About

In response to the COVID-19 pandemic, universities are pursuing a broad range of technology-assisted public health programs on campus. However, there is a troubling trend of mandating use of these new and often experimental technologies as a condition of returning to campus in order to work or study.

Contact tracing is a complex undertaking. The primary public health benefits are to track and diminish the spread of the disease. But it is intrusive to ask people who they have been near, when, and where. Thus, it requires cooperation, trust, and help from the person who is ill, or exposed to someone else who is ill. Contact tracing is also a social service, giving someone who is ill advice, and connections to resources often as basic as how to get food while staying home. A new application or device might add value to a robust public health plan, yet it cannot be a replacement. Thus, at the core of the effort there must be trust in public health officials, for people to comply with their demands, even for something as simple as staying home. This trust requires openness, transparency, and consent from all of the individuals involved. Technology might be an aid to this, but it cannot be the only response to the crisis, and it cannot be mandated.

University leadership need to keep in mind that all of these apps have been created as a rapid response to a pandemic, and thus have not received the sort of testing for flaws or security problems that would happen in a normal development process. The resulting bugs from these rush jobs have the potential to undermine any planned data collection and security protocols. If community members at a university are compelled to use these programs, despite the personal and technical risks, universities will disproportionately harm the most vulnerable individuals among them.

These novel apps, especially if mandated, may also exacerbate the digital divide on campus. These apps require a person to own an up-to-date smartphone which is always charged and close to their body. Students or faculty who do not have phones would be unable to meet the smartphone app requirements to attend classes in person. Some of those same students or faculty might also lack reliable home broadband or work space, and thus be unable to attend classes remotely, either.

There are many reasons why one might choose not to participate in these programs. Automated contact-tracing and notification programs feature a wide range of potential privacy and security concerns. The least worrisome programs don’t collect any data at all by default, but allow a user to stay informed about campus news or track their symptoms and share at their own discretion. On the other hand, there are technologies being adopted which collect and handle sensitive biometrics, personal medical data, and/or precise location data.

Given the sensitivity of this data, how these programs work needs to be transparent. Details about what methods are implemented have a great impact on both the efficacy and privacy concerns. For example, location tracking using GPS and cell site information is not suited to contact tracing, because it will not reliably reveal the close physical interactions that experts say are likely to spread the disease. It is, however, precise enough to expose sensitive information like whether we’ve been to a church or a bar. On the other hand, programs establishing a proximity history by means of Bluetooth, typically through Google-Apple Exposure Notification (GAEN) apps, are much more effective at preserving privacy,

In addition to being transparent about what data is collected, it is essential that universities are also transparent about how data is being handled and what rights users have to access and delete their own information. To foster more trust, universities should also disclose details around the agreements they have with external vendors.

By mandating these applications and devices, institutions are building a public health response based on discipline and coercion rather than trust. Operating in the dark, students and workers may fear the worst. For students violating rules, this means possibly facing disciplinary proceedings and sanctions. Tracking mandates, particularly by government entities like public universities, also have the potential to chill constitutionally protected speech. Students may be afraid to exercise their rights to speak out about university policies if they fear the university or law enforcement can misuse these public health technologies for mass surveillance.

TAKE ACTION

CALL ON YOUR UNIVERSITY TO TAKE THE PLEDGE

Universities must strike any app mandates from their existing student commitments, and publicly commit to the University App Mandate Pledge (UAMP). If a university identifies a specific technology it would like students to use, it is the university’s responsibility to present it to students and demonstrate that it is effective and respects their privacy. It must do so by sharing privacy policies, by explaining how and by whom student data will be used and shared, by making commitments regarding how the institution will protect students privacy, and by offering avenues for feedback before and during decision-making. Anything less will infringe on the rights of students, faculty, staff, and community members.

Related Updates

Deeplinks Blog by Adam Schwartz | November 1, 2024

The Human Toll of ALPR Errors

This post was written by Gowri Nayar, an EFF legal intern. Imagine driving to get your nails done with your family and all of a sudden, you are pulled over by police officers for allegedly driving a stolen car. You are dragged out of the car and detained at gun...

