The proliferation of consumer devices in an increasingly mobile world has created an environment in which most Federal departments and agencies regard the approval of Bring-Your-Own-Device (BYOD) policies as inevitable. Nearly 90 percent of Federal employees who use mobile devices for work report that the technology allows them to be more productive, especially while traveling on agency business or working remotely. And some 69 percent believe that increasing mobility will enhance service to citizens. BYOD compounds these advances by improving convenience and ease-of-access for users. Importantly, it could also yield cost savings for government. But, these increases in convenience and productivity could also signal a loss of personal privacy for government workers—a freedom dear to those already required to trade away certain privacy expectations in exchange for positions of trust.
BYOD blurs the already-gray line defining privacy expectations for Federal government employees. Today, government workers sign away privacy rights when using government-owned equipment, including agency-provided computers and mobile devices. The Office of Personnel Management’s computer user responsibilities policy explicitly states that employees “do not have the right to privacy while using any Government equipment…[and] your use of Government office equipment, for whatever purpose, is not secure, private, or anonymous.” Recent court decisions including a Supreme Court opinion have delivered conflicting interpretations regarding government employees’ privacy expectations. This idea introduces yet another variable to muddy the water of these competing decisions: the issue of employee ownership of devices with access to sometimes-sensitive government networks and applications that are also intended for personal use.
Employee ownership of devices with access to government information introduces inherent security risks for government IT networks. Realization of the security vulnerabilities of BYOD has prompted early-adopter departments and agencies to create strict user policies and implement mobile device management (MDM) solutions compelling government users to sign away a certain degree of the privacy and integrity of their information in exchange for the security of government data. MDM solutions include basic security measures such as encryption and multi-factor user authentication—requisites for many government systems—but introduce new capabilities such as remote lock and wipe, control and administration, and GPS tracking tools. The implementation of these tools jeopardizes the privacy of government workers who expect personal communications and data to remain private. For example, MDM solutions could allow the government to erase employees’ critical personal information along with government data in the event of a security breach or even track employees outside of their work environments.
The following diagram depicts the security and privacy implications of BYOD in comparison with those of government-owned equipment.
Because of the security risks inherent to BYOD, tradeoffs of personal privacy are likely necessary to authorize Federal employees’ use of personal mobile devices, especially in bureaus, agencies and departments with sensitive information. A recent BYOD program at the General Services Administration (GSA), however, demonstrates the challenge of attempting to mandate these tradeoffs through voluntary user agreements. In the program, only 10 percent of 60 original participants decided to sign a BYOD agreement stipulating the approval of certain security mechanisms in order to sign onto the agency’s network. One security provision—authorizing remote wiping of the device including personal data—was likely the chief deterrent. So what solutions, if any, promise to mitigate government employees’ privacy concerns while protecting the security of government information, and how will the lines between personal privacy expectations and government information be drawn?
- Containerization: Containerization separates personal and business data, allowing government information to be remotely wiped in the event of a security breach. Containerization can be implemented using a virtual desktop infrastructure and cloud computing. Currently, the National Security Administration (NNSA) is considering this approach as a means of mitigating security concerns in a BYOD environment. Importantly, containerization also protects the integrity of personal information by clearly separating corporate data from personal data and usage.
- Heavy Encryption: Agencies and departments should use MDM solutions incorporating heavy encryption for government mobile applications, multi-factor user authentication, and automatic locking capabilities.
- System-Sensitive User Agreements: Employees with access to sensitive data and systems should be required to sign BYOD user agreements, while employees with access to non-sensitive data should be able to elect to sign appropriate user agreements. These agreements should be written in a way that is fair to government employees and recognized in collective bargaining agreements with public sector unions. Without an existing agreement, employees with mobile devices should not be able to access government networks.
Government leaders will need to effectively implement BYOD user policies and manage employee privacy expectations in order to appropriately mitigate risk. The security vulnerabilities of BYOD are evident, but it is unrealistic to believe that government employees will avoid using personal devices for work applications altogether. A 21st century government will benefit from the use of a more mobile, dynamic workforce. To ensure widespread adoption of BYOD policies, it is crucial that government delineates clear privacy protections for employees and enables the technology necessary to protect them.
 CDW-G, “Federal Mobility Report: Security Edition,” February, 7, 2012, http://webobjects.cdw.com/webobjects/media/pdf/CDWG-Federal-Mobility-Report-020712.pdf.