How Should Students Respond To Their School’s Surveillance Systems?

Hundreds of thousands of American students are being tracked by their colleges to monitor attendance, analyze behavior and assess their mental health, the Washington Post reported this week. That article has now provoked some responses… Jay Balan, chief security researcher at Bitdefender, told Gizmodo that the makers of the student-tracking apps should at least offer bug bounties and disclose their source code — while rattling off easily foreseeable scenarios like the stalking of students. Gizmodo notes one app’s privacy policy actually allows them to “collect or infer” students’ approximate location — even when students have turned off location tracking — and allows third parties to “set and access their own tracking technologies on your devices.” And cypherpunk Lance R. Vick tweeted in response to the article, “If you are at one of these schools asking you to install apps on your phone to track you, hit me up for some totally hypothetical academic ideas…” Gizmodo took him up on his offer — and here’s a bit of what he said: Students could reverse engineer the app to develop their own app beacon emulators to tell the tracking beacons that all students are present all the time. They could also perhaps deploy their own rogue tracking beacons to publish the anonymised attendance data for all students to show which teachers are the most boring as evidenced by lack of attendance. If one was hypothetically in an area without laws against harmful radio interference (like outside the U.S.) they could use one of many devices on the market to disrupt all Bluetooth communications in a target area so no one gets tracked… If nothing else, you could potentially just find a call in the API that takes a bit longer to come back than the rest. This tells you it takes some amount of processing on their side. What happens if you run that call a thousand times a second? Or only call it partway over and over again? This often brings poorly designed web services to a halt very quickly… Assuming explorations on the endpoints like the phone app or beacon firmware fail you could still potentially learn useful information exploring the wireless traffic itself using popular SDR tools like a HackRF, Ubertooth, BladeRF. Here you potentially see how often they transmit, what lives in each packet, and how you might convert your own devices, perhaps a Raspberry Pi with a USB Bluetooth dongle, to be a beacon of your own. Anyone doing this sort of thing should check their local and federal laws and approach it with caution. But these exact sorts of situations can, for some, be the start of a different type of education path — a path into security research. Bypassing annoying digital restrictions at colleges was a part of how I got my start, so maybe a new generation can do similar. 🙂 Gizmodo calls his remarks “hypothetical hacking that you (a student with a bright future who doesn’t want any trouble) should probably not do because you might be breaking the law.” But then how should students respond to their school’s surveillance systems?