CISO discourages non-work-related apps on U-managed devices

Tristan Harris, former design ethicist at Google and co-founder of the Center for Humane Technology, delivered a memorable line in “The Social Dilemma,” a Netflix documentary about the addictive nature of social media.

“If you’re not paying for the product,” Harris said, “then you are the product.”

“App companies make money from information they gather on their users and sell to other companies,” said Corey Roach, the University of Utah’s chief information security officer (CISO).

With some apps, there may be more at stake than personal data. For example, the popular video-sharing app TikTok and its China-based parent company, ByteDance, have come under heightened scrutiny in recent weeks over data privacy and security concerns. In December 2022, Utah Gov. Spencer J. Cox issued an executive order that prohibits the use of TikTok on most state-owned electronic devices.

According to the news release, “Chinese national security laws allow the Chinese government to compel companies headquartered in China to provide it with data, which may include the personal data, intellectual property, or proprietary information of users in the United States and Utah.”

Although dozens of public universities in the United States have blocked TikTok from campus networks and more than half of states have restricted its use on government-issued devices, the Utah governor’s executive order excludes institutions of higher education like the U and other Utah Board of Higher Education schools. Despite the executive order’s limited scope, Roach cautions people using U-managed devices not to install or use any application that doesn’t serve a legitimate university purpose (e.g., research, teaching, and marketing and communications).

“If you use a university-managed device for university business, and an app doesn’t help you perform your role, don’t install it,” Roach said. “Be cognizant of the information being collected, even on your personal device, and make sure you know what you’re giving away.”

Chief Information Officer Steve Hess said UIT Leadership and the Information Security Office are monitoring developments around this issue.

“Ensuring the safety and integrity of university data and IT systems is a top priority at the University of Utah,” Hess said. “We’ll continue to evaluate any and all threats posed by applications and any potential security risks related to use of these platforms.”

According to its privacy policy, data that TikTok collects include personally identifiable information, keystroke patterns, location information based on SIM card and/or IP address, app activity, browser and search history, and biometric information. Data collected by TikTok fall into three categories: information that users provide, information it collects from other sources (for example, contact lists carried over from Facebook), and information it collects for its own purposes and for resale (e.g., usage information, device information, location data, messages, metadata, and cookies).

TikTok, of course, isn’t the only application that collects and distributes user information. The New York Times studied the tracking behavior of 250 iPhone apps in 2021. Of the 20 weather apps it investigated, 17 gathered data to track devices for advertising purposes, and 14 used location information to track devices.

Roach strongly urges members of the U community to familiarize themselves with the privacy policies of all applications installed on professional and personal devices.

“Pay close attention to an app’s privacy policy and the permissions an app requires or requests when it’s installed. If the permissions seem excessive, inappropriate, or invasive, do not grant the app the requested permissions or do not install the app.”

What do you do if you're uncomfortable with a particular service’s privacy practices? You can disable cookies and tweak other privacy settings as needed. Apple devices, for instance, allow users to limit ad tracking and switch off location tracking.

“In the end, your best bet is to avoid an app altogether if you don’t trust the company to safeguard your information,” Roach said.

Last Updated: 1/25/23