

Wipeout: When Your Company Kills Your iPhone - prakashk
http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone

======
URSpider94
What the article doesn't mention is that, if you back up all of your data to
your desktop, you can retrieve it by restoring the phone. You will still lose
the corporate data, but you will get back your apps and personal data.

If you are using Exchange at work, I would definitely recommend keeping your
personal data (email, contacts, calendar) in a separate account, which the
iPhone will seamlessly combine for you.

------
thought_alarm
I don't get it.

Where I've worked, if an IT guy started accidentally nuking people's
Blackberrys that IT guy wouldn't just be fired, he would be destroyed.

On the other hand, if your device is _actually_ lost then you would want the
entire device to be nuked.

I suppose it boils down to how much the employer is willing to invest in its
employees. If the employer is not willing to pay for the devices the employee
uses for work, then the employer is probably not going to manage those devices
responsibly. For that reason, I would never connect my personal device to work
unless my employer was willing to pay for it.

If your employer acts like they're doing _you_ a favor by allowing _your_
device on their network, then that's probably a good indication that you
shouldn't do it.

------
callahad
Do any enterprise solutions allow more granular wiping?

I'd be completely fine with my workplace being able to nuke their own
information, so long as they couldn't touch my personal data.

Well, I wouldn't be _perfectly fine_ with it, but it seems like a reasonable
minimum level of separation.

~~~
j0
Touchdown (for Android) <http://www.nitrodesk.com/dk_touchdownFeatures.aspx>
keeps all of the Exchange Activesync'd data separate from the main email on
the phone, so when you get wiped only corporate email/calendar get wiped. I
don't think anything similar exists for iPhone.

~~~
jokermatt999
I can't speak for iPhone (though I imagine it's similar), but pretty much all
your data can be recovered to your phone just by logging into your Google
Account, from what I understand. If you use AppBrain, the apps you have
installed will be saved too.

------
Timothee
I remember a similar story from a couple of months ago, and for that reason
haven't connected my work email on my phone. I'll only consider doing it if
the company starts paying for the phone and the plan. Until then, it's not
worth the risk for me.

------
adolph
It's nice to see this issue get some additional coverage.

I've been going back and forth about having my phone linked to Google this
way. I don't like the concept of handing them an invitation to remote wipe my
phone. On the other hand, there does not seem to be a better way to do over
the air contact syncing etc (without signing up for MobileMe). My current
position is to also sync to my desktop as a "if Google dies somehow" data
store and think of my phone as a somewhat more disposable repository.

~~~
gvb
This is not Google per se, it is a Microsoft Exchange ActiveSync plugin
feature. When you install the Exchange ActiveSync plugin[1], it _requests_
that you authorize the software to have the authority to wipe your phone. You
must accept that or not use ActiveSync.

The advantage of ActiveSync is "push" email notifications and integration of
your Exchange calendar and address book with the base Android calendar and
address book.

If you use IMAP to access the Exchange server, the Exchange server cannot wipe
your phone.

If you connect to Google's servers (IMAP), Google cannot wipe your phone via
their servers.

[1] On my Nexus One, the ActiveSync email plugin was pre-installed and I don't
remember seeing the request for wipe permissions when I first configured it.
When Google (or whoever) pushed an update for the ActiveSync plugin, it _did_
ask me for wipe permission. That was my first clue that I sold my soul.

~~~
adolph
Yes, it isn't a Google-specific issue in general; the link to Google is me-
specific in that I linked my phone to Google in this way. I did it for
specific reasons (contacts mostly) and initially without knowledge of the
possibility of remote wipe.

It is interesting that the Android plugin has some UI words about the
authority to wipe the phone. In my recollection iOS did not display anything
like that.

It is also interesting that Google's set-up tutorial for iOS promotes the
ActiveSync method but doesn't mention remote wipe:

<http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252>

------
smackfu
How many people are using Exchange to sync their Google accounts to their
iPhone/iPad? How many of them realize that is an invitation for Google to wipe
your device?

~~~
jon_hendry
It's not clear Google has that kind of control. They don't control the
Exchange server. They're just feeding data to it.

