Sai Sravan Prabhala, a cyber-security researcher, informed us of a critical vulnerability that exposed the sensitive personal information of minors on the website of the Directorate of Government Examinations, Government of Andhra Pradesh, in the section for the 2021 examinations. While the vulnerable functionality has since been removed, we have, with Sai's assistance, written to the Directorate and to CERT-In so that it does not recur.
On 22nd December 2021, cyber-security researcher Sai Sravan Prabhala reached out to us to bring to our notice a vulnerability in the Andhra Pradesh Directorate of Government Examinations website which put the sensitive personal information of minors at risk of misuse. The Directorate of Government Examinations is an independent department functioning under the ministry of secondary education, Government of Andhra Pradesh. The department is responsible for conducting the SSC/OSSC Public Examinations, along with other minor examinations.
With the assistance of Mr. Prabhala, we discovered that the website of the Directorate of Government Examinations, Government of Andhra Pradesh, which can be accessed at https://www.bse.ap.gov.in/, suffered from a vulnerability that enabled any person to access and also edit the sensitive personal data of minors, including their caste, location, religious affiliation, and disability status. Their phone number and identification marks as per school records could also be accessed and edited on the said website.
The vulnerability could be reproduced by clicking on the link “SSC Public Examinations - 2021 - Edit Online Application”. This led to a login page, which could be passed by entering the school number in both the “User ID” and “Password” fields. The school number was not a secret: it could be obtained by clicking on the “SSC Public Examinations 2020 and 2021 Results” link and then going to the “Individual Student Wise Results of SSC Public Examinations 2021” page, where a drop-down menu in the “school” field revealed a list of schools along with their school numbers. In effect, the “password” was a public identifier published on the same website, so the login page provided no authentication at all, and the published list allowed anyone to walk through every school's account in turn. A more detailed list of steps, along with screenshots explaining how the vulnerability is discovered, can be found in our representation dated 02.02.2022.
Following the above-mentioned steps led to a page that revealed the sensitive personal information of the students, which anyone could also edit.
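The root cause described above is a credential that is identical to, and therefore as public as, the account identifier. The following is an added example, written for this post and not code from the Directorate's website, of the two server-side controls whose absence the steps above describe: refusing, at account provisioning, any password that equals or is trivially derived from the identifier, and issuing a random per-account credential instead, with login verified against a salted hash in constant time. The school numbers, the extra "derived" transforms (reversed, zero-stripped, embedded) and the PBKDF2 work factor are assumptions for illustration; nothing here reflects how the real site stored or checked credentials.

```python
"""Added example: credential provisioning that refuses identifier-derived passwords.

Not the Directorate's code. School numbers below are constructed samples.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the server's budget


def password_is_derived_from_identifier(identifier: str, password: str) -> bool:
    """Return True when `password` is the identifier or a trivial transform of it.

    The reported case is the simplest one: password == user ID == school number,
    with the school number published on the same site. The other transforms
    (reversed, leading zeros stripped, identifier embedded in a longer string)
    are assumed variants that a sane policy should also refuse.
    """
    ident = identifier.strip().lower()
    pw = password.strip().lower()
    if not pw:
        return True
    trivial = {ident, ident[::-1], ident.lstrip("0")}
    if pw in trivial:
        return True
    return len(ident) >= 4 and ident in pw


def issue_initial_password(identifier: str, length: int = 16) -> str:
    """Generate a per-account initial credential from a CSPRNG, never from the identifier."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_is_derived_from_identifier(identifier, candidate):
            return candidate


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def provision_account(store: Dict[str, Tuple[bytes, bytes]], identifier: str, password: str) -> None:
    """Reject identifier-derived credentials at enrolment; store only a salted hash."""
    if password_is_derived_from_identifier(identifier, password):
        raise ValueError("password must not be derived from the account identifier")
    store[identifier] = hash_password(password)


def login(store: Dict[str, Tuple[bytes, bytes]], identifier: str, password: str) -> bool:
    """Constant-time verification; unknown IDs and wrong passwords behave alike."""
    salt, expected = store.get(identifier, (b"\x00" * 16, b"\x00" * 32))
    _, actual = hash_password(password, salt)
    return identifier in store and hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    accounts: Dict[str, Tuple[bytes, bytes]] = {}
    # Constructed sample: school numbers of the kind a public results page would list.
    for school_number in ("12345", "0067890"):
        try:
            provision_account(accounts, school_number, school_number)  # the reported pattern
        except ValueError as exc:
            print(f"{school_number}: rejected ({exc})")
        issued = issue_initial_password(school_number)
        provision_account(accounts, school_number, issued)
        print(f"{school_number}: login with school number -> {login(accounts, school_number, school_number)}")
        print(f"{school_number}: login with issued password -> {login(accounts, school_number, issued)}")
```

The check at provisioning is what matters here: once a credential equal to a public identifier has been issued to every account, no amount of hashing or rate limiting recovers the situation, because the attacker does not need to guess anything.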
We were first apprised of the vulnerability on 22nd December 2021; on 23rd January 2022, we noticed that the vulnerable functionality had been removed from the website. Until it was removed, the vulnerability was live and enabled anyone to access and edit the sensitive personal information of minors.
Legal Consequences of the Vulnerability
This vulnerability violates the students’ fundamental right to privacy, as upheld by the Supreme Court in K.S. Puttaswamy v. Union of India (2019) 1 SCC 1. Significantly, the decision highlighted the need to secure children’s right to privacy, bearing in mind that minors lack the legal capacity to give consent. Additionally, the Government of India has ratified the United Nations Convention on the Rights of the Child (UNCRC). As a result, India endeavours to protect children from all forms of exploitation and arbitrary or unlawful interference with their privacy. Hence, if necessary measures are not taken to protect the personal information of children, it would stand in violation of the Puttaswamy decision, and the UNCRC.
The information exposed by the above-mentioned vulnerability – such as “caste or tribe” and “religious affiliation” – has been categorised as “sensitive personal data” under the proposed Personal Data Protection bill, 2019 (“2019 bill”) as well as the Draft Data Protection bill, 2021 (“2021 bill”), for which the Data Protection Authority is empowered to specify additional regulations, safeguards or restrictions. Clause 24 of the bill requires data fiduciaries to implement necessary security safeguards, including “steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. Neglecting to do so can result in a penalty not exceeding five crore rupees or two percent of the fiduciary's worldwide turnover of the preceding financial year, whichever is higher. Further, the vulnerability causes significant “harm” - as defined under Clause 3(23) of the Draft Data Protection bill, 2021 - to those affected, as anyone can edit their personal details, which can lead to “loss, distortion or theft of identity”, “humiliation”, and “observation or surveillance that is not reasonably expected”.
Currently, in the absence of an overarching data protection legislation, Section 72A of the Information Technology Act, 2000 applies: the websites, school managements, and individuals involved in a mass student data breach can be punished with imprisonment for a term of up to three years, a fine of up to five lakh rupees, or both.
Children’s Right to Privacy hangs in the balance
This is not the first time children’s privacy has been put at risk. Previously, Ukhrul Times, Nagaland Express, and India Times broke the news of a pan-India personal data breach of Class X and Class XII students in which their names, father’s names, physical addresses, institution names, and even contact details including phone numbers and email addresses were found in various databases which were being sold on the internet, including on Amazon. Pursuant to this, we wrote to twenty-eight State Commissions for the Protection of Child Rights and four Union Territory Commissions for the Protection of Child Rights to raise our grievances. We urged the Commissions to initiate an inquiry on the infringing websites and the e-commerce platform (Amazon) and to also forward the case to the Magistrate having the jurisdiction to hear the complaint. The Commissions were also advised to frame and implement remedial measures and guidelines to prevent the leakage of students’ personal data henceforth.
The commercialisation of students’ personal information can be attributed to the exponential growth of ed-tech and remote education amidst the COVID-19 pandemic. Presently, the IT Act and the Rules framed thereunder do not provide for any special regulation for the collection and processing of children’s data. Better practices exist that ought to be implemented. Globally, the EU’s GDPR requires that, where an online service relies on consent to process a child’s personal data, the consent of a parent or guardian be obtained for children below 16 years of age (member states may lower this threshold to 13). In the US, the Children's Online Privacy Protection Act of 1998 regulates the collection of personal information from children under 13 years of age, including children outside the US.
The 2019 and 2021 Data Protection Bills, in Chapter IV, lay down provisions to protect the personal data of children. The proposed Data Protection Authority is empowered to create regulations to specify the manner in which the age of children is verified and the consent of parents or guardians is obtained before processing the personal data of children. It is also empowered to classify fiduciaries that operate websites directed at children or process large volumes of personal data of children as guardian data fiduciaries, which shall be barred from profiling, tracking, monitoring, targeted advertising, or undertaking any processing of personal data that causes significant harm to the child.
In our representation, we urged the Directorate of Government Examinations to ensure that the vulnerability does not arise in the future and to implement a policy for public reporting of data breaches and vulnerabilities. We further suggested that such a policy can be modelled on the Indian Computer Emergency Response Team’s (CERT-In) ‘Responsible Vulnerability Disclosure and Coordination Policy’, which is far from perfect but is a step in the right direction. A bug bounty programme may also be implemented to recognise and incentivise researchers who report vulnerabilities.
Children’s privacy, however, will continue to hang in the balance unless a consent-based privacy framework as noted above is implemented.
We acknowledge and thank Mr. Sai Sravan Prabhala for his assistance. He can be reached at: [email protected].
- IFF’s representation to the Directorate of Government Examinations, Andhra Pradesh dated 2nd February 2022 (link).
- Securing Examination Data: No Child’s Play dated 26th July 2021 (link).
- #PrivacyOfThePeople - Why Student Data should be Students’ Data dated 22nd July 2021 (link).
Note: This blogpost was drafted by IFF intern Simrandeep Singh and reviewed by Tejasi Panjiar, Capstone Fellow hosted at IFF.