Recorded live at the 2026 EDUCAUSE Cybersecurity and Privacy Professionals Conference, Sophie and Jenay talk with Ben Archer and Michael Tran Duff about frameworks for supporting innovation in higher education while protecting data privacy in the age of AI.
Takeaways from this episode:
- Compliance is "the floor" for privacy strategies, and institutions will benefit from a proactive privacy-by-design approach that prioritizes ethical best practices.
- Artificial intelligence increases both risks around data privacy and security, and the potential value of using data for decision-making, requiring strong data governance programs to protect data while capturing its value.
- Leaders will benefit from continued stakeholder engagement to build trust and educate users about how their data is being used.
View Transcript
Sophie White: Hello everyone and welcome to EDUCAUSE Shop Talk. Thank you all so much for joining us first thing in the morning at the Cybersecurity Privacy Professionals Conference, or this live podcast recording. I'm Sophie White, I'm a content marketing and program manager here at EDUCAUSE, and the host for today's discussion.
Jenay Robert: My name is Jenay Robert. I'm the senior researcher at EDUCAUSE and I'm your co-host.
Sophie White: Great. So we are so excited to have two special guests here with us to discuss privacy in this age of AI. So I will just introduce them and then we'll jump into the discussion. So first of all, we have Michael Tran Duff. Michael has devoted his career to serving academic and research institutions and is the Harvard University Chief Information Security and Data Privacy Officer. Prior to joining Harvard as University Chief Information and Security Data Privacy Officer in 2022, he served as Chief Information Security Officer and Chief Privacy Officer at Stanford University. So hop down across the country to join us on the East Coast. Thank you for being here, Michael.
Michael Tran Duff: Thank you.
Sophie White: Next up we have Ben Archer. Ben is a privacy leader with extensive experience in higher education and compliance and currently serves as the Assistant Director for Technology, Privacy, and Compliance at Arizona State University. Thanks, Ben. Great. So today we're going to talk about privacy and AI. This is intentionally an unstructured discussion. We're going to see where it goes, but looking forward to having you all here with us. So first, I'd love to just kick it off as privacy officers as we see the proliferation of AI. What is top of mind for you right now?
Ben Archer: There are so many things. I think one of the biggest is that for the past couple years, we've been treating AI as a separate thing. We've got a contract with OpenAI or a contract with Microsoft or Google or whoever. And now we're starting to see, okay, all of this AI is being built into all of the tools that we know and love and use every day. And so we're either getting new contracts with AI on them or it's just sort of up here in the menu somewhere, this new AI functionality. So finding a way to address the privacy concerns of we're using this tool, we're using it in a certain way with search data, and now we have this new functionality that we're not quite sure how it's going to be made use of institutional data, student data, those sorts of things. So that's one thing that I think has been that I've wrestling with the last couple months.
Michael Tran Duff: Yeah. I've been reflecting on it, on the state of privacy today and just thinking about how privacy has evolved over the last, say, 75 years where, and AI is just the next part where the revelation I had is that the loss of privacy is a common result of new digital technology. Think about what's happened to mobile devices, internet, credit cards, cameras. There's probably at least 50 cameras of this room alone. So if we were trying to think about how much privacy we have today for how little compared to say folks living in the 1950s and AI is just the next step and it maybe is narrowing that sliver even further. So we talked about that.
Sophie White: Yeah. No, that's a great point. And I'm curious, both of you have been around the privacy space for a while at all. So we mentioned the change of privacy itself, but as privacy officers, how has your role changed maybe from the time that you started in this field until the time that you find ourselves at now?
Ben Archer: I think it used to be that when I first started the world of cyber privacy, FERPA was mostly what we carry out. And if you had to be a FERPA expert and know a little bit about technology, and that was pretty much good enough. And now we have just all of these different regulations. We have state regulations, we have foreign regulations that apply extra territoriality, and all of these other things that just really make the world of privacy so much more complicated. We have a patchwork of state privacy laws, we don't yet have a federal privacy laws. So we have all these sector specific laws. So I think just the complexity of the world of privacy, especially as a place privacy regulations, but also trying to convince folks that it's not just about compliance. It's not just about doing what the law says because all of these regulations, I don't know if you find this, Michael, most of them are built on the safe side of best practices.
If we just do the right thing, we're sort of automatically compliant. There's so many of these regulations. So it's so much easier to just say, let's do all of the phase that all of these privacy laws are ultimately based on.
