We have a student who has two different IP addresses on his CSV report log for an exam. The test runs on a different IP address midway through his exam. We suspect the student tried to re-enter and continue the exam after exiting our testing room from an outside computer. The student continues to deny any wrong doing indicating that he didn't access the exam from outside the testing center. The student also informed our proctor about the submission prior to exiting the room and he verified the exam was submitted. What are some of the possible reasons why there could be two different IP address on his CSV report file? Is the IP address information completely accurate to hold the student liable for violation of academic integrity in this case?
Solved! Go to Solution.
Hello joelthariath... Welcome to the Canvas Community, and thanks for posting your question here. Unfortunately, I'm not exactly sure how to help. However, what I will do is share your question with the https://community.canvaslms.com/groups/canvas-developers?sr=search&searchId=005e0c40-1bc7-4e21-ac7a-... and https://community.canvaslms.com/groups/admins?sr=search&searchId=0cb475d7-94ba-44fb-bddb-3215f06d9f7... groups here in the Community in hopes that your question will get some additional exposure. If you are not yet following either of these groups, please use the links that I have provided, and then click on the "Follow" button which you will find on the upper right corner of the page. Also, you may need to click on the "Actions" >> "Join group" menu option which you will find near that same area of the screen. I hope this will be of some help to you, Jo. Good luck!
You left out a lot of information that needs examined before you can establish a violation of academic integrity, and without that information, a change of IP address alone is not sufficient.
It is possible that the IP address can change in the middle of a session and that should not be used to limit a session. By itself, it is not convincing evidence of wrong doing. It is an indicator that may suggest wrong doing, but it can happen without any action on the users part.
HTTP requests are designed to be independent, meaning that you do not open a single connection to Canvas for an exam and maintain that same connection throughout the exam -- each request, each answer submitted, each tracking status, etc., is made with a new connection and the IP address can change.
Many connections to the internet are behind firewalls or NAT devices so that many devices can use the same IP address rather than each device getting its own IP address. Our home connection has one IP address to the Internet, which is what Canvas would see, but there are a dozen or so connected devices coming from that single device. With every reboot of the modem, our IP address changes. Sometimes our ISP changes it on their end without us rebooting the modem. They also use some kind of proxy system that intercepts our requests before sending them directly to the internet for processing (when I mistype a hostname, I often get a search page from my ISP with suggestions rather than just the error that it couldn't be found).
A common scenario among schools may be that there is a range of IP addresses that come from the school or the testing center. You didn't specify whether the IP address changed a little from one school IP to another one or whether it was completely different as in it changed from a school IP to a local cable provider's IP.
If the exam was set up with just a single attempt and the student submitted it during the time they were in the testing center, then it's not the student coming back after exam to try and finish it, they wouldn't be able to get in. If you allow more than one attempt on a quiz that needs to be proctored, then you need to make sure you limit it to a single attempt. If your school provides a specific IP address or range of IP addresses that can be tied to the testing center, then you can put those in the quiz restrictions to make sure they're in the testing center. There are other security features that you can use; be sure to check out Quiz Settings to Maximize Security .
I suppose that it is possible that a student had an accomplice already logged into their account and coordinated the effort so that the student would go into the testing center and begin the exam while the accomplice would come in at a specific time and finish the exam for them and then the student would leave. I'm not sure about your testing center, but ours is set up so that the proctor can see what is on each student's screen and if this was happening, then the student's screen would look like they weren't doing anything unless they kept refreshing the browser page so the answers started appearing.
The quiz audit log ("View Log" from the quiz moderation page), if enabled, can provide information. It doesn't provide the IP address, but it does show the behavior. If there is a continuous workflow, then it's unlikely that the student coordinated with an accomplice.
You may need to involve your Canvas Admin who may need to get the IT department involved as well. The Canvas Admin can look through the page view logs and see if the student was doing other things at the time -- it may be that the accomplice wasn't already logged in and waiting. That might show evidence of something else going on (or it may not either). There may be IP addresses that can be used for tests taken in the testing center that whoever creates the exam (instructional designer or instructor) needs to put into the quiz settings.
