As shocking and disturbing as it may sound, buying sensitive personal data from students from across India is as easy as ordering a household appliance from an e-commerce portal. The Internet Freedom Foundation (IFF) has revealed how the privacy of lakhs of students hailing from different education streams across the country is on sale, with vital contact information available to interested parties for a nominal amount.
How was the student data breach detected?
In June 2021, Ukhrul Times and Nagaland Express broke the news of a seller named ‘Shastri Nagar Charkya Puri’ retailing databases of Class 10 and 12 students from Bihar, Haryana, and Nagaland on the e-commerce website Amazon. These databases – embellished with an elaborately designed cover image – contained not just students’ names but the names of their parents, residential addresses, names of their education institutes, phone numbers, and email addresses. All this data, for a measly sum of Rs 299. These ‘commodities’ continued to be available until several individuals reported the items for breach of privacy, which is when they were finally pulled off the site.
Which websites in India are selling student data?
IFF also reveals two full-fledged websites – Students Database and Students Database India – that engaged in the same practice. According to the digital rights organization, data of as many as 13,14,756 students from the All India Class XII CBSE 2020-21 batch are available for purchase on the Students Database website. Additionally, the website offers personal data of as many as 9,04,963 students as part of 16 databases available at no cost for anyone interested in obtaining them.
Students Database – which has an office in Bengaluru – claims its database is obtained from a ‘reliable source’ and ‘verified before listing.’ It even provides a discount on bulk purchases of data and even provides a GST invoice. It also provides region and stream-specific students’ data, with a ‘free sample’ available for potential buyers to examine.
We obtained two databases – in Microsoft Excel sheet form – containing sensitive personal data of students from two states, which was almost as easy as downloading an app installation file.
The websites say the purpose of selling this data is to enable parties to present ‘new technology, job opportunity, and career counseling and facilitate ‘marketing or branding exercises of educational institutions.’
What are the potential issues caused by this student data breach?
The ease of availability of such sensitive information online can spell trouble for young children.
IFF says this data breach violates the students’ fundamental Right to Privacy; minors do not have the legal capacity to consent.
While such breaches will, of course, mean students receiving unsolicited calls from ed-tech institutions and the like, this also leaves them vulnerable to being victims of fraudulent activities, identity theft, extortion, and having their contact details being shared on pornographic websites, to be subjected to harassment. This also leaves young girls vulnerable to the threat of sexual predators who may use this data to stalk, threaten and exploit them – something that came to light in Hyderabad in 2015.
What has the IFF done to urge authorities to act on the student data breach?
On 16 July, the IFF wrote to 28 State Commissions for the Protection of Child Rights and four Union Territories Commissions for the Protection of Child Rights to raise the issue of the student data breach. It urged the commissions to begin an inquiry into the breaches and forward these cases to a Magistrate. IFF also suggested implementing remedial measures and guidelines to prevent students’ personal data leakage in the future.
On 11 July, IFF filed an RTI request with the Ministry of Education’s Department of School Education and Literacy relating to information about student data privacy. However, on 19 July, IFF says the department only replied to a query about the National Achievement Survey and disposed of the request. IFF says this is concerning because the department has either willfully chosen not to disclose information. Even if the non-disclosure of information was not deliberate, it points to the possibility of the department not possessing the specific information requested.
What is the need of the hour when it comes to protecting students’ personal data?
By law, it is illegal to sell the personal information of students in India. Section 43A of the Information Technology (Amendment) Act, 2008, holds establishments accountable for failing to implement “reasonable security practices and procedures” to protect students’ sensitive, personal data. As per Section 72A of the Act, the websites, school managements, and individuals involved in student data breaches can be imprisoned for up to three years or/and can be fined up to Rs 5 lakh.
However, IFF notes that since websites seem to be retailing student data obtained from what they assure openly are ‘reliable sources,’ the laws to prevent such breaches appear to be inadequate. In addition to adopting thorough and up-to-date data security measures, IFF says governments on both state and national levels “must set up mechanisms to ensure accountability and transparency of education departments and school managements.” It says there is an imminent “need to overhaul legal and policy frameworks” to secure minors’ Right to Privacy in an increasingly digital environment.