clock menu more-arrow no yes

Filed under:

Dystopia Starter Kit: The data privacy nightmare of facial recognition and location apps in the SEC

New, 106 comments

Technological creep on college campuses comes in many flavors.

NCAA Football: Tennessee at Alabama John David Mercer-USA TODAY Sports

I don’t know if you’ve heard, but student attendance is frequently groused-about around Tuscaloosa. Sure, the majority of students may show up, but they don’t stick around.

The reasons are legion, of course: it’s hot as hell for the first 2/3rds of the season; the crappy out-of-conference home slate provides little inducement; Alabama gets saddled with a ton of early games; the Crimson Tide is leaps and bounds better than most opponents who stroll in Bryant Denny; the University no longer is a sleepy little enclave of in-state kids from Sparkman and Speake — over half of the undergraduate population isn’t even from the state any more; and, frankly, fans being spoiled by success — the last time Alabama truly stank, a 2020 entering freshman had just begun kindergarten; and many, many other reasons.

To ameliorate this most First World of all problems — keeping butts in seats — the University of Alabama adopted what was perhaps the most ham-fisted approach you’ll ever see — the carrot and stick geolocation of FanMaker. The carrot is rewarding those who stick around with the possibility of receiving coveted postseason tickets. The stick is the threat of losing season tickets if students don’t stick around for the whole game.

Never mind the fact that these students have paid for those seats and have spent tens of thousands of dollars annually on tuition: Stay or feel the Byrne. Never mind the fact that no such restriction is placed on Tide Pride season ticket holders. And, never mind the different sorts of programs at other schools have met with great success without the need to baby young adults or potentially invading their privacy.

As the New York Times so succinctly labeled the program, it’s “Orewellabama.” And the app was widely panned across the nation — from sports media to students to civil libertarians to privacy advocates. In the face of persistent criticism about data harvesting, the response from administration was less than helpful: delete the app when you leave the stadium — as though that’s the summa of the dissemination of always-on, bluetooth-enabled geotracking and data scraping schemes.

Despite administrators poo-pooing away these valid concerns, Learfield / Paciolan, FanMaker’s parent company, very clearly states the purpose of the app — it is an analytics program. The POS, micro-locationing services, ticket scanning, etc. are all merely data points in those analytics — data which, we hardly need remind you, are the real commodities of value in B2B internet commerce:

FanMaker is the largest provider of athletic team loyalty programs in the US and Australia. FanMaker loyalty programs integrate social media, point-of-sale, ibeacon (micro-location), ticket purchase, and ticket scanning data into one comprehensive platform. FanMaker captures every interaction fans have with your team and provides analytics and business insights so you can better engage with your fans. Beacon triggered push notifications allow instant and personal marketing like never before and integration with CRM systems and data warehouses make FanMaker an integral part of any ticket sales and marketing operation. Join teams around the world and work with FanMaker to give your fans a truly individual experience.

In fact, data analytics is now increasingly the core business of Paciolan — with its ticketing and other services as means to that end. A quick perusal of FanMaker’s blog doesn’t attempt to hide what these spyware and marketing programs look like.

While we were unable to locate the precise terms of use and data policy that FanMaker applies to Alabama, a representative sample was available via Mississippi State, another FanMaker “partner”:

It reads, in its entirety:

Your privacy is very important to us. Accordingly, we have developed this Policy in order for you to understand how we collect, use, communicate and disclose and make use of personal information. The following outlines our privacy policy.

Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

We will only retain personal information as long as necessary for the fulfillment of those purposes.

We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.

We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

We will make readily available to customers information about our policies and practices relating to the management of personal information.

We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.

To say these vague assurances and even vaguer proposed uses of your data are insufficient does a disservice to insufficiency. You are more apprised of your rights when you drop in to get a hair cut.

Internationales Hackertreffen in Almere Photo by Markus Matzel/ullstein bild via Getty Images

Yet, for all pushback on the app, America’s colleges are increasingly turning to tech to monitor, spy upon, and compromise the privacy and data security of their students. And, almost as bad, their attitude is a patronizing and parochial one towards these young adults who are on one hand students and on the other hand their consumers (and, apparently forgotten in such technological condescension, is that they will be Hometown U’s future alumni and potential donors). Still, as quickly as the technology has become available, administrators are rushing towards it.

Missouri, in particular, has flung themselves headlong into the darkness:

The school is using hidden technology and an app on student cellphones to keep track of who is in class and who is not.

Officials say it’s for the students’ own good. Besides, they say, MU’s athletic department has been using the tracking app the past four years for all freshmen athletes, plus any athlete in academic trouble.

Now, as a test pilot, the school is expanding the program to any student new to campus for this semester, which starts Tuesday. Faculty volunteered to have their classes be part of the test. Their students won’t be given a choice.

