In June 2014, the U.S. Supreme Court ruled in Riley v. California that police officers generally* may not search the digital information on a smartphone without first obtaining a warrant. Law enforcement professionals were surprised and appalled, because case law previously said the Fourth Amendment does not require a warrant for a search of personal items obtained incident to an arrest.
What does a criminal law case that limits police cell phone searches have to do with corporate Bring-Your-Own-Device (BYOD) policy? The case illustrates evolving legal theories about reasonable expectations of privacy in personal devices. If it is illegal for law enforcement to access personal information on a smart phone without a warrant, where do businesses stand when they demand access to data on their employees’ devices or remotely wipe that data?
As Chief Justice John Roberts explained:
“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”
Privacy concerns in mobile devices are a hot topic. The FBI Director’s recent statements opposing stronger mobile device encryption, for example, raised concerns among privacy advocates who were already spooked by government surveillance revelations. Another example of the importance of device privacy was highlighted in a uSamp survey recently commissioned by Zix Corporation. Nearly one-third of respondents said that they would rather lose their wallet than their mobile device. That’s not surprising.
IT professionals and business owners are struggling with how Enterprise Mobility Management (EMM) impacts employees’ reasonable privacy concerns about giving their employer control over personal mobile devices. To alleviate employer concerns, human resources and legal departments are requiring employees to sign BYOD waivers, usually named Mobile Device User Agreements. Typically two to eight pages of intimidating legal provisions, those documents give the employer broad rights to access, read, alter and wipe information on the device.
Although the waivers may help solve some of management’s legal concerns, BYOD waivers do nothing to address employees’ legitimate privacy concerns or their objections to losing control over personal devices. Moreover, having access to mobile device data can create legal risks for the employer even if employees sign a BYOD waiver. An employee might assert, for example, that the employer discriminated against the employee based on information that the employer obtained from the employee’s device.
Defenders of BYOD waivers assert that employees voluntarily sign over device privacy and control in order to participate in BYOD. Employees may perceive, however, that BYOD is a job imperative and they have no real choice. And employees may conclude that the employer’s promise of EMM device containerization is more an illusion of privacy than a real comfort – because employees don’t often segregate their work and personal lives and data neatly into digital sandboxes.
At Zix, we have a completely different approach to providing mobile device access to work. With our ZixOne® app, employees can manage their work email, including attachments, and access their work calendar and contacts from their Android or iOS mobile devices. Employees interact with their email as usual – composing new messages, replying and forwarding existing messages and reviewing attachments – without storing that data on the mobile device. If the device is lost or stolen, the employer simply disables that device’s access to work email, calendar and contacts. Because ZixOne does not store corporate email on the mobile device, the employer doesn’t need to control or wipe the device.
ZixOne respects employee concerns about privacy and device control, while protecting corporate email content. That strikes us as a better approach than taking control of personal devices and demanding employee signatures on a BYOD waiver.
* The Court allowed for certain exceptions, such as exigent circumstances.