InfoSec Blog - The Importance of Risk Assessment When Reading Terms and Conditions
May 3, 2021
Interested in buying some new tech or signing up for a new online service this spring? Read the terms and conditions. Since the start of the pandemic when teaching, learning, and working moved online, Information Security has been asked to review an increasing number of web and mobile applications. Higher education institutions are required to protect their data, and the Information Security team must take a risk-based approach when evaluating applications and services. As an individual, you should do the same.
The level of risk associated with any app or service is directly related to the data it contains or to which it has access. For example, a password manager is high risk, but a news app is probably low risk. A contact app might be medium risk, but it is probably high risk if it has access to your text messages or your location. Many widely used apps, including Facebook and Google, offer security and privacy checkups, including options to control the information and data they collect. Go through your apps, check the terms and conditions (often found under your profile), and ask yourself the following questions:
- Do I want to give this information away?
- What would happen if my social and professional circles had access to it?
- Is the risk of this third-party flashlight application really worth the reward of using it?
- Why does this app require so many permissions to work?
Once you begin to understand the risk, you can make decisions to protect yourself and your personal and professional connections. Should I use the free version or the paid version? Should I use a long password? Should I enable multifactor authentication? Do I need to worry if my data is encrypted? Should I install the app at all? These questions need to be answered based on your risk assessment. If an app isn't worth it, uninstall it.
At the University of Guelph, Information Security needs to consider compliance with all applicable laws and policies. While they can be difficult to navigate, they serve to protect the institution and our users. In your personal life, there are few compliance requirements and few protections, so ultimately you are responsible for the risk that comes with clicking "I accept."
Some companies make it very easy to understand their terms and conditions. Others try to hide their actions behind vague terms. Sometimes, the terms are too complicated to understand. As you navigate technology decisions in your personal life, read the terms and conditions instead of just clicking through them. If an app or service is burying terms in legalese or vague statements, its real product is probably your data. As the old saying goes, "If you're not paying for the product, you are the product." Give yourself the gift of privacy and security by considering the risk before clicking "I accept."
Pay attention to who, what, why, and how when reading privacy policies.
- What information is collected, how is it being collected, and why is it being collected?
- How does the application or service provider protect your information, and how long will it be stored?
- Who will have access to the information, and how will it be shared?
- What choices do you have?
Are you evaluating a new application or service for the University of Guelph? If so, be sure to use our Security and Risk Assessment service.
Written by: Stephen Willem (Chief Information Security Officer) based on content from Educause.