Mobile encryption and your company's data
The forthcoming legal battle between Apple Computer Inc and the United States of America, or more specifically, In The Matter of The Search Of An Apple IPhone Seized During The Execution Of A Search Warrant On A Black Lexus IS300, California License Plate 35KGD203, is proving to be of great interest to people around the world.
Regardless of your personal position with respect to law enforcement access the situation should be a stern wake up call to employers who issue technological devices to their staff.
This case will set the precedent with regards to strong encryption measures and law enforcement access for the United States legal system but it will have global implications. It is almost certainly going to be litigated, it is likely to be litigated all the way to the US Supreme Court and it will attract much amicus attention. It is a good candidate to set precedent because there is no real urgency in recovering the content and, as Prof. Orin Kerr points out here, there are no Fourth Amendment (unreasonable search and seizure) issues to cloud the process. It is that second point that gives rise to my discussion here.
“even if the government didn’t have a warrant, the government has the consent of the phone owner. The phone in this case was owned by the San Bernardino County Department of Public Health, Farook’s employer. Farook used it, but the county owned it.”
The employer issued their staff member with a device. That employee is no longer of this earth and the employer has good reason to believe that he was making inappropriate use of the device. The employer is locked out of the device because they have no mechanism of recovering or resetting the pin-code that was used on their device. This is a problem. Employers certainly have interests in the application of strong encryption on mobile devices, but, even if the Government or the hardware provider do not (or should not) retain an unlock privilege, the employer probably should.
Employers need to;
- Know that the data held on their employee’s devices is secure should that device ever be lost to a malicious 3rd party, but also,
- Be in a position to unlock that machine should that malicious party turn out to be the employee themselves or indeed should the employee die or otherwise become unavailable, and;
- Be in a position to unlock the device should their staff member forget their credentials because, in all likelihood, there may be work product on the device that is not saved elsewhere.
The legal machinations will work out the extent to which the United States Government can force a provider to make it possible unlock/decrypt a consumers’ device. On that point I probably fall on the side of Apple; the issue being that if it is possible for one government then it is possible for all and not all governments are entirely respectful of the rule of law.
But, in this case, the San Bernadino County should quite clearly have ensured that they were in a position to unlock the device. Employers, issuing hardware to their employees should ensure that they are in a position to unlock those devices.
Enter the Mobile Device Management (MDM) tool. This allows organisations to remotely manage devices including, in most cases, not only mobile phones but also laptops and tablets. An MDM tool can enforce encryption on the device, solving for point #1 above, while also allowing an administrator to reset the pin-code or password, solving for #2 and #3. There are a number of other capabilities provided by most MDMs including remotely locking or wiping a device.
As a matter of good governance, organisations who equip their employees with mobile technology such as smartphones should be using a Mobile Device Management tool to ensure that they retain ultimate control over those devices.
Contact us if you want to talk more about MDM or learn how mobile solutions can help your improve your business productivity.
Posted by: Chris Auld, Chief Technology Officer, Executive Director | 24 February 2016
Tags: mobility, MDM, Mobile Device Management
Rate this post: