An incident took place on 2 July 2020 in Delhi University (‘DU’) during the online distribution of admit cards . Students were provided an online portal on which they were to enter their exam roll number, name and a ‘Gateway Password’.
Since the admit cards were student-specific, it was only reasonable to expect that the gateway password would be unique to every student.
That, however, was not the case.
With the links to access this portal, a common ‘college code’ for each college was shared with all students openly via Whatsapp forwards.
In the Faculty of Law, DU with a batch size of about 2,000 students, every semester result is shared publicly via a PDF file which contains the exam roll no, name of student, and marks obtained. For anyone wishing to access any student’s data, they only required these two details and the college code.
A human stalker as well as a computer program could very well extract the exam roll no. and name from the widely circulated result sheets, and obtain the admit cards of each and every student.
The data included phone number, address, date of birth, email ID, gender etc. This was an open data goldmine: private information was laid bare for anyone to access.
After a storm was raised over this issue on Twitter, media portals caught attention of the matter and reached out to the authors of this article. The media reportedly received responses from the authorities, pursuant to which services on the platform were suspended after 6 PM on 2 July 2020.
Finally, an individualised password was enabled in the form of an ‘Admit Card Key’ by late morning on 5 July 2020.
As per available information, it is estimated that the portal was open to misuse– from the time of opening of the portal to its temporary suspension – for over 16 hours. It is crucial to note that this breach was not limited to the Faculty of Law, since 60 colleges were provided with a common ‘unique password’.
Worse still, a fresh report now indicates that this access to personal information was not restricted to final year students, and was in fact available from as early as 22 June.
As of writing this piece, the new URL format is reportedly still exposed and accessible, despite the additional security feature.
Legal framework
Penal
The Information Technology Act, 2000 (‘IT Act’) under Section 43A provides for ‘compensation for failure to protect data’ for a breach by a ‘body corporate’.
Reading the definition of ‘body corporate’ in the explanation to Section 43A with Section 3(1) of the Delhi University Act, 1922, it is submitted that DU comes within the ambit of Section 43A of the IT Act.
There are two requirements for the application of Section 43A of the IT Act: (1) That the body corporate be negligent in implementing and maintaining reasonable security practices and procedures handling sensitive personal data and, (2) This negligence thereby causes wrongful loss or wrongful gain to any person.
Pursuant to powers under Section 87(2)(ob) read with Section 43A of IT Act, the Central Government notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (‘2011 Rules’).
Rule 2(1)(i) defines ‘personal information’ as that relating to a natural person and capable of identifying them, but Rule 3 enumerates a list of ‘sensitive personal data or information’ which inter alia includes passwords, financial information, sexual orientation, medical history and biometric information.
The present case of breach concerns ‘personal information’ that is not ‘sensitive’, and hence no remedy lies under Section 43A of the IT Act.
However, Section 72A provides for punishment for disclosure of information in breach of lawful contract by any person, which would include a body corporate. There are 3 requirements:
1) Services are provided under a lawful contract and the access has been secured to the personal information
2) Intent or knowledge that wrongful gain/loss is likely
3) There is disclosure without consent
Firstly, it is submitted that a lawful contract is implied between the student and the university.1 The student entrusts the university with their data in good faith, and there is duty to protect the data with due care that forms a part of the education service provided for which the fees acts as a lawful consideration.
DU always provides a password protection to its portal or an OTP feature to access the information that has been compromised in the present case.
In an RTI reply from 2016, DU has also admitted its policy to ‘maintain the privacy of every student as it holds the data pertaining to a student in a fiduciary relationship with the student concerned’.
Secondly, there was knowledge that this data could be accessed freely as this information is always protected with a login requirement as per standard practice.
Further, Prof. Vinay Gupta, Dean of Examinations, DU is reported to have said that it was the ‘moral responsibility’ of students to not disclose the information: this attempt to shift the burden of protection begets a knowledge of the possibility of misuse.
With reference to2 the definition of ‘wrongful loss’ from IPC, 1860, students were unlawfully deprived of control over their personal information, and the same is exposed to the possibility of gross misuse.
Thirdly, consent of students was not obtained prior to deviating from the standard practice of hosting this data on a portal without password or OTP protection.
