[0xEFF]

Over half of Google's workforce are contractors. Google does not provide a mobile device to contractors. The options for TVC's are to let Google control a personal device or take a significant productivity hit and opt-out of mobile email, chat, and docs.

[mekane8]

That's a really crappy policy if I'm understanding it right - not provide a mobile device but insist on completely managing one if they choose to use it for company business? What a shitty way to treat people working for you.

[CoolGuySteve]

It should be illegal. How much is your employer allowed to know about you or who you contact outside of work?

The answer should be nothing but there's a moral hazard wherein employees can't do much about it without limiting their career.

[tssva]

They are contractors. They don't work for Google. They either work for themselves and have a contract directly with Google, are an employee of a company which has a contract with Google or are a sub-contractor to a company with a contract with Google.

If they are directly contracted with Google or a sub-contractor through another company they should purchase an additional phone for this purpose. Both the phone and the service would be considered a business expense for tax purposes.

If they are a direct employee of another company then that company should be providing a phone for this purpose. If Google or their employer won't provide a phone for this purpose than neither considers it a requirement for the job and they should not worry about it.

[zaroth]

How else could corporate IT possibly do it?

A contractor can deduct work expenses from income, a phone is just one item on a long list of things that will be deducted.

If there is corporate information on a device, it would be a breach of their fiduciary responsibility not to manage that device and have the ability to remotely wipe that data.

[chipotle_coyote]

> If there is corporate information on a device, it would be a breach of their fiduciary responsibility not to manage that device and have the ability to remotely wipe that data.

I don't think, in a legal sense, that's true. It feels like it comes from the same mindset that corporations have a "fiduciary responsibility" to their shareholders to always put profits above all else; in fact, there's nothing in corporate law or financial regulations that requires that at all.

The IT department has responsibility for network and systems policies and company-owned equipment, and it's perfectly reasonable for them to have the ability to wipe data on that equipment or set policies that disallow personal devices on company networks at all. But they have no requirement -- and I would argue no business -- to wipe a non-company device just because someone added a corporate email account to it.

Does that make it marginally more likely that someone could keep corporate email that they weren't supposed to? Sure. But there are other legal ways of handling that which aren't destructive to non-company property. No one would argue that a policy of "if you take physical work home, upon termination the company can set fire to your house to ensure all copies are destroyed" is enforceable.

[zaroth]

I’m pretty sure GDPR protection of “personal data” applies to employees and not just customers.

If my personal calendar and work emails are being copied onto your device, you better believe the GDPR data protection regulations apply.

The house example is ridiculous. The point is if you commingle the data in ways such that the endpoint protection software no longer supports delineating the corporate data, then the user (employee/contractor) has opted into that situation with eyes wide open.

> Computing devices need to be protected from loss or theft through mobile device management capabilities, such as remote wipe and kill. A lost device could be the weak link in the data protection chain, leading to a data breach based on information stored on the device or accessible through still active user credentials. Enforcing certain settings in order for a device to connect to the network at all – such as local encryption, password complexity, the presence and currency of security software, and the removal of the local administrator account – will be an essential part of protecting the organization within the GDPR framework.

[1] - https://www.actiance.com/wp-content/uploads/2017/03/WP-GDPR-...

[chipotle_coyote]

The house example is exaggerated, but as I wrote in another reply: just as my personal physical property does not become company property if I am on their physical property, my personal data should not become company data if I am on their network.

> If you commingle the data in ways such that the endpoint protection software no longer supports delineating the corporate data, then the user (employee/contractor) has opted into that situation with eyes wide open.

You're assuming the user has been given a clear understanding of the situation, and frankly, I think you're letting the IT department off the hook here. They need to either provide protection that can prevent "commingling" to their satisfaction, to grant a comparable level of trust to users with personal devices that they do in other aspects of conducting business (which was the real point of the example you didn't like), or just to ban personal devices.

[zaroth]

> They need to either provide protection that can prevent "commingling" to their satisfaction, to grant a comparable level of trust to users with personal devices that they do in other aspects of conducting business (which was the real point of the example you didn't like), or just to ban personal devices.

DLP (data loss prevention) software should be present on any personal computing device that can store company data, which will be a requirement of their cyber-security insurance policy, a requirement of the various audits they surely undergo, and probably also a requirement of GDPR.

It's providing strictly more choice and flexibility to their employees and contractors to allow them to host company data on their personal device, the obvious trade-off being made when you install the DLP endpoint software on your phone and grant it permission to remote-wipe your device if necessary.

