Mobiles and Your Identity

Today I want to just briefly talk about the competition between Apple’s iPhone and Research in Motion’s Blackberry. I’m not going to bother with things like the aesthetics or the ease of using one over the other. Instead what I want to talk about is how these devices are, and will (in the iPhone’s case) be used. I’ll, as usual, provide a bit of background and then get to what is the real issue with these devices: unless secured, these devices, and other like them, can reveal a substantial amount about yourself and others, enough that it would be a relatively simple task to assume your identity and potentially negatively affect others’ identities/reputations.

Packing Some Confidential Property

I’ll admit it: whenever I go anywhere, my Blackberry comes with me. I use it to track all facets of my life: my contacts (i.e. who I know, what I know about them, notes that I see as important about them), my calendar (i.e. what I do at almost all points of my day, who I’m meeting with, why I’m meeting with them), my email (i.e the communication that I have and think should be recorded for a later date), and my instant messaging (i.e my personal discussions that let me be me with friends). This is super-convenient for me. It also means that I’m carrying a device that would give someone who found/stole it a significant insight into my life and some insight into the lives of people that I know.

Apple has recently announced that they will be releasing the SDK for the iPhone, which will mean that push email and increased enterprise integration are forthcoming. That’s great! Now RIM will have some real competition (sorry Palm users, I don’t really see the Treo as competition at this stage in the game), and people who love all things ‘i’ will be able to get their email on their (more stylish) devices. It will also overcome a recent criticism that iPhones aren’t for enterprise-appropriate because they don’t provide the functionality that is demanded by enterprise-level customers.

What Have You Been Saying? When? Why?

Unsurprisingly, if your phone is stolen and the password broken then a potential rescuer/thief can learn an awful lot about you. This can be helpful if they call home and let your mom know that your phone is safe, but troubling if all of your celebrity friends start getting phone calls from creepy strangers. It’s even worse when those strangers know where you’re going, what you’ve been saying, and discover interesting tidbits not just about you, but about your corporation and companions as well.

What is most appealing about the iPhone is that with some new software that will be coming out for it, it can be wiped of all data by IT workers from a distance. This means that if you do have confidential anything on it that a few relatively simple clicks of a mouse and keyboard will erase the data that may have otherwise been responsible for destroying your career. At issue, of course, is that at the moment we don’t know how securely deleted this information is/will be. While it will almost certainly be enough to stop a casual thief from discovering anything useful on it, I have my doubts that will will prevent someone who really knows what they’re doing from gaining access to the files.

In the case where one of these devices is found/stole the person who possesses it can learn an awful lot about you. I know many people who email passwords to themselves, just in case they forget them. They also store personal pictures and intimate correspondence. While true that these devices tend to leave files on the network they are associated with (rather than remaining on the device itself), it is a relatively simple process to move them from the device to a portable computer. Depending on what is stored, and the details in the notes, memos, and meeting events, it’s entirely possible that someone could learn a significant amount about you. This could be used to harm your reputation or damage your identity, with identity here being defined as the values and normative expectations that you have built up around yourself, and insofar as you could suffer more tangible financial or marital unpleasantness that otherwise expected had your personal information not been compromised.

What Could be Improved?

As it stands now, it is possible to lock out a Blackberry from accessing the network it is associated with, which means that your email can remain safely hidden away from anyone else. To the best of my knowledge (and the knowledge of employees at RIM who I have spoken to about this) the same doesn’t apply to the other data that resides on the device. In Apple’s case, they will enable enterprise support teams to wipe iPhones, limiting the chances of confidential data being made public. Both of these solutions are, in my mind, inadequate. What would be preferable would be to allow both individual users (i.e. those who sign up for personal plans) to wipe their devices remotely. This, of course, would mean that they would be vulnerable to weak security protocols that discrete vendors put in place but I don’t see that as a reason to avoid this kind of system.

One of the nice things about enterprise level securing of mobile devices includes disabling the devices to the point where they cannot be turned on once IT has sent the ‘kill command’. The devices can be reactivated if it happens to be recovered, though the likelihood of that happening is likely minimal. What might be helpful, at least on personal devices, is for the lock-out screen to include some service number that a person who finds the device to call in order to return a device to its owner. In this situation the individual who lost the device would reimburse their carrier for the costs of returning the device. In most cases the cost of returning the device should be lower than purchasing a new mobile, leaving the individual who lost the device in a better position than if they had to abandon most hopes of ever seeing it again.

It’s my hope that by allowing individuals to lock their devices from a secured remote location that they would be able to reduce the damage that could come to them and to the individuals who’s information is held in the device as well. I don’t want to claim that my proposals would resolve all, or even most of the identifiable information issues with personal information management devices, but think that they would be a step towards a more comprehensive security system.