We need to talk about your students

By on 11 Oct 2023

Categories: Community Tech matters

Tags: , ,


Blog home

A Cheetah in the classroom
A Cheetah in the classroom - generated in Dall-E supplied by the author.

What’s the problem with students?

If you work in academia — in network design, operations, security or forensics, or as an academic — we’ll need to talk. It’s about your students, and what they get up to online when you don’t watch. We know, cheating is a topic that most academic institutions would prefer not to talk about. We’d rather talk about our research prowess, the prizes and awards our staff and students have won, the latest rankings, and our shiny new campus facilities and initiatives. But it’s a talk we need to have, and as with the birds and the bees, someone needs to broach the subject. Let that be us here, and perhaps you at your institution. Sit down, be brave, and read on. We need to talk about students cheating, the network, and what to do about it.

To be clear, we’re not talking about cheesy Johnny running out of ideas on question 6b in a hard exam and daring a sideways glance to their neighbour’s exam script to glean a less-than perfect answer to fill that embarrassing little gap. No. we’re talking about students who make systematic arrangements to outsource pretty much all assessments in their degree to third parties, online. We’re talking about students who lie to university staff to get into a position where they can do so. That position will typically be an online assessment.

Picture of a cheetah in a classroom from Dall-e (provided by the author).
Figure 1 — Cheetah in a classroom, Dall-E (from the author).

We have been seeing quite a few cases like these over the last year. But that’s not because our students are inherently less honest than yours. We see them because we’ve started looking. We didn’t always look, and not in the right place. We now see because we look at what the network sees. If you don’t see such cases, then that’s probably either because you don’t look, or you don’t look in the right place. But that doesn’t mean it’s not happening.

A common thread in the cases we see is the central role that the network plays in inadvertently facilitating the cheating in the first place, in inadvertently preventing its detection, and in inadvertently causing balls to be dropped when it comes to prosecution. This is where we believe that academia and the IT services supporting academia can make a significant difference. Let’s talk about where IT can make that difference.

A big factor in the new world of cheating is the move to online assessment platforms, where students submit assessment answers through a web form or upload their work to a web-based platform. They may do so from home — completely unsupervised — or from a computer lab under invigilation.

What we’ve observed

Restricting ourselves to the IT aspects of cheating, we have observed that:

  • Where assessment questions are reused frequently over time and answers are known, students can copy/paraphrase these from online repositories. Have you had a look at whether your questions appear online?
  • Students can obtain answers online with no intellectual input of their own. If students have access to ChatGPT, they can get an instant answer. Or they may engage services purportedly offering tutoring, such as Chegg or Bartleby, where they can obtain answers within minutes; all it sometimes takes is a screenshot of the question taken from a tutoring service app. Unless questions are individualized with systems such as our dividni.com, (if you’re on Canvas or Moodle this is also reachable as dividni.online) it is generally not possible to identify the poster of a question that appears online. Unsurprisingly, tutoring services take the privacy of their users at least as seriously as the academic integrity to which they purport to commit themselves to. Individualization fingerprints offenders.    
  • Many assessment platforms allow more than one concurrent login from the same user account. This allows cheats to engage one or more helpers to process their assessment questions in parallel without input of their own. Where platforms do not allow multiple concurrent logins from the same user, they often allow multiple sequential logins — not as convenient, but one can at least leave the hard bits to the next helper. Even if students use multiple logins from their own devices, it’s a matter of fairness — not everyone has access to a desktop plus a laptop plus a tablet plus a phone.
  • Many assessment platforms do not check or restrict where users access from. This allows an individual student account to answer questions from locations that the student cannot possibly have been in physically. We have seen many cases of students accessing from both campus within the assigned lab and simultaneously from off-campus addresses, in some cases even from overseas. When challenged, the student can claim that the overseas address was a VPN on their laptop — and you didn’t explicitly ban them from using VPNs, or use a single device only, did you?
  • Most assessment platforms log client IP addresses in one way or another, a great way to spot such attempts to access the platform from different and incompatible locations. For example, if a student is supposed to sit an assessment from a lab but the IP address is not a lab address. However, those logs are not always easily accessible. Some require service calls to vendors to procure; others may be refused under some sort of privacy concerns. Also, if the platform is used by many, then it’s likely to sit behind a load balancer, and may log the load balancer IP address only, completely obscuring the origin of the answer.
  • So you have the IP addresses that your students used? How do you find out what they mean and where they are located? APNIC’s RDAP Web is your friend, as are traceroutes to confirm that an address is really in the location you think it is. Are two students seen coming from the same IP address colluding, are they just flatmates, or do they come from the same on-campus (CG)NAT or NATed lab? Interpreting RDAP output is a bit of black art that even your average computer science lecturer isn’t necessarily capable of, so the people who do know how to interpret the magic numbers are a bit of a bottleneck in prosecution.
  • Setting a password for the assessment and only revealing it in the invigilated lab establishes a further hurdle for cheating, but it’s hard to stop students from sharing the password with outsiders during toilet breaks.
  • You still use IPv4 and your lab sits behind a NAT? Then all your students in the lab will access your assessment system from the same IP address. Not a problem? Consider what happens if Alice does her questions first and then logs in as Bob and does his questions for him. You can’t detect that now. With IPv6, the assessment system log would flag them as coming from the same machine, with an address different from everyone else’s.
  • Students in the lab barred from accessing the Internet may elect to bring their own devices, and that could include Mobile SIM and Wi-Fi USB dongles or USB drives with prepared material.
  • We’re all sympathetic to students suffering from sudden family emergencies, but when the death of the student’s fifth grandmother necessitates urgent travel, it’s perhaps worth asking for official documentation. And what would be better to document the travel than an itinerary from the student’s airline or travel agent? They come conveniently in the form of email documents that can be forwarded, too. However, not all academic and administrative staff will necessarily know that these are merely HTML documents, which even the less capable students can easily edit with a simple text editor, even without any HTML knowledge. As network support, you already educate your users about forged emails. But what about recognizing forged digital documents that decisions are based on? Forged evidence is not at all uncommon. We have seen everything from fake COVID tests at the rate of 80 to 100 times the current national incidence, along with other forged medical documents and death notices of unrelated people, to the use of foreign SIM cards and photos taken abroad to ‘prove’ a student’s ‘presence’ there — all to sidestep invigilation.
  • If the family emergency seems genuine, you’d also want to make sure that the student’s IP profile around the time of the assessment is compatible with where they claim they will be. The assessment system provides one record, and of course, students know that this can be made to look as it if came from wherever they need to be — that’s what VPNs are for, and we found that almost all of our students claim to use them. But how about their mobile phone automatically logging into campus Wi-Fi while they’re purportedly overseas? Where does this place them?
  • Online proctoring is a mixed blessing. Say you have a system that records both the student’s webcam and the student’s screen. And then the system produces a confidence score based on how often the student looked away from the screen. Cool AI! Except the student staring at the webcam may in fact be staring at a cam turned 180 degrees to face the back of the screen, with the helper who is actually sitting the assessment being in front of the screen, and the student mirroring typing movements. The helper can then use ChatGPT on a separate device and copy-type the answer over — great score for focus on the screen, and almost guaranteed to fly under the radar. Various variations of this are conceivable. The not-so-great confidence scores require someone skilled to have a look at that as well, of course. Looking at all webcam footage manually takes a few lifetimes, though.
  • Now you’ve caught them cheating, but it’s the first time you have dealt with them. Probably just a slip-up by a stressed-out student, right? Tell them off and they’ll never try it again? Well, some won’t but some, unfortunately, will persist. Who can tell you whether they’re a known cheat that’s already been picked up a couple of times by another department? If there is a central registry of offenders, is it actually being used by everyone who detects an incident?

