Your company secrets in their hands – privacy and your smartphone

The explosive uptake of mobile devices including smartphones and tablets has us immersed in a complex, volatile soup of hyper-connected digital technologies, where not only is the perception of time being compressed, but privacy protections are being reshaped.

Smartphones and mobile devices are highly sophisticated micro computers packed with tightly integrated geospatial, optical, voice synthesis, radio transceivers, motion detectors and other technologies, glued together by very smart software.

The concentration and integration of these technologies into a single handheld device transforms the smartphone into a truly multifunctional device. This concentration, however, then becomes a serious threat to privacy protection, as we are seemingly inseparable from our smartphones.

From the individual’s perspective, we still appear to be concerned about our own privacy online.

The 2013 Office of the Australian Information Commissioner (OAIC) Community Attitudes to Privacy study found the majority of those sampled were concerned about the loss of protection of their personal information online whether through identity fraud, theft, misuse or other means. These findings are also mirrored elsewhere.

Within our businesses, smartphones are the weapon of choice for conducting our day-to-day business when away from our desks, fuelling the BYOD need.

Question is: In your organisation, if there is a need to ensure a degree of protection against the deliberate or accidental data breach arising from the use of smartphones, or you have to comply with privacy legislation, what can you do about it?

Notwithstanding our concerns about data security or privacy, will our love of smartphones lead us to willingly trade off our concerns about privacy for this convenience?

Privacy legislation meets the smartphone – who wins?

Legislation may be passed, but how effective it is in a virtual, volatile and jurisdiction-agnostic digital world remains to be seen. The rapid pace of development and change in digital technologies stands in stark contrast to the comparatively glacial rate of change in legal and regulatory frameworks. The effectiveness of any legislation is based on considerations such as the deterrence factor, the actual protections afforded under the law and the practicalities of enforcing the law.

But when it comes to new and emerging digital technologies – which cut across conventional legal jurisdictions – the effectiveness of legislation is sadly lacking.

The effectiveness of privacy and data breach legislation is questionable, at best. The volume and severity of data breaches continue apace, despite the substantial increases in spending on information security measures as well as the existence of privacy protection legislation and mandatory data breach reporting in many countries.

The dismal rate of successful convictions of elusive cyber criminals is testament to the comparative ineffectiveness of our jurisdiction-bound legal frameworks in the face of rapidly evolving digital technologies and their associated applications.

A rich target

Given the ubiquitous nature of mobile devices, they are rich targets for legitimate information harvesting as well as cybercrime, as they concentrate, generate and broadcast a wealth of personal information about our lifestyle patterns and habits in one place. The array of systems and apps on your smartphone that continually harvest, interrogate and report back to their masters on the various types of your usage data, including geospatial, phone call details, contacts and hardware information, is where the real value lies to others.

Internet security company Kaspersky Labs recently uncovered an extensive legal cyber sleuthing network with over 300 servers dedicated to the collection of information from users located in over 40 countries including Kazakhstan, Ecuador, Colombia, China, Poland, Romania and the Russian Federation. A number of these countries, however, are also associated with known cybercriminal activities.

The bottom line is that, as individual consumers of smartphone and tablet based technologies loaded with apps, we are relatively powerless to do anything about protecting our privacy.

The same applies in organisations without the appropriate governance and security controls over BYOD mobile technologies.

Your ultimate protection lies in your choice whether to download that app or not, or to limit the use of your smartphone to only making phone calls.

When deciding to load any smartphone services, in the majority of cases, you have to agree with non-negotiable terms and conditions of the provider. A Hobson’s choice at its best.

Tips for personal protection

Despite this, as an individual, there are nevertheless a few fundamental steps you can take to help mitigate the risks to your privacy. These include:

  1. Purchase reputable mobile device security software and install it on your mobile device. This will not only help keep your device clear of known malware and viruses, but also scan all apps and other software for known privacy risks.
  2. If you are no longer using an app, remove it from your device.
  3. Download apps from reputable sources only. If the originator is a real, legitimate business, delivering a real service using their bespoke app, the risks of mal- and spyware are minimal. The challenge is that reading the standard “terms and conditions” of the app (if offered) can be onerous, and the full ramifications of accepting that the app will access other services on your mobile device (such as location, contacts, call details or any unique network or hardware identifiers) may not be fully understood.
  4. Mobile devices are easily lost or stolen. Ensure you set up your power-on and screen lock security, as well as other security measures including remote wipe and location identification services.
  5. When disposing of your mobile device, ensure you remove any SIM and data cards then perform a hard factory reset. This will return the device to its original ex-factory settings, and remove all traces of your data from the device.

Question is: In your organisation, how, where and when is the uncontrolled use of smartphones contributing to increasing the vulnerability of your enterprise data and information?

You may just want to think twice before you email your company sensitive information from your smartphone!

This post is a variant on my article entitled “Your life in their hands – privacy and your mobile device” which appeared in The Conversation, July 2014.