American Remote Invigilation Software Being Used For UK Exams: Proctorio’s Crib Sheet

By Ellie Fishleigh @_machiavellie_

Lockdown has made exam season as much of a learning curve for the teachers as for the students. The task of finding new ways to hold exams was thrust on institutions with no real notice, leading some establishments to look for solutions overseas. As a result, thousands of British students have been instructed to open their computers to American tech that asks to record your screen, manage your downloads and can even track your eye movements…

This genre of tech has been in headlines since working from home became the status quo, with companies like PwC opting for remote working software that tracks not only employees’ faces but also their loo breaks. But when it comes to exams, remote invigilation is beginning to look like the ‘new normal’.

I spoke to Mike Olsen, the CEO of Proctorio, a US-based company offering a remote invigilation service with over 900,000 users according to Google Chrome. He explained what’s really going on behind the scenes of this seemingly alien, intrusive software.

What’s all the fuss about?

Before adding the extension, Proctorio asks for a wide range of permissions to enable it to ‘lock down’ a candidate’s computer, preventing cheating and detecting plagiarism. Aware that this will frighten some students, the company explains its rationale on its Google Web Store page. Of the ability to ‘read and change all your data on the websites that you visit’, they reassure users: “It’s a lot less scary that it sounds…”

add-proctorio-extension

Students have certainly noted the breadth of permissions you must grant the app, with over 4,000 students even having signed a petition to abandon the software at Australian National University. Mike jokes that the company has faced backlash from students who don’t know what they’re talking about. “It’s hilarious, students pretending to care where their data goes. Whether they’re cheating or not, I don’t really care, but then they go out and they just say things. They don’t do any research, they just make things up, and then it gets amplified, and that’s been very upsetting over the last couple of months”.

He blames this on a poor marketing strategy: “I think that’s our biggest problem right now, our marketing side does such a poor job of communication especially to the end user, to the student”.

He also emphasised that it’s not strictly Proctorio asking to use these permissions. Rather, the educational institutions themselves decide how they wish to monitor their students. Regarding the power to scan students’ rooms via webcam, Mike says: “Well, that’s a setting that the institution turns on. It’s not on by default. We actually don’t have any defaults. They wanted that. If there’s a problem with it, well we’re just the provider, you need to talk to the institution”.

One such institution is the National Council for the Training of Journalists (NCTJ), who offer online assessments as an alternative to delaying their exams until it’s possible to sit them in-person. Rachel Manby, their Head of Quality and Assessment told me why they chose to use screen recording and webcam monitoring, and why open-book examinations were not an option.

“We have enabled webcam monitoring in the Proctorio software so that we are able to identify any suspected or actual malpractice that may take place during an exam. We have enabled screen lockdown so candidates are unable to access the internet during an exam, for example to look up answers or to communicate with other candidates. This allows us to protect the security of our assessments and the reliability and validity of the assessment results.

“NCTJ exams at diploma level are closed book assessments whether they are delivered remotely or in centre, to maintain the integrity of the diploma qualification and to ensure a consistent and fair approach to delivery for all candidates. The data captured by Proctorio during our exams is stored securely at the NCTJ in line with data protection requirements (including the right to be forgotten) and is reviewed by NCTJ staff for quality assurance purposes only”.

Who is using this software?

Mike says that prior to the pandemic, Proctorio was mostly a US-based company, but is more European now: “We really saw that concentration in the US and now it has just exploded globally, even in Europe. Europeans were more traditional, it was classrooms, it was on-campus, it was pencils and paper. And what had to happen almost overnight is they had to transform to digital, they had to transform to new exams in new formats”.

Lockdown certainly saw a boom in their business. “Our system was designed to take on the load and it has done well. But as a company, we were not ready for the demand. To give you an example, in a three week period we got 1,900 leads. We didn’t have sales teams to get them on board – that was the scaling issue we hit. We’re coming out of that, but the demand hasn’t slowed down”.

The app has an array of logos emblazoned on its home-page, citing Amazon, Duke University and the University of Washington amongst its clients. At present, their website says: “We work with over 400 universities, institutions, and corporations to provide secure, reliable, cost-effective remote proctoring, identity verification, and originality authentication”.

At the time of the interview in late May, 15 of these institutions were in the UK, including Royal Veterinary College, Hult International Business School and the NCTJ, with 10 more being set up over the following fortnight.

Why does it need all those permissions?

With so many permissions enabled, I put it to Mike that students may fear Proctorio is a goldmine for data theft and fraud, and wonder why it needs all those abilities. “We basically asked for everything we needed. So, assuming that the exam has all the security features, all the recording features, everything was enabled, we asked for all the permissions and used those.

“That was a mistake, I think that was lazy. A lazy mistake when it comes to engineering, easier to ask for everything upfront and now we’re not using it. But again, from your point of view, you don’t know that, how can you trust that. So, we’re moving to a different model”.

The new model, planned for release this summer, is going to ask for the ‘minimum amount of permissions required’ and operate as a browser extension through a web-page, using a concept called ‘sandboxing’.

He says: “Websites run a sort of sandbox concept, meaning they can’t access personal files, none of that can be touched. So if we operate as a browser extension, we can also operate within the sandbox, which gives us just enough access to secure the content, but it doesn’t give us any access that most people are concerned about: personal files, being able to turn on whenever we want to turn on, installing things on your system. It’s just a browser extension”.

Within the remote proctoring world, this is novel, and Mike is pleased that his competitors are copying them: “The competition still use remote control software unfortunately. You’re installing stuff on your computer, they take control, they actually move your mouse, click your keyboard. But we don’t want to operate that way”.

Proctorio’s model comes with bonuses for privacy and efficiency, Mike suggests. Unlike some competitors who use a human (based in a call centre in India, he says) to monitor students through the webcam, Proctorio uses AI, protecting privacy. As a result, he says the cost of licensing the app for use with one student for an entire year is equivalent to the price of 1-1.5 exams with a competitor who uses a human invigilator.

Where does the data go?

Customers can choose where their data is stored. Mike says that when a client is on-boarded they pick a region, and all the data flows through and is stored in that region without leaving. They offer storage that is specific to the US, the UK and Germany, plus a general EU region space and storage in India, Canada and Australia. The privacy laws adhered to will also depend on the region being contracted with.

However, Proctorio does use Microsoft data centres, which have been the subject of some scrutiny over the years due to fears the US Patriot Act could enable the States’ government to collect information material to terrorism or espionage investigations.

But Mike believes Microsoft’s problems have now largely been addressed. “I know there were concerns early, because of things like the US Patriot Act, which would effectively allow the US government to access data. I know Microsoft has found ways around that, they don’t own the data centres. They’re based in Germany but licensed to Microsoft. They just give their customers access to it. Which effectively eliminates the ability of the US Patriot Act to kick in”.

How is the data stored?

The data itself is stored using zero-knowledge encryption. Mike says this means it wouldn’t matter if the data flowed through the US as it is ‘essentially useless’ to anybody snooping on it. To explain how this encryption technique works, he drew an analogy.

“Let’s say I’m a company that holds paperwork for a law firm and before they send it to me, they shred it. And I store the shredded documents and then when they need them, they have some magic way to turn them back into papers. What that does is prevents me from data-mining or training an algorithm, because the data I’m storing is useless. That’s why you’re not going to see a lot of companies doing this”.

Indeed, he says there are only about six companies in the world trying to use this form of encryption because it’s undesirable for investors who want to use data to ‘squeeze extra money out of a company’. “One of the differences is I’m not venture funded”, he says. “The reason you don’t see zero-knowledge encryption anywhere is because there’s no way I can squeeze data out of the data we’re storing. It’s something that makes me not investable, it doesn’t make me a very attractive sale for a company”.

I spoke to the founder of DataSecurityExpert.co.uk, Graeme Batsman, to get his opinion on this storage method. He warned that “the zero-encryption is then rendered useless if claims to be unlockable by teachers”, and that without two-factor authentication, fishing is easier.

