My earlier post on whether Apple's iPhone can be used legally in the financial industry produced some useful quick responses via Twitter.
The short answer seems to be that the iPhone probably can't be legally used for communicating with financial industry customers without modification, either of the operating system or of the apps that are used. That is, the app and/or the operating system has to allow corporate management access to the contents of the phone, or at least to the "corporate" apps on the phone.
What's interesting is that Apple seems to have modified its operating system to provide corporate purchasers exactly that. Apple offers something called MDM, or mobile device management. Talking to corporate managers, Apple brags, a bit obscurely, that "because corporate accounts, apps, and content installed via MDM can be managed by iOS, IT has the ability to remove or upgrade them without impacting personal data." (Emphasis added.) I think that means that the company can go into the iPhones of its employees and read the contents of their communications whenever it wants.
MDM isn't exactly the most communicative name for the access Apple has created. The company has been insisting a bit counterintuitively that a Justice Department request that it disable a peripheral security feature on a single phone is "a backdoor." If so, what should we call MDM, which enables access to every account, app, and piece of content installed on an iPhone? A front door?
Actually, I suspect Apple calls it a marketing opportunity.
It turns out Apple is happy to create a back door for its phones if that expands its market.
Who would have guessed?
Three further points:
- Apple does make an effort to segregate the user's own data from the backdoored corporate enclave it creates with MDM. Whether that really works under stress is an open question.
- San Bernardino County probably could have enabled MDM on the iPhones it bought, but didn't. Obviously that was a mistake, though very few enterprises can be expected to anticipate a need for access to the phone after its user commits mass murder.
- MDM doesn't entirely solve the problem of allowing iPhone use at work in financial institutions. If a user simply uses his own phone and his own apps, MDM is no help. It looks as though the employer has to rely on "the honor system" (h/t @Susan_Hennessey) or some other imperfect mechanism ("Bans on cell phone use on trading floor, email scanning for references to other apps," h/t @muchty) to prevent that obvious end-run on the regulation.
UPDATE: I changed "Apple offers" MDM to "Apple enables" MDM, because of ambiguity about how much of the MDM capability is created, rather than enabled, by Apple.