Wipeout: When Your Company Kills Your iPhone

Nov 22, 2010

A few weeks ago, Amanda Stanton's iPhone suddenly went black.

She had been talking on it and navigating with a GPS app during a work trip to Los Angeles. Then, without any warning or error message, the phone quit.

Everything was gone -- all her contacts, photos and even the phone's ability to make calls.

It was only after she got home to Silicon Valley that she found out that her phone had been killed by her employer, a publishing company.

Destruction Via E-Mail

Someone in the IT department had sent out what's called a "remote wipe," a kind of auto-destruct command that's delivered by e-mail. The wipe was done by mistake, and Stanton wouldn't have been surprised to see this kind of remote control on a company phone.

But this iPhone was hers.

"It was my account, in my name [and] I'd paid all the bills," Stanton says. "It didn't make any sense to me that somehow work could get through AT&T, who I thought controlled my phone, and could completely disable the phone and the account."

It's no surprise to people who know IT. Since 2003, a growing list of smart phones have come loaded with software from Microsoft that makes remote wipes -- and many other remote-control commands -- possible.

The phone doesn't need to download any new software. All that's necessary is for the phone's user to configure it to receive e-mail from a Microsoft Exchange Server -- the kind most big companies use.

A Remote On/Off Switch

Once that's been set up, an IT department has the capability to wipe the phone and turn off functions like Bluetooth, the Web browser and even the phone's camera.

"The reason why you see such a long list of various policies and controls is because different organizations want those controls," says Adam Glick, senior technical product manager for Microsoft Exchange.

He points to the peace of mind the system offers to people whose phones have been stolen, and who can rest assured that all the personal information contained inside can be erased from afar.

Glick says employers sometimes need remote control of other functions, like the camera, to prevent leaks. "If you're having an important meeting about the future finances of the organization and people put that up on a slide, and someone might take out their camera phone and take a picture. And then they might go and, say, post that to the Internet," Glick says.

A Sticky Situation, Waivers

But when companies exert that kind of control over someone's personal phone, things can get messy. Anthony Davis runs IT for a manufacturing company in Seattle, and he says he makes a point of letting people know that when they opt to get company e-mail on their personal phones, they're signing up for more than just e-mail.

"We actually have a one-page waiver that says, you know, if you're going to connect your personal phone to the corporate e-mail system, that we do have the capabilities if the phone is lost to remote wipe it -- and we will -- and then have the employee agree [to] and sign that form," Davis says.

Control Over Tablets, Other Devices

But companies often aren't that transparent about the power e-mail gives them over personal phones. And it's not just phones.

IT administrators can send similar commands to iPads and other personal devices that get work e-mail. Lewis Maltby, president of the National Workrights Institute, says he's not sure what a court would say about a company that wipes an employee's phone without permission.

But he says he'd like to find out: "I'm salivating right now at the prospect of this lawsuit."

A New Overlap

Maltby says there's now a breakdown of the old paradigm that your company controls work devices and you control yours and "never the twain shall meet."

"Now, you have this gray world in which everything overlaps, and everything that's personal is business and vice versa, and now it's a mess," he says.

Putting work e-mail on a personal device may be convenient, but for Stanton it's no longer worth the risk.

After restoring her iPhone -- or, as she calls it, her "precious iPhone" -- she says she'll never put work e-mail on it again. Copyright 2011 National Public Radio. To see more, visit http://www.npr.org/.

Transcript

MARY LOUISE KELLY, host:

From NPR News, this is ALL THINGS CONSIDERED. I'm Mary Louise Kelly.

MELISSA BLOCK, host:

And I'm Melissa Block.

By now, we've learned not to expect privacy on company-issued computers and cell phones. If your employer owns the device, he controls it. But what about your personal smart phone?

As NPR's Martin Kaste reports, your employer may have some remote control over that, too.

MARTIN KASTE: Amanda Stanton found out the hard way. Traveling in L.A. for work, she was navigating with her iPhone...

Ms. AMANDA STANTON: ...and the phone went black. It just turned into a brick.

KASTE: Everything was gone: all her contacts, her photos, even her phone's ability to make calls. It was only after she got home to Silicon Valley that she found out that her phone had been killed by her employer.

Ms. STANTON: It was a huge shock.

KASTE: An IT guy had sent out what's called a remote wipe. It's a kind of auto-destruct command delivered by email. The wipe was done by mistake, and Stanton wouldn't have been surprised to see this kind of remote control on a company phone. But this iPhone was hers.

Ms. STANTON: My account in my name. I'd paid all the bills. It didn't make any sense to me that somehow, work could get through AT&T - who I thought controlled my phone - and could completely disable the phone and the account.

KASTE: But to the people at your IT department, this is old news. The moment you set up your phone to get email from a Microsoft Exchange server - which most big companies use - that server is able to send commands to your phone. And not just remote wipes. Depending on the phone, an IT person could turn off your Bluetooth signal, your Web browser, even your phone's camera.

Mr. ADAM GLICK (Senior Technical Product Manager, Microsoft Exchange): Different organizations want those controls.

KASTE: Adam Glick, senior technical product manager for Microsoft Exchange, says these commands make a phone more secure. And it is true that if your smart phone is ever stolen, you'll likely be relieved that your IT people can send a command wiping the memory.

As to remote control over other functions, like the camera, Glick says employers sometimes need those to prevent leaks.

Mr. GLICK: If you're having an important meeting about the future finances of the organization, and people put that up on a slide. And someone might take out their camera phone and take a picture, and then they might go and say, post it to the Internet.

KASTE: Anthony Davis runs IT for a manufacturing company in Seattle, and he says he makes a point of letting people know that when they opt to get company email on their personal phones, they're opting in to more than just email.

Mr. ANTHONY DAVIS: We actually have a one-page waiver that says, you know, if you're going to connect your personal phone to the corporate email system, that we do have the capability - if the phone is lost - to remote wipe it, and we will - and then have the employee, you know, agree and sign to that form.

KASTE: Lewis Maltby, president of the National Workrights Institute, says he's not sure what a court would say about a company that wipes an employee's phone without permission. But he'd sure like to find out.

Mr. LEWIS MALTBY (President, National Workrights Institute): I'm salivating right now at the prospect of this lawsuit.

KASTE: And it's not just phones. IT administrators can send similar commands to iPads and other personal devices that get work email.

Maltby says we're seeing a breakdown of the old paradigm that work controls work devices, and you control yours.

Mr. MALTBY: Now you have this gray world in which everything overlaps, and everything thats personal is also business and vice-versa. And now, it's a mess.

KASTE: Putting work email on a personal device may be convenient, but for Amanda Stanton, it's no longer worth the risk. After restoring her iPhone, she says she'll never put work email on it again.

Martin Kaste, NPR News, Seattle. Transcript provided by NPR, Copyright National Public Radio.