Digital Privacy for Students: A Complete Guide

Lock Down Your Accounts Before Someone Else Does

Start with your college email password. If it is the same password you use for Instagram or Netflix or that random gaming account you made in first year, you have a problem. Data breaches happen constantly. When a smaller platform gets hacked and its user database leaks, attackers take those email-password pairs and try them against educational addresses. They do it with automated tools. They can test thousands of logins per hour. If your .edu password matches anything else you use, you are sitting in the crosshairs without knowing it.

Pick a passphrase. Not a password. A passphrase. Four or five unrelated words strung together with dashes or spaces. Something like “bicycle-monsoon-textbook-parrot” is both long and weird enough that no brute-force attack will crack it any time soon. You can actually remember it, unlike those random strings of letters and numbers that security advice always tells you to use. The trick is making the words genuinely unrelated. “delhi-india-cricket-kohli” is predictable. “shelf-umbrella-voltage-mango” is not.

After the password, go turn on two-factor authentication on your college Google Workspace or Microsoft 365 account. Your IT department almost certainly supports it, even if they have not forced it on students yet. Use Google Authenticator or Authy. Do not rely on SMS codes. SIM swap fraud has been a documented issue in India for years. Someone calls up your telecom provider, sweet-talks the customer service rep, gets your number ported to their SIM, and suddenly they are receiving all your OTPs. An authenticator app generates codes on your physical device, and there is nothing for a scammer to intercept remotely. It takes five extra seconds per login. That is the entire inconvenience. Trust me on this, the trade-off is worth it.

Now go through every account you have ever created with your college email. That quiz platform from the orientation week event? The Internshala registration? The random hackathon form you filled out at two in the morning? Every single one of those is a potential leak point. If any of those platforms get breached, your email address and whatever password you used there end up in a database that gets traded on Telegram channels and dark web forums. Going forward, split your usage. Keep the college email for academic stuff only. For everything else, create a personal Gmail or a free Proton Mail address. It takes two minutes.

While you are at it, check your social media privacy settings. On Instagram, switch your account to private unless you are genuinely running a professional portfolio page. On Facebook, go to Settings, then Privacy, and set your default post visibility to friends only. Turn off the option that lets search engines link to your profile. In WhatsApp, go to Settings, then Privacy, then Groups, and change it to “My contacts” so random people cannot add you to groups without your permission. These are small toggles. Ten minutes total. But they reduce the surface area that strangers can see.

One more thing. If your hostel or PG has a shared computer in the common room, never log into your college email from it. Shared machines can have keyloggers installed. Even if the machine looks clean, you have no way of knowing what software is running underneath. If you absolutely must use a shared computer for something, open an incognito window, do what you need, log out, close every tab, and then go change that password from your own phone immediately afterward.

Password managers are worth mentioning here too. Bitwarden is free and open-source. You install it on your phone and your browser, create one strong master password, and let it generate and store unique passwords for every account. I resisted this for a long time because I thought I would forget the master password. I wrote it down on a piece of paper and kept it in my wallet until I had it memorised. Not glamorous, but it works. After you set it up, you never have to think about passwords again. Every account gets a random, unique, twenty-character string, and Bitwarden fills it in automatically.

Campus Wi-Fi Is Not Your Friend

Your college Wi-Fi network is shared by hundreds, sometimes thousands, of people. Everyone connected to the same network can, with the right software, observe certain things about your traffic. If you visit a website that still uses HTTP instead of HTTPS (and some older college portals do), someone sniffing the network can see your login credentials in plain text. Even on HTTPS sites, a network observer can see which domains you visit, just not the specific content. They know you went to Instagram. They do not know which reel you watched. But that level of visibility is already more than you would want a stranger to have.

The bigger concern is rogue access points. It is trivially easy to set up a laptop or a phone as a Wi-Fi hotspot, name it something that looks official like “DU_Campus_Free” or “BITS_WiFi_5G”, and wait for people to connect. Once you connect to a rogue access point, all your traffic flows through that person's device. They can see everything. They can inject fake login pages. They can redirect you to phishing sites that look identical to your college portal. A guy in my hostel did this as a so-called experiment during third year. He captured browsing data from a dozen students before someone from the CS department noticed the extra SSID and reported it. He said he was just testing. He had still seen everyone's unencrypted traffic.

