Explained: How the student data breach leaves minors vulnerable to several threats

As shocking and disturbing as it may sound, buying sensitive personal data of students from across India is as easy as ordering a household appliance from an e-commerce portal. The Internet Freedom Foundation (IFF) has revealed how the privacy of lakhs of students hailing from different education streams across the country is on sale, with vital contact information available to interested parties for a nominal amount.

How was the student data breach detected?

In June 2021, Ukhrul Times and Nagaland Express broke the news of a seller named ‘Shastri Nagar Charkya Puri’ retailing databases of Class 10 and 12 students from Bihar, Haryana and Nagaland on e-commerce website Amazon. These databases – embellished with an elaborately-designed cover image – contained not just students’ names, but the names of their parents, residential addresses, names of their education institutes, phone numbers and email addresses. All this data, for a measly sum of Rs 299. These ‘commodities’ continued to be available until several individuals reported the items for breach of privacy, which is when they were finally pulled off the site.

Neatly-packaged and labelled databases containing sensitive student data were on sale on Amazon until recently.

Which websites in India are selling student data?

IFF also reveals two full-fledged websitesStudents Database and Students Database India – that engaged in the same practice. According to the digital rights organisation, data of as many as 13,14,756 students from the All India Class XII CBSE 2020-21 batch are available for purchase on the Students Database website. Additionally, the website offers personal data of as many as 9,04,963 students as part of 16 databases available at no cost for anyone who may be interested in obtaining them.

The Students Database website even allows interested parties to download a 'free sample' containing sensitive personal information of students with a single click - no registration required.

Students Database – which has an office in Bengaluru – claims its database is obtained from a ‘reliable source’ and ‘verified before listing’. It even provides a discount on bulk purchases of data and will even provide a GST invoice for the purchase. It also provides region and stream-specific data of students, with a ‘free sample’ available for potential buyers to examine.

Tech2 was able to obtain two databases – in Microsoft Excel sheet form – containing sensitive personal data of students from two states, which was almost as easy as downloading an app installation file.

The websites say the purpose of selling this data is to enable parties to present ‘new technology, job opportunity and career counselling’ and facilitate ‘marketing or branding exercises of educational institutions.’

The Students Database India website claims to have been supplying sensitive student data to clients for the last six years.

What are the potential issues caused by this student data breach?

The ease of availability of such sensitive information online can spell trouble for young children.

IFF says this data breach violates the students’ fundamental Right to Privacy; minors do not have the legal capacity to give consent.

While such breaches will of course mean students receiving unsolicited calls from ed-tech institutions and the like, this also leaves them vulnerable to being victims of fraudulent activities, identity theft, extortion and having their contact details being shared on pornographic websites, to be subjected to harassment. This also leaves young girls vulnerable to the threat of sexual predators who may use this data to stalk, threaten and exploit them – something that came to light in Hyderabad in 2015, as reported by Firstpost.

What has the IFF done to urge authorities to act on the student data breach?

On 16 July, the IFF wrote to 28 State Commissions for the Protection of Child Rights and four Union Territory Commissions for the Protection of Child Rights to raise the issue of the student data breach. It urged the commissions to begin an enquiry into the breaches, and to forward these cases to a Magistrate. IFF also suggested implementation of remedial measures and guidelines to prevent leakage of students’ personal data going forward.

Sensitive personal data such as contact and residential details in the wrong hands, could spell a world of trouble for minors. Image: Tech2/Amaan Ahmed

On 11 July, IFF filed an RTI request with the Ministry of Education’s Department of School Education and Literacy relating to information about student data privacy. However, on 19 July, IFF says the department only replied to a query about the National Achievement Survey and disposed of the request. IFF says the reason this is concerning is that the department has either wilfully chosen to not disclose information, and even if the non-disclosure of information was not deliberate, it points to the possibility of the department not possessing the specific information requested.

What is the need of the hour when it comes to protecting students’ personal data?

By law, it is illegal to sell personal information of students in India. Section 43A of the Information Technology (Amendment) Act, 2008, holds establishments accountable for failing to implement “reasonable security practices and procedures” to protect sensitive, personal data of students. As per Section 72A of the Act, the websites, school managements and individuals involved in student data breaches can be imprisoned for up to three years or/and can be fined up to Rs 5 lakh.

However, IFF notes that since websites seem to openly be retailing student data obtained from what they assure are ‘reliable sources’, the laws in place to prevent such breaches appear to be inadequate. In addition to adopting thorough and up-to-date data security measures, IFF says governments on both state and national levels “must set up mechanisms to ensure accountability and transparency of education departments and school managements.” It says there is an imminent “need to overhaul legal and policy frameworks” to secure minors’ Right to Privacy in an increasingly digital environment.

Post a Comment