Our bosses live in our phones

Extending the workday through BYOD

For a couple years now, I’ve been trying to figure out who owns my phone. Not physically. I know for sure that I overpaid Apple for the privilege of constantly having to maintain dongles.  

But, who actually owns the data on my device? You can argue that, since the phone is physically in my possession, I own everything on it. You can argue that the creators of the apps own it, since they can delete my data, and they can analyze it  in the form of logs. You can argue that Apple owns it, since they have the right to revoke apps from the App store, and they keep stuff like iMessages. 

Or, you can argue that, if you live in America (and probably a lot of other legally similar countries) and have any work apps like email installed on your phone, everything on your phone belongs to your employer. 

I first became interested in this idea when I started a new job and was given the choice to either take a company device or use my own phone for work email. Like 60-70% of people in corporate America today, I opted for Bring Your Own Device (BYOD).

BYOD really picked up around 2010.  People, particularly executives who wanted to take advantage of their shiny new iPhones, lobbied to use their own devices for work email. Companies, reasoning that it would be cheaper not to constantly replace hardware, easier, and result in more productivity gains for workers, started creating formal policies around this. A secondary issue that they didn’t often talk about was that it meant employees could now access email wherever they were, since they carried their phones with them, effectively tethering them to work around the clock. 

In a much-shared piece last week, Judith Shulevitz wrote about how today’s erratic work schedules ensure that we have no time for leisure. She led off with a description of an experiment in week-long staggered work schedules in the Soviet Union and segued into how, in America today, longer hours at the office and the rise of the unpredictable gig economy are leading us all to feel like we spend all of our time at work.

Shulevitz does a good job addressing the macro picture, but biggest problem for many white-collar employees is not only that our email comes home with us. It’s that, as a result of BYOD, our companies have made their homes on our phones, our computers, and all of our smart devices.

In theory, it’s a win for everyone: you get to keep your most recent iPhone, push any upgrades immediately, and also be connected to email if you need it. In practice, since it’s been implemented, BYOD become a social and legal nightmare.

There’s a lot to discuss with regards to the social ramifications of being constantly being plugged into office programs like Slack and the insane amount of work-life blurring these programs create. But, even ignoring all of those, I had one fundamental question: 

If I have work materials in my personal phone, is my phone now considered a work device and liable to corporate litigation? 

The answer is a definitive “maybe.” 

Please note, since I am extremely not a lawyer, take the following as absolutely not any kind of legal advice and just the synthesis of me searching around for random stuff at 2 in the morning while feeding the baby (and the B+ I got in my business law class in undergrad).

The key issue at hand here is a legal term known as “discovery.” Let’s say your company gets in some sort of legal trouble. For example, maybe, I don’t know: you’re an energy and commodities service company based in Texas and you get into a little bit of fraudulent accounting, which makes your stock price fall from $90 to $1. (No, this isn’t about WeWork. WeWork’s theoretical stock is worth less than that.)

Someone sues you - maybe the federal government, maybe shareholders, maybe the SEC. What usually happens in a case like this is that before the lawsuit starts, both sides start gathering evidence which will decide whether the case goes ahead. Each side issues a request for the documents they need, and the goal of the opposing side is to technically adhere to the request while providing as little information as possible . One way to do this is to flood the opposing side with documentation.  The goal of each side is to process all of the information, panning for legal gold. This is discovery.

A lot of documents are discoverable, including: 

  • detailed information on how a business is run (for example, a party might try to determine how a company that sold a dangerous product decides what to sell, or how a business makes employment-related decisions or keeps its accounting records)

  • documents relating to the dispute, and

  • the personal, educational, and professional background of a witness.

As you can imagine, lawyers will try to scoop up as much as possible in order to get an informational advantage and move the case to their favor. 

In the case of our energy company, what came out of that case was a corpus of emails during a FERC investigation

Joe Bartling, a litigation support and data analysis contractor working for Aspen Systems (now Lockheed Martin) collected the Enron data at Enron Corporation headquarters in Houston during two weeks in May 2002., The Federal Energy Regulatory Commission (FERC) had hired Bartling to preserve and collect vast amounts of data in the wake of the Enron Bankruptcy in December 2001. In addition to the Enron employee emails, all of Enron's enterprise database systems (hosted in Oracle databases on Sun Microsystems servers) were also captured and preserved. This included its online energy trading platform, EnronOnline.

This was 160 GB of data. In 2001. Can you imagine what a discovery process for a similar trial would generate today[1]?

The real problem here is that if you keep work email on your phone, or any kind of work documents whatsoever, your device is now potentially open to discovery, even if you’re just tangentially related to the case.

The process of getting data off of phones and related devices is called eDiscovery and, as you can probably imagine, given how much money trials generate, there is an enormous market for it. 

What’s discoverable, potentially?

Your work email, of course, but also your text messages, Snapchats, social media posts, and Slack logs (even the embarrassing ones). In fact, so many companies now make Slack a part of their process that Slack has a separate API for Discovery. (And also don’t forget that employers can read absolutely everything you put in Slack, including DMs.)

