Agencies are slowly giving feds the green light to use their personal smartphones and tablet computers to get work done.
But that freedom may come at a cost in terms of less control over the device, no reimbursement for phone charges, and restrictions on apps that can be installed.
“The employee has to understand that they are going to lose some of their privacy rights, [and] there will have to be a tradeoff for the convenience of using their personal device,” said Rob Burton, a former federal executive and now partner at the Venable law firm. Burton advises government contractors on their mobile policies.
Before swapping your government-issued BlackBerry for your personal Apple or Android device, read the rules carefully and fully understand what you are agreeing to, Burton urges.
The administration is expected to release governmentwide bring-your-own-device (BYOD) guidelines this summer based on lessons learned from pilot projects at federal agencies. Until then, some agencies are crafting their own.
One of the first to fashion a set of rules is the Equal Employment Opportunity Commission. It requires employees who use their own smart devices for work to agree to have third-party software installed so the agency can manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen.
For months, EEOC Chief Information Officer Kimberly Hancher worked with information security staff, lawyers and the employees’ union to draft rules that balance employee privacy and government security.
“The main thing that the union wanted was to make sure that the privacy expectations were put front and center,” Hancher said.
An “expectation of privacy” notice is written in bold on Page 1 of the four-page policy: “EEOC will respect the privacy of your personal device and will only request access to the device by technicians to implement security controls … or to respond to legitimate discovery requests.”
Last week, the agency gave its 468 employees who have agency-issued BlackBerrys a number of choices:
Voluntarily return your BlackBerry and bring your own Android, Apple or BlackBerry smartphone or tablet to work.
Return your BlackBerry and get a government-issued cellphone with voice features only.
Keep your BlackBerry with the understanding that EEOC does not have replacement devices.
“I gave up my BlackBerry,” Hancher said. “I use an Android.”
The pilot is set to run through September or longer, depending on EEOC’s comfort level that all policy issues have been worked out. Hancher expects there will be some tweaks to the policy as the pilot evolves.
Hancher’s information technology staff is meeting with employees to help each decide which device or devices to use and what the effects will be.
She projects between 10 percent and 30 percent of BlackBerry users will opt for the bring-your-own-device program.
Initially, EEOC’s BYOD program will focus on providing employees with access to their work email, calendars, contacts and tasks. With the mobile device management software, workers can read and write emails without Internet connectivity, but they cannot send or receive them until an Internet connection is restored. Senior executives who own Apple iPads will have access to the agency’s internal systems through a virtual private network.
The policy will require employees to foot the bill for all voice and data usage, including that for work purposes. That may prompt some to hold on to their BlackBerrys.
For EEOC’s younger employees, their personal devices are an extension of their personalities, Hancher said. For seasoned workers, their personal device allows them to do administrative work from the comfort of their living rooms.
“While I’m not advocating working 24 by 7, it is just more comfortable to sit and do timecard approvals on a Friday night instead of prime time when people need to put their attention on more complex and business-oriented issues,” Hancher said.
But many wonder whether the move toward mobility will make it even harder for feds to draw a line between their personal lives and work.
“If you’re off duty and you’re at the beach … I think it’s clear there is no expectation that you will respond” to emails, said Nuclear Regulatory Commission CIO Darren Ash. He plans to address the topic in his agency’s upcoming BYOD policy this summer.
Similar to EEOC’s program, NRC’s bring-your-own-device program will be voluntary and employees will not be required to relinquish their BlackBerrys. Initially, only personal devices that meet National Institute of Standards and Technology encryption standards will be eligible for use.
“We have to manage [employee] expectations, [and] you want a policy that stands the test of time,” said Ash, who is working with his chief financial officer, general counsel, union representatives and others to craft the policy.
Veterans Affairs Department CIO Roger Baker said personal devices will be part of the department’s mobile strategy in the future. VA is buying mobile device management software that can manage up to 100,000 government-issued and personal devices on its network. He envisions a day — perhaps five to six years from now — when feds would be expected to buy their own personal devices to get work done.
As VA employees connect to the department’s network with their personal devices, each device will “be subject to the mobile-device manager, it will be subject to my control and my ability to wipe the device if I determine that the information is in any way at risk,” Baker said.
The department has not yet established a BYOD policy, but Baker expects it will have some restrictions on what apps can be downloaded on personal devices. Software applications that are known to violate information protection policies and could compromise VA data — such as a virus-infected version of the “Angry Birds” game — will be restricted.
“I don’t think we will be overly prescriptive,” Baker said. “In other words, if you’ve got your iTunes music on it, it’s not going to be an issue.”
Personal devices with software that allows workers to bypass built-in security features could be wiped if an employee attempts to connect to VA’s network.
Baker said the easiest route would be to remotely wipe the device of both government and personal information, but the policies would make clear what employees can and cannot do on their devices.
“People are pretty cavalier about their own information when they are using it directly for their benefit, [but] they take a very, very dim view of me being that cavalier with their information,” he said.
One of the main BYOD security issues government has to sort out is minimum security standards for apps, said Tom Suder, president and founder of Mobilegov, which develops enterprise applications. Suder is also involved in addressing federal mobility issues through the nonprofit American Council for Technology — Industry Advisory Council. He thinks many agencies will allow employees to access government data on their personal devices only while on site and connected to the network.
Feds should frequently back up their personal data in case it is accidentally wiped by the agency or destroyed in the event that classified data is leaked onto the device, Suder said.
Agencies also must consider what type of data can be accessed by mobile devices, where that data will be stored and how it will be securely transported to mobile devices, said Anil Karmel, management and operations chief technology officer at the Energy Department’s National Nuclear Security Administration.
“You really have to find the right balance between security and functionality,” Karmel said.