By Ellie Fishleigh for 91探花
Lockdown has made exam season as much of a learning curve for the teachers as for the students. The task of finding new ways to hold exams was thrust on institutions with no real notice, leading some establishments to look for solutions overseas. As a result, thousands of British students have been instructed to open their computers to American tech that asks to record your screen, manage your downloads and can even track your eye movements鈥
This genre of tech has been in headlines since working from home became the status quo, with companies like that tracks not only employees鈥 faces but also their loo breaks. But when it comes to exams, remote invigilation is beginning to look like the 鈥榥ew normal鈥.
I spoke to Mike Olsen, the CEO of Proctorio, a US-based company offering a remote invigilation service with over 900,000 users according to Google Chrome. He explained what鈥檚 really going on behind the scenes of this seemingly alien, intrusive software.
What鈥檚 all the fuss about?
Before adding the extension, Proctorio asks for a wide range of permissions to enable it to 鈥榣ock down鈥 a candidate鈥檚 computer, preventing cheating and detecting plagiarism. Aware that this will frighten some students, the company explains its rationale on its . Of the ability to 鈥榬ead and change all your data on the websites that you visit鈥, they reassure users: 鈥淚t鈥檚 a lot less scary that it sounds鈥︹
Students have certainly noted the breadth of permissions you must grant the app, with over 4,000 students even having signed a to abandon the software at Australian National University. Mike jokes that the company has faced backlash from students who don鈥檛 know what they鈥檙e talking about. 鈥淚t鈥檚 hilarious, students pretending to care where their data goes. Whether they鈥檙e cheating or not, I don鈥檛 really care, but then they go out and they just say things. They don鈥檛 do any research, they just make things up, and then it gets amplified, and that鈥檚 been very upsetting over the last couple of months鈥.
He blames this on a poor marketing strategy: 鈥淚 think that鈥檚 our biggest problem right now, our marketing side does such a poor job of communication especially to the end user, to the student鈥.
He also emphasised that it鈥檚 not strictly Proctorio asking to use these permissions. Rather, the educational institutions themselves decide how they wish to monitor their students. Regarding the power to scan students鈥 rooms via webcam, Mike says: 鈥淲ell, that鈥檚 a setting that the institution turns on. It鈥檚 not on by default. We actually don鈥檛 have any defaults. They wanted that. If there鈥檚 a problem with it, well we鈥檙e just the provider, you need to talk to the institution鈥.
One such institution is the National Council for the Training of Journalists (NCTJ), who offer online assessments as an alternative to delaying their exams until it鈥檚 possible to sit them in-person. Rachel Manby, their Head of Quality and Assessment told me why they chose to use screen recording and webcam monitoring, and why open-book examinations were not an option.
鈥淲e have enabled webcam monitoring in the Proctorio software so that we are able to identify any suspected or actual malpractice that may take place during an exam. We have enabled screen lockdown so candidates are unable to access the internet during an exam, for example to look up answers or to communicate with other candidates. This allows us to protect the security of our assessments and the reliability and validity of the assessment results.
鈥淣CTJ exams at diploma level are closed book assessments whether they are delivered remotely or in centre, to maintain the integrity of the diploma qualification and to ensure a consistent and fair approach to delivery for all candidates. The data captured by Proctorio during our exams is stored securely at the NCTJ in line with data protection requirements (including the right to be forgotten) and is reviewed by NCTJ staff for quality assurance purposes only鈥.
Who is using this software?
Mike says that prior to the pandemic, Proctorio was mostly a US-based company, but is more European now: 鈥淲e really saw that concentration in the US and now it has just exploded globally, even in Europe. Europeans were more traditional, it was classrooms, it was on-campus, it was pencils and paper. And what had to happen almost overnight is they had to transform to digital, they had to transform to new exams in new formats鈥.
Lockdown certainly saw a boom in their business. 鈥淥ur system was designed to take on the load and it has done well. But as a company, we were not ready for the demand. To give you an example, in a three week period we got 1,900 leads. We didn鈥檛 have sales teams to get them on board – that was the scaling issue we hit. We鈥檙e coming out of that, but the demand hasn鈥檛 slowed down鈥.
The app has an array of logos emblazoned on its , citing Amazon, Duke University and the University of Washington amongst its clients. At present, their website says: 鈥淲e work with over 400 universities, institutions, and corporations to provide secure, reliable, cost-effective remote proctoring, identity verification, and originality authentication鈥.
At the time of the interview in late May, 15 of these institutions were in the UK, including Royal Veterinary College, Hult International Business School and the NCTJ, with 10 more being set up over the following fortnight.
