ExamSoft’s remote bar exam sparks privacy and facial recognition concerns

Sometimes the light Kiana Caton is forced to use gives her a headache. On top of common concerns that come with taking a state bar exam — like passing the test — Caton has to deal with challenges presented by facial recognition technology. She’s a Black woman, and facial recognition tech has a well-documented history of misidentifying women with melanin. Analysis by the federal government and independent research like the Gender Shades project have proved this repeatedly. The European Conference on Computer Vision also recently found algorithms don’t work as well on Black women as they do on other people.

Ok @ExamSoft support told me to “sit directly in front of a lighting source such as a lamp.” I’m receiving the same issue preventing me from completing the NY UBE mock exam. Facial recognition technology is racist. @DiplomaPriv4All do y’all think I have “adequate lighting”? pic.twitter.com/7tFdwfpyHB

— Alivardi Khan (@uhreeb) September 11, 2020

To ensure her skin tone doesn’t lead ExamSoft remote test monitoring software to raise red flags, Caton will keep a light shining directly on her face throughout the two-day process, a tactic she picked up from fellow law school graduates with dark skin.

“If someone has to shine a light in their face, they’re probably going to get a headache, or if they have sensitivity to light or are susceptible to migraines or anything like that it’s going to affect their performance, and that’s something I’m really concerned about,” Caton said.

Next week, law school graduates from 20 states — including Caton, who is in California — will simultaneously take the bar exam from remote locations using ExamSoft. In order to take part, they must first surrender biometric data like an iris scan or facial scan.

To administer the test, ExamSoft will collect and store the biometric data of a generation of legal professionals. More than 30,000 law school graduates will participate, a National Conference of Bar Examiners (NCBE) spokesperson told VentureBeat. This appears to be the largest attempt to remotely administer state bar exams in U.S. history.

Delays caused by COVID-19 mean job offers previously extended to law school graduates may already have passed their intended start dates. For Caton and many others taking the test next week, a job offer may hang in the balance.

Above: The light Caton will use during the California bar exam next week. Data privacy concerns led her to buy a new laptop for the test, also pictured here.

Image Credit: Kiana Caton

Security is also in question: On July 27, remote proctoring software company ProctorU was hacked, a data breach that exposed the personally identifiable information of 400,000 people. A day later, a remote Michigan state bar exam administered by ExamSoft was hit with a DDOS attack. Investigations into the reported ExamSoft attack are ongoing.

The NCBE, which developed state bar exams, requires all remote testing to be conducted via proctoring software. An NCBE spokesperson told VentureBeat that all jurisdictions administering the remote exam will use ExamSoft. But concerns are still swirling around the software.

“I don’t understand how we can possibly be judged by these people in our own competency when it kind of seems like they need to worry about whether they can actually do this exam. It’s less than a week away now, and people are having tons of issues,” Caton said. “So I’m just really concerned about this exam, and I’m wondering if it’s going to go forward like it’s supposed to and whether or not I’m going to be delayed any further in starting my job.”

On top of data privacy and racial bias concerns, Caton and other bar exam applicants have to worry about whether ExamSoft will answer the phone if things go wrong. Caton said her mock exam went off without a hitch, but people who took a test earlier this month in the state of New York reported long delays when they called ExamSoft after they encountered issues.

As a result of the pandemic, use of AI-driven remote testing software has gone up, despite continued concerns about surveillance, biometric data collection, and bias. Each state bar association and state supreme court has dealt with uncertainty brought on by the pandemic in different ways. In Texas, legal professionals took exams in hotel rooms as monitors walked from room to room to check on them. In the state of Washington, the bar association is waving bar exams altogether. Concerns over racial discrimination, tech issues, and historically disruptive wildfires led deans of 15 major California law schools to request the state supreme court make the bar exam an open book test.

After ExamSoft was chosen to administer the test in California, the ACLU shared its opposition to the use of remote testing software that uses facial recognition. In a letter to the California Supreme Court, the organization argued that these conditions have the potential to exacerbate historical inequity in the legal profession.

