Kerala Govt's Tie-Up With IT Startup For Covid-19 Management Raises Privacy Concerns

Over the past week, the Kerala government has had to put out fires caused by Sprinklr. The cloud-based app “donated” to the state from March to September to augment its COVID-19 response helps with the collation and analysis of select data pertaining to pandemic management, including sensitive medical information on those at risk and under surveillance. But its terms of use, opposition parties contend, leaves the state vulnerable to leaks. Even as the LDF government claimed transparency by releasing a tranche of documents related to the Sprinklr collaboration, the Opposition has attempted to corner it by alleging a “huge data scam” to the tune of Rs 700 crore.  

M. Sivasankar, the principal secretary of the IT department and CM Pinarayi Vijayan’s private secretary, says, “I exercised my discretionary powers to enter into an agreement after examining it in minutiae. Among the various stakeholders, there was a consensus that a robust technology platform was the need of the hour. It was my decision to choose Sprinklr and I will rectify any error that is a result of my decision.” He adds that the law department’s permission was not required for the purchase order. Sivasankar did not disclose whether the CM, who also holds the IT portfolio, was aware of the details of the deal. Opposition parties, however, claim he possessed no such discretionary power. They allege that he is being made a ‘fall guy’ to shield the government, and the CM in particular, from further criticism.

On April 10, leader of Opposition Ramesh Chennithala raised concerns over privacy and ownership of data collected by healthcare workers from about 1.75 lakh people. He has since ramped up the rhetoric, going so far as calling Vijayan the “prime accused” in the case. On April 16, BJP state president K. Surendran met governor Arif Mohammad Khan to seek his intervention in the row. Speaking to reporters later, he termed the deal a “Rs 500-crore scam”. Chennithala’s valuation differed slightly. Although he first pegged it at Rs 200 crore, he now claims the firm—which, he alleges, is ‘blacklisted’ in the US due to an ongoing data theft court case—could sell the information stored on its Mumbai servers to pharmaceutical companies for anywhere between Rs 10,000 and Rs 75,000 a person.

A senior IT professor from a reputed tech institution in the state says, “Neither has been especially successful in convincing the public. The layperson is likely to believe that the Opposition, in targeting the Malayalee-led unicorn (Sprinklr, valued at $1.8 billion in 2016, was founded by Ragy Thomas, a native of Alleppey), is simply making political hay out of something imaginary.”

Vijayan, for his part, has been weathering a barrage of queries at his daily press briefs on the COVID-19 crisis. His decision on April 16 to hold the briefings every other day—ostensibly a result of the improving situation in the state—has the Opposition smelling blood.

Regardless, the government stands by the IT department’s initial press note released on April 13, which states, “The huge amount of data being inputted on COVID-19 cases is unstructured and comes in a variety of formats. It needs to be analysed on the fly to ensure help is dispatched right away to where it is most required. Since Sprinklr offers an excellent SaaS (software as a service) application to handle this, the government had agreed to accept the software service. The government owns all the information collected through the application.”

As to the type of data being fed into the software, the note states that the details of overseas arrivals to Kerala; domestic tourists and arrivals from other states; health workers interacting with patients and suspected cases; and those most susceptible to contracting the disease are being collected. Health workers were also entering updates about those under observation. The statement added that while all this information was initially passed on to the sub-domain, citizencentre.sprinklr.com, this later changed to citizencentre.kerala.gov.in.

In response to the Opposition’s queries as to why the department-run Centre for Development of Imaging Technology (C-DIT) servers were not used, the statement notes, “While C-DIT has an Amazon web server cloud account, it is not equipped to handle such a large volume of data yet. Once it is upgraded, all the data will be transferred from Sprinklr’s Amazon web server cloud in Mumbai. Currently, the SaaS app can work completely only on this server.”

Besides the press release, the Kerala government has made public the order and purchase form, Sprinklr’s master services agreement, a non-disclosure agreement, Sprinklr’s service level agreement, its privacy policy and two versions of a letter of affirmation sent via email from Sprinklr’s general counsel Dan Haley to Sivasankar. The media has picked apart these letters— the “revised” letter (dated April 12) is reportedly less assertive and more accessible in terms of legalese, language and tone than the letter dated April 11.

The revised letter also notes, “Kerala at all times retains all rights to and responsibility for customer data uploaded to or accessed by the Sprinklr platform. This means that any and all data used for provision of the Sprinklr platform that is obtained by Sprinklr, including all citizen data accessed or obtained by Sprinklr from Kerala or directly from citizens, belongs to the government and/or citizens. Upon termination of Kerala’s use of the platform, or at any time upon Kerala’s request, all customer data will be removed from the platform and retained by Kerala. Nothing in this relationship gives Sprinklr any rights to such data, other than to provide the platform as agreed with and instructed by Kerala.”

A COO of a Kerala firm that works with healthcare tech says, “From a cursory reading, the terms of the agreement appear to be general clauses applicable to any SaaS-related activity requiring a degree of trade-off between user privacy and product viability and operability. How it will be enforced (the non-disclosure agreement states that any dispute would fall under the purview of a Manhattan court) is another matter. The language used is not exactly watertight. This is important because while issues of data ownership and privacy are enshrined in stringent laws overseas, the inside joke in tech circles here is that anything goes ‘kyunki SaaS bhi kabhi BAU (business as usual) thi’.”

In the absence of dedicated data protection legislation—a joint parliamentary committee is still analysing the Personal Data Protection Bill 2019—it remains to be seen how a PIL filed before the Kerala HC on April 17 seeking a probe and forensic audit by the Union ministry of electronics and information technology (MeITY) into the Sprinklr deal and collected data of COVID-19 patients will pan out. Among other concerns, the petition echoes the Opposition’s charge that the Kerala government did not seek permission of patients as to who can access their data. Slated to come up for a court hearing, it is expected to further add to the wider dialogue on individual privacy vis-a-vis public interest—besides the raging global debate on surveillance regimes—rekindled by the Union government’s 50-million-user-strong Aarogya Setu contact tracing app.

Among those closely following the PIL is Prem Kamath, a Kochi-based cyber-law consultant. Speaking to Outlook ahead of the PIL filing, Kamath said there existed sufficient grounds for an RTI query and PIL to be brought forward. “This is a transition period of data protection laws here. We have some checks and balances with the Information Technology Act, 2000, specifically section 43(a) that refers categorically to cases where there is failure to protect data. In addition, there are the MeITY’s Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, that classify the types of sensitive personal data to rely on,” explains Kamath. “In any potential court proceedings in this case, the Indian Contract Act (1872) would be in play since there is an agreement between the two parties, but the IT Act and Rules would play crucial parts.”

“Many high-profile lapses in data protection in recent years, such as the UIDAI leak, have dented the average citizen’s confidence in data collection authorities” says Kamath. “Data is volatile. It is the goldmine of the digital age. If citizens’ data isn’t safe with the government, who is it safe with?”

By Siddharth Premkumar in Thiruvananthapuram