Surveillance on Students Raise Privacy Concerns on Online Education Platforms
COVID-19 has accelerated the process of digital learning since schools are left with no option apart from delivering remote instructions via e-learning. The government is coming up with schemes to make digital classrooms accessible even in far-flung places. Owing to this immediate need, educational institutions are openly adopting easy to use technology without addressing the privacy concerns that they entail.
There are several government initiatives, e.g. SWAYAM (Study Webs of Active Learning for Young Aspiring Minds), Diksha, e-pathshala, National Repository of Open Educational Resources, NIOS, and IT initiatives like e-yantra, Free/Libre and Open Source Software for Education, virtual labs and spoken learning programmes. The usage of these platforms is not limited to only communication between teachers and students (recording of which is equally privacy-invasive), but also student assessment, test results, attendance, class participation, chat-box and other educational activities.
These platforms have extensive data collection and processing capabilities making it privacy-invasive and critically insecure. Thus, these platforms become fodder for government and private players to build a society of control and exploitation that view data as an extension of the body via datafication of bodies of children.
This resembles Michael Foucault’s ‘Panopticism’ where the school administrators are observing children (top-down institutional hierarchy) observe, manage and control and thereby generate a report on student analytics – including their levels of participation, time spent on tasks, quiz results, etc.
Surveillance through virtual classrooms violates physical and decisional privacy.
The collection of personal information into large databases and its subsequent use, often without consent, presents risks to data protection and privacy. This especially happens when private actors process data for profiling purposes, aiding them to target children by way of advertising.
There is also uncertainty on whether the school administrator stores the videos of a class or relies on external, cloud-based providers. Lack of consent, absence of security safeguards, and post-hoc supervision of data trails infringe privacy, self-expression and autonomy of a child.
Children’s Right to Privacy
A child’s right to privacy is recognised explicitly under Article 16 of the United Nations Convention on the Rights of the Child (UNCRC). India is a signatory to it that prevents any arbitrary or unlawful interference with his or her privacy in family, home or correspondence.
In India, the absence of regulation of education platforms has led to ambiguity, vagueness and information asymmetry between educational institutions and the service they have hired. It also contributes to a lack of awareness of the handling of personal data by platforms that present unwanted or unintentional threats to privacy and security, such as breaches and inappropriate processing.
Failure to establish and enforce universal standards can result in inconsistent enforcement of individual rights and responsibilities.
The Indian judiciary has not worded any judgement specifically on the privacy of the children, but the right to privacy has been examined in detail. Surveillance through virtual classrooms violates physical and decisional privacy.
Physical privacy as encapsulated in Gobind v. State of M.P. includes the right to seclusion and solitude, free speech and involves respect for a person’s physical integrity, home, correspondence, and one’s surrounding environment. Whereas, decisional privacy, examined in Anuj Garg v. Hotel Association of India, pertains to individual autonomy which includes both the negative right of not to be subject to interference by others and the positive right of individuals to make decisions about their life, to express themselves and to choose which activities to take part in.
The three pillars of any data protection privacy-respecting regime are consent, transparency and accountability, and security safeguards.
Data Protection in e-learning
India should have an amended version of the Personal Data Protection Bill, 2019 in place which establishes policies, procedures and operational standards for engaging online learning platforms. Till the passage of the bill, the government should follow International Conference of Data Protection & Privacy Commissioners Resolution on E-Learning Platforms.
The legal framework should define types of data to be stored, disclosed, location of storage and retrieval, maintenance conditions and data principal’s privileges. It will also set down financial, physical and technological protections and specifications for notification of infringements.
The three pillars of any data protection privacy-respecting regime are consent, transparency and accountability, and security safeguards.
It is essential to receive the consent of the child or the guardian. Educational authorities, e-learning service providers and manufacturers should ensure consent is provided directly by the child or guardian in a way that is informed, clear, and specific.
Educational authorities should be prepared to accommodate opt-out choices, especially in cases of video (laptop camera) and audio monitoring (microphone). In case it is of utmost necessity to share educational records with a third-party, the administration should ensure parental consent in the case of minors.
Transparency in the use of and collection of data works towards maintaining accountability. Algorithms, protocols, designs and implementations should be made open-source for external review and testing. Extensive audits by trusted entities can help to assure that the e-learning platform will not generate unfair or discriminatory predictions. The data collected should be processed only for the purposes stipulated while seeking consent (purpose limitation principle). The personal data should not be used for prediction, profiling or analytical purposes.
The mechanism must prioritize and implement security safeguards. Students should be allowed to use the e-learning platforms anonymously or with unlinkable pseudonyms. The platform should ask permission for access to the camera and microphone before each lecture.
Encrypt the transfer of data between online learning network servers and consumers. The use of encryption techniques must be investigated separately for this reason, based on the specific online learning site. In the case of a loss of records, operators of e-learning services and educational institutions will alert students or their parents and other relevant authorities.
The effect of surveillance is disturbing, as it makes children aware of the conduct that is being observed and changes legitimate behaviour due to fear that the watchers misunderstand their acts. Soon, daily observation creates a routine for the body thus, normalising surveillance into an everyday part of school life.
Although PRAGYATA – Guidelines for Digital Education and Cyber Safety – Handbook for students of secondary & senior-secondary schools is cognizant of privacy and self-expression issues, it still lacks privacy-respecting mechanisms in the age of big data.
(Harsh Bajpai, is a Ph.D. candidate at Durham Law School, United Kingdom. Views expressed are personal.)
First Published in The Leaflet
Get the latest reports & analysis with people's perspective on Protests, movements & deep analytical videos, discussions of the current affairs in your Telegram app. Subscribe to NewsClick's Telegram channel & get Real-Time updates on stories, as they get published on our website.