Leakage of Sensitive, Private Information Could Lead to Serious Harm
The Egyptian government and a private British company, Academic Assessment Ltd., exposed vast amounts of personal information about tens of thousands of children online for months, Human Rights Watch said today. The exposure violates children’s privacy, exposes them to the risk of serious harm, and appears to violate the data protection laws in both Egypt and the United Kingdom.
The sensitive data included over 72,000 records of children’s names, dates of birth, gender, home addresses, email addresses, phone numbers, schools that they attend, grade level, personal profile photos, and copies of their passport or national ID. It was left unprotected on the open web for at least eight months. The records identified 110 children by name as having some form of disability.
“By carelessly exposing children’s private information, the Egyptian government and Academic Assessment put children at risk of serious harm,” said Hye Jung Han, children’s rights and technology researcher and advocate at Human Rights Watch. “For months, they allowed anyone with an internet connection to find out who these children are, where they live and go to school, and how to contact them directly.”
The children had taken the Egyptian Scholastic Test (EST), which is required by Egyptian universities for secondary school students studying under the American Diploma, an English-language high school curriculum in Egypt. The unprotected data contained 356,797 files, and included children who applied to take the EST between September 2020 and December 2022.
The unprotected data also included the names and locations of the universities that students applied to, their test scores, and whether they had paid their test registration fees. The records included detailed notes about students taken by the proctor who monitored their exam, including allegations of “unethical behavior,” “won’t stop talking we gave him many warnings and he attempted to cheat so many times,” and “late late late.”
The exposure of such confidential information jeopardizes these children’s safety. The risk of misuse and exploitation of their data exposes children to serious harm, including identity theft, blackmail, and sexual exploitation, and may have long-term consequences that affect their opportunities.
The data exposure was identified by Nathaniel Fried, co-founder of Anduin, an intelligence software company, and was verified by Human Rights Watch. Further analysis by Human Rights Watch found that the affected students come from all 27 governorates in Egypt. A small number – 0.2 percent or 168 – are from other countries: Algeria, Bahrain, Comoros, Iraq, Jordan, Kuwait, Lebanon, Libya, Oman, Palestine, Qatar, Saudi Arabia, Sudan, Syria, or the United Arab Emirates.
Egypt’s Education Ministry created the entrance test in September 2020, two weeks after a United States company, the College Board, indefinitely suspended administering its university admissions exam, the SAT, in Egypt due to “recurring test security incidents.” By the time the EST was administered for the second time in March 2021, then-Education Minister Tarek Shawki announced that it would be “the only recognized exam for admission into local Egyptian universities” for American Diploma students.
In or around March 2022, and without announcement, ownership of the exam appeared to have changed, from the Egyptian government to a UK company, Egyptian Scholastic Test Ltd., formed in 2021 and renamed in November 2022 as Academic Assessment Ltd.
The government-owned test website was taken down in March 2022 and replaced with one stating that the “EST is owned by Academic Assessment Ltd. in London.” The Egyptian government publicly distanced itself from the exam a few months later, with Shawki stating that the Education Ministry “had nothing to do with” the EST, which “is managed by an international institution in Britain, not the Egyptian Ministry of Education.”
The unprotected database includes children’s records collected by the government as well as by Academic Assessment, both before and after the apparent change in ownership.
It is unclear exactly when, why, or how the government sold or transferred ownership of the EST and its students’ data to Academic Assessment. Human Rights Watch did not find evidence of a public procurement process. It is also unclear why the government would sell or give away the highly personal details of children who had taken the test, such as disability status, that are not necessary for the company to manage the EST. The Egyptian government and Academic Assessment did not respond to questions from Human Rights Watch about the change in ownership, or whether the government had stipulated that Academic Assessment must provide protection for data that is sold or transferred to it.
Egypt’s Education Ministry and the National Council for Human Rights did not respond to a written request from Human Rights Watch in February 2023 to fix the data exposure. Habib Khalil Sayegh, chief executive officer of Academic Assessment, said that the company took the exposure seriously and that it had investigated, but declined to answer Human Rights Watch’s questions.
The unprotected data was hosted on Amazon Web Services, Amazon’s cloud storage services. The data remained accessible until it was taken down on March 15, after Human Rights Watch notified Amazon of the child data privacy violation. Amazon declined to comment.
Though neither the government nor the company would confirm ownership of the data, the exposure violates children’s privacy. It also appears to violate the data protection laws of both Egypt and the UK, which require entities that handle personally identifiable data to protect it and ensure that it is secure, and to promptly notify the government and affected users in the event of a data violation.
The Egyptian government further exposed children to the risk of harm by selling or giving away their personally identifiable data to a third party seemingly without stipulating protections for this data. The government did not appear to have informed the children that their data was being sold or transferred, denying them the opportunity to object or to take measures to protect their privacy.
The country’s constitution guarantees the right to privacy. Egypt has also ratified the United Nations Convention on the Rights of the Child, which guarantees children’s right to privacy, a right that is vital to ensuring their safety, agency, and dignity.
Egypt’s 2020 data protection law recognizes that children are entitled to special protections for their data privacy but does not specify or provide them, and no enacting regulations have been issued. Moreover, the law lacks a governmental body that could enforce it: The data protection authority that was created by the law has yet to be established almost three years later.
Lawmakers should amend the law to establish comprehensive child data protection rules. These should require companies and government agencies to provide the highest levels of protection and security for children’s data and their privacy, and to contractually oblige the same of any entity that they share, transfer, or sell children’s data to. The government should urgently establish the data protection authority and give it the mandate and resources to protect everyone’s data privacy, including that of children.
“Children are entitled to special protections for their privacy,” Han said. “The Egyptian government needs to start protecting children and their data privacy, and to legally compel all actors to do the same.”