Are School Bus Tracking Systems Dangerous?

There has been a lot of hype recently in Tampa Bay about the “Here Comes the Bus” app. This is system that allows parents to see when their kids have gotten on a school bus, and where the bus is. Some parents are concerned that systems like this one could let malicious users, or government agents track their children. So I’m going to give a quick overview of how systems like these work, and why they are not dangerous. We will also look at what parents SHOULD be concerned about.

How it works

The system is fairly straight forward. Students have either a barcode or a passive RFID chip printed onto their “Bus Pass” – which is just a card they carry around. This card is scanned once the student boards the bus, either with an RFID reader or a barcode scanner (basically the same technology used at grocery stores and clothing shops).

The barcode or the RFID chip carries a simple ID number. This number does not represent the student in any identifiable way – it’s just randomly assigned. The RFID scanner is connected to an internet-enabled device and sends the ID number securely to a server.

Keep in mind, if any data is intercepted up to this point, it is of no use to an attacker. The attacker would at best get a random number that means nothing.

On the other side of the system is the parent’s app. This app is connected to Here Comes The Bus‘ servers, which lets them know that their child is on the bus. The bus also has a GPS tracker on it, which connects to the internet and lets the Here Comes the Bus‘ servers know where the bus is.

That random ID number is then looked up in a database which lets the application know which child has been assigned that ID number. The parent’s device securely requests that information, and it is provided securely down to the app.

It is possible the data coming down to the parent could be intercepted by an attacker. However, as this technology is very secure and is commonly used in almost every piece of software these days (from your health systems to banking apps), it is HIGHLY unlikely.

Could you track kids using their cards?

Some of these bus passes contain a chip, and that sounds scary right? Well, you don’t have to worry too much. These chips are passive RFID chips, the same type of technology that is imprinted in clothing labels to stop theft. Passive means that they need to be picked up by a powered scanner. In order to track a child, you would need to know their ID number (the randomly assigned one), and then set up expensive, high-powered scanners all around town. So it is possible, but there are WAY cheaper and easier ways to track someone. So this seems incredibly unlikely.

Could you track kids if you hacked into the Here Comes the Bus servers?

So the one thing that COULD happen is the Here Comes the Bus’ servers could be hacked. An attacker could break into the database and potentially be able to work out where a child has been, but this does not necessarily mean they will be able to find information on a particular child either. This data is hopefully encrypted, or linked to the school’s secure systems. I can’t speak to how this system has been secured and architected. My best guess is the system was designed with the understanding that this is sensitive data, and great care should be taken over the security. There are also a number of regulations in place that govern the usage and security of student and child data. The Children’s Online Privacy Protection Act of 1998 (COPPA) provides strict regulations regarding a child’s data. The Family Educational Rights and Privacy Act of 1974 (FERPA) gives parents certain rights with respect to their children’s education records. These two regulations will have been taken into account by the developers and the school board when evaluating this software.

Should I be worried about this?

No system is perfect and inherently has its risks, but these risks need to be balanced against the rewards. I think that the safety aspects of this application far outweigh the highly remote possibility of the system being misused. There are WAY easier ways to track people than trying to exploit a system like this.

So what should I be worried about?

There are real threats and issues out there for you to be worried about. Kids download all sorts of things to their devices, and these downloads represent real, actual threats. Malware embedded in games, social media apps, and even downloaded backgrounds can track your exact GPS location, leak your phone number, show inappropriate content, or steal personal information.

Instead of worrying about the government tracking your kids while you send them to a Public school, take a look at your kids’ actual devices. Install something like Norton Security Online and Norton Security for iOS or Android, or Malwarebytes. Also talk to your kids about what apps they’re using, and listen to hear for anything strange about their data usage, or content that is coming up unexpectedly, or unusual phone calls they’re getting. These are indicators of real threats to kids’ information and of valid concern by parents.

Previous ArticleSoftware Development Teams: Build vs. ContractNext ArticleCapture The Flag Games in Role-Playing Games

Greg

I help companies turn their technical ideas into reality.

