Alright, I have to install @ExamSoft for my law school exam. So let's do a thread on it from a privacy point of view 🙃
So first, my university says I have to log in with my school account. Fair enough. I then get a link to download the software.
The exams can be done in secure, non-secure blocked internet, or non-secure modes. Secure mode locks down your computer and access to files, non-secure blocked internet lets you access local files but not internet resources, and non-secure mode let's you access everything.
There are some sample exams included to try to run the software and figure out how to get it working. I went ahead and downloaded it to make sure I'm ready for my test.
First thing that pops up is the terms of service, let's see what these contain.
Well the first big thing is that you have to agree to mandatory arbitration which is pretty standard if not annoying.
Second, you're not allowed to run the software in a virtual machine. You're allowed to run it on a dual boot machine as long as you don't restart your computer during exam usage.
This part is really annoying because of all the access they ask for on the machine as we'll see in the ✨privacy✨ section.
Data collected includes biometric data including photos and face scan for the purpose of facial recognition. There is a link to a biometric consent terms of service. examsoft.com/es/biometric-c…
However, within that page there's the following nugget: "You are free to decline consent to provide Biometric Data and recordings to ExamSoft. However, your Institution may require you to consent to the collection of this data to take the exam using ExamSoft software."
Which is kind of broken that you have to force consent if your university requires you to do so or not be able to take the exam.
The policy also states "we share all photos, scans, and recordings, as well as a list of potential anomalies, with your Institution, but we do not make any determinations about them." Which seems weird because making a list of anomalies is by definition making a determination.
On the bright side, the have a stated deletion timeline of one year or sooner if your institution requests it. Doesn't look like there's any way to request it yourself.
Now that we've done that, let's look at the privacy policy.
Collection includes "makes and models of computers used by exam takers, types and versions of software used by exam takers, security and software performance related information, and log files and software usage patterns, such as exam upload and download information"
So theoretically, they could collect the info about your computer and all the software that you have on it. The logs look like they reference just the ExamSoft software so that seems reasonable.
I'm guessing they do some kind of rootkit/kernel thing based on this clause: "in order to secure the exam taker’s device, ExamSoft must access and, in some instances, modify device system files."
They position themselves as the data controller and state that your school is on the hook for your privacy rights...
"...contact the university or test administrator directly to exercise applicable privacy rights. If you contact us directly, we may remove or update your information within a reasonable time and after providing notice to the controller of your request."
They also say you "may" request that data is deleted but the caveat seems to be that it's only when data is no longer required for exam administration.
Additionally, arbitration is mandatory and there's no way to opt out of it except by means of simply not using the software.
So now that I've done the reading, some thoughts: I'm generally frustrated at the opacity of the exam options that students are being required to use without any guarantee of privacy.
The intrusiveness is not limited to ExamSoft, the games industry also has really intrusive measures (e.g. Riot installing kernel modules to monitor for anti-cheat).
Fortunately, the university has an option where you can borrow a laptop. I might just do that to take the exam. But overall, it's generally really frustrating that there aren't better solutions that are less invasive.
The thing that's additionally frustrating about this whole experience is that you're literally banned in the terms from trying to do any sort of auditing of the software itself which is why I'm just looking at what I can see in the terms.
So how does ExamSoft address these privacy questions? In one of their articles they mention that students may have a concern about data privacy and their answer is...that they comply with privacy laws. examsoft.com/resources/5-my…
They (fairly) note that they aren't doing facial recognition and are instead verifying off a baseline photo without if there's a recognition failure. I'll contend that it's also better that they log it instead of block the examtaker.
examsoft.com/resources/diff…
examsoft.com/resources/diff…
In their response to senators last year they mention that they focus on system monitoring and don't host their own proctors (instead rely on the school itself). examsoft.com/resources/resp…
However, these answers still don't give a clear picture to students what exactly is stored by them. Students, as the primary users of the software, should be able to know what the other side of it looks like.
Overall, it seems they do better than other solutions I've heard of. But the problem still perpetuates the core problem of compelled consent of extremely sensitive data. While remote proctoring does provide more accessibility, it should not be at the expense of choice.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