Michael Tran Duff: Well, and I want to pick up on that because I agree. You just said something I believe strongly in that IOC is more than compliance. And at Harvard, we like to say that compliance is the blower, just the minimal you could do. I like to think of privacy as in terms of more like an ethical terms. What is the right thing to do, which often exceeds what's required by regulation. Just quick example, you gave a great example of FERPA. Well, as many of us know, FERPA does not have a notification requirement. You have to put a note in the file. That's the regulation. So when there's a compromise affecting FERPA data, do we just put that note in the file or do we actually notify the student? Well, I think most of us do the right thing or the right thing, and we notify the student that there's been a problem.
That's a great example of going above the bare minimum to notify clients.
Sophie White: Yeah. And this is actually making me think going to the general session, which you were all just at. Allison, who just completed our session, had a great point. I thought about is cyber security as a field going in this direction where we're focused upon compliance rather than the foundational cybersecurity elements? Not the same as privacy, but do you think privacy is going in that direction where you're being maybe tasked to make sure that you're cutting all these compliance requirements, but not go beyond the floor? Or what does that look feel like?
Ben Archer: I think it is similar in that the organizational push for privacy often comes out of these requirements. We've got this new law and you got to figure out how to record weight that we had in this new regulation and how do we make sure that we're checking all boxes. So a lot of the organizational push comes from that compliance factor, but it's our job as privacy professionals to sort of tell the story of why that's not enough and why it's so much simpler for the organization. If we do the right thing, if we follow those best practices across the board, then we don't have to scream every time there's a new law or new regulation because we're already doing the thing that that regulation is trying to force us to do.
Michael Tran Duff: Well, I love that. At Harvard, we flipped. Obviously you have to abide by the regulations and we all struggle with the patchwork of state regulations that the increasing, ever increasing number of international regulations. But Harvard, we established years ago a set of privacy principles, and we did that in order to prepare ourselves or the capital regulations. Now we did base it on some of the same, let's say, underlying ideas that behind the regulations, but it's just a whole different approach. We said, "Look, here's some principles that are important across all of our work." And we've been building that into the culture of Harvard, building privacy by design has been very effective. And when I pitch these, I said, "Look, today they're principles. Soon there will be policies and not long after that, they will be law." But we took a very proactive approach and I think that's worked very well.
Ben Archer: And I think that's a great approach because there are so many situations we find ourselves in where where policy is silent, where there isn't a policy about this thing. AI is a great example where, okay, there is already a policy for this thing when we all started dealing with ChatGPT showing up on campus. So we look to things like our principles to say, "Here's how we ought to respond to this new technology, this new environment, this new thing." And we already have sort of a programmed approach to how we're going to address this novel technology or process or whatever it might be rather than scrambling and saying, you got to put a policy in place. I think it's fantastic that you have principles that sort of address all of the gaps when there isn't a policy when there isn't a regulation.
Jenay Robert: As we're talking about the changing role of the privacy officers over time, I started thinking about the impact of more news stories about data privacy over time. And since we're here to talk about AI, what has brought privacy into the news more prominently than AI? At least as a lay person, who is not a privacy expert. That's the thing that's made me most aware. How has that impacted the work you're doing today? Are there some big splashy current ... We're going to publish this in a week or two, I think. And so what's the current buzz in the news that's impacting you in your role?
Michael Tran Duff: I can mention a couple of things, got to get us started. I mean, I think one of the big news items that we've probably all heard about is Anthropic's Mythos, and it's a building to find vulnerabilities. Well, that is going to supercharge the adversary's capability to have breaches. And of course, there's usually a financial motivation behind those breaches. They breach information, personal information, so then they can either blackmail you or they can sell it to someone else. We're going to see that happening more and more. So that's a big privacy concern. And so we have to really focus on privacy and security are two sides in the same coin. So we're going to really have to focus in on the security side to prevent this surge of breaches that otherwise will be coming our way.
Sophie White: And how do you address that? So I know I think the New York Times just put out the first Mythos article maybe a week ago. So it's kind of in this paradigm now that we're talking about on the global level. What do you say when a leader at your institution comes to you and says, "I just read this article about Mythos, should you be worried?"
Michael Tran Duff: The answer is absolutely sure, worried enough. In fact, one of the sessions that the Harvard team did at this conference is called was that we named it Surviving The Zero Day Apocalypse and we laid out our bug pocalypse survivor strategy, and that includes trying to isolate systems off the internet so you have a little more time to patch and make sure patching is efficient as possible, make sure you can respond quickly incidents. That's the short version.
