“CU assures its students in its privacy statement that it ‘collects the least amount of personally identifiable information to fulfill duties and responsibilities.'” (Walter Madison/CU Independent)
Opinions do not necessarily represent CUIndependent.com or any of its sponsors.
The university has administrative control over your email, your location data and your search history. With the vague and open-ended language in CU’s privacy policy, they have the ability to not only collect vast amounts of personal data on you but do so without your formal consent.
Why is this a problem? Theoretically, if you are signed in to your CU Gmail account on your cell phone, then every location you stop could be tracked and marked on your Google Maps Timeline. The Timeline is a world map showing every location you have ever visited down to the last coffee shop and pet store. This can be found in your personal account settings.
For example: If you are underage and you visit a liquor store, the university (who has administrative control over your Google account) could see this and send an officer to your room to bust you. This is a purely hypothetical example but it demonstrates the capabilities of the technology we have grown to accept in our everyday lives. A very real example of this sort of overstepping is the way the Chinese government rates its citizens in real-time based on what they buy, who they talk to and how they talk to one another.
CU assures its students in its privacy statement that it “collects the least amount of personally identifiable information to fulfill duties and responsibilities.” This is too vague. “Duties and responsibilities” could easily include many activities that overstep students’ privacy. It gets worse. In the fine print, you can read that “this statement does not apply to websites that are created and maintained for purposes other than conducting official university business…” This means that the university is fully willing and able to collect as much information as it wishes from things you search and do online beyond the realm of CU-managed websites. This could include Amazon, YouTube, Twitter, Instagram — really any site.
Another element worth considering is that the university will collect “the information you provide … (and) share (it) with individuals within the university community who need to know it in order to … carry out university business.” This last part is not only the most arbitrary but also the most dangerous. Carrying out “university business” could entail anything from selling your information to examining your financial status based on your purchase history. There is no evidence that this is currently happening, but it appears to be well within CU’s rights as a university to do so.
The other major point worth considering here is that Boulder is a “Google for Education Customer,” meaning that CU relies on Google to do a lot of heavy lifting, such as providing Google Suite services as well as network reliability to the campus. Google defers ownership of the data each school uses back to the “schools” and then CU, for the time being, applies that “ownership” to students. According to OIT spokesperson, Scott Pribble, “students own all their data with only a couple of minor exceptions.” Those “minor exceptions” are supposedly in relation to projects students work on “for the university.” Again, the vague language here is where we can get into trouble. It is essential that this information, a complete list of all the exceptions to CU’s rules of ownership, be explicitly stated to every student in their privacy contract.
Unless the university directly states these aforementioned exceptions as well as assurances that they will not collect location and search history data, we can not be fully sure that it will never happen. In the end, it is up to us to pressure CU into ensuring that these statements are added to the privacy contract.
Contact CU Independent Staff writer Walter Madison at walter.madison@colorado.edu.
