My name is Philippe Winthrop and I am the Managing Director of The Enterprise Mobility Foundation (click here to see my bio on LinkedIn). The EMF is an independent (downtown) Boston-based think tank, whose sole mission is to evangelize best practices in terms of how organizations can reap the greatest benefits from deploying mobile technologies such as smartphones and tablets in their workplace.
While I now reside in the city, I thought I would also mention on a personal note, that I spent more than 20 years of my life living in one of the towns that is part of the 7th District of Massachusetts (Arlington), which you represent in the US House of Representatives…and that I too graduated from Boston College (Class of 1995).
That said, I am writing you today – and sharing this letter with the 4000+ members of The Enterprise Mobility Forum – regarding the “Mobile Device Privacy Act,” which you introduced to the House on January 25, 2012.
Firstly, I would like to applaud your efforts and objectives, as best summarized in the introduction of the bill, where the stated intent of the new legislation is:
To require disclosures to consumers regarding the capability of software to monitor mobile telephone usage, to require the express consent of the consumer prior to monitoring, and for other purposes.
This is an absolutely vital piece of legislation, specifically because of the rapid adoption of smartphones by the general consumer population, as well as the explosion of social media services such as Facebook, Foursquare and Twitter, to name a few. What’s even more important, as it pertains to this proposed legislation, is that the world of mobile and social are converging at a frenetic pace. By Facebook’s own estimates, there were 425 million monthly active users (worldwide) who used Facebook mobile as of December 2011.
There is no question in my mind that we need better controls with regard to how companies (particularly those in the social media) are using the information provided by consumers on their mobile devices for their own commercial profit. Furthermore, I also believe we need much better resources for educating consumers to the potential impact of using mobile devices.
That said, there are very important (unintended) potential consequences of this legislation, should it pass in its current form, that I feel compelled to bring to your attention… particularly as they apply to the use of mobile devices in the corporate sector.
Let me start off by providing some context. Until a few short years ago, mobile devices were used predominantly by corporate executives so they could access their work email at all times. Back then, their companies provided, paid for and supported those devices (mostly BlackBerry phones) in what our industry calls the Corporate Liable (CL) model. With the advent of the iPhone and the Google Android platform, the game changed completely. More and more individuals were buying their own smartphones for personal use and started demanding that they be allowed to use their personal smartphones for work. This trend has been called Bring Your Own Device (BYOD), which is a subset of a broader concept called the Consumerization of IT.
The BYOD trend has, for the last two years, been one of the, if not THE most contested topics in the world of enterprise mobility because of the fact that IT departments fear the loss of control of corporate data on devices they don’t own. During this period of time, there has been a wide array of companies that have developed solutions for helping companies manage and secure these smartphones and tablets, in an industry called Enterprise Mobility Management (EMM) or alternatively (and inaccurately) called Mobile Device Management (MDM).
The goal of the EMM vendors is to help IT departments secure, manage and control the mobile devices and the corporate applications and data that resides on these devices, as well as (among myriad other functions) wipe the devices should they be lost or stolen. In many respects, the EMM software that companies are using is monitoring the employees’ mobile devices in order to protect sensitive corporate data and information.
It’s important to note that this EMM technology is not something that consumers will purchase on their own, but rather a tool that corporations will purchase and deploy on employee devices (regardless of who purchased the device)… based upon protocols provided by the handset manufacturers (including Apple, Google, Microsoft and Research in Motion).
This brings me to Section 2, Paragraph A, Sub-Paragraph 2b of the bill, which would require that:
[…the Federal Trade Commission shall promulgate regulations under section 553 of title 5, United States Code, that require…a provider of commercial mobile service or mobile broadband service to disclose the information described in subsection (b) to the consumer at the time of entry into a contract to provide service to the consumer on a mobile telephone...] that the consumer does not purchase from the provider in connection with such contract.
So what is Subsection “B”?
The information described in this subsection is the following:
(1) The fact that the monitoring software is installed on the mobile telephone (or, in the case of a disclosure described in subsection (a) the fact that the software that the consumer downloads is monitoring software).
(2) The types of information that the monitoring software is capable of collecting and transmitting.