Ben Archer: And I think this also dovetailed really nicely with what we were just talking about because so many of the privacy principles like the minimization, like limitation, things like that, lend themselves to reducing the last radius of a breach. So if we accept the proposition that there are going to be more breaches because technology is going to surface the vulnerabilities that keywords haven't found, then the best approach to that is to limit the amount of data you're collecting, the amount of it you're keeping, where you're keeping and how you're sharing if all of these things that us privacy pros have been talking about for decades. And so if we start implementing some of these things, we can actually reduce the impact of these breaches and not just to save our institutions money, but also help build more trust with our customers because we're the ones doing the right thing when these breaches are going to start happen.
Michael Tran Duff: Yeah, I love that because you asked earlier, how is AI changing our roles as privacy officers? And I would say one of the primary changes that I'm making is to focus on data risk and minimization.
Ben Archer: Absolutely.
Michael Tran Duff: In the wake of AI, I think that's the best thing we can do.
Sophie White: I have another tricky question. We also hire I grew so much about data driven or data informed decision making. So gathering data in order to support enrollment, student success, advancement, all of these goals. How do you balance that need for making more data to be collected in order for data by data protect it more in the outside studies because of these concerns about breaches cybersecurity center?
Ben Archer: I think that's a great question. It's one of my favorite topics because ASU is number one in innovation for I think 11 years in a row now. So it's something that we really pride ourselves on. And so my job is not to say, "No, you can't do that. " It's here's how we can do that in a better way. So one of the things that I love to share is by implementing best practices by doing the right thing by our data subjects and having the ability and really fostering that trust with that. Folks are more willing to provide their data and give consent to data in ways that the laws don't say, "Oh, well, you are automatically able to do this. " If folks consent because they trust your institution to do the right thing with their data, they're going to let you do things that are normally just you have to get additional permission, et cetera.
And so one of the ways that privacy supports innovation is by building that trust with our data subject, by demonstrating that we are doing the right thing with their data, we're doing things that support them, benefit them. One of the great examples that I love to get is for our data tracking. People always say, "Oh, well, I don't want targeted ads to track." And one of the ways that Arizona State uses targeted advertising is if you're an ASU student, we're not going to advertise to you because A, it's a waste of money and B, it sort of saves all of that hassle. And so one of the ways that we use advertising tracking is to not market to you. And that's a way that benefits our students and they make people think huh, maybe I should update for this targeted advertising because it's actually being used in the way the benefits me.
So I think there are a lot of ways that we could use privacy to improve our ability to use data and make data decisions.
Michael Tran Duff: Well, see, this is really important because AI is encouraging the flow of data because that's what makes it useful. So I'm going to go back to where I started. I think it's important for us to help people understand the trade-off. AI is an amazing tool. It's incredible. It's probably one of the most amazing things humans have ever created, but there's privacy trade-off. It needs data to be useful to us. Well, then guess what? Your data is now accessible to other companies, even more companies than today. So imagine trying to live without a mobile device, a credit card, trying to avoid cameras everywhere. You would be living in a cabin in the woods. This is not practical. So I don't want people to have the false understanding that they can necessarily not subscribe to some of these data flows. It's going to happen even if you don't want it to, but I think it's important for people to understand those trade-offs, just so they understand what the state of their price gets.
Jenay Robert: And I can say for the EDUCAUSE research team, we pretty consistently see that our stakeholders over the last few years are saying, "I understand all the appeasing ways that AI could help with innovation in higher ed, and I see all of the corporate risks associated and any privacy and security is the top of that list every single time." I wonder if that general sense among our community is almost making it easier and for you to have these conversations about privacy with your stakeholders? Are they more willing with participants in protecting data privacy now that it's so much more in the ether?
Michael Tran Duff: I say there's two parts of that question. There's a segment of our population that has just kind of resigned to the fact that they have very little privacy and they excel. Yeah, those are people that say, "Well, why would I mind if I'm on the camera because I'm not going to commit any crimes?" Okay, that's one view of it. But then there are others, to your point, that this is really raised privacy and as a concern for that, and they're really tuned into all the ways that our privacy is talked to.
