COVID-19 Tracing: How the Kerala Media Missed the Chance to Properly Debate Privacy

Allegations of corruption took centre stage as TV anchors took up the opposition's charges on the government contract given to Sprinklr, leaving fundamental questions on privacy in the time of pandemics unasked.

Primetime television debates in Kerala often tackle progressive issues much before other regions in the country. Already in early April, the privacy of citizens’ health data and mode of engagement with private aggregators rocked the public sphere. Nowhere else in the country had this issue – privacy – moderated a government’s efforts to control the pandemic.

The trigger was the Left-front led government’s decision to engage Sprinklr – a New York-based company – for analyzing health data and contact tracing. The use of aggregated contact and mobility metrics using private firms has become an unavoidable, even central feature of the coronavirus response across the world. The opposition, however, objected to the engagement with a private firm, that too an American one, and alleged impropriety in the contract. The allegations were eagerly and uncritically absorbed by the trio of major Malayalam news channels Asianet, Mathrubhumi and Malayala Manorama.

The media frenzy culminated in petitions in the high court. For a few days, the government stood to lose the public recognition it had received, even if grudgingly, for its response to the pandemic. It was let off only after the high court accepted the government’s argument that the decision to engage Sprinklr was taken with the intention of preventing the spread of the virus and the assurance that safeguards to protect personal data are in place.

This episode exposed a troubling feature of mainstream television news channels in Kerala – an unwillingness or incapacity to handle a technically and philosophically freighted issue like data privacy, requiring specialised knowledge and patience to disentangle. Devoid of both, and inclined towards sensationalism, the lines of inquiry adopted by these channels were particularly harebrained and untenable.

In doing so, they wasted an opportunity to confront serious and nuanced questions being asked across the world: How can privacy be preserved when responding to COVID-19 involves contact tracing? How to prevent the inescapable encroachment on privacy from turning into a permanent erosion?

The “issue”

By early March, projections for the spread of COVID-19 in Kerala painted a dire situation: soon, 8 million cases could be recorded, with 0.8 million possibly requiring hospitalization, estimates suggested. Though Kerala’s robust public health and local government bodies – not to mention the unique social solidarity and strong political leadership – helped in limiting the spread, collection and processing of information was a struggle. Data on international passengers from different airlines and the Bureau of Immigration, location data for contact tracing and surveillance of patients in isolation, information from hospitals on the availability of beds and ventilators were in multiple formats. Aggregating them into actionable information manually was taking days and risked duplication of the data.

It was at this point that the decision to engage Sprinklr was taken. The state had no capacity to develop the required software, at least not with such short notice. Sprinklr was already in talks with the government to start a venture in the state. Its offer to provide its proprietary software free of cost was swiftly agreed to and the purchase concluded in a couple of days.

On April 10, the opposition parties held a press conference alleging privacy breach and corruption in the contract with Sprinklr. The targets were obvious – the popularity of the government and of chief minister Pinarayi Vijayan, who holds the electronics and information technology portfolio. Fancying an opportunity, they opted for overkill by alleging that the personal information of 8 million ration cardholders had already been transferred to Sprinklr, and that the chief minister’s daughter, an IT professional, played a key role in the ‘deal’.

Ever since the pandemic gripped the state, the usually volatile prime time shows were refreshingly sober discussions featuring doctors and public health officials and administrators informing viewers of medical aspects of the virus, latest research findings and the government’s responses. Daily briefings involving matter-of-fact answers – initially by health minister K.K. Shailaja and later by Pinarayi himself – had replaced the talk shows in popularity.

Once Sprinklr entered the public domain, the briefings turned combative. Journalists were hell-bent on extracting a response from the CM on corruption allegations, particularly those raised against his daughter. He dismissed, literally laughed off, the questions and requested the journalists to ask for or find evidence on their own. News anchors of prime-time debates – Newshour on Asianet, Super Prime Time on Mathrubhumi, and Counter-Point on Malayala Manorama – assumed an air of indignation. One could almost hear the collective sigh of relief that things had returned to normal.

Shockingly, none of these journalists or anchors ever bothered to ascertain the veracity, or at least the plausibility, of the claims against the government. Indeed, the corruption and nepotism allegations, including the transfer of ration card data, turned out to be baseless (for now) and were not included in court petitions. Only the allegations of administrative lapses in engaging Sprinklr and risks of a privacy breach were seriously pursued.

The electronics and information technology department, entrusted with answering these technical matters, published the contract documents online and gave extensive live interviews with the three main news channels. The lines of scrutiny deployed fell mostly flat. Senior journalists kept arguing that standard procedures were not followed when engaging Sprinklr, seeming or feigning ignorance of the powers granted to Central and state governments under emergencies. Their claims that the data was being gathered without consent were also proved wrong – the usual procedures for consent in online forms were followed. The lazy conjecture that Sprinklr, an American company, would store its data in the US also turned out to be false – following national localisation guidelines, data was stored in servers in India.

