If you’re reading this, you’ve probably signed up for a few online services in the past. But when was the last time you actually read a terms of service agreement? Do you change the default security permissions when installing a new app? Have you ever reviewed a privacy policy? 


Consider this scenario – and the risks 

In joining new platforms and utilizing new services, we often give up more data than we realize, and may even be putting ourselves at risk. In an article for Data Privacy Week, security evangelist Tony Anscombe provided a hypothetical example of the consequences:

“An engineer turns up at your home to install devices that monitor your internet activity, what TV programs, movies, radio and music you consume, keep track of the temperature you like in your home, when you turn off the lights, log who you are calling and connecting with, track what products you purchase and how frequently, monitor where you travel in the car, and even opens your mail, and scans the content before you have the opportunity to read it yourself. Your partner is freaking out at the surveillance being installed in your home and questions if this invasion for access to a free service is worth it.” 

While it may seem like an extreme example, the disconnect between our physical and digital spaces can make it even more difficult to understand the scope of permissions we grant to service providers. Further, even if a privacy policy explicitly states what data is being collected, policies rarely explain what that data will be used for, outside of “marketing purposes.” But this can mean a lot more than targeted ads: 

Imagine if a privacy policy stated the actual use of the personal data collected – data collected will be used to identify if you are in a segment of society whose political view can be manipulated, resulting in you changing your voting position, or your online actions give indicators that you may be easily manipulated into taking further risk when investing, which could result in financial loss (or gain). 

At MSU Denver, we have a shared responsibility to protect data per FERPA, HIPAA, PCI and University policy.  

If you are considering using a new tool or service as part of your work (especially if it’s free), consider the following before agreeing to policies:

  • Will you be sharing content you developed yourself through this service?  
    • A common stipulation in service agreements is that the service provider gains full rights to all content shared in the tool. Many people sign away the rights to their hard work without realizing it. 
  • Will users of the service get added to marketing lists?  
    • If you are engaging with teammates or students through the service, you may inadvertently be exposing them to unwanted advertising, profiling, data mining and more. 
  • Non-educational service providers are under no obligation to meet FERPA requirements for student data privacy, and most standard terms of service don’t even mention FERPA.  
    • MSU Denver only shares data with services that can meet FERPA requirements. 
  • As a state-funded institution, MSU Denver is bound by state procurement rules, which are often contrary to the default terms and conditions presented by free online services. 

Before procuring any technology hardware, software or service, open a ticket with Information Technology Services to investigate the technology. This gives ITS a chance to perform a risk analysis, avoid potential pitfalls, and identify safer and simpler alternative solutions. 

For personal use, check https://tosdr.org/, which provides a simple, comprehensible breakdown of many major websites’ terms of service. 

If you have any questions or concerns, please contact the ITS Service Desk at 303-352-7548 or support.msudenver.edu.