Test Piracy: The Darker Side of Certification

Originally Published in Certification Magazine, 1/2003

It’s no surprise that one definition of piracy in the dictionary is “an act of robbery on the high seas.” But a second definition states, “the unauthorized use of another’s production, invention or conception, esp. in infringement of a copyright.” Except for the “high seas” part, both definitions of piracy describe exactly what has been going on in the darker places of IT certification. Stealing questions, changing test results, taking tests for someone else and unauthorized use of materials during testing are some of the daring, illegal and unethical actions becoming more commonplace as individuals attempt to achieve unearned certifications. The problem has become epidemic, and serious efforts are underway throughout the industry to combat it.

But here’s the bright side: Today’s piracy efforts for the most part are juvenile, occur infrequently, remain unorganized and have occurred in an environment of trust and developing technology. With industry-wide support and organization, along with new tools and industry commitment to protecting the value of certification, these piracy efforts can be countered.

Scope of the Problem: Larger than IT Certification 

In August 2002, the Educational Testing Service (ETS) temporarily suspended testing of the Graduate Record Exam (GRE) in China, Korea and Taiwan because of suspicious testing patterns in these regions, as well as Web sites with questions and answers from live GRE exams. Paper-and-pencil testing was re-instituted in these countries. More recently (October 2002), the National Board of Podiatric Medical Examiners canceled the scores of 272 students from four schools because there was evidence that the students had the test content before the scheduled exam date.

Recently in Massachusetts, 19 teachers, administrators and students broke the rules for administration of a statewide assessment known as the Massachusetts Comprehensive Assessment System (MCAS). Teachers sent test questions to colleagues, returned test booklets and asked students to revise them and gave some pupils two days instead of one to complete the test essays.

In IT, results of a recent survey of 629 respondents indicated that 86 percent of certification candidates felt that it was acceptable to use “brain dumps,” Web sites that contain illegally obtained questions from live exams, to prepare for the exams. Only 9 percent felt that such an activity was cheating.

A few years ago, Nancy Cole, president of ETS, described the United States as a “nation of cheaters” and cited evidence to support her claim that cheating has become commonplace, with up to 98 percent of college students admitting to cheating in high school (Miami Herald, Dec. 15, 1998). Other researchers, Linda Trevino, a professor at Penn State, and Donald McCabe from Rutgers reported that cheating on tests for college students increased from 25 percent to 50 percent between 1963 and 1993 (reported in New York Times, May 10, 2002).

It is clear that when the stakes are high, such as those for certification/licensure or college admission exams, the motivation to cheat or commit other types of testing fraud exists. Individuals will try to get a higher score or a passing decision without having the sufficient skill or knowledge. While there are many honest individuals, it must be recognized that others will try to gain from the lack of security measures taken to protect exams and the programs that rely on them.

Computerized Testing: Good News and Bad

There is no doubt that the switch from paper-and-pencil tests to computerized tests has improved the security of the exams. In fact, the major security problem associated with paper-and-pencil testing, that of students copying the answers from students sitting near them, has been completely wiped out by the computer’s ability to present questions in a random order. Here are some other security advantages:

Complete and equivalent test forms are randomly selected. Test-takers can’t anticipate which set of questions they will see.

Computerized adaptive testing creates individually tailored exams, reducing the exposure level of questions and making it difficult for less competent individuals to succeed by cheating.

Encryption and password protection provide secure transmission of tests and test results.

Test development that is entirely computerized prevents the copying and distribution of question pools and tests.

Now the bad news. One of the major advantages of computerized testing to certification candidates is the ability to give the test any time at convenient locations. Some IT certification tests have been available for more than two years. This convenience brings with it a huge security problem: It lets earlier test-takers share questions with later test-takers. Paper-and-pencil tests do not have this problem, because they are usually given only once a year at set locations. While the best solution to this problem is to increase the size of the item pool and create more test forms, this takes time, uses valuable resources and is expensive.

Types of Security Problems 

What exactly are the types of security problems occurring in IT certification? I have categorized them by those occurring before, during and after testing. Here are two or three examples of each. The examples aren’t all from IT certification tests, but illustrate what has occurred or what is possible:

Before Testing

Arranging to have someone take the test for you. Last year in the United Kingdom, an employee of a testing center offered a passing score to anyone who would pay him his asking fee, about $500. He would have the candidate meet him at the testing center where he would perform the required security measures. Then once the test began, he would answer the questions for the candidate.

Obtaining the questions prior to taking the test. One of the more popular forms of testing fraud occurs when a certification candidate obtains alleged actual test questions prior to taking the test. This is done in several ways, but the most popular seems to be visiting brain-dump sites. Brain dumps are Web sites where others who have already taken a particular test have supposedly memorized the questions and placed them on the site. Sometimes the access to the site is free, but often the candidate pays a fee to receive access to the questions.

