Use of Non-UC Technology Services: Additional Information

Security-Related Guidance for Using Social Networking Sites and Instant Messaging/Chat/Texting

--> NOTE: This page contains supplemental guidance about the above topics. For general guidance about the use of Non-UC Technology services, see the main page at http://its.ucsc.edu/policies/free.html


Introduction
(from http://its.ucsc.edu/policies/free.html)

"Non-UC technology services" are computer-related services that you can sign up for online, often for free or nearly free. Many of us have non-work Google accounts; store our data in Apple's or Microsoft's cloud or with an online backup service; share photos with Flickr and Picasa; use Dropbox and MobileMe to store, move, and share documents; stay in touch with others via Skype and instant messaging (IM); share our lives and thoughts on Facebook, Snapchat, and Twitter; and the list goes on.

Non-UC services often seem like good options to meet our business (and personal) needs, and under certain circumstances they are appropriate to use. It is important to remember, though, that when you use these services, your data is in someone else's hands.  

The “click-to-accept” agreements that these services use have not been reviewed or approved by UC and may introduce security risks for the information you post or send.

UC and UCSC privacy and security policies apply to all University data, whether it is on UC or non-UC systems. It is therefore your individual responsibility to take privacy and security into consideration when making decisions about when it is and is not appropriate to use free/low cost services.


THE BOTTOM LINE

A UC-approved service agreement is required for non-UC systems that store, receive, process or publish restricted information.

A UC-approved service agreement is recommended for non-UC systems that store confidential information or are used for essential University business processes.


Guidance for Social Networking Sites, Virtual Worlds and Online Gaming such as Facebook, Snapchat, Twitter, Second Life, World of Warcraft, and Apple Game Center

  • You must follow University policies and rules of conduct when you are, or might appear to be, acting in an official University capacity. If your site represents or could appear to represent the University, or if you're using the site for official university business, please see UCSC's Social Media Guidelines for guidance. For questions, contact Teresa Decker, Social Media and Marketing Manager, University Relations.
  • Many sites require users to provide personal information such as date of birth when signing up for an account. Before signing up, review the site's terms and conditions and privacy policies so that you understand how this information will be used. Only sign up if you are comfortable with what you have read.
  • When posting or sharing information or having discussions, ask yourself whether the information should be publicly available. If it shouldn’t, or if you are approaching a line beyond which the information should be protected, stop and move to a more secure forum.
  • Assume that anything you post will be permanently available. Even if you delete the information, don’t assume it’s actually gone. Copies can still exist on other computers, web sites, backups or in search engines.
  • Be aware that Facebook’s Terms of Use grant them the right to use any user content posted to the site for any purpose. Many other sites say this, too. Only post content for which this is acceptable.
  • Some sites and virtual worlds display information about individuals who have signed up as friends or members. You should inform people if this is the case for a University-related space. Always provide an alternative for people who do not wish to share their information.
  • Facebook's "Privacy Basics" page has information about Facebook's privacy options. Facebook users can also find helpful information about Facebook privacy settings at Sophos and InformationWeek. Please note these are not official Facebook web sites.

Guidance for Instant Messaging/Chat/Texting

Instant messaging (IM), chatting and texting can be useful communication tools. It is important to be aware that they are also channels for social engineering -- people trying to trick you into revealing information you shouldn't reveal, or trick you into clicking on malicious links, opening harmful files, or other schemes to put your device or data at risk.

Because IM, chats and texts are vulnerable to many of the same phishing and hacking techniques as email, many of the same precautions are necessary:

  • Never send your password or other personal information via IM. Don't respond to requests for this type of information.
  • Don't click on links unless you know and trust the sender AND are confident it is a safe link. Identities can be impersonated, so ask before clicking if you are at all unsure.
  • Never open pictures or download files unless you are expecting them and you can verify who the information is from. Use the same precautions you would use with email attachments. The file(s) may have a virus, and files sent via IM/chat can bypass anti-virus software. If you are unsure, contact the sender and verify what the file is. And remember: IM identities can be impersonated.
  • If you share a computer, do not set your IM client or browser to automatically log you in. This would allow others to impersonate you. Also be sure to sign out, clear the browser cache, and quit the browser/program when disconnecting.

There are also privacy issues to keep in mind: When you use an IM/chat/text service, the content of your messages passes through, and may be stored on, the service provider's systems. The service provider may store logs of your conversations or other records of your activities when you use their service. Don't send anything that would not be OK for them to store or use. Messages are also typically sent "in the clear", so if someone is eavesdropping, they would be able to see whatever you send and receive.

In addition to the basic guidance above and at http://its.ucsc.edu/policies/free.html, the following help address some of the risk:

  • Do not use IM, chats or texts for anything that requires a record or documentation for business purposes.
  • Use encryption for IM, chats and texts if available.
  • Don't send restricted data, even if it's encrypted.
  • Keep your software and devices up to date.
  • Only use trusted computers/devices to access your account. If you use a device that has been compromised, your password and information can be stolen.
  • Any device used for work must meet all of the applicable UC and UCSC security requirements, including up-to-date antivirus software; patched, current versions of operating system and application software; a local firewall; and unnecessary services disabled, turned off, or removed.
  • Use a different password for IM than for your other accounts, and change your IM password periodically. IM commonly uses little or no encryption for the transmission of login credentials, so passwords are vulnerable to being stolen.
  • Only share your screen name with people you trust, and only communicate with people in your contact or buddy list.

For More Information and Guidance...


Reviewed Aug 2015