Security and Privacy Resources for GitHub Copilot
The purpose of this document is to help development teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards, including IT07, IT08, and IT13.
GitHub Copilot is now available through the University of Illinois Shared GitHub Service.
This guide is meant to assist development teams in navigating security and privacy concerns when deciding whether to adopt GitHub Copilot.
Note that this information is current as of April 2025.
Maintain human oversight of software development and ensure users understand that they must validate the accuracy and security of GitHub Copilot’s code suggestions and other output. This can be achieved through mature software development life-cycle practices. See Cybersecurity, Example Development Standards and contact securitysupport@illinois.edu for further assistance.
Units and users should review:
- Generative AI Solutions Hub - Best Practices
- Generative AI Solutions Hub - Resources
- Privacy Considerations for Generative AI
- System Digital Risk Office’s Generative AI Homepage
- System Digital Risk Office - Generative AI Awareness
- System Digital Risk Office - Generative AI Guidance for expected use cases
- GitHub Copilot may only be used with code that complies with the University of Illinois GitHub Shared Service - End User Service Agreement.
- Users should only provide essential information needed to use the GitHub platform for intended business and educational purposes and avoid disclosing high-risk, sensitive, and internal data with generative AI tools, including but not limited to unpublished research data, financial information, employment details, student records, and healthcare information.
- GitHub Copilot should not be used through an individual license when the code is subject to export restrictions.
- GitHub Copilot should not be used through an individual license when the code is licensed to a third party under an agreement that assures confidentiality limited to that third party.
- Teams that need to license code to others under uncommon software licenses are encouraged to consult with the Office of Technology Management for additional guidance.
GitHub Copilot purchased through the campus GitHub Enterprise agreement provides privacy assurances that are typically sufficient for these cases.
- Copilot provides suggestions based on the working context of a developer’s code editor, which requires temporarily transferring an ephemeral copy of various elements of that context to GitHub’s servers.
- Copilot does transfer content from the developer’s code editor to GitHub’s servers for purposes of assessing the context and providing suggestions. What is transferred is purely ephemeral, and shortly after Copilot has provided suggestions, the copy is deleted and is not used for any other purpose.
- The Copilot extension in the code editor does not retain prompts for any purpose after it has provided suggestions, unless you are a Copilot Individual subscriber and have allowed GitHub to retain the developer’s prompts and suggestions.
- Information about security precautions in GitHub Copilot is available at the GitHub Copilot Trust Center.
- GitHub does not use data from Copilot Business or Copilot Enterprise to train its model.
- GitHub Copilot may train on code shared with it under other GitHub Copilot licenses.
Maybe?! Many people expect AI-generated code suggestions to fall under fair use laws, but there is little legal precedent as of February 2025.
- Whether a suggestion generated by an AI model can be owned depends on many factors including, but not limited to: the intellectual property law in the relevant country, the length of the suggestion, and the extent to which the suggestion is considered ‘functional’ instead of expressive.
GitHub Copilot has features that can help concerned users navigate code license issues:
- GitHub Copilot is previewing a code-referencing feature to help users find and review potentially relevant open-source licenses.
- GitHub does offer IP indemnification for unmodified suggestions when Copilot’s filtering is enabled.
Development teams whose code is licensed to others are encouraged to enable these features.
Developers with additional privacy or security concerns about using GitHub Copilot are encouraged to contact securitysupport@illinois.edu for additional guidance.