This week was the California Bar Exam, a grueling two-day test that determines whether or not a person can practice law in California. Despite the privacy and security risks remote proctoring apps present to users, the California Bar, as well as several other state bars throughout the country, are requiring that students use proctoring and surveillance app ExamSoft to protect the “integrity” of the test. The results have been nothing short of disastrous, and test-takers have taken to calling these remotely proctored exams the “Barpocalypse.”
All of this was avoidable.
Students are reporting significant technical issues, including difficulty installing or downloading the software, failures to upload the exam files, crashes, problems logging into the site, last-minute updates to instructions, and lengthy tech support wait times resulting in students taking the exam hours late (if at all). Additionally, we have heard from numerous examinees who are concerned that their data has been breached, adding to the numerous reports of identity, credit card, and password theft reported by previous users.
All of this was avoidable.
Last month EFF sent a letter to the California Supreme Court, which oversees the California Bar, asking them not to require ExamSoft for the bar exam. Our concerns were threefold: Test takers should not be forced to give their biometric data to the company, which can use it for marketing purposes, share it with third parties, or hand it over to law enforcement, without the ability to opt out and delete this information. Without a clear opt-out procedure, this data collection violates the California Consumer Privacy Act. Additionally, this data collection creates obvious security risks, as the recent data breaches of proctoring apps have shown. And finally, technical issues, as well as requirements that could disadvantage users who cannot meet them, could wreak havoc on users, forcing them to withdraw from the exam. It is unfortunate that several of our concerns have been validated.
Thankfully, the California Supreme Court has heard at least some of these concerns. Shortly after receiving our letter, the Clerk and Executive Officer of the California Supreme Court asked the state bar [pdf] to propose a timetable within 60 days for the deletion of all the 2020 bar applicants’ personally identifiable information collected via ExamSoft:
ExamSoft’s Privacy Policy appears to permit the company to use and disclose applicants’ data for many purposes, some of which appear to be unrelated to the administration of the examination. Thus, the court shares applicants’ concern that any unnecessary retention of their sensitive PII data may increase the risk of unintentional disclosure.
This is a good step forward in protecting applicants’ data, and we are glad to see it. However, it is not enough. After receiving a concerned letter from the deans of several California law schools, the Court replied [pdf], stating that ExamSoft’s proctoring tool would not make any determination about a student’s eligibility, nor would it be used to prevent any applicant from completing their exam:
...the proctoring software will not determine any examinee’s identity, integrity, eligibility, or passing grade, nor will the software be used to prevent any applicant from completing their exam. Instead, multiple layers of human review of the exam videos will permit human proctors to make those determinations.
Unfortunately, that was not the case. At a minimum, the software’s technical issues prevented many students from taking the exam. Additional issues with remote proctoring, from the fear of not knowing what might invalidate an exam to lost time, created stressful experiences for many, many test takers. Some even report being *told* to withdraw due to tech support issues. Additionally, the Court should consider the disproportionate impact these remotely proctored exams have on examinees of color and those with disabilities, as outlined by the Consortium for Citizens with Disabilities (CCD) Rights Task Force and the Lawyers’ Committee for Civil Rights Under Law. The Court and the state bar must also recognize that the failure of the proctoring software’s facial recognition features created a much more difficult environment for some examinees—such as those with darker skin—who were forced to alter their environment by shining lights on their faces, for example, during the entirety of the test:
Regardless of whether human reviewers are ultimately responsible for determining the integrity of applicants’ test results, it is clear that this remote proctoring experience was not a success. While we applaud the California Supreme Court and the state bar for requiring deletion of biometric data, there are many unanswered questions: we still don’t know how long that data will be held by ExamSoft, which still creates privacy and security concerns; we don’t know whether breaches have already occurred; and we don’t how the California Bar will assist applicants who experienced issues with the exam due to the proctoring software.
The simple truth is that the California Bar and the Supreme Court should not endorse these remotely proctored exams, and should not approve of this dangerous mass data collection, even if the data will be deleted—eventually. The California Supreme Court and the state bar want to have it both ways, admitting that “ExamSoft’s privacy policy appears to permit [pdf] the company to use and disclose applicants’ data for many purposes, some of which appear to be unrelated to the administration of the exam,” and simultaneously writing that “the collection of this data is critically important to ensure the integrity and security of the examination process.”
The only real way to square this circle is to offer all applicants an alternative to the ExamSoft proctored test in the future. We hope the Supreme Court of California will insist on this for February’s test, and we hope other states will take note of this #Barpocalypse, so that future applicants will not be forced to experience these unacceptable levels of privacy, security, and technical issues.