Privacy issues with constitution75.com and the exposure of data

Around December 2025, I came across a post by Internet Freedom on Instagram about the privacy issues with constitution75.com Checkout the instagram post here. I got curious and decided to check it out. I was shocked to see the data that was exposed. I decided to write about it to create awareness and the way govt. websites sometimes don't take privacy seriously.

Major concerns

1. Open access to photos and videos at https://constitution75.com/media

Technical issues

1. Open APIs to external services.

In one of the features, they seem to use Elevenlabs for converting text to voice. This API is open and can be accessed directly.

  curl --location 'https://asia-south1-samvidhan-75.cloudfunctions.net/getAudio?=How%20are%20you' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'userText=How are you'

Some of the random findings on the website

1. Report - Event type https://asia-south1-samvidhan-75.cloudfunctions.net/getCachedResult?url=https%3A%2F%2Fasia-south1-samvidhan-75.cloudfunctions.net%2FgetReports%3Freport_type%3Devent

2. Report - Heatmap data https://asia-south1-samvidhan-75.cloudfunctions.net/getCachedResult?url=https%3A%2F%2Fasia-south1-samvidhan-75.cloudfunctions.net%2FgetHeatMapDataV2%3Freport_type%3Devent

3. Report - getDashboardDataCountV2 - https://asia-south1-samvidhan-75.cloudfunctions.net/getCachedResult?url=https%3A%2F%2Fasia-south1-samvidhan-75.cloudfunctions.net%2FgetDashboardDataCountV2%3Freport_type%3Devent

4. Report - getLandingCountV2 https://asia-south1-samvidhan-75.cloudfunctions.net/getCachedResult?url=https%3A%2F%2Fasia-south1-samvidhan-75.cloudfunctions.net%2FgetLandingCountV2%3Freport_type%3Devent

5. There is a link to this chatbot which is commented but visible in the client source https://statuesque-biscochitos-01b3d8.netlify.app/