Employee use of smartphones and tablet computers on the job is far outpacing their managers’ efforts to draft policies regulating their use.
For example, there is no governmentwide mobile device strategy. But one is on its way — the Office of Management and Budget is expected to issue one this month.
Meanwhile, some agencies are crafting their own policies to address legal, privacy and security challenges. In some cases, these policies vary depending on whether mobile devices are issued by the government or the personal property of employees who use them for government purposes.
Marine Corps Recruiting Command, for example, has a Wireless Device Usage Policy, which recruiters and public affairs staff must agree to before receiving government-issued smartphones and tablets. The policy outlines what information can be stored on the devices and for how long, what applications can be downloaded, and when video and camera features can be used. Employees must also agree not to modify the operating system.
“Because I don’t control [Android] phones on the network yet, there are a lot of things [employees] can download on these phones that we don’t have control over,” Robert Brown, the command’s assistant chief of staff for the communications electronics division, said in an interview.
While BlackBerry smartphones and 4,000 Windows-based tablet computers are operating on the command’s network and managed centrally, another 4,000 Android phones are still awaiting approval to be connected to the network, but are delayed until security concerns are worked out.
Under the policy, Android users are required to download a commercial Google Gmail account to conduct official business and are prohibited from adding personal email accounts to the phone. They are only authorized to take photos and videos to document the physical appearance of a recruit and for other official recruiting purposes. Users are encouraged to use social media applications, such as Facebook and Twitter, for work purposes.
Commanders have to trust that the policies in place are strong deterrents for potential rule breakers. “We expect everyone to act like an adult,” Brown said. Recruiters are told not to download applications that have not been approved for use, but policies alone can’t enforce the rules.
Brown said commanders and others in authority can confiscate a phone if the billing statements show unusually high usage rates of data or minutes. Recruiters who exceed their minutes must pay for the overages.
The General Services Administration is deciding whether its policies and mobile device management software will restrict employees’ access to certain mobile applications, said chief information officer Casey Coleman.
Mobile device management software allows agencies to centrally track the use of mobile devices and ensure they are in compliance with agency policies.
Restrictive policies are good for security, but they limit what employees can do on their mobile device, Coleman said.
Both Coleman and Brown said they would like to see more guidance from OMB on how much leeway should be provided employees in using commercial applications and which apps should and should not be approved.
Marine recruiters are not allowed to use their own devices under the policy. “From my perspective, it’s much easier for me to provide a government device that we own and control than for you to bring something in the network and personal data that is inadvertently exposed,” Brown said. If personal contacts and photos are lost, “I don’t want to be responsible for that,” he said.
Rebecca Herold, a privacy and security consultant, said employee rights must be considered when developing policies for employees’ personal devices that are used for government business. Legal battles can arise if agencies don’t have policies that clearly explain what employees can and cannot do if they conduct government work on their personal devices.
For example, the policy should say whether the government can have access to the contents stored on the device and what will happen to data on the device if it is lost or stolen.
“Agencies need strong policies, procedures and training so employees know” what is expected of them, Herold said. Software applications that allow agencies to remotely wipe data off a personal device could raise legal concerns.
The Equal Employment Opportunity Commission, which manages a mix of government and personal devices, and the Veterans Affairs Department, which manages only government-issued devices, are among the agencies that have this capability. Agencies must ensure that users know, understand and agree to user policies before they can use personal devices in the workplace. Herold recommends that agencies train employees on proper use of new technologies, especially when policies are updated.
Kimberly Hancher, EEOC’s chief information officer, said budget cuts forced her to consider a bring-your-own-device (BYOD) policy. Hancher has been working with an advisory group comprised of attorneys and employees to develop a policy to govern a pilot program that is testing a small-scale bring-your-own-device program.
There is little guidance available on how to craft a BYOD policy because it is a fairly new concept for feds, Hancher said. She hopes the mobile strategy that OMB is working on will address this issue so agencies can embrace personal devices in the workplace.
The BYOD policy clarifies what expectations of privacy employees should have. EEOC will only require access to a personal device by a technician to implement security features or applications, or to respond to discovery requirements that rise out of administrative, civil or criminal procedures.
“We try to just put it in black and white,” Hancher said.
Hancher projects as much as 30 percent of employees, or 135 people, will trade in their government phones when the BYOD policy moves out of the pilot phase, which will come after the federal mobile strategy is released, she said.
While the pilot now is focused on security and privacy, EEOC will determine in the next phase if giving employees stipends for using their personal devices is feasible.
“This is an ongoing discussion,” Coleman said about funding mobile initiatives. “We have defaulted more on the side of issuing devices rather than trying to be restrictive” because of costs.