n the badly-made movie which passes for an average sixteen-year-old's internal life, the notice board is where the camera lingers for an eternity, before the epic suspense – your examination results – is broken. But to be honest, the shift in imagery from a notice board to a computer screen had already happened a while back. What most of us (yes, even the ones who aren't Luddites) remain wary about is the extent of information which can be sourced online, given the right set of skills.
Debarghya Das, a computer science student at Cornell (currently an intern at YouTube), put up a Quora post titled 'Hacking into the Indian Education System' last week. Using techniques which seasoned hackers described variously as 'elementary' and 'ABC stuff' on the thread, Das successfully broke into the ICSE, CBSE and ISC websites, acquiring all the results therein, including the Class X ICSE results which he analysed graphically. In his own words, "One person had just acquired the exam results for the whole country. Not only was this a violation of any and all forms of privacy associated with something as personal as your examination marks, but a mass divulsion of all sorts of personal information; names, date of birth and school." Within days, Das' intervention of sorts had already caught the attention of the Hindustan Times, Times of India, Daily Mail and Outlook.
But Das was just getting warmed up. By analysing the resultant graphs for each of the subjects, Das showed that a lot of commonly assumed notions about Indian schools are painfully accurate. For instance, nobody had scored 32, 33 or 34 in the Class X ICSE exams. "This chain of 3 consecutive numbers is the longest chain of absent numbers. Coincidentally, 35 happens to be the pass mark." These, then, are the apocryphal 'grace marks' which one hears about. (Unfortunately, most of my old teachers liked their graces with the 'g's removed.) Also conspicuous by absence were 36, 37, 39, 41, 43, 45, 47, 49, 51 and as many as two dozen other scores. Nobody in India had received these scores in any subject in the ICSE. Given the number of candidates and the number of subjects here, this amounts to impossibility, as any statistician will tell you.
||There is no provision of the IT Act (or any other legal provision) that I know of that should penalise Debarghya Das. Many of the provisions of the IT Act are too broad; much worse than the equivalent provisions in the US’s CFAA (Computer Fraud and Abuse Act). — Pranesh Prakash
Das wrote, "Could this mean that all of these unattained marks were simply promoted to the next mark, making it unattainable? Possibly, but we'll never know which ones are promoted or demoted and by how much. (...)In my opinion, there is not a shadow of doubt in my mind that the CICSE board (which conducts the ICSE exams) is fraudulent and guilty of mark tampering. Whether they changed some results by plus or minus 1 or plus or minus 5 is irrelevant."
Common sense tells us that Das' actions are praiseworthy, to say the least. After all, he pointed out a serious security issue with an important official website. Nikhil Pahwa, founder-editor of Medianama, said, "In my opinion, what Das appears to have done is core to data journalism. Das did not break into the ICSE/ISC websites. Using a script, Das appears to have scraped data which was publicly accessible on the web; and compiled and analysed it for the purpose of educating the wider public about issues related to marking. This is fantastic, and more journalists need start collaborating with coders and working on data. If Das is punished for this activity, it's harmful for the evolution of journalism, and will limit the freedom of the press."
However, India's vaguely-worded cyber laws may prove to be Das' downfall yet. In recent years, there have been several cases where security researchers have been found convicted, particularly in Europe and the United States. After AT&T hacker Andrew Auernheimer, aka 'Weev' was sentenced to three years in prison, security expert Charlie Miller had tweeted, "We could all go to jail for security research at any moment, and a jury would happily convict us." Cyber security expert Pranesh Prakash (of the Centre for Internet and Society (India)) said, "There is no provision of the IT Act (or any other legal provision) that I know of that should penalise Debarghya Das. I continue to argue that many of the provisions of the IT Act (including sections 43 and 66) are too broad; much worse than the equivalent provisions in the US's CFAA (Computer Fraud and Abuse Act)."
The CFAA, of course, was the law under which programmer-activist Aaron Swartz was facing a sentence of 35 years, at the time of his suicide in January. Historically, it has fallen upon young upstarts like Swartz and in this case, Das, to smash officious inertias the world over. Prakash and other observers of Internet issues in India will hope that CISCE and co. respond to Das' initiative not with a lawsuit, but by coming clean themselves. And while they're at it, perhaps we could persuade them to invest in some cyber security?