The IT Department has responded to the allegations, stating that a server cloud in Mumbai owned by the US company was hosting the data of suspected and infected cases of COVID-19.

Explained: Allegations against Kerala govt on privacy breach of COVID-19 patients
Coronavirus Controversy Tuesday, April 14, 2020 - 16:32

Four days ago, Leader of the Opposition in the Kerala Legislative Assembly, Ramesh Chennithala, called a press conference to raise a serious allegation against the state government. He alleged that all the data collected from people under observation for or susceptible to coronavirus in the state were being sent to a United States-based company. The data, he said, was stored in a server of a foreign company and not the government’s, terming it a breach of the people’s right to privacy.

The Kerala government, which has been hailed for its way of handling the COVID-19 pandemic, initially failed to provide clear answers. However, netizens, including Information Technology experts, attributed this to cloud computing — the use of a remote network, hosted on the Internet, for different services of data storage.

It emerged that the US company was founded by tech executive Ragy Thomas, who hails from Kerala. He had worked for several years in the US prior to launching his own venture, Sprinklr, in 2009. However, the company is a social media management company that provides software for customer experience management, and makes no mention of big data.  

“Without getting into the details of the data sharing - details of what data was being proposed to be shared is not yet in the public domain - it is important to note that any kind of big data application would involve choice of a trade-off between data privacy and utility. To derive any kind of meaningful information requires collective access to data from a number of users. Kerala, as a people, have always been very cautious and doubtful of any such trade-off when there is an involvement of a private firm,” Deepak P, big data and Artificial Intelligence researcher at Queen's University, Belfast, told TNM.

Government explanation

The Principal Secretary of the Information Technology Department, M Sivasankar, who appeared in a video posted on Sprinklr’s website, released a detailed statement on Monday evening.

The statement released by the IT Department said, “A large amount of data (regarding COVID-19 cases) comes through several formats. This unstructured data should be analysed very quickly so that help can be sent immediately where it is required. Since Ragy Thomas’s company provides a brilliant tool to handle this, the government had agreed to accept the software service. Sprinklr provides the SaaS (Software as a Service) application. All the information collected for the application will be owned by the government.”

This came hours after Finance Minister Thomas Isaac published an explanation on Facebook after Chennithala questioned why a tender had not been called for. "The software provided by Sprinklr was free," Isaac said. He wrote that there was no need to call a tender when there is no money being charged for the service. Addressing Chennithala’s concerns about why the data couldn’t be analysed in the state-run C-DIT (Centre for Development of Imaging Technology) or IT Mission, the Minister said that they were not yet equipped to handle such a large volume of data. 

The data was not stored in the US, but in the company’s server in India, he said. 

There was also a non-disclosure agreement with the company, he added.

On data privacy and ownership

Srinivas Kodali, independent researcher working on data, governance and internet, questioned the government's claim that it owned the patients’ data. He told TNM, “It is wrong for the government to claim they have ownership of data. It is an individual’s data and he owns it, not the government.”

He explained that privacy needn’t be about which company handles the data, but how it is given away without people’s permission. “The issue of privacy is lack of control for people. If an individual’s data is being shared to any third party organisation without the explicit consent of the individual, that is a violation of his privacy. On the question whether it will harm the individual or not, only time will tell. But the individual has lost control of the data,” he said.

The IT Department release said that information, collected across five categories, is fed to the SaaS software for analysis. These include information about: 1) people who have come to the state from abroad, 2) those who have come to the state from other parts of the country, 3) health workers, who have to continuously interact with patients, 4) those who are most susceptible to contracting the disease, and 5) the updates of those under observation, as provided by health workers.

The press note also said that all this information was initially passed on to the sub-domain, citizencentre.sprinklr.com. Later, it changed to citizencentre.kerala.gov.in. The name change does not change the fact that the information is collected in the Amazon web server cloud in Mumbai, said the note. The SaaS application can work completely only on this server and it is not currently available in the state data centre, it added.

“C-DIT, which works under the state’s IT Department, has an Amazon web server cloud account. However, it is not equipped to handle such a large amount of data yet. Once it is upgraded to do so, all the data will be transferred to the server space of the government,” the note said.

Srinivas Kodali questioned this claim. “The argument that state-owned firms are not capable of doing it is so flawed when India is the back-end IT service provider for most IT firms. Without a personal data protection law and the government taking adverse decisions, without the individual’s permission, people should approach the court to stop this data sharing,” he said.

There is, at present, no data protection law in India. However, there is the fundamental right to privacy, Kodali pointed out.

‘May be beneficial to be more open’

However, Belfast researcher Deepak says, “Given that such big data capabilities cannot always be developed in-house within government or publicly funded institutions, it may be beneficial to be slightly more open to such trade-offs. The one thing that is avoidable is making outrageous allegations; the allegation here seems to be that pharma companies may benefit from the data. From the look of it, there is a data sharing and confidentiality agreement in place between Kerala government and Sprinklr, and that agreement would have to be breached by Sprinklr if pharma companies were to get such data. While it is easy to allege that something like it may happen to turn the anger against the government, perhaps for political gains, such possibilities seem to be very far-fetched.”

TNM has reached out and is yet to receive a response from Ragy Thomas of Sprinklr regarding the matter. This story will be updated if/when a response is received.