Why does it need all those permissions?
With so many permissions enabled, I put it to Mike that students may fear Proctorio is a goldmine for data theft and fraud, and wonder why it needs all those abilities. 鈥淲e basically asked for everything we needed. So, assuming that the exam has all the security features, all the recording features, everything was enabled, we asked for all the permissions and used those.
鈥淭hat was a mistake, I think that was lazy. A lazy mistake when it comes to engineering, easier to ask for everything upfront and now we鈥檙e not using it. But again, from your point of view, you don鈥檛 know that, how can you trust that. So, we鈥檙e moving to a different model鈥.
The new model, planned for release this summer, is going to ask for the 鈥榤inimum amount of permissions required鈥 and operate as a browser extension through a web-page, using a concept called 鈥榮andboxing鈥.
He says: 鈥淲ebsites run a sort of sandbox concept, meaning they can鈥檛 access personal files, none of that can be touched. So if we operate as a browser extension, we can also operate within the sandbox, which gives us just enough access to secure the content, but it doesn鈥檛 give us any access that most people are concerned about: personal files, being able to turn on whenever we want to turn on, installing things on your system. It鈥檚 just a browser extension鈥.
Within the remote proctoring world, this is novel, and Mike is pleased that his competitors are copying them: 鈥淭he competition still use remote control software unfortunately. You鈥檙e installing stuff on your computer, they take control, they actually move your mouse, click your keyboard. But we don鈥檛 want to operate that way鈥.
Proctorio鈥檚 model comes with bonuses for privacy and efficiency, Mike suggests. Unlike some competitors who use a human (based in a call centre in India, he says) to monitor students through the webcam, Proctorio uses AI, protecting privacy. As a result, he says the cost of licensing the app for use with one student for an entire year is equivalent to the price of 1-1.5 exams with a competitor who uses a human invigilator.
Where does the data go?
Customers can choose where their data is stored. Mike says that when a client is on-boarded they pick a region, and all the data flows through and is stored in that region without leaving. They offer storage that is specific to the US, the UK and Germany, plus a general EU region space and storage in India, Canada and Australia. The privacy laws adhered to will also depend on the region being contracted with.
However, Proctorio does use Microsoft data centres, which have been the subject of some due to fears the US Patriot Act could enable the States鈥 government to collect information material to terrorism or espionage investigations.
More from News
- Tanzania Is Dealing With Digital Fraud Through Legislation – What Are The Changes?
- UK Government To Launch 拢500 Million Sovereign AI Unit – What Does This Mean?
- World Quantum Day 2026: Experts Reflect On Industry Developments This Year
- 79% Of UK Workers Fear Losing Their Jobs This Year – And Its Not AI Related
- Scail Launches To Help Regulated SaaS Businesses Navigate The AI 鈥淧erfect Storm鈥
- X Is Taking A Slightly Different Approach To Managing Click Bait Content – Will It Work?
- AI Is Meant To Reduce Workloads, Why Is It Still Causing Workers Cognitive Fatigue?
- Apple Wins Q1 As Smartphones Shipments Go Up And Competitor Sales Go Down
But Mike believes Microsoft鈥檚 problems have now largely been addressed. 鈥淚 know there were concerns early, because of things like the US Patriot Act, which would effectively allow the US government to access data. I know Microsoft has found ways around that, they don鈥檛 own the data centres. They鈥檙e based in Germany but licensed to Microsoft. They just give their customers access to it. Which effectively eliminates the ability of the US Patriot Act to kick in鈥.
How is the data stored?
The data itself is stored using zero-knowledge encryption. Mike says this means it wouldn鈥檛 matter if the data flowed through the US as it is 鈥榚ssentially useless鈥 to anybody snooping on it. To explain how this encryption technique works, he drew an analogy.
鈥淟et鈥檚 say I’m a company that holds paperwork for a law firm and before they send it to me, they shred it. And I store the shredded documents and then when they need them, they have some magic way to turn them back into papers. What that does is prevents me from data-mining or training an algorithm, because the data I鈥檓 storing is useless. That鈥檚 why you鈥檙e not going to see a lot of companies doing this鈥.
Indeed, he says there are only about six companies in the world trying to use this form of encryption because it鈥檚 undesirable for investors who want to use data to 鈥榮queeze extra money out of a company鈥. 鈥淥ne of the differences is I鈥檓 not venture funded鈥, he says. 鈥淭he reason you don鈥檛 see zero-knowledge encryption anywhere is because there’s no way I can squeeze data out of the data we鈥檙e storing. It鈥檚 something that makes me not investable, it doesn鈥檛 make me a very attractive sale for a company鈥.
