After a late-December Washington Post story
revealed a nationwide epidemic of colleges quietly installing pervasive
wireless location-tracking systems on campus, which gathered data on
students without meaningful consent, inside and outside of class, broken
down by protected categories such as race and gender, as well as on
potentially invasive lines such as whether a student is from abroad,
security researcher Lance R. Vick tweeted an offer to students to explain how they could “dismantle such a system.”
In a followup Gizmodo article,
Vick delves into the deficiencies in the notifications, consent and
privacy policies associated with these services – which are a typical
mess of overbroad grabs that are subject to change without notice,
couched in deceptive language.
Vick also puts campus location-tracking in the context of campus
information security, which is historically very poor, with low-quality
passwords, a lack of access auditing, and interconnection of services
and networks that allow both outside attackers and insider threats (such
as a professor who wants to stalk a student) to operate with wide
latitude and a low likelihood of being caught. Adding location-tracking
to such a system vastly increases the risks of the kinds of cyberattacks
that are already endemic to campuses.
For his finale, Vick explains what he would have done had he been an
undergrad on a campus with such a system, including setting up fake
beacons that record every student as being present in every class; using
their own tracking beacons to create public league tables of which
profs preside over classes that students are likely to skip; disrupting
Bluetooth radio frequency bands to block all the tracking beacons;
and decompiling the app to analyze how the services share data and to see if
there are strong protections to stop users from getting location-data
on other people.
Vick also lays out how he could create rogue firmware for the
location-tracking beacons, and deploy protocol analyzers to understand
what kinds of information are being extracted and stored by the system.
He notes that some or all of this conduct could violate federal law and
campus policies and could get students into serious trouble, and Gizmodo
specifically recommends that students not engage in this behavior.