A.

Are School Bus Tracking Systems Dangerous?

By In Technology

There has been a lot of hype recently in Tampa Bay about the “Here Comes the Bus” app. This is system that allows parents to see when their kids have gotten on a school bus, and where the bus is. Some parents are concerned that systems like this one could let malicious users, or government agents track their children. So I’m going to give a quick overview of how systems like these work, and why they are not dangerous. We will also look at what parents SHOULD be concerned about.

How it works

The system is fairly straight forward. Students have either a barcode or a passive RFID chip printed onto their “Bus Pass” – which is just a card they carry around. This card is scanned once the student boards the bus, either with an RFID reader or a barcode scanner (basically the same technology used at grocery stores and clothing shops).

The barcode or the RFID chip carries a simple ID number. This number does not represent the student in any identifiable way – it’s just randomly assigned. The RFID scanner is connected to an internet-enabled device and sends the ID number securely to a server.

Keep in mind, if any data is intercepted up to this point, it is of no use to an attacker. The attacker would at best get a random number that means nothing.

On the other side of the system is the parent’s app. This app is connected to Here Comes The Bus‘ servers, which lets them know that their child is on the bus. The bus also has a GPS tracker on it, which connects to the internet and lets the Here Comes the Bus‘ servers know where the bus is.

That random ID number is then looked up in a database which lets the application know which child has been assigned that ID number. The parent’s device securely requests that information, and it is provided securely down to the app.

It is possible the data coming down to the parent could be intercepted by an attacker. However, as this technology is very secure and is commonly used in almost every piece of software these days (from your health systems to banking apps), it is HIGHLY unlikely.

Could you track kids using their cards?

Some of these bus passes contain a chip, and that sounds scary right? Well, you don’t have to worry too much. These chips are passive RFID chips, the same type of technology that is imprinted in clothing labels to stop theft. Passive means that they need to be picked up by a powered scanner. In order to track a child, you would need to know their ID number (the randomly assigned one), and then set up expensive, high-powered scanners all around town. So it is possible, but there are WAY cheaper and easier ways to track someone. So this seems incredibly unlikely.

Could you track kids if you hacked into the Here Comes the Bus servers?

So the one thing that COULD happen is the Here Comes the Bus’ servers could be hacked. An attacker could break into the database and potentially be able to work out where a child has been, but this does not necessarily mean they will be able to find information on a particular child either. This data is hopefully encrypted, or linked to the school’s secure systems. I can’t speak to how this system has been secured and architected. My best guess is the system was designed with the understanding that this is sensitive data, and great care should be taken over the security. There are also a number of regulations in place that govern the usage and security of student and child data. The Children’s Online Privacy Protection Act of 1998 (COPPA) provides strict regulations regarding a child’s data. The Family Educational Rights and Privacy Act of 1974 (FERPA) gives parents certain rights with respect to their children’s education records. These two regulations will have been taken into account by the developers and the school board when evaluating this software.

Should I be worried about this?

No system is perfect and inherently has its risks, but these risks need to be balanced against the rewards. I think that the safety aspects of this application far outweigh the highly remote possibility of the system being misused. There are WAY easier ways to track people than trying to exploit a system like this.

So what should I be worried about?

There are real threats and issues out there for you to be worried about. Kids download all sorts of things to their devices, and these downloads represent real, actual threats. Malware embedded in games, social media apps, and even downloaded backgrounds can track your exact GPS location, leak your phone number, show inappropriate content, or steal personal information.

Instead of worrying about the government tracking your kids while you send them to a Public school, take a look at your kids’ actual devices. Install something like Norton Security Online and Norton Security for iOS or Android, or Malwarebytes. Also talk to your kids about what apps they’re using, and listen to hear for anything strange about their data usage, or content that is coming up unexpectedly, or unusual phone calls they’re getting. These are indicators of real threats to kids’ information and of valid concern by parents.

Previous ArticleNext Article
I help companies turn their technical ideas into reality.