The fix is simple. Get a VPN.

ProtonVPN has a completely free tier with servers in Japan, the Netherlands, and the US. The free plan has no data cap and no time limit. Windscribe gives you 10 GB per month free, which is enough for casual use. Either of these encrypts all traffic leaving your device before it hits the campus network. Even if someone is sniffing packets or running a rogue access point, all they see is encrypted gibberish flowing to the VPN server. They get nothing useful.

Install the VPN app on your phone and your laptop. Turn it on any time you are connected to campus Wi-Fi. The speed drop is minimal on a decent connection. I used ProtonVPN throughout my final year and barely noticed a difference except on video calls, where there was maybe a half-second extra delay. For browsing, email, and messaging, it is invisible.

There is one exception. When you need to make UPI payments, transfer money, or use any banking app, switch from campus Wi-Fi to your mobile data. Yes, it costs a few megabytes. But mobile data goes directly through your carrier's network, and intercepting that requires equipment and access that a random student with Wireshark does not have. The risk difference is significant enough that this one habit alone can save you from the worst-case scenarios.

For shared computers in the library or computer lab, the rules are different because you have zero control over the machine. Always use incognito mode. Never save a password when the browser prompts you to. Never click “remember me” or “stay signed in” on any website. When you are done, log out of every account you touched, clear the browser history manually, and check the Downloads folder for any files you might have saved or opened. If you logged into anything sensitive — email, bank, college portal — change that password from your own device as soon as you can.

Trust me on this: the students who get burned by campus Wi-Fi are never the ones doing anything unusual. They are checking email. They are logging into the placement portal. They are paying for food on Swiggy. It is the ordinary, everyday actions that become dangerous on an unsecured network, because those are the actions where you let your guard down.

Spot Scams Targeting Students

Two specific types of scams go after Indian college students more than any other group: fake job offers and exam result phishing. Both exploit the exact moments when you are anxious and distracted, which is what makes them so effective.

Fake job offers show up on WhatsApp, Telegram, email, and sometimes even through Instagram DMs. The message congratulates you on being “selected” for a position at a well-known company. The salary is impressive. The role description is vague. You cannot quite remember applying, but maybe you did during that late-night application binge last month. Then comes the catch. They want money. They call it a “registration fee” or a “training material deposit” or a “background verification charge.” The amount is usually between Rs 500 and Rs 5,000, low enough to seem believable but high enough to be worth running the scam.

No legitimate employer in India charges you money to join. Not Infosys. Not TCS. Not Wipro. Not any startup, consultancy, or agency. Not for registration. Not for an ID badge. Not for training materials. Not for anything. If someone is asking you to send money before a joining date, that is the scam. Period. There is no exception to this.

Before you respond to any job-related message, do a basic check. Search the company name on Google. Go to their official website. Look up the person who contacted you on LinkedIn. If the message came from a Gmail or Yahoo address rather than the company's own domain, it is fake. Someone claiming to represent “Deloitte” but emailing from [email protected] is not from Deloitte. Real recruiters use company email addresses on company domains. Even messages that come through your college placement cell deserve a second look. Scammers have impersonated placement coordinators at multiple Indian universities. They clone the coordinator's WhatsApp profile picture, use a similar phone number, and send messages to the batch group. A friend of mine in Hyderabad lost Rs 2,500 this way during campus placements. She was too embarrassed to talk about it for weeks.

Exam result phishing is the other big one. It follows a seasonal pattern. Every time NEET results, JEE scores, board exam results, or university semester grades come out, fake result websites pop up everywhere. They circulate through WhatsApp forwards and show up in Google search results, sometimes even appearing above the real website because the scammers have paid for ads. These fake portals look nearly identical to the actual result sites. You enter your roll number, date of birth, maybe your Aadhaar number if they are feeling bold. Then you either see a fake result page that asks you to pay a fee to “download the official marksheet” or you see nothing at all because the entire point was to collect your personal data for identity theft.

