Four days ago, I read a story by Brad McQueen in the Arizona Daily Independent entitled “PARCC field tests had major data security flaws and of course they knew all about it.” I was waiting for the news to appear in other places before saying anything, using the two-sources rule that I try very hard to stick to. And today, it appeared in Louisiana on BayouBuzz.com. Their story had an even more shocking title, “PARCC Security Breaches Revealed; Microsoft, InBloom, News Corp. Implicated.” Now it’s my turn.
First let’s get a frame of reference. PARCC Inc is the corporation that is the nonprofit arm of the multi-state testing consortium known as the Partnership for Assessment of Readiness for College and Careers, or PARCC. Working with an online test-delivery system known as TestNav, created by textbook and testing giant Pearson, PARCC delivered about half of the Common Core-aligned tests online this spring to schools in about a dozen states, including both Maryland and Illinois.
TestNav, the online tool that allows students to take the PARCC tests online, is a Web-based application, although Pearson has also developed apps for tablets with at least a certain screen size and Chromebooks. Schools point students’ browsers at a certain URL, provide them with student login credentials, and TestNav decides which test questions to deliver. It also allows students to type in their answers. It runs on just about any browser: Safari, Chrome, and Firefox on Macs, and Internet Explorer, Chrome, and Firefox on Windows computers.
Of course, it won’t run on Internet Explorer version 8 or lower, because those browsers didn’t work with the new standard on the Web, known as HTML 5. Microsoft only built support for HTML 5, on which TestNav relies, into Internet Explorer starting at version 9. The other browsers have similar dependencies, although Chrome has been working with the HTML 5 standard on both Macs and PCs for several versions at this point.
One of the published system requirements for Internet Explorer was that “accelerators” must be disabled. Accelerators are on-screen shortcuts that can launch another application or go to another Web page. For example, you might be able to select some text in an article, hit the accelerator for “search,” and have Internet Explorer feed your selected text into Bing, Google, or whatever you have selected as your default search engine.
This security risk is nothing new
Both news reports cited above are irresponsible, in my opinion. They both claim that it is a “security risk” to shut down TestNav when a student launches an accelerator. It is, in fact, tighter security to shut down the test-delivery program than to keep it open and allow the student to use the accelerator functionality to, potentially, look up an answer on the Web.
As soon as this hole was discovered, Pearson decided to check at the time TestNav was launched and not even allow the student to log in if accelerators were enabled. A note on Pearson’s TestNav website explains this decision, but the dissemination of that document to test administrators in our schools may have been less than optimal. The link, here, will take you to the document directory on Pearson’s support site. Just select “TestNav_DisablingAcceleratorsinIE,” which says, in part:
When test takers use the Highlighter Tool in TestNav, the Accelerator function in Internet Explorer (IE) 9, 10, and 11 could automatically invoke an external action such as online search for the meaning of the highlighted words or sharing of the selected text via email. TestNav can detect this behavior as a security threat and exit the student from the test. As an extra security precaution for the PARCC Field Test, TestNav will not allow a student to start a test if Accelerator is present and enabled.
That document was issued on March 17, about a week before the field test began, and shortly thereafter, it was decided that many schools would have to do too much work to go around and disable the accelerators on thousands of computers students were using for testing in some states. Yes, the accelerator function can be turned off by a group policy, from a central administration panel or dashboard, and so on, but many schools that were participating in the PARCC field test didn’t have that centralized control available.
When it was discovered that this lack of central control would make it virtually impossible to disable accelerators on all the computers that would be used for testing and harder still to switch them to Chrome or Firefox, Pearson changed the error such that it would only halt the test if the student actually invoked an accelerator’s external operation.
This should be the normal behavior for any test-delivery tool. If a student tries to launch any other application, including surfing to another website, which is what accelerators do in Internet Explorer, the most secure thing to do is shut down the test. That’s what TestNav does.
The specific complaint here
The two articles I cited suggest that the time in between when the test shuts down and the proctor “resumes” the test so the student can log back in and complete the test creates a security risk. During this time, the computer user is able to use any other programs available.
Yes, some schools create a test-taking desktop that has only the TestNav URL pre-loaded in the default browser, but again, not every school has such a tight eye on security.
The risk is the same for paper-and-pencil versions
The security risk—that the student, after having seen some of the questions, can invoke an accelerator function, get kicked out of the test, surf the Web to find all the answers he didn’t know, and then resume the test and fill in the answers—is what all the brouhaha is about in these news articles, even though allowing students out of the testing room or, on computer, the browser’s kiosk mode is an even bigger security risk.
This is the same as when a kid goes to the bathroom during a traditional test on paper. During the time he is out of the room, he can make a cellphone call to his dad, who happens to be a professor, and get all the answers.
Oh, but we don’t allow cellphones in schools or even bathroom breaks in the middle of any given session of testing, you say. Fine. But then surfing the Web during an online test shouldn’t be allowed either, and proctors will get a notice on their dashboard when a student exits a test so they can get right over to that student’s desk and make sure he’s not surfing the Internet.
I would even suggest the online security is tighter than the security for paper-and-pencil versions, because TestNav will have recorded why and at what time the student exited the test. All these records can be checked, whereas students looking up the answer to questions during the time when they’re out of the room is not logged anywhere.
Work remains, and we’d like to get to it
So, in conclusion, let’s lay off the sensationalism, OK? We have real issues to deal with, like making sure our schools are technology-ready, making sure the tests are of an acceptable quality, making sure test proctors know what they need to do with these tests that will be new for everybody next year. We have real problems, and we don’t need to create alarm about a non-existent problem a newspaper ties to inBloom, News Corp, and Microsoft, which are so far away from this picture that mentioning them is ridiculous.
And good people, please don’t waste educators’ time chasing down problems that will not yield any solutions. This is hard work, and it’s not a very good product right now. We have a lot of work to do, and shouting at the wind about “security risks” and saying we’re putting students’ personal information at risk by giving them a test is a complete waste of everybody’s time.
