BBC bans use of non-MS PDAs

Palms and Psions deemed leaky subversives...

The BBC IT department has evidently taken the Microsoft shilling, in some style. Our sources informed us a while back that the company is spending a total of £61 million on Windows upgrades for approximately 24,000 desktops, and now an internal memo leaked to NTK reveals that it has banned staff from using any non-Microsoft PDA with company machines.

So BBC staffers using Palms and Psions (Psion, incidentally, is based not a molotov cocktail's throw from Beeb HQ) can deem themselves security threats, and have until summer of next year to switch or stop using them with the company kit.

The BBC is actually standardising on PocketPC 2002, claiming that all other PDA platforms are insecure. Microsoft does indeed publicise the security features of PocketPC 2002, and there is, sort of, a real security issue for IT departments when it comes to PDAs. But it's actually a lot more about BOFH control-freakery than it is really about security.

Historically, PDAs have overwhelmingly been owned by individual staff, rather than issued by the employer, and as connectivity has got better the staff have more and more started to sync their PDA files with those on their desktop machines. And they're also starting to copy sensitive company files to them so they can work at home and on the move, so the corporate crown jewels are walking out the door in people's pockets, and the devices aren't even adequately passworded.

Or at least that's what MIS, its paranoia fuelled by 'anytime, anywhere' propaganda, thinks. The reality of course is that maybe 1 per cent of relentlessly anal-retentive corporate PDA users regularly sync substantial quantities of data between their PDA and their company desktop. Mostly, people keep a few phone numbers, diary, some notes, maybe pick up some email remotely (clue here about how sensitive data gets out of building without legs or pockets being involved at all), and if they've got company documents they want to work on, they print them out, shove them on a disk, email to themselves and work on a portable and/or home PC.

What is it anyway, you may ask, that people have access to on the corporate network that is both sensitive and likely to be receptive to fitting onto and working on via a PDA? There really is not a lot that staff would innocently transfer then accidentally leak or lose, and if they deliberately want to steal and leak company data, they'll get it out of the building without the assistance of a blacklisted PDA anyway.

As we've said before, the headaches IT departments are having with PDAs are almost entirely self-inflicted. The propaganda says you can use your PDA to log onto the corporate network and work on your (or actually, not your) files, anytime, anywhere (VPN support is a big Microsoft checkmark for PocketPC 2002), so if the IT department buys into that, it then has to consider where its data is going. And it has to consider how it can control data on PDAs that it doesn't own, and doesn't necessarily support.

So it has to outlaw them. Then it has to issue company PDAs to the people who 'need' them. It has to support them, of course, so before you can say total cost of ownership it's shelling out several thousand bucks per PDA, per annum, while simultaneously panicking about the amount of data that might be escaping.

If it had just left people to buy their own PDAs, if it had not gone for the full-on VPN trip, it wouldn't have cost it anything. And if it had done some sensible things concerning data security such as implementing sensible access restrictions, or maybe (revolutionary!) using thin clients to ensure that data remotely accessed remained on the corporate servers, then life might well be simpler and a whole lot cheaper. But there's kit out there we don't control, and we can't have that, can we?

A couple of readers have asked us to encourage you all to email the BBC complaining about the ban. We are of course happy to oblige, and you can do that here. ®