If A College Is Going To Make COVID-19 Contact Tracing Apps Mandatory, They Should At Least Be Secure
from the tracer-round dept
One of the more frustrating aspects of the ongoing COVID-19 pandemic has been the frankly haphazard manner in which too many folks are tossing around ideas for bringing it all under control without fully thinking things through. I'm as guilty of this as anyone, desperate as I am for life to return to normal. "Give me the option to get a vaccine candidate even though it's in phase 3 trials," I have found myself saying more than once, each time immediately realizing how stupid and selfish it would be to not let the scientific community do its work and do it right. Challenge trials, some people say, should be considered. There's a reason we don't do that, actually.
And contact tracing. While contact tracing can be a key part of siloing the spread of a virus as infectious as COVID-19, how we contact trace is immensely important. Like many problems we encounter these days, there is this sense that we should just throw technology at the problem. We can contract trace through our connected phones, after all. Except there are privacy concerns. We can use dedicated apps on our phones for this as well, except this is all happening so fast that it's a damn-near certainty that there are going to be mistakes made in those apps.
This is what Albion College in Michigan found out recently. Albion told students two weeks prior to on-campus classes resuming that they would be required to use Aura, a contact tracing app. The app collects a ton of real-time and personal data on students in order to pull off the tracing.
Aura, however, goes all in on real-time location-tracking instead, as TechCrunch reports. The app collects students' names, location, and COVID-19 status, then generates a QR code containing that information. The code either comes up "certified" if the data indicates a student has tested negative, or "denied" if the student has a positive test or no test data. In addition to tracking students' COVID-19 status, the app will also lock a student's ID card and revoke access to campus buildings if it detects that a student has left campus "without permission."
TechCrunch used a network analysis tool to discover that the code was not generated on a device but rather on a hidden Aura website—and that TechCrunch could then easily change the account number in the URL to generate new QR codes for other accounts and receive access to other individuals' personal data.
It gets worse. One Albion student was able to discover that the app's source code also included security keys for Albion's servers. Using those, other researchers into the app found that they could gain access to all kinds of data from the app's users, including test results and personal identifying information.
Now, Aura's developers fixed these security flaws...after the researchers brought them to light and after the school had made the use of the app mandatory. If anyone would like to place a bet that these are the only two privacy and security flaws in this app, then they must certainly not like having money very much.
To be clear, plenty of other schools are trying to figure out how to use technology to contact trace as well. And there's probably a use for technology in all of this, with an acceptable level of risk versus the benefit of bringing this awful pandemic under control.
But going off half-cocked isn't going to help. In fact, it's only going to make the public less trustful of contact tracing attempts in the future, which is the last thing we need.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: academia, contact tracing, covid-19, mandatory, security, students
Companies: albion college, aura
Reader Comments
Subscribe: RSS
View by: Time | Thread
Another thing about the vaccines...
If immunity conferred from having had covid (and therefore also any vaccine) is temporary, what is the upshot of that? Mandatory vaccine shots every two weeks? How long until that process is co-opted and compromised, if not from the get?
It won't be the first time that all vaccination becomes suspect due to the actions of one group.
[ link to this | view in chronology ]
Re:
2 weeks would be pointless, but if you could prevent infections for a couple of years that would achieve local eradication, give time for the proper border control measures and so on to be put in place, and to look for a better vaccine.
[ link to this | view in chronology ]
Re: Re:
Vaccination once a year is acceptable, after all that is how the flu vaccine works.
[ link to this | view in chronology ]
Re: Re:
Unfortunately, the virus seems to be a high enough mutation rate that the US is confirming it's first reinfection only 6 months in. Worse, there's concern that the immunity may only last a few months.
I don't think that time frame your hoping for is going to work out anytime soon. (Never mind all of the idiots in the US who won't take the vaccine for one dumb reason or another.)
[ link to this | view in chronology ]
Re: Re:
If COVID-19 mutates like the flu does, then a vaccine will be just as effective in letting us get ahead of it as a flu vaccine is in eradicating flu season.
The fact that we have flu vaccines AND a flu season tells you all you need to know about how well it will work out.
[ link to this | view in chronology ]
Re:
Nope, I don't think your parenthesized comment is true. The vaccine provokes the immune system differently. Yes, using the same proteins as the virus (well, selection of), but there is more to it.
[ link to this | view in chronology ]
Re: Re:
And a vaccine can trigger a better immune reaction than the virus itself in some cases. No better example of this than rabies where you die without the vaccine; and measles which not only prevents the disease but also the loss of immune system memory cells which protect against previous diseases you have encountered.
We can only hope one or more the ongoing vaccine candidates will do the same.
[ link to this | view in chronology ]
A virus is a virus is a virus... except when there are 28 strains of the "same" virus. A vaccine is only good for each "family" of strains. So, that could mean as many as--in this example--28 vaccines. A vaccine may work to protect for a decade, but there are likely new strains coming along every year. As to whether there could be a super vaccine developed for every strain... who knows. While you wait, just don't go out of your way to do stupid things that could help get yourself or someone else infected. That said, the world can't stop: if you're not dead, then keep on living.
