The Importance of Risk Assessment When Reading Terms and Conditions

Adapted from Ken Ries (CISO UW-River Falls) for EDUCAUSE.

Did you buy new tech for the holidays? Read the terms and conditions. As the chief information security officer for the University of Wisconsin (UW)-River Falls and UW-Stout, I have been asked to review an increasing number of web and mobile applications (from an information security perspective) since the move to alternative forms of course delivery. Higher education institutions are required to protect their data. As a security officer, I must take a risk-based approach when evaluating applications and services. As an individual, you should do the same. 

The level of risk associated with any app or service is directly related to the data it contains or to which it has access. For example, a password manager is high risk, but a news app is probably low risk. A contact app might be medium risk, but it is probably high risk if it has access to your text messages or your location. Many widely used apps, including Facebook and Google, offer security and privacy checkups, including options to control the information and data they collect. Go through your apps, check the terms and conditions (often found under your profile), and ask yourself the following questions: Do I want to give this information away? What would happen if my social and professional circles had access to it? Is the risk of this third-party flashlight application really worth the reward of using it? Why does this Santa app require so many permissions to work?

Once you begin to understand the risk, you can make decisions to protect yourself and your personal and professional connections. Should I use the free version or the paid version? Should I use a long password? Should I enable multifactor authentication? Do I need to worry if my data is encrypted? Should I install the app at all? These questions need to be answered based on your risk assessment. If an app isn’t worth it, uninstall it. 

In my professional role at UW, I need to consider compliance with all applicable laws and policies. While they can be difficult to navigate, they serve to protect the institution and our users. In my personal life, there are few compliance requirements—and few protections. I am responsible for the risk that comes with clicking “I accept.”

Some companies make it very easy to understand their terms and conditions. Others try to hide their actions behind vague terms. Sometimes, the terms are too complicated to understand. As you navigate technology decisions in your personal life, I encourage you to read the terms and conditions instead of clicking through them. If an app or service is burying terms in legalese or vague statements, its real product is probably your data. As the old saying goes, “If you’re not paying for the product, you are the product.” Give yourself the gift of privacy and security this holiday by considering the risk before clicking “I accept.”