I asked Mike whether this meant the weakest link in the chain is the institution itself, and whether they use two-factor authentication to tackle this. “We’ve talked about it internally. But right now there’s no enforcement so it’s whatever security policy and procedures the institution has in place for accessing student grades”.

Mike says he would love to introduce two-factor, even though it would be a huge investment, and is working on designing this.

Now to get technical… breaches, certification and auditing

“Proctorio conducts daily security audits including penetration testing and vulnerability assessments”, its Privacy and Cookies page claims. But, Graeme tells me, a human doing this would cost a fortune, so if these tests are conducted by scripts, their value will be limited as scripts can only find ‘what’s known in the world’, whereas humans can detect unknown issues.

Mike admits that Proctorio has never had human testing, although a contract starting June 1st will introduce human auditors. “We’ve always had automated testing. We’ve just hired a white-hatted security company who’s going to go in really aggressively and not just use automated models, actually humans. It’s the first time we’re doing that”.

He says the aim will be to ‘prove they’re doing what they’re saying they’re doing’, and how securely they are doing it, in three ways: 1) testing the zero-knowledge encryption, including the algorithm used 2) analysing the data flows 3) aggressively attacking to try and steal data.

This will be their first attempted breach. Mike says the company has never experienced an attempted breach, although they have faced a denial of service attack whereby students try to overload the system.

“Typically it’s if a student doesn’t want to take a final exam. We’re most vulnerable during final exams because our systems are so strained. We’ve got tens of thousands of users all taking exams at the exact same time. So our normal pattern is like an attack; our systems are being attacked normally by just student data”.

As for meeting British security standards, Graeme warned that American certifications don’t hold much credibility in the UK.  Proctorio has ISO 27001 certification, “one of the most popular information security standards in existence”, according to itgovernance.co.uk, and is internationally recognised.

When asked about the scope of the certification, Mike told me the ISO covers all three entities, and that it mainly focuses on technology certification: it covers processes, data flows, and whether there are restrictions between connections and services.

Turning a new leaf

Mike hopes his next update will address some students’ fears, and also wanted to stress that the company is carbon neutral thanks to tree-planting off-set programmes and the fact candidates don’t have to use fuel travelling to testing centres. Hopefully this will be of some consolation to environmental science students.

My take

I used Proctorio because I was taking exams with the NCTJ, and when I tweeted that downloading the app felt like ‘selling my virginity’, I was surprised when Mike personally replied to say he was happy to contribute to my story about it!

Mike’s candidness and transparency are unusual in the rather murky, esoteric world of tech, which has in itself made me trust his intentions. Having scoured Proctorio’s website I can see they’ve done their best to assuage users’ fears, and although Mike thinks their marketing strategy has been poor, I am sympathetic. An app that controls your PC and scans your bedroom is an inherently tough sell no matter how you explain it.

The experience of using the app was simple but downloading it was nerve-wracking: I stand by my joke that clicking that ‘Add extension’ button felt like a violation. So, I am delighted that Proctorio’s new model will require fewer permissions and hope they can convey to students the integrity of the zero-knowledge encryption they use.

I am also pleased that Proctorio will start using human auditors but am shocked that it took them 6 years to reach that point given how comprehensive the permissions granted are. I am also surprised they didn’t introduce two-factor authentication long ago; it seems irresponsible to make students’ data accessible to teachers after merely entering an email address and password, which are clearly susceptible to hacking.

However, in Proctorio’s defence, I appreciate that the surge in demand due to coronavirus has exposed the company to unexpected levels of attention at a time when the app is still evolving. Also, I preferred being able to take exams from the comfort of my home, without spending hours travelling and sitting in a clinical exam hall. I hope Proctorio fixes its issues so students can continue their education without the added worry of data security and won’t feel obliged to make sarcastic tweets.

Thank you to Mike Olsen, CEO of Proctorio, for agreeing to an interview, and to Graeme Batsman for his insights on data security standards.