
Three lessons on the protection of smartphones used by state authorities

  • June 9th, 2022

Review of the Smartphone Security column by the Chair's director, Ricard Martínez, published in the June edition of the magazine Tecnología y Sentido Común.

The breach of the security of the Prime Minister's and the Defence Minister's mobile phones with the Pegasus software raises questions about how authorities and civil servants should handle and use devices or terminals owned by the state.

The first issue to pay attention to is BYOD, an acronym that stands for Bring Your Own Device. Data protection experts use this concept to name two cases of digital vulnerability. The first is when institutional terminals are used for private purposes, and the second is when private terminals are used in the public service. It is known that the more an institutional device is used for private purposes, or a personal device for institutional purposes, the higher the risk of a security breach. And that means putting the state's data at risk.

A second issue is the level of training and awareness of users. This points to competences, skills and obligations. In other words, data protection training must be understood as a space for seeking knowledge, empowering the user and committing to security. This is particularly relevant when an authority or official has access to information that is sensitive for their entity.

Finally, the third issue concerns the use of these devices. Today, the telephone function of smartphones is residual. In other words, its main use is not to talk on the phone. "A terminal can be used to access information repositories, electronically sign documents, monitor processes or people", explains Professor Ricard Martínez, director of the Microsoft-Universitat de Valencia Privacy and Digital Transformation Chair, in the Smartphone Security column. It is precisely in these processes that the device is most vulnerable to cyber-attack.

The case law of the European Court of Human Rights, and even that of the Spanish Constitutional Court, prescribes that private devices may not be used in the public service. Although compliance with this instruction is difficult to control through regulation, an effective tool for achieving it is to subject the smartphone to regular audits and controls.

In conclusion, if anything can be learned from the security breaches of smartphones at the highest levels of government, it is that they should prompt public reflection on how to manage their security. "If the highest executive institution is exposed to these risks, any one of us is at risk", concludes Martínez in his column.

REVIEW of the Smartphone Security column by Professor Ricard Martínez Martínez published on pages 39 and 40 of the June issue of the digital magazine Tecnología y Sentido Común.