Ben Archer: Yeah. I think one of the things that a lot of folks just assume, well, because of social media, everyone assumes they have no privacy. They have no problem sharing all their data and sort of really miss the data privacy side of things where folks are increasingly interested in and caring about privacy, making purchasing decisions based on privacy of different institutions and organizations, especially with younger generations. And so what we're seeing is younger generations have a stronger opinion about privacy to the point that they're actually making their purchasing decisions based on which company's going to respect their privacy better. And so I often hear, well, nobody cares about privacy anymore. Everyone's just posting everything online. And I sort of countered that with the reality that the research shows that that's actually not the case. People are more interested in data. And so we had this massive opportunity of demonstrating to our data subjects that we're doing everything that we are trustworthy, that we are doing the things that they would expect in the institution so that they can trust us with their data.
Michael Tran Duff: I forgot the interesting example that sort of ties into this. The set of files, right? So we think about the academic environment. Well, remember when AI meeting assistants came on the scene, you've heard of Firefly, that you may have been in the Zoom meeting and it says someone's note taker is there. Well, at least at Harvard, there was a strong reaction to that because particularly let's say at the law school, they're having these very interesting debates where you might be asked to take a position that you don't agree with and you have to argue in the classroom. So the concern was if you have one of these note takers in one of those classes, it could have a chilling effect on the discussion to the detriment of the education. So we came up with a policy on AI assistants in meetings, which has that very according exclusion for disability accommodations, right?
That's pretty obvious. But otherwise, we've essentially eliminated those note takers from meetings, especially in a classroom sense.
Ben Archer: It's a great thought.
Jenay Robert: I absolutely have already had the case where someone doesn't show up for a meeting, but they're notetaker does. That was a moment for me. Especially had a little tangent, walked away from my laptop for a bit, came back.
Michael Tran Duff: What a great example of a very useful tool, but it has a privacy trick.
Sophie White: Yeah. We talked about this during a recent Shop Talk episode related to the EDUCAUSE Students of Technology study because we were talking about students requesting recordings of lectures as a way to support their learning, they review the lecture afterward, but especially in this time when we're talking about academic freedom and faculty maybe are feeling monitored to think about are we confident the faculty are comfortable with this? Are we in a conversation about them about the trade-offs of supporting student learning while also their integrity in the work that they do? So it's not easy to teach.
Ben Archer: No, and I think that's an excellent point, especially if we're talking about bucketing videos and things like that because one of the challenges with a lot of commercial AI is this, I call it the pass the buck model of licensing. So the vendor says, "Well, you as a user, by giving us data, you're saying that you have the rights to it and your granting us the rights to it so that if I, as a student, drop my faculty member's video or lecture notes or PowerPoint into it, I am saying to this AI company, I own this stuff and now you can have it. " And so if there is an issue, it gets blamed on the user. And so it sort of takes the corporate responsibility out of it because we absolutely know AI is being used to process data that is not owned by the person who is inputting it.
And so that challenge is really made. One of the things that I'm trying to indicate to users is one of the challenges with a lot of these commercial applications and why we had institutional versions that have the right protections is to prevent that type of thing.
Michael Tran Duff: Well, okay, let me hear you there because we focus heavily on the tones of the bridge. So we have an AI inbox and we have all the tools in there under enterprise agreements that have AI riders. But we all heard about this story where the New York Times do OpenAI and OpenAI, at least as far as I've seen, they got their best in price, great price turns, but they were compelled to produce all these logical fronts. So suddenly this privacy pot that all their millions of users thought they had goes out the window. So I just mentioned that as an example where even in the best intentions, it can get flipped.
Ben Archer: That's a great point. I think the privacy around AI, especially as it comes to now, because our prompts and the thing we get back are so important because when you're working with a human being and email and things like that, chat, you have this understanding, okay, there's someone else who's privy to this conversation and they might share. And so you're automatically sort of more aware of the fact that this information can be shared. And the way that a lot of users approach AI is it's, this is just me and a computer talking. Nobody's ever been see this. And so they don't have that, you mentioned the chilling effect, a lot of people don't have the self-censorship that they would have while working with another human being when they're working within AI. And so the privacy concerns of sharing those inputs and those outputs are so much larger because it reflects a much more personal communication that folks have that they're not anticipating is getting shared or viewed by you.
Sophie White: I wanted to ask you, Michael, you mentioned the Harvard sandbox, and I think that's a great example of maybe a situation where we've materialized globally about the Harvard Sandbox project. And could you tell us what you learned from that? And you mentioned you're prepping for this all building up trust among students as a really important takeaway.
