Employee Privacy Succumbs to MDM

An experiment conducted by Bitglass reveals that mobile device management software can potentially give employers an unprecedented look into their workers' personal lives.

Mobile device management (MDM) is practically a necessity in today's workplaces, at least for businesses concerned about how their data is being treated on bring your own devices (BYOD). Employees may feel differently if they catch wind of a new report from Bitglass.

The cloud security specialist recently ran an experiment on unspecified MDM software solutions using its own workforce as test subjects. After configuring their MDM platform to route mobile traffic through a corporate proxy and decrypting SSL traffic through the use of corporate-issued certificates on BYOD devices – a common setup in enterprises according to Bitglass – the company was able to get an up close and personal view of employees' lives during and after work hours.

In a blog post revealing the results of Bitglass' "MDMayhem" experiment, product marketing manager Salim Hafid said that after inspecting the captured packets, the "team was able to see the contents of employees' personal email inboxes and capture usernames and passwords, all transmitted in plain text via the always-on VPN we setup. Even third-party apps were susceptible to packet sniffing."

MDM also provided Bitglass with app download and browser histories, exposing health-related searches along with other deeply personal insights into users. Sandboxing capabilities like those found in iOS, which runs on iPhones and iPads, failed to keep a lid on data sent by popular apps like Messenger and Gmail.

Bitglass was also able to keep tabs on their employees' movements. Unbeknownst to users, the company could force GPS to keep running in the background, allowing the company to see the places its workers frequented after punching the clock for the day and during the weekends.

Disturbingly, MDM can also be used to deliver a devastating one-two punch to an employee's personal data.

The company was able to restrict backups to cloud backup services. That capability, coupled with remote wipe options, could potentially be used to delete a user's personal contacts, photos and other data without a means of restoring them, warned Bitglass.

"The invasion of privacy by MDM is a key reason that there are two billion mobile devices on the planet, but only a few million devices managed by MDM" said Nat Kausik, CEO of Bitglass, in a statement. "IT leaders looking to enable BYOD must focus on a data-centric, agentless approach that respects user privacy."

Pedro Hernandez is a contributing editor at Datamation. Follow him on Twitter @ecoINSITE.

Tags: privacy, mobile device management, MDM

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.