WIRED reported this week that the Indian government had, for over a year, exposed the personal data of nearly 600,000 students and more than a million teachers on the open web for anyone to find.
Human Rights Watch spoke to Nathaniel Fried, co-founder of Anduin, the intelligence software company that had identified the exposure, and learned that the students and teachers were from every state in India.
These students and teachers were users of Diksha, an app owned and used by the central government’s education ministry to provide online education to students in grades 1 to 12.
Our analysis found that the unprotected records included children’s names, schools, the state, district, and block where they live, test scores, and partially redacted phone numbers and email addresses.
Knowing a child’s name and school can jeopardize their safety. In May 2022, Human Rights Watch reported that Diksha had the capacity to collect children’s precise location data, which it failed to disclose in its privacy policy.
According to Fried and verified by Human Rights Watch, the data spanned March 2020 to December 2022 when many children were compelled to use Diksha as their only means of education during Covid-19 school closures. Some state education ministries set quotas to pressure teachers to get students to download the app.
The government thus made it impossible for children to protect themselves from misuse or exploitation of their data without abandoning their education. Moreover, the government violated students’ privacy at a time when many families made hard sacrifices to afford devices and Internet access so children could learn.
Human Rights Watch wrote to India’s education ministry in March, May, and July 2022 to raise concerns, but received no response. In a November 2022 letter to India’s education minister, member of parliament Karti Chidambaram questioned the government’s lack of oversight, given the absence of data protection laws, and said that the government’s “sheer disregard for children’s privacy and safety is appalling.”
The education ministry denied that Diksha collects precise location data, but acknowledged collecting state and district location data. It also denied that the app used users’ data for advertising or other commercial purposes, but Human Rights Watch found Diksha transmitting children’s data to a third-party company using advertising trackers.
The Indian government’s proposed data protection law fails to protect children. The government should pass a data protection law that would fully protect children online, and hold accountable all who fail to do so.