Of course, the student doing other things at the same time they were taking an exam may not be intentional wrong-doing either. There have been times I've sat down at my computer and start doing things in Canvas just to find out that my wife had logged in was doing things. It usually takes me a few clicks to realize that things aren't right and log her out and log back in myself. If someone were monitoring her actions, it would look like she was doing something from home while she was at work.
Thanks for the reply. Our canvas administrator is involved and the only two things we find to be questionable is the browser data (there is change in browser from 56 to 57) and the IP address (changes to a different one midway through the exam). There is also a delay of 5-6 minutes between when the exams bumps from one IP address to the other according to the CSV report. What other information could we look at to confirm if there is a violation of academic integrity involved. I know you suggested the quiz log, but that appears to show appear workflow.
The jump in browser is suspicious. Given the numbers you're quoting, I'm going to assume it's Firefox (Chrome is on version 62). Normally Firefox only asks you to upgrade when you first load the browser. It would be unusual for a student in a testing center to restart their browser during an exam. If they does upgrade, it should not take 5-6 minutes to complete the process and get back into the quiz, although I suspect you're using "delay" in a manner different to what I'm using it. By "delay", I interpret that to mean that there is no work for 5-6 minutes and then the IP address changes. I suspect you mean that the switch to the new IP happened about 5-6 minutes after the quiz was began. You mentioned that the audit log shows that there was a workflow, which is why I wonder if we're understanding the word differently. It can make a big difference whether there's a pause in the workflow of 5-6 minutes or the change just happened after 5-6 minutes.
Some schools lock down the browser and use the Extended Support Release (ESR) so that they can check out changes before releasing them to the students and making sure that they're not going to cause problems. Your school doesn't appear to be doing that as the ESR is currently on version 52. Others lock down their computers so that students can't install new software. You could check the computer that the student was using and see if it is now on FF57.
Did the change in the browser version correspond to the change in the IP address?
Browser user agent strings can be faked and they make extensions that do it easily. You can make Firefox look like Chrome. The recommendation is that you check for the capabilities of the browser rather than relying on the user agent string, but there are libraries that use the user agent string to detect what a browser is capable of. While it is possible that a student changed their user agent while keeping the same browser, it is very unlikely that it would happen in the middle of an exam where the student is focused on other things. I'm giving the possible defense of a student. Nothing you have given so far is indisputable evidence by itself. Together, it is suggestive that something went wrong.
If I sat on the judicial board and you brought the evidence that you've provided here, I would let the student off with the evidence being circumstantial and encourage you to better prepare your case next time. Of course, I don't sit on the judicial board, but you have too many unanswered questions here to convince me that there aren't reasonable explanations. You may have that evidence and you're just not presenting it here, but I can't be convinced with what you have provided. You seem to be on a fishing expedition, looking for something, without really knowing what it is you think the student did. Your story of what you think happened changes.
What I just described is to be expected. You're in the exploratory phase and that's what happens now. You learn more about the situation, you find out more information, your hypotheses change. Before you accuse a student of violating the academic integrity policy, you need to come up with the most reasonable and detailed explanation of what happened that you can.
I'm going to give you a list of questions that you should know the answers to, at least as best as you can. You should not answer these questions here in the Community, but answering to yourself will help convince you whether or not you have a case against the student. They are things that I would want to know if you brought the case to me to adjudicate.
Figure out what you're accusing them of and then gather then evidence that will convince someone that they did that. There is rarely a smoking gun when it comes to cheating, it's a case that you build and going through those questions will help you decide whether or not you have the case.
You may not find irrefutable evidence of wrong doing and suspicious things often have innocent explanations, but the simplest solution is often the right one, and if a student comes up with elaborate explanations, that might works against them as to believability, especially if those change as more evidence comes forward.
Things can be explained -- like the browser froze on me during the exam and after waiting a while, I decided to restart it but it came up saying it was time to upgrade. If there was a delay in responding to questions, that could match what was being said. If there were network issues, the student may have tried to reboot the computer when it froze and Windows had to install new updates and gotten a new IP address -- but that depends on your setup and normally the student should have said something to the proctor, but if they were able to finish the exam in time or it was BYOD then they may not have.
Finally, dishonesty is not my thing. I am very bad at telling when people are lying to me and even when I know they're lying to me I still want to believe that they are honest and telling me the truth. Other people spend a lot of time trying to detect academic dishonesty and perhaps they can provide better resources and advice than I can?