A vulnerability detected last year in an online-proctoring software used by more than 2,000 American colleges is raising new alarm bells for experts, who say that too many institutions — eager to assure the academic integrity of online assessments — have failed to evaluate those platforms and weigh the risk of cyberattacks.
“Security experts and cybersecurity experts have been talking about this being a concern” with online proctoring, “but it really hasn’t been reflected in the general conversation,” said Calli Schroeder, a privacy lawyer with the Electronic Privacy Information Center. And that’s “detrimental.”
Computest, a Dutch cybersecurity-consulting company, ran tests on one such provider, Proctorio, last June, and found a vulnerability — now fixed — within the software’s browser extension. As Computest’s head of security research, Daan Keuper, explained it, if attackers had lured someone who had the extension installed to an attacker-owned website — perhaps through email or Instagram messaging — they could have enabled the extension and exploited that vulnerability, allowing them to open email, take screenshots, and activate the user’s webcam, among other things.
The problem was in the software itself, so “everyone who had this software installed was at risk,” Keuper confirmed in an email. The Dutch news outlet RTL News first reported on the vulnerability in December; no U.S. federal laws require public disclosure in such cases.
A spokesman for Proctorio, which has contracts with roughly 2,400 American colleges, said the company had promptly fixed the vulnerability, within a week of notification, and had found no indication that anyone other than Computest had discovered or exploited it. The spokesman also referred The Chronicle to the company’s blog post, published on Wednesday, that discusses the matter and highlights Proctorio’s partnership with HackerOne, an independent ethical-hacker community that finds and reports security weaknesses.
For some experts and faculty members, the news of the vulnerability isn’t surprising. “It was just a matter of time,” said Chris Gilliard, a visiting research fellow at Harvard and an advocate for digital privacy. Online-proctoring software itself, he believes, is essentially “malware” to begin with.
Nonetheless, the discovery has left those observers even more skeptical that students are secure when using these tools. “Has anyone hacked into” such software, asked Maritez Apigo, an English professor at Contra Costa College, “and it just never hit the news?”
Rapid Growth
The use of online-proctoring tools has exploded since colleges went remote in the spring of 2020. Proctorio’s business reportedly increased ninefold from April 2019 to April 2020, with nearly three million active weekly users as of March 2021. It and other proctoring companies — such as Honorlock and ProctorU — permeated the news cycle just as quickly, drawing widespread ire over concerns with student stress and allegations of bias against people with disabilities or darker skin tones. Students at more than a dozen universities, including the City University of New York, the University of Wisconsin at Madison, and Washington State University, have circulated petitions protesting the use of the tools.
Cybersecurity has been largely absent from the discourse, though colleges have simultaneously grappled with a rise in cyberattacks. Microsoft Security Intelligence data show that “Education” is the industry most threatened by malware right now, making up 82.3 percent of reported cases in the last 30 days, as of Thursday.
(At least one online-proctoring company, ProctorU, had previously reported a data breach, in 2020 — an incident in which a hacker posted the records of nearly 450,000 people registered with the service, including their email addresses, full names, street addresses, and phone numbers. The impact, if any, of that breach still isn’t clear.)
Schroeder hopes news of the Proctorio vulnerability will spur colleges to move away from online proctoring. So far, she’s been disappointed that many are still leaning on the tool, and not exploring alternative testing methods such as open-book and project-based assessments. While Covid-19’s Omicron variant is once again causing sudden moves to temporary online instruction, colleges should be ready by now, she said.
“I very much sympathize with the fact … that colleges were making the best choice [they] could very quickly” when Covid-19 first hit, she said. But “now that we’ve had more time, and it looks like this may be a more ongoing situation … you don’t really get the excuse of saying ‘We had to make a quick call’ anymore. You need to be able to pull back and re-evaluate.”
Where Do Colleges Stand?
The Chronicle researched about two dozen colleges that — according to Google-search data of “.edu” sites compiled by Royce Kimmons and George Veletsianos, faculty members at Brigham Young University and Royal Roads University, respectively — produced the most web-page results mentioning Proctorio. We asked the colleges whether this development had influenced how they thought about online proctoring.
One, Utah State University, said it remained “confident” in the tool’s security, noting that Proctorio conducts daily vulnerability scans. The software has “been positive for our students to be able to continue their educational goals” during the pandemic, a spokeswoman added via email.
Other replies were more ambiguous. At least six of the colleges no longer use the tool, though it wasn’t clear whether that decision stemmed from cybersecurity concerns.
The 23-campus California State University system, which says it has been moving away from the use of online proctoring since 2020, stated that it would not renew its Proctorio agreement, which expires in September. It would, however, allow individual campuses to contract with Proctorio directly.
All that confirmed they had agreements with Proctorio said the software was not mandatory. A few also noted low usage: A spokesman at the University of Wisconsin at Milwaukee, for example, wrote in an email that it “does utilize Proctorio software, but in a limited way,” with 115 of some 8,400 courses — less than 2 percent — using the software during the fall-2021 semester.
So why keep an online-proctoring software if usage is low and controversy is high? The answer is complicated.
Many colleges and their faculty members remain worried about academic integrity — in the summer of 2020, at least, 93 percent of nearly 800 surveyed instructors said they believed online exams encouraged cheating. Cassidy Creech, a marketing lecturer at Utah State, said that while he uses hands-on, project-based assessments for most classes, Proctorio has been a “valuable” tool for him in one gateway course, where many students remain online and he wants to ensure foundational knowledge before they move to upper-level courses.
“For me, honestly, it’s given me a level of assurance I need in the results — to have the confidence that everybody is playing on a level playing field,” he said.
Data proving that online-proctoring software curtails cheating is limited. Proctorio directed The Chronicle to an independent 2018 research study that identified lower test scores and shorter test times for proctored versus unproctored online exams. The authors suggested those findings indicated reduced instances of cheating. The study did not explore what role factors such as students’ anxiety with online proctoring might play in their performance.
Economics probably explains some of the loyalty to online proctoring, Gilliard said. “Once institutions purchase a thing, they have to justify that purchase … you can’t just leave it on the shelf,” he said. Reporting by The New Yorker revealed some Proctorio contracts are worth around half a million dollars a year.
For the University of Texas at Austin, specifically, re-upping the service last year was a matter of not having a better option fleshed out when the contract came due for renewal. The university’s academic-integrity committee hadn’t yet weighed in, “nor did we have the alternative solutions for faculty,” a spokeswoman wrote in an email. The committee later recommended strongly that the university not use the software.
Experts point to numerous ways faculty members can foster integrity with online assessments. They cite open-book or conceptual, essay-based exams as opposed to multiple choice, for example, or — simply — trusting students more.
The committee at UT-Austin also recommends numerous short tests throughout a semester, with each test having a relatively low impact on the final grade, or Zoom-proctored exams for classes of fewer than 49 students. Apigo said she’d seen colleagues at Contra Costa College, a two-year institution in California, embrace creative assignments, too; for example, asking students in a biology course to communicate what they know about a particular disease by designing brochures.
Such approaches may better reflect the skills needed in the postgraduate work force, Gilliard said.
“In the real world, people don’t mostly sit in a room in a timed session under the eye of cameras.”