CEO @Sourcetoad and @OnDeck

Founder of Thankscrate and Data and Sons

Author of Herding Cats and Coders

Fan of squash, whiskey, aggressive inline, and temperamental British sports cars.

Leave a Reply

The State of AI-Coded Software, May 2025

In Software, Technology

I’ll probably regret writing this. At the very least, I’ll cringe reading it in a few months. But here we are.

Lately, we’ve been getting a wave of client requests asking us to evaluate software they built using AI tools. These aren’t engineers. These are business folks using increasingly powerful AI products to try and build functioning systems. And to be completely honest, the results are both impressive and a bit alarming.

People are building whole applications on their own. Backends, frontends, user interfaces, even some database logic. Sometimes they even look good. These are smart people who don’t know how to code but have managed to produce working systems.

The problems show up immediately when we start reviewing the internals. The code is usually a mess. In many cases, it would be extremely difficult to maintain or extend. And if you need to move that code from the platform it was created in to a cloud provider like AWS, you’re going to hit a wall. These platforms wrap everything in layers of scaffolding that make portability a nightmare.

Security is worse. We’ve found plaintext credentials scattered across files. We’ve seen SQL injection vulnerabilities that shouldn’t even be possible in modern frameworks. We’ve seen structural issues that would get flagged in a freshman CS class.

Despite all that, what people are creating are legitimate prototypes. They’re functional. They run. But when you’ve put a few weeks into building something, and you show it to a software engineer, it’s hard to hear that your shiny new thing needs to be rebuilt from scratch.

I want to be clear. I am not anti-AI. Almost everyone at my company uses AI tools every day. We use Copilot, Cursor, ChatGPT, Claude, and more. We build out frontends with tools like v0 and Lovable. These tools have changed how we work.

Some of our engineers report productivity improvements of 30 to 40 percent. That’s not a rounding error. That is a major shift. But they are still writing the code. They are reviewing it. They are checking for performance, clarity, security, and maintainability. They are not letting the tools decide architecture. They are using AI like they use autocomplete or linters, but with more power behind it.

This is also where expectations need to be adjusted. These systems will not save you 90 percent on development. They will not let you skip engineering altogether. But if they save you 30 percent, that’s a real gain. Imagine you’re building a house. The general contractor says it’s going to be $500,000. You tell them you already did the blueprints, filled out all the permits, and figured out the site plan using some AI tools. If they came back and said, “Alright, I’ll knock 30 percent off,” that would be the best deal of your life. That’s where we are today with AI-generated software. A solid start. A real value. Not a replacement.

For me personally, AI has made it fun to write code again. I haven’t been a working programmer in over a decade, and most modern toolchains are enough to scare me off. Now, with the right assistance, I can build something without getting stuck on Docker configs and dependency mismatches. That’s a big deal.

In the startup world, AI-first development is everywhere. Most of the current Y Combinator batch is using AI tools to write the bulk of their code. But those teams are highly technical. These are engineers using better tools, not tools replacing engineers.

So for non-developers using AI to build products, here are three things you should keep in mind:

  1. These tools are great for building prototypes. If you build something yourself, you will understand it better and will be a better partner to your engineering team. That matters.
  2. These tools can help you build usable frontend components. You probably won’t want to go live with them, but they can get you close enough to work with a real development team.
  3. If your app is small, non-critical, doesn’t store sensitive data, and lives entirely in its native platform, you can probably keep it running. That’s fine for internal use or personal projects.

One day, you’ll be able to speak an app into existence and deploy it with a voice command. It will be fast, secure, and beautiful. But today, you still need an experienced software engineer to check your work before you send real data through it. That’s just where we are right now.

The upside is huge. We can now get experts from other domains to build working prototypes and test ideas without needing an engineering team on day one. That’s powerful. But if your product is going to handle sensitive data or support real users, bring in someone who knows what they’re doing. Not because the AI is bad. Because the stakes are high.