> Skip to content
FEATURED:
  • The Evolution of Race in Admissions
Sign In
  • News
  • Advice
  • The Review
  • Data
  • Current Issue
  • Virtual Events
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Career Resources
    • Find a Job
    • Post a Job
    • Career Resources
Sign In
  • News
  • Advice
  • The Review
  • Data
  • Current Issue
  • Virtual Events
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Career Resources
    • Find a Job
    • Post a Job
    • Career Resources
  • News
  • Advice
  • The Review
  • Data
  • Current Issue
  • Virtual Events
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Career Resources
    • Find a Job
    • Post a Job
    • Career Resources
Sign In
ADVERTISEMENT
Student Surveillance
  • Twitter
  • LinkedIn
  • Show more sharing options
Share
  • Twitter
  • LinkedIn
  • Facebook
  • Email
  • Copy Link URLCopied!
  • Print

A Vulnerability in Proctoring Software Should Worry Colleges, Experts Say

By  Taylor Swaak
January 6, 2022
trendsmangan-web-full-bleed.jpg
Harry Haysom for The Chronicle

A vulnerability detected last year in an online-proctoring software used by more than 2,000 American colleges is raising new alarm bells for experts, who say that too many institutions — eager to assure the academic integrity of online assessments — have failed to evaluate those platforms and weigh the risk of cyberattacks.

“Security experts and cybersecurity experts have been talking about this being a concern” with online proctoring, “but it really hasn’t been reflected in the general conversation,” said Calli Schroeder, a privacy lawyer with the Electronic Privacy Information Center. And that’s “detrimental.”

We’re sorry. Something went wrong.

We are unable to fully display the content of this page.

The most likely cause of this is a content blocker on your computer or network. Please make sure your computer, VPN, or network allows javascript and allows content to be delivered from c950.chronicle.com and chronicle.blueconic.net.

Once javascript and access to those URLs are allowed, please refresh this page. You may then be asked to log in, create an account if you don't already have one, or subscribe.

If you continue to experience issues, contact us at 202-466-1032 or help@chronicle.com

A vulnerability detected last year in an online-proctoring software used by more than 2,000 American colleges is raising new alarm bells for experts, who say that too many institutions — eager to assure the academic integrity of online assessments — have failed to evaluate those platforms and weigh the risk of cyberattacks.

“Security experts and cybersecurity experts have been talking about this being a concern” with online proctoring, “but it really hasn’t been reflected in the general conversation,” said Calli Schroeder, a privacy lawyer with the Electronic Privacy Information Center. And that’s “detrimental.”

Computest, a Dutch cybersecurity-consulting company, ran tests on one such provider, Proctorio, last June, and found a vulnerability — now fixed — within the software’s browser extension. As Computest’s head of security research, Daan Keuper, explained it, if attackers had lured someone who had the extension installed to an attacker-owned website — perhaps through email or Instagram messaging — they could have enabled the extension and exploited that vulnerability, allowing them to open email, take screenshots, and activate the user’s webcam, among other things.

The problem was in the software itself, so “everyone who had this software installed was at risk,” Keuper confirmed in an email. The Dutch news outlet RTL News first reported on the vulnerability in December; no U.S. federal laws require public disclosure in such cases.

ADVERTISEMENT

A spokesman for Proctorio, which has contracts with roughly 2,400 American colleges, said the company had promptly fixed the vulnerability, within a week of notification, and had found no indication that anyone other than Computest had discovered or exploited it. The spokesman also referred The Chronicle to the company’s blog post, published on Wednesday, that discusses the matter and highlights Proctorio’s partnership with HackerOne, an independent ethical-hacker community that finds and reports security weaknesses.

For some experts and faculty members, the news of the vulnerability isn’t surprising. “It was just a matter of time,” said Chris Gilliard, a visiting research fellow at Harvard and an advocate for digital privacy. Online-proctoring software itself, he believes, is essentially “malware” to begin with.

