Remote proctoring companies like Proctorio, ProctorU, and ExamSoft collect all manner of private data on students and test takers, from biometric information to citizenship status to video and audio of a user’s surroundings. During the pandemic there has been a 500% increase in the usage of these proctoring tools—in 2020, more than half of higher education institutions used remote proctoring services and another 23% were considering doing so. At this point, remote proctoring services are a given for many students. But despite their rocketing use–and data breaches, and concern from federal lawmakers and California’s Supreme Court, no meaningful data protections have been put into place to protect the privacy of test takers.
Too many schools across the state continue to use remote proctoring at its most invasive settings.
California’s Student Test Taker Privacy Protection Act (STTPPA) will correct this. It is put forward by Senator Dr. Richard Pan (S.B. 1172) and sponsored by EFF and Privacy Rights Clearinghouse.
The TTPPA directs proctoring companies to follow reasonable data minimization practices, meaning they cannot collect, use, retain, or disclose test takers’ personal information except as strictly necessary to provide proctoring services. In the event a student’s data was processed beyond what was required to proctor the exam, the student has the opportunity to take the proctoring company to court. This allows the courts to decide, narrowly and thoughtfully, what data is actually required to collect for proctoring services, how long it needs to be be held, and how it needs to be used and disclosed. It’s a simple bill that should give the people harmed—test takers—the opportunity to protect their data and privacy. A summary of the bill is here.
Proctoring software creates serious problems for students, including:
- Bias: the software inaccurately flags disabled students as cheating more often, and fails to recognize black and brown faces properly, making it harder for some (already disadvantaged) users to succeed.
- Surveillance: the software can collect extremely personal and private data, and retention periods are often years-long. Data breaches of this private, and often biometric, information have already occurred.
- Security vulnerabilities: these tools often force students to hand over administrator rights to their devices, putting them at risk of dangerous security invasions.
This bill will tackle these problems. Right now, students have little recourse for protecting the private data that is collected from them during these proctored exams, or for limiting access the software has on their devices. Proctoring companies claim their customers are the schools who pay them, and not the test takers whose private data is processed. Together, those two entities decide on the surveillance features used, the data retention period, and more. Even where there is no school involvement, such as during the bar exam, companies say the students are still not the customer–the test administrator is. On this basis, proctoring companies have made it difficult for test takers to leverage California’s Consumer Privacy Act to protect their data, or request its deletion.
This simple bill will right the imbalance that exists and give students the ability to protect their own private information. It will also require proctoring companies to be more transparent about their data collection and usage, which will help improve security. And it will allow courts to analyze the effectiveness of remote proctoring tools.
Who Supports the STTPPA
The STTPPA is currently sponsored by EFF and Privacy Rights Clearinghouse. These organizations have fought to protect students’ rights for years.
California’s state government has already recognized the problem that the STTPPA would address. In late 2020, the California Supreme Court directed the California State Bar to prepare a timetable for destruction of all bar examinees’ personally identifiable information retained by the remote proctoring company (ExamSoft). The court recognized that some data collection was unrelated to the administration of the bar, and that unnecessary retention of sensitive PII data increases the risk of unintentional disclosure. The STTPPA would enshrine this sort of requirement in law.
This simple bill will right the imbalance and give students the ability to protect their own private information.
Students Have Led the Way—Now California Should Step Up
Students should be able to take tests without fearing for their privacy. But they rarely can opt out of data collection when using remote proctoring, let alone say they don’t want to use an online proctoring platform. Rather, the choice is often between using the invasive software or not taking the exam and getting a zero. One study showed that 97% of students using online proctoring tools were required to do so. That’s why students have been at the forefront of this fight, pushing back against automated proctoring in their schools.
Dozens of schools across California have already taken meaningful action. For example, UC Berkeley, for example, uses Zoom to proctor exams—no data collection required. UC Santa Barbara, as well, has recommended teachers move away from high stakes testing during remote learning, and has required that faculty cannot require students to participate in remote proctoring. Many educators have likewise recommended against remote proctoring.
Still, too many schools across the state continue to use remote proctoring at its most invasive settings. STTPPA will alleviate privacy concerns for students like these who are required to use remote proctoring.