He didn't hack, he scraped ICSE results and look what he found

Share on Facebook Tweet Share Share Reddit
He didn't hack, he scraped ICSE results and look what he found

The Internet was buzzing Wednesday thanks to a blog post by Debarghya Das that raised questions about the privacy of CISCE results and indeed its marking process. CISCE, or Council for the Indian School Certificate Examinations, is one of country's leading education boards, alongside CBSE, that holds the ICSE (Class X) and ISC (Class XII) examinations.

Many reports have claimed that Das, a 20-year-old Cornell University student of Indian origin, 'hacked' into the CISCE system to expose 'vulnerabilities' in their security and 'fallacies' in their marking system. Let's take a few moments to set things straight.

First, Debarghya Das didn't 'hack' or break into any system, regardless of the headline of his post, to get access to ICSE and ISC results of all students. What he did was scrape through publicly available data to get results for all students by automating the process via scripts. Is it illegal? No. Should the data be available publicly for all? Probably not, but that's for CISCE, the board that conducts these examinations, to decide.

CISCE co-ordinates with leading media houses of the country (including NDTV) to host the ICSE and ISC results on their websites. Everything, including how the websites look to what kind of security they have, and what kind of privacy controls to have, is controlled and approved by CISCE. For example, CISCE mandates that one cannot see the results of an entire school at one go.

Similarly, CISCE say that personal information like name, date of birth, and school information of a particular student be made visible when showing the result. Should the board mandate asking for some personal information (like last name of the candidate) when showing the result for someone? Probably, but that's a decision for the board to make. Does the date of birth need to be present? Again, probably not, but, again, that's a decision made by the board, not the websites that host the data.

As mentioned earlier, what Das has done is automate the process of fetching these results that are already available for anyone to see. What he's done does not involve 'hacking' in that no systems were broken into. And he's definitely not modified the results themselves, like some have suggested. However, his findings do make for interesting reading and raise a few question marks on the CICSE marking process.

Das plotted the marks obtained by ICSE and ISC students in various subjects on a graph and found they followed a pattern that usually wouldn't exist in a set of data as random as marks obtained by students. Certain marks were not obtained by any of the students in any subjects. For example, Das said, the marks 81, 82, 84, 85, 87, 89, 91 and 93 were not obtained by any student in any subject in ICSE exams (see graph above).

NDTV.com was able to independently verify that the English ICSE 2013 marks distribution graph that Das shared mirrors the actual marks distribution pattern. No student was awarded an odd-numbered score between 38 and 80 (except for a few that got 69). We are not sure if this is a case of rounding up, or a case where the examination carried questions that had even-numbered marks. Even then, not having a single student that scored any odd-numbered score between 38 and 80 (except 69) is really strange.

Tags: Hacking, ICSE, India
Kunal Dua

Editor by day. Editor by night. Wannabe writer. Full-time cynic.

Smartphone users still prefer websites for online shopping: Report
Documents point to US effort to get web data