Use of Free Services (Draft)
DRAFT DRAFT DRAFT
Guidance when Considering Free or Low Cost Non-UC Technology Services
- Introduction
- Protecting Information and Privacy
- Other Considerations
- Additional Guidance for Social Networking Sites, Virtual Worlds and Online Gaming, such as Facebook, MySpace, Second Life, World of Warcraft, and Apple Game Center
- Additional Guidance for Instant Messaging
- UCSC Requirements Relating to the Use of Google Analytics for Web Statistics
- For More Information and Guidance
Introduction
Free and low cost technology services often seem like good options to meet our business needs, and under certain circumstances they are appropriate to use. However, these services typically include “click-to-accept” agreements that have not been reviewed or approved by UC and may introduce security risks for your information. UC and UCSC privacy and security policies apply to all University data, whether it is on UC or non-UC systems. It is therefore your individual responsibility to take privacy and security into consideration when making decisions about when it is and is not acceptable to use free/low cost services.
Important: Restricted and confidential information must never be stored, received, processed or published on non-UC systems unless you have worked with Purchasing or Business Contracts to ensure that a UC-approved agreement is in place that addresses information security and privacy requirements and concerns. Similarly, don't rely on external information systems or services for critical University business processes unless a UC-approved agreement is in place.
Do Not Use If...
Do not use a non-UC service without a UC-approved agreement if any of the following apply.
- You will be conducting University business that should not be disclosed to the general public;
- Restricted or confidential information will be involved;
- You need a high level of security;
- Privacy is a concern;
- There are things that wouldn’t be OK for the company to do with your information;
- The company will or may store data outside of the United States, or data will cross US borders to reach the user. For example, some of Google's data centers are not within US borders, potentially placing University data under foreign jurisdiction and possibly subject to inspection by foreign governments;
- You have specific requirements for availability of data and electronic communications that the service can't guarantee;
- It would be a problem if the service suddenly changes or is no longer available, either temporarily or permanently.
If any of the above apply, consider whether the University offers a solution you could use instead, or work with Purchasing/Business Contracts to negotiate an agreement with the service provider before using the service.
Protecting Information and Privacy
When you use free/low cost applications and services, such as Google Apps, document sharing, video conferencing, instant messaging (IM), offsite data storage, web statistics services, and even Facebook, the non-UC company has access to your data, communications, account information, etc. Don’t expect that privacy, security, or business continuity protections will meet UC's standards. Some ground rules and important pointers:
- Don’t use external information systems or services for anything that you’re not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.
- Check out the company’s privacy policy – there should be a link to it somewhere on their website. Know what the vendor is going to do with the information you and others provide. This includes who they may provide information to and who they will allow to access it. What permissions have you granted by accepting their agreement/Terms of Use?
- Don’t use external information systems or services to collect personal information. If you must, ensure that the requirements of the California Information Practices Act (CA Civil Code 1798.14-1798.23) are met. See below for contact information.
- Don’t expect to get your information back if the company has a disruption in service, is acquired, or goes out of business. Keep local copies/backups of any critical data or records just to be safe.
- Don’t expect to be informed if law enforcement or the government requests or subpoenas information from the vendor or service provider. This is true even if a UC-approved agreement is in place. While some organizations will try to direct the requester to you/the University first, there is no guarantee that this will happen, and the vendor may even be forbidden from disclosing the request. This means that your privacy and the privacy of everyone using the product or service is dependent on the outside organization.
If any of these raise concerns, using a non-UC service without a UC-approved agreement in place might not be appropriate.
Other Considerations
- When you sign up to use free/low cost services, you may be agreeing to terms and conditions, terms of service, and acceptable use policies that are different from UCSC’s or UC's. The company can hold you to what you agree to, even if it is just a “click-to-accept”-type agreement.
- It is essential to ensure that University data remains the property of the University. Whenever you put data on a commercial service, ensure that the terms do not conflict with University policy in terms of data ownership. UCSC’s Business Contracts Office can help with this.
- Keep in mind that you may be required to produce records relating to University business, including email, instant messages, files, etc., regardless of whether those records are stored on University or non-University systems or services.
- There is no guarantee that deleted content or accounts will really be deleted. It may take a while before the content or the account is completely flushed from all of the company’s archives. Practices will also vary as to how long accounts may remain idle before the account and associated data are destroyed.
- Accessibility: If use of an application or service will be required, e.g., it is the only way people can access your online content, complete an assignment, or respond to a request for information, you must make sure that it is accessible to users with disabilities. Ask the vendor whether their product is Section 508 compliant, and test it to make sure that it is. More information about web accessibility and testing web sites for accessibility can be found at the Web Accessibility site hosted by UCOP.
Additional Guidance for Social Networking Sites, Virtual Worlds and Online Gaming such as Facebook, MySpace, Second Life, World of Warcraft, and Apple Game Center
- You must follow University policies and rules of conduct when you are, or might appear to be, acting in an official University capacity. If your site represents or could appear to represent the University, or if you're using the site for official university business, consult with the Director of Public Affairs to ensure appropriateness.
- Many sites require users to provide personal information such as date of birth when signing up for an account. Before completing the account creation process, review the site's terms and conditions and privacy policies so that you understand how this information will be used. Only sign up if you are comfortable with what you have read.
- When posting or sharing information or having discussions, ask yourself whether the information should be publicly available. If it shouldn’t, or if you are approaching a line beyond which the information should be protected, stop and move to a more secure forum.
- Assume that anything you post will be permanently available. Even if you delete the information, don’t assume it’s actually gone. Copies can still exist on other computers, web sites, or in search engines.
- Be aware that Facebook’s Terms of Use grant them the right to use any user content posted to the site for any purpose. Other sites may, as well. Only post content for which this is acceptable.
- Some sites and worlds display information about individuals who have signed up as friends or members. You should inform people if this is the case for a University-related space and provide an alternative for people who do not wish to share their information.
- Facebook users can find helpful information about Facebook privacy settings at mashable.com and allfacebook.com. Please note these are not official Facebook web sites.
Additional Guidance for Instant Messaging
Instant messaging (IM) can be a useful communication tool. It also opens a new vector for social engineering: people trying to trick you into revealing information you shouldn't reveal, clicking on malicious links, opening harmful files, or otherwise putting your system or data at risk. IM is vulnerable to many of the same phishing and hacking techniques as email, so the caveats and precautions that apply to email apply to IM as well. In addition, files transferred over IM bypass the virus scanning applied to email attachments at the mail gateway, so they can reach your computer unscanned unless your local anti-virus software catches them.
IM also comes with privacy issues: When you use an IM service, the content of your IMs passes through, and may be stored on, the service provider's systems. The service provider may keep logs of your conversations or other records of your activities when you use their service. Instant messages are also typically sent "in the clear", so anyone eavesdropping on the network between you and the service can read whatever you send.
In addition to the basic guidance in this document, the following help address some of these additional risks:
- Do not use IM for anything that requires a record or documentation for business purposes.
- Use encryption for IM if available.
- Don't send restricted data via IM. Encryption typically protects messages only in transit; the service provider can still read and log them on its servers, so assume others can see your IMs even when you are using encryption.
- Use IM services and software for which support and regular updates are available, and update your IM software when new versions are released.
- Only use trusted computers to access your IM account. If you use a computer that has been compromised, your password and data can be stolen.
- Workstations used for IM should meet UCSC's minimum network connectivity requirements, including up-to-date antivirus software; patched, current versions of operating system and application software; a local firewall; and unnecessary services disabled, turned off, or removed.
- Assume that your IMs may be logged or recorded by the service provider. Don't IM anything that would not be OK for them to have.
- Use a different password for IM than for your other business accounts, and change your IM password periodically. IM commonly uses little or no encryption for the transmission of login credentials, so passwords are vulnerable to being stolen.
- Only share your screen name with people you trust.
- Only communicate with people in your contact or buddy list.
- Phishing scams are common in IM. Never send your password or other personal information via IM. Don't respond to requests for this type of information.
- Don't click on links in IM unless you know and trust the sender AND are confident it is a safe link. IM identities can be impersonated, so ask before clicking if you are at all unsure.
- Never open pictures or download files sent via IM unless you are expecting them and you can verify who the information is from. Use the same precautions you would use with email attachments. The file(s) may have a virus, and files sent via IM often bypass anti-virus software. If you are unsure, contact the sender and verify what the file is. And remember: IM identities can be impersonated.
- If you share a computer, do not set your IM client or browser to automatically log you in. This would allow others to impersonate you. Also be sure to sign out, clear the browser cache, and quit the browser/program when disconnecting.
UCSC Requirements Relating to the Use of Google Analytics for Web Statistics
- All web pages that use Google Analytics (GA) must clearly indicate they are doing so. The statement, “Web statistics by Google Analytics” included on each page using the service is acceptable.
- The notice that GA is being used must link to our campus privacy policy and “must provide notice of our use of a cookie that collects anonymous traffic data” (Google's words). Linking the words “Web statistics by Google Analytics” to the informational web page at http://its.ucsc.edu/terms/google-analytics.html is acceptable.
- GA account administrators must configure GA not to share GA data, so that the usage statistics will only be available for UCSC's local use. (Account admins: for each GA account, check “Do not share my Google Analytics data” on the “Edit Account and Data Sharing Settings” screen.)
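The first two requirements above can be verified mechanically for every page on a site. The following script is an added example, not part of UCSC's guidance: it scans an HTML page, decides whether the page loads Google Analytics (by the ga.js/urchin.js/analytics.js/gtag.js script sources or an inline tracking ID), and checks whether the page carries the "Web statistics by Google Analytics" text linked to the campus GA information page. The GA snippet patterns and the three sample pages are assumptions constructed for the example; the tracking ID in them is a placeholder, not a real account.

```python
"""Check an HTML page for the UCSC Google Analytics (GA) notice requirement.

Added example, not UCSC's own code. A page that loads GA must show the text
"Web statistics by Google Analytics" linked to the campus GA information page.
"""
import re
from html.parser import HTMLParser

NOTICE_TEXT = "Web statistics by Google Analytics"
NOTICE_HREF = "http://its.ucsc.edu/terms/google-analytics.html"

# Script sources and inline identifiers that indicate GA is loaded (assumed patterns).
GA_SCRIPT_RE = re.compile(
    r"google-analytics\.com/(?:ga|urchin|analytics)\.js"
    r"|googletagmanager\.com/gtag/js", re.I)
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b|\bG-[A-Z0-9]{6,12}\b")


class _PageScanner(HTMLParser):
    """Collects script sources/bodies and (href, visible text) for every <a>."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # external src URLs and inline script bodies
        self.links = []         # (href, whitespace-normalized link text)
        self._in_script = False
        self._script_buf = []
        self._a_href = None
        self._a_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            if attrs.get("src"):
                self.scripts.append(attrs["src"])
        elif tag == "a":
            self._a_href = attrs.get("href") or ""
            self._a_buf = []

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._script_buf))
        elif tag == "a" and self._a_href is not None:
            text = " ".join("".join(self._a_buf).split())  # collapse whitespace
            self.links.append((self._a_href, text))
            self._a_href = None

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)
        elif self._a_href is not None:
            self._a_buf.append(data)


def _same_url(a, b):
    """Compare URLs ignoring scheme and trailing slash (http vs https is fine)."""
    def strip(u):
        return re.sub(r"^https?://", "", u.strip(), flags=re.I).rstrip("/").lower()
    return strip(a) == strip(b)


def check_page(html):
    """Return uses_ga / has_notice / compliant for one HTML document."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    blob = "\n".join(scanner.scripts)
    uses_ga = bool(GA_SCRIPT_RE.search(blob) or GA_ID_RE.search(blob))
    has_notice = any(
        text.casefold() == NOTICE_TEXT.casefold() and _same_url(href, NOTICE_HREF)
        for href, text in scanner.links)
    # A page without GA has nothing to disclose; a page with GA needs the notice.
    return {"uses_ga": uses_ga, "has_notice": has_notice,
            "compliant": has_notice or not uses_ga}


# Constructed sample pages; UA-0000000-1 is a placeholder, not a real account.
GA_SNIPPET = """<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-0000000-1']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = 'http://www.google-analytics.com/ga.js';
    document.getElementsByTagName('head')[0].appendChild(ga);
  })();
</script>"""

COMPLIANT_PAGE = f"""<html><head>{GA_SNIPPET}</head><body>
<p>Department news.</p>
<p class="footer"><a href="https://its.ucsc.edu/terms/google-analytics.html">Web
statistics by Google Analytics</a></p></body></html>"""

MISSING_NOTICE_PAGE = f"""<html><head>{GA_SNIPPET}</head><body>
<p>Department news.</p><p class="footer"><a href="/privacy">Privacy</a></p></body></html>"""

NO_GA_PAGE = "<html><body><p>Static page, no tracking.</p></body></html>"

if __name__ == "__main__":
    for name, page in [("compliant", COMPLIANT_PAGE),
                       ("missing-notice", MISSING_NOTICE_PAGE),
                       ("no-ga", NO_GA_PAGE)]:
        print(name, check_page(page))
```

To audit a whole site, feed each saved page to check_page and report every result where compliant is False; the check deliberately accepts an https link to the information page and wrapped link text, but not a different wording or a link elsewhere.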
For More Information and Guidance...
- ...about privacy considerations, contact UCSC’s Privacy Officer: lbeaston@ucsc.edu, 9-2666
- ...about security considerations, contact UCSC’s IT Policy Office: itpolicy@ucsc.edu, 9-2779
- ...about whether the terms and conditions of an agreement are acceptable from a University perspective, contact UCSC Business Contracts
Rev. 8/2/10

