CIO magazine reports that the Federal Appeals Court of the Sixth Circuit has ruled that installing agents* on BYOD devices that monitor the private communication of users may violate federal laws restricting wiretapping. The essence of the ruling is that both the vendor and the entity that installed the agents could be liable.
Here is an excerpt from the majority opinion as written by Justice Ronald Lee Gilman:
Except as otherwise specifically provided in this chapter[,] any person who— (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication . . . shall be punished [by a fine or by imprisonment.] 18 U.S.C. § 2511(1)(a). Section 2511 thus criminalizes the intentional interception of an electronic communication. See id. A separate section of the Wiretap Act then provides a private cause of action for persons who are victimized by such criminal conduct: (a) In general.—Except as provided in section 2511(2)(a)(ii), any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate.
Consequently, per the Sixth Circuit court's ruling, a corporation that installs security agents on BYO devices that intercept and inspect both corporate and personal communication may be engaging in wiretapping in violation of federal law. In that event, injured employees may be able to sue both their employer and the manufacturer of the software for remedies. From CIO magazine:
"Usually, if an employee does not expect privacy when using a corporate device, a company would not be found in violation for searching the device," said Alena Shautsova, a New York City lawyer focused on employment discrimination and other issues. "If, however ... the corporation monitors intentionally his private email or other private accounts, then I believe violations will be found."
As an example, consider the following in light of the court's ruling. An insurance giant deploys a CASB to secure its cloud applications. In doing so, the corporation chooses an agent-based CASB that installs an agent on every end-user device for the purpose of inspecting and protecting corporate communication from that device. An employee of that insurer takes her family to Grandma's house for Thanksgiving. There, she needs urgent access to corporate documents, so she uses the browser on Grandma's laptop to reach her company's SharePoint Online repository. During the login process, the corporate CASB solution installs a CASB agent, which from then on proxies and inspects all traffic between that laptop and Microsoft properties, including all personal communication such as Hotmail email accounts, photo sharing and so forth. In view of the Sixth Circuit's ruling, both the insurance giant and the CASB solution provider may be violating federal wiretapping laws and could be liable for any resulting damages to the employee and to Grandma, whose laptop browser is now permanently proxied through the CASB until Grandma uninstalls the agent.
As a second example, consider a mobile security agent required by a corporation in order for employees to access corporate email on BYOD. Such solutions may have broad access to any and all communication on a smartphone, including but not limited to call history, web history, search history, user names and passwords, location history, contact lists, camera and even SMS text messages.
In view of the Sixth Circuit's ruling, both the corporation and the security vendor may be violating federal wiretapping laws and could be held liable for any resulting damages.
In brief, installing agents on corporate-owned devices is fine, since there is no expectation of privacy on a device owned and operated by the corporation. But installing security agents that monitor corporate and personal communication on BYOD, where the user has a strong expectation of privacy, could constitute wiretapping in light of the court's ruling.
When choosing a cloud or mobile security solution, look for architectures that offer agentless options. Agent-based architectures may appear powerful in the lab, but may prove impossible to deploy at scale, and worse yet, may pose legal liability in light of the Sixth Circuit's ruling.
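As an added example (not code from the original post or from any CASB vendor), the following shows the kind of scoping rule an interception point could apply so that only traffic to the corporate tenant is inspected and personal Microsoft services on the same device are passed through untouched, the opposite of the proxy-everything behaviour in the Grandma's-laptop scenario above. The tenant name "contoso", the host lists and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed example: the corporate tenant hosts an interception point is
# allowed to inspect. "contoso" is a placeholder tenant name, not a real one.
CORP_TENANT = "contoso"
CORP_HOSTS = {
    f"{CORP_TENANT}.sharepoint.com",     # SharePoint Online document libraries
    f"{CORP_TENANT}-my.sharepoint.com",  # OneDrive for Business, same tenant
}
# Personal Microsoft properties of the kind the post describes; never in scope.
PERSONAL_HOSTS = {"outlook.live.com", "onedrive.live.com", "login.live.com"}

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""

def inspection_decision(url: str) -> str:
    """Return 'inspect' for corporate-tenant hosts and 'bypass' for all others."""
    host = host_of(url)
    if not host or host in PERSONAL_HOSTS:
        return "bypass"
    # Exact-host match only: a suffix test like host.endswith("sharepoint.com")
    # would sweep in other tenants, and can be fooled by look-alike hosts such
    # as contoso.sharepoint.com.example.net.
    return "inspect" if host in CORP_HOSTS else "bypass"

def summarize(urls):
    """Count decisions over a batch of URLs, e.g. from a proxy access log."""
    counts = {"inspect": 0, "bypass": 0}
    for url in urls:
        counts[inspection_decision(url)] += 1
    return counts

# Constructed sample requests mixing corporate and personal traffic.
SAMPLE_URLS = [
    "https://contoso.sharepoint.com/sites/claims/Shared%20Documents/policy.docx",
    "https://contoso-my.sharepoint.com/personal/user_contoso_com/Documents",
    "https://outlook.live.com/mail/0/inbox",               # personal Hotmail
    "https://onedrive.live.com/?id=root",                  # personal photos
    "https://contoso.sharepoint.com.example.net/phish",    # look-alike host
    "https://othertenant.sharepoint.com/sites/hr",         # another tenant
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{inspection_decision(url):7s} {url}")
    print(summarize(SAMPLE_URLS))
```

Hostname scoping narrows what an agent or proxy touches, but it does not by itself settle the legal question the post raises; that still depends on device ownership and the user's expectation of privacy.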
*In Luis v. Zang & Awareness Technologies, a lower court dismissed the plaintiff's suit on the grounds that monitoring through software agents is not wiretapping. The plaintiff appealed, and the Federal Appeals Court ruled that monitoring by software agents could constitute wiretapping subject to federal wiretapping laws, and that the plaintiff may sue both the manufacturer and the entity doing the monitoring. The Appeals Court sent the case back to the lower court for a decision on its particular merits. No matter how the lower court rules in that specific case, the Appeals Court's ruling regarding wiretapping stands unless overturned by the US Supreme Court.