Privacy-Invasive Proctoring Software Declared Unconstitutional by US Court
During the Covid-19 pandemic we avoided most forms of person-to-person interaction unless absolutely necessary. That was deeply problematic for education, which is based on the idea of a teacher interacting in person with a class of students. The use of video calls addressed that, if imperfectly, but there is another aspect of learning that poses additional challenges.
Exams are an important part of most educational systems, and allowing students to take them at home raised the issue of cheating. Using video calls to monitor what students did during an exam was generally considered insufficient. There were fears that students might post notes or other helpful information out of sight of the webcam, or even be given hints by other people in the same room.
To prevent students from cheating, many educational institutions started using proctoring software, which seeks to play the role of a human proctor who oversees examinations. The problem is that proctoring software is unreasonably privacy-invasive… and technically illegal in many places.
The Road To Exam Supervision Is Paved with Good Intentions
A few months into the pandemic, the Washington Post was reporting on “a new wave of student surveillance” based on central monitoring of students through software:
The live proctors these companies hire ensure test-takers abide by a strict set of rules. They watch the students’ faces, listen to them talk and can demand they aim their cameras around the room to prove their honesty. Some companies also use facial-recognition, eye-tracking and other software that purports to detect cheating and rates the students’ “academic integrity.”
The list of techniques used to check on students is long. It includes collecting facial images, monitoring keystrokes, tracking eye movements, checking background images, and recording sounds. Moving the eyes away from the keyboard for too long might be regarded as evidence of cheating, despite the fact that some students have difficulty maintaining eye contact in this way.
In addition, proctoring software often collects device logs, including IP addresses, details of sites visited, and how long a student remained on a particular Web page.
For every anti-cheating technique, there is a workaround. As far back as 2015, Jake Binstein put together an extensive list of ways to cheat even when proctoring software is being used. Irrespective of whether they are effective as replacements for traditional proctors, these programs are deeply problematic from a privacy viewpoint.
Proctoring Software Is Privacy-Invasive
It all starts with the fact that proctoring software seeks to maximize its surveillance abilities in an attempt to catch any kind of cheating. The latter goal makes proctoring software much more invasive than taking an exam in an educational establishment, where the oversight is limited and more tightly targeted.
Highly-personal data may be gathered from monitoring a student’s room, typically a bedroom. And that information becomes available to the company carrying out the exam surveillance, as well as to its human supervisors.
For effective monitoring to take place, students are required to install software on their personal computer. That in itself tends to discriminate against those with less functional hardware – for example, students from poorer backgrounds – or using a more secure but less widespread operating system like GNU/Linux.
Proctoring software typically demands access to every aspect of the system used to carry out the exam – screen, keyboard, camera, microphone – in order to gather as much information in real time as possible. This level of access not only increases the chance that personal information may be gathered, but also provides a target for hackers.
If the proctoring software has flaws or, worse, backdoors, then even more harm may be done to the student and their individual privacy.
As a result of all these very evident problems with proctoring software systems, there has been a growing resistance to them. For example, in 2021, Dartmouth Medical School accused 17 students of cheating in remote exams. The Electronic Frontier Foundation (EFF) went through the students’ logs that were used to justify the accusations, and found that the supposedly incriminating data could have been generated automatically through the syncing of course material to student devices.
Eventually Dartmouth Medical School dismissed the charges, “upon further review and based on new information received from our learning management system providers.” There was another big win against proctoring software last year, reported by the EFF:
one of the more invasive techniques – the “room scan” – was correctly deemed unconstitutional by a federal judge in Ogletree v. Cleveland State University. “Room scans” are a common requirement in proctored exams where students are forced to use their device’s camera to give a 360-degree view of everything around the area in which they’re taking a test. Often, this is a personal residence, and frequently a private space, like a bedroom.
Proctoring Software Is Likely Not GDPR-Compliant
It is curious that these victories for privacy were all in the US rather than in the EU, where the stringent General Data Protection Regulation (GDPR) has been in operation for some years. At last, a French administrative court outside Paris has suspended a university’s use of the proctoring platform TestWe:
The TestWe case arose after the Distance Learning Institute – University of Paris 8, where all classes are remote, started using it for examinations. It automatically checks their identities at the beginning and during the test. It requires that all firewalls and antivirus apps are deactivated. The classic version of the app photographs students every three seconds. The images are analyzed, and any “suspicious behavior” is reported to the platform.
As the EFF notes, the ruling was only preliminary. There is still another battle, namely to convince the court that the app is illegal under the GDPR. Aside from a legitimate purpose, whatever entity accesses personal data has to be authorized by law to do so, and is only allowed to collect what is needed for the specified purpose.
In practice, proctoring software generally tries to maximize the amount of personal information it can gather in order to catch any attempted cheating. That means it should clearly be banned across the whole of the EU unless the services take great care to minimize data collection, which is likely to prove hard, perhaps impossible.
Featured image created with Stable Diffusion.