Free, however, is a relative term.
“When you’re using free tools, it’s important to realize that those tools aren’t actually free,” says Sol Bermann, CISO at the University of Michigan. “Those free tools are using you and your data as the currency or payment.”
Once that data is handed over, it’s gone; there’s no demanding a refund. In the best-case scenario, it winds up in the hands of companies that might pepper your newsfeed with targeted advertisements. More concerning are those with more malicious intent: the hackers and scammers looking to steal data for nefarious reasons.
Then there are regulatory concerns. The more time universities have students and faculty spending in the digital universe, the more opportunity there is to violate student privacy laws such as the Family Educational Rights and Privacy Act (FERPA).
“Universities are obviously using technologies now that they may not have previously,” says LeRoy Rooker, director of the U.S. Department of Education’s Family Policy Compliance Office. It’s critical, he says, that the technology being used doesn’t create what could be considered private education records and then inadvertently disclose those records to unauthorized parties.
Cybersecurity Is a Shared Responsibility
Universities have a clear responsibility to safeguard the data of their students and faculty, Rooker says, by ensuring those solutions and the people using them comply with privacy regulations.
To that end, Rooker says, it’s critical that university IT teams and faculty work with university contracting and compliance experts to ask the right questions and do their due diligence. “I’ve yet to come across a vendor who didn’t say they were FERPA compliant,” Rooker says. “And, as I tell institutions, some of them actually are.”
The cybersecurity burden, however, doesn’t fall only to the university, but also to the students and faculty themselves. “We are ever more reliant on individuals to understand that they have a shared responsibility to maintain security,” Bermann says. “Security is not just done for you. You have to do your part.”
MORE ON EDTECH: Learn the Difference Between Security, Privacy and Confidentiality
For students and faculty, often the best means of ensuring personal safety is by adhering to the guidelines of and adopting the software selected by the university’s IT department.
“We strongly urge our faculty and students to make sure they’re using the software we provide, because our contracts provide specific assurances about how the data can be used and shared,” Bermann says. “That includes restrictions about it being used for advertising or other purposes beyond the scope of the service. Our contracts are, frankly, the greatest privacy guarantee we have.”
“Can we stop our community from downloading or accessing free software or using free services?” Bermann says. “No. But we certainly strive to make sure that they have the appropriate tools at their fingertips to do the job. We recognize it might not be exactly the perfect fit or what they want to use all the time, but part of that shared responsibility is to remember it is about more than just the individual. It’s about the community and institution.”