Data breach row haunts Kerala CM amid battle against COVID-19
If the COVID-19 epidemic raging through Kerala wasn’t enough trouble for Chief Minister Pinarayi Vijayan, a controversy has ignited criticism of his hiring a US firm to analyse data about the viral infection. Already, there have been reports of data breach.
For nearly two weeks, Vijayan has been attacked relentlessly by politicians and the media for bypassing government norms to rope in Sprinklr, a US firm with ties to a Bengaluru software company owned by his daughter.
Three petitions have been filed before the Kerala High Court over the contract to collect the data of suspected and positive COVID-19 patients. The court has asked the state to anonymise the data on patients and ordered Sprinklr from committing any breach of confidentiality, advertising the project or using the government’s emblem. It also asked the government to get the consent of citizens before collecting data about them.
Yet, the chief minister sees the court verdict as a victory for his stand. As the court had not cancelled the agreement, he called it a rebuttal of all the allegations.
Possible holes in contract
But just when Vijyan thought his woes were over, the central government stepped in and asked Kerala why it inked a deal with Sprinklr in the first place. The American company offered its services for free, which by itself should have rung alarm bells as there is no such thing as a free lunch.
The contract does not safeguard the rights to compensation as provided for by the IT Act. But the Kerala government says that the data is secure and the rights of patients are protected. Any dispute with the company can be heard only by American courts, but the lawyer for the state disputes that argument. The Centre has said that many Indian firms, including the government-owned National Informatics Centre, are capable of analysing the data. But Vijayan has insisted that given the urgency of tackling the epidemic, it found that only this firm could process big data.
Related news: Kerala deploys robots to serve meals, medicines to COVID-19 patients
The government says that it is necessary to balance the public’s right to life and health and the right to privacy. “No choice can be given to individuals in such exigencies when society’s right to health is at state,” the government told the court.
The court rejected the government’s argument that the data was not sensitive. A bench of justices Devan Ramachandran and TR Ravi said, “We do not want you to upload data unless you can tell us that data s confidential from Sprinklr also. Cannot accept the submission that the data collected is not sensitive. If Kerala government thinks the information is not sensitive, something is amiss.”
Opposition up in arms, allies unhappy
The deal with Sprinklr has not gone down well even with the communist coalition partner, the Communist Party of India (CPI), saying data breach is a serious matter. But the chief minister sent the IT chief to placate the CPI leaders and made peace with them. The Congress and the BJP, however, are unrelenting in their criticism.
Balu Gopalakrishnan, a Kerala-based lawyer, who was one of the petitioners—the others were the Congress and the BJP—said that sensitive medical information about 1.5 lakh infected patients have been given to Sprinklr, which already faces some cases of data theft in the US.
Reports of data breach
Already, reports of data breach have surfaced in Kasargod and Kannur districts. Patients who recovered in these districts have said they received calls from unknown numbers asking for details such as their passport number. Some of the calls have since been traced to a Bengaluru-based private company involved in data collection, according to PS Sabu, the superintendent of police of Kasargod district, in the north.
In the southern district of Kannur, a Google Maps link prepared by the cyber cell with the number and address of 54 COVID-19 patients and 9,000 of their contacts that was prepare to track down people is now out in the open. Calling it a “serious breach” district collector TV Subash, has said that police should have ensured data security while preparing the link.
CM in denial of mess?
Chief minister Vijayan, however, has ordered an inquiry into the data breach, suggesting that it was “not a severe breach” and that initial reports indicate that some people had canvassed the recovered people for further treatment.
Opposition parties have demanded a probe by the CBI into both the Sprinklr deal and the latest data breach.
At this juncture, the best way out for Vijayan would have been to say that he messed up under pressure during the pandemic and would set right things. Instead, he has gone on the offensive and rubbished the allegations, asking political parties and the media to bring evidence of wrongdoing by him.
He could have at least yielded to the opposition demand for a probe by the CBI. Instead, he set up a committee of two retired IAS officials with expertise in the IT field. Critics point out that it is not going to be difficult to get a favourable opinion out of them. No one is also buying the explanation of the state IT secretary M Sivsankar who has claimed the sole responsibility of inking the deal without consulting the chief minister and bypassing the law department.
Related news: Kerala starts special initiatives for the elderly during COVID-19 crisis
More serious is the revelation that Sprinklr has a tie-up with drug manufacturer Pfizer, which is working on COVID-19 vaccines. Pfizer, however, denied it is going to use any of the information collected by Sprinklr. Congress leader PT Thomas said Sprinklr has links with Exalogic Solutions Ltd., which is owned by the chief minister’s daughter, T Veena. Exalogic has suspended its website ever since the controversy broke out. The chief minister merely said that he has no time to answer such “loose charges”. His reply to most charges is that those who make the allegations should also bring the evidence.
(The writer has reported on national and international events for four decades)