Australian universities should think twice before installing spyware on students’ computers
7 May 2020|

Australian universities will soon be administering examinations online to comply with Covid-19-related social-distancing requirements and restrictions on movement.

To deter students from cheating, several universities have said that they plan to use online tools to supervise exams remotely. Classified by some as ‘legitimised’ versions of spyware, the software uses facial-detection and machine-learning technologies to identify and monitor students while they’re taking their exams online.

In April, the Australian National University announced its decision to use Proctorio, while the University of Sydney, the University of Queensland and the University of Western Sydney have reportedly decided to go with a competitor, ProctorU.

Proctorio and ProctorU are just two of a number of companies that provide online invigilation services. The exact parameters of the software vary between companies and are tailored to the specific test conditions, which the universities determine themselves.

In general, the software is integrated into the university’s systems and is used to monitor students by accessing their webcams, microphones and desktops during the exam. Both ProctorU and Proctorio, for example, can track eye movements and record keystrokes to identify suspicious behaviour, which they then automatically flag. They can also lock down browsers to ensure students can’t access online material. Students may be required to scan their room with a webcam at various points throughout the exam before being permitted to proceed.

Universities’ use of these products raises privacy and security concerns related to the amount of sensitive data that’s collected and stored by the software. Proctorio and ProctorU state in their terms of service that they will not be liable for damages associated with loss of data. They also state that they make no warranty on the security and reliability of the services they provide and therefore disclaim all liability for any problems with security or reliability. ProctorU doesn’t claim that the software will be ‘free of viruses or other harmful components’. However, these legal provisions don’t necessarily mean that the products will be faulty or insecure in some way.

Of enormous concern, each company’s terms state that in the event of bankruptcy, merger, acquisition, reorganisation or sale of assets, information may be sold or transferred as part of that transaction.

The terms state: ‘You will be notified via email and/or a prominent notice on our website of any change in ownership that affects the processing of your personal information, as well as any choices you may have regarding your personal information.’

It’s disturbing that universities have demonstrated a willingness to engage with companies that offer very little guarantee, beyond their marketing material, that data will be protected or that there will be legal safeguards in place. Indeed, ProctorU states that it will retain data for ‘as long as necessary’.

According to the companies, students consent to these terms through the use of the software. However, many universities have made using the software a condition of passing their courses, which means students are effectively unable to refuse consent. Some universities have taken steps to mitigate this issue. The ANU, for example, has offered deferred exams to students who don’t want to use the software. However, due to the uncertainty over Covid-19, students may not be see this as a truly viable option.

The University of Queensland has taken steps to mitigate the risks associated with retaining data by announcing that all ‘identity data’ collected by the software will be deleted within one week. The ANU released a statement that all data collected will be hosted in Australia and will be accessible only to ANU staff.

However, these measures may not provide adequate protection, especially considering the sensitive nature of the data collected. The data stored on university systems has proven to be a highly desirable target for hackers. Over 200 university and research centres reported more than 1,000 data breaches, or attempted breaches, in 2018. Universities already hold an enormous amount of personal information for current and past students that is of interest to state and non-state actors. The data extracted from this software will only add to that.

Both the University of Sydney and the ANU have noted that universities around the world are using similar programs and that the companies they’ve selected haven’t suffered security breaches. While that may be true, it’s not a basis for assessing the future security of the software.

It’s also not clear how effective online invigilation will be at ensuring students don’t engage in academic misconduct. Students who are determined to cheat will find ways to do so. A number of blogs and online threads provide readers with instructions on how to avoid detection during exams monitored by invigilation software.

One solution for universities to prevent cheating lies in switching to open-book exams that require critical thinking and problem solving, rather than turning to surveillance technology, especially at the expense of students’ data security.

The unprecedented nature of the pandemic has forced universities to move quickly to ensure that they have the capacity to conduct online exams for thousands of students. While academic integrity is undeniably an important consideration for universities transitioning to online exams, it must be weighed against the privacy and data security risks.