FBI backdoors force a rethink of BYOD

The BYOD compact is of mutual convenience and respect for each other's data, but mobile management zeal may break the needed trust

FBI backdoors force a rethink of BYOD

The iPhone 5c for which the FBI wants Apple to create a special version of iOS so that it can bypass the iPhone 5c's password-reset limit and autowipe? If the San Bernardino Health Dept. had installed the county's MobileIron mobile management software on it, the county could have reset the iPhone's password and let the FBI access the iPhone without any hassles.

Also, the terrorism excuse that the FBI is using to force Apple to create a backdoor would be gone. (The FBI has at least 10 other cases involving criminals where it wants Apple to crack iPhones for similar access, but citing terrorism is an easier way to get compliance.)

Now MobileIron and other mobile management vendors are happily reminding IT organizations that for the cost of only $4 or $5 per month per user, they too can help the FBI if an employee turns out to be a criminal or terrorist.

Hmm -- suddenly, I'm not sure I want my iPhone on the corporate network or managed by a corporate mobile management tool. I'm no terrorist or criminal, but that doesn't matter. Right now, encryption is my only assurance of keeping my personal information private, whether on my iPhone, Mac, or other devices that I use. 

For both my convenience and my employer's, I work on personal devices. I know that what I do via corporate systems, like Exchange, OneDrive, or Slack, is subject to my company's discovery. That's fine. But my iPhone and Mac also have my own information -- my text messages with friends and family, my personal files, and so on. I don't want that information available to my company, or anyone else, without my permission.

The beauty of BYOD combined with mobile management was that we could have it both ways: Corporations could protect their data, and so could we individuals, thanks to the notions of separation built into mobile devices, especially in Apple's products.

But the encryption and password resets aren't so separated, which is why mobile management products can be configured to let IT reset the password for the device, which in turn unlocks the encryption for the whole device -- not simply their own secured container on that device.

That is a strong reason for anyone who believes in privacy to reconsider using personal equipment for work. Maybe we should carry two smartphones -- or, if the company won't pay for a corporate device, no longer be accessible outside the office. Maybe we should bring home the corporate laptop and stop using our personal PCs to catch up on work at night or on weekends.

Some IT managers would love that result -- many have never liked the intermingling of personal and professional. But most companies were happy to let employees pick up some of the equipment and connectivity tab, and many employees have been happy to get the flexibility of using the tools they prefer wherever they are. It was a mutually beneficial exchange.

But that exchange required an understanding that IT would limit its access to corporate data, which it can typically get from its servers even if a device is locked and encrypted -- very little on a smartphone exists only there, after all.

However, if IT can be used by the police or other agency to unlock an encrypted personal device, then all that personal information stored on the phone and via personal servers becomes accessible as a by-product of the investigation.

That's essentially the issue for the San Bernardino iPhone 5c -- the FBI doesn't want the county information (which it already has) but the personal information on it.

Because that iPhone 5c was issued by the county, I believe the county has a right to unlock it for the FBI. But I don't agree that Apple should be forced to crack the iPhone because the county didn't install yet software that would let it unlock the iPhone for the FBI -- why is Apple on the hook for that?

If it were an employee's personal phone used for BYOD purposes, I don't believe the employer should provide the FBI access, much less be compelled to do so. It's not the employer's property.

Sure, a company might make such access a condition of BYOD -- fair enough. But it's equally fair to decline to participate. After all, BYOD is supposed to be about optional use and convenience. If it's a work requirement, issue the necessary equipment and serice.

The post-9/11 trend toward a police state is bad enough. It would be adding insult to injury to actively help it happen. So don't do it.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies