This Blog




AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

May 2013 - Posts

  • US Fifth Amendment Rights: Judge Tells Suspect To Surrender Encryption Password One Month After Saying Otherwise

    As I scanned through the headlines at this morning, I ran across news that:
    After having first decided against forcing a suspect to decrypt a number of hard drives that were believed to be his and to contain child pornography, a U.S. judge has changed his mind and has now ordered the suspect to provide law enforcement agents heading the investigation with a decrypted version of the contents of his encrypted data storage system
    Seeing how I was aware of only one case where the judge upheld a suspect's Fifth Amendment rights regarding disk encryption, I was pretty sure the above was a reference to a story I had blogged about, approximately one month ago.

    And, the more I read, the more I realized that the latest decision is not the judge "changing his mind."  Under the circumstances, the judge pretty much had no choice but to give the green light to the request.

    Encryption Broken

    If you'll recall, the judge had originally ruled that, under the specific circumstances, the suspect couldn't be forced to decrypt his computer hard disks, which were believed to contain child pornography.  It all boiled down to one thing: the government couldn't make the absolute, airtight case that the laptops and hard disks belonged to the suspect, which, I remind you, was the technicality of technicalities:
    • The computers and accessories were found in the suspect's domicile.
    • He lived alone for 15 years until the moment he was arrested.
    • The computer login name was the suspect's first name.
    • But the suspect didn't admit that the devices were his (it's surprising how effective the advice to "keep your mouth shut" happens to be, no?)
    There is a twist to this story, however:  On May 16, 2013, the government announced the finding of new information, noting:
    Since April 19, 2013, the FBI has continued to devote substantial resources to attempting to decrypt Feldman’s storage system. Recently, the FBI was able to decrypt and access a small part of Feldman’s storage system, namely a single hard drive. Unfortunately, the vast majority of Feldman’s storage system remains encrypted.
    The one single hard drive not only contained child pornography but also "detailed personal financial records and documents belonging to Feldman [the suspect]," including personal pictures of the suspect.  And, just like that, the main obstacle to getting the suspect to provide the password, without compromising his Fifth Amendment rights, disappears.

    The suspect has until June 4, 2013 to comply.

    How was Encryption Broken?  Isn't it Supposed to be Nearly Impossible?

    I find it hard to believe that encryption was broken.  What happened, more likely than not, was that the FBI managed to guess at the password that unlocks the laptop.

    When it comes to full disk encryption, the weakest spot tends to be the password.  But, you can't get around not using a password.  The encryption key, which is what actually protects encrypted data, must be long and very random in order to provide security (otherwise, it'd be easy to guess).  But, the longer and more complex it is, the harder it is for people to memorize it.

    Thus, the presence of a password, which can be changed at will, personalized, and made as long or as short as necessary.  But, again, its Achilles Heel is that it's much easier to be brute-forced (trying all combinations until exhaustion) than an encryption key, as well as trying other methods of shortening the attack.

    This is why AlertBoot's encryption software has settings for automatically wiping the encryption key if a preset number of wrong password entries are made.  Once the encryption key is wiped, it doesn't matter if you know the password or not.  Of course, we also backup the key to ensure access to your data in the event that a laptop is recovered.

    What Do They Need More Evidence For?

    Of course, seeing how the government could prosecute the suspect with the current evidence, one wonders why he has to provide the password to the rest of the "storage system."

    The answers are myriad.  It could be that the government is trying to make its case airtight (they already know what can happen if they don't satisfy that particular condition).  It could be that they're looking to find other suspects or associates.  Or, perhaps they want to go through all images to ensure that there aren't new cases of a child being abused (governments the world over keep databases of child pornography, and compare newly found images to see if they're new abuse cases or just old ones being passed around).

    Perhaps the government is looking to set a precedent.  Who knows?  Regardless, there are plenty of justifiable reasons for taking a peek into the rest of the hard disks.

    Does This Mean that Encryption Software Isn't Good at Protecting Data?

    On the contrary.  It's evidence that encryption works.  How long has the FBI been working on cracking the suspect's encrypted storage?  Well before April 19, 2013.  The fact that they spent their resources and only managed to crack one (and possibly because of good luck) is ample evidence that your lost or stolen laptops and smartphones are secure from the average data breach.
    Related Articles and Sites:
  • Data Breach Cost: Schnucks Grocery Store Claims Minimum Wage Rate As Potential Data Hacking Cost

    As a data security company, we review our newsfeed for interesting and notable stories involving information security.  Among the topic we visit often is the cost of a data breach.  We have seen many ways of calculating the financial losses of a data breach when a company is hacked, or if laptop encryption and mobile security software were not used on lost or stolen digital devices.

    It's not uncommon to factor in postage, outside consultants, 24-hour toll-free lines, lost employee productivity, legal expenses, damaged reputation, and more.  You can add a new element: minimum hourly wage.

    Simple Arithmetic

    According to, a family-run grocery store based in St. Louis, Schnuck Markets Inc., has calculated the potential fallout from a credit card and debit card hack at $80 million dollars: 500,000 people affected, minimum-wage at $7.25/hour, and an assumption that each person spent an average of 2 hours dealing the with the effects of the breach (calling up banks because of their credit cards and whatnot).

    This actually comes out to "only" $7.25 million.  However, take into consideration that "the Illinois Supreme Court has in the past approved a ratio of punitive to compensatory damages of about 11 to 1" ( and you get a cool $79.75 million.

    I'm not sure if that ratio is a maximum or an average of all compensatory damages or what, but all of this appears to have the objective of inflating that final figure.

    Why?  Because,
    Schnucks sought to remove a case from Illinois’ St. Clair County Court to a federal civil court in the Southern District of Illinois. Such courts have jurisdiction when the potential class action includes residents of another state, the amount involved exceeds $5 million, and the class has more than 100 people. []
    In other words, Schnucks needs some amount that is over $5 million; otherwise, the case remains in county court.

    I don't know how it might be advantageous to have a trial in county court vs. federal court (more on this further below, actually), but it looks like Schnucks really wants a change in venue.  (Otherwise, why quote $80 million when $7.25 million handily meets the legal requirement?)

    Precedent Setting?

    The problem, as noted, is that no American court has ever considered the time spent rectifying one's credit as a reason for winning a lawsuit.  Indeed, such cases tend to be "summarily dismissed," which is legalese for "not even seeing its day in court because there isn't a case there at all."

    Yet, it remains to be seen whether the courts do accept the above math as satisfying the threshold for the condition that the "amount involved exceeds $5 million."  If the courts rule that it does, then... well, I don't have to be a lawyer to see that it could be a watershed moment.  If this passes muster, then every single lawsuit involving a data breach would reference it; it would be a great setback to businesses and other organizations that have an enjoyed a great amount of protection from the courts.

    (Although, truth be told, the tide is turning on that front as well.)

    An Expert Weighs In on Venue Change

    According to a lawyer quoted in a article, Schnucks is playing a very delicate game.  He also gives possible explanations on why the company is looking to have its case tried in federal court:
    • Schnucks may think it has a fair chance at the federal level because their courts "are generally better equipped and more experienced at handling large class-action data breach lawsuits."
    • Data breach lawsuits don't tend "to fare well in federal courts," something that I can attest to based on my 5+ years of covering such issues.

    The downside, though:

    Schnucks' effort to get the case to federal court is that it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it.
    I've said before, I'll say it again: using proper solutions to protect one-self from data breaches, such as BYOD security programs and laptop encryption software, is much easier than trying to fix things after the fact.

    It's not the fact that such solutions are infallible.  Rather, it's the fact that most states and courts tend to view the presence and use of such solutions as (1) a company that wasn't being neglectful when it comes to data security and (2) many laws and regulations provide safe harbor if they are used.

    Plus, there's the undeniable fact that their use – for example, disk encryption on a laptop full of sensitive data – really does protect the data in the event something goes wrong.


    Related Articles and Sites:
  • Lawyers And Disk Encryption: ABA Model Rule 1.6 Confidentiality of Information And Recommendations

    People in the legal sector have sought our services to protect portable digital devices.  It's not surprising, really: legal professionals have taken up technology for better efficiency and mobility, and you'd be hard pressed to find a lawyer or a paralegal who didn't own a laptop or a smartphone (or both), or one who doesn't use email or send documents electronically.

    No wonder, then, that individual lawyers as well as legal firms seek out AlertBoot's services in order to secure laptops, smartphones, and tablets, as well as backup media such as external hard drives.

    My own research showed that lawyers are not required to use encryption; however, some mentioned that this may not necessarily be so, and pointed me to the American Bar Association (ABA) Model Rules of Professional Conduct, particularly Rule 1.6, which deals with the confidentiality of client information.

    After going over it, and the opinions that the ABA has published, I finally understood what our clients were hinting at: as of May 2013, lawyers are not required to use encryption, just like medical professionals are not required to use encryption.  However, for professionals in the medical sector, HIPAA and HITECH rules are structured so that one cannot escape the use of encryption, especially when it comes to portable devices that store sensitive patient data.

    Likewise, the ABA concludes that the use of encryption (or any other type of data security) is not required.  The twist, however, is that those in the legal profession have always been required to protect a client's information, and thus they have little recourse but to use encryption and other data protection tools.... although this depends on the situation.

    The ABA leaves it up to individual members to know when that situation arises.

    Laptops and Smartphones: Encryption is Needed

    I won't go into the details, but it's pretty clear that if a lawyer uses either a laptop computer or a smartphone to store and access confidential client information, these require a certain degree of protection.

    Thankfully, most smartphones and tablets that use iOS (Apple) and Android already come with disk encryption built-in.  For Apple devices, it's just a matter of setting up a password, since their smartphones and tablets already come encrypted.  When choosing a password, the rule of thumb is that the longer and more complex the password (i.e., it uses both letters and numbers), the more secure it is.

    For Android devices, encryption has to be enabled.  Instructions on how to secure these devices are easily found via online searching.

    For laptops, the story is a little different.  Most computers do not come with laptop encryption software on them.  For example, BitLocker is included free in Microsoft Windows versions labeled "Ultimate" and "Enterprise."  If you're using Windows "Professional" or lower in the OS chain, then BitLocker is not available.

    Assuming that free disk encryption comes with your particular computer, you still have to figure out whether it matches your needs.  I'll discuss it further below, but here are a couple of scenarios to consider: will you need help resetting your password in the event you forget it?  Do you know how to manage and safeguard your encryption key?  Do you know what to do in the even your data gets corrupted and your computer won't boot up?

    "Reasonable Efforts" to Protect Data

    In the comments to Rule 1.6 of the ABA Model Rules, it is noted that:
    (c)  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
    I can already see how this is confusing: what exactly defines "reasonable"?

    The consensus appears to be that the use of encryption is a reasonable effort.  Why?  For various reasons:
    • Encryption is one of the pillars on which computer security is based upon.
      1. It is used in finance ensure secure transactions over the internet.  Online banking, for example, is possible because of data in motion encryption.
      2. It is used in medical sector to protect patient data that are stored in computers, smartphones, tablets, backup tapes, external hard drives, etc. – anywhere a digital byte may be stored.
      3. It is used by governments to secure their own sensitive information, be it military transmissions, classified information, or otherwise.
    • Data security experts not only testify that encryption works, they use it to secure their own data.
    • Governments the world over have slowly been admitting that they cannot break encryption, and have resorted to passing laws that would legally allow them gain access by coercing the data's owner.

    So, it's pretty established by now that encryption works, and it works very well.  The question is, then, what type of encryption solution should one get?

    Encryption Recommendations

    While there are many ways to encrypt data, my recommendation would be to use a solution that meets the following: 
    • It employs AES-128 or higher.  AES, American Encryption Standard, is the de facto encryption algorithm for the US government.  Data security researchers the world over have attacked, and are still attacking it, and AES has proved to be resilient.
    • It was validated by NIST.  The National Institute of Standards and Technology tests encryption software to see whether there are any weaknesses to them.  Even if a particular encryption software employs AES, there could be weaknesses in it how it is actually used within a particular software suite.  NIST's validation ensures that such weaknesses are not present.  The US federal government can only use NIST-validated encryption.

    A quick word on validation: some encryption packages out there claim to be "NIST-certified."  NIST itself doesn't use the terminology "certified."  If you find a software or hardware vendor who claims their security product is certified by NIST, it either means one of two things:

    • They've actually been validated by NIST, but are confused and are interchangeably using the words "certified" and "validated."  Security-wise, this confusion is not a problem.
    • They have not actually been validated by NIST, but their software conforms to NIST requirements, which are listed publicly.  The idea is that you'll be secure...but without someone actually kicking the tires, you'll always wonder if this is actually the case.  This is potentially a problem.

    Does the second situation above matter?  It might for meeting certain legal terms.  For example, HIPAA and HITECH rules require that "valid encryption processes" be used in order to enjoy safe harbor from the Data Breach Notification Rule.  What is a valid encryption processes?  Well, it turns out that it's whatever NIST says it is, and in order for NIST to make a decision, they have to go through the process of validating it.

    When you think about it, it only makes sense: what would a bunch of healthcare professionals know about encryption requirements?  It only makes sense for them to defer to people who test and research computer security for a living.  Namely, the group of researchers at NIST.

    What Do You Want?  What Do You Need?

    Once the above conditions are met, lawyers should be evaluating the extra features that mobile data security and encryption providers to the legal sector are putting at their disposal.
    • Encryption Key Management.  Each device that employs cryptological protection has its own encryption key; this is why you can use the same AES encryption algorithm and still guarantee privacy.  In the event that something awry were to happen, such as your computer not booting up, the key has to be produced.  Otherwise, you've essentially locked yourself out of your computer forever.  Even if you knew your password, it wouldn't help in this case: Passwords are, to put it simply, a method to push the encryption key in place so that you can access a device's data.  Since you have the password but no key, you're locked out.

      One of the greatest challenges when it comes to encryption in the enterprise is not the act of planning and carrying out laptop encryption.  Rather, it's the management of the encryption keys (essentially keeping track of which key belongs to which machine and ensure that you've written down the key's details correctly, as a single character error will invalidate your key).

    • Password Recovery.  People forget their passwords for myriad reasons.  If your encryption software comes with a method to reset a password, this will help assuage any concerns regarding passwords.  Generally, password resets require an outside party to be involved (your laptop, smartphone, or tablet wouldn't house a password reset feature because it would become a security issue).  For example, an Android device's password can only be reset by going through Google's services.

    • Data Recovery.  Computers fail.  Sometimes, they fail spectacularly.  Under such circumstances, chances are that help is necessary when it comes to recovering your data.  Even if you have an IT department, chances are that they'll need help.  After all, recovering encrypted data is not a situation most people, even if they work with computers, face on a frequent basis.  If you're using free encryption, who do you turn to?

    • Management Server.  If your office requires the protection of multiple computers and smart devices, you'll be better off with a server for managing your encryption project.  Among other things, a dedicated computer server allows an administrator to deploy the encryption software to multiple computers and devices, push out required updates, and run audit reports to ensure that everything is as it should be.

    • Encryption of external media.  While the storage capacity of laptop computers has increased exponentially, a universal law appears to be that your laptop's disks will "runneth over."  Even if that's not the case, sometimes you may find it convenient to copy a file to a USB flashdrive and hand it to a colleague that will in turn copy it to his or her laptop, especially when the files are too big to be emailed.

      External disks are the weak chain in full disk encryption because data is copied in its raw form to external storage media.  In other words, when full disk encryption is used, the data is only encrypted when it's on that particular computer disk.  Copy it over to some other disk – be it a hard disk drive, a USB flash drive, or a CD – and the data is no longer protected.

      This is also true for hand-held devices.  Android products often feature an expandable memory slot.  Encrypting this external storage location is also important in ensuring top-grade data security.

      Also, if you back up your laptop's computer data to an external hard disk, you'll also want to make sure that this backup disk also encrypted.

    • Remote Data Wipe.  Even if you have encryption in place, you'll probably gain some peace of mind knowing that the data can be irrecoverably deleted in the event that your device is lost or stolen.  Data wipes can be triggered in two ways: the command can be given by an administrator when the device is stolen or it can be automatically triggered when the wrong password is entered a certain number of times (e.g., on the eleventh incorrect password entry attempt).

    It's not a coincidence that AlertBoot Mobile Security (for smartphones and tablets) and AlertBoot Full Disk Encryption (for laptop computers and external hard drives) address all of the above issues, among other things (you can find out more by contacting us).

    Use Your Judgment

    Ultimately, though, you must understand that encryption is not a perfect palliative to your data security ills.  It doesn't take a rocket scientist to realize that not losing a smartphone or a laptop computer is always the best "choice" when it comes to data security.  Encryption is there to play back up, not to be the main star.

    Related Articles and Sites:


  • Apple BYOD Protection: Pentagon Clears Apple Devices for Use In DOD Network

    Many media outlets are reporting that the US Department of Defense (DOD) has finally approved the use of Apple devices on its network.  I see plenty of comments like, "Great, prepare for malware to spread in our country's military networks because some government worker decided to download the wrong game" or some nonsense.

    Yeah, BYOD, or Bring Your Own Device, introduces risks.  That's why you need to have the appropriate infrastructure to support BYOD, including the use of MDM (mobile device management) solutions for smartphones and tablets like AlertBoot Mobile Security.

    It also helps if your BYOD project is not actually a BYOD project.

    Apple Devices are STIG-tastic reports that:
    The release of the Apple iOS 6 STIG is a major stride in building a multivendor environment, supporting a diverse selection of devices and operating systems, DISA officials said. This STIG and the recently approved STIGs for the BlackBerry and Samsung Knox operating systems demonstrate DISA's commitment to validate a range of devices that meet DOD security standards so the best technology is available to achieve mission requirements, they added.
    The STIG, or Security Technical Implementation Guide, is documentation designed to standardize security in the installation and maintenance of computer hardware and software, according to Wikipedia.

    It Ain't BYOD If You Don't Bring It

    What this all means is that Apple can now sell their devices to the military.  This does not mean that people can bring their own iPhones and connect them to the government network.  Also from (my emphasis):
    government-issued iOS6 mobile devices are approved for use when connecting to Defense Department networks within current mobility pilots or the future mobile device management framework
    See how it says government-issued?  A further explanation by the same site (my emphasis):
    Officials said the STIG does not allow personally acquired mobile devices to connect to DOD networks.
    In other words, they'll give employees an iPhone. Or an Android phone (as long as it's a Samsung, I guess, or running KNOX).  Or perhaps even a Blackberry.  Basically, the DOD, which is already leveraging Blackberry devices for better productivity and communications, is now widening their options in terms of hardware (and possibly software).  

    No BYOD here.  More like CYOD, Choose Your Own Device.

    Fool Me Twice, Shame on Me

    The capriciousness of the "here come the data breaches" comments are a little annoying.  Granted, the military once had a huge problem in their hands due to USB memory sticks, and ended banning all removable media devices on DOD machines.  However, I like to think that much has changed since 2008.  It seems quite obvious to me that the DOD would have learned something from the experience; they're most probably not approving Apple and Samsung devices without a good idea of what they're doing.

    Getting Philosophical

    Now, you might say, "hey, it's a matter of when, not if.  That's the nature of data breaches.  You can't really escape it; you can only be lucky enough not to be there anymore when it happens."  In other words, MDM, passwords, encryption, location tracking, etc. are all for naught; attempting to provide security is useless when you know it's going to eventually happen.

    Well, that's also true when it comes to death.  The probability of you meeting your maker is 100% (in a manner of speaking), but mass suicides are severely lacking among the logical crowd.  Often times, engaging in the "impossible" is still worth doing regardless of the odds.

    Related Articles and Sites:


  • UK BYOD Security: 82% Of Biz Unaware Of Existing Data Protection Expenditures

    The UK Information Commissioner's Office (ICO) ordered a report to find the extent of English businesses' knowledge on the European Commission's data protection reforms. Among other things, the updates to the privacy laws further encourage (indirectly) the use of data protection software, like AlertBoot's Mobile Security for smartphones and tablets, as well as introducing novel ideas such as the "right to be forgotten."

    Bad News

    The survey's results are not very encouraging.  For example, it turns out that 82% of businesses did not know how much they spend on data protection.  Observed,
    it is not surprising, then, that 87% could not estimate what the impact of the reforms would be.

    Respondents were asked to describe the reforms as they understand them. Four out of ten had an inaccurate understanding of all ten reforms, and not one fully understands every one.

    An Easier Way?  A Totally Transparent Cost Structure

    I don't know about "the inaccurate understanding of all ten reforms," but I can understand why most businesses don't have a good idea on their data protection budget.  The answer is that it's not easy figuring out what it actually costs.

    Consider just one example of data security: laptop computer encryption and mobile device security for smartphones and tablets.  Under the traditional model you have:
    • License purchases.  Depending on the approach, a company may have to purchase the licenses in pre-arranged blocks, say at least 100 licenses, and 50 additional license blocks after that.  If you need 105 licenses, you have to purchase 150.  The remaining 45 are sometimes called "shelfware" because that's where they end up; maybe you'll them all, maybe you won't.

      Because computers are tracked (e.g., to install updates or new software), you have a good idea of how many machines are on your network.  But the cost of the data security is actually greater than that because of shelfware as well as computers than are not plugged to the network.  Unless you have meticulous records, chances are your estimates will be lower than reality.

    • Bring Your Own Management Server.  In other words, you have to provide the infrastructure for managing, deploying, and installing the licenses you just purchased.  Of course, you could do it without central management.  But if you have more than, say, 50 computers to manage (again, to install updates or new software or whatever), a management server saves time and money.  But only if you plunk down money.  The problem is that you may add, retire, or repurpose servers as necessary or as opportunity permits.

      And, by doing so, you also change the equations for what you're spending in terms of electricity, peripherals (like LAN cables and whatnot), etc.  In the end, these add up to a substantial figure.  But, with things moving in and out, you're never quite sure what the figure is.  For example, a management server for full disk encryption is repurposed as a printer server...did you update your accounting spreadsheets as well?

    • Data Center.  Many companies make use of data centers to ensure reliability and uptime of core operations.  The data security portion probably holds a fraction of the space allocated in a data center.  So what are its costs, exactly?  You know you're paying saying, $5,000 per month, but how much of that is assigned to the data protection portion?  Good luck finding out.

    • Employees.  Maybe the company has an IT department.  And maybe the IT department's personnel are doing double (or triple) duty as coders, troubleshooters, software installers, hardware installers, and who knows what else.  How much of their time is spent on data security stuff?  Or maybe they've got people dedicated to doing password resets for people who forgot their passwords and are locked out of their computers.

    As you can see, trying to figure out how much data security costs is fraught with blind spots.

    Of course, it doesn't necessarily have to be this way.  AlertBoot's security suite for endpoints – AlertBoot Mobile Security for BYOD and AlertBoot Full Disk Encryption for laptop hard drives – are a model of cost transparency: a flat annual price without any predefined license purchases: you can obtain as many (or as little) licenses as you need.