(3) The identity of any person to whom any information collected will be transmitted and of any other person with whom such information will be shared.
(4) How such information will be used.
As I had mentioned earlier, I vehemently agree with you that we need to have consumer privacy protection laws in the context of how consumer information is being used by companies for their own commercial benefit. So where do companies get to exert their right to protect their information?
Mr. Representative, I believe organizations also need to be empowered with the tools necessary to protect their strategic corporate information assets (including their human assets) for a wide array of reasons. Let me offer, as a primer, just two illustrative scenarios:
- GPS monitoring. There has been much push back from consumer privacy groups regarding the fact that location based services are accessing “too much” information from a mobile device’s GPS and being able to “see” exactly where a person is. Location tracking need not be a bad thing! Should there ever (G*d forbid) be another terrorist act in the United States, I believe that it would be in everyone’s best interest that a company could track an employee’s location by their device’s GPS to make sure they were not affected by the attack, thereby reassuring family and colleagues of that person’s safety.
- Application Tracking: There are over 1 million applications that consumers can download onto their smartphones and tablets on the various public app stores. Some of those applications (a small minority) have (un)intentional security limitations that will expose data on a user’s device. EMM solutions with specific mobile application management capabilities can help companies protect their data and their employees by tracking the activity of those applications. I believe that this (and other) EMM capabilities are vital to protecting the intellectual capital of our companies, particularly in the context of remaining competitive in the global marketplace where we are facing increasing (and sometimes nefarious) competition from other countries.
I could (and would be more than happy to) provide you any number of other examples, Mr. Representative, where monitoring mobile activity is actually beneficial to the WORKFORCE, but the key message I would like to convey to you is that the wording of the legislation in its current form would potentially make it much more difficult for companies to track and protect their employees and their data. It would only get worse in industries where governance, risk and compliance management is critical (including in healthcare, finance, retail or any other highly regulated industry). Additionally, it is imperative for you to understand that companies are caught with the dual mandate of protecting consumer privacy while also having to protect enterprise/consumer data. It is a very fine balance to be able to achieve both mandates while also encouraging innovation and making a profit…and ensuring individual privacy (particularly in a BYOD construct).
With this all said, I would like to now make specific reference to Section 6 of the proposed Bill where penalties for violating this proposed law would be levied by the Federal Trade Commission and the Federal Communications Commission, as well as State Attorneys General.
As I am sure you know, Mr. Representative, there have already been a number of lawsuits (some even going all the way to the Supreme Court) around the issue of mobile privacy, where there is almost invariably reference made to the 4th Amendment of The Constitution. I fear that the wording of the legislation as it stands today would only obfuscate the matter further (as BYOD deployments only complicate user/employee “rights”), extending the length of trials, and making legal rulings and interpretations of existing laws that much more complex.
Again, Mr. Representative, I applaud your leadership in seeking to protect consumer privacy in the mobile and social age. However, I equally encourage you to not just protect consumers, but also employees and employers (because it’s all the same in the end) as mobility provides us untold potentials.
Stan Lee, creator of Spider-Man, famously wrote that “With great power comes great responsibility.” I couldn’t agree more. The social and mobile age will provide consumers with great knowledge-based power, but we must also act responsibly in terms of how to protect all the constituents in this new world. That said, the nuances of mobility in the context of personal privacy and the use of personally owned devices for corporate use – and the undeniable right of the workplace to protect its proprietary information – and the undeniable right of individuals to protect their own data – make this an issue with far more questions than straightforward answers.
Your proposed legislation needs, in my opinion, to take into account the governance, risk and compliance needs of the workplace in the context of how personal privacy rights can be balanced with the needs of organizations to manage corporate or individually owned devices (via the BYOD construct…or the emerging Corporate Owned Personally Enabled construct) in order to secure and protect the corporate data that will blur with an individual’s needs and rights to use their mobile devices for personal use.
Should you be interested in discussing this matter further, I would be more than happy to have a telephone conversation or meet with you face to face, either here in Massachusetts or in Washington DC at your earliest convenience. You or your staff can find me on Twitter at @biz_mobility or via the EMF’s contact page.