During Testing

Using unauthorized materials. IT certification candidates have been caught bringing a wide variety of “aids” with them into the actual room where tests are delivered. These include copies of training and technical manuals, PDAs, digital cameras, tape recorders, cheat sheets (papers with information on them that would help to answer questions) and blank paper for copying questions and options. These and other materials and techniques are, of course, forbidden and should have been left outside the testing room.

Receiving help during the exam. Because many testing centers exist within the walls of training centers, there exists strong motivation to help the center’s students pass the test. On occasion, instructors or other employees of the training centers have “helped” the examinee answer questions. While this wasn’t necessarily done for a fee and may even have been spontaneous, it is still an example of fraud.

Leaving the testing room for the purpose of getting help. During lengthy tests, it is possible to obtain permission to leave the testing room to get a drink of water or to go to the restroom. Some test-takers have taken advantage of this privilege and have used it as an opportunity to consult unauthorized materials or ask someone for help.

After Testing

Memorizing questions with the intent of sharing them later with others. A few years ago, a test-preparation company hired individuals to take the GRE in its computerized form, memorize the questions and return and report. The questions were then used to create more accurate and realistic practice materials. In IT certification, the same practice occurs, particularly for more popular exams.

Changing the test results after the test has been taken and failed. Attempts have been made to hack into the testing center systems to access the test results and make changes to the data, raising the score and changing the fail decision to a pass decision.

I could provide examples of other types of fraud and more examples of the types I listed; however, it is clear that testing fraud is not limited to a single type of behavior. The creativity of individuals desperate to pass a test (or make money off the desperation of others) is alive and well.

Costs to You and Others 

A new IT certification test: $35,000. A new test question: $350. Confidence in a test result: priceless.

A secure test that accurately measures the competence of each test-taker from the time it is published to the time it is retired is a very important tool to you, to the certifying body and to the industry. If it serves its purpose, it provides unshakeable confidence in the holder of the certification. The certifying body can confidently stand behind the individual, and those hiring the certificant can expect a level of competence equal to the job needed.

Once the test is compromised, the confidence in the test is shaken. This triggers the decision to create more items, more forms of the test and perhaps an entirely new test, bringing to bear at least the costs given previously. And let’s be clear on this point: Those costs are eventually going to be taken out of the test-taker’s pocket in the form of higher fees. In fact, the existing price of a test today is higher because of the costs of managing security. With the increase in security issues, that cost will rise even more before all is said and done.

Of course, the rising costs to a program are small compared to the decreasing value of the certification. Each instance of violation reduces that value in a very real sense for the particular certification, as well as the industry as a whole.

So, What’s Going to Happen Now?

There are specific actions being taken by organizations as well as industry-wide efforts to combat the fraud that is occurring. There is no doubt that efforts will be doubled, money will be spent, and legal action will be taken. Because the issues are so damaging to the industry, organizations will join to share expense and information, and to support one another’s efforts.

An industry security group has already been formed, the Information Technology Certification Security Council (ITCSC). The ITCSC, supported by the Association of Test Publishers and CompTIA and comprised of active and influential IT certification programs, has as its mission, “To promote and protect the integrity and value of IT certifications for test-takers, employers and the industry through enhanced security standards and public awareness.” The ITCSC will be influential in producing guidelines and standards of test security, developing industry policies, promoting collaboration within the IT industry and with national and international organizations. More information about the ITCSC can be obtained from its Web site at www.certsecurity.org.
Security efforts in IT certification will focus on detection and prevention. Obviously, detection refers to detecting or discovering an instance of testing fraud, either after it has already occurred or while it is in progress. This can occur at any number of levels: making sure a test-taker is authentic, validating test results and data transmissions, etc. Prevention efforts will make sure that attempts at fraud will be unsuccessful, eliminating opportunities and reducing further motivation to cheat. I believe that both detection (followed by action) and prevention activities will be ultimately very successful in reducing instances of fraud to relatively harmless levels. Let’s take a closer look at what these efforts might look like.

Appeal to Candidates

It’s a fact that many candidates cheat. It is to these people that anti-piracy messages are targeted. Efforts have been made to describe the reasons why cheating on certification exams is a bad idea, that it raises costs and devalues the certification. The premise is that certification candidates, being adults, will be persuaded by the reasoning and will cease doing things to harm the program and themselves. Hopefully they will also help to monitor and report the activities of those who prey upon the industry for personal gain. Visible PR campaigns will help spread the anti-piracy message, and incentive programs will encourage involvement and improvement.

Reduced Exposure to Questions 

Of course, with a single set of items, a certification test is at great risk. But when the pool of items is large enough to support many equivalent forms, it is more difficult to memorize all of the questions and pass on any practically useful information to others. Most IT certification exams use two to three forms. This can be increased if necessary.

