A couple of weeks ago, we talked about the new SRM process and the expedited procurement alternative, and since these new procedures came into place, we have received a few inquires about the reason why a free software should still go through a review process. The answer is easy: because nothing is really free.
And we get it: free feels harmless. No budget impact. No procurement. No invoice floating in someone’s queue. It feels like the lowest-risk decision possible. But in the world of software, free is rarely free.
When the Software Risk Management review process was implemented, the goal wasn’t to create paperwork but to create visibility and protection. Software is now infrastructure. One tiny app can touch student records, research data, institutional identity systems, compliance obligations, and reputation, sometimes all at once. And no price tag doesn’t make any of that go away. It just hides the costs.
In the broader marketplace, people are talking about this, too. Personal finance writers explain that “free” apps often monetize in indirect ways, like selling data, tracking behavior, or pushing ads, precisely because the lack of a sticker price doesn’t eliminate underlying value exchanges. The same logic applies in institutional contexts: there’s always a trade-off.
Free software is almost always a business model. If money isn’t coming from you, it’s coming from your data, your usage patterns, your access rights, your attention. And for an institution, that’s not a casual thing.
The GNU project even makes a philosophical distinction between “free as in beer” and “free as in freedom”--the real freedom to use, understand, modify, and share software. That matters because the kind of “free” in many commercial apps is neither freedom nor transparency.
And here’s where the risk becomes real: when faculty or staff sign up for a tool with their university email and click “I agree,” that application suddenly touches the institution. It may store data on third-party servers. It may grant rights over uploaded content. It may allow the vendor to change terms without notice. All those fine-print clauses are there to protect the vendor, not you, because that’s how contracts work, and that’s why only certain university community members have signatory rights.
Terms of service can include things like ownership claims, data reuse rights, retention rules, or limited liability, and most people agree to these without reading them. That’s understandable, but agreeing to them on behalf of a university entity without review is not a trivial decision.
And it’s not just theory: free products evolve. Features change. Companies pivot or fold. Services sunset overnight. A “no cost” tool today can become a critical dependency tomorrow, leaving teams scrambling to replace it or, worse, migrate institutional data.
In higher education, there are compliance layers to think about too: FERPA, HIPAA, accessibility standards, and more. A free app does not magically align with any of those. In fact, many explicitly state that they are not designed for regulated or protected data.
Before clicking on that fun tool, there are some questions that most people don’t consider:
- What data is being entered here?
- Where will it be stored?
- Who will have access?
- Who owns it?
- What happens if the vendor changes terms?
- What happens if the service disappears?
And those questions matter whether the invoice is $0 or $100,000.
Free software can be great, innovative, valuable, and appropriate. Many open source tools are powerful precisely because they embrace real freedom, not because they hide costs. But assuming that “no cost” equals “no risk” is a myth that leads to avoidable problems.
That’s why we ask for SRM review--not because we want to slow people down, but because we want everyone’s good work to stay good work, not become an institutional headache later.
So, before we click “I agree” on behalf of the university, it’s worth understanding exactly what we’re agreeing to.