Where did the FortifyFL App go wrong?
Reopening schools during a global health crisis comes with its own set of challenges. But on top of that, school officials shouldn’t have to worry about the additional complications stemming from a flawed school safety app.
In Feb., when an investigative reporter from ABC News in Tampa uncovered critical design flaws in Florida’s statewide school safety app that allowed pranksters to overwhelm school resources with bogus reports of impending school violence and other crimes, it was immediately clear that Florida’s school safety app, known as FortifyFL, was doomed to fail.
School and government officials in Florida deployed the FortifyFL app across the entire state with no authentication mechanism in place. That means anybody could simply go to the app store, download the app, pick a school, and start sending in tips. In fact, during my own research this week to see if this glaring problem had been addressed I was able to download the app from Virginia and send in tips anonymously without location services activated or using any special tools. (Of course, I never actually sent any tips to the app, but verified that I was able to get to the point of submission).
Poorly designed apps like FortifyFL not only lead to bad information that overwhelms authorities, it also leads to incorrect assumptions about the value of crowdsourced risk intelligence and the effectiveness of other leading platforms in this market. Although the experience of officials in Florida have led some to question whether the $254,000 contract to develop FortifyFL was a “squandering” of tax dollars, our experience at LiveSafe and the experiences of other market-leading developers and risk experts has proven the value of the technology time and time again. We are reducing risk, helping school’s engage students, and saving lives — not overwhelming the system with bogus data.
So where did FortifyFL go wrong?
Authentication & Access Control
The two most glaring problems with the deployment of FortifyFL was the lack of user authentication and access control.
“Because our clients push out just as much safety information as they receive, we ask that LiveSafe users register with a piece of contact information like an email address or phone number so they can receive timely, relevant safety alerts from our broadcast system,” said Dan Morrison, Senior Director of New Products at LiveSafe. “While students can still report tips anonymously and have their identity masked inside the LiveSafe system, this initial contact registration helps us verify a valid identity, which we find greatly reduces abuse of our system. This simple step keeps malicious actors from creating multiple accounts, impersonating other users, and coordinating misinformation, while giving our legitimate users the ability to receive safety information via the app on their phone, via SMS, or their email accounts.”
To ensure only verified users can subscribe to the service, LiveSafe offers several robust integration options with HRIS solutions, including Workday (certified partner), and supporting security standards such as OAuth 2.0, SFTP data transfer, and SCIM 2.0.
LiveSafe supports flexible options for clients to secure their communities, which does include allowing public audiences (i.e. parents, visitors). We protect communities by a variety of means as preferred by the customer. We currently support a variety of authentication methods including Single Sign-On (SAML 2.0), directory integration, Email Domain restrictions, and passcode protection.
In addition, we provide training on all the different techniques and tools provided on the LiveSafe platform. As a SaaS platform, however, we believe in providing customers the flexibility to configure the platform to best fit their needs. Customers are in charge of their own policies relating to how they respond to differing degrees of anonymity.
In addition to its lack of authentication, FortifyFL offers no access control. This is evident by the fact that I was able to download the app and choose any school in Florida from my home in Virginia.
Although anyone can download the Mobile App, LiveSafe can restrict a person from joining a specific school’s branded version of the Mobile App based on the measures listed above, thereby, also prohibiting that person from submitting tips to the Customer’s Command Dashboard.
A Word About Quality Tips
At LiveSafe, we’ve invested in becoming a leader in the use of artificial intelligence and natural language processing to improve the quality of risk information that school and corporate security officials need to focus on.
LiveSafe Insights is a best-in-class AI-powered tool that enables your organization to analyze all aspects of your LiveSafe deployment and construct a unique risk profile to surface actionable trends and early warning indicators.
“LiveSafe Insights analyzes our client’s portfolios using natural language processing to best understand their portfolio of tips, and we have built mechanisms to de-prioritize routine tips and test tips,” said Dan Morrison. “Additionally, we tag data on a number of dimensions to surface if tips deal with urgent items like physical violence, high-sensitivity items like mental health concerns and bullying, or basic safety hazards like suspicious individuals or slip and fall risks. These tags allow us to segment and prioritize certain types of tips for our clients so they can focus their energies on the high-impact, preventative tips, and batch-process less timely, less critical reports”
And because LiveSafe anonymizes and aggregates its data when crafting LiveSafe Insights models, our clients get smarter together. For example, models used to detect threats of violence in stadiums and entertainment clients work just as well for many of our education clients, and models used to detect workplace harassment can often detect bullying in schools, said Morrison.
“We have collected millions of data points on what a high-impact, timely, relevant tip looks like, and have utilized this to help make our clients savvier in how they use our system to support their prevention strategy,” Morrison said. “While a machine can never fully outsmart a nefarious actor, we seek to arm our clients with best in class tools to make the most out of their portfolio of tips.”