~~~
spicyj
Google in fact does run the Exchange server that you connect to; setting up
Google Sync gives them just as much power as setting up any other Exchange
account would.

------
rbanffy
"somehow work could get through AT&T, who I thought controlled my phone"

And that _is_ the problem. Your phone is controlled by someone else. It's not
really _your_ phone.

~~~
martey
No, the problem is that she changed her phone's settings without realizing the
ramifications. Despite the fact that Amanda thinks AT&T controls her iPhone,
the fact of the matter is that they could only block it from the network, not
remove all of the information from it.

~~~
rbanffy
She gave her company control over her phone because she didn't think of it,
because it felt completely natural for her that AT&T would be in control of
her phone, not her.

People's misconceptions about the technologies they build their lives around
sometimes give space to a lot of pain.

------
mthomas
I believe that is also possible with Android phones when you use the default
Exchange connectivity app. I've ended up using a different program to connect
to Exchange.

------
tomjen3
And that is why I don't connect to Exchange.

~~~
arethuza
That's certainly why I don't connect any personal devices to the company
Exchange infrastructure - they pay for an iPhone so I use it for work.

I have a dumb phone, iPod and an iPad for personal use - which I find a better
combination than one _do everything_ device.

~~~
tomjen3
Do you have very large pockets?

~~~
arethuza
I use a backpack, usually with my iPod in my jacket pocket when walking
to/from work.

I have a pretty terrible attitude towards phone usage - I rarely answer it (I
usually let it ring out and return the call if it is from someone important).
Most people I deal with regularly know to text or email me rather than
phoning.

~~~
tomjen3
That would also work, but I would find it too annoying to have to carry a
backpack everywhere. But hey if it works for you, that's great.

------
Silhouette
I'm not sure what is worse:

- the fact that this is technically possible,

- the fact that the software and service providers think it is appropriate to
offer the feature,

- the fact that some employers (such as the one in the article) actually
think it is even slightly reasonable behaviour to use the feature on someone's
personal phone,

- the fact that the wiping behaviour isn't already clearly illegal with
horrific penalties, or

- the idea that the kind of employee waiver mentioned in the article might
actually be considered a fair and enforceable part of any employment contract.

This is just so completely wrong, it's hard to know where to start!

~~~
tptacek
There's nothing wrong about it at all; it's a completely reasonable due-
diligence security mechanism.

First and most importantly, employers cannot remote-wipe your phone if you
haven't paired it with their Exchange infrastructure. Remote-wipe is part of
the technical contract you enter into when you link your phone to your
company's internal infrastructure. Therefore, while it's _totally reasonable_
to be outraged at the prospect of your employer wiping your phone, the answer
is simply "don't let them".

Why do IT departments need this capability? That's easy: when you synced your
phone up to their email system, you collected an unspecified number of company
secrets. Some of those secrets come with a legal obligation to safeguard them.
In a surprisingly large number of companies, some of those obligations have
theoretical criminal penalties attached to them.

Turning off your Exchange access doesn't get rid of secrets Exchange disclosed
to you already. Companies turn over tens or even hundreds of employees a week.
It's absurd to suggest that they'd leave this matter up to chance, with or
without a "scrub your device regularly" policy.

More to the point: when companies lose PI, PII, or financials, they end up in
the newspaper. Usually, when there's even a _reasonable likelihood_ that data
has been exposed, companies are required to notify impacted business partners,
incurring contractual and legal expenses. Even if you just left the phone in a
bar, and the thief is almost certainly just going to wipe the phone anyways.
It's naive to suggest that companies accept the risk of landing in the paper
or in court _every time someone loses a phone._

It's also perfectly reasonable to point out (bad) IT departments that require
you to tie your personal phone to their email systems. By all means, bring up
"remote-wipe" when they refuse to buy you a crappy Blackberry instead of
letting you B.Y.O.

~~~
Silhouette
> There's nothing wrong about it at all; it's a completely reasonable due-
> diligence security mechanism.

