Apple’s iMessage Can Cause Problems when Issuing Employees iPhones

 


The Technology and Marketing Law Blog recently had a post describing an employer lawsuit that included privacy-infringement claims against the employer for intercepting an employee's iMessages using his company-supplied iPhone. Although the California Court ultimately rejected the claim, the case had an interesting fact pattern that raises concerns for attorneys and employers.

The employee in the claim had been issued an iPhone from his employer. Upon being issued the iPhone, he associated the phone with his personal Apple iCloud account and enabled Apple’s iMessage. iMessage, unlike standard SMS text messages, allows sending and receiving text messages without an active cellular number. This means that if you register your cellular number with iMessage, your Apple account will allow you to send and receive iMessages on other devices with a broadband connection, even if you have no cellular connection. When you switch to a different cell phone (even if it is another iPhone), you must disable iMessages, or else your old iPhone will continue to receive iMessages if it is on a WiFi network, or another cellular account is registered with it.

The problem is that after the employee’s employment ended, he returned his company issued iPhone, and did not wipe the device or disable iMessages. The employee claims that his former employer continued to receive and review his text messages since his Apple iMessage account was not disabled. The California Court ultimately decided that the employee had no privacy claim against his former employer.

I found this case interesting because I am sure that there are plenty of attorneys in Delaware who are issued iPhones and/or iPads by their employers. This immediately raises concerns for me about employees taking steps to make sure that their data cannot be accessed once they leave their current employment. If you have linked a personal Apple iCloud account to your iPhone or iPad, some of your data created after starting a new job may be accessed by a former employer. Both messages sent and received by iMessage, as well as any data stored in iCloud, may continue to be accessed on the old device until the Apple iCloud account is removed or your password is changed.

If you are currently using iMessages and iCloud on your employer-issued iPhone or iPad, you will want to make sure that you sever any connection before your employment ends. If you do not, there is a chance that text messages you receive in new employment may be intercepted by a former employer. If you are an employer issuing iPhones or iPads, you will want to have a clear policy on the type of personal information and accounts permitted on a company-issued iDevice. Even for an employer, concerns arise that after an employee is terminated, information that was saved to iCloud (like documents created in Pages or Keynote) may continue to be available to former employees. If you are a managing partner at a law firm, you need to know how confidential materials are being stored.

I would recommend not using iCloud and iMessage on any employer supplied iPad or iPhone. Although this eliminates some of the benefits of these services, it protects both an employee and employer from the concern of confidential information being accessed after the employment relationship has ended. Beyond the concern of private personal data being accessed, if an attorney has an old iPhone/iPad that is still receiving data from iCloud that can potentially be accessed by a former employer, there is a very real chance of violating your obligations under Rules 1.1 and 1.6 of the Delaware Rules of Professional Conduct. If you do use iMessage or iCloud, and you are not able to disable these services when employment is terminated, it is important that you immediately change your iCloud password to protect your data. Changing your password should protect you against a former employer accessing documents and data that apps store in iCloud. You should also contact Apple Support to have your old phone number deregistered from iMessage.

See Sunbelt Rentals, Inc v. Victor for the California District Court Decision.

 

Celebrity iCloud Image Breach and Client Confidentiality

I recently posted a new article on Mobile4Law.com about Client Confidentiality in light of the recent iCloud celebrity image leak that occurred over this past weekend. iCloud is a service offered by Apple that is available on every current iPhone and iPad that allows certain data on your device to be stored in the cloud. Over the weekend, it was reported that about 100 different celebrities had personal images accessed that were being stored using Apple’s iCloud service.

It is suspected that these photos were accessed by malicious users using a brute-force attack to guess passwords of the accounts affected. It appears that the only reason they were successful in the attack is because the accounts were using simple passwords, and that Apple did not lock accounts after a certain number of unsuccessful login attempts. 

In the article on Mobile4Law.com, it is explained why this should be a concern to individuals in the legal community that use cloud services for storage of confidential cloud information. I suggest that attorneys take a look at revised Rule 1.6 and the comments to that rule, and determine if they would have committed an ethical violation if confidential client information had been accessed from their account using this same attack.  

This post was written by Steven Butler. Steven is a full-time Delaware attorney that limits his practice to Social Security Disability. Along with being a contributor for iPlugDelaware, he is a partner at Linarducci & Butler, PA.

Another Week, Another iOS Security Bug

Today another reminder has come that your telephone operating system is never as secure as you may think it is. 9to5Mac has a story indicating that a security researcher has discovered that several versions of iOS 7 (including the current version 7.1.1) are not encrypting email attachments in the bundled Mail application. This is a major issue, because adding a passcode to your iPhone or iPad is supposed to add this extra layer of security to your attachments.

What this means to the end-user in the legal community is that if your device falls into the wrong hands, your attachments may be accessible even if your device is password-protected. There does not appear to be any solution to this issue at this time. The security researcher, Andreas Kurtz, reached out to Apple, and it claims to be aware of the issue but has not indicated when a fix would be issued.

In the meantime, be careful if you are using a corporate, government or personal email account on your device and you are exchanging documents with confidential information.