Have UMass Lowell Ban Use of Insecure Proctoring Software


While I understand the need to catch cheaters and maintain legitimacy and credibility on exams, having students install Ring-0 software on their PERSONAL devices is frankly unacceptable. I, along with many students I have talked to about this subject, do not feel comfortable installing what is essentially a rootkit onto any of our personal machines. For those of you not familiar with what Ring-0 or rootkit programs are, they're basically programs that have the greatest possible access/permissions a computer can grant. Ring-0 programs essentially have as many permissions as the underlying operating system kernel itself (the core of any operating system).

For example, Respondus has FULL access to your files (unless they're on a separately encrypted drive, other isolated filesystem, etc.), private keys, mouse movement, screen, and camera (it even has camera access when the proctoring software isn't running). I highly doubt UML or any UML department would ever exploit these privileges in any way. The problem more so lies in the countless security vulnerabilities that are almost certainly hiding in the Respondus code, waiting to be exploited by malware and/or other forms of malicious software. If you think professionals are "too good" to make these mistakes, keep in mind that even the creator of C++, Bjarne Stroustrup, makes simple mistakes in his code. No programmer is infallible, nor is their code.

All of this is also assuming that Respondus doesn't do any data harvesting themselves, which, considering how most internet-based companies do some form of user data harvesting and selling, is not that far-fetched. Furthermore, it turns out that they even partially ADMIT to harvesting user data long after the exam takes place (at least a year). As the post in the link mentions, the Terms of Use even state that "Respondus does not guarantee removal of all traces of any information or data (including recordings) from the Respondus Monitor Services after deletion". They even then try to claim that they aren't liable if their servers are breached and user data gets stolen. This Reddit user even details what specific data Respondus themselves claim to harvest, and why this software is risky and should be avoided. Do note that what Respondus CAN harvest and CHOOSES to harvest are different, but other malicious software could still use Respondus as an attack vector to harvest personal data, even if Respondus itself doesn't harvest that data.

These two cases are the main reasons why any cybersecurity expert would heavily advise against ever installing any Ring-0 application on any personal device in almost every circumstance (and no, proctoring college exams is not one of those few exceptions).

I, along with those whose signatures can be found on this petition, agree that this software creates massive security vulnerabilities and attack vectors, and thus cannot be tolerated on personal devices under any circumstances, and must be banned in UMass Lowell classes.

References:

AstroLuminosity. "Respondus Lockdown browser and monitor update." Reddit, 22 Jun. 2020, https://www.reddit.com/r/geegees/comments/he5yn9/respondus_lockdown_browser_and_monitor_update/. Accessed 14 Sep. 2020.

deleted. "[Help] University is forcing this program onto our personal computers. What can I do to keep it from digging in when I'm not actively using it?" Reddit comment, 23 Aug. 2018, https://old.reddit.com/r/privacy/comments/99kx7n/help_university_is_forcing_this_program_onto_our/e4p68j1/. Accessed 14 Sep. 2020.

"Terms of Use - Respondus Monitor (Student)." Respondus, Respondus Inc., https://web.respondus.com/tou-monitor-student/. Accessed 14 Sep. 2020.