The website of the International Film Festival of India has put up personal information and documents of registrants in plain sight. 

This includes government ID, curriculum vitae (which includes one’s phone number and address, and often date of birth) and a document listing the registrant’s filmography or portfolio. 

This information is easily accessible for anyone who’s tech-savvy. Registrants include the general public, film professionals, and students.

IFFI is organised by the National Film Development Corporation of India under the Ministry of Information and Broadcasting. Started in 1952, it’s one of the leading film events across the globe – the only film festival in South Asia that is accredited by the International Federation of Film Producers’ Associations.

The festival, which became an annual event from 1975, has been organised in Goa since 2004 in collaboration with the Entertainment Society of Goa. This year, the 54th edition of IFFI Goa is scheduled to take place from November 20 to 28. Registrations across categories opened in September.

Data leak

The official website of IFFI Goa – iffigoa.org – gives public access to the file storage on its server which can be exposed by visiting a specific URL. This directory contains the documents submitted by over 550 registrants, as of October 16. I cannot confirm if these are all the registrants, or just a segment of them.

Here’s a screenshot of this directory after cropping out the directory path. I will not share the URL either for privacy reasons.

This is a screenshot of the ‘id_proof’ folder which has identity documents easily available and downloadable as well. Names and personally identifiable information are masked from the file names.

To register as a ‘film professional’, the website requires candidates to upload their biodatas and a government-issued ID. To register as a ‘cine enthusiast’, it requires just the ID. Registration for students is free but requires a letter from college and a college ID card. I could not find the student information in this directory path – either these are stored differently or elsewhere.

Since registrations are still ongoing in some categories, more such data will be available closer to the event for anyone to misuse.

Data privacy concerns

I spoke to two young filmmakers whose personal details can be accessed on IFFI’s website. Both did not want to be named for this story since they didn’t want to jeopardise their chances at the competition and IFFI is, after all, a sarkari event.

The first filmmaker had registered for the event as a candidate for IFFI’s ‘75 Creative Minds of Tomorrow’ section. I could access his CV (which included his phone number, address and work experience), his PAN, and a document that had links to his filmography.

The filmmaker was more worried about the latter – links to his work – than his personal information being compromised. That’s because his work is uploaded on unlisted YouTube links (that are not visible to subscribers or available via search) and Google Drive links. 

Only those with the links can access the videos. They’re kept private because filmmakers are scouting for producers or publishers to buy them and make them available on their YouTube channels or streaming services. Additionally, independent filmmakers apply to film festivals for reward and recognition and also to jumpstart their professional careers. Most film festivals have a clause in their eligibility requirements for debut/independent filmmakers, permitting only films that aren’t released already. 

For example, the Short Film Competition at the recently concluded Himalayan Film Festival 2023 has the following as an eligibility requirement: 

“The film must not be previously available to view online, and should not have been screened at any festival or event prior to this. You are encouraged to submit fresh works produced for this competition.”

If a filmmaker’s work is leaked, it dents his chances of participating at IFFI and other film festivals.

However, the second film professional was appalled when I told her that her personal details were on IFFI’s website for anyone to peruse. Considering she’s a young woman, her concern is not misplaced. “This is very worrying for anyone; definitely shouldn’t happen for such a big event,” she said over a call.

According to Soutik Banerjee, an advocate from New Delhi, the breach of data privacy by a body corporate – an organisation that is considered to have its own legal rights and responsibilities – is liable for action under Section 43A of the Information Technology Act, 2000.

“Failure to maintain and implement reasonable security measures and practices which results in wrongful loss or wrongful gain would render the body corporate liable to compensate the victims,” he said.

That said, the procedure is tedious. It involves filing a complaint before an adjudicating officer, followed by an appeal to the cyber appellate tribunal, with a further appeal to the high court. 

“The threshold is of reasonable security measures, which is a low bar to meet for these agencies, and a very high bar to achieve for a victim whose data is breached. Thus, successful complaints will be a rarity, and this likely is why most people are deterred from pursuing the legal remedy,” Banerjee said. 

It is therefore unlikely that any young filmmaker would pursue legal recourse. The need of the hour is to have exemplary compensation as the standard for data breach, which will force institutions to maintain the best security systems and not merely reasonable ones. 

“That is the premium that needs to be placed on privacy for it to have any real meaning,” Banerjee said. 

I sent IFFI Goa a questionnaire asking whether they’re aware of the data leak on their website and if they’ll inform the registrants whose data has leaked. This report will be updated if they respond. 

Update on October 17

After this story was published, IFFI Goa locked the directory access on its server which prevents anyone from browsing through the files and folders. However, the leak hasn't been fixed since the files can still be downloaded directly by typing their URLs.

Abhishek Baxi is an independent technology journalist who explores the intersection of technology, culture, and society. He writes on consumer tech, analyses Big Tech and its moves, and shares unsolicited opinions on X as @baxiabhishek.