Page Comparison

Many of us use "cloud apps",

...

whether

...

we

...

email

...

through

...

a

...

Hotmail

...

account,

...

share

...

photos

...

through

...

Facebook

...

and

...

Flickr,

...

move

...

documents

...

between

...

home

...

and

...

work

...

computers

...

through

...

Dropbox

...

and

...

MobileMe,

...

videoconference

...

with

...

colleagues

...

and

...

loved

...

ones

...

in

...

different

...

time

...

zones

...

with

...

Skype

...

and

...

AIM,

...

blog

...

through

...

WordPress

...

and

...

Blogger,

...

upload

...

our

...

lives

...

through

...

video

...

clips

...

on

...

YouTube

...

or

...

collaborate

...

on

...

writing

...

a

...

paper

...

with

...

Google

...

Docs.

...

If

...

we

...

use

...

these

...

apps,

...

it's

...

because

...

they

...

can

...

save

...

us

...

time

...

or

...

money,

...

or

...

offer

...

us

...

the

...

ability

...

to

...

do

...

something

...

we

...

couldn't

...

do

...

otherwise.

...

As

...

a

...

bonus,

...

it

...

means

...

someone

...

else

...

has

...

to

...

worry

...

about

...

those

...

annoying

...

computer

...

tasks

...

like

...

backing

...

up

...

data,

...

ensuring

...

enough

...

disk

...

space,

...

etc.

...

But

...

the

...

fact

...

that

...

your

...

data

...

is

...

now

...

in

...

someone

...

else's

...

hands

...

has

...

all

...

sorts

...

of

...

implications,

...

not

...

all

...

of

...

them

...

to

...

your

...

advantage,

...

when

...

there

...

is

...

no

...

contract

...

or

...

agreement

...

between

...

UC

...

and

...

the

...

company

...

offering

...

the

...

service.

...

Whether

...

a

...

given

...

cloud

...

app

...

is

...

appropriate

...

to

...

use

...

for

...

your

...

UCLA

...

activities

...

(or

...

even

...

for

...

your

...

personal

...

use)

...

is

...

a

...

matter

...

of

...

understanding

...

the

...

risks

...

and

...

making

...

an

...

informed

...

decision.

...

This

...

document

...

is

...

intended

...

to

...

help

...

you

...

be

...

a

...

savvy

...

consumer

...

of

...

these

...

services

...

should

...

you

...

choose

...

to

...

utilize

...

them

...

in

...

connection

...

with

...

UCLA

...

activities.

...

Ground

...

rules

...

1. It is your responsibility to take privacy and security into consideration when making decisions about when it is and is not acceptable to use free/low cost services. All University and campus policies apply to all University data, whether on UC or non-UC systems. Most of these services typically include "click-to-accept"

...

1. agreements

...

1. that

...

1. have

...

1. not

...

1. been

...

1. reviewed

...

1. or

...

1. approved

...

1. by

...

1. UC

...

1. and

...

1. so

...

1. may

...

1. introduce

...

1. security

...

1. risks

...

1. for

...

1. your

...

1. information

...

1. and

...

1. to

...

1. the

...

1. University.

...

1. If

...

1. you

...

1. need

...

1. help

...

1. assessing

...

1. these

...

1. risks,

...

1. don't

...

1. hesitate

...

1. to

...

1. ask

...

1. (see

...

1. Resources,

...

1. below).

...

2. Restricted

...

1. and

...

1. confidential

...

1. information

...

1. must

...

1. never

...

1. be

...

1. stored,

...

1. received,

...

1. processed

...

1. or

...

1. published

...

1. on

...

1. non-UC

...

1. systems

...

1. unless

...

1. you

...

1. have

...

1. worked

...

1. with

...

1. Purchasing

...

1. to

...

1. ensure

...

1. that

...

1. a

...

1. UC-approved

...

1. agreement

...

1. is

...

1. in

...

1. place

...

1. that

...

1. addresses

...

1. information

...

1. security

...

1. and

...

1. privacy

...

1. requirements

...

1. and

...

1. concerns.

...

1. Similarly,

...

1. don't

...

1. rely

...

1. on

...

1. external

...

1. information

...

1. systems

...

1. or

...

1. services

...

1. for

...

1. critical

...

1. University

...

1. business

...

1. processes

...

1. unless

...

1. a

...

1. UC-approved

...

1. agreement

...

1. is

...

1. in

...

1. place.

...

2. The

...

1. University

...

1. cannot

...

1. protect

...

1. the

...

1. privacy

...

1. of

...

1. your

...

1. communications

...

1. if

...

1. you

...

1. use

...

1. one

...

1. of

...

1. these

...

1. services

...

1. ,

...

1. as

...

1. it

...

1. has

...

1. no

...

1. control

...

1. over

...

1. what

...

1. occurs

...

1. outside

...

1. its

...

1. borders.

Situations in which non-UC

...

services

...

are

...

(likely)

...

inappropriate

...

The following are serious indicators of situations in which use of a non-UC service without UC-approved agreement being in place is inappropriate. If one or more of these conditions apply to your circumstances, consider whether the University offers a solution you could use instead, or work with Software Central or Purchasing to negotiate an agreement with the service provider before using the service.

• You will be conducting University business that should not be disclosed to the general public;
• Restricted or confidential information will be involved;
• You need a high level of security;
• Privacy is a concern;
• There are things that wouldn't be acceptable for the company to do with your information;
• The company will or may store data outside of the United States, or data will cross US borders to reach the user. For example, some of Google's data centers are not within US borders, potentially placing University data under foreign jurisdiction and possibly subject to inspection by foreign governments;
• You have specific requirements for availability of data and electronic communications that the service can't guarantee;
• Credit card data is involved;
• You are subject to the requirements of a Data Management Plan.
• It would be a problem if the service suddenly changes or is no longer available, either temporarily or permanently.

