Place restrictions on Data Collection policies.
Place restrictions on Data Collection policies.
Like many of the students during these unprecedented times, I am concerned over the usage of Proctorio and similar programs being implemented as a mandatory part of the educational system. I think I speak for the entire world when I say that privacy is a universal right not a privilege and it is not something that we are willing to give up nor is it a matter of negotiation.
Proctorio will be storing our Biometric Information.
Proctorio states that they will be scanning our faces and monitoring our eyes for the entirety of the exam. Biometric data is defined as samples, models, fingerprints, similarity scores and all verification or identification data. As stated on their website, they scan ID's and faces BEFORE the test begins and that is kept as well.
Per their Data Deletion and Destruction agreement they state:
Proctorio will store and maintain institutional data for up to 30 days after the termination of an applicable agreement, unless otherwise specified. If, however, you have entered into a SaaS Agreement with Proctorio then we will retain your data for six months by active data retention and for one year by cold storage. We may be able to retain your data for longer periods of time subject to an additional fee and agreement by you and Proctorio.
According to the Institution's preference regarding data destruction, Proctorio will either: 1) destroy the data, or 2) deliver it to the Institution.
This means that until the school’s contract with them is completed, Proctorio will keep the data. We do not know how long each school contracts with Proctorio.
Although Proctorio argues their data vault is safe, we must remember a few things.
1) Equifax was hacked in 2017, and they have IT security advisors, on-call.
2) The Pentagon was hacked by 7 Hackers and they were able to get into a F-15 fighter jet and Orbital Satellite commands. It is highly doubtful Proctorio has higher security measures than the United States Military.
3) After an extensive search, there are only 48 people publicly listed to work for Proctorio, only 7 of which are publicly listed as IT staff. IF they have other IT staff they are not listed. This leads to the question: How is such a small group of people going to monitor thousands of peoples of data 24/7?
2. Proctorio contradicts their own policy statement.
Per their website:
We do not disclose your Personally Identifiable Information except in the following limited circumstances:
Law and Harm: We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Proctorio's rights or property.
Other Disclosures: We may disclose your information to fulfill the purpose for which you provide it and to enforce or apply your SaaS and other agreements with us.
So, they do in fact share our information with anyone who has the right title. This is concerning because the only time they will deny information is a random person asking for data. As of 2020, Arizona, the state which Proctorio is located in, does not require Law Enforcement to obtain a warrant before handing over data collected so long as the department is officially requesting data from the company.
We do understand that to preserve the integrity of testing, certain measures and policies must be made. However, this cannot come at the price of our privacy and our data rights.
As such we do not consent to have out data taken without certain measures in place to prevent abuse.
1. Biometric data is a non-starter. There should be NO biometric data stored. Thumbprints, ID pictures, retinal data, facial recognition data, etc.
2. If a family members' information is recorded, that data is subject for immediate deletion, as they have not given consent nor are they part of the institution.
3. Any monitoring data must be deleted within 1 hour of review of the school not to exceed 48 consecutive hours of pending administrative time.
4. Each individual student must receive a receipt of the deletion of data and if their data is subject to additional review, a receipt should be for every day their data is kept. (up to 48 hours.)
5. Data cannot be packaged as part of metadata packages, and to obtain data, a signed warrant from a court must be required.
6. The institution requiring data collection will be held liable for all data breaches and the consequences of any data leaks regarding their students and family members.
Please understand that we are not fighting the decision to prevent cheating. We are objecting to the decision to collect non-pertinent data longer than what is necessary to prevent unmitigated data leakage.
If these measures are implemented we have no problem with using these proctoring services.