Nonsense. There is absolutely nothing diligent about having an ability to wipe
someone's personal data that has no connection to your business, under any
circumstances.

> Remote-wipe is part of the technical contract you enter into when you link
> your phone to your company's internal infrastructure. Therefore, while it's
> totally reasonable to be outraged at the prospect of your employer wiping
> your phone, the answer is simply "don't let them".

So, here's Flawed Cliché #1 in the opposition argument: "If you don't like it,
don't sign up for it."

Unfortunately, if this sort of behaviour is tolerated, it becomes an
assumption by management that it is acceptable. Refusing to accept it yourself
then gets you a black mark in some manager's mental file, at best.

Moreover, the risk to the personal phone here is completely disproportionate.
This sort of link could be established by an employee without any awareness of
the potential consequences, in response to a casual request by a manager
before the employee goes off to a conference the following week.

> Why do IT departments need this capability? That's easy: when you synced
> your phone up to their email system, you collected an unspecified number of
> company secrets. Some of those secrets come with a legal obligation to
> safeguard them.

Flawed Cliché #2: "You have to protect company secrets."

Firstly, this is a complete straw man: protecting _company_ secrets from the
company mail server does not in any way require deletion of _personal_ data on
a _personal_ phone.

Secondly, if the company has legal or regulatory constraints in how it handles
some data, it should not be providing access to that data on a system that is
not supplied, properly configured and fully secured by the company's experts
anyway.

> Companies turn over tens or even hundreds of employees a week. It's absurd
> to suggest that they'd leave this matter up to chance, with or without a
> "scrub your device regularly" policy.

Flawed Cliché #3: "We need to secure our data when people leave to protect us
against inside jobs."

Firstly, anyone who is pulling off an inside job is probably not going to
leave the only copy of valuable/sensitive data on their personal phone.

Secondly, maybe you should be more careful with who you hire if this is a
serious problem. Someone who is determined to pull off an inside job isn't
going to be stopped by such a simplistic approach.

Basically, your entire counter-argument is a non-argument. Nothing you have
said in any way justifies a company having the power to interfere with your
personal data, and if they need that kind of power over company data because
of its sensitivity then they should not be relying on employees' own devices
anyway.

~~~
tptacek
I think you read about 100 words into my comment, got angry, and started
typing. If you hadn't, you'd have seen that I wasn't talking about insiders
pulling heists.

~~~
Silhouette
> I think you read about 100 words into my comment, got angry, and started
> typing.

Physician, heal thyself. You wrote:

> Companies turn over tens or even hundreds of employees a week.

Unless this is some difference I have never previously encountered between
British and American English usage, that seems a pretty clear reference to
employees coming and going. In the context, what else could you possibly be
referring to apart from the danger of leaking data because employees who used
to have legitimate access still had the data after they left?

------
JunkDNA
My employer solved the issue of people not knowing about this very easily.
Before you can connect to Exchange with a personal device, you had to sign a
document saying that they could remote wipe your device if it gets lost
_as well as_ when you terminate employment.

------
jodrellblank
The whole article is based on this:

 _Stanton wouldn't have been surprised to see this kind of remote control on a
company phone.

But this iPhone was hers.

"It was my account, in my name [and] I'd paid all the bills," Stanton says.
"It didn't make any sense to me that somehow work could get through AT&T, who
I thought controlled my phone, and could completely disable the phone and the
account."_

The whole news item is "person doesn't understand how a system they use works,
as a result gets confused, shocked and indignant".

There's no _news_ here. Exchange ActiveSync has been working that way for,
what, 4-7 years or so.

If you haven't learned what something can do, then you have every right to be
confused, but pretty much no right to be annoyed.

This kind of nuanced technology with personal phone and phonebill connected
over a third party network to a company email and calendar does not have "a
nontechnical explanation" for how it works. There is no nontechnical
explanation for what kind of security problems you might end up with if
someone steals a mobile phone with a live email account - from revealed
information in emails and calendars and address books and live address book
searches, to social engineering to forged messages. The phone might have a VPN
connection.

