What National Security Can Teach Us About Protecting Our Exams

June 20, 2017

Written by Alison Foster, Test Security Specialist

If you have been paying attention to some of the under-the-fold news of the past week you might have come across a scoop from a journalism website called the Interceptor titled “Top-Secret NSA Report Details Russian Hacking Days Before 2016 election.” The source for the story was a classified NSA report that the news outlet had received from an anonymous informant, and a photograph of this official-looking report was included in the article.

While the story itself is both arresting and highly pertinent, what I found particularly interesting were the events that took place immediately after the article’s publication. Within one hour of the report appearing online, federal agents arrested a government contractor and charged her with leaking classified government information. I was flabbergasted, how did they find her so quickly?

Here is the long and the short of it: by posting the picture of the classified document online, The Interceptor accidentally outed its own source. The photograph of the document showed a near-invisible digital watermark applied by the NSA’s printer. This watermark identified the printer serial number, as well as the time and date the document was printed. Once the FBI saw this watermark in the photograph, it was a walk in the park for them to match it to the account that printed it.

Quite simply, the document was tagged with an oh-so-useful “stolen by” marker. A digital watermark is a concealed fingerprint—nearly invisible to the naked eye, but as clear as a bread crumb trail to a trained examiner. In this instance, it led FBI investigative teams directly to the woman responsible for sending the classified data to the news outlet.

The NSA isn’t the only organization that uses watermarks to fingerprint and track their valuable information. In fact, the glitzy world of Hollywood (the exact opposite end of the spectrum from the dour hallways of government security) also relies on watermarking to protect its intellectual property.

Every year, when awards-season hits Hollywood, the Motion Picture Association of America (MPAA) sends more than 7000 “screener DVD’s” of the Oscar nominated films to the individuals who vote on them. The voters view the films, cast their votes, and then return the DVDs to the MPAA. However, most of these films have yet to be released to the public, and the film industry cannot risk losing millions of dollars if even one of them is casually misplaced and uploaded onto the Internet. (In past years, the MPAA was forced to stop sending screeners all-together because so many of the voters were sharing their copies online.)

To protect these DVD’s from falling into the wrong hands and to reinforce just how serious the MPAA is about protecting its content, each DVD is stamped with a watermark (a string of data code inserted into each frame of the film) that is specific to the individual who received the screener. If the film were to appear online, the film industry would know exactly which of those 7,000 voters was at fault (either they shared it themselves or weren’t careful enough with their copy and allowed it to be stolen), and they would be prosecuted to the full extent of the law. The voters are perfectly aware of these consequences when the accept their screener DVD. Needless to say, it is a strong deterrent.

Both the NSA and the MPAA have decided that they cannot risk their information being leaked to the public; the consequences are just too great. They have allocated huge budgets for instituting strong, and all-encompassing security plans with various tactics designed to prevent, detect, and deter individuals from stealing and/or leaking their information. For them, watermarking is an integral part of this plan. Not only can watermarks be used to track down the thieves, it also deters them.

We in the assessment field need to learn from Hollywood, from the National Security industry. Like them, the testing industry is constantly under attack by people who want to steal our information and release it to the public.

We need watermarking.

We need it for the deterrent effect it has on would-be cheaters and thieves. We need it to help us track down those people who steal the test questions we spend so much of our time and resources creating. Digital watermarking should be an integral part of every test program’s test security strategy.

The wonderful thing is, there are programs and software out there now that make digital watermarking our exams not only possible, but shockingly easy. Caveon’s Secure Exam Development ™ is one such program. Working in tandem with Caveon Technology, it is now possible to not just incorporate watermarking into the test development process, but to automate it.

Just think of the possibilities. Watermarking can be embedded in an exam’s development, increasing the security of each test question with a minimal drain on time and other resources. With Caveon Scorpion™ watermarking can be incorporated into the development of each item, and with Caveon SEI™, a watermarking stamp can be implanted in each screen of a published test. Cheaters and thieves beware, we now have built-in breadcrumbs to lead us directly to you!

The lesson here is simple. If watermarking is necessary to protecting highly classified national security intelligence, if it is vital to protecting billion dollar Hollywood films, then it should also be a mandatory defense for protecting our tests. With the release of new software, such as Scorpion or SEI, this goal is easily achievable. It is time to start leaving our own trail of breadcrumbs.

Alison Foster

Test Security Specialist, Caveon Test Security