Go Ad-Free
    My Alerts
    Moneycontrol
    Moneycontrol PRO
    HomeNewsOpinionCOVID-19 | How the State must deal with citizen’s personal data

    COVID-19 | How the State must deal with citizen’s personal data

    The same privacy concerns in the Kerala government’s Sprinklr deal exist with the Union government’s Aarogya Setu app too. Anonymising data or even obtaining ‘informed consent’ hardly addresses these

    Abraham C Mathews
    May 10, 2020 / 12:19 IST

    ‘If you’re not paying for it…you are the product…’, goes the old saying.

    A contract for analysis of data collected from quarantined persons, at ‘zero cost during COVID-19’, has landed the Kerala government in a novel controversy. Now, the Kerala High Court has put a spoke in the wheels, directing that the data be anonymised before it is handed over to the contractor (New York-based data analytics firm Sprinklr), as well as ‘informed consent’ be taken from citizens at the time of data collection. Other directions include a prohibition on Sprinklr sharing the data with any third party, or breaching confidentiality of the data in any way.

    The latter directions might well be sufficient to safeguard the privacy of the data sources (those from whom it is collected). However, the first two (anonymisation and ‘informed consent’), laudable as they are in intent, are merely a mirage from the point of privacy — and expose our lack of understanding of the true nature of data security. Again, these very same privacy concerns arise out of the Aarogya Setu app, aggressively promoted by the Union government.

    Kerala signed an agreement with Sprinklr to analyse data (including personal details, co-morbidities, presence of elderly in their households, etc) collected by ASHA workers, apparently to assess the need and urgency for individual medical assistance. The State’s response to the high court sought to diminish concerns by claiming that the data was being stored in servers within India, and that the agreement contained confidentiality and privacy provisions.

    Data Security Chimera

    COVID-19 Vaccine

    Frequently Asked Questions

    View more
    How does a vaccine work?

    A vaccine works by mimicking a natural infection. A vaccine not only induces immune response to protect people from any future COVID-19 infection, but also helps quickly build herd immunity to put an end to the pandemic. Herd immunity occurs when a sufficient percentage of a population becomes immune to a disease, making the spread of disease from person to person unlikely. The good news is that SARS-CoV-2 virus has been fairly stable, which increases the viability of a vaccine.

    How many types of vaccines are there?

    There are broadly four types of vaccine — one, a vaccine based on the whole virus (this could be either inactivated, or an attenuated [weakened] virus vaccine); two, a non-replicating viral vector vaccine that uses a benign virus as vector that carries the antigen of SARS-CoV; three, nucleic-acid vaccines that have genetic material like DNA and RNA of antigens like spike protein given to a person, helping human cells decode genetic material and produce the vaccine; and four, protein subunit vaccine wherein the recombinant proteins of SARS-COV-2 along with an adjuvant (booster) is given as a vaccine.

    What does it take to develop a vaccine of this kind?

    Vaccine development is a long, complex process. Unlike drugs that are given to people with a diseased, vaccines are given to healthy people and also vulnerable sections such as children, pregnant women and the elderly. So rigorous tests are compulsory. History says that the fastest time it took to develop a vaccine is five years, but it usually takes double or sometimes triple that time.

    View more
    Show

    If data has earned the moniker of ‘the new oil’, it is for its immense economic value. Take the example of Facebook, a product that is free for the consumer, and yet, is also one of the most valuable companies in the world. That is because Facebook’s algorithms categorise the data, which is then sold to advertisers. Advertisers, in turn, customise their targeted ads for viewers’ beliefs.

    For example, it recently emerged that social media algorithms can predict with a high level of accuracy the likelihood a person will believe fake news (let’s say, a conspiracy theory). This information, if sold to a political party, can be used to programme gullible voters’ minds against rival parties and candidates. Mind you, none of the parties involved have broken any law in this scenario — but electoral outcomes have been influenced.

    Let’s take the data collected by Kerala. Information about co-morbidities is a goldmine in the hands of insurance companies, for instance. Information regarding presence of aged persons can be used to target products specially tailored to appeal to that demographic. (This is not to say that Sprinklr was planning to sell the data).

    Now look at the safeguards directed by the high court: data anonymisation and informed consent — the usual go-to safeguards when it comes to privacy regulations. That, though, is just an illusion, borne from a complete ignorance of the scale and capabilities of data analytics firms, often operating illegally. Sensitive data can, when combined with other pieces of data, often be traced back to the data source with reasonable accuracy.

    Or take ‘informed consent’. Does the quarantined person have the choice to not part with the data? Would that also not mean being deprived of medical attention, since hospitals will triage patients on the basis of data thrown by Sprinklr?

    How informed is the consent? Is it based merely on the information that an analytics firm will be given the data (‘oh, I have no problem. All my neighbours know anyway’), or will they be also told that the intelligence thrown by the data analysis could be potentially sold to third-parties without them having a clue?

    It is quite likely the parties in the Sprinklr controversy acted bona fide. However, the indiscriminate sharing and analysis of data, especially when the data source has little or no control over such sharing or usage, was simply irresponsible.

    The Kerala government’s big sin, then, would be awarding a contract with such ramifications, without following any due process. Not even a pandemic justifies putting your citizens at risk, a ‘data pandemic’, as the high court called it.

    Abraham C Mathews is an advocate based in Delhi. Twitter: @ebbruz. Views are personal.

    Invite your friends and family to sign up for MC Tech 3, our daily newsletter that breaks down the biggest tech and startup stories of the day

    Abraham C Mathews
    first published: Apr 27, 2020 10:46 am

    Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!

    Subscribe to Tech Newsletters

    • On Saturdays

      Find the best of Al News in one place, specially curated for you every weekend.

    • Daily-Weekdays

      Stay on top of the latest tech trends and biggest startup news.

    Advisory Alert: It has come to our attention that certain individuals are representing themselves as affiliates of Moneycontrol and soliciting funds on the false promise of assured returns on their investments. We wish to reiterate that Moneycontrol does not solicit funds from investors and neither does it promise any assured returns. In case you are approached by anyone making such claims, please write to us at grievanceofficer@nw18.com or call on 02268882347