Issues to consider

...

When you use cloud apps, the non-UC company has access to your data, communications, account information, etc. A company may have entirely reasonable privacy, security and business continuity protections in place, but you shouldn't assume they meet UC's standards. How important this is depends upon on your specific use of these services.

To help make this determination, consider the issues listed below. If any of them raise concerns, using a non-UC service without a UC-approved agreement in place may be ill-advised.

Privacy issues

Be mindful that your privacy and the privacy of everyone using the product or service are dependent on the non-UC company.

1. It's best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.
2. A company's privacy policy (linked from their web site) should detail what it will do with your information, including to whom they may provide information and to whom they will allow access. What permissions have you granted by accepting their agreement/Terms of Use?
3. If a subpoena, search warrant or other legal instrument is presented to the company to obtain information about you, you shouldn't expect to be informed. While some organizations will try to direct the requester to you/the University first, there is no guarantee that this will happen, and the vendor may even be legally prohibited from disclosing the request.
4. Companies can be acquired, change business models or go out of business. Even if you keep local copies of critical data, what happens to your data if, say, the company that was hosting your data shuts down?

Operational, legal and contractual issues

1. When you sign up to use free/low cost services, you may be agreeing to terms and conditions, terms of service, and acceptable use policies that are different from UC's or UCLA's. The company can attempt to hold you to what you agree to, even if it is just a "click-to-accept"-type

...

1. agreement.

...

1. Do

...

1. you

...

1. have

...

1. delegated

...

1. authority

...

1. to

...

1. enter

...

1. into

...

1. this

...

1. type

...

1. of

...

1. agreement

...

1. on

...

1. behalf

...

1. of

...

1. UCLA?

...

1. If

...

1. not,

...

1. you

...

1. may

...

1. be

...

1. in

...

1. violation

...

1. of

...

1. University

...

1. policy

...

1. if

...

1. you

...

1. "click-to-accept"

...

1. the

...

1. terms

...

1. of

...

1. use.

...

1. It

...

1. is

...

1. essential

...

1. to

...

1. ensure

...

1. that

...

1. ownership

...

1. of

...

1. University

...

1. data

...

1. remains

...

1. with

...

1. the

...

1. 
   University.

...

1. Whenever

...

1. you

...

1. put

...

1. data

...

1. on

...

1. a

...

1. commercial

...

1. service,

...

1. ensure

...

1. that

...

1. the

...

1. terms

...

1. do

...

1. not

...

1. conflict

...

1. with

...

1. University

...

1. policy

...

1. or

...

1. governmental

...

1. contracts

...

1. and

...

1. grants

...

1. in

...

1. terms

...

1. of

...

1. data

...

1. ownership.

...

1. Software

...

1. Central

...

1. can

...

1. help

...

1. with

...

1. this.

...

1. Keep

...

1. in

...

1. mind

...

1. that

...

1. you

...

1. may

...

1. be

...

1. required

...

1. by

...

1. the

...

1. University

...

1. to

...

1. produce

...

1. records

...

1. relating

...

1. to

...

1. University

...

1. business,

...

1. including

...

1. email,

...

1. instant

...

1. messages,

...

1. files,

...

1. etc.,

...

1. regardless

...

1. of

...

1. whether

...

1. those

...

1. records

...

1. are

...

1. stored

...

1. on

...

1. University

...

1. or

...

1. non-University

...

1. systems

...

1. or

...

1. services.

...

1. Using

...

1. a

...

1. cloud

...

1. app

...

1. does

...

1. not

...

1. relieve

...

1. you

...

1. of

...

1. this

...

1. obligation

...

1. but

...

1. may

...

1. make

...

1. it

...

1. more

...

1. difficult

...

1. for

...

1. you

...

1. to

...

1. comply.

...

1. There

...

1. is

...

1. no

...

1. guarantee

...

1. that

...

1. deleted

...

1. content

...

1. or

...

1. accounts

...

1. will

...

1. really

...

1. be

...

1. deleted.

...

1. It

...

1. may

...

1. take

...

1. awhile

...

1. before

...

1. the

...

1. content

...

1. or

...

1. the

...

1. account

...

1. is

...

1. completely

...

1. flushed

...

1. from

...

1. all

...

1. of

...

1. the

...

1. company's

...

1. archives.

...

1. Practices

...

1. will

...

1. also

...

1. vary

...

1. as

...

1. to

...

1. how

...

1. long

...

1. accounts

...

1. may

...

1. remain

...

1. idle

...

1. before

...

1. the

...

1. account

...

1. and

...

1. associated

...

1. data

...

1. are

...

1. destroyed.

...

1. If

...

1. the

...

1. service

...

1. is

...

1. free

...

1. or

...

1. "click

...

1. wrap"

...

1. you

...

1. probably

...

1. have

...

1. little

...

1. or

...

1. no

...

1. recourse

...

1. against

...

1. the

...

1. vendor

...

1. if

...

1. something

...

1. goes

...

1. wrong

...

1. or

...

1. they

...

1. do

...

1. something

...

1. you

...

1. don't

...

1. agree

...

1. with.

...

Acknowledgements

...

and

...

Further

...

Reading

...

• Much of this advisory document has been adapted from UCLA's Guidance on the Use of Cloud Apps by Individuals, UC Santa Cruz's Use of Free Services, with additional input from UC Berkeley and Lawrence Berkeley Lab.
  *Cornell University's Outsourcing and Cloud Computing for Higher Education provides a comprehensive overview of these issues.