I spoke to the founder of , Graeme Batsman, to get his opinion on this storage method. He warned that 鈥渢he zero-encryption is then rendered useless if claims to be unlockable by teachers鈥, and that without two-factor authentication, fishing is easier.
I asked Mike whether this meant the weakest link in the chain is the institution itself, and whether they use two-factor authentication to tackle this. 鈥淲e鈥檝e talked about it internally. But right now there鈥檚 no enforcement so it鈥檚 whatever security policy and procedures the institution has in place for accessing student grades鈥.
Mike says he would love to introduce two-factor, even though it would be a huge investment, and is working on designing this.
Now to get technical鈥 breaches, certification and auditing
鈥淧roctorio conducts daily security audits including penetration testing and vulnerability assessments鈥, its page claims. But, Graeme tells me, a human doing this would cost a fortune, so if these tests are conducted by scripts, their value will be limited as scripts can only find 鈥榳hat鈥檚 known in the world鈥, whereas humans can detect unknown issues.
Mike admits that Proctorio has never had human testing, although a contract starting June 1st will introduce human auditors. 鈥淲e鈥檝e always had automated testing. We鈥檝e just hired a security company who’s going to go in really aggressively and not just use automated models, actually humans. It鈥檚 the first time we鈥檙e doing that鈥.
He says the aim will be to 鈥榩rove they鈥檙e doing what they鈥檙e saying they鈥檙e doing鈥, and how securely they are doing it, in three ways: 1) testing the zero-knowledge encryption, including the algorithm used 2) analysing the data flows 3) aggressively attacking to try and steal data.
This will be their first attempted breach. Mike says the company has never experienced an attempted breach, although they have faced a denial of service attack whereby students try to overload the system.
鈥淭ypically it鈥檚 if a student doesn鈥檛 want to take a final exam. We鈥檙e most vulnerable during final exams because our systems are so strained. We鈥檝e got tens of thousands of users all taking exams at the exact same time. So our normal pattern is like an attack; our systems are being attacked normally by just student data鈥.
As for meeting British security standards, Graeme warned that American certifications don鈥檛 hold much credibility in the UK.聽 Proctorio has ISO 27001 certification, 鈥渙ne of the most popular information security standards in existence鈥, according to , and is internationally recognised.
When asked about the scope of the certification, Mike told me the ISO covers all three entities, and that it mainly focuses on technology certification: it covers processes, data flows, and whether there are restrictions between connections and services.
Turning a new leaf
Mike hopes his next update will address some students鈥 fears, and also wanted to stress that the company is carbon neutral thanks to tree-planting off-set programmes and the fact candidates don鈥檛 have to use fuel travelling to testing centres. Hopefully this will be of some consolation to environmental science students.
My take
I used Proctorio because I was taking exams with the NCTJ, and when I that downloading the app felt like 鈥榮elling my virginity鈥, I was surprised when Mike personally replied to say he was happy to contribute to my story about it!
Mike鈥檚 candidness and transparency are unusual in the rather murky, esoteric world of tech, which has in itself made me trust his intentions. Having scoured Proctorio鈥檚 website I can see they鈥檝e done their best to assuage users鈥 fears, and although Mike thinks their marketing strategy has been poor, I am sympathetic. An app that controls your PC and scans your bedroom is an inherently tough sell no matter how you explain it.
The experience of using the app was simple but downloading it was nerve-wracking: I stand by my joke that clicking that 鈥楢dd extension鈥 button felt like a violation. So, I am delighted that Proctorio鈥檚 new model will require fewer permissions and hope they can convey to students the integrity of the zero-knowledge encryption they use.
I am also pleased that Proctorio will start using human auditors but am shocked that it took them 6 years to reach that point given how comprehensive the permissions granted are. I am also surprised they didn鈥檛 introduce two-factor authentication long ago; it seems irresponsible to make students鈥 data accessible to teachers after merely entering an email address and password, which are clearly susceptible to hacking.
However, in Proctorio鈥檚 defence, I appreciate that the surge in demand due to coronavirus has exposed the company to unexpected levels of attention at a time when the app is still evolving. Also, I preferred being able to take exams from the comfort of my home, without spending hours travelling and sitting in a clinical exam hall. I hope Proctorio fixes its issues so students can continue their education without the added worry of data security and won鈥檛 feel obliged to make sarcastic tweets.
Thank you to Mike Olsen, CEO of Proctorio, for agreeing to an interview, and to Graeme Batsman for his insights on data security standards.