Deeplinks Blog by Andrew Crocker | August 12, 2024

Federal Appeals Court Finds Geofence Warrants Are “Categorically” Unconstitutional

In a major decision on Friday, the federal Fifth Circuit Court of Appeals held that geofence warrants are “categorically prohibited by the Fourth Amendment.” Closely following arguments EFF has made in a number of cases, the court found that geofence warrants constitute the sort of...

Deeplinks Blog by Thorin Klosowski | July 29, 2024

Senators Expose Car Companies’ Terrible Data Privacy Practices

In a letter to the Federal Trade Commission (FTC) last week, Senators Ron Wyden and Edward Markey urged the FTC to investigate several car companies caught selling and sharing customer information without clear consent. Alongside details previously gathered from reporting by The New York Times, the letter also...

Deeplinks Blog by Cooper Quintin, Babette Ngene | July 15, 2024

EFF to FCC: SS7 is Vulnerable, and Telecoms Must Acknowledge That

It’s unlikely you’ve heard of Signaling System 7 (SS7), but every phone network in the world is connected to it, and if you have ever roamed networks internationally or sent an SMS message overseas you have used it. SS7 is a set of telecommunication protocols that cellular network operators...

Deeplinks Blog by Beryl Lipton, Cooper Quintin | June 12, 2024

The Next Generation of Cell-Site Simulators is Here. Here’s What We Know.

Dozens of policing agencies are currently using cell-site simulators (CSS) by Jacobs Technology and its Engineering Integration Group (EIG), according to newly-available documents on how that company provides CSS capabilities to local law enforcement. A proposal document from Jacobs Technology, provided to the Massachusetts State Police (MSP)...

Deeplinks Blog by Catalina Sanchez | June 4, 2024

Car Makers Shouldn’t Be Selling Our Driving History to Data Brokers and Insurance Companies

You accelerated multiple times on your way to Yosemite for the weekend. You braked when driving to a doctor appointment. If your car has internet capabilities, GPS tracking or OnStar, your car knows your driving history.And now we know: your car insurance carrier might know it, too.In a recent New...

Deeplinks Blog by Brendan Gilligan | May 17, 2024

EFF to Court: Electronic Ankle Monitoring Is Bad. Sharing That Data Is Even Worse.

The government violates the privacy rights of individuals on pretrial release when it continuously tracks, retains, and shares their location, EFF explained in a friend-of-the-court brief filed in the Ninth Circuit Court of Appeals.

Press Release | May 6, 2024

EFF Zine on Surveillance Tech at the Southern Border Shines Light on Ever-Growing Spy Network

SAN FRANCISCO—Sensor towers controlled by AI, drones launched from truck-bed catapults, vehicle-tracking devices disguised as traffic cones—all are part of an arsenal of technologies that comprise the expanding U.S surveillance strategy along the U.S.-Mexico border, revealed in a new EFF zine for advocates, journalists, academics, researchers, humanitarian aid workers, and...

Deeplinks Blog by Karen Gullo | March 15, 2024

Location Data Tracks Abortion Clinic Visits. Here’s What to Know

Our concerns about the selling and misuse of location data for those seeking reproductive and gender healthcare are escalating amid a recent wave of cases and incidents demonstrating that the digital trail we leave is being used by anti-abortion activists.The good news is some states and tech companies...

Deeplinks Blog by Adam Schwartz | February 27, 2024

Sen. Wyden Exposes Data Brokers Selling Location Data to Anti-Abortion Groups That Target Abortion Seekers

This post was written by Jack Beck, an EFF legal internIn a recent letter to the FTC and SEC, Sen. Ron Wyden (OR) details new information on data broker Near, which sold the location data of people seeking reproductive healthcare to anti-abortion groups. Near enabled these groups to send...

Search form

Search form

About

End University App Mandates

About

Contact

About

Issues

Updates

Press

Donate

Search form

Search form

About

About

Related Updates

Follow EFF:

Contact

About

Issues

Updates

Press

Donate