Jeff Jardine

Wiping away trust in cellphone security

You work for a company or a government agency that has its own email system, as do most.

You access the email system using your own cellphone, which, in the age of technology, is extremely common. It’s your phone, not your employer’s. Or is it? How much control should your boss have over your phone?

It’s a question that arose in the Yosemite Community College District recently. Instructors use the email system to communicate with students, one another and the district administration. The instant nature of technology offers and demands instant communication.

They are given the choice of signing in through their phone’s browser, such as Safari, or through a more convenient mode using the district’s server. The latter comes with a price – ultimate control of your phone – as Android owners are told when they prepare to sign in: “Server webmail.yosemite.edu must be able to remotely control some security features on your device. Activating administrator will allow Email to perform the following operations.”

Three pages of operations give the system’s administrator – meaning the district – the authority to erase all data, including contacts; set password rules; control screen locking functions; disable messaging; prevent use of the Internet; and disable the device’s cameras, Wi-Fi and SD cards, etc. The term, among techies, is to “wipe” the phone, which eliminates everything from photos to contacts to emails and data. In essence, the phone would be reset to its original factory condition.

Other institutions, including California State University, Stanislaus, have the same ability through Microsoft Exchange.

“Enterprise data may be compromised via email,” said Stan Trevena, Stanislaus State’s interim associate vice president for information technology. “If a person does not have a lock screen on their phone, and they lose their phone, sensitive data ‘may’ be exposed.”

Even so, Trevena said, “I can’t imagine any circumstance other than the theft of a phone that would make a person want to do a remote wipe. In the case of Exchange, there is also an administrative feature to allow a system admin to perform a remote wipe of a device. Same reasons would apply, it would be done to preserve privacy in the event that a phone is stolen or lost.”

Marty Gang, YCCD’s associate vice president of information technology, said the practice has been in place for at least three years. Employees can access their email through https://webmail.yosemite.edu via their phone’s own browser, such as Safari, and not relinquish control of their phones. Or they can sign up through the district’s server and play by its rules, which include granting the authority to wipe out a phone’s memory, Gang said.

Anyone who recently purchased or replaced an Android phone might be seeing the conditions for the first time, he said.

“Employees are not required to load the district’s email onto their phone,” YCCD spokeswoman Connie Chavez said. They can contact the district’s help desk if they need, well, help.

If your security radar isn’t already on high alert, it should be, no matter whether it’s a phone, desktop, laptop or notebook device. Just reading that set of conditions attached to the district’s app version gives reason for concern, especially at a time when privacy and security are huge issues. Numerous retailers have had their systems hacked and their clients’ information stolen.

Con artists repeatedly call folks, telling them there is a problem with their computers that can be fixed if you’ll just give them access. Those who fall to it have their information, including credit card and even tax information, stolen.

Government agencies and businesses are obligated to maintain secure information systems. Individuals need to protect themselves, as well, including from intrusion by governments and institutions.

I asked some others about phone controls. A friend in law enforcement said he uses his personal phone for work. When he takes photos of an accident or incident, they can become evidence in the case. But he downloads it himself and sends it through the proper channels. He doesn’t grant the agency remote access to his phone, nor does it request that access. If higher-ups believe his phone houses other information that is important to a case, they can issue an administrative subpoena to search the contents, he said.

Marsha Cunningham, IT director for Stanislaus County, said the county provides phones to its employees. “We discourage the use of personal phones,” she said.

One reason, she said, is because government business – including emails using public web servers – is supposed to be public record. In fact, there’s no doubt in my mind that some public officials use their private email accounts to keep certain conversations from being public. But if it’s on a government server, it in theory is supposed to public, except when it involves personnel issues.

Cunningham’s other concern is that if a county employee loses a private phone, the finder or thief would have access to information that he or she isn’t authorized to have. An employee who loses such a phone is asked to inform the county within 24 hours so the IT staff can disable the account or change passwords to block entry. Wiping.

So there is it: Agencies and businesses guard against employees losing phones, which can compromise information and privacy of others stored within their systems.

Employees, meanwhile, shouldn’t grant anyone access to their private phones, and back up any vital photos and information stored in them.

It’s a matter of trust, or lack thereof.

Bee columnist Jeff Jardine can be reached at jjardine@modbee.com or (209) 578-2383. Follow him on Twitter @JeffJardine57.

  Comments