Tale 2014 7062621
Abstract—This paper presents a method to deliver course rankings that maintain student confidentiality while still allowing students to selectively prove their position in a class to others if they wish. The method’s selective anonymity is implemented through a secure hashing algorithm that is designed to protect student privacy even where a student’s name, their student ID, their project teams and the student’s ranks for other work items are known. The paper includes results showing student perceptions of the approach and the impact on their performance for a second year Computer Science course at the University of Waikato in New Zealand.

Keywords—Student Privacy; Grade Rankings; Course Hashes

I. INTRODUCTION

Once upon a time, there was a set of students who lived in a land without mobile devices, free internet and social networking sites. Each semester the students took part in a tournament organised by an ivory tower and their names and results were released as rankings on a large notice board in a public arena for all to see. The rankings were respected as being a fair and transparent indicator of achievement in the field and were far preferred to the approach of the neighbouring kingdom where every competitor was simply given a letter grade of A for “A”ttendance which the people criticised as not rewarding individual effort and hiding information from future patrons.

But then one day there came a magical wind of change that connected all the students through mobile devices, free internet and social networking sites. The change brought great opportunity for the students but also great risks given the traditional named ranking system. In particular some were concerned that an evil mage would misuse the technology to, for example, anonymously cyberbully students both high and low in the rankings and so parliamentary bills were proposed [1] to change the laws of the land [2], [3], [4], [5] to govern the use of the new technology and the ivory towers, whose councils were explicitly charged with the well-being of their students [6], introduced guidelines for dealing with the new technology [7] and changed their approach to the tournaments to publish ranks by student ID rather than by student name.

Unfortunately, the Student ID ranking approach cast a cloud over the land with:

1) students no longer able to use the rankings to demonstrate their position to others,
2) the ivory towers unable to award student prizes without breaking the anonymity of the system and with
3) the ranking of small groups jeopardised by the peril of name identification through grade correlation

and so a quest for a new ranking approach was championed by the ivory towers.

This paper details the result of our quest to find a way to provide student rankings that removes the disadvantages of the Student ID ranking system itemised above while still providing students with the protection of rank anonymity. We begin in Section II by providing an overview of alternate methods that deliver various levels of student ranking privacy and examining their benefits and issues. In Section III we then provide technical details of our approach and show how it addresses all the issues inherent in the Student ID ranking system and in Section IV we provide results from an initial case study of the use of our approach by students on a core Computer Science course at the University of Waikato.

II. BACKGROUND

In this section we review several approaches to delivering student ranks and identify a set of characteristics that we can use to contrast the different approaches as summarised in Table I.

Table I

Approach        Know Position   Prove Position   Immediate Anym.   Indirect Anym.   Correlation Anym.   Plausible Deni.
Student Name
Student ID
No Rankings
Unique ID
Course Hashes

The traditional Student Name ranking system simply provides a list of student names ordered by their position in the class often with a column of actual mark values. The system has the advantage of being perhaps the most straightforward ranking approach to understand and use and allows students to quickly identify their own position and prove their position in a ranking to others. However Student Name rankings do not provide any form of anonymity and have been largely replaced by Student ID rankings at universities today.

The Student ID ranking system used as standard in New Zealand Computer Science and Engineering departments today can be seen as a simple change to the Student Name ranking system wherein student names are replaced by their student IDs. Student ID rankings have the inconvenience of an ID lookup not seen in Student Name rankings but provide the benefit of immediate anonymity which ensures third parties cannot identify a student from the ranking without further information. Unfortunately, however, immediate anonymity is permanently removed from future rankings if a student’s position in one ranking is disclosed to others, for example through a class prize for top students. Further, Student ID rankings are vulnerable to correlation analysis attacks wherein project team members can identify the IDs of other members in group results and, like Student Name rankings, Student ID rankings suffer from a lack of plausible deniability once a student’s ID is known.

Of course, the most secure ranking system is one that does not exist or is kept entirely private. Unfortunately, while being secure, the No Ranking approach does not allow students to know their own position in a class and has the potential drawback of preventing students from being able to prove their position to third parties, which may be required to join some companies [8] given the risk that letter grade assignments may not be representative of ability and are almost certainly not comparable between course variants, institutions and even years for the same course at the same university.

A secure alternative to not providing public rankings is to provide rankings with a unique ID for each course work item for each student. This approach has the advantage of allowing the student to know their own position in the class, provides immediate anonymity, correlation anonymity and plausible deniability and also provides indirect anonymity which allows prizes to be given for a work item without disclosing the unique ID mapping for other work items to third parties in the case where the unique IDs are randomly assigned. However the approach has the disadvantage of requiring students to manage multiple IDs and of not providing any way for a student to prove their position in a ranking without the university providing explicit confirmation of a mapping.

The ranking approach we present in this work is called Course Hashes. As Table I shows, Course Hashes provide a means to disclose rankings to students in a way that is just as private as using unique IDs but has the advantage of allowing students to demonstrate to a third party that they have a particular ranking position for a work item at any point in the future without the need for a long lived central authority to store the mappings for years to come. Unlike the Unique ID system, Course Hashes have the advantage of not necessarily requiring students to manage multiple keys and have other benefits such as providing plausible deniability even after a student discloses a mapping to “prove” they have a particular position in a ranking, as you will see in the following sections.

III. METHOD

In this section we discuss our approach to generating selectively anonymous rankings. We start with our abstract Course Hash algorithm in Section III-A before describing and analysing our specific algorithmic implementation choice in Sections III-B and III-C. The system architecture used to deliver our algorithmic choice is described later in Section IV-A where we detail our implementation case study.

A. Course Hashes

We define a Course Hash to be a function that maps course and student information to unique IDs for use in rankings. In contrast to the Unique ID system, access to the Course Hash function is provided publicly so students can enter their information to prove their position in a class to others, thus removing the main issue seen in the Unique ID approach as illustrated in Table I.

The student information used in the Course Hash needs to uniquely identify a student but also to provide direct anonymity. To achieve this we can use student IDs and a private key, making our general Course Hash function:

    courseHash(courseID, workItemID, studentID, privateKey)    (1)

The keys need to be provided on a per student basis to prevent enumeration attacks given the low search space of student IDs in most university classes. A different student key can be supplied for each work item for each student to act as work item proof certificates in the hash mapping, or the same student key can be used by a student across multiple work items where a trusted Course Hash Generation Form such as the one presented in Fig. 1 is provided, as in our practical implementation which we discuss further in Section IV-A.

An example of a Course Hash function would be to use the variable block size Spacey Cypher [9] acting as:

    spaceyCypher_bk(courseID.workItemID.studentID, privateKey)    (2)
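The following is an added example, not the paper's own code and not the SaSe service it calls: it instantiates the general Course Hash of Eq. (1) and walks through the three uses the section describes, namely publishing a ranking that carries no student IDs, a third party verifying a position from what a student chooses to disclose, and the enumeration risk that makes the per-student key necessary. The keyed function is assumed to be HMAC-SHA256 over the dotted courseID.workItemID.studentID string (the paper's own choice is the Spacey Cypher of Eq. (2), and its case study uses a SHA1 computed by the SaSe service); only the 12-character base64 truncation follows the 72-bit Course Hash ID the paper's Fig. 2 describes. Course code, student IDs, keys and marks are constructed sample values.

```python
"""Course Hash ranking walk-through (added example; not the paper's code)."""
import base64
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple


def course_hash(course_id: str, work_item_id: str, student_id: str, private_key: str) -> str:
    """Eq. (1): courseHash(courseID, workItemID, studentID, privateKey).
    Assumed construction: HMAC-SHA256 keyed with the student's private key,
    base64 encoded, first 12 characters (72 bits) kept as the Course Hash ID."""
    data = f"{course_id}.{work_item_id}.{student_id}".encode()
    digest = hmac.new(private_key.encode(), data, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:12]


def publish_ranking(course_id: str, work_item_id: str,
                    marks: Dict[str, int], keys: Dict[str, str]) -> List[Tuple[int, str, int]]:
    """Build the public ranking as (rank, Course Hash ID, mark) rows.
    Rank is 1 + the number of strictly higher marks, so tied students share
    a rank. Student IDs and keys never appear in the output."""
    rows = sorted(((course_hash(course_id, work_item_id, sid, keys[sid]), mark)
                   for sid, mark in marks.items()), key=lambda r: (-r[1], r[0]))
    return [(1 + sum(1 for _, m in rows if m > mark), hid, mark) for hid, mark in rows]


def verify_position(ranking: List[Tuple[int, str, int]], course_id: str, work_item_id: str,
                    student_id: str, private_key: str) -> Optional[int]:
    """What a third party does with a Course Hash Generation Form: recompute
    the ID from the values the student discloses and look it up in the
    published ranking. Returns the rank, or None when nothing matches."""
    hid = course_hash(course_id, work_item_id, student_id, private_key)
    return next((rank for rank, row_hid, _ in ranking if row_hid == hid), None)


def unkeyed_hash(course_id: str, work_item_id: str, student_id: str) -> str:
    """The same construction WITHOUT a private key, kept only to show why
    the paper insists on per-student keys."""
    data = f"{course_id}.{work_item_id}.{student_id}".encode()
    return base64.b64encode(hashlib.sha256(data).digest()).decode()[:12]


def recover_student_unkeyed(target: str, course_id: str, work_item_id: str,
                            candidate_ids: Iterable[str]) -> Optional[str]:
    """The enumeration risk named in the paper: with no key, the small
    student-ID space of one class maps straight back to an identity.
    Against a keyed Course Hash the same walk finds nothing."""
    for sid in candidate_ids:
        if unkeyed_hash(course_id, work_item_id, sid) == target:
            return sid
    return None


# Constructed sample class: four student IDs, hypothetical per-work-item
# keys (the "work item proof certificate" option) and marks for two items.
COURSE = "COMP200"
TEST_KEYS = {"1000001": "k-alpha-t", "1000002": "k-bravo-t",
             "1000003": "k-charlie-t", "1000004": "k-delta-t"}
ASSIGN_KEYS = {"1000001": "k-alpha-a", "1000002": "k-bravo-a",
               "1000003": "k-charlie-a", "1000004": "k-delta-a"}
TEST_MARKS = {"1000001": 71, "1000002": 88, "1000003": 88, "1000004": 54}
ASSIGNMENT_MARKS = {"1000001": 90, "1000002": 60, "1000003": 75, "1000004": 82}


def demo() -> Dict[str, object]:
    """Publish two rankings and show what one disclosed key does and does not prove."""
    test_ranking = publish_ranking(COURSE, "test1", TEST_MARKS, TEST_KEYS)
    assignment_ranking = publish_ranking(COURSE, "assign1", ASSIGNMENT_MARKS, ASSIGN_KEYS)
    # Student 1000001 proves their test position by disclosing ID and test key.
    proven = verify_position(test_ranking, COURSE, "test1", "1000001", TEST_KEYS["1000001"])
    # The disclosed test key says nothing about the assignment ranking: the
    # per-item key acts as a proof certificate for that one work item only.
    cross_item = verify_position(assignment_ranking, COURSE, "assign1",
                                 "1000001", TEST_KEYS["1000001"])
    return {"test_ranking": test_ranking, "assignment_ranking": assignment_ranking,
            "proven_rank": proven, "cross_item_rank": cross_item}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Ranks in `publish_ranking` are sorted by mark and then by hash ID, so the published order leaks nothing about student IDs even among tied students.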
The form was made accessible on a trusted website for the course hosted on the university web servers [24] and implemented our Course Hash algorithm by simply calling the SaSe Secure Hashing Service [25] over a standard REST-JSON [26], [27] client connection as illustrated in Fig. 2. Note that as we only use student IDs (which are traditionally published and thus considered non-private in Student ID rankings), our generated keys and work item codes in our Course Hash algorithm, we are not sending any personal information such as e-mail addresses or names to the hashing service. Having said that, it should be noted that the case study architecture is not immune to Pharming attacks and so trusted networks or clients secured with techniques such as [28] are assumed when verifying a student Course Hash ID mapping and in any case, the form of Fig. 1 makes students and third parties aware that official verification is still required in order for ranking positions to be relied on.

Fig. 2. Illustration of our Course Hash implementation architecture using the SaSe Secure Hashing Service [25] to perform hash calculations. The response from the SaSe service is a base64 encoded SHA1 of the passed data string from which the first 12 characters are shown as the 72-bit Course Hash ID by the course web page JavaScript code.

B. Student Reception

To this point we have considered laws and bills currently before parliament [1], [2], [3], [4], [5], [6], hybrid cyphers [9], cryptographic hashing algorithms [13], the Birthday problem [17], [18], High-Performance Computing [19], [20], [21] and provided formal probabilistic bounds on clashes with repeating and non-repeating key selections over large search spaces. While this level of complication was necessary to motivate the need for Course Hashes and analyse the security of our algorithmic choice in a robust manner, it should be recognised that users only need to be able to enter their student ID and key in the form of Fig. 1 to be able to actually use Course Hashes. However, this “black box” usage simplicity does not mean that our case study implementation can be considered user friendly in requiring, as it does, private key lookups in Moodle, typing of keys and student IDs into a public hash generation web page and then a final grade lookup in a separate ranking PDF document. Despite this lack of integration, the students adopted the implementation without significant issue and were mostly enthusiastic about the new ranking approach as we demonstrate with anecdotal and survey evidence in the remainder of this section.

We introduced the idea of Course Hashes to students on the COMP200 course through a Moodle notice explaining that rankings could not be given for the course by student ID if we were also going to give prizes to the top students and so we were introducing an alternative ranking system. Technical details of the Course Hash approach were not given and we did not explain the alternate approaches considered like Unique IDs in the e-mail. We followed the initial notice up after finalising our Course Hash implementation with a notice explaining how students could get their private keys from the pseudo grade item in Moodle and provided a link to the Course Hash Generation Form of Fig. 1 which has some motivation and usage information above the entry fields.

To assess the ease with which students grasped the concept of Course Hashes we decided to only release the grades of our first returned assessment item (a mid-semester test) through a Course Hash ranking and held off releasing the scores through the Moodle standard grade system. To recap the composition of the case study, there were 115 students enrolled on this core second year course of varying levels of prior computer knowledge and ability but despite this, there was only one request for support after we released the first Course Hash rankings on Moodle. In that request two local students questioned how to get their Course Hash ID from the form and one of those students questioned why they had to use Course Hashes in the first place. Before the support staff had a chance to respond, both local and international students replied to the post explaining that the key required for the hash generation form was the Private Student Key from Moodle rather than, say, the student’s Linux password and detailed the problem with the traditional Student ID ranking system, explaining how they understood and appreciated the anonymity afforded to them by the new Course Hash approach. Given the student responses staff did not need to respond to the support post and Course Hashes were accepted by all as the primary form of grade distribution for the course from that point on.

Following the course we provided the students with an opportunity to provide feedback on their Course Hash experience. We created a survey adhering to Total Survey Quality (TSQ) design principles [29] to try to assess the level to which the students:

1) valued our attempt to protect their ranking privacy,
2) would be interested in more details on the approach,
3) were comfortable using the ID Generation Form and
4) would prefer per work item private keys instead of the single Private Student Key provided,

as well as to collect general feedback on the good and bad points of the students’ initial Course Hash experience and any specific suggestions for improving the implementation and the assessment questionnaire itself (to identify any TSQ usability issues). To satisfy the timelines, accessibility, collection completeness and accuracy dimensions of the TSQ requirements and to reduce measurement, item non-response and processing errors [29] we used SurveyMonkey [30] with ranged radio button and free text entry boxes to collect and collate survey responses. To satisfy the credibility and comparability dimensions of TSQ we provided an optional additional text field on the survey form for students to enter a “Feedback” Course Hash ID which they could generate using the same Private Student Key and form they used to generate the Course Hash IDs for the standard work items of the COMP200 course [24]. The additional Feedback ID allowed us to identify confirmed unique survey responses from actual COMP200 course students without having to provide student personal e-mail addresses or connect student IDs with student views on the externally administrated survey website.

The survey invitation e-mail was constructed according to the Web Survey Invitation Design principles of [31] and e-mailed to the students with two reminders sent over a 1 week period. No prize or inducements were given to complete the survey and in total 26 students responded (22.6%) which is consistent with the student response rates seen in [31].

Table II and Figure 3 summarise the survey results. It can be seen that the responses of the group of students who elected to enter their Feedback ID (whose figures are quoted separately in brackets) are not inconsistent with the responses of the other students in the table who just answered the survey quickly.

Table II (figures in brackets are the Feedback ID respondents; columns SD, D, NAND, A, SA)

Question                                                   SD      D       NAND    A       SA
Comfortable Using the Course Hash Generator       Agree    5 (2)   6 (2)   2 (1)   9 (8)   4 (3)
Would Prefer Per Work Item Keys                   -        7 (3)   7 (3)   8 (7)   4 (3)   0 (0)

[Fig. 3: four pie charts, panels Valued, More Information, Usable and Work Item Keys, with segments SD, D, NAND, A and SA]

Fig. 3. Pie charts corresponding to the total survey result figures of Table II for the questions (from left to right) of whether the students: valued the attempt to protect their ranking privacy, were interested in additional technical details, were comfortable using the Course Hash Generation Form and whether they would prefer individual work item keys to a single key. The segment labels correspond to the SurveyMonkey classifications of: Strongly Disagree (SD), Disagree (D), Neither Disagree Nor Agree (NAND), Agree (A) and Strongly Agree (SA).

The survey used labelled sentiment fields to collect responses, which makes creating an average view difficult without a set of weights that arguably would need to be calibrated on an individual respondent basis. However, taking a cue from SurveyMonkey where the five sentiments are given a linear weighting scale, if we weight the sentiments with the integers from -2 to 2 with negative weights for disagreement and positive weights for agreement, we can summarise the views of Table II as that the students as a group were quite positive about our attempt to protect their ranking positions from discovery by other students and people outside the class (+0.85 average), had mixed views about the need for additional information and on the ease of use of the implementation (+0.04 average for both) and did not think additional work item keys would be of any benefit given the current implementation (-0.65 average). This interpretation of the average student view
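As an added check of the weighting described above (example code written for this page, not the paper's own analysis), the following carries the -2 to 2 linear scale over the two Table II rows that are legible on the page and reproduces the +0.04 and -0.65 averages the text reports, which also confirms that the table columns run SD, D, NAND, A, SA in that order. The bracketed Feedback ID subgroup counts are carried separately so the two groups can be compared; the column order is taken from the Fig. 3 caption, and nothing else is assumed.

```python
"""Weighted sentiment summary of the Table II rows (added example, not the paper's code)."""
from typing import Dict, Sequence, Tuple

SENTIMENTS: Tuple[str, ...] = ("SD", "D", "NAND", "A", "SA")
# Linear scale from the paper: negative for disagreement, positive for agreement.
WEIGHTS: Dict[str, int] = dict(zip(SENTIMENTS, (-2, -1, 0, 1, 2)))

# Table II rows as read from the page: per sentiment, (all respondents,
# Feedback ID subgroup). The first two questions are not legible there.
TABLE_II: Dict[str, Tuple[Tuple[int, int], ...]] = {
    "Comfortable Using the Course Hash Generator": ((5, 2), (6, 2), (2, 1), (9, 8), (4, 3)),
    "Would Prefer Per Work Item Keys": ((7, 3), (7, 3), (8, 7), (4, 3), (0, 0)),
}


def mean_sentiment(counts: Sequence[int]) -> float:
    """Weighted mean of a SD..SA count vector on the -2..2 scale."""
    total = sum(counts)
    if total == 0:
        raise ValueError("no responses to average")
    return sum(WEIGHTS[s] * c for s, c in zip(SENTIMENTS, counts)) / total


def split_counts(row: Sequence[Tuple[int, int]]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Separate the all-respondent counts from the bracketed subgroup counts."""
    return tuple(c[0] for c in row), tuple(c[1] for c in row)


def summarise(table: Dict[str, Tuple[Tuple[int, int], ...]]) -> Dict[str, Dict[str, float]]:
    """Per question: respondent counts and rounded averages for both groups."""
    out: Dict[str, Dict[str, float]] = {}
    for question, row in table.items():
        everyone, feedback = split_counts(row)
        out[question] = {
            "n": sum(everyone),
            "n_feedback": sum(feedback),
            "all": round(mean_sentiment(everyone), 2),
            "feedback_id": round(mean_sentiment(feedback), 2),
        }
    return out


if __name__ == "__main__":
    for question, stats in summarise(TABLE_II).items():
        print(question, stats)
```

The subgroup averages land on the same side of zero as the whole-class averages, which is the "not inconsistent" observation the text makes about the Feedback ID respondents.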