    This is possible because the solution is cloud-based, hosted on AlertBoot's data centers.  This means any hardware and software issues are left up to AlertBoot.  Furthermore, the company provides support and password recovery services 24/7, ensuring that the IT department is focused on more important matters.

    Because all of this is included in AlertBoot's offerings, calculating data security costs are also very easy.

    Related Articles and Sites:
  • Smartphone Security: Facebook App - Yes, They Can Use Your Smartphone Camera (But They Won't)

    Whenever I mention that AlertBoot Mobile Security, an MDM for protecting smartphones, allows one to disable their camera (and keep it that way), some people say something along the lines of "hey, that's great for companies infringing on my darn tootin' rights to do whatever the heck I want with my own smartphone that I'm allowed to use at work, but why would I personally want that?"

    I never could answer this question.  What is the value of this feature for the smartphone owner?  Thankfully, Facebook is making the case for me on this one.

    Facebook Spokesperson Essentially Says: "Trust Us"

    In what I can only describe as one of the most horrific (but also naively refreshing?) statements I have read in a while, had this to report (my emphasis):
    While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.
    I realize that I haven't even covered the details of the story, but doesn't the above kind of make the hairs on your neck stand up, and tells you all that you need to know, regardless of the story?

    I know it does to me.

    It's Google's Fault

    Eli Langer over at has a story on how people are "complaining about Android applications" for Facebook and Google Search.  Namely, that these apps can use a smartphone's "microphones and camera at any point without any confirmation."

    I wouldn't have believed it if it weren't for a screenshot that shows the legal language.  You can find it by visiting the story, but it reads:
    Record Audio: Allows the app to record audio with the microphone.  This permission allows the app to record audio at any time without your confirmation.

    Take Pictures and Videos: Allows the app to take pictures with the camera. This permission allows the app to use the camera at any time without your confirmation.
    Now, a screenshot in the age of Photoshop means nothing.  But, consider this: (1) multiple people are tweeting about it, (2) neither Mr. Langer nor are not known for pulling April Fool's day pranks in mid-May (as far as I know, that is), and (3) there is the admission by a Facebook spokesperson, which we already saw above.  In fact, the full quote in the article is the following:
    A spokesperson for Facebook explains this [the legal language above] as follows: the language in this disclaimer comes from Google and wasn't written up by Facebook, it's simply how Android handles camera access. While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.
    I'm on the fence whether the full passage makes the spokesperson's statement more or less creepy.  One the one hand, the "openness" and "transparency" are appreciated (even if most people wouldn't read the legalese).  On the other hand, a living, breathing person telling me that I should ignore the implications.... well, let's just say that I'm pulling out of storage my X-Files t-shirt just for this occasion.

    The Solution?

    AlertBoot is one of the many companies that have a BYOD solution.  It's an MDM (mobile device management) service that allows one to control and manage smartphones and tablets from the cloud, and it includes features like remote data wipe, password policies, and Wi-Fi provisioning (and more, of course).

    It also includes the ability to disable cameras on mobile devices.  Many companies do not allow cameras in the workplace for myriad reasons, and this is how it works in AlertBoot:
    1. A policy is created in the online management console.  For simplicity's sake, it'll be for disabling the camera.
    2. Apply it.
    The policy is updated for devices, and that's that.  This works as long as the device is not jailbroken (of which the administrator will be notified).

    If a regular/official/authorized version of the device's OS is in place, the Facebook app will not be able to access the camera, period (in the event of a conflict between the app settings, "use camera," and the AlertBoot MDM settings "camera disabled," the latter comes out on top, as should be the case).

    Of course, the "real" solution is for Google and/or Facebook to change their policies and not allow this to happen.  I mean, the app can technically access your mic and camera but "it won't happen?"  Why build it, then?  And why ask for permission to use it without your being aware of it?

    Related Articles and Sites:
More Posts Next page »