‘If you’re not paying for it…you are the product…’, goes the old saying.
A contract for analysis of data collected from quarantined persons, at ‘zero cost during COVID-19’, has landed the Kerala government in a novel controversy. Now, the Kerala High Court has put a spoke in the wheels, directing that the data be anonymised before it is handed over to the contractor (New York-based data analytics firm Sprinklr), as well as ‘informed consent’ be taken from citizens at the time of data collection. Other directions include a prohibition on Sprinklr sharing the data with any third party, or breaching confidentiality of the data in any way.
The latter directions might well be sufficient to safeguard the privacy of the data sources (those from whom it is collected). However, the first two (anonymisation and ‘informed consent’), laudable as they are in intent, are merely a mirage from the point of privacy — and expose our lack of understanding of the true nature of data security. Again, these very same privacy concerns arise out of the Aarogya Setu app, aggressively promoted by the Union government.
Kerala signed an agreement with Sprinklr to analyse data (including personal details, co-morbidities, presence of elderly in their households, etc) collected by ASHA workers, apparently to assess the need and urgency for individual medical assistance. The State’s response to the high court sought to diminish concerns by claiming that the data was being stored in servers within India, and that the agreement contained confidentiality and privacy provisions.
Data Security Chimera
If data has earned the moniker of ‘the new oil’, it is for its immense economic value. Take the example of Facebook, a product that is free for the consumer, and yet, is also one of the most valuable companies in the world. That is because Facebook’s algorithms categorise the data, which is then sold to advertisers. Advertisers, in turn, customise their targeted ads for viewers’ beliefs.
For example, it recently emerged that social media algorithms can predict with a high level of accuracy the likelihood a person will believe fake news (let’s say, a conspiracy theory). This information, if sold to a political party, can be used to programme gullible voters’ minds against rival parties and candidates. Mind you, none of the parties involved have broken any law in this scenario — but electoral outcomes have been influenced.
Let’s take the data collected by Kerala. Information about co-morbidities is a goldmine in the hands of insurance companies, for instance. Information regarding presence of aged persons can be used to target products specially tailored to appeal to that demographic. (This is not to say that Sprinklr was planning to sell the data).
Now look at the safeguards directed by the high court: data anonymisation and informed consent — the usual go-to safeguards when it comes to privacy regulations. That, though, is just an illusion, borne from a complete ignorance of the scale and capabilities of data analytics firms, often operating illegally. Sensitive data can, when combined with other pieces of data, often be traced back to the data source with reasonable accuracy.
Or take ‘informed consent’. Does the quarantined person have the choice to not part with the data? Would that also not mean being deprived of medical attention, since hospitals will triage patients on the basis of data thrown by Sprinklr?
How informed is the consent? Is it based merely on the information that an analytics firm will be given the data (‘oh, I have no problem. All my neighbours know anyway’), or will they be also told that the intelligence thrown by the data analysis could be potentially sold to third-parties without them having a clue?
It is quite likely the parties in the Sprinklr controversy acted bona fide. However, the indiscriminate sharing and analysis of data, especially when the data source has little or no control over such sharing or usage, was simply irresponsible.
The Kerala government’s big sin, then, would be awarding a contract with such ramifications, without following any due process. Not even a pandemic justifies putting your citizens at risk, a ‘data pandemic’, as the high court called it.
Abraham C Mathews is an advocate based in Delhi. Twitter: @ebbruz. Views are personal.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
