
Michigan college is tracking its students with a flawed app - wglb
https://techcrunch.com/2020/08/19/coronavirus-albion-security-flaws-app/
======
aetherspawn
Yeah, I’d just buy a $100 android phone and use it as my keypass whilst at
uni. Don’t take it off-site with you - you’d have virtually unlimited freedom
if you leave it in your room, or turn it completely off before leaving campus.

It is a straightforward response to a ridiculous request on user privacy: you
can’t force me to use my personal phone how you’d like unless you provide it.
You can force me to buy into an app that tracks the location of my device in
order to enter buildings and such, but you can’t control which device I choose
to use, nor force me to carry it in my personal life. The flaw in the
underlying assertion (one-to-one phone/person relationship, location of a
phone = location of a person) is not my problem.

~~~
avianlyric
> you can’t force me to use my personal phone how you’d like unless you
> provide it. You can force me to buy into an app that tracks the location of
> my device in order to enter buildings and such, but you can’t control which
> device I choose to use, nor force me to carry it in my personal life.

While I appreciate what you're trying to say, and agree that it's draconian.
The assertion that they can't force you isn't quite true. The college is
private property, they can absolutely make entry conditional on using this app
on your personal device.

If you don't agree with their measures, then you simply aren't allowed on the
college's private property. Just as equally they can make compliance a
condition of providing your education (it's a private contract after all).
Again, don't like it, don't get educated.

Ultimately college education is a contract between private individuals, none
of the protections you have against government overreach apply.

~~~
gowld
Contracts are only enforceable (a) if they are conscionable, and (b) if they
exist.

Is there a contract saying the user must carry the tracking app everywhere
they go?

~~~
XMPPwocky
Probably not but there almost certainly is the standard set of "industry
standard" clauses that inevitably end up in any sort of consumer contract,
basically saying "we can kick you out for any reason we want, what are you
going to do, all our competitors have the same language".

~~~
qserasera
I eagerly await legal challenges for this.

------
gorgoiler
> _students are expected to use the app or face suspension_

How does this work in the contract the college has with the student? Is there
a term in the contract that allows the college to unilaterally add additional
terms — terms which can then lead to unilateral termination of the contract by
the college with or without some kind of notice period?

Presumably “suspension”, while framed as a punitive measure against students,
is legally just the college withdrawing from the contract under previously
agreed terms?

I ask because I’m increasingly encouraging young people to recognize that they
are legal adults when they go off to higher education, and they should
politely resist any trend for colleges to infantilise them by reframing terms
of contracts as silly rules.

~~~
applecrazy
As a university student (not attending the university mentioned however), I
can chime in here. If we chose to come on-campus, we were given an addendum to
our housing agreement to sign before we moved in. Simply put, no addendum
signed = no housing (since they reserve the right to terminate one's housing
for any reason). I imagine it's a similar situation for many universities
nationwide.

Regarding your second point:

> Presumably “suspension”, while framed as a punitive measure against
> students, is legally just the college withdrawing from the contract under
> previously agreed terms?

The article addresses this: private universities have a lot more leeway on how
they conduct business.

~~~
jacobkania
If you already signed a lease, you don’t have to agree to new terms for that
lease. It’s already a valid lease that can’t easily be terminated, and
Michigan has pretty good renter protection laws (I used to live there). Not a
lawyer though, but a lease is a binding agreement that they can’t just
arbitrarily change and force you to accept

~~~
brown9-2
Students don’t lease dorm rooms in the traditional sense of a lease

------
gruez
> If a student leaves campus without permission, the app will alert the school,
> and the student’s ID card will be locked and access to campus buildings will
> be revoked

This seems so flawed and easy to bypass. Leave your phone in your dorm and
sneak off campus, it's as easy as that.

~~~
smt88
> _Leave your phone in your dorm and sneak off campus, it's as easy as that._

To do... what? Without a phone, many will have no means of transportation.
They won't be able to sync up with friends or use GPS.

It's absolutely unimaginable that a large number of college students will
leave campus without a phone. They're much more likely to have a separate
phone to put the app on.

~~~
neckardt
Don't you have old phones laying around? Install the app on one of those and
keep using your main phone.

~~~
smt88
Read the fifth sentence of my comment, where I proposed exactly that.

I was responding to someone who proposed leaving campus without a phone.

------
DoofusOfDeath
I'm curious about the interplay of (a) this app/policy vs. (b) other measures
the college will take. E.g., mandatory social distancing, masks, dorm
occupancy, etc.

I could see how implementing (a+b) _might_ yield lower infection rates than
just (a) or just (b).

