T5E conducted a survey, the purpose of which was to assess the concerns of students, if any, about their privacy and to know about issues they feel unsettling or worth rectifying. We received more than 600 overwhelming responses regarding the same and many comments and suggestions about data privacy in insti. Prima facie, it looks as if most of them are worried or in the dark about the security of their online information and browsing history. In this article, Aroon Narayanan and Sanket Warad try to shed some light on this issue.
“Is insti reading our emails? Are they screening for certain words and phrases in our messages? We are increasingly becoming more and more of a police state. I feel scared of the administration. Sigh.”
“I had once accessed the hostel name, email id and room number of a girl student with a simple Google search from a data sheet uploaded by CCW… I think it’s very alarming.”
“There is an excel sheet among students through which the personal information of all BTech and DD Freshers like JEE adv roll number, house address, phone number, email ID, and category is available…”
― A few of the many responses on T5E’s Data Privacy Survey
Every age has its cause célèbre, from colonialism in the 19th century to human rights in the 20th century. Our generation, fortunately or unfortunately, has been straddled with the most ubiquitous of them all – privacy. The Internet age has ushered in a paradoxical maxim – accede to surveillance to ensure continued safety and privacy. Our Institute, being a reserve of a mind-boggling reserve of information, is also a potential site of controversy and to the administration’s credit, it has recognized this as much, even if belatedly.
All of us have wondered at one point or another whether our browsing history on the Institute’s network is logged in the Institute servers, and surely some of us have pondered on the possibility that someone might be keeping tabs on our download history. And speaking of keeping tabs, did you know that practically anyone in the entire world can access your Institute photo online? (For all you skeptics out there, we’ve done our homework – we had an Insti alum in the US access our institute photos! Read on to find out where they’re stored and how they can be accessed.)
The issue at hand
The gravity of this situation has thus far been understated, but T5E decided to explore this issue in depth, in order to uncover its true potential. We initially collated a list of websites that could potentially be hosting personal data, and as we dug deeper, we realized that the range of Insti students’ personal data freely available on the internet is staggering. According to the present system, any person inside insti or otherwise can gain access to the name and roll number of a student enrolled in a program at IIT Madras, using the academic.iitm.ac.in website. Using the roll number thus obtained, anybody can access the student’s photo on the photos.iitm.ac.in website. Such exposure can inadvertently give rise to cyberstalking, identity thefts, and misuse for malicious intent. Along similar lines, there happens to be information about a student’s hostel name, room number, and even the category to which he/she belongs available on the academic portal of IITM. Many students we interviewed as a part of this article, and a majority of the respondents on our Data Privacy survey, find this gravely concerning, if not borderline unscrupulous.
Policies regarding the same
We wondered whether there was a clear policy that the Institute followed, with concrete reasoning, for what data is made public and why, but we were unable to find any mention of such a policy anywhere. The Institute could probably take a leaf out of IIT Bombay’s book since they have a concrete Privacy Policy in place about internet usage and security of individual accounts. Having such a policy would show that the authorities care about the privacy and security of the students and faculties, and would also allow them to take stringent actions were there any instances of internet misuse by the students. Here’s a sample list of what websites contain publicly accessible information about students:
- http://placement.iitm.ac.in/students/new_registration.php – The placement website.
- https://www.iitm.ac.in/students/dept – Department wise split of students.
- https://photos.iitm.ac.in/ – Photo archive of the faculty, staff and students of IIT Madras.
- https://www.iitm.ac.in/students/byprog/b – List of enrolled students by program.
- https://ccw.iitm.ac.in/ – The hostel management website.
Opinions
After this preliminary exploration, we reached out to all concerned parties. First, we spoke to the Computer Centre and they assured us that our browsing history and download data “are no cause for concern”. However, they also mentioned that the CC does log in our browsing data but their argument against concern was that the logs run into millions of lines and Institute has neither the resources nor the interest in looking into our browsing history, barring a few incidents that require due attention.
So, does that mean your browsing history is safe? No, here’s the catch: The ‘Acceptable Use Policy’ on the netaccess page states that “For security and network maintenance purposes, authorized individuals within IIT Madras Computer Centre may monitor equipment, systems and network traffic at any time.” This implies that although the activities and download data are not actively monitored, you might want to think twice before sending that junk mail or opening that banned website or even downloading tagged/ sensitive/ unauthorized/ pirated data.
Then, we tried to understand the Institute administration’s attitude towards data privacy by speaking to the faculty responsible for institute networks, Prof. Nitin Chandrachoodan. His responses were along similar lines as the Computer Centre – information such as the IP address of the user and the MAC address is stored in accordance with the IT Act, according to which it is mandatory to keep this information for a year. This means that CC can technically figure out which site is being visited. Prof Nitin outlines two scenarios in which they might need to figure out the origin of the browsing requests – to track complaints about distribution of copyright material by someone in Insti and to repair glitches in institute’s internet connection by analyzing the logs. A recent example of the latter is the following – when the new firewall was not opening the authentication page for some people, the logs helped identify that the respective computers had viruses. Interestingly, these logs may be made accessible to outside actors on request, and these requests are dealt on a case-by-case basis by the Registrar or the Dean (Administration). Prof Nitin mentioned that the information may even be handed over to the police if it is deemed pertinent to their investigation, in which case your personal data could become a matter of public record. However, under Section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has been made punishable with imprisonment for a term extending to three years and fine extending to INR 5,00,000.
This contradicts the Institute’s current way of functioning, which does not take into account whether the consent of the person concerned would be taken into consideration.
Next, we met the Dean of Students, Prof Sivakumar. He assured us that the Institute respects the students’ privacy and that the administration’s intention is never to harm the students in any manner. When we brought up the fact that IIT Bombay has a comprehensive Privacy Policy, he informed us that the Institute is in the process of drafting its own Privacy Policy, and that we should wait for the Institute to release it before wrapping up this article. However, in the months following this meeting, we’ve not had information on what progress has happened with respect to this policy.
Infographics
A few instances
One important area when we speak of privacy is biometric data taken in the form of fingerprints. The institute has stored the biometric data of students for multiple requirements – courses, mess registration, and for authorizing entry to (freshie) hostels – and the safety of this rather sensitive data is of paramount importance. We were unable to trace the person in charge of the storing of this data for academic purposes, but we spoke with Mr.Sethuramalingam, the Admin Officer of the Office of Hostel Management, who shed light on a notorious incident where the biometric data of some students was fiddled by some hostel secretary and multiple entries were recorded against a single person. This not only gave the students access to more than one messes, but also endangered the security of the biometric data of these students. He assures us that the data is better secured now and that he alone has access to it.
There have been other instances of privacy breach in the Institute. There was an unfortunate incident this year, which had been happening for the past few years as well, when a loophole in the internship portal made the resumes of every student registered on it, available to others. This enabled some students to download the resumes of their peers. The Academic Affairs Secretary assures us that this issue has been fixed.
This goes hand in hand with countless other examples of privacy breaches such as the distribution of grade cards of the entire batch of a department via a single person.
Conclusion
The purpose of this article is to start a discussion within the campus on data privacy, which is a topic that has been egregiously ignored by both the students and the administration. Even though it provides a medium for these privacy breaches to become known more widely than before, we believe that bringing these out in the public domain is important to induce action and prevent blunders in the future.
“The Internet, my fickle friend, my two-faced enemy, what would life be like without you? Where else can I be anonymously anyone and yet, have no anonymity at all?”
― Susan Schussler, Between the Raindrops