Fearing coronavirus, a Michigan college tracks its students with a flawed app

Most other contact-tracing apps use nearby Bluetooth signals, which experts say is more privacy-friendly.Hundreds of academics have argued that collecting and storing location data is bad for privacy.The Aura app generates a QR code based on the student’s COVID-19 test results. (Image: TechCrunch)The Aura app generates a QR code based on the student’s COVID-19 test results. Last year, TechCrunch reported on a student at Tufts University who was expelled for alleged grade hacking, despite exculpatory evidence in her favor.Albion said in an online Q&A that the “only time a student’s location data will be accessed is if they test positive or if they leave campus without following proper procedure.” But the school has not said how it will ensure that student location data is not improperly accessed, or who has access.“I think it’s more creepy than anything and has caused me a lot of anxiety about going back,” one student going into their senior year, who asked not to be named, told TechCrunch.One Albion student was not convinced the app was safe or private.The student, who asked to go by her Twitter handle @Q3w3e3, decompiles and analyzes apps on the side. If we increased or decreased the account number in the web address by a single digit, it generated a QR code for that user’s Aura account.In other words, because we could see another user’s QR code, we could also see the student’s full name, their COVID-19 test result status and what date the student was certified or denied.TechCrunch did not enumerate each QR code, but through limited testing found that the bug may have exposed about 15,000 QR codes.We described the app’s vulnerabilities to Will Strafach, a security researcher and chief executive at Guardian Firewall.