Is federal BYOD for mobile moving too fast?

Federal agencies are moving toward “BYOD” mobile policies even as questions about security and privacy continue to arise, according to panelists speaking April 4 at the FOSE conference.

A number of agencies have instituted or are considering BYOD (Bring Your Own Device) policies because many employees rely on their personal smart phones and tablets to manage their lives. The White House is preparing to release a governmentwide BYOD policy.

At the same time, the BYOD trend presents some tricky challenges not fully resolved yet, according to speakers on a FOSE panel.

Because of the ubiquity of smart phones in peoples’ lives, the government is moving toward BYOD “whether we like it or not,” said Rob Burton, partner at the Venable LLP law firm. “But this train may be moving too fast.”

One of the sticking points is whether government agencies have the right to examine or download personal information from employee devices. Burton cited a recent Supreme Court case involving a municipality investigating a policeman for alleged violations. The city downloaded personal information from the policeman’s city-owned smart phone, and the court ruled that was reasonable.

In that case, the court ruled that the government agency had a right to examine the personal information. But if the device had been owned by the policeman, the ruling might have been different, Burton suggested. The privacy expectation presumably would trump any agreements signed by the employee, he added.

“There might be some expectation of privacy in BYOD,” Burton said. “There is some real complexity in BYOD and the courts probably will deal with it.”

Another challenge is security against the growing threat of foreign agents seeking to gain access to U.S. government information, Burton said.

“We think the cyber issues for BYOD are a huge legal area and will be very tough and challenging for corporations and government agencies,” Burton said.

Even at agencies with BYOD policies in place, employees might choose not to participate because of objections to the terms of the policy, according to another panelist at a related seminar.

At the General Services Administration’s Federal Systems Integration and Management Center, about half of the 120 employees currently own personal mobile devices, said Chris Hamm, operations director at the center.

Under an existing BYOD policy and a mobile device management system, the workers are able to use those devices to access email and calendar applications, as well as some other Web browser-based applications, Hamm said.

For connection and integration with GSA’s network, the agency requests that before a device can be connected, the employee sign several agreements for security and access authorizations, Hamm said. One of the agreements is to allow remote wiping of the device under certain conditions.

Currently, only about 10 percent of the employees have opted to sign the agreements for network access for their devices, Hamm said.

“The prospect of remote wiping bothers people the most,” he added.

The FOSE conference is sponsored by 1105 Media, parent company of Federal Computer Week.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Wed, Apr 25, 2012 Frank Lee

Isn't this what the Consent to Monitor warning statement is all about on pretty much every DoD website and computer? Its pretty clear. Seems to me more groups simply need to tell users the risks up front say in annual training (and remind them before every access) that they're putting that device at risk.

Mon, Apr 23, 2012 JohnHenderson Dallas, GA

It Definitely poses the question as to how free Americans really are when there is a potential of personal texts and whatnot being hacked into. Am I the only one out there who finds this disturbing? Great article, and it really lays out the various legal issues involved with BYOD. I think this is also a big issue for any business, your workers BYOD devices not only get hacked, but they are frequently lost or stolen, and much of the emails and texts are on the phone! Smartphones and iPads are a real problem, since doctors like viewing patient data, files and images on them, and iMessage is not HIPAA compliant, just like email. It is this sending of personal information to personal devices that can be lost, which opens up a lot of legal issues for anyone with a cell phone. While the large enterprise solutions having a deeply integrates system where the IT department takes control of the device or provides workers with devices, in a hospital and business setting I am hearing that this can be an issue or barrier to these kinds of systems. Looking around, the hospital I work for did find a way to at least protect text messaging and protect the hospital from lawsuits concerning HIPAA issues related with BYOD by using Tigertext ( www.tigertext.com ); which while not as integrated as the large enterprise solutions, offers some really good benefits, especially cost and device flexibility. IT managers, but also employees are really going to have to be aware of all the different solutions available for BYOD and security - especially smartphones and iPADs. Resources: http://byod.us/ http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html http://www.tigertext.com

Thu, Apr 5, 2012

This is the best idea they have come up with, the public sector has been doing this for years. Most of what the goverment tries to hide is public anyway. Just give your employees and allowance and have them get a phone that meets the criteria of the companies needs. Just about every phone out there is now in compliant with what we use. Red solo cup, lets have a party!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above