Security and Privacy Resources for GitHub Copilot
About
The purpose of this document is to help development teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards, including IT-7, IT08, and IT13.
GitHub Copilot is now available through the University of Illinois Shared GitHub Service.
This guide is meant to assist development teams in navigating security and privacy concerns when deciding whether to adopt GitHub Copilot.
This information is current as of February 2025.
Security and Privacy Questions about GitHub Copilot
What should we do before adopting GitHub Copilot?
Units and users should:
- Review Generative AI Solutions Hub - Best Practices
- Review Generative AI Solutions Hub - Resources
- Review Privacy Considerations for Generative AI
- Review the System Digital Risk Office’s Generative AI webpage, including Gen AI Awareness and relevant Gen AI Guidance for expected use cases.
- Maintain human oversight of software development and ensure users understand that they must validate the accuracy and security of GitHub Copilot’s code suggestions and other output. This can be achieved through mature software development life-cycle practices. See Cybersecurity, Example Development Standards and contact securitysupport@illinois.edu for further assistance.
Can I use GitHub Copilot with any/all of my code?
- GitHub Copilot may only be used with code that complies with the University of Illinois GitHub Shared Service - End User Service Agreement.
- Users should provide only the essential information needed to use the GitHub platform for intended business and educational purposes and avoid disclosing high-risk, sensitive, and internal data to generative AI tools, including but not limited to unpublished research data, financial information, employment details, student records, and healthcare information.
GitHub Copilot licensed under the University GitHub Enterprise license provides more privacy assurances than an individual GitHub Copilot license. GitHub Copilot should not be used through an individual license when the code is subject to export restrictions or when the code is licensed to a third party under an agreement that assures confidentiality limited to that third party. GitHub Copilot purchased through the campus GitHub Enterprise agreement provides privacy assurances that are typically sufficient for these cases. Teams that need to license code to others under uncommon software licenses are encouraged to consult with the Office of Technology Management for additional guidance.
How is my code being stored?
- Copilot provides suggestions based on the working context of a developer’s code editor, which requires temporarily transferring an ephemeral copy of various elements of that context to GitHub’s servers.
- Copilot does transfer content from the developer’s code editor to GitHub’s servers for purposes of assessing the context and providing suggestions. What is transferred is purely ephemeral and, shortly after Copilot has provided suggestions, the copy is deleted and is not used for any other purpose.
- The Copilot extension in the code editor does not retain prompts for any purpose after it has provided suggestions, unless you are a Copilot Individual subscriber and have allowed GitHub to retain the developer’s prompts and suggestions.
How is data integrity maintained?
- Information about security precautions in GitHub Copilot is available at the GitHub Copilot Trust Center.
Is Copilot training on my code?
- GitHub does not use data from Copilot Business or Copilot Enterprise to train its model.
- GitHub Copilot may train on code shared with it under other GitHub Copilot licenses.
Will using Copilot affect licensing my code?
Maybe?! Many people expect AI-generated code suggestions to fall under fair-use laws, but there is little legal precedent as of Dec 2024.
- Whether a suggestion generated by an AI model can be owned depends on many factors including, but not limited to: the intellectual property law in the relevant country, the length of the suggestion, the extent to which the suggestion is considered ‘functional’ instead of expressive, etc.
GitHub Copilot has features that can help users sensitive to code license issues navigate using the tool:
- GitHub Copilot is previewing a code-referencing feature to help users find and review potentially relevant open-source licenses.
- GitHub does offer IP indemnification for the unmodified suggestions when Copilot’s filtering is enabled.
Development teams whose code is licensed to others are encouraged to enable these features.
Developers with additional privacy or security concerns about using GitHub Copilot are encouraged to contact securitysupport@illinois.edu for additional guidance.