If the company required their employees/contractors to use their personal device for company business, this would be an entirely different discussion. In California, the employer is required to reimburse employees for using their personally owned device for company business - i.e. required to pay for the cost of a phone and the service plan.

Employees choose not to buy a second phone and get paid for their service plan on their personal phone for convenience, and to save themselves the cost of a personal plan. Some choices are not strictly good, but include pros and cons which are individual's responsibility to weigh.

I think it's a safe assumption that anyone choosing to install the DLP agent on their personal phone, particularly at a company like Google, does so fully informed of the responsibilities that come with that decision.

[mcguire]

"But they have no requirement -- and I would argue no business -- to wipe a non-company device just because someone added a corporate email account to it."

Personal devices are excellent attack vectors if allowed on the internal network unmanaged. The alternative is not accessing internal resources, email, etc., unless the employee is given a company-owned device.

[chipotle_coyote]

I'd genuinely argue that if the company's worried about that, they should either (a) to disallow personal devices on the internal network, period, or (b) find a management solution that does not involve putting data they do not manage at risk. Just as my personal physical property does not become company property if I am on their physical property, my personal data should not become company data if I am on their network. I understand that segregating data that way may be a hard IT problem, but if they can't do it, the solution should not be "welp, we control your data now."

[EpicEng]

>or take a significant productivity hit and opt-out of mobile email, chat, and docs.

I'd call that a quality of life improvement. Why are contractors required to be available 24/7? I've never experienced that as a contractor, nor would I agree to it.

[dleslie]

And this is why I do not have any access to work accounts on my phone.

If it's so important that it must be done during my personal time then my manager can call me and request as much.

Remember pager duty and overtime pay? Doesn't that seem quaint now that many people seem to have accepted that they must make themselves available at all times?

[Joe-Z]

>Remember pager duty and overtime pay? Doesn't that seem quaint now that many people seem to have accepted that they must make themselves available at all times?

I'm too young to remember, but I have a few years of working experience under my belt now. The amount of people that greenlight everything a supposed authority demands of them just baffles my mind. I'm not even mad if a company tries to maximize their gain on the expertise that I bring to the table. That's just the game: You work for what's in your best interest, I work for mine. But when you push back against a perceived worsening of workplace conditions and the people not supporting you are your colleagues, because they somehow see themselves as being on the same side as the boss... I'm kind of sad about the social achievements people are willfully throwing away in the hopes that they themselves will 'make it' one day

And by the way, this is coming from someone who loves his job and has a good relationship with his boss. Doesn't mean I have to be delusional about what's going to happen when push comes to shove

[oncalleng]

Google does pay employees for time spent on-call outside of normal work hours. On-callers for services with tighter SLOs get payed more.

[PopeDotNinja]

I put work Slack on my phone, but that's it. Maybe 2FA stuff as needed.

[bussierem]

>I put work Slack on my phone

This instantly qualifies you as "available 24/7"

[PopeDotNinja]

It does. I work remote and off hours, and my phone doesn't blow up to much, so I roll with it for now.

[neves]

They can freely choose to stay unemployed

[EpicEng]

Incredibly insightful, thank you. We all know how hard it is to find a programming gig these days.

I'm not convinced you have any knowledge of how things actually work in Google, but my point is that you can give me a ring if something requires immediate attention. If you don't provide a company phone I'm not using mine instead.

[hvidgaard]

Buy a "Google phone" and use it for that, keeping your private phone, well private. It's just the cost of doing business with them.

[d1zzy]

Unless your job requires work email/calendar while at home I really don't see how having corp access on mobile can be a justification for productivity.

The moment my company announced a requirement for having to install a corp policy enforcement application on my personal phone if I wanted to have access to the corp account (a reasonable request, in terms of company policy/security) was the moment I stopped having corp account on my phone (or any phone for that matter). It's been working fine for years.

[cloudwalking]

Contractors are not expected to work after hours. This is a reasonable stance for the company to take.

[m-p-3]

Seems like Google isn't leveraging their own tools properly then.

They can make a non-corporate device have a work profile with Google Apps Device Policy, and only that profile will be purged if the device is wiped by a Google Admin.

[52-6F-62]

Even simpler for corps as large as Google is simply having a supply of contractor devices they completely wipe upon the termination of the contract. That's what my last company did.

They didn't require contractors to bring their own computers and phones to the office if they were needed for their work.

I'm sure Google could afford that as well as to manage it...

[c0achmcguirk]

Google does do that. Lot of misinformation in this thread.