an IT employee recognised apps related to a health condition on a phone and spoke to the phone’s owner about it, or if employees lost personal data that was stored in a company-provided application.

What Should Be Done

Ultimately, honest employees should not be put at personal risk (either in terms of employment or personal privacy) to protect corporate security. The proliferation of AirWatch and its installation on employees’ personal devices creates unnecessary risks to the employee. Security can be enhanced through efforts on the part of operating system developers, corporate IT departments, VMware and its competitors, and lawmakers.

Creators of closed operating systems should step in to prevent applications like AirWatch from accessing users’ personal data. For example, Apple could code iOS to prohibit applications from accessing lists of applications installed on the phone and from initiating remote wipes. If necessary, Apple could create a separate version of iOS for corporate-owned devices that includes these features, eliminating the expectation of personal security that comes from a privately owned device.

Employers should cease the regular installation of this type of software on personal devices. If companies do not feel comfortable allowing personal devices to connect to their network, they should either remove the requirement to work remotely or issue company-owned devices to all employees.

VMware should update its website to provide a more honest explanation of the features of AirWatch. The site should detail all of the most intrusive ways that the software can be used. Further, VMware should recode its software so that the most egregious uses are prohibited by design, rather than relying on self-regulation through best practices.

Finally, there should be legal protection for owners of devices from having their personal information subjected to the whim of an IT administrator. Either companies should be legally prohibited from executing full wipes and accessing non-company application information, or employees should be legally protected from discipline for electing not to use this kind of software.

r4 - 22 Mar 2017 - 17:40:10 - AndrewWatiker
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.