Image Credit: John Robinson
The University's MyUoY app was supposed to be piloted this term and featured multiple functions, controversially including a check-in feature. The app was immediately accused of being an invasion of privacy because it used students' location, taken from Bluetooth beacons in the room and from satellite positioning, to confirm they were present at their contact hours.
Once the pilot was launched, students immediately set about searching the app for issues. After two key issues were reported, the app was taken down just over a day after going live on 19 December. It went live again on 6 January, but further issues saw it taken down again on 8 January.
When asked about the issues faced, the University reassured Nouse that “a small number of issues, not related to attendance data or other personal data, were identified by students during this testing process and reported to IT Services”.
This statement has now been proven false by a Nouse investigation, which obtained the internal reports from the University through Freedom of Information (FOI) requests.
The report clearly states that the second issue, identified within the first day of the app being online, exposed highly sensitive personal information: students’ and staff’s full name, email address, home address, term-time address (or work address for staff), college (as “alternative address”), date of birth, phone number, department and course, student ID number, library card number and ExLibris “people ID” identifier, alongside library information such as money owed and details of fines.
This directly contradicts the University's statement and shows a clear threat to students' privacy and to their trust in the University to store their information securely.
Although the University now says the issue was not exploited by anyone malicious, only by those trying to prove the application was insecure, the issue and the resulting cover-up raise serious questions about the security of the University’s systems. Ash Holland, the student who discovered the flaw, was asked not to share the information, which allowed the University to issue a false statement, unchallengeable at the time, to Nouse and subsequently to URY.
Holland described the University's error to Nouse as “trivial” and the mistake as “truly amateur”. Ash described the moment they read the University's statement in Nouse: “at first I thought it was a mistake, that the University had misunderstood what issues Nouse were asking about or something”.
The UoY student went on to tell Nouse that they “couldn't believe that the University would be trying to say the issues were unrelated to personal data, I still have no idea why they’re sticking with that statement. Every document I have read agrees that multiple vulnerabilities were discovered which exposed a range of personal data - I don’t understand why anyone would say otherwise”.
Ash described the fault itself to Nouse as an “amateur” mistake: “when resizing the window students noticed the app made a network request which meant it was refetching information to re-render the library tile.
“When refetching the information, as well as information about library books, it requested all of the student’s personal information”. This meant that by simply changing the username in the URL to someone else’s, all of the personal information listed above could be accessed: the server returned whichever user's record the URL named, without an effective check against the logged-in user.
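The fault Ash describes is a broken object-level authorization check (often called an insecure direct object reference). The following is an added example written for this article, not code from the MyUoY app or its supplier: a minimal profile handler that behaves as described, beside a hardened version that takes the identity from the authenticated session and returns only what the library tile needs. The usernames, record fields and values are constructed for illustration.

```python
# Added example (not code from the MyUoY app or its supplier): the broken
# object-level authorization pattern described above, beside a fixed handler.
# Usernames, field names and values below are constructed for illustration.

# Constructed in-memory directory standing in for the University's user store.
USERS = {
    "abc123": {
        "name": "Alex Student",
        "email": "abc123@example.ac.uk",
        "home_address": "1 Example Road",
        "date_of_birth": "2000-01-01",
        "library_fines": 2.50,
    },
    "xyz789": {
        "name": "Sam Student",
        "email": "xyz789@example.ac.uk",
        "home_address": "2 Example Road",
        "date_of_birth": "1999-06-15",
        "library_fines": 0.00,
    },
}

# The only fields the library tile actually needs in order to render.
LIBRARY_TILE_FIELDS = ("name", "library_fines")


def library_tile_vulnerable(session_user, url_username):
    """Vulnerable handler: the username comes from the URL and is never
    compared with the authenticated session, and the whole record is
    returned. Any logged-in user can read anyone's personal data simply
    by editing the URL. Returns (HTTP status, response body)."""
    record = USERS.get(url_username)
    if record is None:
        return 404, {"error": "no such user"}
    return 200, dict(record)


def library_tile_fixed(session_user, url_username):
    """Hardened handler: identity is taken from the authenticated session.
    A URL naming anyone else is refused, and the response is trimmed to
    the fields the tile needs, so a future authorization slip leaks less.
    Returns (HTTP status, response body)."""
    if session_user is None:
        return 401, {"error": "not authenticated"}
    if url_username != session_user:
        # Worth logging: a logged-in user asked for another user's record.
        return 403, {"error": "forbidden"}
    record = USERS.get(session_user)
    if record is None:
        return 404, {"error": "no such user"}
    return 200, {field: record[field] for field in LIBRARY_TILE_FIELDS}


if __name__ == "__main__":
    # abc123 is logged in and edits the URL so that it names xyz789.
    print(library_tile_vulnerable("abc123", "xyz789"))  # leaks Sam's full record
    print(library_tile_fixed("abc123", "xyz789"))       # refused with 403
    print(library_tile_fixed("abc123", "abc123"))       # own name and fines only
```

The second handler makes two separate changes, and both matter: refusing a mismatched username closes the hole, while returning only the fields the tile needs means that a request for "library books" can no longer carry home addresses and dates of birth with it.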
The University has, however, said that it has “had requests for information at various points in the investigation timeline and have answered these requests honestly. The University has been open and transparent throughout the process”.
The University also stated in an FOI which asked for a clarification on whether any of the issues involved personal data: “The intention of this statement was to reassure students that there had not been any unauthorised access to students’ personal or attendance data as a result of the security issues that had been discovered. This was due to the prompt and responsible approach taken by the student that reported the issues to us, for which we are very grateful.”
The false statement may therefore have been well intentioned, as this explanation describes, but it was far from transparent. Ash Holland told Nouse that the University’s statement to Nouse that the issues were “not related to attendance data or personal data” was “indefensibly false”.
When asked how the University knew that students’ personal data was secure, it answered: “as part of the investigation process, full log files were provided by the supplier to the University’s security team. These log files recorded all accesses to data, and were analysed by the University to identify any such access. The outcome of this assessment was that no unauthorised access requests were made.”
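The review the University describes amounts to checking, for every request that named a user's record, whether the logged-in user and the named user were the same person. The following is an added example of that check, written for this article and not the University's or the supplier's own analysis. The log lines are constructed, and the format assumed here (an authenticated-user field beside the request line, and a path that names the requested user) is an assumption made for the example.

```python
import re
from collections import Counter

# Added example (not the University's or the supplier's analysis): scan an
# access log for requests in which a logged-in user fetched another user's
# record. The log lines and their format are constructed for this example;
# a real log would need its own field layout mapped onto the two regexes.
SAMPLE_LOG = """\
2019-12-19T09:58:02Z user=abc123 GET /api/library/abc123 200
2019-12-19T10:01:44Z user=abc123 GET /api/library/xyz789 200
2019-12-19T10:01:51Z user=abc123 GET /api/library/def456 200
2019-12-19T10:03:10Z user=xyz789 GET /api/library/xyz789 200
2019-12-19T10:04:20Z user=xyz789 GET /api/library/abc123 403
2019-12-19T10:05:00Z user=def456 GET /api/timetable 200
"""

# One log line: timestamp, authenticated user, method, path, status code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<actor>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Paths that name a user's record; the named user is the "target".
TARGET_RE = re.compile(r"^/api/library/(?P<target>[^/?]+)")


def find_cross_user_access(log_text):
    """Return one finding per request whose authenticated user differs from
    the user named in the path. Unparseable lines and requests that do not
    name a user are skipped. A finding records whether the server served the
    data (status 200) or refused it, since a refused attempt is still a
    probe worth knowing about."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TARGET_RE.match(m["path"])
        if not t:
            continue
        actor, target = m["actor"], t["target"]
        if actor == target:
            continue
        findings.append({
            "ts": m["ts"],
            "actor": actor,
            "target": target,
            "status": int(m["status"]),
            "succeeded": m["status"] == "200",
        })
    return findings


def summarise_successful(findings):
    """Count, per actor, how many other users' records were actually served."""
    return Counter(f["actor"] for f in findings if f["succeeded"])


if __name__ == "__main__":
    for f in find_cross_user_access(SAMPLE_LOG):
        print(f)
    print(summarise_successful(find_cross_user_access(SAMPLE_LOG)))
```

Run against the constructed log this reports three cross-user requests, two of them served and one refused. The point of keeping the refused attempts is that a statement such as "no unauthorised access requests were made" is stronger than "no unauthorised access succeeded", and only a log that records the authenticated identity on every request can support either.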
The University nonetheless remains committed to the project, stating that it is “keen to work with students to understand their needs and their vision on how this should be implemented”.
YUSU’s academic officer, Giang Nguyen, told Nouse:
“It is important for the University to be honest about if and when things go wrong, in order to build trust with the students’ community. I agree with students that any breaching of our personal data is the breach of our rights, and how it is vital to protect our own personal data, and how insecure and vulnerable we must feel when our own personal data has been misused”. Nguyen added that “the University did not communicate to us about this data breach”.
Speaking on behalf of YUSU, the academic officer added: “we are not happy with the lack of transparency and proper students’ consultation on the app and the attendance monitoring tool. Further and sufficient student consultation should be carried out prior to continuation. The Union is more than happy to work with the University on a consultation plan as we have already been doing. Until then, the Union won’t make any decision about supporting its implementation”.
The academic officer elect, Matt Johnstone, told Nouse that when it comes to the MyUoY app he understands the obligation the University has to monitor attendance under the Tier 4 visa regulations, but that “this monitoring should be as non-intrusive as possible, to maintain the level of respect that students deserve”.
Computer science representative and outspoken critic of the MyUoY application Tom O’Neill described the University’s insistence that it had been honest and transparent throughout the process as “baffling”, telling Nouse that the University’s “comments about the safeguarding of students’ data appear misleading when weighed against the reality of the potential data issues so I question if they can be trusted to be fully transparent in future”.
The Nouse investigation also discovered that the University has already spent £29,000 of staff time on the project.
A further £2,500 was spent on the Bluetooth beacons, which are no longer in use. The University refused to release the total amount spent on the project. The pilot was paused in week 4, after only 355 people had downloaded the app and it had faced widespread criticism and further technical issues.