An employee at a Danish firm, let’s call her Anna, is given a smartphone to use on the job. She’s also allowed to use it for personal business. Now let’s now say Anna and husband want to have children, and she downloads an app that allows her to keep track of her menstrual cycle. Then, somehow, the boss finds out what Anna has on her phone, and, before she knows it, she’s being let go in order to save the company from taking a hit from the maternity law that parliament is about to pass.
Though only hypothetical, and highly unlikely (unless Anna’s boss is a jerk), the technology that could allow it to happen is already widespread. Company-supplied phones are typically installed with what’s known as MDM (mobile-device management) software that allows an employer to keep tabs on how they are being used.
In a similar, real-world example, a Djøf member recently contacted us about a situation in which his employer had installed MDM software on his phone. He has a job with a new firm, but the phone, which he bought from the employer when he left, still has the software on it. He can’t get it off, meaning that, for all intents and purposes, the phone is still under his previous employer’s control.
Datatilsynet, the national data-protection authority, is also critical of MDM software; recently, it warned that it gives your employer access to information that it shouldn’t have.
The spread of mobile phones, and especially now smartphones, has made workers more efficient, flexible and – as the name suggests – mobile. Your company is, of course, making it as easy as possible for you to work, but if you are going to have access to company data (be it in the form of e-mail, files or computer systems) the company is going to want to make sure that its data are protected. The problem with that, though, is that it raises privacy questions while also – counter-intuitively – putting the company’s data at risk.
Efficiency and security
There are two reasons why your employer wants to put MDM software on the devices it gives you, according to Nils Christian Ørbech, a Djøf system administrator.
“Firstly, because it makes certain functions and programs available to the employee,” he says. “But, the other reason is that it is a security measure that prevents you from installing programs or apps that could pose a danger to the company’s data.”
Whether it is to make you more efficient, your phone more secure or another reason entirely, once your employer puts the software on your device, your data are accessible. The question is just how much of it they can get at.
According to Ørbech, there are basically two types of information MDM software can be used to access: which apps you’ve downloaded and the phone’s GPS data.
False security
That may sound innocuous enough, but it isn’t, according to Samir Maktabi, who provides consultancy about mobility and security – including MDM.
He reckons that a lot of MDM software does nothing to protect the employee, and that it may even violate GDPR.
“A list of the apps you’ve download is extremely sensitive personal information,” he says. “Dating apps like Tinder and Grindr say something about your sexual preferences. If you’ve downloaded betting apps, you could be suspected of having a gambling problem. That’s just not information your company should have.”
He explains why: “You could imagine that if the head of IT was about to get fired, he could take a look at the information on the managing director’s phone. Or he could blab that someone in the company had 17 dating apps.”
There are technologies that make it possible to keep devices safe without collecting sensitive employee data, according to Maktabi.
Android phones, for example, can be partitioned, so you that even though you only have one phone, you can keep your professional data separate from your personal. If you have an iPhone, you can use an app that requires a password to access work-related functions like e-mail, contacts and your calendar.
Another way to provide employees with a measure of privacy, Maktabi says, is to force companies to keep a log of when personal employee data gets accessed – something he says is easy to do.
So it is technically possible to respect employees’ privacy without compromising security, but if the company isn’t on top of things and improperly installs MDM software, it puts its own and its employees’ data at risk.
“And then there are all the companies out there that haven’t updated their MDM software yet so they meet data-protection requirements,” Maktabi says.
Legitimate, within limits
In Denmark, Datatilsynet is responsible for making sure that companies live up to GDPR. Allan Frank, a computer-security specialist working for Datatilsynet, understands that the rules can be hard to understand for companies and their employees. MDM, he says, isn’t black and white.
There are, he makes clear, good reasons why a company would want to control an employee’s phone, even if that might put it in touch with personal information.
“It’s perfectly legitimate for a company to want to keep its computer infrastructure safe, and to want to prevent devices from compromising the security of the network,” Frank says.
That, though, is not the same as giving employers carte blanche to hoover up as much information as possible. In order for monitoring to be considered reasonable, two criteria need to be met, according to Frank: firstly, it may not exceed the minimum level necessary for protecting the device and the company’s infrastructure, and, secondly, the company needs to take measures to protect the information, such as restricting access and, if it is accessed, keeping a log of who did it and when.
In addition, the employee must be fully informed of the extent of the monitoring. If a company does all of that, then they shouldn’t have any problems, Frank says.
The question, of course, is whether firms are actually doing all of that. Even though Frank has no reason to doubt that they are doing what they can, there are plenty of grey zones between work and personal data where it might not be clear what the right thing is.
“We’re human, and we’re bedazzled by all the things technology allows us to do, but, if we get too distracted, we might not consider what digital footprints we could be leaving behind,” Frank says.
His personal solution has been to prioritise security over flexibility.
“I have two phones,” he says. “I don’t mix work and personal data. Seen from a security perspective, that’s the best solution.”
Assessing risk
One of the main reasons for installing MDM software is to protect company data, but that’s not as straightforward as it once was.
Even if you have a profile on your phone that you only use for work-related activity, everything you have on it – personal and work-related – is most likely being backed up to iCloud, Dropbox, Google Drive or whatever other cloud you subscribe to. If you’ve given Facebook, Endomondo, Snapchat or any other app permission to share your data, then you can give up any hope of keeping your work-related data from being spread around.
“The more we mix our personal and work lives, the greater the chance that something bad will happen,” Frank says.
Some companies – the sensible ones – have done a digital risk assessment and identified the employees that need higher levels of monitoring due to the nature of the information they work with, according to Henning Mortensen, the chair of Rådet for Digital Sikkerhed, a group that seeks to inform the public and businesses about computer security.
“The biggest problem is if the people who are responsible for monitoring haven’t put much thought into their risk assessment – if they just do it without trying to strike a balance between respecting employees’ personal information and the company’s obligation to protect its own data,” Mortensen says.
Employees have a choice
Michael Gylling Hviid, a mobility specialist with We Do Mobility, which companies hire to install their MDM software, defends the practice.
“Companies get a lot more out of their system if they have MDM,” he says. “It gives them peace of mind that their data aren’t being misused or that it won’t wind up in the wrong hands.”
Hviid recognises that it might not be in someone’s interest to allow their employer to see which apps they have downloaded. But, he believes it is a necessary evil.
“Employees have a choice. No-one is telling them they need to read their e-mails, but if they are going to, they need to accept that they will lose some of their privacy.”
Put another way, they could do like Allan Frank and get themselves a second phone. But, for most people, that’s not an acceptable option.
In everyone's interest
If you are an employee who is being monitored, and you aren’t aware of it, you either missed the memo or your employer is being negligent, according to Mortensen.
“Your company has an obligation to inform you,” he says.
If your employer hasn’t told you whether there is MDM software on your phone, it’s easy enough to check on your own.
“It’ll be an app that neither you nor your provider put there and that you can’t remove,” Mortensen says. “Another thing you can do is search the company intranet to see if there is a company policy you weren’t aware of.”
Frank’s recommendation is for employers and employees alike to take an interest in data security. It might seem irrelevant, but knowing what your employer has access to can only benefit you.
“This isn’t the sort of thing that might not seem to matter much when you are on good terms with your employer,” he says. “But, if things suddenly go awry, you might find out the hard way what can happen if one of you knows more about the other than they should.”