Remote Learning and Student Privacy

For the past three months (since May 19, 2020), I have been communicating with various representatives of my university, Arizona State University, to resolve an issue regarding widespread infringement of student privacy. However, every person with whom I have spoken (seven in total, including the president of the university himself) has either ignored my claims, dismissed my claims, or passed me to someone else. Yesterday, I received an email from the university’s Executive Director of Learning Experience, or the person to whom I was directly referred by the president of the university to address my claims, and again — and still to my surprise — my claims were ignored.

Now, if the problem were that my claims were trivial and as such undeserving of due time and energy, then I would understand them being dismissed or ignored. However, my claims are not trivial; they are serious: I am alleging unethical and illegal practices on the part of the university, which practices are resulting in widespread infringement of student privacy. Surely, claims such as these are deserving at least of refutal! Alas, in none of my exchanges with university representatives have my claims been refuted; they have simply been dismissed or ignored.

So what follows in this article is the problem, embedded in which are my claims. I speak for myself and my own institution; however, given the prevalence of the factors, this problem is universal, and its implications are universally applicable.

To facilitate online and remote learning, Arizona State University (ASU) has adopted — and many of its instructors have implemented — third-party software and services. And on the surface, this may appear harmless — it’s certainly reasonable — but it actually places ASU students in the uncomfortable position of having to share personal data with companies that they wouldn’t otherwise. And while I recognize that some of this is simply an unavoidable consequence of our shared predicament as a community quarantined, I also recognize that not all of it is, for some of these third-party software and services were adopted and implemented long before anybody got sick, only now they’re being used with greater force and frequency.

The most common of these third-party products (as far as I can tell, and besides Zoom) are two programs created by Respondus, Inc. Respondus, Inc. is a technology company that develops assessment applications for educators. These applications include tools for online testing and remote proctoring, the most popular of which (and the first on my list of most-common third-party products) is LockDown Browser, an application that “prevent[s] cheating” by “lock[ing] down testing environments within a learning management system.” Specifically, LockDown Browser limits the use of computers by restricting access to applications other than LockDown Browser itself. According to Respondus’s website, “1500 [sic] universities rely on [LockDown Browser] to prevent cheating on 120 million exams each year.”

Respondus’s LockDown Browser companion program (and the second product on my list) is a newer application called Respondus Monitor, which also “prevents cheating” by recording students via webcams as students take exams. Among its features, benefits, and advantages (for instructors), the program uses facial-recognition technology to create a “biometric signature” of each student (to ensure that the same student remains in the webcam frame for the duration of exams), and it processes all “mouse, keyboard[,] and screen activity,” as well as “continually tracks the applications and processes that are running on the computing device during an exam session” (Respondus Privacy Policy). According to Respondus’s website, over 1,000 universities will use Respondus Monitor on more than 20 million exams in 2020.

Although these products enable educators to perform proctored online and remote assessments, their use is contingent upon two critical factors universally dismissed by at least the relevant faculty at ASU: context and consent.

As it relates to context, the contents of this article — indeed, my claims — would be irrelevant if students were using university computers at the university. But we’re not; we’re using personal computers in our homes. And as it relates to consent, Respondus LockDown Browser and Respondus Monitor require full access to and full control of students’ personal computers to operate, and the use of these programs requires students to be recorded in our homes. As such, and by law, students must consent to downloading, installing, and using these programs — which is to say that, by extension, instructors (or institutions) must acquire consent from students before requiring us to use these programs for assessment. However, we students are not being asked to consent, nor are we being provided with alternatives if we refuse to consent; instead, we are being required, absolutely, for which the consequence of refusing, of course, is failure — meaning, students who do not consent to allowing controlling access to their personal computers or to being monitored in their homes are downloading, installing, and using Respondus programs (and, by extension, taking online exams) under duress.

While I recognize that institutions may endorse the use of Respondus products (or similar products), institutions are not authorized to make decisions about privacy and personal data on students’ behalf. Respondus even requires, as stated in their terms of use, that students must opt in to the use of Respondus products by agreeing to the terms of use. As such, failing to provide students with the option to opt in (or to opt out, and to do so without consequence) is an invasion of privacy as well as a violation of privacy laws.

What laws I am referring to are at least those of the EU’s General Data Protection Regulation (GDPR), which gives legal control of personal data to individuals in the EU specifically, but is generally applicable given that companies who do business in the EU, regardless of their home country, must adhere to the GDPR’s policies. Among these policies is the requirement of companies to acquire explicit consent for collecting data from their users:

“Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element ‘free’ implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.” —Consent Overview , GDPR. (For further information, refer at least to Article 7 , which stipulates the conditions for consent.)

By requiring students themselves to download and install third-party software or to use third-party online tools, instructors render the use of such software subject, exclusively, to the discretion of students. And if students do not consent to providing personal data to the respective companies (which, in the case of Respondus products, is actually both Respondus and students’ institutions), and if the consequence for not consenting is a failing grade because of an inability to complete assignments or participate in assessments, then it is incumbent upon instructors to provide alternatives, lest the “consent” of all consenting students be compliance by coercion, and as such invalid, and the actions of instructors illegal.

Institutions fall into a gray area with regards to their use of third-party software, as institutions are not responsible for the privacy policies of the companies that develop such software. However, by employing these companies to provide software or services on their behalf, institutions endorse the respective privacy policies, and adopt the policies by extension, thus rendering themselves likewise subject to the stipulations of the GDPR (or other relevant laws). Also, by requiring students to engage with third-party software providers directly, institutions forfeit control of the use of third-party software by students, as such use is dependent on the consent, not of institutions, but of students. Finally, the ethics of requiring students to download and install third-party software despite students’ desires or better judgement — indeed, to do so under duress — are at least questionable, and they, along with everything else I’ve mentioned in this article, lay a strong foundation for litigation.

I know that this article is disjointed and unclear, and that it’s missing data and counterarguments and solutions; I’ve written it quickly, as a new semester is about to begin, and there are a million objections to what I’ve said as well as a million more objections to the objections, so it’s just difficult to organize. Nevertheless, the point of this article is to say that students are under no obligation to use Respondus products (or similar products), which products and their implementation by institutions, as evidenced in this article, are designed for the sole purpose of controlling and restricting, both of which are antithetical to learning.

The worst revelation from this three-month experience is that my university has exempted itself from responsibility and as such refuses to be held accountable. We students have rights that are being infringed in the absence of a precedent, and the university and its instructors have responsibilities that are being shirked in the absence of policy, yet there seems to be no path to recourse. The issues described in this article are as much legal as they are moral, and if anybody (lawyers) would like to help us out, we students would greatly appreciate it.

More people have spoken and are beginning to speak about this problem. Below are links to articles, should you find them interesting or useful.