When Trends Collide: Data Collectors Are Gathering Information from Smartphones Used for BYOD

By Linda Musthaler | August 18, 2014

Posted in: Network Security Trends

I had an interesting conversation the other day with Rob Shavell, the co-founder and CEO of the online privacy company Abine. We talked about two big trends in mobile computing and what happens as a consequence of their intersection. This collision of trends could have big implications for companies that permit employees to use their personally owned devices at work (BYOD).

The first trend is the astounding growth trajectory for the practice of BYOD. In a recent global survey conducted by the Cisco Internet Business Solutions Group, the researchers determined that 89% of IT departments worldwide enable BYOD in some form. This may be as simple as allowing employees to read their corporate email on their smartphones, or it could be as sophisticated as encouraging workers to use a range of business applications to work with enterprise data on the go.

The second trend has to do with something that most of us are much less familiar with but which is also growing quite rapidly: the unobtrusive collection of personal data from smartphones. Shavell says there are companies that are collecting personal usage data from smartphones via the applications that people download onto their phones. This data is then sold to advertisers or data exchanges in order to monetize it.

When I talk about "personal data" from the phones, I mean the minute-by-minute history of the location of the phone, what apps are on the phone, what the user does online, and so on. In other words, it is personal tracking data, not enterprise data that the user might be accessing. However, even having the personal tracking data allows the collection companies to combine the phone data with other offline data to build a pretty extensive personal profile about the person who carries that smartphone.

How is the data collected? It's all about the apps. Everyone who carries a personal smartphone has downloaded at least a few apps. It's highly likely that many of these apps – especially the no- or low-cost ones – have been built with snippets of code (software development kits, or SDKs) that come from third-party sources. In fact, app developers are often paid to include these SDKs in their applications. Sometimes the sole purpose of an SDK is to collect tracking data from the phone.

When an end user is downloading an app to his phone, he has no way of knowing if the app includes tracking code. The app's terms of agreement are usually too vague to know if data is being collected, and if so, how it is ultimately used or who has access to it.

Certainly marketers and advertisers want this information in order to target their ads and offers to specific groups of people that meet a certain profile; for example, people who work in downtown Houston and who eat lunch in the local restaurants several times a week. Let's send those people a discount coupon for that new restaurant that just opened in Market Square!

The question is, who else can gain access to this information, and how might they use it? Or even worse, do apps occasionally cross the line and surreptitiously collect other information from the phone, such as the contacts list or the photos on the phone? Yes, they certainly do.

In the U.S. today, the smartphone app market is largely self-regulated. Developers believe they are within the law to collect data from devices and to try to profit by using that data in ways that, perhaps, the user isn't aware of or hasn't anticipated. They are supposed to tell you what data is collected and how it will be used, but these explanations are often buried deep in complex terms and conditions, and they are deliberately vague.

So what does this mean for BYOD? The ramifications aren't quite clear yet, but one thing is certain: the Mobile Device Management industry has not yet caught up with these data collection and privacy issues. MDM products are largely aimed at helping to control which users and devices can access what data under which conditions.

So far MDM doesn't really address the collection of tracking data from smartphones. Why should it? Let's just say that criminals can be very innovative in finding ways to exploit intimate information about people to get what they want. For instance, one could easily imagine a corporate executive being blackmailed because someone has used tracking data from the person's phone to discover that he or she has been going to a specific address each day at noon to carry on an affair. Or much more likely, a criminal could send a very tailored spear phishing attack message to an employee's smartphone. The uses of personal data are almost endless.

So what's the answer? As BYOD continues to grow and risks to organizations mount, we need a couple of things in this area. First, we need legislation or regulations that restrict what data can be collected and how it can be used, along with very explicit disclosure information. Next, we need the MDM market to move in the direction of blocking the collection of tracking data or other personal information when the device is in "work mode." And finally, it would be helpful if the smartphone manufacturers would make it easier for phone owners to opt out of this kind of data collection if they want to.