The rule for checking results is simple and rigid. Only go to URLs ending in .gov.in, .ac.in, or .nic.in. Type the URL yourself. Do not click links forwarded in WhatsApp messages. Do not trust Google ads at the top of search results. If a result website asks for your Aadhaar number, close the tab immediately. No legitimate result portal needs your Aadhaar to show your marks.

If you think you may have entered your details on a fake site, act fast. Change your student portal password. If you gave out financial information, call your bank and report it. File a complaint at cybercrime.gov.in or call the national cybercrime helpline at 1930. Tell your college IT department so they can warn other students. Report the fake website URL to Google through their Safe Browsing reporting tool. The faster you act, the less damage spreads.

There is a third category of scams that targets students specifically: scholarship fraud. You see an ad on social media for a “national scholarship” with a large payout and a form that asks for your bank details “for direct benefit transfer.” Genuine government scholarships in India go through the National Scholarship Portal (scholarships.gov.in) or state-specific portals. They do not advertise on Instagram. They do not ask for your bank PIN or UPI PIN. They do not charge application fees. If a scholarship opportunity reaches you through a social media ad or a forwarded message, assume it is fake until you verify it through official channels.

Build an Online Presence That Helps Instead of Hurts

A 2024 survey by a major Indian recruitment platform found that more than 70% of HR professionals check a candidate's social media before extending an offer. Not just LinkedIn. Instagram, Twitter, Facebook, Reddit. Some of them Google your name and scroll through whatever comes up on the first two pages of results. What they find can disqualify you even if your resume and interview were strong.

The obvious red flags get you eliminated instantly. Posts showing illegal activity. Hate speech. Slurs. Harassment. But it goes beyond that. Recruiters also notice patterns. A feed full of constant complaints. Publicly trashing professors or previous internship supervisors. Getting into ugly arguments in comment sections. Posting memes that are funny to your friend group but look terrible to a 40-year-old hiring manager scrolling through your profile at 9 AM on a Monday. None of this means you cannot have opinions or be yourself online. It means you should think about who can see what.

Here is an exercise that takes thirty minutes. Open an incognito window in your browser. Google your full name. Then try your name plus your college name. Your name plus your city. Your email address. Your phone number. Look at everything that shows up on the first three pages. Screenshots of old tweets, tagged photos on someone else's public Instagram, comments on YouTube videos, your profile on some forum you forgot you signed up for. Would you be comfortable if a recruiter from your dream company saw all of it?

For anything you want removed, start with the platform itself. Most social media sites let you untag yourself from photos, delete old posts, or change post visibility after the fact. On Instagram, you can archive posts instead of deleting them, which hides them from everyone but keeps them in your account in case you want them back. On Twitter/X, tools like TweetDelete can bulk-remove old tweets. On Facebook, the Activity Log lets you review and hide or delete individual posts, photos, and comments going back years.

For search engine results that you cannot control at the source — maybe someone else's blog post mentions you, or an old forum post shows up, you can submit a removal request to Google through their “Remove outdated content” tool. It does not always work, and Google prioritises removal of content that includes personal information like phone numbers or addresses. But it is worth trying for results that genuinely misrepresent you.

Setting up your accounts properly matters more in the long run than doing periodic cleanups. Make your personal accounts private. Keep your professional accounts public and well-maintained. The separation does most of the work for you. Your private Instagram where you post jokes with college friends stays invisible to recruiters. Your public LinkedIn where you list projects, internships, certifications, and skills is what they find instead.

The other side of all this is that a well-managed online presence actually helps during placements. A LinkedIn with projects, a GitHub with actual code, a clean Google result when HR searches your name. Privacy is not just about hiding. It is about controlling what shows up.

Start now. Do not wait until placement season. I put this off until companies were already visiting campus and had to scramble to clean up years of accumulated social media in a single weekend. It was stressful and I definitely missed things. If you are in first or second year, you have time to build the online presence you want instead of frantically dismantling the one you have. That is a much better position to be in.