“A student will have to participate in the recording of attendance,” said Jim Spain, vice provost for undergraduate studies at MU. Every student involved will be told ahead of time that attendance is being monitored. University officials, Spain said, will even work with students who don’t have a phone to make sure they can participate.

It’s not just attendance at football games or in classrooms either. A variety of spyware solutions are popping up and marketing themselves to higher ed.

Nor should it be reassuring when schools claim that geofences and beacons are not GPS-enabled, thus have no tracking outside of the defined area. Aside from user error, bluetooth is the least secure entry point on a smartphone device. Their increasing complexity has become their downfall, particularly with the newer low energy bluetooth designs (BLE). Meaning? Users can face BLE-based botnets, hacks, and large-scale tracking.And, even if you’re not on a BLE device, Bluetooth 5 has just as great a potential for bad actors to compromise or retrieve information from the device — since it has an even greater geographic range.

Your data is a commodity, and bad guys are everywhere: Even when they don’t necessarily realize that they are the bad guys at the time.

Neither schools nor their “partners” have specified precisely what data or likenesses shall be kept, how and where they shall be stored, how they will be retained, how they will be secured, how the network is secured, when and how (or even if) they will be destroyed when no longer necessary, how student privacy will be protected, whether they sell or share data and likenesses to third parties and affiliates and how to opt-out if so, what legal and constitutional safeguards are in place, or — even as a threshold matter — just why in the hell these technological intrusions are even a necessity.

But, even if everything is on the up-and-up, and absolutely no one aside from the school is making use of the data, and even if no school or app sells the data to third parties, very real concerns exist about centralized data collection and the tempting hacking targets those databases represent. Not only do your name and credit card number and address have value to bad actors as primary commodities in and of themselves, they are quite valuable on the dark web in the underground data resale markets.

If any of this doesn’t ring a bell, perhaps then Equifax will.

Hacker And Data Security Photo by Thomas Trutschel/Photothek via Getty Images

Your data is the product; your acquiescence to its collection is the point of sale: in fact, that data is often worth well above and beyond what you purchased or subscribed to from a given entity.

Your location at any and all times is valuable. So too are your shopping habits, your brand preferences, your driving data, your sleep schedule and heart rate, even your menstrual cycle. Those 3:00 a.m. rage-tweets are valuable. A decade-long defunct LiveJournal account? Priceless. Those silly Halloween party photos are worth money to someone, somewhere. And, with the holy grail of a technocratic police state fast approaching — AI-powered facial recognition — your likeness may be worth the most of all to the analytics industry. In fact, in some nations, you can no longer even purchase a smartphone without facial scanning technology.

We already know such programs are being marketed to local police agencies, despite the constitutional morass they present. We know that they are being used by tinpot autocrats across the globe to suppress their peoples and even enact a genocide. To say nothing of the well-documented implicit biases that are baked-in to much AI, or that facial recognition tech is really bad with recognizing non-white faces —with the AI apparently operating under your racist uncle’s “they all look alike” algorithm.

We also know that these companies desperately want your likeness. And, the more you ask them why and for what purpose, the less forthcoming Big Tech has been about it — despite companies like Clearview providing nothing less than a not-so-gentle jumpstart into a dark, fast-approaching future.

Yet, for all those concerns, and for the demonstrable lack of trustworthiness that Big Tech has displayed time and again, many college campuses are rushing to institute facial recognition on campuses. In the SEC, Georgia has indicated that it very well may use that technology. Florida has already given a firm commitment to not doing so. It seems as though Alabama and Missouri would lean towards facial recognition as well, being early adopters of invasive beacon technology. Mississippi State is most probably a lean towards adoption as well, given their incredible dedication to monetizing “analytical insights” about attendees of their athletic events.

If end-users want to participate, and they are fully apprised of the purposes, means of collection, and use of their data and likenesses, that is fine; a free society permits you the freedom of contract and the ability to relinquish control of your identity, habits, and likenesses. But, the fundamental questions above have not been answered. And, attempts to pin down those answers have been brushed aside, downplayed, minimized, ignored. Until those answers are forthcoming, you can hardly claim that fully-informed waiver of student and consumer privacy rights have been made. “Trust us” is insufficient. That trust is broken.

And for the rest of us, for the majority who don’t wish to be cyberstalked by marketing software sanctioned by universities (and permitted by dozens of pages of boilerplate adhesion contracts upon the click of a button), then is it time to receive some definitive answers to those very commonsense questions. Not another voluntary step towards surrender should be made such that third parties can churn out a few bucks selling you to advertisers, governments, law enforcement, universities, and Big Tech without those being completely and fully addressed.

As Robin Williams once famously said, “I’m not afraid of Big Brother. I’m afraid of Little Snitch.”

SEC member institutions have no business being the harvesting apparatus for Little Snitch, nor being Little Snitch themselves, when all you wanted to do was go to class or catch the first half of a football game.