CEO @Sourcetoad and @OnDeck

Founder of Thankscrate and Data and Sons

Author of Herding Cats and Coders

Fan of squash, whiskey, aggressive inline, and temperamental British sports cars.

You must be logged in to post a comment.

Is Anyone Working on Agentic Authentication?

February 10, 2025 23:23February 11, 2025In Technology

Everyone is building AI-powered tools, even people who shouldn’t be. Agents seem to be the next obvious (and big?) step. But these little bots need a secure way to act on behalf of users without causing chaos.

Richard Dulude at Underscore VC wrote about the lack of identity standards for AI agents in this LinkedIn article. I don’t know Richard or Underscore VC (sorry). But, he’s right, traditional authentication assumes either a human or a machine with static credentials, and that doesn’t work for AI agents that need to make decisions and take actions. Companies want accountability (and probably liability), and users need control of what their potentially psychedelic robot is doing on their behalf. This balance doesn’t exist yet.

This is probably for another blog post, but right now, everyone, including the bots, are using human interfaces as a stopgap. OpenAI’s Operator is a great example, agents pretending to be humans to interact with systems that weren’t built for them. That’s fine for now, but eventually, the human interfaces will be an afterthought. Like how “mobile-first” design took over, we’ll be doing “agent-first” design with human-accessible backups. Having a dedicated standard for agentic authentication might be a good first step in that machine-to-machine way of thinking and designing systems.

Agentic Proxy Credentials (APC): A Solution (A Term I Totally Made Up)

I made this up. It’s probably a bad term, but naming things is fun. This doesn’t exist… if you are a large battery and power supply company, don’t sue me. I’m spitballing here.

One possible fix is the “sucked out of my thumb” Agentic Proxy Credentials (APC). This would let users grant their AI agents secure, limited permissions to interact with systems while making sure the right level of oversight are in place. There are things that I wanted to do this very week, but I don’t trust my bots with my actual usernames and passwords:

Stop me talking to Airline Idiot Bots

Talking to airline chatbots is painful. Right now, they can only regurgitate FAQ answers. With an APC, my AI assistant could log into my airline account, check flights based on my loyalty status, and rebook me without you having to touch anything. This would make AI actually useful instead of just a slightly smarter help page.

Paying for small things without having to deal with entering my ACH data AGAIN

I don’t want to give an AI full access to my bank account. But I wouldn’t mind letting it handle small transactions in a controlled way. With APCs, I could grant my assistant time-limited access to approve payments or move money within strict limits. The AI does the work, I stay in control, and my bank account doesn’t mysteriously empty overnight… unless I’m Ambien shopping again.

AI Dungeon Master’s Assistant

D&D is great, but session prep is a time sink. I want an AI that logs into my D&D Beyond account, manages stat blocks, generates lore-friendly content, and even takes session notes. The AI handles the boring admin work, and you get to focus on making your players cry (or cheer, if you’re nice). Yes, serious stuff here.

How It Could Work

There are a few ways to make this happen, I think. I’m no longer allowed to do actual engineering at my own companies I founded, so this blog is my outlet. Everyone needs a hobby.

Zero-Knowledge Proofs (ZKP): Let the agent verify credentials without exposing sensitive data.
Time-Limited OAuth-like Tokens: Give agents temporary access that expires after a set time.
Multi-Factor Delegation (MFA->MFD): Require multiple checks before an agent gets access (biometric + device trust, for example).

Is Someone Already Building This?

Honestly, I wouldn’t be surprised if Okta, OAuth, or OpenAI are already working on this and I’m just ranting for no reason. But if they aren’t, they should be. The pieces are all there, someone just has to put them together.

I need this, but I can’t find it. If anyone is working on it, let me know. I’m too busy trying to solve employee gifting at scale at Thankscrate, implementing AI into every existing business at Sourcetoad, and making sure passengers can watch TV and book dinner reservations in the middle of nowhere at OnDeck.

Greg Ross-Munro