Following the lead of other large businesses, IBM implemented a “bring your own device” policy in 2010, allowing employees who work outside of the office to use devices other than corporate-issued smartphones. Unfortunately, the company felt it had to follow this liberal policy with a conservative ban on technologies that IBM considered potential security issues. IBM’s Chief Information Officer, Jeanette Horan, put together a team to create guidelines as to which applications are safe to use and which are off-limits. In her words, many IBM employees were “blissfully unaware” of applications that could pose security risks.
Dropbox is one popular utility on the banned list, along with other file transfer services, for fear employees could upload sensitive information meant to stay inside the company. Apple’s iCloud service is also blocked at IBM, with their I.T. department substituting an internally-hosted MyMobileHub service.
Even Apple’s Siri personal assistant is banned at IBM because of worries spoken queries might be stored somewhere and viewed. A look at Apple’s user agreement confirms “[b]y using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and other Apple products and services.” Siri does collect information, such as each user’s address book contents, for the purpose of improving voice recognition, but IBM may be most concerned that it (at least temporarily) stores digital recordings of dictation of SMS messages or emails.
Interestingly, IBM doesn’t forbid the use of Google, despite all the privacy concerns people have expressed with its services over the years. Perhaps that’s at least partially because Google now anonymizes IP addresses after nine months and cookies in search engine logs after 18 months.
Siri lead developer Edward Wrenbeck states that the personal assistant doesn’t open up any avenues that weren’t there before. Many internet companies face the same issues about handling of users’ data. Even if you do nothing more than leave GPS location services enabled on a cellphone, you could be in violation of a non-disclosure agreement if it reveals you’re at a customer’s location.
This effort on IBM’s part may help raise awareness of potential security issues with technology, but it’s not likely to provide any real solutions. For as long as employees have been able to save data on personal computers, they’ve had the ability to take copies of that data offsite. Tiny USB memory sticks and micro SD cards have only made that easier. Cutting off access to Dropbox or iCloud merely blocks a few high-profile options for moving information off of IBM’s internal systems. Surely, there are hundreds of other services offering similar functionality — not to mention such options as uploading content back to a net-connected home computer via VPN or encoding content for upload via Usenet messages. Employee trust is the only real answer.
Comments are closed.