New mobile data security measures

Employees complain it's not user friendly

smartphone pincode
Photo: DUB

The timing was unfortunate. In the middle of the summer break, many UU employees were told they would have to download a Microsoft app to access their UU e-mail on their smartphones. This app is secured by a six-digit code and is submitted to the university's security.

Most employees managed to download the application, but it soon turned out that the new way of working was inconvenient for many.

Multiple calendars
The biggest complaint is that employees can no longer sync their work calendars with other calendars. “That is already terribly difficult for someone with a full agenda but for people who have their own company in addition to their work at the university, or for those who work for another employer, that's practically insurmountable,” complains Daniël Janssen, an Associate Professor at the Department of Communication & Information Sciences. He is now forced to keep an eye on two agendas at the same time — one for UU activities and another one for his remaining activities.

Another frequent complaint is that it is no longer possible to copy text from the UU e-mail to other environments such as WhatsApp. Several employees indicate that it is customary to share the information received by e-mail in a WhatsApp group of colleagues. Not being able to do so anymore is, therefore, considered a big nuisance. It is possible to copy a message from your UU e-mail and paste it on WhatsApp if you're working on a desktop computer or laptop. Employees can also circumvent the barrier by forwarding an e-mail to their private e-mail address. 

Buying a new phone
There were also quite a few employees who couldn't download the Microsoft app because the operating system on their phones was too old. The app requires Android OS9 or higher, while iPhones and iPads must have iOS 13 or higher. Those with outdated operating systems had to purchase a new phone or tablet to access their work e-mail on the go.

Employees from several faculties and departments have received a new mobile phone from UU since then. However, there are faculties that do not reimburse smartphones, such as the Faculty of Science. Gert Folkers was told by his manager that if he wanted to continue reading his work e-mail on his phone, he would have to acquire a new model himself. “I've had my device for a little over two years, yet the operating system was too old for the new app. I'm not going to buy a new phone myself, this one still works. So, no e-mail then. I find it strange that the university demands you to have a modern device but is not willing to pay for it.” Folkers is a member of the University Council and has been given a tablet for the position. “But that's too old as well. We can't read our e-mail on that device either. And no, we can't expect to get a new tablet."

In the Faculty of Science, employees can request a mobile phone through their manager, explains the faculty's director, Klaas Druijf. Together, the manager and employee are supposed to choose the most suitable model according to the employee's needs. They will discuss, for example, whether it is really necessary for the employee to access their work e-mail on the phone. That's why there are employees at that faculty who have gotten a new device, while others haven't.

According to Folkers, the policy is not really clear-cut at that faculty. “The costs are borne by the department and our manager opts for facilitating the laboratory rather than purchasing smartphones for employees.”

Forced to use Microsoft
Another point of criticism is the fact that employees are being forced to use a Microsoft product. “I think it's weird that I am supposed to put a Microsoft environment on my phone. How safe is that?” wonders Gerhard Blab, a teacher at the Faculty of Science, also chair of the Faculty Council. According to him, many of his colleagues are critical of this as well. “People are just going to use their private e-mail. They forward everything. Is that safe?" Personally, he finds it annoying that he's not able to edit his e-mails and added data. “I don't just want to see my data, I also want to work with it.”

Poor smartphone security
Susanne Veenstra acknowledges the complaints. She is the Project Leader of Solis Cloud Endpoint Management (also known as Scem). “We are constantly evaluating what is necessary to secure UU's data and whether that should outweigh user-friendliness,’ she says. Veenstra notes that she used to work at a bank, where the security requirements are significantly stricter.

The university decided to work with this programme following a study that showed that data security tends to be poor on university mobile phones. The investigation was carried out by the Education Inspectorate after a hack at Maastricht University. “The data from e-mail accounts was fairly easy to access and that is a major risk. We know that a relatively large number of phones are lost or are not secured by a code or fingerprint. As a result, everyone can access the e-mail and therefore the data — some of which can be confidential. In that case, a data breach can easily occur, which can damage UU's reputation. You also run the risk that the university can be hacked or that research data becomes public. These are risks worth avoiding.”

It is possible to add your personal agenda to your UU agenda
Veenstra says that data can be edited and copied, as long as that is done within the safe Microsoft environment — for example, by copying something from your e-mail and pasting it onto Word or Teams.

The fact that calendars cannot be synchronised is a disadvantage, she acknowledges: “But, when making appointments, sensitive data can be added in the attachments, as well as data about the staff which is not allowed to be shared, according to privacy legislation. If we do not protect the calendars, employees will be able to share appointments and staff data will be out of the organisation's sight.”

But there is a solution to the problem, she adds. “Other calendars can often be added to the UU Outlook calendar. Then you will have your private agenda and your work agenda in the same place. Only the other way around is not possible.”

New policy in the making
According to Veenstra, it is illegal to forward a message from your UU e-mail to a private address. “There is a risk involved in forwarding data from UU's environment. If it leads to a data leak or the UU system gets hacked, the employee will be held responsible for it. The costs to repair such damage are significant and can add up quickly.”

Deputy Director Carol van der Palen, from the IT department, notes that there is a proposal to make a university-wide policy on smartphones provided by UU. “This policy must clearly define who is eligible to get a mobile phone for work and what kind of phone the university can offer them. That is far more complex than it may seem. How will the university finance this and which models will it make available? These points are still being discussed.”

Who does the e-mail belong to?
Meanwhile, employees still debate whether the current measures are proportional to the risks. Is the data on mobile phones so much more vulnerable than on laptops? The university says laptops are better protected than mobile phones, which is why the measures are more strict for the latter. Associate Professor Daniël Janssen disagrees. He considers the data to be more private than belonging to UU, referring to a 2017 ruling by the European Court of Human Rights which states that employers are not entitled to access employees' work e-mails. Janssen sees a parallel to UU's measures and believes that the university is interfering too much in the employees' personal sphere, disrespecting the boundaries between work and private life.