“Given the invasive and discriminatory nature of facial recognition technology, the proposed use of software that collects biometric data for the administration of the bar examination would be antithetical to the State Bar’s mission of protecting the public and increasing access and inclusion in the legal system,” the letter reads. “In an unprecedented moment that requires innovative, equitable pathways to attorney licensure due to the myriad challenges posed by COVID-19 and the ongoing movement for racial justice, the deployment of facial recognition threatens to further entrench racial and economic inequities that have long created barriers to the legal profession.”

Facial recognition flags raised while a person is taking a bar exam will not halt a test, an ExamSoft spokesperson told VentureBeat. But because facial recognition tech is less likely to recognize Caton, it may raise red flags and cause human reviewers to assess her exam. Similar issues have been reported with other exam software, like that from Proctorio. ExamSoft declined to share the name of the company that created the facial recognition technology it uses.

State Bar of California interim executive director Donna Hershkowitz responded to the ACLU letter last week. Espousing a commitment to an inclusive legal profession, she said any facial recognition issues flagged by the software will be analyzed by four human reviewers, part of a series of steps that she believes will eliminate facial recognition bias.

In addition to concerns about facial recognition technology, a participant leaving the frame of view at any time or the occurrence of sounds — including the sounds of voices — can also trigger ExamSoft flags that require humans to review a bar exam. Nearby sounds could prove a potentially common problem, particularly as the pandemic has kept many households working and schooling from home. A survey of Maryland bar exam applicants shared with VentureBeat found that more than 40% lack access to a quiet place where they can take the bar exam without interruption.

The Electronic Frontier Foundation (EFF) raised concerns about the perpetuation of inequity in a letter to the California Supreme Court last month. Additionally, the EFF expressed concerns about California Consumer Privacy Protection Act (CCPA) violations and warned that the State Bar of California is making data collected by ExamSoft alluring to hackers.

“It is well known that storing large collections of private or personally identifiable information (PII) creates the risk of a security breach, and ExamSoft’s retention of data is no different,” the EFF letter reads.

As a way to further reduce risk, the State Bar of California requested that ExamSoft delete all biometric data associated with the test after human reviewers have sifted through instances flagged by predictive AI. Exactly when ExamSoft will be required to delete biometric data it gathers while administering the test is unclear, but it could be at least a few months after the test. In a letter sent Friday, California Supreme Court clerk and executive officer Jorge Navarrete said the State Bar of California has 60 days to submit a timetable for when ExamSoft will delete all collected biometric data.

In a separate discrimination matter related to the California bar exam, a number of recent law school graduates have filed lawsuits against the NCBE and State Bar of California alleging state and federal disability law violations. People with disabilities have been told they must take the test in person at designated testing locations. In response, Hershkowitz said in a statement shared with VentureBeat that appropriate COVID-19 measures will be taken to safeguard in-person administration of the test for people with disabilities and declared that “there is no unlawful discrimination of the October bar examination.”

ExamSoft hack in Michigan

Concerns about privacy and other issues are not without precedent. On July 28, about an hour into the bar exam in the state of Michigan, some test takers experienced login issues. In a statement shared on Twitter later that day, ExamSoft said its login process was targeted by a distributed-denial-of-service (DDOS) attack. In the statement, the company said this marked the first time ExamSoft had experienced a DDOS attack on the network level and that no data was compromised during the attack.

The Michigan Board of Law Examiners and ExamSoft emphasized that all bar exam applicants were able to complete the exam that day and that the Michigan Board of Law Examiners allotted extra time to test takers impacted by login delays.

A day later, Michigan Supreme Court Chief Justice Bridget McCormack ordered an inquiry into the login issues experienced by some Michigan test takers. Results of that investigation are still outstanding, a Michigan Supreme Court spokesperson told VentureBeat. About a week after the incident, ExamSoft asked the Department of Homeland Security and FBI to open investigations. ExamSoft and its network provider have put additional redundancies in place to make sure these kinds of delays don’t happen again, a company spokesperson told VentureBeat in an email.

