Due process was not followed by Kerala’s IT Department in finalising the contract with US-based data analytics platform Sprinklr, a report by an enquiry committee set up by the state government concluded. The agreements were not negotiated or discussed “threadbare”, and the IT Department granted Sprinklr “omnibus rights” over the data. Alarmingly, the committee found significant inconsistencies in the auditing of Sprinklr’s systems, and concluded that there was very little visibility into the company’s data security practices.
The approval of Chief Minister Pinarayi Vijayan, who also holds the Information Technology portfolio, was never taken; the then Principal IT Secretary, M Sivasankar, brokered the deal with Sprinklr, the committee found.
What’s Sprinklr, and why was it used? Kerala briefly used products made by Sprinklr, a company founded by a Malayali expatriate, for COVID-19 containment on a pro-bono basis. The offer was to host the data of people placed under COVID-19 surveillance on Sprinklr’s data analytics platform, process it, and provide analysis on it. Records of 1.82 lakh people were entered into Sprinklr’s platform. However, the deal was at the heart of a privacy furore when opposition leaders in Kerala questioned the basis of the government’s deal with the company, and accused the state government of sharing the personal medical details of people under COVID-19 surveillance with a private American company. Congress’s Ramesh Chennithala had also demanded an anti-corruption enquiry into the Vijayan-led Left government.
In the wake of that controversy, the state government had formed a two-member enquiry committee to investigate any potential inconsistencies in the deal, and whether citizens’ privacy was protected properly. The committee, which included former civil aviation secretary M. Madhavan Nambiar, and former cybersecurity coordinator, Gulshan Rai, had submitted its report in October 2020. Since then, the Kerala government has formed a new three-member committee to analyse the report (more on that at the end). MediaNama obtained the report from a source close to the development.
From the beginning, the deal was directly handled by Sivasankar, who “followed an ad hoc and unstructured approach”, the report said. The committee found no evidence of permissions from competent authorities before the deal was signed. Records of the meetings discussing Sprinklr were not drawn up and were not given to the committee despite repeated requests.
Sivasankar, the committee said, did not comply with laid out procedures in executing the agreement with Sprinklr. He acted “unilaterally, without any discussions with other stakeholder arms of the State Government including the Health Department, the Law Department and did not even inform the Chief Secretary of the Government of Kerala”, the committee concluded.
It is worth noting that Sivasankar was removed from his post of Principal Secretary in July 2020 after his name was embroiled in a high profile gold-smuggling case, and on Thursday he was taken into a 14-day judicial custody.
Key information was not provided to STQC while auditing Sprinklr’s systems
The committee found that citizens’ data started being uploaded to Sprinklr’s system from March 25, initially to its AWS servers. On April 17, all that data was transferred to servers of the state government’s Centre for Digital Imaging Technology (C-DIT). However, no one from the IT Department, and no external expert, was entrusted with monitoring the data that went into Sprinklr’s platform. Nor did anyone validate the data security procedures applied while the data was being processed, the committee concluded.
The Kerala State IT Mission (KSIT) appointed an unspecified CERT-In empanelled auditor to audit the data on Sprinklr’s AWS server. Following that, STQC, an agency of the Union IT Ministry, was appointed on July 17, 2020 for another round of auditing. The STQC report made some alarming findings, including that data volumes ranging from megabytes to gigabytes were transferred to what appeared to be other AWS accounts, and that STQC could not correlate those transfers because it was not given the information needed to do so:
- STQC was provided log files from only between April 3 and April 19, even though the data collection exercise had started from March 25. The Committee said it could not get any answer as to why logs starting from March 25 were not provided to the STQC by C-DIT for auditing.
- The log files did not contain full database or transaction logs; database logging was restricted to events for which an error or warning was flagged.
- STQC had requested additional information on the application, database and network architecture. This information was never provided to STQC.
“The analysis of log reflects outbound data of the range varying few Megabytes to Gigabytes during the period to some Private IP addresses which belonged to AWS thereby indicating data transfer to some other accounts at AWS. STQC could not correlate the outbound data as the clarifications as well as the database logs and network diagram were not provided. The details of these IP’s could have been provided only by either AWS or Sprinklr Inc.” — the report found [emphasis added]
The committee said that after studying the audit report submitted by the STQC and other information, it could not draw any conclusion regarding the flow of data out of Sprinklr’s servers, and the storing and processing of data sent to Sprinklr’s systems by the field offices of the Kerala government.
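The two checks implied by STQC’s findings, as an added example that is not code from the enquiry report, STQC, C-DIT or Sprinklr: first, whether the logs handed over actually cover the period under review (here, the first upload on March 25 to the move to C-DIT on April 17); second, how many bytes of accepted outbound traffic went to RFC 1918 private addresses that the audited account cannot itself account for, which is the class of transfer STQC could not correlate. The script assumes AWS VPC Flow Logs in the default version-2 format. The log lines, account ID, interface ID, addresses, byte counts and the 10.0.0.0/16 “own” range are all constructed for illustration and are not data from the audit.

```python
"""Audit helper for two of the gaps STQC reported: log coverage and
unattributed outbound transfers.

Added example, not code from the enquiry report, STQC, C-DIT or Sprinklr.
Assumes AWS VPC Flow Logs in the default version-2 space-separated format.
Every address, account ID, interface ID and byte count below is constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# RFC 1918 only. ipaddress's is_private also matches documentation and other
# special-purpose ranges, which is not what "private IP at AWS" means here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: six records on 3-11 April 2020 plus one NODATA record on
# 19 April. Epoch seconds are UTC midnights. 10.0.0.0/16 stands in for the
# audited account's own addresses; 172.31.200.7 is an unexplained private peer.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.25 51000 443 6 40 12000 1585872000 1585872060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 172.31.200.7 49152 3306 6 8000 524288000 1585958400 1585962000 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49153 5432 6 120 64000 1586044800 1586044860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 172.31.200.7 49154 3306 6 9000 1073741824 1586390400 1586394000 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.168.50.5 10.0.1.10 49155 443 6 10 800 1586476800 1586476860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 172.31.77.9 49156 443 6 5 400 1586563200 1586563260 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1587254400 1587254460 - NODATA
"""

# Period under review: first upload (25 March) to the move to C-DIT (17 April).
WINDOW_START = datetime(2020, 3, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 4, 17, tzinfo=timezone.utc)
OWN_PREFIXES = ("10.0.0.0/16",)  # assumption: what the auditee would supply


def parse_flow_log(text):
    """Parse version-2 flow-log lines; malformed lines are dropped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def coverage_gaps(records, window_start, window_end, max_gap=timedelta(days=1)):
    """Periods inside [window_start, window_end] with no record at all.

    A gap at the head means the logs handed over begin after the period the
    audit is meant to cover, which is the 25 March / 3 April problem above.
    """
    lo, hi = window_start.timestamp(), window_end.timestamp()
    stamps = sorted({int(r["start"]) for r in records
                     if r["start"].isdigit() and lo <= int(r["start"]) <= hi})
    gaps, prev = [], lo
    for t in stamps + [hi]:
        if t - prev > max_gap.total_seconds():
            gaps.append((datetime.fromtimestamp(prev, tz=timezone.utc),
                         datetime.fromtimestamp(t, tz=timezone.utc)))
        prev = t
    return gaps


def unexplained_outbound(records, own_prefixes):
    """Bytes ACCEPTed from own addresses to RFC 1918 peers outside own_prefixes.

    These are the flows an auditor cannot attribute without the account
    owner's network diagram or an AWS/Sprinklr lookup of the peer addresses.
    """
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    totals = defaultdict(int)
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue  # NODATA/SKIPDATA rows carry no addresses; rejects moved nothing
        src = ipaddress.ip_address(r["srcaddr"])
        dst = ipaddress.ip_address(r["dstaddr"])
        if not any(src in n for n in own):
            continue  # inbound or third-party flow, not our outbound traffic
        if any(dst in n for n in RFC1918) and not any(dst in n for n in own):
            totals[str(dst)] += int(r["bytes"])
    return dict(totals)


def audit(text=SAMPLE_LOG, window_start=WINDOW_START, window_end=WINDOW_END,
          own_prefixes=OWN_PREFIXES):
    """Run both checks; ISO-8601 strings so the result is easy to report."""
    records = parse_flow_log(text)
    return {
        "records": len(records),
        "coverage_gaps": [(a.isoformat(), b.isoformat())
                          for a, b in coverage_gaps(records, window_start, window_end)],
        "unexplained_outbound_bytes": unexplained_outbound(records, own_prefixes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

On the constructed sample the head gap runs from March 25 to April 3, which is the coverage shortfall STQC reported, and roughly 1.5 GB of accepted traffic is attributed to one private peer the supplied prefixes do not explain. The second check is only as good as the `own_prefixes` list the auditee provides, which is exactly why STQC needed the network diagram it never received.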
No clarity whether people’s data was ever anonymised: The committee said that it did not get any answer on whether the data handed over to Sprinklr was anonymised, as a directive by the state government had mandated. It said that no evidence was brought before it for the committee to verify the security measures put in place by Sprinklr.
“The Committee, therefore, is unable to comment on the Privacy, Confidentiality and Security of the data on the basis of the information provided by CDIT,” the report said.
Deal gave Sprinklr greater control over people’s data: Under the terms of agreement signed between Kerala and Sprinklr, the company got greater control over data that was being fed into the system. As per the agreement, the Kerala government allowed Sprinklr to copy, cache, store, reproduce, perform, display, use, distribute, and transmit all the data that was being added to the platform. It also allowed Sprinklr to access any connected data from accounts to offer its services.
Gaps in claims made by officials in-charge of the Sprinklr deal
As part of its investigation, the committee interacted with several key stakeholders that were involved in finalising the deal with Sprinklr. From these interactions, the committee learnt that an “informal discussion group” was formed within the state’s IT Department as an “IT Support Team” which met regularly to strengthen Kerala’s response to the COVID-19 pandemic.
- No structured minutes of meetings recorded: Sivasankar told the committee that this “IT Support Team” was in fact part of a larger group that was steering all aspects of the pandemic response in Kerala, and used to meet every day after 5 PM. This larger group had representation from the state’s Health Department, he claimed. However, no structured minutes of these meetings were ever prepared or recorded, the committee found. The interactions produced somewhat varied versions of the discussions, deliberations and each person’s role in the IT Support Group, it added.
Sivasankar also admitted to the committee that there were constraints in expertise in the area of cybersecurity.
- Confusion over roles and responsibilities: Two members of the IT Support Team, the Director of the Indian Institute of Information Technology and Management, Kerala, and Jayasankar Prasad, managing director of Kerala State IT Infrastructure Ltd, also examined the techno-legal aspects of Sprinklr’s proposal. IIITM-K’s director told the committee that he was under the impression that the log analysis of transactions on Sprinklr’s platform would be processed by C-DIT to ensure the privacy and security of that data. He, however, expressed general “ignorance” of the legal and contractual issues of the agreement as well as of subsequent involvement in the project, the committee said.
- Prasad, on the other hand, insisted that adequate provisions were built into the agreement signed with Sprinklr to ensure the privacy and confidentiality of the data stored and processed on Sprinklr’s platform. He, however, could not comment on the verification process or the mechanisms implemented by Sprinklr.
“A Technical assessment of the solution by a team of Technical Experts was essential. None of the persons involved in this exercise had the necessary technical expertise in dealing with the subject…It is clear that there was no team in the IT Department with appropriate knowledge and understanding of to assess Sprinklr’s deal from a techno-legal viewpoint.” — The enquiry committee (emphasis added)
Crucial institutions such as health, law departments were never formally consulted
As per the rules of business, since COVID-19 is a health issue, data management should have been initiated and managed by the Health Department, as was done earlier during the Nipah crisis, the committee noted. However, the state’s Health Secretary, Dr. Rajan N. Khobragade, confirmed to the committee that there was no formal consultation with the Health Department before the deal with Sprinklr was signed. The Health Secretary also told the committee that he had clearly recorded on the file from the IT Department that this was under the purview of the Health Department, and that the IT Department should only “play the role of a facilitator”.
In fact, the Health Secretary also mentioned to the committee that his department had developed a similar kind of monitoring system which was used effectively during the Nipah Virus outbreak in the state. It isn’t clear whether this system was ever considered.
The committee said that before signing the deal with Sprinklr, the IT Department should have consulted the Law Secretary since data privacy issues can have legal implications for the state. The committee found no evidence on record that suggests that the Law Department was ever formally consulted.
The agreement with Sprinklr was ‘not in Kerala’s interests’
The enquiry committee noted that all the agreements with Sprinklr were in Sprinklr’s standard format, and no clause was tailored to the deal with the Kerala government. The terms of the agreement did not appear to have been properly discussed or negotiated, the committee concluded.
Jurisdiction would have been a problem: One key aspect of the agreement the committee specifically pointed out was that it fell under the jurisdiction of a US court. “By agreeing to the jurisdiction of the US Court, the Kerala Government would not practically, have been able to take any action against Sprinklr Inc. for any infringement and violation in Privacy and Data security of data of Citizens of the State,” the committee said. It added that this was “clearly not in the interest of the State of Kerala”.
Domain specific projects must be left to concerned departments: Recommendations
Some of the recommendations made by the committee:
- Need to analyse proposals better: The C-DIT and the state IT Department must equip themselves to carefully analyse proposals received from companies like Sprinklr. Had adequate care been used by the IT Department, Sprinklr would have delivered better services to the Kerala government, the committee said.
- Let relevant departments handle operations: These kind of projects are generally of specialised nature and require domain expertise. Therefore, domain specific projects including digital platforms should be necessarily implemented by the concerned department rather than IT/C-DIT. The latter may only assist the concerned departments in implementation.
- Adequate training: The staff of the IT Department and particularly C-DIT must be trained in understanding, selecting, developing, and handling of emerging technologies, digital platforms, and cybersecurity.
- Regular security audits: C-DIT must empanel cyber security auditing companies for the audit of ICT systems of the Kerala government on a regular basis.
Kerala govt sets up new committee to analyse report by the two-member expert committee
In November, the Kerala government formed a new three-member committee to study the report prepared by the Nambiar-Rai committee. The government argued that a detailed examination by experts in the legal, administrative and information technology domains was required on many aspects of the report on which the previous committee “has not offered its comments”.
The new committee’s mandate: This three-member committee is headed by K Sasidharan Nair, former District Judge and former secretary of the Law Department, and includes as experts Dr. A. Vinaya Babu, retired professor of computer science and engineering, JNTUH College of Engineering, Hyderabad, and Dr. Umesh Divakaran, professor of computer science and technology, College of Engineering, Thiruvananthapuram. The mandate of this committee is to find:
- Whether the procedures laid down in the rules of business of the Kerala government were followed while signing the deal with Sprinklr, and whether there were any unjustifiable lapses while striking that deal
- The measures taken to ensure data security at various periods of the partnership
- The procedures that might not have been followed while signing the deal
- Analyse the report submitted by the previous two-member Committee headed by Nambiar, and suggest guidelines to be followed in future.
- Explicit consent, anonymisation of personal data collected for COVID-related activities must: Kerala govt
- State government must anonymise COVID-19 data from Sprinklr, Kerala HC rules
- Kerala govt shares COVID-19 personal heath data with American company, row erupts: Reports
*Update at 12:10 PM on Feb 2, 2021: We had misidentified the Director of IIITM-K, and have removed the incorrect references in the paragraph titled ‘Confusion over roles and responsibilities’. Error is deeply regretted. Story was originally published at 03:10 PM on Jan 29, 2021.