
Don't connect personal devices to corporate exchange?



Look, I have a degree in Computer Science, I wrote software to send the strings necessary to use POP3, heck I even memorized the RFC number (1939).

And in all this time, never did I once see anything on that protocol that could do anything more than download mail and delete the mail you had in your account.

So I hear about Exchange and figure "oh, just another protocol MS came up with, probably has extensions for calendars and stuff".

Now if I don't know this is going on, how can anybody know?

It would be one thing if the device said "by connecting to this system, you allow it to remotely wipe this device, allow/deny?" but it doesn't.

And that is criminal.


No, it is not criminal, it is an essential component of ensuring security in lost devices. It would be completely useless if it asked if it was ok to wipe the device.

If you are unable to understand that Microsoft added a lot of stuff to the exchange protocol, and this is one of them, perhaps you are in the wrong field. This is not top secret information, it has been around since Windows CE, and is requested by all big businesses.


It's my phone, my property. Nobody gets to access it without my permission, period. If someone sneaks a back door onto my phone, that is criminal.

If experienced developers don't know about this feature, there is no earthly way that the average user can be considered to have consented to access.

My boss can't kick down my door and ransack my house to find secret documents he gave me. If I violate my NDA, he can seek to remedy that in civil court.


It's my phone, my property. Nobody gets to access it without my permission, period.

And by connecting to ActiveSync you are telling your phone to "do ActiveSync things" and that includes letting it push policies such as "require a PIN/Password" and "be erased when needed". That you didn't know it meant that is not really grounds for saying it's criminal or whatever.

Hey, you know one earthly way you could know about this feature? Ask. "Hey IT people, can I connect my home phone to my work email? What should I know?".


"No, it is not criminal, it is an essential component of ensuring security in lost devices."

You say that as if that is some sort of an argument. But there is no actual law or force in the universe that says that necessary steps to do something that you consider "securing your network" will therefore automatically not be "criminal". In fact once you start trying to think of what criminal activities someone might take in the name of "securing their network" it isn't that hard to come up with a very long list.

Something does not become legal merely because you have an excuse!

(Note I'm not saying this is illegal or not. That would take careful analysis of the law and probably a detailed specification of what jurisdiction we're talking about and the precise details of a specific hypothetical since it almost certainly goes both ways, depending. I'm just claiming the argument doesn't make much sense.)


In twenty years I have never seen any message in any publicly documented protocol that means "nuke yourself utterly", much less ever expect to see anyone knowingly implement such a thing. So I was also unaware of this appalling misfeature, as was the author of the article. I believe this has not been widely disclosed outside the sadistic IT control freak set, and that they are not getting informed consent that this is possible before devices are reconfigured to permit it.


I wish I had more than one upmod to grant you for using the phrase informed consent. That's really the heart of this entire discussion.


Exactly. Everyone defending this feature seems to miss that point entirely. If I set up my work email on my iPhone and was offered the following options:

  POP3
  IMAP
  Exchange

What would I choose? With those options, one has more "features" and push email, but also allows my company to wipe my phone without asking me. This is not communicated to me through the UI.

I think it would significantly affect my decision over which to use if that information was presented to me.


Yeah, and girls who walk home alone at night had it coming if they're raped.

Of course, we know it's a bad idea to mix work devices and private devices, and we probably also have little trouble procuring a work smartphone if we need that. But for a non-IT person with his new iPhone, excited that pointing the Exchange app to mail.work.com just works, it's unacceptable.


Bingo.