Despite ExamSoft’s assurances, law school graduates continue to express security concerns. More than 50 state bar applicants taking the test next week in Pennsylvania requested a fraud investigation earlier this month, claiming they experienced an uptick in compromised passwords after ExamSoft downloads.

Under the guidance of the NCBE, ExamSoft will administer all remote October bar exams. But some remote test monitoring software companies were not interested in participating. Speaking with the American Bar Association for a recent article, ExamSoft cofounder and current Extegrity CEO Greg Sarab said his company was one of three that backed out of remote proctoring services for state bar exams. He feels it’s risky to use the technology at this point, as evidenced by inconsistent performance in mock and live tests. Sarab also expressed concern about risks related to reliable internet connections and lack of time for companies like ExamSoft to test their technology.

In response to critics who called remote bar exam testing too risky, an ExamSoft spokesperson said “We have no way to speak about how other vendors feel about their software or the quality, stability, or resilience of their products,” adding that the company has built trust among thousands of clients over its 22-year history.

Diploma privilege, provisional licensing, and supervised practice

In an attempt to address unprecedented logistical challenges and keep the legal profession moving forward during the pandemic, state bar associations are even beginning to consider ways law school graduates can practice law with temporary licenses or do away with bar exams entirely.

In California, for example, the bar exam passing grade was permanently lowered in July from 1440 to 1390. Last week, the State Bar of California Board of Trustees approved a provisional license agreement that will allow law school graduates to practice law until 2022 without taking the bar exam. The board also directed its provisional licensing working group to consider whether it would recommend these individuals be admitted to the state bar if they complete a set number of hours of supervised practice as provisionally licensed lawyers.

Caton said she can’t imagine that any job offer with a rate of pay promised to a licensed lawyer will be offered to a provisionally licensed attorney.

“It’s basically a glorified internship or something,” Caton said of provisional licensing. “So I’ve never understood the purpose. I don’t think that my opinion is anything novel or unusual. I think a lot of people have the same question.”

The District of Columbia Court of Appeals took yet another approach, adopting a supervised practice program last week that allows graduates of accredited universities to receive a license to practice law if they work under the supervision of a more senior attorney for three years.

Diploma privilege means people can get a license to practice law without taking the bar exam as long as they meet certain requirements, like graduating from an American Bar Association accredited law school. As state bar associations began delaying tests and implementing remote testing options last spring, groups like United for Diploma Privilege and Diploma Privilege for Maryland sprang up to encourage more state bars to adopt diploma privilege, particularly to ensure access for groups like low-income applicants and people with disabilities. This year, states like Washington, Utah, and Louisiana, have adopted diploma privilege.

As testing and licensing boards grapple with the need to administer certification tests during the pandemic, the kind of logistical and privacy hurdles law school graduates encounter are impacting professionals across multiple industries. In some instances, engineers have had to drive across state lines to complete a certification test. Other individuals have had to choose whether to risk their lives by going to an in-person certification that could lead to higher wages or better opportunities during an economic recession.

During the pandemic, remote learning has revealed ways students can get left behind as issues like lack of broadband access impact their education. Remote test monitoring software that uses facial recognition and debates around licensing requirements for lawyers reveal additional inequalities, as well as surveillance and data privacy challenges.

Caton said she’s proud of this generation of legal professionals for speaking out, but she wonders why more politicians and bar-certified lawyers aren’t speaking up on their behalf. Being a bar exam applicant in the current environment, she said, can give law school graduates the impression that the legal community isn’t interested in protecting them because they’re not quite lawyers and yet can no longer be considered members of the general public.

“I can’t quite wrap my head around how this could possibly be the state of things right now, and it’s a little concerning also that we haven’t had too many attorneys or legislators standing up for us,” she said. “It feels like we’re being treated like we’re expendable, like our rights and our data and privacy are expendable, and so I think that’s where we’re at right now.”


You can’t solo security

COVID-19 game security report: Learn the latest attack trends in gaming. Access here


Read More

Khari Johnson