Skip to main content
Dashlane Logo

College Contact Tracing Apps Are Leaking Student Data

Originally published:|Last updated:|Rachael Roth
College student

In an effort to keep students and the greater public safe during the pandemic, some colleges forget to factor in students’ privacy.

Campuses across the US welcomed students back in late August, initiating fears that Covid-19 cases would rise dramatically. The world sat back and watched as universities implemented their own rules and regulations to slow the spread, while trying to maintain some semblance of normal college life. Yet the numbers tell an unfortunate truth. Infection rates have risen since the start of the college semester, with hundreds of students testing positive for Covid-19.

Some schools have enforced two-week quarantine upon students’ arrival on campus, increased virtual learning, limited classroom capacity—or completely reversed course and sent students back home.

Other colleges are taking a more technological approach.

College and contact tracing

Albion, a liberal arts college in Michigan, is relying on a contact tracing app to track the spread of Covid-19 on campus.

In August, the school announced that students would be required to download an app called Aura onto their smartphones. The app points students to an on-campus Covid-19 testing site. It then lets school officials know when students test positive for Covid-19, and uses constant, real-time location-tracking to monitor their activity, revealing if they’ve come into contact with someone who has tested positive. The school has made it impossible for students to opt out of this technology. If a student turns off their phone or their location tracking, they’ll be marked absent during class and possibly suspended.

Can we trust contact tracing apps with students’ data?

Aura collects students’ names, real-time location, and whether they are positive or negative for Covid-19. To share this information with school officials, a QR code is generated containing the individual’s data.

The problem is Aura developers did not keep students’ privacy in mind when creating the app, leaving many students’ personal information vulnerable.

When an Albion student who was skeptical of the app’s security searched Aura’s source code, she discovered “keys” that gave her access to the app’s backend servers. A security researcher later tested the keys, which revealed sensitive information stored in the app’s database and on the cloud, including patient’s test results, addresses, and dates of birth, according to TechCrunch.

Using a network analysis tool, TechCrunch was able to look into how data was gathered and maintained by Aura. They created an Aura account, received a QR code, then changed that code by 1 digit, which revealed other students’ information, including their full names and Covid-19 test results. They estimated 15,000 accounts could have been exposed due to this loophole.

Though these holes have since been patched up, the school, as well as Aura’s developer, Nucleus, have not acknowledged the security issues, giving students little faith in Albion’s commitment to protecting their privacy.

Albion has also taken other, more extreme measures to curb Covid transmission: School officials get an alert from the Aura app if a student leaves campus without permission, and they can then block that student’s access to buildings via their ID card. Students and parents have since launched a petition to make the Aura app optional.

This type of surveillance has been met with resistance at other universities. At Oakland University in Michigan, a petition was started when the school tried to require its students to wear a “BioButton” which monitors temperature, repository rate, and heart rate. Though the device does not use location tracking, many students felt it violated their privacy, and some cited religious reasons for not wanting to wear the device.

Bluetooth technology and contact tracing apps

Colleges are not the only communities using contact tracing apps. In states like Virginia, an app called COVIDWISE was deployed to slow the spread of Covid-19. State officials categorize the app as an “exposure notification” app, however, rather than a contact-tracing app. Using Bluetooth technology developed by Google and Apple, COVIDWISE assigns a sequence of random numbers to each user, which it then compares to other users nearby. This way, the app can track if a user has come into contact with someone who tested positive for Covid-19. Unlike new apps like Aura, the technology behind COVIDWISE was developed with user privacy in mind.

Manual contact tracing

There are of course manual methods for contact tracing. In New York State, for example, thousands of individuals have been employed as contact tracers to assist health officials, making phone calls to those potentially exposed and in some cases knocking on doors if phone calls are ignored. Similar programs have been deployed in a number of other major cities like Los Angeles, Houston, and Chicago, if not on the same scale.

But there are social reasons why individuals may be resistant to contact tracing. Not only do we have to divulge our behavior and activity to a federal agency, we also must entrust them with our health information. According to the CDC’s website, however, this information is kept confidential between you and your medical provider. Though contact tracers inform people who have been exposed to the virus, they do not divulge the name of the person who might have exposed them.

On college campuses, the level of privacy has not been held to the same standards as implied by manual contact tracing or Bluetooth-based apps. In an effort to protect students, it seems that colleges have begun to lose their trust.

Sign up to receive news and updates about Dashlane