[ link to this | view in chronology ]
Assumptions and Trust
Huge assumption in that everyone has a device to load the app on. The arstechnica article links to an Albion page that says nothing about what happens if a student does not possess a phone. Not everyone does
And I for one am not comfortable with track-and-trace. I just don't trust those in authority not to abuse it.
[ link to this | view in chronology ]
Re: Assumptions and Trust
"The arstechnica article links to an Albion page that says nothing about what happens if a student does not possess a phone"
I would hope that some common sense rules apply, as not only does not everyone have a phone, but they do break. But, you never know with these things.
"And I for one am not comfortable with track-and-trace. I just don't trust those in authority not to abuse it."
Well, the purpose of track and trace is to avoid the need for more draconian measures, so you're really stuck either way.
[ link to this | view in chronology ]
Re: Re: Assumptions and Trust
What's more draconian than being forced to carry around an agent that directly updates your permanent record 24/7 and that retains the power to ban you from services?
Sorry, but that's as draconian as you can get. The only next step is to have it able to issue a death warrant against you.
[ link to this | view in chronology ]
Re: Re: Assumptions and Trust
Especially now with COVID, I'm seeing a lot of businesses make this assumption. Can't do a curbside pickup without a phone. Sometimes can't buy from a store without using a trackable card (ie. they don't take cash, although there's no evidence it's spreading the virus). Even a couple years ago, I was unable to access some real estate showings because they didn't write a buzzer number in the lobby, only a phone number.
My guess is that they have no "common sense" plan, and also that anyone with an incompatible phone will be screwed. And I wonder whether the thing will work on Android without a Google account or without Google's proprietary software.
[ link to this | view in chronology ]
Re: Re: Re: Assumptions and Trust
I had an idea for a gadget that suspends your cash in an alcohol bath, then extrudes it (wringing it out in the process) when needed. No risk of infection from that, and the damp bill could even be considered a disinfecting wipe for the people who handle it!
[ link to this | view in chronology ]
Re: Assumptions and Trust
I came here to make pretty much that exact comment.
Not everyone has a brand new smart phone. Not everyone even owns a phone.
There's also the aspect of the app being able to lock students out of campus buildings if it detects that their mobile device has left campus without permission. Um, what? College students are almost always over 18, who do they need permission from?
[ link to this | view in chronology ]
Re: Assumptions and Trust
Some colleges are already requiring smartphones for tracking attendance, for small payment transactions, student ID, and access control.
And it's becoming common for colleges to demand complete health records, even for adult students. Which they absolutely have to have for... no reason that makes sense.
[ link to this | view in chronology ]
Why do I gain the Impression that Aura saw the chance to collect lots of personalized data for sale to advertisers, and took it?
[ link to this | view in chronology ]
i would have thought the most important thing is to make sure they work!
[ link to this | view in chronology ]
Some questions begged, others ignored
Begged Question: Does the college have the right --in the first place-- to limit a student's access, movement, and education based entirely on a REQUIREMENT that this tuition-paying contract-signed student:
These are an absurd set of assumptions to gloss over and assume.
Followup Question: If the college has exactly zero jurisdiction off campus [and in the US with the exception of "greek" houses and "activity houses" this is true] then there is ZERO tracking of people meeting off campus.
If Alice and Bob go out for a beer at Trudi's Beerpub, it's off campus, outside college jurisdiction, and --given the nature of college students-- will lead to less social-distancing than on campus.
Further, with current tests being around 50-65% accurate, Alice and Bob can get tested many times, and eventually get a negative (or maybe even the first time around) and whether false or not, report that in the app... so that when they ACTUALLY ARE on campus the app [that they're forced to install on a smartphone they're forced to carry and maintain and keep charged, on, and networked] marks them as safe.
Now to that add the part about the app leaking personal identifying information, infection status, and locations, and the whole thing becomes a complete cluster.
Ehud
[ link to this | view in chronology ]
Re: Some questions begged, others ignored
I think it's probably fair to assume that college-age people with a smartphone will not let it out of their sight. ;) I wish this was sarcastic, but it has at least a bit of truth to it.
This is a very good point. Based on what we read about the parolee tracking app, I would not be surprised to learn that Aura (mis)uses the device in a way that drains the device's battery much faster than if the device were idling normally.
That's not actually a question, but it's still a good point. It might be hand-waved away as being that the college has the authority to refuse them access to college property on any or no basis, much the same way at-will states allow employees to be fired for any or no reason. If the college had such an authority, then it could exercise that authority to say that students don't need to be tracked, but that it will deny access to anyone who refuses.
[ link to this | view in chronology ]
Missed opportunity for a headline
"Researcher demonstrates ability to remotely read students' auras."
[ link to this | view in chronology ]
I do not support the Facebook policy because it is not a normal process. Educational resources have the right to help students. For example, generating fonts or writing themes for important educational projects. These are automatic resources that help automate processes. Facebook uses similar algorithms.
[ link to this | view in chronology ]
Re:
I think you meant to post in a different thread...
Cheers,
Ehud
[ link to this | view in chronology ]
I see a lot of companies making this assumption, especially now with COVID. Hopefully it will be made safe for everyone. In the event that someone needs help with an essay, I always use the services of this service https://getnursingessay.com/, since I do not have much writing with me.
[ link to this | view in chronology ]