In short, the government asserted that its decisions were legally sound and made under “extraordinary circumstances”. Like the lockdown restrictions on assembly and mobility (both fundamental rights), the state argued, somewhat controversially, that privacy too had to be, and can be, curtailed under pandemics.

The interviewers and hyperventilating anchors had no coherent response to this position. Questions that should have been pursued, but were not, included whether the assumptions underlying the projections used to justify the decision were sound, whether the prevailing process of informed consent is adequate, whether data can be considered secure just because the servers are located in India and what is to be done with the data after the pandemic. Moreover, they simply lacked the wherewithal or interest to direct public debates towards discussions on the contours of proportionality which might have helped them raise a more robust challenge on the privacy front.

Setting limits of extraordinariness

Though even privacy advocates acknowledge the need to enable contact tracing and data analysis, usually involving private firms, for containing the pandemic, they are alert to the huge risk that once compromised, privacy might never be recovered. As a recent statement by the European Data Protection Board (EDPB) clearly notes, data protection need not be sacrificed under the shadow of a pandemic. They recommend data management systems that will not be “misused or extended far beyond their initial purpose and lifetime of the crisis” and suggest their “graceful dismantling” after the pandemic.

A consortium of epidemiologists from the Harvard School of Public Health and private firms have placed concerns around privacy at the forefront of contact tracing procedures. Private firms collecting data spike it to prevent even researchers from identifying personal information. They have created thoughtful restrictions that limit public access to aggregate-level data and not to data on the individual. Individual-level information can lead to, among other things, profiling of poorer neighbourhoods that are typically unable to maintain social distancing.

There is a real risk that these tech companies can become even more entrenched and powerful in the process. Apple, Facebook and Google are developing software ostensibly to facilitate the use of their data on customers for contact tracing. Public policies on engaging with these companies vary from rejection in the case of the UK, to partnerships in the case of Germany. Sensitive personal data collected by the Indian government is stored in Amazon’s servers. Privacy advocates are demanding legal frameworks that impose strict penalties for mishandling pandemic data.

Centralised data pooling would inevitably lead to surveillance creep – the possibility that data collected for the pandemic may be used in future for law enforcement by authoritarian governments to further violate civil liberties. It’s a misconception, often deliberately propagated, that anonymising data ensures foolproof protection – the unprotected data is still being held by someone. Lack of protocols preventing the state from requisitioning data from these firms and the use of services from shadowy firms involved in military surveillance and spyware make this concern grimmer.

To preempt a permanent erosion of privacy, experts have argued for decentralised models wherein data is stored in the individual’s devices and uploaded, with consent, when needed (for instance, only when a person is infected). No data is stored in a permanent server for later misuse. Tracing using Bluetooth technology is compatible with decentralised models and less intrusive as it only shares information on proximity between other phones, i.e. not the location data.

Both centralised and decentralised systems have their limits, however. Bluetooth systems can be hacked into through devices in the proximity, while centralised databases give more powers of surveillance to the state. The question really boils down to whether we trust each other or the state. In a society where, on the one hand, solidarities are frayed and, on the other, authoritarian states are using the pandemic to further trample on civil liberties, this dilemma is worth resolving or, at least, confronting.

In stark contrast to how debates unfolded in Kerala, politicians and firms around the world are not being allowed to get away with the argument that the “context is extraordinary”. Reputed news organisations are forcing sophisticated public debates on the adequate safeguards to limit the inescapable encroachments into privacy to what is absolutely required to respond to the pandemic. Not an inch more.

A wasted chance

An opposition’s use of dubious strategies to tarnish a government’s success can be attributed to electoral ambitions. Troublingly, mainstream news channels in Kerala were cheerfully complicit spreaders of misinformation and clung onto a formulaic sensationalism. They missed an opportunity to raise the quality of public debate on privacy to the highest levels possible.

Understanding these issues and goading the public and the governments to confront the limits of extraordinariness would require intellectual effort not just from journalists but viewers too. The Sprinklr debate erupted at a time when, against the odds, Kerala had temporarily flattened the pandemic curve. A literate and apprehensive public under lockdown might have appreciated in-depth discussions on developing a privacy framework that takes into account the local specificities of the state.

Commercial and ideological interests of for-profit media have been blamed for the deteriorating standards of television journalism. But that is not the complete picture. The unwillingness of journalists to take the effort to focus, grasp, explain and re-imagine philosophically and technically freighted issues, particularly when the easy option to fuel conspiracies and trigger political slugfests is within reach, is also to blame.

Prabhir Vishnu Poruthiyil is a faculty member at the Centre for Policy Studies, Indian Institute of Technology, Bombay.