DEV Community

Andrew M


When Policy Goes Too Far...

Recently, TechCrunch reported a COVID-19 policy horror story taking place this fall on a college campus in Michigan. The school deployed a COVID contact tracing app for use on campus, hoping to limit the spread of the virus, but in reality encouraging the spread of sensitive data. The app stores real-time location data, a user ID, COVID test results, and records of contact with other users. Unfortunately, multiple vulnerabilities have been discovered within the app, turning what was already a privacy overreach into a real nightmare.

Albion College most assuredly had good intentions in their hopes of using the app to stop the spread of the virus on their campus. COVID has proven to be an issue on many college campuses, and even though Albion's population is relatively small, the school was taking steps to halt the spread of the virus.

That being said, storing massive amounts of location data is much more than a risk; it actively intrudes on the students' lives, and these are all adults at the end of the day. Regardless of how much one intends to do good with sensitive data and protect it, there is always a chance that it can be stolen and leaked, as even massive organizations such as the DNC and Facebook have learned. In the wrong hands, a personal identity tied to location data tied to COVID test results sets up a cascade of privacy issues if a leak occurs.

What makes this situation even worse is the fact that there was little internal testing or review prior to the launch of the app. The vulnerabilities were basic ones: sensitive data was left in the app's source code, and the QR codes that the app is built around made it easy to harvest personal data from anyone who presented one.
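To make the QR code problem concrete, here is an added example (my own illustration, not code from the app in the story or from Albion College) of the two ways a "show this code at the door" pass can be built. The first packs the student's record straight into the code, so anyone with a phone camera can read it back out. The second has the server hand out an opaque, HMAC-signed token and keeps the key and the lookup table on the server, so the code reveals nothing on its own. The student record, the `PASS_KEY` name and the in-memory `_ISSUED` table are all assumptions made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed sample record for the demo; not a real person.
STUDENT = {"id": 4711, "name": "Jane Doe", "dob": "2001-04-12",
           "covid_status": "negative"}


def naive_qr_payload(record: dict) -> str:
    """Anti-pattern: the QR code *is* the record. Base64 is not encryption;
    anyone who scans the code (or photographs the screen) gets the PII."""
    return base64.urlsafe_b64encode(json.dumps(record).encode()).decode()


def harvest(payload: str) -> dict:
    """What a bystander with any QR reader recovers from the naive payload."""
    return json.loads(base64.urlsafe_b64decode(payload))


def leaks(payload: str, *values: str) -> bool:
    """Bystander test: does the payload, raw or base64-decoded, contain any
    of the given values?"""
    candidates = [payload]
    try:
        candidates.append(
            base64.urlsafe_b64decode(payload).decode("utf-8", "replace"))
    except ValueError:
        pass  # not valid base64, nothing more to read
    return any(v in c for v in values for c in candidates)


# Hardened version. The signing key exists only on the server (assumed to be
# loaded from a secrets store in a real deployment). Compiling it into the
# phone app would be exactly the "secrets in the source code" failure.
SERVER_KEY = secrets.token_bytes(32)

# Server-side mapping from random token id to student id. The QR code never
# carries the student id, name or test result; the server resolves it.
_ISSUED: Dict[str, int] = {}


def issue_pass(student_id: int, key: bytes = SERVER_KEY) -> str:
    """Server mints a pass: random 128-bit id plus an HMAC tag over it."""
    token_id = secrets.token_urlsafe(16)
    tag = hmac.new(key, token_id.encode(), hashlib.sha256).hexdigest()
    _ISSUED[token_id] = student_id
    return f"{token_id}.{tag}"


def redeem_pass(token: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Server-side check when the pass is scanned at a door. Returns the
    student id, or None for a malformed, forged or tampered token."""
    try:
        token_id, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, token_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _ISSUED.get(token_id)


if __name__ == "__main__":
    bad = naive_qr_payload(STUDENT)
    print("naive payload leaks name:", leaks(bad, STUDENT["name"]))
    good = issue_pass(STUDENT["id"])
    print("opaque pass leaks name:", leaks(good, STUDENT["name"]))
    print("server resolves pass to:", redeem_pass(good))
```

The point of the second design is that the scanner at the door has to ask the server, so every lookup can be logged and rate-limited, and a stolen or photographed pass contains nothing worth harvesting.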

As a student at Penn State, it would never cross my mind to use an app like this on my campus. An app with little testing from a startup company that harvests massive amounts of data by the second oversteps the boundaries of a reasonable expectation of privacy. Not only that, but attending a large university, or any university for that matter, places a large target (and bounty) on the data that can be mined from this case.

Tech can certainly be useful in aiding the contact tracing of students. One possible solution is to utilize the student ID swiping system that many colleges already have in place. This would record when students enter or exit a building rather than tracking them continuously, and the log would stay on the college's own systems instead of in an insecure cloud database outside the college network. If a student tested positive for COVID-19, the University could query the log for who was in the same buildings at the same time, without ever storing test results alongside identity and location data in one place.
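As an added example of what that swipe-log approach looks like in practice (my own sketch for this post, not a real campus system or anything from the Albion app), here is a minimal SQLite schema and exposure query. The log holds only a card id, a building, a direction and a timestamp. The positive test result is never written to the table; whoever handles the case passes the student id in as a query parameter. The sample swipes, the four-hour cap on a visit with no "out" swipe, and the table and column names are all assumptions for the demo.

```python
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE swipe_log (
    student_id INTEGER NOT NULL,   -- card id only: no name, no test result
    building   TEXT    NOT NULL,
    direction  TEXT    NOT NULL CHECK (direction IN ('in', 'out')),
    ts         INTEGER NOT NULL    -- unix seconds
);
CREATE INDEX swipe_by_building ON swipe_log (building, ts);
"""

# Pair each 'in' swipe with the same student's next 'out' swipe from the
# same building. A missing 'out' (or an implausibly long stay) is capped at
# :max_stay seconds so one forgotten swipe cannot become an all-day visit.
EXPOSURE_SQL = """
WITH visits AS (
    SELECT i.student_id,
           i.building,
           i.ts AS enter_ts,
           MIN(COALESCE((SELECT MIN(o.ts) FROM swipe_log o
                          WHERE o.student_id = i.student_id
                            AND o.building   = i.building
                            AND o.direction  = 'out'
                            AND o.ts > i.ts),
                        i.ts + :max_stay),
               i.ts + :max_stay) AS leave_ts
    FROM swipe_log i
    WHERE i.direction = 'in'
)
SELECT DISTINCT b.student_id, b.building
FROM visits a
JOIN visits b ON b.building = a.building AND b.student_id <> a.student_id
WHERE a.student_id = :case_id
  AND a.enter_ts >= :since
  AND b.enter_ts < a.leave_ts      -- the two visits overlap in time
  AND b.leave_ts > a.enter_ts
ORDER BY b.student_id, b.building;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_swipe(conn: sqlite3.Connection, student_id: int, building: str,
                 direction: str, ts: int) -> None:
    conn.execute("INSERT INTO swipe_log VALUES (?, ?, ?, ?)",
                 (student_id, building, direction, ts))


def exposures(conn: sqlite3.Connection, case_id: int, since: int,
              max_stay: int = 4 * 3600) -> List[Tuple[int, str]]:
    """Students who shared a building with `case_id` at the same time, for
    visits starting at or after `since`. The diagnosis never enters the DB."""
    rows = conn.execute(EXPOSURE_SQL, {"case_id": case_id, "since": since,
                                       "max_stay": max_stay})
    return [(r[0], r[1]) for r in rows]


def purge_older_than(conn: sqlite3.Connection, cutoff_ts: int) -> int:
    """Retention: drop swipes older than the contact-tracing window."""
    return conn.execute("DELETE FROM swipe_log WHERE ts < ?",
                        (cutoff_ts,)).rowcount


# Constructed sample day (not real data). T0 is an arbitrary anchor.
T0 = 1_600_000_000
H = 3600


def sample_db() -> sqlite3.Connection:
    conn = open_db()
    swipes = [
        (101, "Library", "in", T0 + 9 * H), (101, "Library", "out", T0 + 11 * H),   # the case
        (102, "Library", "in", T0 + 10 * H), (102, "Library", "out", T0 + 12 * H),  # overlaps 10:00-11:00
        (103, "Library", "in", T0 + 11 * H + 1800), (103, "Library", "out", T0 + 13 * H),  # after 101 left
        (104, "Gym", "in", T0 + 9 * H), (104, "Gym", "out", T0 + 10 * H),           # same time, other building
        (105, "Library", "in", T0 + 8 * H),                                         # never swiped out: capped
    ]
    for s in swipes:
        record_swipe(conn, *s)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(exposures(db, case_id=101, since=T0))
```

Two things to notice: the query is the only place where "this student tested positive" and "who was near them" meet, and it runs on the college's own database, so the result can be handed to health services without a third party ever holding the joined data. The `purge_older_than` helper is there because a log like this only needs to cover the contact-tracing window; keeping it longer is pure liability.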

I'm sure that this will serve as a lesson for future apps that are designed to constantly track location. While they seem like a good idea, they require tremendous oversight and testing before they are ready to be deployed. Even then, there is probably another way to use tech to solve the same problem with much less risk.

Updates to my COVID Web App Diagram

This past week, I've taken time to refine the data model that I began to craft in the post below:

This time, however, I'll be taking it a step further and splitting my one ER diagram into two: a physical diagram designed for immediate SQL database implementation, and a conceptual diagram that is quick and easy to explain to a company executive.

Take a look at the video below for an in-depth explanation of the refined ER diagrams!

Here's a closer look at the diagrams discussed in the video.

Conceptual

(image: conceptual ER diagram)

Physical

(image: physical ER diagram)
