If A College Is Going To Make COVID-19 Contact Tracing Apps Mandatory, They Should At Least Be Secure

from the tracer-round dept

One of the more frustrating aspects of the ongoing COVID-19 pandemic has been the frankly haphazard manner in which too many folks are tossing around ideas for bringing it all under control without fully thinking things through. I’m as guilty of this as anyone, desperate as I am for life to return to normal. “Give me the option to get a vaccine candidate even though it’s in phase 3 trials,” I have found myself saying more than once, each time immediately realizing how stupid and selfish it would be to not let the scientific community do its work and do it right. Challenge trials, some people say, should be considered. There’s a reason we don’t do that, actually.

And contact tracing. While contact tracing can be a key part of siloing the spread of a virus as infectious as COVID-19, how we contact trace is immensely important. Like many problems we encounter these days, there is this sense that we should just throw technology at the problem. We can contract trace through our connected phones, after all. Except there are privacy concerns. We can use dedicated apps on our phones for this as well, except this is all happening so fast that it’s a damn-near certainty that there are going to be mistakes made in those apps.

This is what Albion College in Michigan found out recently. Albion told students two weeks prior to on-campus classes resuming that they would be required to use Aura, a contact tracing app. The app collects a ton of real-time and personal data on students in order to pull off the tracing.

Aura, however, goes all in on real-time location-tracking instead, as TechCrunch reports. The app collects students’ names, location, and COVID-19 status, then generates a QR code containing that information. The code either comes up “certified” if the data indicates a student has tested negative, or “denied” if the student has a positive test or no test data. In addition to tracking students’ COVID-19 status, the app will also lock a student’s ID card and revoke access to campus buildings if it detects that a student has left campus “without permission.”

TechCrunch used a network analysis tool to discover that the code was not generated on a device but rather on a hidden Aura website—and that TechCrunch could then easily change the account number in the URL to generate new QR codes for other accounts and receive access to other individuals’ personal data.

It gets worse. One Albion student was able to discover that the app’s source code also included security keys for Albion’s servers. Using those, other researchers into the app found that they could gain access to all kinds of data from the app’s users, including test results and personal identifying information.

Now, Aura’s developers fixed these security flaws…after the researchers brought them to light and after the school had made the use of the app mandatory. If anyone would like to place a bet that these are the only two privacy and security flaws in this app, then they must certainly not like having money very much.

To be clear, plenty of other schools are trying to figure out how to use technology to contact trace as well. And there’s probably a use for technology in all of this, with an acceptable level of risk versus the benefit of bringing this awful pandemic under control.

But going off half-cocked isn’t going to help. In fact, it’s only going to make the public less trustful of contact tracing attempts in the future, which is the last thing we need.

Filed Under: , , , , ,
Companies: albion college, aura

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “If A College Is Going To Make COVID-19 Contact Tracing Apps Mandatory, They Should At Least Be Secure”

Subscribe: RSS Leave a comment
23 Comments
Anonymous Coward says:

Another thing about the vaccines…

If immunity conferred from having had covid (and therefore also any vaccine) is temporary, what is the upshot of that? Mandatory vaccine shots every two weeks? How long until that process is co-opted and compromised, if not from the get?

It won’t be the first time that all vaccination becomes suspect due to the actions of one group.

Anonymous Coward says:

Re: Re: Re:

Unfortunately, the virus seems to be a high enough mutation rate that the US is confirming it’s first reinfection only 6 months in. Worse, there’s concern that the immunity may only last a few months.

I don’t think that time frame your hoping for is going to work out anytime soon. (Never mind all of the idiots in the US who won’t take the vaccine for one dumb reason or another.)

MightyMetricBatman says:

Re: Re: Re:

And a vaccine can trigger a better immune reaction than the virus itself in some cases. No better example of this than rabies where you die without the vaccine; and measles which not only prevents the disease but also the loss of immune system memory cells which protect against previous diseases you have encountered.

We can only hope one or more the ongoing vaccine candidates will do the same.

Glenn says:

A virus is a virus is a virus… except when there are 28 strains of the "same" virus. A vaccine is only good for each "family" of strains. So, that could mean as many as–in this example–28 vaccines. A vaccine may work to protect for a decade, but there are likely new strains coming along every year. As to whether there could be a super vaccine developed for every strain… who knows. While you wait, just don’t go out of your way to do stupid things that could help get yourself or someone else infected. That said, the world can’t stop: if you’re not dead, then keep on living.