Michael Tran Duff: Yes. Well, first, I'd say that overall the sandbox has been extraordinarily successful. It has enabled our researchers, our staff, faculty to use AI in about as safe a way as you could hope. And we're trying to provide you the carrot in that this is a free tool. We have this wide range of models, all the latest models you can use and all for free for you, as opposed to having to use your own personal paid account. Okay. So that goes a long way to preventing people from sending sensitive data via their own personal LLM. However, the adoption among students has been relatively low. Why? Well, we asked and they said, "Well, we're afraid Harvard's going to be watching their prompts." Even though we have explicit language on, first of all, we're not going to do that. We have a privacy policy at Harvard that explicitly addresses that kind of thing.
You need to have approvals and avoid certain circumstances, but yes, it's true, we could. Now there's also an option of you could just delete your history. Well, then the question is, does it really get deleted or not? So there's that trust deficit, and I don't have a great solution for. We've tried to emphasize that we are very serious about privacy and in terms of using this tool because we want students to use it. But I think that's looking for any advice that anyone may have. I think that's the state of today where there's a kind of inherent mistrust of organizations when it comes to your personal information. And by the way, I can't say it's unfounded. We've seen it happen. So I can't debate. It's hard to debate that. It's like, yeah, you're right to be worried. We are giving you all the assurances that we could get.
Ben Archer: I think that's a great concern. We have, at Arizona State, we have a create AI tool that has a similar approach of we have tools that are available for students to use and we wrestle with the same thing. And so one of the processes that we put in place is having an automatic sort of threat detection model that we set a threshold for so that if there's things like self harm data that's in the news right now with opening IDs too, we have tools that will automatically identify and flag that type of communication so that then it gets escalated, but there's no human reviewing that content until it passes the threshold. And so that's a way that we've committed to our users. We're not going to be just going in there snooping to see, are you asking the ChatGPT for answers to the quiz? But if it gets to a certain threshold of these particular types of harm, then it's going to be escalated to our public safety office to address it in the way that they would address any other type of threat.
And so that's a way that we've committed to our users, how we could protect their privacy, but still provide for safety.
Jenay Robert: I was also wondering if this problem is in terms of end user education, maybe it's less about use or not use tool, but it is some is it's about helping them understand what lives in between. So use the tool, in any case of the sandbox, if you're worried about us looking at your prompts, which hey, you're not, but you can still use it and not say things you don't want us to, use it to make lists of things to study, but they'll pop to it about your problems with your girlfriend.
Michael Tran Duff: That's a great point. And I suspect that's how it's being used, especially by the students. Yeah. Although you can Imagine a student where I'm just used to using this I'm attached to this tool. And that's why for many of the students, they're not doing research necessarily. We would hope the ones who are doing research and using it for that purpose are using the sandbox. We're very adamant about that, but we don't have a good way to force it.
Sophie White: I mean, and it seems like a challenge occurs of sandbox adoption that thinking about the mission of higher ed to help students think critically, seemingly they're thinking critically about how to use these tools and their privacy, which you could say is a good thing too.
Ben Archer: And so much of that goes to education, right. We want our students to understand these are the trade offs. And in a lot of cases, as a student, I would much rather Arizona State or Harvard has access to my data than some for- profit company got any access to the data. So a lot of it is about education and developing a trust. You can trust our institutions to do the right thing with your data, whereas a commercial entity, you can trust that to maximize profits. And so if invest the trade-off, it simplifies that decision for our Users.
Michael Tran Duff: Another fairly recent development that kind of ties into this are that have you ever seen those Meta AI glasses? Yeah. Again, incredibly useful, incredibly useful, especially for accessibility. However, there's a tradeoff. Now, this one's interesting because yes, it's your privacy, but it's also others of privacy. So imagine a near future where everyone's wearing AI enabled glasses, it's basically, wasn't there a ... Was it called a dark fear?
Sophie White: Black Mirror.
Michael Tran Duff: Black Mirror. Wasn't there an episode like that where every scene recorded? Yeah. But that's
Sophie White: We had to tell the story about us getting filmed the other day.
Jenay Robert: Oh yeah. Oh my gosh. It's so funny that we're at a privacy and security conference. We were having dinner in Downtown Disney. And so a friend texted me. She's a huge Disney adult. I can't believe she was watching a livestream at the time we were there on the livestream right now. And she sends me the link and we start watching the live stream and we're trying to find the person who was streaming. We couldn't find them. It was a phenomenal Black Mirror experience that we had. And of all places at a conference.
Sophie White: And then we were telling this and someone said to us, well, when you go to see there are signs everywhere saying you'll be filmed. But I was like, I thought that was for safety. And we need to make sure we're safe in the space not so we could be on a YouTube livestream in the gift shops with the Star Wars store. So it's a weird time that we find ourselves in.
