TraceTogether, SafeEntry, and the Erosion of Public Trust

On 4 January 2021, Member of Parliament Christopher de Souza (correction: an earlier version of this post named Mr Gerald Giam here. Mr Gerald Giam asked the follow-up question, but Mr Christopher de Souza asked the initial question. Thanks Shih Tung Ngiam for pointing it out) enquired whether the Singapore Police Force (SPF) had access to the TraceTogether data. Minister of State for Home Affairs Desmond Tan responded that under the Criminal Procedure Code (CPC), they could. This led to a large public outcry, as it was seen as a contradiction of earlier statements from Ministers Vivian Balakrishnan, Lawrence Wong, and Teo Chee Hean that TraceTogether data would only be used for contact tracing purposes and nothing more.

The issue of privacy in contact tracing systems such as TraceTogether and SafeEntry has been weighing on my mind since they were first introduced. I had intended to write this post back in December, but like with many things in 2020, life got in the way. When TraceTogether-only-SafeEntry became a thing, I dropped GovTech an email on 21 October 2020.

After two weeks of back-and-forth, GovTech confirmed on 9 November 2020 in an email reply that the SPF is “empowered by the Criminal Procedure Code” to use TraceTogether data for investigations. Despite GovTech saying they “will look into the privacy statements that are displayed to better reflect the use of data, as necessary” in an email reply on 13 November 2020, they only did so on 4 January 2021 after the matter came up in Parliament.

This has been an area of public discussion over the past few days. However, my take is that many are barking up the wrong tree. There is more to this than meets the eye. Many assume that TraceTogether and SafeEntry are parts of the same application when they are, in fact, two separate systems governed by different sets of policies. While TraceTogether’s Privacy Statement is currently taking the heat, SafeEntry has its own Privacy Statement and a way of working that is arguably different.

TraceTogether versus SafeEntry

According to the Government, TraceTogether captures the “Who” while SafeEntry captures the “Where” in the contact tracing process.

I want to point out that TraceTogether is pretty solid. BlueTrace – the open source protocol behind it – is audited by the security community and the idea is sound. The uproar that the SPF is able to seize this data and use it for investigations is interesting because honestly, TraceTogether is not as intrusive as people make it out to be.

Which is another problem: the Government has spent considerable effort establishing a narrative that TraceTogether has all the privacy-preserving bells and whistles. This is echoed by companies like Cathay Cineplexes and is a constant talking point in GovSG’s marketing. It is true. TraceTogether does not have the ability to track your live location, it does not have a GPS inside it, and its data is anonymous (correction: whoops, accidentally put this in. The data is anonymous to peers, but not to GovTech which can then look up the ID. Thanks @karlieeuh for pointing this out), offline, and requires a) your knowledge, b) your consent, and c) Ministry of Health (MOH)’s keys to use.
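As an added example (not code from this post or from the TraceTogether/BlueTrace project), the following Python models the distinction in the correction above: peers only ever see rotating TempIDs issued in advance by the key holder, the encounter log stays on the phone until the user consents to an upload, and only the authority holding the key can map a TempID back to a person. HMAC-SHA256 stands in for BlueTrace’s encrypted TempID, and the names, phone numbers and registry are constructed.

```python
import hashlib
import hmac
import secrets

# Added illustration (not the project's code): a TempID is opaque to the peer
# phone that logs it, but the key holder (MOH / GovTech in the text) can map it
# back to a registered user. Simplification: HMAC-SHA256 over (user_id, epoch)
# stands in for BlueTrace's encrypted TempID, so resolution is a keyed lookup
# over the registry instead of a decryption. All identities are constructed.

class HealthAuthority:
    """Holds the secret key and the user registry (constructed, in-memory)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._registry = {}  # user_id -> phone number

    def register(self, user_id, phone):
        self._registry[user_id] = phone

    def _temp_id(self, user_id, epoch):
        msg = f"{user_id}|{epoch}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def issue_batch(self, user_id, first_epoch, count):
        """Forward-dated TempIDs, so the phone needs no network afterwards."""
        return [(e, self._temp_id(user_id, e)) for e in range(first_epoch, first_epoch + count)]

    def resolve(self, temp_id, epoch):
        """Only the key holder can do this; None for IDs it did not issue."""
        for uid, phone in self._registry.items():
            if hmac.compare_digest(self._temp_id(uid, epoch), temp_id):
                return phone
        return None


class Phone:
    """Keeps its TempIDs and encounter log locally; uploads only with consent."""
    def __init__(self, batch):
        self._ids = dict(batch)  # epoch -> TempID, from issue_batch
        self.encounters = []  # (epoch, peer_temp_id, rssi); never leaves on its own

    def advertise(self, epoch):
        return self._ids[epoch]

    def log_encounter(self, epoch, peer_temp_id, rssi):
        self.encounters.append((epoch, peer_temp_id, rssi))

    def upload(self, consent):
        if not consent:
            raise PermissionError("encounter log stays on the phone without consent")
        return list(self.encounters)
```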

This is not true for SafeEntry, which has remarkably flown under the radar for the most part. SafeEntry stores your data on a Government server, not on your device. It violates the above promises and even has its own Privacy Statement which states “we may share necessary data with other Government agencies, so as to serve you in the most efficient and effective way unless such sharing is prohibited by law” – though no further elaboration is given. For the Government to constantly focus on TraceTogether, then add SafeEntry in as TraceTogether-only-SafeEntry without changing the messaging, is another glaring privacy concern. GovTech seeks to pretend that TraceTogether and SafeEntry are not the same system, but we are getting to a stage where we cannot have SafeEntry without TraceTogether.

To clarify, the scanning of the QR code at the back of the TraceTogether token also performs the same action as a SafeEntry check-in.

Public Trust in the Government

We’re in a time where public trust in the Government is paramount. Looking at the United States – where allegedly 39% of Americans (according to *ugh* Senator Ted Cruz) did not trust the 2020 Elections – we have seen appalling rifts in public cohesion over the past few months, culminating in the attack on the Capitol. While these grim events are unlikely to ever happen on Singaporean shores, public trust in the government remains crucial as we need the cooperation of the people in the next stage of fighting this pandemic: vaccinations.

The perceived flip-flop of policies in TraceTogether makes the Government look less legitimate and honest. If Singaporeans feel that the Government is out to deceive or mislead, there is less trust in future messaging surrounding vaccines. According to a poll by the Ministry of Communication and Information (MCI)’s “appointed third-party research company” HappyDot.sg, 33% of Singaporeans are not confident in the vaccine. Since the vaccine is not compulsory, combining the number of people who do not trust the vaccine with those who are advised against taking it (immuno-compromised, pregnant women, children, etc.), meeting the level required to achieve herd immunity may prove arduous.

Additionally, there are users who have decided to uninstall and deregister from TraceTogether because of the outcry surrounding the sharing of data with SPF. This will hurt contact tracing efforts at a time when cooperation is needed.

Usefulness in Law Enforcement

I have a very good impression of our SPF. The few times I have reported a crime or worked with them, SPF attended to the cases expediently and professionally. YMMV. My opinion is that the SPF does not require this data. Criminals have ways to circumvent TraceTogether and SafeEntry, just as the SPF has better ways to track criminals. I have full faith that they will be able to use far better means to do their job as they have always done. To say that the SPF needs or requires this data would be an insult to the capabilities of our Home Team.

TraceTogether Rollout

The rollout of the TraceTogether tokens has been riddled with flaws. Granted, this is an unprecedented time, but it is curious how the demand for the tokens was so grossly underestimated. The app has had its fair share of complaints too. I recall going to my EC House barber on the first day they required TraceTogether-only-SafeEntry, and the poor lady recounted to me how so many customers had berated her. Additionally, I have family members whose app hangs or crashes after scanning a QR code. Both the tokens and the app feel rushed out and unrefined; that, along with unclear messaging on whether those under 7 years old or those in school need the token, makes me wonder if we are indeed ready to move to TraceTogether-only-SafeEntry.

Cybersecurity Concerns

Another point people keep bringing up is the cybersecurity aspect of TraceTogether (and SafeEntry). TraceTogether, as previously mentioned, is sound. It would take an enormous effort for a bad actor (Government or otherwise) to use the data in an unintended way, because the data is local to the person. Even if MOH’s keys were compromised and a bad actor formed some meshed network of devices for an attack, I do not envision any useful outcome that could not have been achieved in a much easier (and cheaper) fashion.

SafeEntry, on the other hand, is an additional vector that can be attacked. The data is no longer decentralized and lies in the hands of the Government. While I am sure there are safeguards to prevent external attackers, this opens the possibility of attack (however unlikely; see the 2018 SingHealth data breach) and allows the Government to easily access the data without a person’s knowledge.

I also want to note that I reported a vulnerability on SafeEntry’s Application Programming Interface (API) on 27 May 2020 which has since been fixed. It was in the category of “Violation of Secure Design Principles”, classified by GovTech to be of Medium-level severity.

Panoptic View

It is sad to see so many people using the “if you’ve done nothing wrong, you have nothing to fear” rhetoric. The Singapore Government does have some reputation as a “fine” city with trigger-happy (and somewhat archaic) laws. For those whose immediate response was the above statement, the slow and “welcome” erosion of liberties is alarming. Stories like 1984 are not just stories – they are warnings. In a surveillance state, fear is the main motivator for citizens to behave. But if we constantly live in fear of ‘Big Brother’, are we truly living?

Alternative Technologies

Technology should complement, not hinder. Enable, not oppress. It is strange that GovTech opted for the current SafeEntry implementation, which is extremely intrusive, in place of the Gateway that they seem to be rolling out. If my understanding of the Gateway is correct, it uses Bluetooth beaconing to achieve the same effect as checking in, but the data will be stored locally. By building on the TraceTogether implementation of anonymous IDs and local storage, this should be more privacy-preserving than the current SafeEntry implementation. It also has the benefit of being far more convenient.

A caveat is that there have not been any public audits of said protocol (or even of SafeEntry). It is unclear if the check-in data is stored locally at the terminals too, and only accessed in the event of a confirmed case.

That said, given the low rate of infection in Singapore, I wonder if the “Where” in the contact tracing process is important at all, given that it is bound to turn up in interviews, and that the “Who” is probably far more important.

Conclusion

As I was writing this, it was announced that a law will be passed to ensure that contact tracing data may be used outside its intended purpose only for serious offences across seven categories. This is a step in the right direction, although my hope was that we would follow Australia and restrict the SPF from using the data at all. In all cases, contact tracing data is not really 100% anonymous and will probably always allow some degree of tracking should the Government really want it (outside of its intended use).

Having the option to access this data is not worth the cost of eroding public trust, especially at a time when cooperation and coordination are required to overcome this public health crisis.

The best solution would be one that is convenient to use – helping us return to some sense of normalcy. It should also not be seen as intrusive. Thus, the rollout of the Gateways should be prioritized to remove the need for the existing SafeEntry implementation completely.

I hope further discussions on the upcoming law will alleviate these concerns and restore public trust.
Bonus Content: Requesting Deletion of Identification Data

As reported by Mothership, the TraceTogether Privacy Statement has a clause for you to request the deletion of your identification data by emailing them. Here is what happens when you do:

Texting that does give a response. So, one can indeed (at least, if the messages are to be trusted) get your TraceTogether data removed, as simply as texting ‘DEREGISTER’ to +65-8318-4444. I have to reiterate – I see no point in this, because the important part of the data is not with the Government, it is on your device.

This is where I note that the data in question is the TraceTogether data. There appears to be no way to do the same for SafeEntry data.

Bonus Content: Additional Readings

Bonus Content: Meme Gallery (Obviously, Don’t Take This Seriously)

Source: Ed Dy, https://www.facebook.com/eddythesandwich/posts/223406902694396
Source: SGAG, https://www.facebook.com/sgag.sg/posts/4299484270066528
Source: A Better World by Memes, https://www.facebook.com/SUTDmemes/photos/a.368181833596166/1153991591681849/
Source: The Straits Times Comment Section, https://www.facebook.com/STcomments/photos/a.1393864917449236/1851741508328239/
Source: The Straits Times Comment Section, https://www.facebook.com/STcomments/photos/a.1393864917449236/1851326565036400/
Source: Facebook Post
Source: Facebook Post

P.S. the QR code is absolutely scannable 😉