Nonetheless, the discovery has left those observers even more skeptical that students are secure when using these tools. “Has anyone hacked into” such software, asked Maritez Apigo, an English professor at Contra Costa College, “and it just never hit the news?”

Rapid Growth

The use of online-proctoring tools has exploded since colleges went remote in the spring of 2020. Proctorio’s business reportedly increased ninefold from April 2019 to April 2020, with nearly three million active weekly users as of March 2021. It and other proctoring companies — such as Honorlock and ProctorU — permeated the news cycle just as quickly, drawing widespread ire over concerns with student stress and allegations of bias against people with disabilities or darker skin tones. Students at more than a dozen universities, including the City University of New York, the University of Wisconsin at Madison, and Washington State University, have circulated petitions protesting the use of the tools.

ADVERTISEMENT

Cybersecurity has been largely absent from the discourse, though colleges have simultaneously grappled with a rise in cyberattacks. Microsoft Security Intelligence data show that “Education” is the industry most threatened by malware right now, making up 82.3 percent of reported cases in the last 30 days, as of Thursday.

(At least one online-proctoring company, ProctorU, had previously reported a data breach, in 2020 — an incident in which a hacker posted the records of nearly 450,000 people registered with the service, including their email addresses, full names, street addresses, and phone numbers. The impact, if any, of that breach still isn’t clear.)

Schroeder hopes news of the Proctorio vulnerability will spur colleges to move away from online proctoring. So far, she’s been disappointed that many are still leaning on the tool, and not exploring alternative testing methods such as open-book and project-based assessments. While Covid-19’s Omicron variant is once again causing sudden moves to temporary online instruction, colleges should be ready by now, she said.

“I very much sympathize with the fact … that colleges were making the best choice [they] could very quickly” when Covid-19 first hit, she said. But “now that we’ve had more time, and it looks like this may be a more ongoing situation … you don’t really get the excuse of saying ‘We had to make a quick call’ anymore. You need to be able to pull back and re-evaluate.”

Where Do Colleges Stand?

ADVERTISEMENT

The Chronicle researched about two dozen colleges that — according to Google-search data of “.edu” sites compiled by Royce Kimmons and George Veletsianos, faculty members at Brigham Young University and Royal Roads University, respectively — produced the most web-page results mentioning Proctorio. We asked the colleges whether this development had influenced how they thought about online proctoring.

One, Utah State University, said it remained “confident” in the tool’s security, noting that Proctorio conducts daily vulnerability scans. The software has “been positive for our students to be able to continue their educational goals” during the pandemic, a spokeswoman added via email.

Other replies were more ambiguous. At least six of the colleges no longer use the tool, though it wasn’t clear whether that decision stemmed from cybersecurity concerns.

The 23-campus California State University system, which says it has been moving away from the use of online proctoring since 2020, stated that it would not renew its Proctorio agreement, which expires in September. It would, however, allow individual campuses to contract with Proctorio directly.

All that confirmed they had agreements with Proctorio said the software was not mandatory. A few also noted low usage: A spokesman at the University of Wisconsin at Milwaukee, for example, wrote in an email that it “does utilize Proctorio software, but in a limited way,” with 115 of some 8,400 courses — less than 2 percent — using the software during the fall-2021 semester.

ADVERTISEMENT

So why keep an online-proctoring software if usage is low and controversy is high? The answer is complicated.

Many colleges and their faculty members remain worried about academic integrity — in the summer of 2020, at least, 93 percent of nearly 800 surveyed instructors said they believed online exams encouraged cheating. Cassidy Creech, a marketing lecturer at Utah State, said that while he uses hands-on, project-based assessments for most classes, Proctorio has been a “valuable” tool for him in one gateway course, where many students remain online and he wants to ensure foundational knowledge before they move to upper-level courses.

“For me, honestly, it’s given me a level of assurance I need in the results — to have the confidence that everybody is playing on a level playing field,” he said.

