HRW: The Egyptian government exposed the digital data of child students

58

Human Rights Watch has accused the Egyptian government and a private British company of sharing the personal information of tens of thousands of students over the Internet for at least eight months without protection, which violates the privacy of these children and puts them at risk of identity theft, blackmail and sexual exploitation, in violation of the protection of Data laws in Egypt and Britain.

Data available

According to the organization’s statement, the unprotected data included records of more than 72,000 students who took the “EST” test between September 2020 and December 2022, as the Ministry of Higher Education requires holders of American diplomas to get “EST” to apply to Egyptian universities. The data included the children’s names, dates of birth, gender, home addresses, email addresses, phone numbers, schools attended, grades attended, profile pictures, and copies of their passports or national IDs. The records identified 110 children by name as having some form of disability. “By disinterestedly making children’s private information available, the Egyptian government and the British Academy risk exposing children to serious harm,” said Hye Jong Han, children’s rights and technology researcher at Human Rights Watch. “For months, they allowed anyone with an Internet connection to know who these children were, where they live and go to school, and how can they be contacted directly.”

The unprotected data also included the names and locations of the universities students applied to, their test scores, whether or not they paid test registration fees, as well as detailed notes about student behaviour taken by proctors who monitored their exams, including such notes as “unethical behaviour” and “too late”. The disclosure of confidential information like this threatens the safety of these children. The risk of misuse and exploitation of their data exposes children to serious harm, including impersonation, extortion and sexual exploitation. It may have long-term consequences affecting the opportunities available to them.

The government refuses to respond

The Egyptian Ministry of Education established the “EST” entrance exam in September 2020, two weeks after the American company “College Board” suspended the university entrance exam known as the “SAT” in Egypt indefinitely due to “repeated incidents related to securing the confidentiality of the exam.” By the time the Egyptian exam was held for the second time in March 2021, then-Minister of Education Tarek Shawky had announced that EST would be the “only recognized exam for admission to local Egyptian universities” for American diploma students and transferred its management to the British company Academic Evaluation Ltd, headquartered in London.

Human Rights Watch said, “It is not clear why or how the government sold or transferred ownership of the EST exam and its student data to the British company,” adding that the Egyptian government and the company did not respond to a written letter sent by the organization to them about changing ownership of the exam, or even about if the government had required the British company to protect student data or not. Neither the Egyptian Ministry of Education nor the National Council for Human Rights responded to a written request from Human Rights Watch in February 2023 to fix the data exposure. While the CEO of the British company said that the company took the matter seriously and conducted an investigation, he refused to answer the organization’s questions.

Exposure of this data violates data protection laws in Egypt and Britain, which require agencies dealing with personally identifiable data to protect it, ensure its security, and immediately notify the government and affected users in the event of a data breach. The Egyptian government has also put children at risk of harm when it sells or transfers their personally identifiable data to a third party, apparently without stipulating its protection. The government does not appear to have informed the children of the sale or transfer of their data, denying them the opportunity to object or take measures to protect their privacy.