
SoylentNews is people

posted by martyb on Friday August 21 2020, @01:57PM
from the eye-see-you dept.

College contact-tracing app readily leaked personal data, report finds:

In an attempt to mitigate the potential spread of COVID-19, one Michigan college is requiring all students to install an app that will track their live locations at all times. Unfortunately, researchers have already found two major vulnerabilities in the app that can expose students' personal and health data.

Albion College informed students two weeks before the start of the fall term that they would be required to install and run the contact tracing app, called Aura.

[...] Aura, however, goes all in on real-time location-tracking instead, as TechCrunch reports. The app collects students' names, location, and COVID-19 status, then generates a QR code containing that information.

[...] TechCrunch used a network analysis tool to discover that the code was not generated on a device but rather on a hidden Aura website—and that TechCrunch could then easily change the account number in the URL to generate new QR codes for other accounts and receive access to other individuals' personal data.

A student at Albion, looking into the app's source code, also found hard-coded security keys for the app's backend servers. A researcher took a look and verified that those keys gave access to "patient data, including COVID-19 test results with names, addresses, and dates of birth," TechCrunch reports.
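
The account-number flaw described above comes down to a server that returns whichever record the URL names without checking who is asking. The sketch below is an added illustration, not Aura's code (which the article does not show); the account numbers, names, session tokens and function names are all constructed for the example.

```python
"""QR endpoint keyed on a URL account number: flawed pattern beside an owner check."""

# Constructed sample data; account numbers, names and tokens are hypothetical.
ACCOUNTS = {
    1001: {"name": "Student A", "covid_status": "negative"},
    1002: {"name": "Student B", "covid_status": "positive"},
}
SESSIONS = {"session-a": 1001, "session-b": 1002}  # token -> account, set at login
DENIED = []  # (session account, requested account) pairs, kept for alerting


class Forbidden(Exception):
    """Raised when a caller asks for a record it does not own."""


def render_qr_payload(account_id):
    # Stand-in for QR generation: returns the text that would be encoded.
    rec = ACCOUNTS[account_id]
    return f"{account_id}|{rec['name']}|{rec['covid_status']}"


def qr_vulnerable(url_account_id):
    # Flawed: the number in the URL is the only thing that selects the record.
    return render_qr_payload(int(url_account_id))


def qr_hardened(session_token, url_account_id=None):
    # The account comes from the authenticated session, never from the URL.
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("no valid session")
    # A URL value that disagrees with the session is refused and recorded,
    # so repeated mismatches from one session can be alerted on.
    if url_account_id is not None and int(url_account_id) != owner:
        DENIED.append((owner, int(url_account_id)))
        raise Forbidden("session does not own this account")
    return render_qr_payload(owner)


if __name__ == "__main__":
    print(qr_vulnerable("1002"))       # any caller receives Student B's record
    print(qr_hardened("session-a"))    # caller receives only their own record
    try:
        qr_hardened("session-a", "1002")
    except Forbidden as exc:
        print("denied:", exc, DENIED)
```

The `DENIED` list stands in for an audit log: a session that accumulates mismatched requests is the signal a defender would alert on.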


  • (Score: 2) by slinches (5049) on Friday August 21 2020, @08:17PM (#1040074)

    The bluetooth proximity detection system is only effective if enough people use it. I don't know the market penetration rate in the US now, but I suspect it's in the low single digits. At that rate it's almost entirely useless and I don't see it picking up unless it's forced on people.

    The way to make the system effective with such a low utilization would be to combine both bluetooth proximity and location tracking to identify the group settings where transmission occurred. Then people who were there, but don't/can't use the tracking app would still be able to determine exposures by monitoring public notices. Either way, you're not going to get widespread voluntary participation so you might as well take the most advantage of the data from those who don't mind being tracked.