Someone else got trampled by the march of technologic complexity, that's
perhaps the news.

~~~
Silhouette
> If you haven't learned what something can do, then you have every right to
> be confused, but pretty much no right to be annoyed.

Pretty much every legal system in the world exists because such a position is
more idealistic rather than realistic. No human being has the capacity to
fully understand every interaction and agreement they participate in as a
routine part of daily life. If people actually stopped to read and understand
all the small print, taking expert advice where they needed it to fully
appreciate the implications, then society would literally collapse in days.
Likewise, if everyone refused to use any device where they had not received
full technical training in every aspect of the functionality, society would
fall apart.

We counter this problem using legal techniques, such as requiring that any
term in a contract must be reasonable and understood by both parties for it to
be enforceable. The law in most jurisdictions also explicitly recognises that
not all contractual agreements are made between parties of equal bargaining
power and resources, and therefore tends to give the benefit of the doubt to
the little guy. In this case, if it isn't illegal for a company to exert this
kind of control over an employee's personal property without the involvement
of flashing neon signs and professional legal advice, perhaps it should be.

~~~
wglb
Do you feel that _"We actually have a one-page waiver that says, you know, if
you're going to connect your personal phone to the corporate e-mail system,
that we do have the capabilities if the phone is lost to remote wipe it — and
we will — and then have the employee agree [to] and sign that form," Davis
says._ is a flashing neon sign?

What I find odd is that a company allows people to keep confidential company
information on a personal device at all.

There are many reasons to require this, including insider information, or
other legally-required barriers, as well as company-protected information.

~~~
Silhouette
> Do you feel that [...] is a flashing neon sign?

Yes it is, but it doesn't say anything about the company wiping the phone
negligently because someone in IT screwed up.

Also, it's rather like holding up a flashing neon sign saying "I'm about to
beat you up" before you beat someone up. You might have made them aware of the
problem, but that doesn't mean your actions are either justified or legal.

> What I find odd is that a company allows people to keep confidential company
> information on a personal device at all.

Exactly. If the data is sensitive, it should be controlled properly by the
company using company equipment. That has been my argument all along.

> There are many reasons to require this, including insider information, or
> other legally-required barriers, as well as company-protected information.

To require what? If you mean an arbitrary wipe of a personal device that is
not limited to company information, which is what this whole discussion is
about, then I'm starting a new club for posters telling me about how there may
be legal requirements that necessitate such a facility without actually saying
what those requirements are, what laws impose them, or in what jurisdiction.
Please take a membership form and join the queue. :-)

~~~
jodrellblank
There is not going to be a law requiring a company wipe an employee's personal
phone.

To the extent that this is covered by law, and I am not a lawyer, it will be
under something like "a company covered by this regulation will use industry
standard practices to protect customer data on mobile devices".

One of the industry standard practices is remote wipe of the whole device in
the event of theft. Personal or not, the distinction is idealistic and not
realistic.

~~~
Silhouette
It is not in any way an industry standard to allow employees to use personal
devices to access sensitive corporate data. In fact, doing so would
automatically fail a security audit in a lot of large businesses.

~~~
tptacek
And it would be perfectly fine at any number of other large businesses,
including some of the country's largest law firms, some of the largest
financial services companies in the world, and several health information
providers.

~~~
Silhouette
Indeed, and I've never claimed otherwise. (Obviously I personally disagree
with such a policy, but that is immaterial to this debate.)

Please remember that the question here is whether some sort of generic laws or
regulations might implicitly require an employer to have the power to
compromise their employees' personal phones and wipe their personal data,
given that none of the people arguing on legal/regulatory grounds has ever
come up with any citation that makes this requirement explicit.

In his post, jodrellblank mentioned "industry standard practices" as an
example of such generic legal wording. The fact that many large businesses
accept the policy of using employees' personal devices does not make it an
industry standard. The fact that many more do not _does_ mean that it is not
an industry standard.

------
jpspeno
Zimbra 6 supports remote wipe too.

