7 ways MDM threatens employee privacy

There are some downsides to tackling BYOD.


Controlling BYOD

For years, organizations have turned to Mobile Device Management (MDM) solutions with the hope of wrapping their arms around BYOD. MDM is a technology that enables organizations to control every aspect of a mobile device, from permitted apps to outbound communications. But with that complete control comes the potential for abuse.

To understand the extent to which MDM solutions could monitor and control BYOD devices, the Bitglass research team installed MDM software on several employees’ personal mobile devices with their permission. The outcome? Complete visibility into employees’ activities, personal interests and more at the click of a button.

Bitglass also found that there was little in the installation process that would signal to employees that they were being monitored, indicating that organizations could silently monitor all employees’ personal activity without their knowledge or consent. Here is an in-depth look at some of the downsides of MDM from Rich Campagna, senior vice president of products at Bitglass.


SSL MITM exposes private communications

One of MDM’s most prominent features, and one ripe for abuse, is the ability to monitor all outbound and inbound traffic. While there is an expectation that SSL-based traffic carrying personal data is securely transmitted, that’s not necessarily the case. Researchers found that with a VPN and a trusted certificate pushed to the device, SSL encryption can be intercepted in transit, allowing MDM to monitor all activity in the browser. This includes information like personal banking passwords, personal email and more, all routed through the corporate network in plain text.
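As an added illustration (not part of the original article or of Bitglass’s research), the Go program below builds the situation in memory with constructed certificates: once a device trust store also contains an enterprise root, a certificate that root issues for a bank’s hostname validates just like the real one, while an app that pins the bank’s genuine public key still detects the substitution. The hostname and CA names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name signed by parent; with parent nil it is a self-signed root.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin hashes the SubjectPublicKeyInfo, the value mobile pinning libraries compare against.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// demo builds the scenario in memory (all names constructed): the device trusts a public CA and, after the
// MDM profile, an enterprise root too. That root issues a certificate for the bank's hostname; the trust
// store accepts it, while a pin on the bank's genuine public key flags the substitution.
func demo() (trustStoreAccepts, pinDetects bool) {
	const host = "bank.example"
	publicRoot, publicKey := newCert("Public CA (constructed)", true, nil, nil)
	genuineLeaf, _ := newCert(host, false, publicRoot, publicKey)
	mdmRoot, mdmKey := newCert("Corp MDM Root (constructed)", true, nil, nil)
	interceptLeaf, _ := newCert(host, false, mdmRoot, mdmKey)
	deviceRoots := x509.NewCertPool()
	deviceRoots.AddCert(publicRoot)
	deviceRoots.AddCert(mdmRoot) // pushed to the device by the MDM configuration profile
	_, err := interceptLeaf.Verify(x509.VerifyOptions{Roots: deviceRoots, DNSName: host})
	trustStoreAccepts = err == nil // no error: the device sees nothing wrong
	pinDetects = spkiPin(interceptLeaf) != spkiPin(genuineLeaf)
	return trustStoreAccepts, pinDetects
}
```

The same check is why pinned banking apps typically stop working behind such a proxy while the browser, which relies only on the trust store, keeps going.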


Wide open access to users’ browsing histories

MDM gives organizations complete access to users’ browsing activities, a slippery slope considering that most people expect sensitive healthcare queries and Amazon product searches to remain private. But it doesn’t stop there. Access to employees’ web history includes financial queries and political activity, all personally identifiable information that could be used against employees.


Mobile apps give MDM access to personal info

It isn’t just browsing history that can be accessed by MDM – these solutions also know which third-party apps are installed on user devices. While it may seem innocuous, this app inventory capability gives organizations the ability to track employee hobbies – everything from sports team allegiances to dating applications. This out-of-the-box capability has the potential to further cross privacy boundaries.


Location data revealed

Most employees are aware that administrators can easily track managed devices via GPS. However, few consider the extent to which this data could be used to monitor their behavior. MDM can force the GPS to remain active in the background without notifying the user and track employee locations in real-time, all while draining the battery. This level of visibility over location has the potential to be far more invasive than simply tracking a lost or stolen device.


Poor user experience

It’s clear from the numbers that employees aren’t keen on MDM. According to research, 57 percent of employees refuse to participate in BYOD programs, citing privacy concerns and poor visibility. That poor user experience is further validated when looking at app store user feedback. Unsurprisingly, many of the most popular MDM apps from VMware and MobileIron garner between 1.5 and 3 stars out of 5, often due to a lack of key functionality.


Risk of personal data loss

On personal mobile devices, employees keep some of their most intimate personal data – photos, messages, notes, and more. With MDM software, all data on the mobile device can be remotely erased, including personal data. What’s more, MDM can restrict or disable backups through services like iCloud, leaving employees with little recourse when trying to retrieve lost data. This capability confirms the very real fear among employees that MDM software puts personal information at risk.


Restrict core device functionality

Employees expect the freedom to use their mobile phones and tablets as they see fit. Unfortunately, with MDM, core functionality may be limited in an effort to lock down and secure the device. While simple security requirements like PIN codes and disk encryption are easily justified, many MDM solutions go a step further and can limit access to the camera, apps like FaceTime on iOS, Bluetooth and basic features such as copy/paste.


Copyright © 2017 IDG Communications, Inc.
