Serious allegations emerge against Diksha app for breach of personal data of millions of teachers and school students

In a letter addressed to the National Commission for Protection of Child Rights, the Internet Freedom Foundation raises concerns surrounding data collection by the Diksha app.

 —

ON February 15, the Internet Freedom Foundation (IFF), a non-profit organisation that endeavours to ensure protection of fundamental rights with technological advances, addressed a letter to the Chairperson of the National Commission for Protection of Child Rights (NCPCR), Priyank Kanoongo, on the breach of personal data by the Digital Infrastructure for Knowledge App (DIKSHA).

Diksha is an educational technology application owned and operated by the Union Education Ministry. Launched in 2017, the application became the primary platform for delivering online education to students between 2020 and 2022. Presently, the application has 166,211,232 enrolments, the letter noted.

The letter points to a report published by Wired on January 23, 2023, which states that due to the application, personally identifiable information of millions of teachers and students continues to be in the public domain. The complete names, contact information and email addresses of one million instructors and six lakh students are stored in files on the app’s unprotected cloud server, the letter explained.

The letter also points out a report by Human Rights Watch that named Diksha as one of the 21 applications that enable third-party companies to access children’s precise location data, thereby potentially enabling these companies to analyse, trade and monetise this information. Moreover, the letter highlights Diksha’s collection and transmission of children’s Android Advertising IDs (AAIDs) to Google through two software development kits (Google Firebase Analytics and Google Crashlytics) embedded in the application. The fact that Diksha collects such data is not mentioned in its privacy policy.

According to the letter, the state government of Uttar Pradesh pressurised teachers to get students to download the application in order for the students to continue their education. Remarking on the draft Digital Personal Data Protection Bill, 2022, the letter said that it fails to protect children against inappropriate use of data by vendors and insecure data transfer/storage, rendering it incapable of protecting the sensitive personal data of children.

According to the IFF, the breach violates the students’ fundamental right to privacy, as upheld by the Supreme Court in the K.S. Puttaswamy versus Union of India (2017). The judgment, the IFF noted, stressed the need to secure children’s right to privacy since minors lack the legal capacity to give consent.

The IFF’s letter explained that since India had accepted two Optional Protocols to the United Nations Convention on the Rights of the Child (UNCRC), it is obligated, particularly under Article 16 of UNCRC, to protect children from all forms of exploitation. It flagged the concern of the collected information leaving several students and teachers vulnerable to fraud and identity theft, and depriving children and their parents of the opportunity to make informed decisions about such data sharing.

The letter also emphasised the consequences of compromising children’s right to privacy in crimes committed against children, including instances of sexual predators contacting and luring students, as well as the risk of students’ contact numbers being uploaded on pornographic websites.

The IFF, through the letter, further made recommendations to the Commission and urged it to take three broad measures in addressing the personal data breach by exercising its powers under Sections 13(1) and 14(2) of The Commissions for Protection of Child Rights Act, 2005. The letter firstly recommended the NCPCR initiate an inquiry about the alleged nature of personal information data collected by the application.

Secondly, it advised the Commission to frame remedial measures to safeguard children’s sensitive data through the aid of key insights from the General Data Protection Regulation in the European Union and the Family Educational Rights and Privacy Act, 1974 in the United States. Both are data privacy regulation enactments.

Thirdly, it laid emphasis on the effective implementation of remedial measures by drafting comprehensive guidelines to sensitise schools, educational institutions and other stakeholders to protect students’ sensitive data.

The IFF concluded by urging the Commission to consider its representation with its concerns and recommendations, considering students’ privacy and personal data at stake.