Why is coursework necessary for students

Universities in the corona pandemicOnline monitoring should make exams possible

Corona also has the education sector firmly under control. While schools should stay open with all their might, universities are increasingly relying on distance learning. However, this poses major challenges for her, for example with the exams. How can their proper course be ensured?

For a whole range of universities, the solution is: online with a watchdog. They use special systems that the students monitor during the exam. This is explicitly permitted in North Rhine-Westphalia and Bavaria by ordinance. Berlin is also preparing a corresponding instruction from the Senate. The students therefore have to install monitoring software on their computer, the conformity of which with data protection and basic rules of IT security must be questioned in any case.

Various options for online monitoring

Manfred Kloiber: Jan Rähm, is the remotely monitored online exam actually the only option for an internet-based exam?

Jan Rähm: Of course not, you could take a so-called "Open Book" exam, for which you as a student can use any material, including the online search. You just have to show that you understand the subject. Or they take the exam completely without supervision - then they show full confidence in their students, which is likely to be the exception.

There is the option of simply monitoring the whole thing, for example using online conference software, where the sound and video are simply shown to the supervisor, or fully monitored using very special solutions - and they have it all. Because according to the information we have, these solutions use extensive monitoring, for example via a browser plug-in. It collects: the camera image, the sound, open browser tabs and windows, other applications, screen content, clipboard, location, running processes and much more.

After reading the browser interface description, we are not entirely sure whether all of this information can really be collected in this way. One thing is certain, however: it is comprehensively monitored. At least some students and university employees dislike this massively. In addition, such monitoring is at least worth discussing in terms of system integrity, data protection and privacy.

Monitoring is perceived as uncomfortable

Kloiber: That is why we asked those affected and data protectionists how things stand in terms of data protection with such solutions and whether they are compatible with the EU General Data Protection Regulation.

"You came into the virtual room. And then you were asked to have your ID card ready and hold it in the webcam. Then five pictures of you were taken with your ID card. Then you had to sign an agreement again, so to speak, that you actually take this exam yourself, "says Leonard Wolf, a student at a German distance learning university.

This year he wrote an exam online for the first time. The monitoring by special software was quite uncomfortable for him: "And then you actually got to the point where I realized that I wasn't really that comfortable with it, where you had to show your exam environment."

Software providers promise data protection

What is particularly unpleasant about this online supervisor - known as proctoring - is that the recorded data ends up in global clouds, depending on the software, and is also processed there. For example, the automatic fraud detection relies on image and sound analyzes that are carried out in distributed data centers. But at least for the solutions used in the EU, the providers assure that they will comply with the General Data Protection Regulation and that they will not process or store any data outside of European data centers.

Thomas Fetsch is Area Manager Germany for the Proctorio supervisory solution. Although his company would rely on a US cloud provider with Microsoft Azure, extensive precautions have been taken to protect data and only data centers within the EU have been used:

"All data is completely end-to-end encrypted from the start. That means the key for the data that is encrypted at all times, even if it is collected, is encrypted immediately and accordingly on a cloud infrastructure at Microsoft Azure Filed. But at no point do we know who that person is. "

Only one ID is generated for each student. This means that the data can only be accessed via the university's learning management system. This approach is compatible with the GDPR, says the Bavarian State Commissioner for Data Protection, Thomas Petri. However, only as long as the monitoring remains within the framework of the Bavarian Remote Examination Testing Ordinance.

Resistance to online surveillance

In Bavaria, however, extensive filming of students' surroundings is not allowed. The recorded data may also not be transmitted to non-EU countries. And they may only be stored for as long as it is technically absolutely necessary. Automated monitoring is also not permitted. In Bavaria, the university staff has to do this themselves. Whereby the software can warn the monitoring party.

Petri: "The point is: Will the personality rights of this form, which is now planned, be adequately taken into account? And I think that the regulation essentially respects the personality rights of those affected."

And yet there is resistance to the surveillance solutions. Take Canada, for example: Ian Linkletter is doing research on learning technologies at the University of British Columbia. He is extremely critical of proctoring software because it often works in a non-transparent manner. That's why he calls it: Academic Monitoring Software.

Problem of lack of transparency

In particular, he examined the Proctorio solution critically. To do this, he shared - in his opinion - publicly accessible materials from the manufacturer, including in social networks. He has now filed a lawsuit. "It's not just a lawsuit against public participation. It's a lawsuit against science and its special freedoms: contributing public knowledge, engaging in critical discourse and questioning the way we do things," says Linkletter.

Proctorio, however, sees it differently. Quote: "We have taken steps to defend our intellectual property and to protect our partner institutions and students who use our platform worldwide." Linkletter passed on confidential information. This endangers the company, the universities and their students.

Kloiber: So the fight is tough. Jan, software whose IT security is weakened by transparency, how seriously is it?

Rähm: This is a very old question in the software world. The concept is called "Security Through Obscurity", which translates as "Security through obscurity". It is one of the most scolded concepts and has often proven to be ineffective, at the latest at the moment when someone has been able to resolve the ambiguities.

That could also happen to the solution of the named company. The software is currently sold as a plug-in for the Chrome browser. And these plugins can be reverse engineered with manageable effort, so you can make the original source code visible.

Monitoring software can be tricked

Kloiber: And then you could hack him too?

Rähm: Yes, of course, but whether this is necessary to outsmart the software remains to be seen. Students at the Berlin University of Technology and Economics tried out one of the monitoring solutions and discovered numerous ways to manipulate and trick the monitoring - which was also the task of this internal university test.

For example, they were able to insert ready-made text modules without the software noticing - the equivalent of a cheat sheet, so to speak. The solution to run the monitoring software in a virtual machine is even more elegant. This could not be recognized by the student and the student had a free hand.

Kloiber: Hacking is one thing - not every student will be able to do it. The other is the IT security of such solutions, which, if you want to take the exam, must be installed. How about that?

Rähm: In this regard, the Proctorio spokesman explained to us that both the software and the server are subject to regular security reviews by independent experts. We also have such a report, so I consider the statement to be credible and also consider the basic IT security to be given.

However, installing such software is not without risk. Because even if the ordinances for remote monitoring set strict limits, the basic functions are still included in the software. In the case of Proctorio and comparable solutions, as a student at my university and the manufacturer, I have to trust that only what is recorded is actually recorded.