WhiteHat Jr is an ed-tech platform that teaches students from age 6 to 18, coding through one-on-one video classes with 7000 instructors on board. Not too long ago, White Hat Jr. was acquired by Byju’s, which is the poster boy of India’s EdTech startups, in an all-cash deal of $300 million.
No matter how many people WhiteHatJr. has impressed since it was founded by Karan Baja in 2018; it has become a target for online trollers for about several months now for bombarding users with advertisements across TV and digital platforms, who aren’t even parents, which are their target segment for ads. The ads are over the top, unrealistic and far fetched.
WhiteHatJr. ads have been criticised for using pictures of Bill Gates and Sundar Pichai for promotional purposes.
If that was not enough, according to the latest report by the Quint, WhiteHat Jr. reportedly exposed personal data of over 2.8 lakh students and teachers due to multiple vulnerabilities that existed in its servers until the middle of November. The platform said that it has fixed the flaws after it was informed by a security researcher. It is, however, unclear whether the affected data was compromised until the loopholes were not patched.
Just last month, Mumbai-based WhiteHatJr. was found to have another security issue that was also leaking students’ personal data and transaction details.
The security researcher who discovered the latest vulnerabilities within WhiteHat Jr made multiple disclosures to the platform for over a month between October 6 and November 20, The Quint reports. The issues reportedly existed due to a misconfigured backend server that exposed data including student names, age, gender, profile photos, user IDs, parents name, and progress reports. The data is said to have included the details of a large number of minor students.
WhiteHatJr. could have saved its image from getting spoilt in front of the public and also could have saved the data of thousands of children and its parents getting leaked, if they would have taken into consideration what Pradeep Poonia had to say since August 2020.
Pradeep Poonia, an IIT alumnus and a software engineer with Cisco emerged as a whistleblower and vocal critic of the company through social media platforms like Twitter and YouTube.
Poonia was also a part of Telegram groups comprising security researchers who had discovered vulnerabilities in the product and made responsible disclosures to the company. As he pointed the bug long ago, no one knows the number of people who downloaded the data, before it was reported and fixed.
The initial posts on Twitter by Pradeep Poonia were about alleged fake claims made by the company about a child codenamed “Wolf Gupta”. In the ads, the company claimed that big technology companies allegedly hired the kid for a handsome salary at the age of 13.
The allegations levelled by Poonia led to The Advertising Standards Council of India (ASCI) asking the company to withdraw the ‘misleading’ ads from all platforms. In a LinkedIn post, while talking if kids should learn to program, Bajaj said in the footnote, “Feedback on our marketing needing improvement is well-taken. We’ll do better with it.”
On November 13, Poonia published a series of tweets and posted some videos that recorded the alleged private conversation of the WhiteHatJr. employees on Slack. Poonia claimed that the company had silenced the media, and no one is ready to cover the allegations made by him as videos from all his three youtube channels were removed.
From his first YouTube channel, called WhiteHatSr. , six videos were removed; another eight were wiped off his second channel, called Safed Topi Sr 2.
This third channel, named Pradeep Poonia 3.0, stays away from the WhiteHat Jr references in its name and has seen two videos erased. The first two channels were suspended because of repeat strikes.
Jihan Haria, a 12-year-old from Pune, posted a roast of one of WhiteHatJr.’s advertisements on his YouTube channel, ‘Just Jihan’, which was taken down by the video-sharing platform the same day, on account of copyright violations as well. But he was further backed up by Pradeep Poonia when Jihan’s father brought this issue into light by tweeting about it and got Pradeep Poonia’s attention.
On November 13, Poonia took a major step and highlighted the alleged questionable practices at WhiteHatJr. by sharing screenshots and videos of the communication in the company’s Slack channels.
A week later, on 20 November 2020, WhiteHatJr. filed a $2.6 million case against Poonia, accusing him of defaming the coding startup, hacking into its servers to access internal communications as well as violating its trademark and copyrights.
According to Pradeep Poonia, all he did was pointed bugs but the team of WhiteHat Jr. never got back to him with the fix of the bugs that he discovered. WhiteHat Jr. when responded, came up with police cases and false women assault charges.
When the Delhi High Court heard the arguments in the defamation case launched by Karan Bajaj, WhiteHat Jr’s founder, against Pradeep Poonia, on November 24th, it accepted that the Infamous Wolf Gupta was just a fictitious character.
Page 5 of the legal notice by Karan Bajaj has this:
This is very misleading to the audience who believed that a kid name Wolf Gupta did exist and hence enrolled their kids in the platform, not knowing that it is a marketing gimmick.
According to Aniruddha Malpani, an angel investor in several edutech start-ups, NRIs should file a class-action lawsuit against them in the USA for consumer fraud.
Based on US students enrolled in the coding course, WhiteHat Jr. may attract United states COPPA fines.
The Children’s Online Privacy Protection Act is a federal law that protects the privacy of children under 13. COPPA’s foundational principle is one that most people can agree on: Parents – not kids, companies, platforms, or content creators – should be in control when it comes to information collected from children online.
The FTC enforces the law through the COPPA Rule. In general, COPPA requires operators of commercial websites and online services that are directed to children (more about that in a minute) to provide notice and obtain verifiable parental consent before they collect personal information from kids under 13.
If found guilty, WhiteHatJr. might end up paying fines in Billions (for up to $42,530 per violation). FTC considers a number of factors in determining the appropriate amount, including a company’s financial condition and the impact a penalty could have on its ability to stay in business.
Just like Pradeep Poonia, Malpani is also restrained from making defamatory commentary against WhiteHat Jr and its employees by the Delhi High Court in the court hearing on 23rd November. The next hearing for his case has been scheduled for January 14, 2021.
According to the Critics, WhiteHat Jr. hasn’t stood up to the standards that it talked about. WhiteHatJr. on it’s booking form called “We won’t use data for marketing” but they use it in the worst way possible by bugging parents on SMS, calls and etc. (Last time the message was seen in august 2020)
WhiteHatJr. claims they teach technology but they failed at basic data management.