NCERT starts DIKSHA security audit after data breach reports
The National Council of Educational Research and Training (NCERT) has initiated a third-party security audit of the Diksha (Digital Infrastructure for Knowledge Sharing) app, following reports of a breach of data belonging to the government-run platform.
Diksha is a national platform for school education developed by Bengaluru-based EkStep Foundation. It is an initiative of the NCERT under the aegis of the Ministry of Education. As per its website, Diksha has almost 167 million enrolments.
The audit is to further ensure that data remain secure on Diksha, said the Central Institute of Educational Technology (CIET), which is part of the NCERT to promote the use of technology in education.
CIET joint director Amarendra P Behera, who is in charge of the Diksha app, told ET that the NCERT had taken note of concerns regarding students and teachers’ personal data being stored in an unprotected cloud server, as claimed by a Human Rights Watch (HRW) report.
In its reply to the HRW, the NCERT confirmed that Diksha does not collect precise location data, time of current location, or last known location, he said.
“Diksha only gets approximate state and district information (based on device IP). The state and district of the user is stored in the system only after confirmation from the user and is used to show the user-curated content specific to the user’s school board or state. The IP address is also not stored,” Behera told ET in an email.
The HRW, in its report, said an app-specific analysis showed that Diksha collects and transmits children’s Android Advertising IDs (AAIDs) to Google through two software development kits (Google Firebase Analytics and Google Crashlytics) embedded in the application.
The fact that Diksha collects such data is not mentioned in its privacy policy, HRW said.
The NCERT has asked EkStep, the organisation managing the technical operations of Diksha, to further ensure that all the data are stored in a secured way, with access only to the approved users, Behera told ET.
“Besides, the NCERT has initiated a third-party security audit of Diksha to further ensure that data remains secure on DIKSHA,” Behera said.
In response to ET’s questions, EkStep said Ekstep Foundation is not operating Diksha and that it cannot make any comments on the report of data breach.
Launched in 2017, Diksha has been adopted by almost all the states, union territories, and central autonomous bodies/boards including CBSE. Diksha can be accessed by learners and teachers across the country and currently supports 36 Indian languages.
Each state/UT leverages the platform in its own way, to design and run programmes for teachers, learners, and administrators.
The 2022 report of the HRW came to the fore, after reports emerged in late January said a cloud server storing Diksha’s data was left unprotected for over a year, exposing that to hackers and scammers.
On February 15, the Internet Freedom Foundation wrote to the National Commission for Protection of Child Rights chairperson Priyank Kanoongo, expressing concerns that this breach violated the students’ fundamental right to privacy.