What happens to your data when you use an application? If the answer is unclear, or it is known that the data is leaked or sold, there is a good chance that the university will block the app. This is part of a new policy that Library and Information Services (LIS) introduced a month ago. So far, 442 alerts have been triggered by employees who tried to use one of the fully blocked apps.
For the time being, LIS has identified three hundred applications that are potentially unsafe. Only some of these have been blocked immediately, says Joost de Jong, Product Owner Security Operations at LIS. “We started with applications with the highest risk and the lowest number of users. The only apps we blocked immediately were the ones with fewer than fifty users. The rest will first be placed in a monitoring state for thirty days.” During that period, employees see a pop-up informing them that the application is being monitored and warning them that the app will shortly no longer be available. If they close the notification, they can still use the app. That is not the case for apps that are completely blocked. Every thirty days, the service checks whether new applications need to be added to the block list.
DeepSeek
To determine which apps are undesirable, LIS uses a digital tool that assigns a score in a number of areas, such as security and privacy. The tool also checks whether the application complies with legislation. Applications that score poorly in these respects include emailR, Looyu-crm, Ludashi, and DeepSeek. The main problem with the latter is that TU/e has too little insight into how the application handles user data, explains Chief Information Security Officer (CISO) Martin de Vries. “If you put data into it, we don’t know what the AI model does with it. It’s also unknown what safeguards the organization has in place to protect information properly.”
De Jong confirms this: “If an app is bad and has security flaws, there’s no need to check anything else. There’s a good alternative for every bad app. So we put the bad apps on the ‘block list’ and scrutinize the good ones.” If LIS turns out to have been a little too proactive in blocking an app, someone is bound to come forward and say: “This is the best app in the world and I need it,” De Vries believes. “But you’ll often find that there’s another option that’s just as good, but safe.”
Poorly made
This new policy fits in with a new way of looking at the world (specifically the digital one), explains De Jong. “We’re moving from ‘open by default’ to ‘closed by default’ because everything is simply becoming more risky.” In his view, the world is less innocent than it used to be. He also sees technology accelerating at an incredible pace. “Tens of thousands of apps are created every day. Many of them are just poorly made and leak data. They sometimes ask for so many permissions that if you allow the app, you’ll also give it access to all your colleagues’ information.”
According to him, TU/e wants to get a better handle on these kinds of situations and comply with relevant legislation in one fell swoop. “The government requires us to have a higher level of security. We have to be able to demonstrate that we have everything under control. You can’t do that if you allow ten thousand apps.”
Defense
Caution is advised, says De Jong. This also applies to individuals, because these kinds of measures don’t guarantee 100% safety. “We’re still at risk, for example if a company that does make good apps is hacked, or if a company is careless about keeping information private. That’s why our first line of defense still consists of users thinking carefully about what they do and how they handle information.”
The applications are blocked only for employees. LIS doesn’t want to block anything for students, because they buy their own laptops. Students will nevertheless notice that the aforementioned DeepSeek application isn’t available on the network, but that is because the firewall blocks it.