The concept of bring-your-own-device (BYOD) reflects where our society is heading today, and the implications are especially relevant to law enforcement (LE). In addition to the common security-related issues faced by all corporations, LE has additional industry-specific issues that need to be dealt with.
Before we go into some of those specific issues, it is important to recognize the reality of the environment we are in, whether we agree with it or not. The reality is that many LE agencies are facing dwindling budgets and, in many cases, technology is not getting refreshed or upgraded as quickly as it needs to be. This is very evident to me as I regularly talk to customers that are still using Windows XP in spite of it being end-of-lifed (EOL) by Microsoft. The answer I usually get to the question of why is that the agency doesn't have the budget to upgrade the hardware and all their software. Even if LE agencies are not using EOL products, they still often have to deal with using older technology solutions, in spite of newer ones being available. I have heard that LE moves at the 'speed of government', which I have often questioned, as the financial benefits of newer solutions can be easily quantified and subsequently justified through a Return on Investment (ROI) analysis. We should also recognize that in today's world, most officers have a personal device in their pocket that has remarkable capabilities but is not authorized for Agency work. This is a reality of where we are today, and it is not surprising that tech-savvy officers recognize the limitations of what their agency supplies to them versus what they use in their personal lives.
If an officer is completing a crash report and wants to take photos of the accident, why shouldn't they use the high-definition camera built into their personal phone? If they have to take a witness statement (provided both parties agree), why can't they record it using the audio recording capabilities on their own device? If they want to look up something in an internal resource or database, such as accessing their RMS through either a web browser or a custom application, shouldn't that be allowed? These are all use cases that would provide greater capabilities and efficiencies with tools that already exist.
There are many issues that organizations face, even non-LE, when considering a BYOD policy. These include:
- How do you secure the internal network with external devices logging in?
- How do you enforce a security policy on the device itself? Obviously, you don't want a device with older firmware that might have security loopholes built in connecting to your network and exposing the internal network. You also don't want a device without adequate security that could be accessed by anyone other than the authorized user.
- What about compatibility issues around supporting the different platforms that are available (Windows Mobile, iOS, Android)?
- What happens if the employee leaves or loses their personal device, which has privileged or sensitive information on it?
- Can an Agency enforce CJIS compliance with BYOD?
- Who has liability if the device is damaged during the line of duty?
- What if the device is misused while on duty? Does the Agency have liability?
- Can the LE officer use Agency resources for assistance in setting up the device correctly?
- What happens if the device is subpoenaed as evidence?
- How do you document the chain of custody for any evidence collected through the device?
- Many more...