This week, the Indian government announced a third-party security audit of Diksha, the educational app it owns and uses to provide online education to students in grades 1 to 12. The government also committed to better protect the data privacy of children and teachers using its app.
The news comes after Human Rights Watch reported in January that the app had, for over a year, exposed the personal data of millions of students and teachers. The unprotected records included children’s names, schools, the state, district, and block where they live, test scores, and partially redacted phone numbers and email addresses. Human Rights Watch also documented how the app had the capability to collect children’s precise location data, and that it transmitted their data to a third-party company using a tracker designed for advertising.
The New Delhi-based digital rights group Internet Freedom Foundation has called on the National Commission for Protection of Child Rights to initiate an inquiry into the government’s violations of children’s privacy.
The Indian government denied that Diksha collects precise location data but has acknowledged collecting state and district location data. It did not answer why the app was built with the capability to collect users’ precise location data, nor why the app transmits children’s data to a third-party company using an advertising tracker.
Amarendra Behera, the joint director of the government agency that owns and operates Diksha, said that in addition to commissioning a security audit of the app, his agency has requested EkStep, the organization he described as “managing the technical operations” of the app, to ensure protections for the secure storage of users’ data.
EkStep has denied that it operates Diksha, stating that while it has “support[ed]” the app for many years, the central government’s education ministry was responsible for implementing security and policies for how data is managed on the app.
It is ultimately the government’s responsibility to protect its students, and its decision to remedy some of its past violations of children’s privacy is a step in the right direction. Unfortunately, its proposed data protection law would not prevent such violations from happening again. The government should pass a data protection law that would fully protect children online, and hold accountable all who fail to do so.