For example, in Calendar Research v. StubHub, StubHub hired away three employees from Calaborate to create a scheduling app for StubHub. Calendar Research purchased Calaborate’s assets when that company went bankrupt, and claimed that the former CEO of Calaborate had downloaded proprietary information and misused it while working at StubHub. As a part of that trial,

[the] plaintiff filed a discovery motion seeking production of Slack messages from two of the individual defendants. Plaintiff did so after finding that defendants had produced “Slack email notifications, which alert users to pending messages, but not the messages themselves.” In response to plaintiff’s motion, defendants began producing the requested messages.

GPS coordinates, too (although, happily, they didn’t go through in this case):

In their work for Indianapolis-based Angie’s List, the salesmen say they spent a significant portion of their workday on the phone, finalizing advertising sales for the company website. Because the company did not provide cellphones or laptops for use outside its offices, sales personnel were encouraged to use their own personal electronic devices.

With the federal lawsuit pending, Angie’s List claims that getting GPS and location services data from the personal cellphones and laptops the salesmen used in their work will enable the company to “construct a detailed and accurate timeline of when [the salesmen] were or were not working.”

There are a lot of vendors working on extracting everything from deleted text messages (did you know that text messages on iOS devices aren’t really deleted, they’re just tombstoned in a SQLite database until new ones come in?), to Snapchats, to social media profiles:

See: Milo’s Kitchen Dog Treats Consol. Cases, No. 12–1011, 2015 WL 1650963 (W.D. Pa. Apr. 14, 2015). 

Finding: A user’s designation of a Facebook page as “private” does not shield it from discovery if the information sought is relevant; parties have no “reasonable expectation of privacy” for information posted on Facebook.

I’m really curious what went down in that Dog Treats Kitchen.  But if you’re looking for an example closer to tech, look no further than Uber (there’s always a shady Uber story that’s relevant). 

Anthony Levandowski was a Google employee who worked on self-driving cars there. Then, he started his own self-driving car company, Otto, which was acquired by Uber. Waymo, the Google self-driving car subsidiary, filed a lawsuit that alleged he had “downloaded 9.7 GB of Waymo’s highly confidential files and trade secrets, including blueprints, design files and testing documentation."  

Apparently, the way he did this was by sending himself messages through Wickr and Telegram: 

Waymo’s theory is that Levandowski, Ron, and other Uber employees used Wickr and other "ephemeral" messaging apps [like Telegram], which delete conversations, to discuss the trade secrets they had stolen from Waymo. This “may explain why the 14,000 files stolen from Waymo by Anthony Levandowski have not yet been discovered on the Uber infrastructure.” 

Although these example cases are directly related to when employees were not super above-board legally, anyone who had ever been in a Slack chat with them, texted with them, or sent them things were swept up in the discovery evidence.

eDiscovery, however, is still a relatively new area, and the law is still trying to figure out what is acceptable to be searched and what is not. Cases are being decided all the time that test these boundaries, but the specifics are often so specific that it’s not clear whether they apply across the board. 

For example, in this other case, a Wall Street trader was fired and the company then searched his computer, which was a work-from-home computer with personal hard drives plugged in. Was this a work machine? Are any of our phones work machines? Who knows.

And herein lies the problem.  Not only do these work situations put us in a constant social gray area, but now we’re also constantly in a legal gray area. 

Consider a situation like this, which comes up pretty regularly: 

You have Slack on your work computer and on your phone. Someone messages you about a document you have to edit, and you open your work Slack on your phone. But you don’t have your work computer handy. You open the document on your phone, downloading it there. You then open Slack on the web on your home computer, download the document, and make the edits. You sign into your work Outlook on your laptop and send it off. You check on your phone to make sure the document sent, and receive a reply in your Outlook app.

What are you now liable for? In discovery, can your phone be searched? How about Slack on your phone? How about your personal email?  I don’t know. And what’s more, the law doesn’t clearly yet, either. 

And I think this, even more than constantly having to be “on” at work, is the big problem: the fact that our company now sits in the middle of every personal interaction we have, and we’ll never know if we’re responsible for it, until the lawyers come through asking for evidence.

[1] As a side note, here are two awesome links related to discovery: 1) You can get the Enron emails in your inbox on a rolling basis. And 2) Watch this David Beazley talk on Discovery with Python, even if you don’t program in Python.

Art: A Maid Asleep, Vermeer, 1656

What I’m reading lately:

  1. The story of how Norilsk, a town in the Russian far north, got high-speed internet. All of a sudden, the state-sponsored media wasn’t so popular anymore.

  2. What’s faster, Tensorflow or PyTorch? The deep learning wars continue.

  3. This terrifying phone cover is meant to be textured like human skin and once you see it you can never unsee it.

  4. There’s no way I’ve read this all yet, but this goes into what’s in an AWS Lambda

  5. There’s a saying in Russian, “If you don’t praise yourself, who else is going to?” That’s the energy in this tweet and paper, and I love it.

About the Author and Newsletter

I’m a data scientist in Philadelphia. Most of my free time is spent wrangling a preschooler and an infant, reading, and writing bad tweets. I also have longer opinions on things. Find out more here or follow me on Twitter.

This newsletter is about issues in tech that I’m not seeing covered in the media or blogs and want to read about. It goes out once a week to free subscribers, and once more to paid subscribers. If you like this newsletter, forward it to friends!