By Wayne P. DeCesaris, SVP Managed Solutions at Tangoe, a telecom expense management firm in Orange, Conn.
The recent ruling by the Library of Congress’ Copyright Office that made the unlocking of cell phones illegal has the communications industry abuzz. According to the new ruling, individuals and organizations caught unlocking cell phones for financial gain can be fined up to $500,000 and face up to five years in prison. While steep fines have placed the unlocking issue in the spotlight, savvy organizations will tell you that this is nothing new. For years, they have taken action to protect themselves from the security risks posed by unlocked phones.
First, let’s define “unlocking” and “jailbreaking”—two of the industry’s biggest buzzwords. Unlocking allows you to use your phone on different carrier networks. In order to unlock a smartphone without carrier permission, it must be jailbroken first. Jailbreaking allows applications not approved by Apple to be downloaded from any source, and it removes the security controls which prevent access to data on the device by unauthorized people and applications.
A common reason an employee or general consumer would want to unlock their phone is to use it as an Internet hotspot or to switch to a local carrier when traveling overseas to avoid roaming charges. However, when a device is unlocked, the process of jailbreaking it often decrypts previously protected data, which can then be targeted by malware. Unlocking can also interfere with your phone’s settings and its ability to be managed, and it voids the phone’s warranty. For example, because the device is also now jailbroken, if a third-party app crashes your iPhone, Apple will likely not support the device. Additionally, jailbreaking can leave your phone vulnerable to hacking and malicious attacks, including an iPhone worm that specifically targets jailbroken phones.
This law neither eliminates the practice of unlocking phones nor prevents unlocked phones from entering corporate networks. While many organizations already have policies in place to mitigate these rogue devices for security purposes, this law, with its new financial penalties and possible imprisonment, creates an even greater incentive for organizations to prevent employees from unlocking their phones. Organizations must be keenly aware of the risks of unlocking and keep unlocked phones off their networks.
Since the moment smartphones started to enter the workforce, organizations have been working to protect themselves from outside risks; the rise in tablets has only compounded the issue. Companies of all sizes had to react quickly to the rapid change in productivity solutions entering the enterprise. Device, application, and security providers reacted with solutions to combat threats on multiple fronts. Similar to a situation that plagues many other industries dealing with consumer issues, the consumerization of the smart device and tablet is exposing the enterprise to the perils of unintended use of the device. The same rules that protect clothes designers and music recordings from counterfeiters are being used to protect smart device manufacturers from the disabling of locks that prevent unintended use. For years it has been illegal not only to manufacture and sell counterfeit goods (such as “designer” clothing and handbags), but also to knowingly purchase those counterfeit items. Like the anti-counterfeiting laws that protect the rights of the manufacturer, the unlocking regulation protects the rights of device manufacturers and carriers by preventing individuals from what amounts to essentially “stealing” bandwidth. Organizations have been accepting responsibility for issues like these for many years. It’s no different than black market software programs. If an employee were to download software illegally to their work computer, it’s the enterprise’s responsibility to obtain the proper licenses to cover these missteps. There are significant fines associated with this, and the unlocking mandate is no different.
Yet even with the threat of fines, people still download black market software, and the sale of counterfeit goods is a billion-dollar industry. This new law will not prevent people from unlocking their phones either, and organizations will need to continue to diligently monitor for, and prevent, unlocked phones. The question now is how far they should go in ensuring that their employees don’t jailbreak or unlock their phones.
First, organizations should ensure that employees procure only approved devices. By using mobile device management software or services that integrate with mobile device procurement and management solutions, they can control the type of devices that an employee provisions to access the company network, thereby limiting access to information based on their role and/or location.
Employers should also require acceptance of terms and conditions that clearly describe the penalties for unlocking a device. This new law applies to the United States, but to properly enforce local laws, whether in the US or around the globe, organizations will need to be able to enforce their policies with asset management databases that identify where devices are located and where the employees who use them reside. Penalties for employees caught unlocking their phones could include removing access to email and firewalled apps, immediately blocking communication, and locking or wiping the device.
Organizations should also have a strict process for reporting and handling lost and stolen devices so that corporate data can be cleansed immediately and is not compromised. Recycling programs should include provisions to cleanse all devices of corporate data before they are resold or recycled.
Organizations need a mobile strategy that monitors and enforces device compliance changes beyond basic configuration. They need to consider the risks regarding unlocked devices, which are compounded by the legal implications of the recent mandate. We’ve experienced laws like this before, and forward-thinking enterprises won’t be affected; often they have already implemented the capabilities necessary to detect such devices entering the organization and/or accessing important data. However, organizations just seeing this threat for the first time now have all the incentive they need to take action and put a strategy in place to protect themselves from both security and legal risks.