The fact that unprotected access was blocked only when this issue gained media attention, and protection was later added, also confirms the initial lapse.
It is thus submitted that a case under Section 72A is made out, attracting upto 3 years of punishment or a fine of Rs. 5 lakh or both.
Furthermore, Rule 4 of the Rules clearly mandates that the privacy policy must be published on the website of the body corporate. Unlike other colleges, DU does not provide this and instead only provides a disclaimer which in fact indicates that they must make every effort to secure network communications.
The disclaimer, of course, does not absolve them of a data breach as a result of their own negligence. There are, however, no penal consequences provided for violating Rule 4 in this context.
Compensatory
The above scheme provides only a penal consequence for the breach.
However, since the Supreme Court of India in KS Puttaswamy v. UOI declared the right to privacy as a fundamental right, the action of DU in the present case also gives rise to a claim for compensation through an action of constitutional tort.
It is well settled that DU comes within the definition of ‘State’ under Article 12 of the Constitution of India, 1950 (‘Constitution’).
The Supreme Court in Sanjay Gupta v. State of Uttar Pradesh cited with approval the observation in Nilabati Behera v. State of Orissa that a relief for monetary compensation under Article 32 or 226 of the Constitution is a ‘remedy available in public law and is based on the strict liability for contravention of the guaranteed basic and indefeasible rights of the citizen’, to penalise the wrongdoer and fix liability ‘for the public wrong on the State which has failed in its public duty to protect the fundamental rights of the citizen’.
This right is independent of any compensatory tortious liability under private law. The action of DU violates the right to privacy of its students, and since it was unsupported by law, the proportionality analysis by the 4 tests of Puttaswamy (supra) is not attracted.
The main difficulty in a writ is to quantify the compensation, since the extent of breach is unknown. However, a claim for damages for loss of control of data arises even in the absence of financial loss or distress, as was held by the Court of Appeal in the United Kingdom in Lloyd v. Google.
Personal Data Protection Bill 2019
The Personal Data Protection Bill (‘PDP Bill’) seeks to provide for greater penalties for data privacy breaches. While Clause 98 seeks to omit Section 43A and 87(2)(ob) of the IT Act, Section 72A is unaltered.
Clause 24 of the Bill proposes a widening of reasonable security practices and procedures by a ‘data fiduciary’ and ‘data processor’. Clause 57(2)(c) of the Bill suggests massive penalties for non-adherence to such security safeguards, and Clause 63(4)(c) states that while determining whether a penalty should be imposed and computing the same, the fact of the violation being negligent or intentional in character shall be considered.
This throws light on the importance being accorded to data safety in the time to come.
Conclusion
The woeful disregard to privacy concerns by public authorities threatens to have very real world consequences. In a country where women safety is in a deplorable state, such compromise of their protected personal information is alarming. It is beyond comprehension how DU could be under the impression that students’ data was not at risk. Prof. Vinay Gupta, Dean of Examinations, DU has dismissed this issue as a ‘fuss over nothing’ being created by some students.
It is reported that a police complaint has been filed on 6 July 2020 in this context, and alleges that the personal data of lakhs of students has been compromised and is prone to misuse. Further, a recent report states that this exposed ‘personal information’ can be used to access Aadhar and bank details on DU portals, which qualify as ‘sensitive personal information’. The indirect consequences of the breach are clearly of a much larger magnitude than the law presently penalises. Thus, the action for constitutional tort assumes a much larger significance.
As our batchmate Vivek Prasad, the Twitter user @mallufideintent who was the first to call attention to this issue stated later, our authorities probably think that privacy is something that happens off the coast of Somalia!
[1]Buchter, Jonathan Flagg (1973) "Contract Law and the Student-University Relationship," Indiana Law Journal: Vol. 48 : Iss. 2 , Article 5.
[2]Government of India, “Fiftieth Report: Information Technology (Amendment) Bill, 2006” (Ministry of Communications and Information Technology, 2007). The report on page 22 states that the terms ‘wrongful gain’ and ‘wrongful loss’ are in tune with Section 23 of the IPC, 1860.
The authors are final-year students at the Faculty of Law, University of Delhi.