Computers, Privacy & the Constitution

Employee Privacy and the BYOD Movement

-- By LuChen - 06 Mar 2015

No Expectations of Privacy

It is no secret that little privacy is afforded to employees who use company-provided computers, phones, and other technology, regardless of whether their use falls under the realm of business or personal. Employers are naturally inquiring, and their curiosity is not easily tempered by such insignificant barriers as privacy concerns. In Stengart v. Loving Care Agency, an employee took what she believed to be reasonable precautions by using her personal (rather than employer-based) email account, without saving her password anywhere on the computer, but nonetheless had her email exchange retrieved from the company’s temporary storage system. The emails in this particular example were communications between the employee and her personal lawyer, making the trespass even more egregious since it violated attorney-client privilege. Even so, circuits have split on whether an employee has a reasonable expectation of privacy in these circumstances, with some courts actively defending the right of the employer to such information. For example, Holmes v. Petrovich held that an employee’s communications sent via computer in this way could be equated to speaking “in her employer’s conference room, in a loud voice, with the door open.”

Why aren't these cases linked? Why should the reader not be provided with what she needs in order to read your draft carefully?

The BYOD Movement

But what if an employee uses a personal device for work, instead of company-provided computers? BYOD, or “Bring Your Own Device,” is a relatively new movement that allows employees to bring their own devices to work, replacing company-provided technology with their personal iPhone, Android, or other device of their choosing. Some companies have even incorporated a BYOC policy, or “Bring Your Own Computer.” Employees like it because it’s convenient for them, and employers like it because it cuts costs and improves functionality.

It’s therefore no surprise that the BYOD movement is popular and growing fast. In 2011, the Aberdeen Group showed that 51 percent of surveyed companies allowed employees to use any personal mobile devices for business purposes, and an additional 24 percent exercised a similar policy for compliant devices. A study by IDC and Unisys found that 40.7 percent of the devices used by information workers to access business applications were ones they owned themselves. Furthermore, 74 percent of IT organizations agreed that the growth of BYOD policies was “inevitable.” Companies such as Kraft Foods, Sybase, and Citrix have started subsidizing purchases of personal devices that are to be used for work purposes.

Why is this a "movement"? It's just a job practice, requiring the workman to supply his own tools. In few verticals of US industry (finance, health care) does the CIO in an organization have the power to determine which devices the workers will carry. BYOD is therefore a surrender to inevitability as well as a determination to squeeze cost savings from the inevitable without increasing liabilities.

Problems with BYOD

But although the BYOD movement certainly has its allure, such a policy is not without its own (often greater) problems. Because employers are entrusting their employees with work-related data on their personal devices, they believe it necessary to be able to protect their business information. This protection most often comes in the form of installing software on the employees’ devices and implementing a BYOD policy that gives them some degree of monitoring and control.

Indeed, instead of curtailing intrusions, many BYOD policies grant employers extensive access to the seemingly “personal” devices that employees bring into work. Depending on the employer, the specific BYOD contract, and the software that the company chooses to install, an employer may be able to access all of the following information:

  • Address book and contacts
  • Usernames and passwords for different accounts
  • Internet history
  • Personal photos and videos
  • Chat and messaging history
  • Personal emails
  • Phone records
  • Calendar appointments
  • GPS and location information

The list is non-exhaustive, and also depends heavily on how the employee uses the device. For instance, an employee who uses an “app” to monitor her health may inadvertently reveal a medical condition to her employer that she would not want to disclose. In another example, in the case of Pure Power Boot Camp v. Warrior Fitness Boot Camp, the employer accessed his employee’s Hotmail and Gmail accounts after discovering her log-in credentials.

You are behind the curve here. The handset manufacturer wants to take advantage of virtualization in the handset, so that the employer can have one VM running in the handset containing employer data, and the employee can have a second "zone," or "profile" which is another VM running in the same handset. The employer's "mobile management platform" controls the employer VM in the device and the employee's photos and personal records can survive, for example, job severance, which will automatically wipe the employer's VM and remove its data from the employee's handset.

This is the Samsung "KNOX" technology, for example, which Samsung recently donated to Google for integration into the Android trunk. This approach, or something close to it, will then become the standard method for "sharing" the employees' handset between the personal and business roles.

Which will not stop employer overreaching. Samsung's own MMP recently began asking Korean employees "voluntarily" to give root on their personal VM inside the handset to Samsung as well.

Remote Wipe

Nor must an employer confine himself to passively gathering data from an employee’s dual-use device. Many employers are empowered to do a “remote wipe” of a device, which entails deleting all information stored on that device - including not only business information but also the employee’s personal contacts, emails, photos, books, music, and any other data stored on the dual-use device - and making the device itself unusable by locking it. This is accomplished through software that the company’s IT departments download onto the device, though sometimes even that is unnecessary; ActiveSync, a remote wipe and lock feature, comes preinstalled in most consumer mobile devices.

Employers assert, of course, that the remote wipe is a precautionary feature used in the case of the device being lost or stolen, lest company data fall into the wrong hands. However, the remote wipe leaves employees with the short end of the stick, as most policies do not require employee approval for remote deletion, do not retain personal data after a wipe, and do not have a policy of reimbursement for the loss of personal content such as music and applications. If an employee values security and privacy in his personal information, free from tampering, then subscribing to a BYOD policy is far from the safest option.


The central issue inherent in managing a dual-use device is the difficulty in separating personal information from company-owned data - that is, when employers attempt to make the distinction at all. Privacy concerns abound, for employers not only monitor the personal data of an employee but are capable of deleting data altogether if it suits their needs. And these are only the issues on an average day; if the company becomes involved in litigation, dual-use devices may be seized in their entirety, and any personal information on them surrendered. It is true that some BYOD policies are more generous to employees than others, but an employee would be well advised to read BYOD policies carefully, and to consider the alternative of simply carrying two separate devices.

The next draft would benefit from more research into the state of technology.


r3 - 26 Jun 2015 - 20:15:38 - MarkDrake
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.