Brad McQueen: PARCC field tests had major data security flaws and of course they knew all about it

By | August 12, 2014

The following article appeared in the Arizona Daily Independent.  While the article was written in Arizona, PARCC is a national testing consortia.  Concerns about testing security valid for any state that requires PARCC testing.  This past Spring, Kings Park participated in field testing despite several attempts by community members to have this type of testing cancelled.  (See here, here, here, here, here, and here.)

Brad McQueen writes…

The Common Core testing company, PARCC , knew it had major data security flaws in its computer-based field tests, administered by Pearson Testing this past spring to over 1 million students in 14 states, but they went ahead with the field test anyway.

The PARCC test was piloted by over 1 million students this past spring so that PARCC/Pearson testing group could then use the data gathered to fine tune their tests, which they will then sell back to states to use as their Common Core assessments during the 2014/2015 school year. The PARCC field test had a testing window that stretched from 3/24 – 6/6/14 in which the states had to administer their test.

As stated in my previous article about data security and the field tests, the students and the schools taking part in these field tests received nothing in return for their services. Or so I thought.

According to internal emails between “state leads” in our departments of education and the PARCC group, those students taking the field test may have received a lesson in good old Common Core deception.

In order to maintain data security the computerized tests must maintain a secure connection to the online test using a popular browser like Internet Explorer. It is similar to when you require a secure connection online to do your taxes online or pay your bills online. Any breach in security can cause a loss of valuable personal information.

Twelve days before the PARCC field tests were due to begin, an email was sent to state leads that warned of both internal and external data security flaws in the PARCC computerized tests that posed a security risk to student data.

There are flaws that are internal to the PARCC computerized test that pose threats to student data security

The PARCC test has a feature that allows kids to “highlight” the text of passages with a color by clicking on it to aid in comprehension. It also has a feature that enables kids to check on the meaning of words on the test, similar to an online dictionary, where kids can “select” a word or phrase by clicking on it. In fact, PARCC boasts about this feature.

The problem is that when kids try to use the “highlight” or “select” features it causes the students to be logged off of their secure connection to the test if they are using certain versions of the popular web browser Internet Explorer as its Accelerator feature is triggered. The Accelerator feature allows a user to quickly surf the web for various things like dictionaries or maps. There is then a lag time between when the student is logged off the test and when the test administrator logs them back on where the field test security is breached.

In a PARCC email from Danielle Griswold to all PARCC state leads on 3/12/14 they confirm,

“The down time between when students are exited from the secure test mode in TestNav (the online test platform) and when the proctor resumes the testing leaves a gap that is a security risk.”

To avoid this security flaw, the test administrator must manually disable the Accelerator feature to prevent the kids from being exited from the test. The PARCC test does not have the capability of disabling the Accelerator feature on the Internet Explorer automatically, rather it must be done manually by a human.

The only other way, and the best way to disable this security flaw, is to remove the highlighting and selecting feature from the test. But PARCC/Pearson has already invested heavily in these prized accommodation features in all its pretest literature, training manuals, tutorials and practice test items. Think they’ll do the right thing?

Oh yeah, if kids are using iPads, and many did during the field tests, there is no way to disable the Accelerator function. The PARCC crowd doesn’t seem concerned about kids using iPads when they say in their email, “similar issue for iPads will remain, but the number of iPad users for Field Test is much smaller.” This is small comfort to those kids and their data, but thanks for caring PARCC, Pearson, and Departments of Education.

There are also flaws that are external to the PARCC computerized test that pose additional threats to student data security

I should have told you not to eat before reading this article, because there’s more.

There are also flaws that are external to the PARCC computerized test that pose additional threats to student data security when using certain versions of Internet Explorer with the Accelerator feature.

Common applications like anti-virus updating, screensavers, pop-up blockers, or the computer accessing other programs will exit the student from the test exposing them to a data security risk until they are manually logged back on to the test by the test administrator. These applications must also be disabled manually before the test begins.

Sounds like there were loads of ways for your kids’ data security to be breached during the PARCC field test, huh? But remember when PARCC, Pearson, and your state Departments of Education delayed/cancelled the field test so that they could correct these serious test security flaws? Me neither.

What PARCC/Pearson and your State Departments of Education actually did instead was stay on schedule with the field test, keep all the security flaws a secret, and updated their test administrator’s field test instructions to include that the administrators must manually disable the Internet Explorer Accelerator feature and all the other possible applications that cause students to be exited from the field test and triggers a breach in student data security.

Here’s the update sent to the field test administrators on 3/20/14, four days before the tests were to begin:
______________________________________________________________________________

General Note for Computer-Based Testing

Before Testing

As Test Administrators and/or Technology Coordinators prepare student test taking devices for the field test, please be sure to take the following steps to ensure test security:

1. Check every device to ensure that all software applications, including Internet browsers, cameras (still and video), screen capture programs (live and recorded such as Skype), email, instant messaging, application switching, media players (such as iTunes) and printing, are closed on all student testing devices before the test begins.

2. In addition, schools should work with their technology staff to configure the common applications listed below to NOT launch on any student test taking devices during testing sessions:

a. Anti-virus software performing automatic updates

b. Power management software on laptops warning of low battery levels

c. Screen savers and sleep mode

d. E-mail with auto message notification

e. Calendar applications with notifications, such as Google Calendar

f. Pop-up blockers
______________________________________________________________________________

Access the full attachment to the 3/12/14 email from PARCC to its state leads explaining the full extent of the field test security flaws here.

So teachers who will play the role of field test administrators, who are already overwhelmed with their teaching responsibilities, are also supposed to play computer gurus using their mostly underwhelming, out-of-date school technology to maintain all data security manually?

All this will be done on behalf of a private testing company, PARCC/Pearson, free of charge so that this same company can then adjust its test and sell it back to the states as their Common Core test next year for millions of dollars. Only in the world of Common Core would this make sense.

Companies are out for profit, so I understand their motive, but why are our Departments of Education colluding with these data predators? It’s education malpractice.

Sarah Gardner, Arizona’s Director of PARCC Assessments echoed a sentiment that other PARCC state leads parroted when she stated the following in her April 2014 newsletter a full month after receiving the email from PARCC alerting her to the serious data security flaws inherent in the PARCC field test:

“There may be a few glitches, but that’s why we are field testing…and working out these glitches will lead to better operational tests.”

All of PARCC’s state Departments of Education unanimously declared the PARCC field tests a success with only minor “glitches”. Those of us who work in schools that took the field test or parents who have kids who took the field test remember quite a different story…

Continue Reading…  http://www.arizonadailyindependent.com/2014/06/16/parcc-field-tests-had-major-data-security-flaws-and-of-course-they-knew-all-about-it/#sthash.5XAOjZeE.dpuf

brad

Leave a Reply

Your email address will not be published. Required fields are marked *