According to a report released today by Human Rights Watch, the Egyptian government and a British private corporation called Academic Assessment Ltd did expose enormous amounts of personal data about tens of thousands of chil
Sensitive Data Left Unprotected for Months Without Child Data Protection. According to a report released today by Human Rights Watch, the Egyptian government, and a British private corporation called Academic Assessment Ltd., exposed enormous amounts of personal data about tens of thousands of children online for months.
Children's privacy is being violated; they risk suffering substantial harm. In addition, the disclosure is breaking Egypt's and UK's data protection rules.
More than 72,000 records containing children's names, dates of birth, gender, homes, email addresses, phone numbers, schools they attend, grade level, individual profile images, and copies of their passports or other government-issued identification made up the sensitive data.
It was exposed to the public for at least eight months before being secured. In addition, the records listed 110 kids with specific disabilities by name.
The Egyptian government and Academic Assessment risk children of serious harm by carelessly disclosing children's private information," according to Hye Jung Han, a Human Rights Watch researcher and advocate for children's rights and technology.
Read Also: EgyptAir Suspends Flights To Khartoum As Fighting In Sudan Enters Its Fourth Day
They made it possible for anyone with an internet connection for months to learn these kids' names, addresses, places of attendance, and ways to contact them.
The kids had taken the Egyptian Scholastic Test (EST), a prerequisite for secondary school pupils enrolled in Egypt's American Diploma high school program, which offers an English-language curriculum. The 356,797 files in the unencrypted data belonged to kids who applied for the EST between September 2020 and December 2022.
The unsecured data also contained the names and locations of the universities to which students applied, their test scores, and whether or not they had paid their test registration costs.
In addition, the documents included specific comments about students taken by the proctor who watched their exam, including claims of "unethical behavior," "won't stop talking. We gave him many warnings, and he attempted to cheat so many times," and "late late late."
The release of such sensitive material jeopardizes the safety of these children. The risk of misusing and abusing their data exposes children to substantial harm, including identity theft, blackmail, and sexual exploitation. Moreover, it may have long-term effects that limit their chances.
Nathaniel Fried, a co-founder of the intelligence software company Anduin, discovered the data vulnerability, and Human Rights Watch confirmed it. Human Rights Watch conducted more research and found that the impacted students are from all 27 governorates of Egypt.
Read Also: Egypt's Press Syndicate Elects Khaled El-Balshy As Its Leader
In addition, they hail from Algeria, Comoros, Bahrain, Iraq, Jordan, Kuwait, Libya, Lebanon, Oman, Palestine, Qatar, Saudi Arabia, Sudan, Syria, and the United Arab Emirates, making up 0.2% or 168 people.
Egypt's Education Ministry developed the entrance exam in September 2020, two weeks after a US business, the College Board, temporarily stopped offering the SAT in Egypt owing to "recurring test security incidents."
The second time the EST was given in March 2021, the Education Minister, Tarek Shawki, declared that it would be the only recognized admission exam into Egyptian universities" for students with American Diplomas.
Ownership of the exam has shifted in or around March 2022, without announcement, from the Egyptian government to a UK firm, Egyptian Scholastic Test Ltd., created in 2021 and renamed Academic Assessment Ltd. in November 2022.
In March 2022, the government-controlled exam website was decommissioned and replaced with one saying that Academic Assessment Ltd. owns the "EST in London." The Egyptian government formally distanced itself from the exam a few months later.
Shawki asserted that the Egyptian Ministry of Education did not cooperate with the EST, a foreign organization in Britain. The unsecured database contains information on children obtained by the government and Academic Assessment both before and after the apparent change in ownership.
It needs to be clarified when, why, or how the government sold or transferred control of the EST and the data it collected from its pupils to Academic Assessment.
Amazon Web Services, Amazon's cloud storage services, held the unprotected data. The data remained available until March 15, when Human Rights Watch notified Amazon of the infringement of child data protection. Amazon didn't respond to a request for comment.
Although neither the government nor the company will acknowledge the ownership of the data, the disclosure violates children's privacy.
It also appears to breach Egyptian and UK data protection regulations, which require organizations who handle personally identifiable data to protect and secure it and notify the authorities quickly and impacted individuals in the event of a data breach.
Children are entitled to specific rights for their data privacy, according to Egypt's 2020 data protection law; however, it doesn't explain or offer any of these protections, and no implementing regulations have been released.
Additionally, there is no government entity to enforce the law: Nearly three years after the law's enactment, the data protection authority still needs to be established.
Children have a specific right to privacy protection, according to Han. "The Egyptian government must begin safeguarding children's privacy rights and enforcing legal obligations on all parties to do the same."