But if having (a) in effect lulls the college into _relaxing_ (b), _and_ some
students subvert (a), then I could see how it's a recipe for an outbreak.

~~~
lki876
The rate of infection may be lower, but that doesn't necessarily mean fewer
people will be infected -- it means the spread takes more time.

------
mindfulhack
This is insidious. What kind of college dean or president would think that
this is OK?

With such a low level of regard towards young people and with only potential
for gross abuse, if the staff's leadership refuse to apologise and withdraw
the app's obligatoriness then they should be sacked without delay.

I know this is a strong opinion but I'm really on board with that petition.

~~~
paul_f
If you're not sure of the answer, it's almost always money. The school wants
their $45,000 tuition bills paid

------
darcys22
After a certain point is it just better for everyone to keep an old burner
smartphone for these ‘required’ apps

~~~
smt88
In this case, I disagree.

This is a private school, and its students are customers. Their school is
forcing an app on them that violates their privacy far more than is necessary
for contact tracing, _and_ it was developed by a non-software firm with no
understanding of security.

The solution here is to petition and protest the school, not just work around
the app.

~~~
kyleee
I think you are both correct, but since there is no guarantee about the
timeline and success of the "petition and protest" approach, I'm all for the
burner phone strategy in the meantime.

------
gnu8
It is very disturbing that Nucleus ignored and stiffed the security researcher
who pointed out their obvious issue with AWS keys. They should not expect
cooperation from the security community in the future and I hope this will
have a severe impact on their ability to attract and retain customers.

------
lki876
IMHO: Don't bother with college. All information anyone could possibly need is
available from libraries and the internet. If you learn what you need to know
and prove that you know it, people will hire you.

~~~
ignoramous
If only colleges' sole purpose was to impart knowledge.

I think they're a great place to meet like-minded people, form friendships,
find potential co-founders, grow your network, get inspired by people some of
whom are likely to be the world's best at what they do.

Another thing is colleges force you through a rigid system of semesters,
courses, and exams that takes most of the guesswork out of the learning. Besides,
I'd wager one needs a disproportionate amount of patience to be disciplined
enough to follow their own curriculum of learning regardless of accessibility
and availability of content.

I am not saying the current system is the best humanity can do, but:
https://en.wikipedia.org/wiki/Wikipedia:Chesterton%27s_fence

------
aaron695
Covid apps using Bluetooth are useless.

If you want a chance for it to work, this might.

This is what a lockdown is. Taking huge risks, be it loose APIs or destroying
parts of the economy, all to stop a huger risk.

If you want to understand why Republicans protest the lockdown, look here,
this is the beginning of the creep. Republicans mightn't understand what they
are protesting but they at least can see the fear, which Democtatz can't.

Given what the media, politicians and the public in general say, everyone just
doesn't seem to understand either risk or its magnitude.

~~~
Nitrolo
I'll admit I'm not an expert in this area, but why are apps using Bluetooth
useless? Because people turn Bluetooth off?

~~~
taejo
Measurement-Based Evaluation Of Google/Apple Exposure Notification API For
Proximity Detection In A Commuter Bus
https://arxiv.org/pdf/2006.08543.pdf

"We find that the attenuation level reported by the GAEN API need not increase
with distance between handsets, consistent with there being a complex radio
environment inside a bus caused by the metal-rich environment... Applying the
rule used by the Swiss Covid-19 contact tracing app to trigger an exposure
notification to our bus measurements we find that no exposure notifications
would have been triggered despite the fact that all pairs of handsets were
within 2m of one another for at least 15 mins"

~~~
raziel2p
I wish they would've tested more distances. If the threshold is 1.5 meters or
even 1.0 meters that's still better than nothing at all. No one is touting
these apps (or masks, or social distancing) as the ultimate solution to the
spread of SARS-CoV-2, it's all just things we can do to reduce the risk.

~~~
aaron695
> I wish they would've tested more distances.

Bluetooth is 31 years old. What is there to test?

> No one is touting these apps <snip> it's all just things we can do to reduce
> the risk.

The app does not reduce risk, even if it worked. It's for contact tracing.
This is importantly different.

You seem confused, which I might guess is because the app was touted
incorrectly in many countries. Masks and social distancing do reduce risk.
Although most Western countries told you otherwise to begin with on masks. And
told you incorrectly how to wash hands, and also incorrectly said it reduces
risk (considered unlikely). I'll add being outdoors also probably reduces
risk, not sure this is commonly touted yet.

~~~
raziel2p
I mean risk at the societal level, not individual. Maybe there's a better
word. Anyway what I mean is that the risk of the virus/disease spreading
faster than our healthcare systems can handle is lowered by effective contact
tracing. Not that I personally am less at risk of being infected if I install
the app.

~~~
aaron695
Ok, some politicians etc were calling the apps a condom or sunscreen.

All evidence since March has been boots on the ground for contact tracing is
what's important. Not tech.

But the Bluetooth apps, which we know can't work well also don't try for
behaviour change, they might even increase risk. This app at this college is
trying for positive behaviour change.

