December 2020: The Importance of Risk Assessment When Reading Terms and Conditions


Campus privacy and security professionals can adapt these materials to build awareness of the importance of evaluating the terms and conditions and privacy policies when acquiring new software and hardware.

[Image: Smartphone with a document titled "Terms and Conditions" on the screen. Credit: Cristian Dina / Shutterstock.com © 2020]

Campus Security Awareness Campaign 2020

This post is part of a larger campaign designed to support privacy, security, and IT professionals as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Community Group sponsored by the EDUCAUSE Higher Education Information Security Council (HEISC). View the other monthly blog posts with ready-made content on the awareness campaigns resource page.

Are you buying new tech for the holidays? Read the terms and conditions. As the chief information security officer for the University of Wisconsin (UW)-River Falls and UW-Stout, I have been asked to review an increasing number of web and mobile applications (from an information security perspective) since the move to alternative forms of course delivery. Higher education institutions are required to protect their data. As a security officer, I must take a risk-based approach when evaluating applications and services. As an individual, you should do the same.

The level of risk associated with any app or service is directly related to the data it contains or to which it has access. For example, a password manager is high risk, but a news app is probably low risk. A contact app might be medium risk, but it is probably high risk if it has access to your text messages or your location. Many widely used apps, including Facebook and Google, offer security and privacy checkups, including options to control the information and data they collect. Go through your apps, check the terms and conditions (often found under your profile), and ask yourself the following questions: Do I want to give this information away? What would happen if my social and professional circles had access to it? Is the risk of this third-party flashlight application really worth the reward of using it? Why does this Santa app require so many permissions to work?

Once you begin to understand the risk, you can make decisions to protect yourself and your personal and professional connections. Should I use the free version or the paid version? Should I use a long password? Should I enable multifactor authentication? Do I need to worry if my data is encrypted? Should I install the app at all? These questions need to be answered based on your risk assessment. If an app isn't worth it, uninstall it.

In my professional role at UW, I need to consider compliance with all applicable laws and policies. While they can be difficult to navigate, they serve to protect the institution and our users. In my personal life, there are few compliance requirements—and few protections. I am responsible for the risk that comes with clicking "I accept."

Some companies make it very easy to understand their terms and conditions. Others try to hide their actions behind vague terms. Sometimes, the terms are too complicated to understand. As you navigate technology decisions in your personal life, I encourage you to read the terms and conditions instead of clicking through them. If an app or service is burying terms in legalese or vague statements, its real product is probably your data. As the old saying goes, "If you're not paying for the product, you are the product." Give yourself the gift of privacy and security this holiday by considering the risk before clicking "I accept."

Get the Word Out

Newsletter or Website Content

Pay attention to who, what, why, and how when reading privacy policies.

  • What information is collected, how is it being collected, and why is it being collected?
  • How does the application or service provider protect your information, and how long will it be stored?
  • Who will have access to the information, and how will it be shared?
  • What choices do you have?

Social Posts

Note: The following posts are Twitter-ready and meet the social media platform's character-length restriction.

  • Keep personal information personal. Do not share personal information with anyone who does not need to know and never share it via email, social media, or other ways in which your privacy cannot be assured. #PrivacyAware
  • Protect your personal information. Always read the privacy policy and terms! #ProtectYourPrivacy
  • Who's that third-party flashlight app sharing your data with? #privacypirates

Email Signature

Ask staff to add a tip to their email signature block and link to your institution's information security page.

Example:

Jane or John Doe
Chief Information Security Officer
XYZ College or University

Keep personal information personal. Do not share personal information with anyone who does not need to know, and never share it via email, social media, or other ways in which your privacy cannot be assured.

Resources

For more information and resources, you can also reference previous EDUCAUSE Review Security Matters Campus Security Awareness Campaign blog posts about the importance of reading and understanding terms and conditions.

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional security and privacy awareness resources through the Awareness Campaigns page.


Ken Ries is the Chief Information Security Officer, University of Wisconsin-River Falls and University of Wisconsin-Stout.

© 2020 Ken Ries. The text of this work is licensed under a Creative Commons BY 4.0 International License.