Securing Examination Data: No Child’s Play

Concerned about the threat to children's privacy and safety caused by such data breaches, in July 2021, IFF sent thirty-two representations to the State and Union Territory Commissions for the Protection of Child Rights in India.

26 July, 2021
8 min read

tl;dr

The e-commerce giant Amazon, a vendor on the platform named ‘Shastri Nagar Charkya Puri’, two websites, namely, “Students Database India” & “Students Database”, and shockingly a few government and school management officials have reportedly compromised the personal information of Class X and Class XII students across the country. Concerned about the threat to children's privacy and safety caused by such data breaches, in July 2021, IFF sent thirty-two representations to the State and Union Territory Commissions for the Protection of Child Rights in India and filed three Right to Information (RTI) requests with the Central Board of School Education (CBSE), National Commission for the Protection of Child Rights (NCPCR) and the Ministry of Education’s Department of School Education and Literacy.

Background

In June 2021, Ukhrul Times, Nagaland Express, and India Times broke the news of a pan-India personal data breach of Class X and Class XII students. Alarmingly, their names, father’s names, physical addresses, institution names, and even contact details including phone numbers and email addresses were revealed in these databases. The main individuals/entities involved in facilitating the sale of such information are:

A. Shastri Nagar Charkya Puri and Amazon

According to Ukhrul Times, a trader named ‘Shastri Nagar Charkya Puri’ collated the personal data of students to create the ‘Bihar Student Database’, ‘Haryana Student Database’, and ‘Nagaland Student Database’. What’s more concerning is that the e-commerce giant Amazon, which has over 100 million Indian users registered, facilitated ‘Shastri Nagar Charkya Puri’ in selling the databases priced at Rs. 299. The Nagaland Express has also reported that Shastri Nagar Charkya Puri claims that the data is “latest and verified”. In addition, the report suggests that Shastri Nagar Charkya Puri and Amazon have not made any effort to inform the students whose privacy has been compromised. Only after several parents raised concerns and reported the item to Amazon, was the link to purchase the student database taken down.

B. Database and Students Database India

In addition to ‘Shastri Nagar Charkya Puri’, two websites, namely, “Students Database” and “Students Database India” are also selling the personal data of Indian children. The “Student Database” website presents a “record count” of the number of students whose data has been collated to prepare the database. On calculating the All India Class XII CBSE 2020-21 batch’s record count presented by the website, IFF learned that 13,14,756 children’s personal information has been compromised. In addition to the All India databases, this website has also put up region-specific databases for sale, each of which provides “free samples” of the student data. Further, the website also provides sixteen student databases at no cost. This leaves a whopping 9,04,963 students’ personal data freely available.

The database gives purchasers access to extremely sensitive information such as the student’s name, mobile number, gender, email address,  and age. While Amazon had taken down the page to purchase the student databases sold by ‘Shastri Nagar Charkya Puri’, the two aforementioned websites are still operating.

C. Government Departments and School Managements

The institutions created to safeguard the data of students are now reported to have partaken in the non-consensual disclosure of personal information themselves. A report published by The New Indian Express on July 21, 2021, claims that the staff and officers in the Tamil Nadu Education Department headquarters and in education departments across the state have been selling the personal information of Class X and Class XII students to colleges. Allegedly, a district education department official charged 2 rupees for each student’s mobile number. Similarly, The Times of India has reported that the administrative staff of schools in Nagpur are now charging anywhere between 2 rupees to 5 rupees per student’s personal data disclosure.

Concerns on the Data Breach

October 25, 2015, FirstPost, in a report, highlighted how sexual predators, on procuring children’s sensitive information such as their names and contact details - which was freely available on a university’s website - began to contact and lure them under the guise of offering career advice. In the current situation, similar possibilities of the critical misuse of examination data to commit such heinous acts cannot be ruled out, as students' personal information has been compromised by the aforementioned websites, vendors and officials. Similarly, in an interview conducted by The New Indian Express, a technology expert highlighted that in instances of such data breaches, there is a possibility of students’ contact numbers being uploaded on pornographic websites.

From a legal perspective, this data breach violates the students’ fundamental right to privacy, as upheld by the Supreme Court in K.S. Puttaswamy v. Union of India (2019) 1 SCC 1. Significantly, the decision highlighted the need to secure children’s right to privacy, bearing in mind that minors lack the legal capacity to give consent. Additionally, the Government of India, in 2005, had accepted two Optional Protocols to the United Nations Convention on the Rights of the Child (UNCRC). As a result, India endeavours to protect children from all forms of exploitation and arbitrary or unlawful interference with their privacy. Hence, if necessary measures are not taken to protect the personal information of children, it would stand in violation of the Puttaswamy decision, and UNCRC’s Optional Protocols.

Section 43A  of the Information Technology (Amendment) Act, 2008, holds bodies accountable if they fail to implement “reasonable security practices and procedures” when handling sensitive personal data. According to Section 72A of the Act, the websites, school managements and individuals involved in the mass student data breach can be imprisoned for a term of up to three years or/and can be fined up to five lakh rupees. However, considering the “Students Database India” website claims that they have been providing “100% genuine” data of students from every state and Union Territory for the past six years, the legal ramifications in place seem inadequate.

It is imperative to highlight that the rampant commercialisation of students’ personal information can be attributed to the exponential growth of ed-tech and remote education amidst the COVID-19 pandemic. Bearing this in mind, the motives of the database purchasers go unchecked as hackers, stalkers, scammers and unwanted marketers are now just a few clicks away from accessing a vast number of students’ personal information. This can leave several students vulnerable to fraud and identity theft, as individuals do not frequently change their personal information, especially email addresses and phone numbers.

