Blog post

The Dark Side of Bringing Your Own Device

By Andrea Di Maio | May 29, 2012 | 4 Comments


Last week I met clients in the Bay Area and had two very interesting conversations about BYOD (Bring Your Own Device) policies.

In one case, the CIO had been struggling for so long with frequent requests from users to support their devices of choice that he went for a much broader choice of enterprise-provided user devices instead. His reasoning was that the cost of supporting an increasing variety of user-owned devices, plus the risks posed by employees mismanaging the boundary between enterprise and personal use, were greater than the cost of providing enterprise devices. He claimed that this helped make employees more conscious of, and cautious about, the distinction between business and personal use.

In the other case, the CIO told me that there is a proliferation of devices despite the lack of a formal BYOD policy. When we touched upon one of the typical risks, which is the use of personal clouds (such as Dropbox, iCloud, Google Drive), he told me that one of the personal cloud providers had contacted him with a list of hundreds of employees in his organization who had registered for their service (presumably with their business email address). The purpose was clearly to sell the enterprise version, but this raises a very interesting question: to what extent are consumer software providers respecting their users' privacy, and how is our personal data being used in ways that we would not anticipate?

If I were one of the employees using that tool, I would be pissed at the vendor. I may be using the personal cloud for purely personal purposes or to store public data, hence in full compliance with my code of conduct, and yet my employer would now have reasons to believe that I am doing something wrong.

This is not new. Every time we visit a web site from our corporate network or give our business email address when registering for a service, we leave a digital trace. We rarely think about what the provider might do with it besides piling on our spam load. However, this example shows that the vendor can simply tell our employer.

BYOD looks like an unstoppable trend, as more and more people look for the convenience of using their own device. However, there are potentially serious implications, ranging from the enterprise remotely wiping a personal device when it is lost (taking all personal data with it, which is gone for good if we later find the device but had missed the last backup), to a vendor airing our possible non-compliance to our employer, to our employer accessing and analyzing our personal data.

The irony is that while everybody is worried about the risks of BYOD to the enterprise, the worst risks could be for us.


4 Comments

  • There is an implicit question that needs to be tackled in your post, and it is the non-differentiated usage of professional e-mail addresses for personal purposes. Or not even having a second/personal e-mail address for one’s own purposes.

    I think it is a matter of “Digital Literacy 101” that e-mail addresses send tacit messages about our digital identity. Thus, I would not be surprised to see my cloud provider talk to my CIO because I and a hundred workmates are using their solution… if I had provided my pro address. I would be but angry – and the data leakage definitely suable at least under Spanish law – had I provided my personal address.

    This is, of course, very related to personal/pro uses of devices that I can bring to my own work.

  • Dave says:

    Our organization was recently contacted by a personal cloud provider, quite similar to what you have mentioned in your post. And for compliance, we set up a corporate/enterprise agreement. The points you make are quite relevant. Our approach is that we will contact the users who have registered a cloud account with their corporate email, request that they provide assurance that it's for corporate purposes, and if so, they will become part of the corporate agreement and have to justify the monthly/annual costs to their Director or above. It's not the best process, but it works, for now at least. There has to be some level of acceptance that accounts registered with your corporate email do indeed indicate that they are being used for corporate purposes. And if that is the case, then we should be compliant, and if not, then the user should reconsider.

  • Andrew Ecclestone says:

    Hi Andrea,

    When you tweeted the link to this piece, you tagged it with #opengov. I’m curious as to how you see this as related to Open Government, or if it was just a typo.

    Also, in case you haven’t seen it, this is worth a read, on how we might define ‘open government’:
    http://integrilicio.us/2012/05/22/a-working-definition-of-open-government

  • Andrew,
    it is relevant, as open data as well as social media will be tools that employees will use on their devices of choice.