Data proving that online-proctoring software curtails cheating is limited. Proctorio directed The Chronicle to an independent 2018 research study that identified lower test scores and shorter test times for proctored versus unproctored online exams. The authors suggested those findings indicated reduced instances of cheating. The study did not explore what role factors such as students’ anxiety with online proctoring might play in their performance.

Economics probably explains some of the loyalty to online proctoring, Gilliard said. “Once institutions purchase a thing, they have to justify that purchase … you can’t just leave it on the shelf,” he said. Reporting by The New Yorker revealed some Proctorio contracts are worth around half a million dollars a year.

ADVERTISEMENT

For the University of Texas at Austin, specifically, re-upping the service last year was a matter of not having a better option fleshed out when the contract came due for renewal. The university’s academic-integrity committee hadn’t yet weighed in, “nor did we have the alternative solutions for faculty,” a spokeswoman wrote in an email. The committee later recommended strongly that the university not use the software.

Experts point to numerous ways faculty members can foster integrity with online assessments. They cite open-book or conceptual, essay-based exams as opposed to multiple choice, for example, or — simply — trusting students more.

The committee at UT-Austin also recommends numerous short tests throughout a semester, with each test having a relatively low impact on the final grade, or Zoom-proctored exams for classes of fewer than 49 students. Apigo said she’d seen colleagues at Contra Costa College, a two-year institution in California, embrace creative assignments, too; for example, asking students in a biology course to communicate what they know about a particular disease by designing brochures.

Such approaches may better reflect the skills needed in the postgraduate work force, Gilliard said.

“In the real world, people don’t mostly sit in a room in a timed session under the eye of cameras.”

Update (Jan. 7, 2022, 2:09 p.m.): This article has been updated to provide more information about California State University's use of online proctoring.
We welcome your thoughts and questions about this article. Please email the editors or submit a letter for publication.
TechnologyTeaching & LearningOnline LearningInnovation & Transformation
Taylor Swaak
Taylor Swaak is a staff reporter at The Chronicle of Higher Education, covering how innovations in technology are changing the student experience. She aims to hold institutions accountable for technology that is misused or contributes to inequity, as well as uplift success stories that could inspire other ideas.
ADVERTISEMENT
ADVERTISEMENT
  • Explore
    • Get Newsletters
    • Letters
    • Free Reports and Guides
    • Blogs
    • Virtual Events
    • Chronicle Store
    • Find a Job
    Explore
    • Get Newsletters
    • Letters
    • Free Reports and Guides
    • Blogs
    • Virtual Events
    • Chronicle Store
    • Find a Job
  • The Chronicle
    • About Us
    • DEI Commitment Statement
    • Write for Us
    • Talk to Us
    • Work at The Chronicle
    • User Agreement
    • Privacy Policy
    • California Privacy Policy
    • Site Map
    • Accessibility Statement
    The Chronicle
    • About Us
    • DEI Commitment Statement
    • Write for Us
    • Talk to Us
    • Work at The Chronicle
    • User Agreement
    • Privacy Policy
    • California Privacy Policy
    • Site Map
    • Accessibility Statement
  • Customer Assistance
    • Contact Us
    • Advertise With Us
    • Post a Job
    • Advertising Terms and Conditions
    • Reprints & Permissions
    • Do Not Sell My Personal Information
    Customer Assistance
    • Contact Us
    • Advertise With Us
    • Post a Job
    • Advertising Terms and Conditions
    • Reprints & Permissions
    • Do Not Sell My Personal Information
  • Subscribe
    • Individual Subscriptions
    • Institutional Subscriptions
    • Subscription & Account FAQ
    • Manage Newsletters
    • Manage Your Account
    Subscribe
    • Individual Subscriptions
    • Institutional Subscriptions
    • Subscription & Account FAQ
    • Manage Newsletters
    • Manage Your Account
1255 23rd Street, N.W. Washington, D.C. 20037
© 2023 The Chronicle of Higher Education
  • twitter
  • instagram
  • youtube
  • facebook
  • linkedin