Blackberry Security Question - Help
Hey everyone (especially to you IT guys out there):
I was wondering if you all can give me an honest answer as to how safe my personal information is on my Blackberry: On my BB 8830 (my phone - I bought it), it is currently on my own separate (personal) account with Verizon Wireless. I just submit a T&E for it every month. I run a BES (BB Enterprise) mailbox that syncs with my Outlook messages on my company email folder. This also synchronizes my calendar, but not contacts (I instructed our IT department to not do that). Question is: I have personal BIS accounts (which I use for personal clients) through BB Internet Service (Verizon's). Can my company's IT department read/access:
1. My BIS email accounts
2. My Blackberry Internet history, and sites I've visited
3. My call history, or even track my calls?
4. My contacts
I'm mainly concerned about client privilege - I maintain confidential client info on my personal BIS accounts. Is there a potential way my IT department can access those BIS emails, contacts, web pages, and the like ... merely because I have a BES (enterprise) link with the company? If they can get to it, is there a way I can firewall my BIS email accounts from them? haha...
In short, yes. When you tie a BlackBerry to a BES server, you essentially give all control of the phone to the BES server. Your IT administrator can access your device remotely, force passwords, restrict BIS access, wipe the device, etc. I haven't tried to pull data from a BB in a while, but it can in theory be done. With BES, the admin can inventory all the applications, versions, etc. on the phone as well as force the installation of other applications, etc. The BES policies can be pretty intrusive if the admin so chooses.
If you have a BB tied into BES, you should assume the device (and the contents on it) is under the control of the BES administrative policies.
Wow, I didn't know it could be that intrusive! I'll keep that in mind.
Is the same thing the case if I was using a Treo on ActiveSync through the Enterprise Server? Not BES, but just an Enterprise Service link with Outlook. Thanks!
ActiveSync isn't as thorough as a BES server. Some of the features depend on the phone, version of ActiveSync, etc. AS is trying to replicate much of the BES feature set. Most AS implementations have at least some basic functionality to force a password or lock your device remotely. You can do other things like disable Bluetooth, disallow certain apps, etc. You can see a list of some of the policy options here: http://technet.microsoft.com/en-us/l.../bb123484.aspx
The only way to sync with a corporate server and not give control of your phone is to use a standard mail protocol like POP3 or IMAP (similar to BIS). Unfortunately, doing so limits your ability to use other features such as calendaring, address-book lookup, etc.
Wow, that's good info - thanks. Lesson learned the easy way. For anyone else in the legal industry, have you addressed this with privilege or work-product issues? I work in house (and that's where my BB syncs up with, but it's my BB, my account with Verizon, etc.) and have other BIS email accounts containing privileged info, and at the very least, confidential work-product. If BES can even theoretically get to them (what they actually do doesn't matter, I guess), has anyone dealt with this before?
Getting 2 phones just isn't practical, nor is getting off of BES ... (though I'd rather do the latter if it comes down to it)
Is there any way for the user to determine the exact policies that have been implemented? What if the user ditches BIS and uses something like Logic Mail's IMAP client for Blackberry?
Turning to the privilege issue, there were some recent changes to the federal rules that negated some of the more draconian aspects of the privilege waiver doctrine (particularly in inadvertent disclosure cases). Unfortunately, it may be another five years before most states get on board. I've been concerned for a long time that policies that gave third parties access to privileged communication could be deemed a waiver of privilege under some of the harsher applications of the waiver doctrine. The new revisions go a long way to address this problem, but there are still some very large holes.
Just to clarify, the issue is 'BES' not 'BIS'. BlackBerry Enterprise Server vs. BlackBerry Internet Service. BES is the corporate server, whereas BIS is just straight e-mail through BlackBerry.
You need to get all the policies from the BES administrator. I don't believe there is a way to see a full policy dump from the phone. BES was designed to do everything you are asking for to 'protect company data' from unauthorized access and release. It just wasn't designed to work with multiple companies on the same device. A third-party IMAP client doesn't really help if you're connected to a BES server, as the BES server has the ability to see everything on the phone. If the datastore for LogicMail's IMAP client is encrypted, technically the BES admins would have access to the datastore, but may not be able to access it without a password. If 'disclosure' is the concern, I think one would be able to argue that the corporate e-mail server is no different than a transfer medium and should not be considered 3rd-party disclosure. I'm in the legal world (from the technical side); we have over 100 BBs issued to employees with BES and this has never come up. Phones get lost all the time though; it's great to know they are locked, encrypted, and we can wipe them remotely.
I think insiderdude might be house counsel for a corporation and might be concerned that his IT department doesn't have the same sensitivity that you do.
Denverhockeyguy, I do have a question for you on policies. Is "enable wireless reconciliation" something that you guys control even as to BIS accounts? My wife has a Windows Mobile BB Connect device using BES to her company's server. She also has a personal Exchange server account from 1and1. We programmed the BIS website to get her mail via OWA for this. It works great, but it says that wireless reconciliation is not enabled on her device and I just can't find a way to get it going. Is there any reason why a corporate administrator would have blocked this feature while allowing BIS to work? I know this is guesswork on your part, but I am completely clueless.
Dubai Stu, I'm with you... and unfortunately, this is where things get messy. BES, Exchange, etc. all have different levels of administrators and access rights. Unfortunately, in IT somebody (hopefully not many) has the keys to the kingdom. That said, access to a device, pulling data, etc. will all be recorded in the systems' audit logs. These logs should be reviewed regularly by a Sr. Manager or another 3rd party to catch that kind of behavior or hopefully deter it from happening in the first place.
Unfortunately, in most organizations, for the centralized groupware items (e-mail, calendars, folders on laptops), there are usually a couple of the IT guys that have keys to most of it. It's possible to eliminate these kinds of access (the military does it all the time), but usually the cost to the organization to have those types of controls in place greatly exceeds the risks. It's easier to audit those that have access. My opinion is that many IT folks should be held to similar licensing standards as lawyers and other professions. Some of us have too much access to too much sensitive information. (This is an entirely different, unrelated topic.) From insiderdude's comments, I got the impression ID has work stuff and personal stuff on the same device and is concerned about work accessing his personal stuff. I do it, just because the hassle of keeping them completely separate (different devices, limited functionality) outweighs my personal exposure. It's really a judgment call on the part of a user. With BES you are part of the work cloud, in many respects no different than working from your office desk. Accessing external information is just a matter of you pulling it locally. You can remove your device from the work cloud, and pull data out from the office, but you then limit your functionality (and some companies don't allow this). Both methods work. It really depends on what is more important to you.