Data Trade in Guise of Education: Students Fall into Theft Trap While Trying to Learn!

A large portion of the country's 40 million students are now dependent on one or another online education platform. In the post-COVID era, this expansion of digital education has unlocked immense possibilities, but at the same time, it has created an invisible yet significant risk.

A technical analysis of 8 popular online coaching and educational platforms in the country, conducted by Agamir Somoy, has revealed alarming results. It shows that every click, reading habit, and even intellectual weakness of students is being recorded by multiple foreign tracking software programs. This sensitive data regularly flows to servers in India, Singapore, and the United States. A vast number of underage students, aged 12 to 18, are unknowingly stepping into this commercial data trap, which is pushing them into targeted negative advertising and cyber risks.

According to IMARC, an organization that provides data on the online education market's revenue, Bangladesh's education market reached $446.4 million in 2025. With a projected growth rate of 22.50% from 2026 to 2034, the market is expected to reach $2,918.5 million by 2034. However, beyond this, online educational institutions are generating massive hidden revenues, putting students' personal digital data at risk.

The investigation found that several top online coaching platforms and educational websites in the country are using multiple foreign tracking software programs on their apps and sites. A large portion of the users of these online educational institutions are children or adolescents, aged between 12 and 18. Because their personal data is being transferred from these websites, they are easily exposed to advertisements from various negative sites, and many students are falling into those ad traps.

The analysis revealed data across four key indicators: number of ad trackers, number of third-party cookies, HTTP (Hypertext Transfer Protocol) security score, and Content Security Policy (CSP) score.

10 Minute School
This most popular platform in the country was found to have 14 ad trackers and 28 third-party cookies—the highest among the eight platforms analyzed. This means that as soon as a student enters the site, at least 14 advertising companies begin collecting their data. The HTTP security score is only 50, and the Content Security Policy score is negative (-25), indicating that the site is not adequately protected against hacker attacks either.

Diksha
The HTTP security score is zero—meaning this platform has no basic security measures in place. A student's data here is practically as exposed as through an open window.

Shikho and Bohubrihi
Shikho was found to have 6 trackers and one third-party cookie. Bohubrihi has 4 trackers but no third-party cookies; however, with a negative CSP score, security risks remain.

Khan Academy (Bangla)
Among the eight, Khan Academy was the only one with a CSP score of zero. It has one tracker. However, the HTTP score is only 15, which remains a concern.
CSP Scores Negative for Seven Platforms

Among the eight analyzed, seven have negative Content Security Policy scores. This means these platforms are practically unprotected against cross-site scripting (XSS) attacks, which leaves the door open for theft of students' sensitive information.

What Do the Trackers Do?

Ad trackers primarily do three things. First, they record every activity of the student—which subjects they are weak in, how long they study, and where they get stuck. Second, they send this data to the advertising companies' servers. Third, based on that data, ads are targeted and shown to the student—even on other websites.

Third-party cookies are even more dangerous. Even after the student leaves the site they visited, these cookies can track them across the entire internet. As a result, students' entire internet browsing behavior can be monitored through third-party cookies.

What the Online Educational Institutions Say

After highlighting these concerning issues, all relevant platforms were given two weeks to provide written explanations. However, barring 10 Minute School, all other institutions remained silent in their response. Among the institutions, the Gmail addresses listed on the websites of 3 platforms were also found to be incorrect. The remaining platforms did not provide any answers to the questions asked of them.

10 Minute School states that they treat student data security and privacy with the utmost importance. They claim that their platform only collects and processes necessary information from users for service provision, account management, improving learning experiences, providing support, ensuring security, and relevant communication. The institution claims they do not sell users' personal information. They regularly review security, privacy, and user trust issues and take developmental steps as needed. 10 Minute School further said that any student or guardian can, if they wish, permanently delete their account and all associated data directly from the profile/settings option on their app or website.

Legal Loopholes

The country still lacks a comprehensive personal data protection law. The Personal Data Protection Ordinance, 2025, and the Digital Security Act, 2018, address cybercrimes but lack specific provisions explicitly regulating data collection and sales. The Consumer Rights Protection Act also does not clearly mention digital data protection. As a result, these platforms are safely exploiting legal gaps to use students' data.

Expert Opinion

IT professionals are worried about this trend of commercial use of personal data. Cybersecurity expert Rakib Ahmed told Agamir Samay, "If information about which subject a student is weak in, what they are anxious about, what age they are, and when they go online—is combined with their phone number, then a complete 'digital profile' can be created. Data broker companies in the developed world analyze human behavior exactly this way to craft advertising, influence, and sales strategies."

Noting that a large portion of online education platform users are minors, the cybersecurity expert said, "The most terrifying aspect is that the majority of users on these platforms are adolescents. Once a student's phone number moves to an ad network, data broker, or insecure server, it can spread across countless databases over time. After that, targeted influence operations begin."