IFF’s Proactive Measures

Concerned about the potential threats the aforementioned databases pose to the children’s safety and their right to privacy, on July 16, we wrote to twenty-eight State Commissions for the Protection of Child Rights and four Union Territory Commissions for the Protection of Child Rights to raise our grievances. We urged the Commissions to initiate an enquiry on the infringing websites (“Students Database”, “Students Database India”), the vendor (Shastri Nagar Charkya Puri) and the e-commerce platform (Amazon) and to also forward the case to the Magistrate having the jurisdiction to hear the complaint. The Commissions were also advised to frame and implement remedial measures and guidelines to prevent the leakage of students’ personal data henceforth.

On July 11, 2021, we filed an RTI request with the Ministry of Education’s Department of School Education and Literacy. To our dismay, on July 19, 2021, the Department replied solely to a query on the National Achievement Survey and disposed of our request. The problematic aspects of this reply are twofold. First, this insinuates that the Department has willfully chosen to not disclose the information. Second, even if the non-disclosure of information was not deliberate, it remains concerning as it insinuates that the Department does not have the pertinent information that we sought.

Similarly, on July 8, 2021, we filed an RTI request with the CBSE. We sought information related to whether the CBSE categorised and stored the students’ personal data. We also enquired about whether the CBSE makes privacy impact assessment reports or issues any Standard Operating Procedure (SOP) vis-a-vis students’ personal information protection. Lastly, on July 11, 2021, we filed an RTI request with the NCPCR. We inquired if the NCPCR had received any complaints regarding any incidents of students’ personal data breaches. However, we are still awaiting a response from both of the authorities.

Conclusion

The elixir to the grave concerns on students’ data would be the creation of watertight legal provisions and policies to prohibit such data breaches. This opinion was shared by UNICEF in its report which highlighted the vulnerability of Indian children vis-a-vis data breaches. UNICEF also urged the government to enact stringent laws to tackle the menace of cybercrimes and secure children’s right to privacy. While the Personal Data Protection Bill, 2019 is a welcome step towards data governance, it still falls short on several accounts. Our piece titled “#PrivacyOfThePeople - Why Student Data should be Students’ Data” offers a deep dive into the issues with the proposed law. In sum, the Bill makes no mention of either non-personal data or sensitive personal data. Considering the ubiquity of Indian student databases in the market, the possibility of students’ non-personal or sensitive personal data disclosure seems inevitable. In addition, unlike the comprehensive General Data Protection Regulation and Family Educational Rights and Privacy Act, 1974, the Bill does not discuss data security practices at length.

From a policy perspective, it is essential for Commissions and government bodies to work proactively to combat such data breaches. This includes ensuring data brokers and commercial entities adopt sustainable data security practices. Taking a leaf from the World Privacy Forum report, government agencies also ought to mandate educational institutions to conduct a Privacy Impact Assessment. Additionally, it is imperative to thwart the corrupt practices of government officials. Hence, governments on both - the state and national levels - must set up mechanisms to ensure accountability and transparency of education departments and school managements. To conclude, in light of students’ privacy and personal data being at stake, there is an imperative need to overhaul both - the legal and policy frameworks - to realise child rights in the digital age.

Link to the Representations sent to the State Commissions for the Protection of Child Rights
1. Andhra Pradesh State Commission for the Protection of Child Rights Representation
2. Arunachal Pradesh State Commission for the Protection of Child Rights Representation
3. Assam State Commission for the Protection of Child Rights Representation
4. Bihar State Commission for the Protection of Child Rights Representation
5. Chhattisgarh State Commission for the Protection of Child Rights Representation
6. Goa State Commission for the Protection of Child Rights Representation
7. Gujarat State Commission for the Protection of Child Rights Representation
8. Haryana State Commission for the Protection of Child Rights Representation
9. Himachal Pradesh State Commission for the Protection of Child Rights Representation
10. Jharkhand State Commission for the Protection of Child Rights Representation
11. Karnataka State Commission for the Protection of Child Rights Representation
12. Kerala State Commission for the Protection of Child Rights Representation
13. Madhya Pradesh State Commission for the Protection of Child Rights Representation
14. Maharashtra State Commission for the Protection of Child Rights Representation
15. Manipur State Commission for the Protection of Child Rights Representation
16. Meghalaya State Commission for the Protection of Child Rights Representation
17. Mizoram State Commission for the Protection of Child Rights Representation
18. Nagaland State Commission for the Protection of Child Rights Representation
19. Odisha State Commission for the Protection of Child Rights Representation
20. Punjab State Commission for the Protection of Child Rights Representation
21. Rajasthan State Commission for the Protection of Child Rights Representation
22. Sikkim State Commission for the Protection of Child Rights Representation
23. Tamil Nadu State Commission for the Protection of Child Rights Representation
24. Telangana State Commission for the Protection of Child Rights Representation
25. Tripura State Commission for the Protection of Child Rights Representation
26. Uttar Pradesh State Commission for the Protection of Child Rights Representation
27. Uttarakhand State Commission for the Protection of Child Rights Representation
28. West Bengal State Commission for the Protection of Child Rights Representation
Link to the Representations for the Union Territory Commissions for the Protection of Child Rights
1. Andaman and Nicobar Islands Commission for the Protection of Child Rights Representation
2. Chandigarh Commission for the Protection of Child Rights Representation
3. Delhi Commission for the Protection of Child Rights Representation
4. Puducherry Commission for the Protection of Child Rights Representation

(This blogpost has been authored by IFF intern Deepika Nandagudi Srinivasa and reviewed by IFF staff.)

Important Documents

  1. #PrivacyOfThePeople - Why Student Data should be Students’ Data dated July 22, 2021 (link)






Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

2
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

3
IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!