Computerized adaptive testing is a measurement technology currently in use by several IT certification programs. The test presents questions based on how the person has answered previous questions, essentially tailoring a unique test for each candidate. This technology can provide a valid and reliable certification decision using 40 percent to 70 percent fewer items. Obviously, tests built in this way are very difficult to exploit. Items memorized are quite useless, since it is unlikely they will be seen on subsequent exams by other test-takers.

Also, it is possible to stop tests early for good reasons. For example, if a person has answered enough questions incorrectly that he has logically failed the test, there is no reason to show any more questions. The test should stop immediately, and a fail decision should be given. Similarly, if a person has answered enough questions correctly to pass the test, the test should be stopped.

A test can be stopped if it is suspected that the test is being taken for reasons other than obtaining certification. Item response theory, a measurement theory providing interesting applications to high-stakes testing, provides the statistical foundation for discovering inappropriate patterns of answers. For example, a test is obviously appropriate if a person is able to answer more easy questions correctly than moderate questions, and more moderate questions correctly than difficult questions. An abnormal pattern can be easily detected if the test-taker answers the same percentage of questions correctly whether they are easy or difficult or, even more strange, a person does better on the difficult questions than the easy ones.

Patterns of responding based on correct/incorrect answers and the time it takes to answer can be analyzed as well. Keep reading for more detail on this approach in the Data Analysis section.

Tighter Security During Development 

While security problems during development have been rare, tools and procedures used during the development of a test must ensure that test questions are kept secure. Access to item banks must be tightly controlled. Transmission of item banks should be encrypted and password-protected. There should be no paper versions of items available for any purpose.

Tighter Center Security 

Many security problems occur because of sloppiness or intentional laxity at testing centers. Consequently, this has been a strong target for improvement. Better monitoring of center performance, better training and selection of personnel and harsh de-authorization and criminal penalties have all been used to strengthen the security at centers over the past few years.

The use of biometrics, techniques to verify the identification of candidates, promises to reduce the number of problems associated with individuals taking tests for others. Imagine a center where a person has to provide a thumbprint prior to taking a test. Immediately the center accesses a database and matches the thumbprint with the name of an individual in the database. The name is compared to the ID provided by the candidate. If it all checks out, the candidate is allowed to take the exam. The exam results are then forever connected to the name and thumbprint of the candidate. That person would not then be able to take the test for another person. If a thumbprint were shown to match more than one name, the test would not be allowed to continue, and all records would need further examination.

Improved Data Analysis Tools 

Probably the area that holds the greatest potential for fraud detection is the use of sophisticated data analysis tools. Taking a test results in the production of data. Two important pieces of data collected are right and wrong answers and the time to answer a question. It is possible, for example, to use the time it takes to answer each question to determine that a person was taking a test appropriately. Inappropriate tests can be easily detected. For example, if a person is taking the test for the purpose of memorizing questions, she will have an unusual response-time pattern compared to those who are trying to answer the questions. See the chart for a list of three test-takers and their response-time patterns for a prominent certification program. The average response time is also given, with the questions ordered from briefest to longest. Notice the correlation of response times for the appropriate test and the lack of correlation for the inappropriate ones.

As more is known about how tests are taken appropriately, it is possible to monitor tests in real timeÐwhile the test is in progressÐand determine before it is finished if the test-taker is behaving as a motivated candidate or is taking the test for some other reason, perhaps only to memorize questions.

Data analysis tools are currently being used to study pass rates at testing centers across different countries or regions of the world. Even testing patterns for individuals can be analyzed. Can you imagine a reason why a person might retake a test after he has passed it? Such a pattern should be available as the person attempts to retake the test and could be used to prohibit it.

Legal Solutions 

Those involved in testing fraud can expect aggressive legal action in the future. In August, Microsoft announced the successful prosecution of a man who pled guilty to the theft of trade secrets. He had sold stolen versions of several Microsoft exams on his Web site. The FBI investigated the case, and it was prosecuted by the U.S. Attorney’s office.

In another recent and ongoing case dealing with testing fraud, defendants were indicted for arranging to have people take a test for them. The test involved was the Test of English as a Foreign Language (TOEFL), owned by the Educational Testing Service of Princeton, N.J. The U.S. Attorney’s office used the federal mail fraud statute to prosecute the individuals.

As certification candidates, each of you signed non-disclosure agreements stating that you would not disclose any material that you saw on the exam. That agreement is a legal binding agreement that could serve as a strong basis for legal action.


Quality certification programs are difficult and expensive to build. They provide high value to the organization sponsoring the certification, to those holding the certification and to those using the credential for decisions on partnering, hiring, promoting, etc. Certification in IT is a healthy, growing enterprise, serving a specific purpose.

The certification industry will continue to support certification efforts and will respond to direct threats of piracy and other types of testing fraud with effective efforts at detection and prevention. Fraud that is discovered will be dealt with quickly using appropriate, including legal, means. Those of you who value your own certification should applaud these efforts.

David Foster

President and CEO, Caveon Test Security