Fearing coronavirus, a Michigan college is tracking its students with a flawed app

Schools and universities across the United States are split on whether to open[1] for the fall semester, thanks to the ongoing pandemic.

Albion College, a small liberal arts school in Michigan, said in June[2] it would allow its nearly 1,500 students to return to campus for the new academic year starting in August. Lectures would be limited in size and the semester would finish[3] by Thanksgiving rather than December. The school said it would test both staff and students upon their arrival to campus and throughout the academic year.

But less than two weeks before students began arriving on campus, the school announced it would require them to download and install a contact-tracing app[4] called Aura, which it says will help it tackle any coronavirus outbreak on campus.

There’s a catch. The app is designed to track students’ real-time locations around the clock, and there is no way to opt out.

The Aura app lets the school know when a student tests positive for COVID-19. It also comes with a contact-tracing feature that alerts students when they have come into close proximity with a person who tested positive for the virus. But the feature requires constant access to the student’s real-time location, which the college says is necessary to track the spread of any exposure.

The school’s mandatory use of the app sparked privacy concerns and prompted parents to launch a petition[5] to make using the app optional.

Worse, the app had at least two security vulnerabilities that were only discovered after it was rolled out. One gave access to the app’s back-end servers. The other allowed us to infer a student’s COVID-19 test results.

The vulnerabilities were fixed. But students are still expected to use the app or face suspension.

Track and trace

Exactly how Aura came to be and how Albion became its first major customer is a mystery.

Aura was developed by Nucleus Careers in the months after the pandemic began. Nucleus Careers is a Pennsylvania-based recruiting firm founded in 2020; beyond a brief mention in a recent press release[6], it has no apparent history of building or developing healthcare apps. The app was built in partnership with Genetworx, a Virginia-based lab providing coronavirus tests. (We asked Genetworx about the app and its involvement, but TechCrunch did not hear back from the company.)

The app helps students locate and schedule COVID-19 testing on campus. Once a student is tested for COVID-19, the results are fed into the app.

If the test comes back negative, the app displays a QR code which, when scanned, says the student is “certified” free of the virus. If the student tests positive or has yet to be tested, the student’s QR code will read “denied.”

Aura uses the student’s real-time location to determine if they have come into contact with another person with the virus. Most other contact-tracing apps[7] instead use Bluetooth signals from nearby phones to detect proximity without recording where the user was, an approach experts say is more privacy-friendly.

Hundreds of academics have argued that collecting and storing location data is bad for privacy[8].

The Aura app generates a QR code based on the student’s COVID-19 test results. Scan the QR code to reveal the student’s test result status. (Image: TechCrunch)

In addition to having to install the app, students were told they are not allowed to leave campus for the duration of the semester without permission over fears that contact with the wider community might bring the virus back to campus.

If a student leaves campus without permission, the app will alert the school, and the student’s ID card will be locked and access to campus buildings will be revoked, according to an email to students, seen by TechCrunch.

Students are not allowed to turn off their location and can be suspended and “removed from campus” if they violate the policy, the email read.

Private universities in the U.S. like Albion can largely set and enforce their own rules and have been likened to “shadow criminal justice systems — without any of the protections or powers of a criminal court,” where students can face discipline and expulsion for almost any reason with little to no recourse. Last year, TechCrunch reported on a student at Tufts University who was expelled for alleged grade hacking[9], despite exculpatory evidence in her favor.

Albion said in an online Q&A[10] that the “only time a student’s location data will be accessed is if they test positive or if they leave campus without following proper procedure.” But the school has not said how it will ensure that student location data is not improperly accessed, or who has access.

“I think it’s more creepy than anything and has caused me a lot of anxiety about going back,” one student going into their senior year, who asked not to be named, told TechCrunch.

A ‘rush job’

One Albion student was not convinced the app was safe or private.

The student, who asked to go by her Twitter handle @Q3w3e3[11], decompiles and analyzes apps on the side. “I just like knowing what apps are doing,” she told TechCrunch.

Buried in the app’s source code, she found hardcoded secret keys for the app’s backend servers, hosted on Amazon Web Services. She tweeted her findings — with careful redactions to prevent misuse — and reported the problems to Nucleus, but did not hear back.

A security researcher, who asked to go by her handle Gilda[12], was watching the tweets about Aura roll in. Gilda also dug into the app and found and tested the keys.

“The keys were practically ‘full access’,” Gilda told TechCrunch. She said the keys — since changed — gave her access to the app’s databases and cloud storage in which she found patient data, including COVID-19 test results with names, addresses and dates of birth.
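The two findings above amount to one well-known failure mode: long-lived cloud credentials compiled into a mobile app, where anyone who decompiles the package can read them. Below is an added example, written for this article and not code from Aura, Nucleus Careers or the researchers quoted here, of the kind of scan a reviewer runs over a decompiled app tree to surface hardcoded AWS keys and then redact them for a public report. The file paths and key values are constructed samples (the key pair is AWS’s documented example pair, not a live credential); the regexes encode the public AWS key formats (20-character access key IDs beginning AKIA or ASIA, 40-character secrets).

```python
"""Scan decompiled app source for hardcoded AWS credentials and redact them for reporting.

Added example; the sample files below are constructed, not taken from any real app.
"""
import re
from dataclasses import dataclass

# Access key IDs are 20 chars: a 4-char prefix (AKIA = long-term IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 chars of base64-like text. To limit false positives
# from other 40-char blobs (hashes, tokens), only match when the same line names
# the value as a secret.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:secret|aws_secret_access_key)[^\n]{0,40}?([A-Za-z0-9/+=]{40})"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str    # "access_key_id" or "secret_access_key"
    value: str   # the raw credential; never print this directly


def scan_text(path, text):
    """Return every credential-looking string in one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", m.group(1)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", m.group(1)))
    return findings


def scan_files(files):
    """files: mapping of path -> contents, e.g. the output of a decompiler walk."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def redact(secret, keep=4):
    """Keep only the first and last `keep` characters, as for a public disclosure."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def report(findings):
    """One redacted line per finding, safe to paste into a report or tweet."""
    return [f"{f.path}:{f.line_no}: {f.kind} = {redact(f.value)}" for f in findings]


# Constructed sample of two decompiled Java sources. The credential values are
# the example pair AWS uses in its own documentation, not real keys.
SAMPLE_FILES = {
    "com/example/app/net/AwsConfig.java": (
        "package com.example.app.net;\n"
        "public final class AwsConfig {\n"
        "    // constructed sample; values are AWS's documented example pair\n"
        "    static final String ACCESS_KEY = \"AKIAIOSFODNN7EXAMPLE\";\n"
        "    static final String SECRET_KEY = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\";\n"
        "}\n"
    ),
    "com/example/app/util/Strings.java": (
        "package com.example.app.util;\n"
        "public final class Strings {\n"
        "    static final String BUILD_ID = \"AKIA_NOT_A_KEY\";  // underscore: must not match\n"
        "}\n"
    ),
}


if __name__ == "__main__":
    for line in report(scan_files(SAMPLE_FILES)):
        print(line)
```

The scan deliberately reports only redacted values; the raw `Finding.value` stays in memory for the tester who needs to check what the key can do. The usual next step, once a key is found, is to configure it in a throwaway AWS CLI profile and run `aws sts get-caller-identity` to learn which account and principal it belongs to, then enumerate its permissions, which is how a reviewer establishes whether a key is scoped narrowly or, as described above, is effectively full access. Any such testing should stay within an agreed disclosure process.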
