3 min read · Pedagogy & ethics

Why Your Proctoring Software Is Built Against Students

Most online proctoring tools treat student privacy as an afterthought -- a compliance checkbox rather than a design constraint. Here's the case for rethinking that architecture from the ground up.

The default assumption

When institutions adopt online proctoring, the default assumption is: integrity requires surveillance.

Video recording. Face scans. Keystroke logs. Browser monitoring. All of it uploaded, stored, and -- in many cases -- processed by third-party AI systems. Students are asked to consent to this as a condition of sitting their own exams.

The framing is understandable. Exams are high-stakes. Cheating has real costs. But the architecture built to prevent cheating has created a second problem: it collects far more data than it needs, stores it far longer than it should, and exposes students to risks that have nothing to do with academic integrity.

What "data minimisation" actually means in practice

GDPR's Article 5(1)(c) requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". The regulation itself labels this the data minimisation principle.

For online proctoring, "necessary" should mean: data that helps determine whether a candidate was acting with integrity during their exam. That's a narrow scope. But most proctoring platforms interpret it far more broadly:

  • Video recordings of the exam room -- stored for 30-90 days. Useful for disputed incidents. Not necessary for the vast majority of sessions that conclude without incident.
  • Biometric face vectors -- extracted from video to verify identity. Sensitive data under Article 9 GDPR. Often retained indefinitely.
  • Keystroke and mouse movement logs -- collected continuously. Not strictly necessary for determining integrity; behavior patterns during an exam are not the same as evidence of cheating.
  • Environment scans -- photographs of the room. Often stored alongside video. An entire private domestic space, captured.

The argument that "students consent" doesn't resolve this. Consent under GDPR must be freely given, specific, informed and unambiguous (Article 4(11)), and the regulation treats consent as suspect where there is a clear imbalance of power between the parties -- conditions rarely met when proctoring is a mandatory requirement for course completion.

The asymmetry the industry ignores

There's a structural asymmetry in how proctoring platforms handle data:

  • Students bear all the privacy risk. Their biometric data, home environments, and behavioral patterns are stored by third parties they have no real relationship with.
  • Institutions bear the compliance risk. Under GDPR, the institution is normally the data controller and the vendor its processor. When the vendor has a breach, or retains data beyond its stated purpose, it is the institution, as controller, that answers to the regulator for the processing -- and the students who suffer the harm.

This asymmetry is baked into how most proctoring tools are sold. Privacy is positioned as a feature of the platform, not as a fundamental design constraint.

A different architecture is possible

ProctorSafe was designed from the opposite assumption: nothing leaves the student's device unless it has already been evaluated as relevant to exam integrity.

The browser-based SDK runs entirely on-device. Keystroke patterns, tab-switching behavior, focus events -- all processed locally. Only the output leaves the device: a small, HMAC-signed event log containing timestamps, event types and trust scores. No video. No face scans. No room photographs.

From a GDPR perspective, this changes the compliance posture entirely. The data controller (the institution) is no longer responsible for the security of video archives they never collected. The purpose limitation question almost resolves itself -- the data being transmitted was only ever generated for integrity assessment.

What this doesn't mean

It doesn't mean proctoring should be lax. The trust score system still flags anomalous behavior for human review. Institutions still control their own threshold policies. But the data trail is proportionate to the actual question being asked: was this exam session conducted with integrity?

The industry has spent years optimising for proctor comfort -- features that make review easier, archives that protect institutions from liability. That's understandable. But those features came at students' expense.

The alternative is an architecture that takes both sides seriously: effective integrity tools, and privacy that doesn't require a trade-off.