By Matt Hamblen
May 19, 2008
Cameras are available on just about every kind of wireless handheld
device, from inexpensive cell phones to high-end smart phones, putting
pressure on IT managers to reconsider corporate security policies
In 2004, when cameras first became widely available for devices, many
companies that purchase devices for their employees dug in their heels
and asked their wireless carriers to provide models with no cameras.
Four years later, however, that hard-line approach appears to be
softening, at least in the private sector. "Some companies are still
avoiding [devices with cameras], but that's a minority," said Gartner
Inc. analyst Ken Dulaney in a recent interview. Dulaney works with many
Fortune 500 companies on their mobile device purchases and policies.
"Many companies have now relaxed their rules, as most are resigned to
the notion that virtually all phones include cameras built-in," added
Jack Gold, an analyst at J.Gold Associates LLC.
At one large U.S. corporation that provides BlackBerry wireless devices
to 30,000 users, the camera ban was recently lifted for new device
purchases. "Even the low-end phones are coming out with Bluetooth and
cameras, so we've ended up adding cameras to the mix of devices
allowed," said a senior IT manager at the company who asked not to be
named because of corporate policies. However, the IT manager said that
when the IT shop can disable the camera via management tools over the
network, it will do so.
There are network management tools that curtail camera use. Research In
Motion Ltd., maker of the BlackBerry, makes models that enable the IT
staff to turn off the camera through the BlackBerry Enterprise Server,
so an employee can't surreptitiously photograph proprietary information
or inappropriate material. Similar photo-blocking is available with
Windows Mobile Exchange synchronization functions, the manager noted.
But the manager said there's no similar way to control photos that are
taken on some devices and sent over Bluetooth wireless. Because of such
loopholes, there are questions about how any organization can control
camera usage. "We want to minimize the potential risk, but there's
minimal risk anyway, we've decided," the IT manager added.
Some models of the latest cell phones and smart phones are available
without a camera, to satisfy strict business buyers. Verizon Wireless
spokeswoman Brenda Raney said some models are sold that don't have a
camera, including the BlackBerry 8830 smart phone, out of an inventory
of about 30 models from various manufacturers.
"Some companies don't see the camera as an issue, but some still prefer
employees not have them in phones," Raney said. Some industries, and
many government agencies, have tougher standards than others, she noted.
Gold, who advises corporations on wireless use, said he used to tell
clients to buy phones without cameras to avoid security issues.
"However, the truth is, most phones today have cameras built in, and if
you search for a good-feature phone, you will likely not be able to find
one without the camera," he said. Instead, he urges companies to educate
their users about the security risks of cell phone cameras and to
consider turning off the cameras over the network.
The anti-camera policies were designed to prevent employees from taking
photos of information on computer screens or a company's new internal
technology and then using the photos to compromise the company.
But a camera lens can be the size of a pinhole and easily hidden, so it
can be extremely difficult for a security guard to detect a camera
carried by a visitor, analysts noted. Even proving that a device has its
camera turned off would be difficult, since the guard would need to
carefully read the device's interface to determine whether a camera was
turned off. Security guards sometimes confiscate phones suspected of
having cameras, or even resort to putting tape over the lens.
Dulaney said he first wrote about cameras as a security threat in early
2004, after seeing a flood of camera phones at the Consumer Electronics
Show. He said then that camera bans were "an overreaction" by business
users, since there are many ways consumer devices, such as USB flash
drives, can be used to grab information.
Blanket bans on cameras are "a stupid position," Dulaney said recently.
"If you are a spy, you won't have a camera that people can see." Four
years after writing his initial report, Dulaney said having a camera on
a handheld device can actually be valuable for an employee in some
situations, such as photographing a crime in an employee parking lot or
Many companies deploy cell phones with cameras that are used for
business purposes. Repairmen use them to take photos of defective parts,
while real estate agents use them to grab a quick photo of the interior
of a home for sale, analysts noted.
Dulaney urged companies to set up secure zones where restrictions on
cameras are tightest because of the greatest risks involved. That might
mean, for example, that a company would show off its latest product only
in a secure zone and would search visitors and confiscate cameras at
that location, he said.
"Usage guidelines are far more effective than outright bans," Dulaney
At the Los Angeles Community College District, camera phones are not
banned, although there are plenty of locations where security is
important, such as the school's finance offices, where student payment
records are displayed on computer monitors and laptops, said CIO Jorge
To limit the risk of someone outside the school passing by a terminal
and seeing and photographing private information, the college district
has installed "hundreds" of privacy filters on laptop and PC screens,
which prevent anyone but the user from seeing the information, Mata
said. The filters range in price from $45 to $200 apiece, he said. "We
don't want to risk privacy," he said.
As for the more general issue of cameras used to take photos of secure
information, Mata said common sense by users and general guidelines make
the most sense instead of a strict ban on phones with embedded cameras.
"Some things do not come down to a technology solution," he said.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com