Remote Proctoring for the MOOC – an opening for the next wave in privacy excess

For those who herald such things, 2012 was the year of the MOOC – massive open online courses. Most MOOC courses are free, though some providers are attempting to monetize the offerings. The Chronicle of Higher Education reports that Coursera, the leading provider has exceeded one million students while Udacity is nearing that mark.

The MOOC movement represents a highly disruptive innovation in education. Content is provided for free (or low cost) to the public on a massive scale. While some courses are little more than correspondence programs, others are highly interactive – with student projects, effective feedback, and measurable learning outcomes.

Successful educational institutions will still sell the academic degrees as well as the more intimate experiential learning opportunities. Other universities, struggling financially, tend to see MOOCs as threats to revenue while other critics raise concerns about rigor and engagement.

Ironically, the open access for the MOOC raises concerns about the reliability of the authentication of the test taker. If the certification is valuable, then perhaps one can hire a stand-in to take the course and pass the exam. According to the Washington Post, “security measures suggest that people sometimes cheat in MOOCs, even when there are no course credits or money at stake.”

To expand its business model and improve the reliability of MOOC participation, Coursera has launched a “pilot project to check the identities of its students and offer “verified certificates” of completion, for a fee. A key part of that validation process will involve what Coursera officials call “keystroke biometrics”—analyzing each user’s pattern and rhythm of typing to serve as a kind of fingerprint.”

Keystroke biometrics are recognized for distinguishing between automated computer responses and human responses, so they are quite useful for separating human users from computer bots. They are less commonly used as an identity credential.

The keystroke biometrics are just part of the Coursera approach. It will also use photographs of the student’s ID and of the student taken from the computer to be compared by hand.

The most common way for online courses to be verified is for the student to take the exam at a test center. Such facilities exist throughout the county and sometime universities offer this service to each other as an accommodation for traveling students.

Using ineffective technologies will make a joke out of the credibility for MOOC certification. While the risk of being caught will deter some potential cheaters, it will incentivize others to work around the weak protections and harm the credibility of these programs.

Inevitably, the next step in student monitoring will be to remotely capture photos, video or audio of the students engaged while in the course. Products that remotely control onsite computers such as Apple Remote Desktop, LanSchool, and Net Orbit, can be adapted to the student’s home computer. In 2010, for example, a Philadelphia high school was sued for spying on its students without any prior notification.

Perhaps the use of live biometric voice recognition would improve the reliability and avoid the risk that the system could capture data surreptitiously, but such steps should be taken with caution.

Until the MOOC certificate is part of a college transcript, there is no reason to worry about verification. Schools offering college credit for these courses should extend their academic standards and honor codes to the courses.

Any monitoring of online students should be done in a manner that requires the student to log into the system and complete verification steps. It should not allow the system to reach into the student’s computer or turn on monitoring devices – including keystroke monitors, microphones or cameras. Any system that allows the school to choose when to monitor the student is likely to become intrusive and glean inappropriate information by the school.

There are many effective ways to verify the work of students – computer monitoring should not be one of them.

Advertisements

Lack of Network Diligence Will Cost Dearly

Northwest Florida State College acknowledged on Oct. 10, 2012 that it has been the subject of a data breach. The announcement explained the attack included “Northwest Florida State College student data on 76,500 current and past students as well as student data on approximately 200,000 Bright Futures scholars across the State of Florida” as well as 3200 employees.

The breach seems to have been identified and corrected approximately two weeks prior to this announcement, around Sept. 24th. But the report acknowledges that the break-in began May 21st and continued unabated for three months.

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The Chronicle of Higher Education reports that “cases of identity theft have already been reported, with information used to take out loans or open store accounts and make purchases.”

An update by the university regarding the intrusion added details regarding the attack:

At this point in time, the personal information of employees includes name, birthdate, employee Direct Deposit bank routing and account number information, and Social Security number. Approximately 50 employees to date have reported issues with identity theft, including the college president, faculty and staff.

For universities struggling in a weak economy, high tuition, and questions on the return in investment, failures to protect the information of prospective or current students could prove disastrous. Senior university leadership should learn from the obligations under HIPAA and Sarbanes-Oxley to stay very informed and engaged in the security of their students – both offline and online. That the president of the university was personally targeted by the attackers makes the need for diligence even more important.

It is also a good reminder that all of us receiving funds via direct deposit need to become more diligent checking our accounts.

The university has set up a website at http://www.nwfsc.edu/security/.

New School Year Requires Privacy Refresher

As we wave goodbye to the school bus or drop off our college-aged mini-adults on campus, we parents immediately start to wonder what is happening with our students. In the past few years, a host of data issues have parents and school officials struggling to navigate the information superhighway.

The law begins with the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). This federal law protects the privacy of student education records. It has reach to almost every educational institution since the law applies to all schools that receive funds under any applicable program of the U.S. Department of Education.

FERPA was made infamous when confusion regarding the law slowed the intervention for medical treatment of a Virginia Tech student who later went on a shooting rampage. As Inside Higher Ed explained at the time, a presidential report stated that ““it was almost universally observed that these fears and misunderstandings likely limit the transfer of information in more significant ways than is required by law.” Since the regulations provide schools the ability to disclose information “to protect the health or safety of the student or other individuals” schools had the ability to disclose information. It took the Virginia Tech attack to make administrations realize the that they need to use the exceptions to the law more fully. Since then, schools have developed emergency responses.

FERPA also provides an excellent model for data privacy. ED.gov provides a useful summary:

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.”

Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.

An additional note to those parents who have children under 18-years-old attending college part-time. Some universities continue to be blind to the age specifications of the law and treat the high school students as adults. Parents need to file a FERPA consent form signed by the student in some cases. They should also alert the university to the problem because it may suggest other FERPA misunderstandings.

A trend that has grown in recent years is the ability for students to violate each other’s privacy. Sometimes labeled cyberbullying, students often learn private information about each other, and less often (but still too frequently) they publicize this information to embarrass, harass or tease their classmates.  Last year, a secreted computer video camera in a dorm room led to the outing of a gay Rutger’s student and live streaming of his sexual encounters resulted in his suicide a few days later. Tyler Clementi’s death gave witness to the pain such invasions of privacy can cause, but less extreme acts and less extreme reactions occur far too frequently.

An even more bizarre invasion of privacy occurred a Pennsylvania school spied on students using software delivered to the homes. Allegedly to control misconduct by students, the school secretly installed remote webcam software to monitor student’s activity in their homes. This is one of those incidents that many of us would have dismissed as inconceivable hypothetical concerns – until a governmental body was actually arrogant and thoughtless enough to misuse the technology. Lesson learned.

Students, parents and schools all need to remember the purpose of privacy is to protect people. When it is used to ignore students at risk, the purpose of privacy has been distorted. When it is used to spy on people – whether fellow students or the school’s students – then it is a violation of a person’s individual dignity.

Privacy is a human right and essential to human dignity, self-worth, and a functioning society. While it may have no economic value, it has a profound value to society. FERPA and other laws protect these rights, but they can only manage broad uses and mis-use.

As we go back to school, we need to make the values of privacy one of the lessons to be taught and followed this academic year.