July 19, 2013, 4:18 PM — The thought of a CIO turning to spying technology to peek inside a personal iPhone makes people furious. They fret about an employer remotely reading personal emails and text messages, seeing personal photos and videos, and listening to personal voicemail.
But they would be wrong to worry about such things.
At least that's the message from Ojas Rege, vice president of strategy at MobileIron, a mobile device management software developer.
"There's a ton of confusion out there, and so the trust gap has widened," says Rege. "Employees don't really know what their employer can and can't see. They're just guessing."
Such is life in the brave new world of "bring your own devices" (BYOD), where work life and personal life collide on a single device. BYOD has become a flashpoint for privacy: Employees are pressured into signing strict user policies heavily weighted toward a company's legal right to access and monitor devices, while giving an employee's expectations of privacy short shrift.
Only three out of 10 employees completely trust their employee to keep personal information private, according to a MobileIron-commissioned survey of 3,000 workers across the United States, United Kingdom and Germany. The flip side is that the rest aren't so sure.
[ Related: CIO Takes Action to Solve BYOD's Privacy Problem ]
The survey sought to learn more about the trust gap in the enterprise, but what it really found was mass confusion. It's a dangerous scenario: Confusion can quickly escalate from head-shaking to finger-pointing to employee lawsuits claiming privacy rights violations.
Making matters worse, tech companies and the media have played a role in causing this confusion. Consider this Sprint television commercial showing a boss viewing compromising pictures of an employee on an iPhone:
It's not clear what is happening. The boss doesn't seem like the iPhone-carrying type, so why is he holding the employee's iPhone? If this is the boss's iPhone, how does he have access to pictures that the employee uploaded? While the commercial is about data plans, the scary image pours fuel on the fire of confusion.
Hoping to clear up some misconceptions, CIO.com talked with MobileIron's Rege to find out exactly what a company can and cannot see on a BYOD smartphone or tablet.
Two out of five employees in the survey don't think the employer can see anything--and they're wrong. Company email and data flow through corporate servers, "so absolutely your company can see it," Rege says. If you're connected to the corporate Wi-Fi network, the company knows what you're doing.
If you're not on the corporate Wi-Fi network, a company still has visibility into the BYOD smartphone. Technically speaking, a company can see the wireless carrier, country, make and model, operating system version, battery level, phone number, location, storage use, corporate email and corporate data.
The company can also see the names of all the apps on the device, both personal and work-related. This visibility has led to some companies blacklisting apps on a BYOD smartphone or tablet. It's important to note that a company cannot see the data within apps.
Visibility is a little more limited for rogue devices, or smartphones not under a formal BYOD policy but still accessing company email. Companies can still see the make and model and carrier, as well as corporate email and data, but not the location of the device.
So what can't a company see?
Technically speaking, a company cannot see personal email, text messages (unless done over a corporate text messaging app), photos, videos, voicemail and Web activity. The survey found that respondents were most worried about employers seeing these types of data, Rege says, "yet all those are technically impossible to see on an iOS device, unless it's jail-broken."
Oddly, more than half the survey respondents said they were far more comfortable with their employer seeing their location on the BYOD smartphone.
CIOs who clear up some of the confusion will help close the trust gap.
Survey respondents said they would be more trusting if the employer spelled out exactly what it can and cannot see, both from a technical standpoint and an optional one (as in, opting not to track location), as well as why it wants to see the information.
Respondents also said they want it in writing that the employer will not look at personal information.
However, this last request is impossible in today's legal system. Personal devices may be subject to search and review in the event of litigation that involves an employer or other similar legitimate reason, which can include any business information on the phone. It's just like any other piece of evidence, document or computer that could be confiscated and looked at for evidence.
In such extreme cases, all data on a BYOD smartphone or tablet becomes fair game. So CIOs should be clear that they cannot promise to not look at personal information. But even this should help close the trust gap.
"Transparency drives trust," Rege says.
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at firstname.lastname@example.org
Read more about consumerization of it in CIO's Consumerization of IT Drilldown.