Understanding Test Taker Privacy in Honorlock

This article provides instructions on how to understand test taker privacy in Honorlock at Idaho State University (ISU).

Honorlock is ISU's proctoring service for online exams for any course. Because Honorlock uses an extension for the Google Chrome browser, some concerns have been raised regarding student privacy and what information Honorlock collects during proctored exams. For more information, you can refer to Honorlock's Test Taker Privacy Statement (external link).

• Using Honorlock's Chrome Extension
• Collecting and Monitoring Data
• Identifying what Honorlock CANNOT access or do
• Protecting Data: Security Protocols
• Taking actionable steps for enhanced privacy
• Frequently Asked Questions

Honorlock works as a simple browser extension (like an add-on for Google Chrome), not as a full program that installs on your computer. This is an important privacy feature.

Because it's just a browser extension, Honorlock can only work within your Chrome browser - it can't access the rest of your computer. This means it cannot see your personal files, passwords, or anything else on your computer outside of the exam you're taking in Chrome. This design keeps your private information private while still allowing the exam to be monitored.

Users can visually verify precisely when Honorlock is active. The extension's icon in the Chrome toolbar displays a flashing red indicator whenever it is monitoring or recording. If this indicator is not shown, you can be certain that the tool is inactive and not collecting any data.

This limited, browser-contained scope directly informs and restricts the specific information Honorlock can access during an exam.

Honorlock is engineered to collect specific data points only for the duration of a proctored exam. Data capture begins when the authentication process is complete and ceases the moment the student submits the exam in ISU Canvas and selects "end proctoring."

Data Collected During the Proctoring Session

During an active proctoring session, Honorlock may capture the following information, as determined by the faculty’s exam settings:

• Student & Course Information: Basic data synced from ISU Canvas, including the student's name, email address, course number, and exam name.
• Identity Verification: A photo of the student and their photo ID (such as a university or government-issued ID), captured via the webcam to confirm the test-taker's identity.
• Environmental Scan: If required by the faculty, a 360-degree webcam scan of the testing area is recorded to ensure the environment is clear of unauthorized materials.
• Exam Session Recording: A comprehensive recording of the exam session, which includes video from the webcam, audio from the microphone, and a recording of all desktop activity.
• Web Activity: A log of the web pages that are visited or attempted to be visited within the Google Chrome browser during the exam session only.

The collection of this data is strictly time-bound. When a student submits their exam within ISU Canvas, all webcam, audio, and screen recording functions automatically stop.

Honorlock Does Not:

• Sell or monetize student data. Honorlock is contractually prohibited from selling or otherwise monetizing student data. Its only purpose for using student information is to provide proctoring services for the institution.
• Scan a student's local network. The service cannot access or scan other computers, mobile phones, tablets, or any other devices on the local network.
• Route network traffic from a student's device through Honorlock servers. All network activity remains on its standard path.
• Access personal files or passwords on the computer. The Chrome extension only works  within the browser and does not have permission to read local files, saved passwords, or other personal data.
• Control the computer or download files to it. Honorlock cannot take control of a user's mouse or keyboard, nor can it install any files onto the device.
• Use facial recognition. The system uses facial detection technology, which is fundamentally different. It detects that a human face is present in the webcam view but does not identify the specific face or match it against any database.

Student privacy is ensured through a multi-layered strategy that combines technical safeguards, independent audits, and strict adherence to legal and educational privacy standards.

Technical Security Measures

Honorlock Employs industry-standard protocols to secure data at every stage.

Security Features

• Cloud Hosting: Hosted on Amazon Web Services (AWS), utilizing their secure U.S. data centers
• Data Encryption (In Transit): All data transfers are encrypted using industry-standard TLS 1.2 and SSL protocols
• Data Encryption (At Rest): All stored data, including videos and photos, is encrypted using AES-256 block encryption
• Data Destruction: Data is purged according to federal NIST 800-88 guidelines after the retention period of 365 days

Legal Compliance

Technical measures are validated by adherence to legal frameworks and regular third-party assessments.

• FERPA Compliance: Honorlock is bound by the Family Educational Rights and Privacy Act (FERPA). Under this act, the school, not Honorlock, is the owner of the student data. Honorlock acts solely as a service provider and is prohibited from using data for any purpose other than proctoring.
• Independent Audits: Every year, independent security experts review the platform to confirm it keeps your information safe. The platform also regularly tests its defenses by having security professionals try to find weaknesses and vulnerabilities, so they can be fixed right away.
• Employee Protocols: All employees receive mandatory FERPA and data protection training. Access to student data is restricted to employees whose jobs require it (e.g., support staff), is tracked and logged, and requires a VPN for access.

While the platform has extensive responsibilities for protecting data, users also have agency in managing their own privacy.

While Honorlock provides robust default protections, students and faculty can take simple, proactive steps to further ensure their comfort and privacy. These actions provide an additional layer of personal control over the testing environment.

1. Uninstall the Extension After Each Exam: The Chrome extension can be completely removed in seconds. Simply right-click the Honorlock icon in the Chrome toolbar and select "Remove from Chrome." It can be reinstalled in less than 30 seconds before your next proctored exam.

2. Create a Dedicated Chrome Profile for Testing That's Not Linked to Your ISU or Personal Google Account: Creating a new user profile in Chrome establishes a clean, isolated browser environment for testing. To do this:
   1. Open the Chrome browser.
   2. Navigate to the "People" or profile icon in the toolbar
   3. Select Add Chrome Profile.
   4. A new window will open to set up your profile.
      1. To create a profile without signing into a Google Account, click Continue without an account. 
   5. Enter a name for this new profile. You can choose a photo and color scheme if desired.
   6. Select Done to complete the setup.
   7. This ensures that personal bookmarks, saved passwords, and browsing history are not present or accessible during the exam session.

Q: Is someone watching the test-taker in real-time for the entire exam?

• A: No, not typically. A machine learning system monitors the exam session and flags unusual activity, such as another person entering the room. If the AI detects a potential issue, a live proctor is notified and may "pop-in" via a private chat window to assess the situation and help you get back on track. Your instructor can review the full recording and any flagged incidents after the exam is complete.

Q: What kind of ID do students need?

• A: Any form of government issued ID (driver’s license, state ID, passport) can be used for the authentication process. School ID cards can also be used. Please do not use military ID or bank cards.

Q: Who determines if academic dishonesty occurred?

• A: Honorlock does not make determinations about academic integrity. The system's role is to report possible incidents by flagging them for instructor review. The instructor makes the final determination by reviewing the exam recordings, proctor notes, and other relevant information.

Q: How long is data stored?

• A: The data retention period is 365 days. After the designated retention period expires, all associated data is securely deleted according to federal data destruction guidelines.

Q: What if the test-taker needs to wear a mask?

• A: Test-takers can wear a mask during the exam. The procedure requires you to briefly remove the mask during the initial photo ID authentication step. Once your identity is verified, you can put the mask back on for the duration of the exam.

• Chat with Canvas Support for Faculty (external link)
• Canvas Instructor Guides (external link)
• Visit the ITRC Portal for answers to common questions (external link)
• For additional assistance email AnswersITRC@isu.edu