As college students try to return to campus, some are being asked to allow the college unprecedented access to their whereabouts and health information, as we posted last week. Many are learning about the personal implications of their data security for the first time, let alone dealing with being quarantined.
When the first wave of the pandemic was happening earlier this year, we wrote about contact tracing apps and highlighted the potentially invasive access to your personal information, location and contacts. But these apps are now being used in many places. I’ve previously explored the wide-ranging methods colleges are using to try to bring students back to campus safely and how they are planning to track their students (and staff). In that post, I cite the story about Albion College in Michigan, which contracted with a developer to build their own tracking app that had several rookie security coding bugs.
It may not be reasonable to expect students to debug their tracking apps, but this is what happened at Albion. One of the bugs was discovered by a computer science student at the college who stepped through the code. Good for her, but still most of us shouldn’t have to do this. We should trust the college IT managers to do their jobs. That clearly didn’t happen. Gayle Barton, who worked as the CIO at Swarthmore and Amherst colleges, told me last week that “we can’t fault the colleges for trying to find a way to reopen and to keep the students safe at the same time.” But she sees the Albion situation as “an example of the kind of bad decisions which are made when technology acquisitions are decentralized, and anyone with an idea can sign the college up with an online service. Their tracking app was not even half-baked and this went wrong in so many ways.”
One of the biggest issues with the app for Albion students is that they have no way to opt out of using it: if their phones don’t run the app, they could be disciplined or even expelled from school. This “must use” requirement is a privacy issue, and it is something that employees of the Museum of Natural History in NYC have also expressed unease about with their own tracking app.
David Goodman, who has been a CTO at various non-profits, told me last week, “there is a fundamental incompatibility between what is needed from a public health perspective and the way individuals – especially Americans – think about their data privacy.”
It’s time for more transparency, not less
The issue is that we have become complacent about how much of our private data we give away when we use various social media apps that are “free.” I put that in quotes because there is a cost to using these apps and that cost is that advertisers learn about our browsing and shopping habits. (As a reminder, review my earlier post about what advertisers can learn from my post on social media scraping.)
Goodman says, “Since Americans tend to see their data and privacy as commodities, maybe they should pay people to use these tracking apps.” That would make this transaction more obvious. “Then we will use these tracking apps all day.” Certainly, at Albion this was heavy-handed, and while what they are trying to do makes sense, no one is comfortable with their lack of privacy. Barton says, “there still would need to be a way for people to legitimately opt out of any tracking app.”
Contrast what Albion and the Museum of Natural History are doing with what is happening in many countries in Asia. There you have similar smartphone tracking apps, and “you have to compare apps even if you want to get into a taxi and show that you both test negative,” says Goodman. “In the U.S., we have a different attitude towards our individual freedoms which are in conflict with things like contact tracing.” As evidence of these attitudes and in the news last week, the state college in Oneonta had to shut down after more than 500 students tested positive for the virus.
Barton says it all comes down to having solid IT leadership and the necessary skills on staff to do proper security vetting. She says there “should have been questions about things like who can access this data and what is to prevent this information from being misused?” Perhaps the students aren’t the only ones that need to go back to school this semester. Colleges need to be explicit about their privacy standards and their apps’ intentions.
Whether or not you are of college age, should you download a contact tracing app to your own phone? Certainly if it is required. But, as we posted last week, follow best security practices, be aware of what data elements these apps are tracking and what application permissions are selected.
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/protecting-data-security-on-campus-avast