BYOD policy: Who controls your smartphone?

Whether you love them or hate them, smartphones are an amazing technology. Not only does the average smartphone have more computing processing power than what was used to send a man to the moon, but thanks to ubiquitous connectivity practically everyone has access to the entire scope of human knowledge, all from a device that is small enough to fit in our pocket. Like any other widely embraced technology, however, smartphones have caused their share of friction. Lately, I have been noticing something of a power struggle related to the smartphone. No, I’m not talking about Sprint and Verizon battling it out for market share. I’m talking about those who want you to use your own phone for their own purposes, raising the question: Who controls your smartphone?

On the surface, this sounds insidious. After all, the phone that is in your pocket right now is yours. You bought the phone, you pay the bills, so you get to decide how to use it, right? Not quite.

Three or four years ago, one of the biggest trends in IT was Bring Your Own Device, or BYOD. Previously, corporate IT had largely required employees to work from officially sanctioned, corporate-owned devices. The idea was that these devices could be configured to comply with the organization’s security policy, whereas personal devices presented an unacceptable risk to security. The Bring Your Own Device trend started when employees (especially executives) started demanding to be able to work from the latest generation of consumer devices.

BYOD: Going too far?

Who controls your smartphone

The Bring Your Own Device initially gave people unprecedented flexibility to work from the device of their choosing. More recently, however, this trend seems to be going too far. Whereas working from a personal device was once a choice, I have been hearing an ever-increasing number of stories of employees who are pressured into working from personal devices. I have even heard a couple of stories of organizations that no longer provide employees with computers, tablets, etc., instead expecting employees to work from their own personal devices. This trend has been compared with other industries in which employees are required to provide their own tools. For example, hair stylists commonly supply their own combs and scissors. Auto mechanics often provide their own wrenches.

Personally, I don’t have a problem with the idea of employees being asked to provide their own computing devices, so long as the requirement is put into place ethically. After all, it is one thing to inform a prospective employee of the requirement during a job interview. It’s another thing to suddenly require existing employees to start providing their own computing devices.

Of course, most organizations are not yet requiring employees to provide their own computing devices. For right now, the biggest issue related to the use of personal devices is device policing. I will be the first to admit that the IT department must take steps to ensure that devices that connect to corporate resources do not create security or compliance problems. But at what point does the need for security give way to policing an employee’s personal life?

For an employee who sometimes works from a personal device, the bigger question may be a matter of what the organization can and cannot do with the device. In some cases, the organization’s capabilities are spelled out for the employee during the device enrollment process. For example, an organization may display a screen asking the employee to accept various terms and conditions prior to completing the enrollment process.

In other cases, the enrollment portal may describe to the employee what they can expect. Microsoft Intune, for example, is really good about this. When a user enrolls an iOS device into Intune, the enrollment portal displays a message similar to the one shown below, telling the employee exactly what the IT department can and cannot do. The only problem with this is that the employee might not necessarily be notified if these capabilities were to change at some point in the future.

Who controls your smartphone
For me, the real issue over who controls your smartphone is that of device ownership. Pretty much any organization is going to require that mobile devices such as smartphones adhere to some basic security standards if they are allowed to access company resources. For example, an organization is probably going to require devices to be password protected and to automatically lock after being idle for a specific period of time. That’s all good and well, but things can be taken too far.

In an effort to keep devices secure, some organizations have been known to use ActiveSync policies that disable certain hardware features on mobile devices, such as the camera, Bluetooth connectivity, and even the GPS. There have also been stories of organizations disabling the device’s Web browser in the name of security. Of course the opposite can also be true. A lawsuit from a couple of years ago alleges that a sales executive was fired after uninstalling an application that tracked her whereabouts constantly, even on the weekends.

When ‘acceptable use’ becomes unacceptable

As annoying as it would be to lose core device functionality to overzealous ActiveSync policies, a bigger problem may be that in some companies using a device for work may mean relinquishing the ability to use the device as you please. I have read about companies that now impose acceptable use policies for any device that accesses corporate resources, not just those devices that the company owns. Such a policy would technically mean that an employee who works from their own device would be subject to the same behavioral standards as an employee working from a corporate-owned device. In other words, the apps that the employee installs, the text messages that the employee sends, and the websites that the employee visits all have to comply with the company’s acceptable use policy.

An employee could conceivably be fired for sending an off-color text message from their own personal device to a close friend who does not work for the company, outside of business hours. If that sounds crazy, then consider cases that have made the news of teachers or even celebrities who have been fired for violating some sort of morality clause in their contract.

Until the legal system manages to sort things out, the best way for an employee to protect themselves is to use separate devices or separate profiles for work and personal use. Employees would also be wise to ask for a written statement of the company’s policies regarding the contents of personal devices.

It is also advisable for anyone who uses a mobile device for both work and personal use to configure automatic cloud backups of data such as photos, videos, and contacts. Corporate IT can easily perform a remote wipe of enrolled mobile devices. Such operations purge the device of all its data and apps, resetting the device back to its factory defaults. There have been documented cases of employees losing personal data as a result of accidental remote wipes.

Who controls your smartphone? A widening battlefield

Although corporate BYOD policies probably represent the most obvious battle over who controls your smartphone, the fight is also being fought on the commercial front. Some car manufacturers, for example, have begun phasing out in-dash navigation systems in favor of smartphone apps that use the driver’s phone to send navigation data to the vehicle’s screen. The terms of service for some of these apps discuss everything from the ways that your personal data can be collected to ways in which the app can display notifications (ads?) on your mobile device. Similarly, some insurance companies have begun using smartphone apps to track their customers’ behavior in an effort to establish risk.

Photo credit: Shutterstock/Pixabay

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top