BYOD is Really More Like TYDH

 

 

 

 

 

In order to understand the privacy complications that accompany BYOD (Bring Your Own Device), it is probably better to think of the issue as TYDH (Take Your Device Home). It’s not a particularly catchy acronym, but it describes the issue more succinctly: it’s not the organization’s phone. It’s my property.

It’s mine.

For simplicity, I will use the term “organization” to refer to any party (such as an employer, corporation, state or government entity) during the following discussion. Additionally, I’ll use the term “mobile networked device” when referring to laptops, smartphones, tablets, USB drives, rogue Wi-Fi devices, etc. And I’ll use your home as a metaphor for discussing privacy, since most of us have a home, & – particularly in America – we have strong, almost sacrosanct, notions about the privacy of our homes.

You have a home, with features such as windows (with shades drawn or not drawn), & rooms – an outdoor porch, doors that open and close, a kitchen, living room, bathrooms, bedroom, study room, ante-room, etc.

Everyone would agree that, within the confines of your home, you have a reasonable (legitimate) expectation of privacy. You talk to your spouse, go to the bathroom; you cook what you want; you have sex; you get dressed and undressed; you rant & rave (if that’s your thing), etc.  You legitimately intend to shield all of these behaviors from the view of others.

Sometimes, but only sometimes, your “expectation of privacy” is somewhat diminished – even in your own home. For example, if you host a party, & there are numerous cars collected about the driveway of your home, or numerous people gather on your open porch, your activities are made “public” – at least to the extent that those activities are open to public view.

The metaphor of the home, with its more or less legitimate expectation of privacy, is analogous to that of one’s personally owned mobile networked device. Gmail conversations are akin to what happens within the confines of a home – the living room, kitchen, bedroom, etc. Private surfing on the web (whatever the site) is akin to closing the door to use the bathroom. Facebook might be akin to the invitation (and display) of people on the porch of your home.

Your legitimate expectations of privacy – whether in the home or on a computer – depend upon the extent to which you take (or forgo) efforts to make private or shield your activities from public view.

Everyone would agree that to “bug” – by audio and visual surveillance – one’s home would constitute a fundamental invasion of one’s privacy to do what one wants to do in private. So too, to “bug” a privately owned mobile networked device to view, read, or record what one is doing in Gmail conversations, general surfing of the web, etc. is likewise a fundamental invasion of one’s privacy and liberty interest. Thus, if an organization insists upon the capacity of that organization to somehow “invade” any private content of a private mobile networked device owned by an individual, then that invasion is akin to an invasion of the privacy and liberty interests of an owner of his or her own home.

An organization might argue that it has a paramount interest in “bugging” or otherwise controlling access to an individual’s privately owned mobile networked device if that device is also being used for organizational purposes (i.e., involving proprietary information of the organization) along with the purely “private” purposes of the employee. This is a strong argument because it might be reasonably said that an employee – if she insists upon using her personally owned mobile networked device for both personal and “organizational” purposes – necessarily forfeits her right to have all communications & data on that device immune from organizational scrutiny and control.

That is, the employee has a choice: (1) on the one hand, she can use her personally-owned mobile networked device for purely “private” purposes, totally shielded from the organization’s view; or (2) she can use a separate mobile networked device owned by the organization for the sole use of organization business and thus open to complete organization overview.

An employee might argue, on the other hand, that – as a practical matter – it is more economical and business efficient for the employee to use her “own” mobile networked device for both personal matters and organizational matters. That being the case, the employee’s legitimate expectation regarding the privacy of her purely “private” mobile networked device use is paramount to any invasion or control by the organization over that device. That is, the otherwise legitimate interests of an organization to protect its proprietary information, for example, are trumped by the privacy/liberty interests of the employee to protect from view or disclosure her private communications and activities.

In the case where the employee uses her own personal mobile networked device for both “personal” and “business” use, the question is whether the interests of the organization in controlling/monitoring that device to protect the organization outweigh the recognized interest of the employee to keep secret or shield her purely “private,” non-organization activities and communications.

As you might intuit, this question involves an assessment of real “risk”: i.e., the actual extent to which the organization might be harmed by not controlling and monitoring the employee’s personally owned mobile networked device as opposed to adopting a policy of non-monitoring and non-control.

Perhaps the answer to this tension and risk is to focus on what is most “normative” in real life, depending upon the particular organization involved. That is, a strong case can be made that, as a practical matter, and in the most usual case, there is relatively little risk that employees’ use of personally-owned mobile networked devices for both personal and business purposes results in actual harm to the organization if that device is lost or stolen. The result and risk might be different, however, if the very nature of the organization’s business is, for example, “top secret” or involving “national security.”

As a general proposition, applicable to most cases, it would seem that the “normative” behavior of employees to use their own mobile networked device for both “personal” and “business” uses – which, by the way, fosters practical business and economic efficiency – tips the scale such that the organization should not control or otherwise invade such devices in light of the paramount “privacy” interests of the employee. Surely, certain safeguards can, at least minimally, reduce the risk of adverse impact on the organization – e.g., identity or data access controls, or rules for promptly reporting the loss of a personal mobile networked device. On the other hand, as indicated before, the scales might well tip in a different direction depending upon the extent of particular harm that might be incurred by the particular company/employer (e.g., the CIA).

: – /