Michael Tran Duff: It is weird timing. And you just mentioned something that also has become another reason. We've all been through that debate about safety versus privacy in terms of surveillance cameras. Well, with the round incident, guess what? Everyone is rushing to install as many cameras as they can. And then when something like that happens, it kind of tilts the scales in one direction or the other. Right now they're definitely tilting towards safety. There'll be a lot more cameras around to the detriment of the privacy. So I think I don't know what to say about that except that to make people aware.
Ben Archer: Yeah. And I think it's always been interesting to me because the idea is you don't have a right to privacy if you're in public space and so you could be filming, et cetera. But that concept is a much older concept than constant surveillance cameras and live streams online that are open to anyone and all of the things that are sort of being built upon this branch that if you're in public, you have no right to privacy. Well, it's okay if you take the picture and somebody happens to be walking with you in the background, but it's a much different thing when everyone is being identified and tracked and that data is being compiled and solely a lot of ways to companies who don't necessarily have our best interest at heart. And so I think that approach is another reason why education is so important in educating our students.
And I think the best way for our institutions to do to educate our students is by demonstrating how their data ought to be handled and what protections should be in place so that they start developing our students develop this expectation of their rights should be respected. And then when they go out into the world and start experiencing companies not respecting their rights, they push back in the way that they wouldn't if they didn't have that education.
Well, I love the way you put that, Ben. And I think it's pretty standard in corporate settings to say you have no expectation of privacy at work. I pushed back on that vehemently at both Stanford and corporate. I removed that language from the calls. I said, "You absolutely do have an expectation of privacy, except for these very narrow circumstances." So I still find that battle to an extent, but I feel very strongly about it because I don't think you have no expectation of privacy is a good start. I think that's a nonstarter. I think we do have expectations of privacy in many areas of our lives, including at work. If you're emailing a colleague, you should expect that's private unless someone is threatening someone else or there's some sort of legal investigation. Otherwise, yeah, you should feel that that's private.
Sophie White: So we only have a few minutes left. And one thing I'm interested in just thinking about the expectation of privacy is some of these technologies are agenetic AI that are coming out. So a few times at this conference. How are you thinking about that in terms of maybe training students, faculty, staff to maybe use the power of these tools, but also consider it a privacy implication? So what should we all be doing?
Ben Archer: Do you want to start?
Michael Tran Duff: I know this is an audio recording and there's something, but if you could see my eyes, they got away. Yeah. That's because, I mean, open call, I'm sorry, I'm just going to have to come back to incredibly useful tool, incredibly useful, but generally people give it full access to everything on your computer. So that's your email, your files, your calendar, everything. And therein lines its usefulness. They can help you with all that. But now you've surrendered that data to another company, and that is a trade-off you have to understand. Now, in many cases, you could argue, "Well, it's just that person's own privacy." Well, but that's not really true because these may be work machines and you may have work-related information. You maybe work in HR and you have a lot of HR information on your machine and now you've exposed that information. So I don't have a great answer to this question.
This is a very recent development and I'm very worried about it because there aren't many great controls on it.
Ben Archer: Right. And I think that's what it comes down to is the controls and we're not quite there yet. And I look at it as both from the cybersecurity and the privacy side, very much that I wouldn't just turn my credentials over to an untrained intern and say, "Go do my work for me. " And that's effectively what you're doing with these agentic policies, you're turning up your credentials, you're letting them act on their behalf, which in many cases we generally have policies against that sort of thing. But also to Mike's point, you're exposing all of this data that you have access to that isn't yours. And so a lot of folks have this, I have whatever's in my inbox is my data. Well, you got data about people that you were just mentioning. There can be conversations about sensitive topics that are intended to be confidential and only read by the recipient that now all of a sudden are being exposed and might be used in ways you don't anticipate because of programming flaw and misunderstanding whatever an IP is.
So I think A, the key is to have several credentials so that you're not giving someone access because we wouldn't do that for any other human and for the other B is having the right controls in place to prevent certain types of uses just the way we would.
This episode features:
Ben Archer
Associate Director, Technology Privacy and Compliance
Arizona State University
Michael Tran Duff
Chief Information Security and Data Privacy Officer
Harvard University
Jenay Robert
Senior Researcher
EDUCAUSE
Sophie White
Content Marketing and Program Manager
EDUCAUSE