Cowardly Lion says:

Assumptions and Trust

Huge assumption in that everyone has a device to load the app on. The arstechnica article links to an Albion page that says nothing about what happens if a student does not possess a phone. Not everyone does

And I for one am not comfortable with track-and-trace. I just don’t trust those in authority not to abuse it.

PaulT (profile) says:

Re: Assumptions and Trust

"The arstechnica article links to an Albion page that says nothing about what happens if a student does not possess a phone"

I would hope that some common sense rules apply, as not only does not everyone have a phone, but they do break. But, you never know with these things.

"And I for one am not comfortable with track-and-trace. I just don’t trust those in authority not to abuse it."

Well, the purpose of track and trace is to avoid the need for more draconian measures, so you’re really stuck either way.

Anonymous Coward says:

Re: Re: Assumptions and Trust

more draconian measures

What’s more draconian than being forced to carry around an agent that directly updates your permanent record 24/7 and that retains the power to ban you from services?

Sorry, but that’s as draconian as you can get. The only next step is to have it able to issue a death warrant against you.

Anonymous Coward says:

Re: Re: Assumptions and Trust

I would hope that some common sense rules apply, as not only does not everyone have a phone, but they do break. But, you never know with these things.

Especially now with COVID, I’m seeing a lot of businesses make this assumption. Can’t do a curbside pickup without a phone. Sometimes can’t buy from a store without using a trackable card (ie. they don’t take cash, although there’s no evidence it’s spreading the virus). Even a couple years ago, I was unable to access some real estate showings because they didn’t write a buzzer number in the lobby, only a phone number.

My guess is that they have no "common sense" plan, and also that anyone with an incompatible phone will be screwed. And I wonder whether the thing will work on Android without a Google account or without Google’s proprietary software.

Bergman (profile) says:

Re: Assumptions and Trust

I came here to make pretty much that exact comment.

Not everyone has a brand new smart phone. Not everyone even owns a phone.

There’s also the aspect of the app being able to lock students out of campus buildings if it detects that their mobile device has left campus without permission. Um, what? College students are almost always over 18, who do they need permission from?

Ehud Gavron (profile) says:

Some questions begged, others ignored

Begged Question: Does the college have the right –in the first place– to limit a student’s access, movement, and education based entirely on a REQUIREMENT that this tuition-paying contract-signed student:

  • Owns a smartphone
  • Always carries said phone on campus
  • Leaves it on, charged, and communicating with networks
    These are an absurd set of assumptions to gloss over and assume.

Followup Question: If the college has exactly zero jurisdiction off campus [and in the US with the exception of "greek" houses and "activity houses" this is true] then there is ZERO tracking of people meeting off campus.

If Alice and Bob go out for a beer at Trudi’s Beerpub, it’s off campus, outside college jurisdiction, and –given the nature of college students– will lead to less social-distancing than on campus.

Further, with current tests being around 50-65% accurate, Alice and Bob can get tested many times, and eventually get a negative (or maybe even the first time around) and whether false or not, report that in the app… so that when they ACTUALLY ARE on campus the app [that they’re forced to install on a smartphone they’re forced to carry and maintain and keep charged, on, and networked] marks them as safe.

Now to that add the part about the app leaking personal identifying information, infection status, and locations, and the whole thing becomes a complete cluster.

Ehud

Anonymous Coward says:

Re: Some questions begged, others ignored

  • Always carries said phone on campus

I think it’s probably fair to assume that college-age people with a smartphone will not let it out of their sight. 😉 I wish this was sarcastic, but it has at least a bit of truth to it.

  • Leaves it on, charged, and communicating with networks

This is a very good point. Based on what we read about the parolee tracking app, I would not be surprised to learn that Aura (mis)uses the device in a way that drains the device’s battery much faster than if the device were idling normally.

Followup Question: If the college has exactly zero jurisdiction off campus [and in the US with the exception of "greek" houses and "activity houses" this is true] then there is ZERO tracking of people meeting off campus.

That’s not actually a question, but it’s still a good point. It might be hand-waved away as being that the college has the authority to refuse them access to college property on any or no basis, much the same way at-will states allow employees to be fired for any or no reason. If the college had such an authority, then it could exercise that authority to say that students don’t need to be tracked, but that it will deny access to anyone who refuses.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...