What to think about

Even with the best logging and technology, prosecution of offenders may fail if certain other aspects aren’t in place. Are students being told explicitly what is and isn’t allowed in terms of tool or device use? If your systems collect IP addresses of parties submitting answers to assessments or accessing other systems, does your institution’s privacy policy cover this and are you able to use this information? Are you allowing the students to use non-institutional VPNs, and if so why?

Are your institution’s admin staff sufficiently IT literate to recognize that they are dealing with an attempt to deceive if students are meant to sit an exam in an invigilated lab, and the assessment system logs them modifying answers from an IP address outside the lab?

The golden standards of security principles equally apply if you want to have secure assessments — zero-trust and defence in depth. Use them!

Image from Dall-E (provided by the author) of Sherlock checking exam papars.
Figure 2 — Sherlock checks exam papers, Dall-E (from the author).

This post was written by Ulrich Speidel and Mano Manoharan. Ulrich and Mano are senior lecturers in Computer Science at the University of Auckland. The APNIC Foundation has supported Ulrich’s research through its ISIF Asia grants.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.


  1. Jukka

    Please no; sounds like more surveillance with poor justifications. Just plan better exams and exercises. Do it even with paper and pencil rather than force unnecessary surveillance upon students.

  2. Ulrich Speidel

    I wish someone could tell me what these much talked-about better exams and exercises look like. Much of what is affected now is the result of “best practice” pedagogy of the last couple of decades. Paper-based exams (which I’m a great fan of) also have invigilators and roll calls – also a form of surveillance, if a little more obvious and direct, and students do complain about overbearing invigilation, too. But we have seen that the moment one goes online and does away with meaningful invigilation – by choice or necessity – large numbers of students take advantage of it, well into the double digit percentages. Many of our students go on to jobs where they will be responsible for software and networks that, ultimately, human lives and property will depend on. We owe it to the people who rely on our graduates’ qualification to ensure that it isn’t obtained fraudulently. There are, of course, different ways to approach this – but we know that educational initiatives such as academic integrity courses have almost no effect. The first step is always prevention – plugging potential exploit avenues. Surveillance only comes in thereafter – it’s more expensive in terms of effort. But our university’s privacy statement also states very clearly that we collect personal information to run our disciplinary processes – and we don’t force anyone to enrol. Intriguingly, almost all students we catch – even hardcore offenders – return in subsequent semesters (where suspension and expulsion penalties allow). Most do play by the rules then.


Leave a Reply

Your email address will not be published. Required fields are marked *