
Whoops, turns out TraceTogether data isn't only used for contact tracing

I was hoping to ease into 2021 with a somewhat relaxed weekly round-up this weekend, but it turns out we have to hit the ground running…

Almost a year after the launch of TraceTogether, Singapore’s Bluetooth-enabled contact tracing system, Singaporeans have finally been told that, hey, the police had the power to obtain the data it collects for their investigations all along. So much for the promises that the data would “only be used solely for contact tracing of persons possibly exposed to COVID-19.”

TraceTogether was meant to be a win. It grabbed international headlines, when it was first launched in March 2020, for being among the first wave of tech solutions in the fight against COVID-19. At that time, Singapore was riding high on its “gold standard” test-and-trace strategy, and TraceTogether seemed like a way to further build our reputation, both domestically and abroad, as a “Smart Nation”.

Doubt and reluctance

Even when it was first introduced, there were already people — academics, civil society activists, and tech professionals, among others — who were apprehensive and concerned about such an app. (I wrote about my doubts about TraceTogether and giving the government leeway to introduce more tech surveillance during the pandemic then.) Given the sluggish adoption rate, it seemed as if Singaporeans generally weren’t convinced, either. By May 2020, only about 1.1 million people had downloaded the app, which meant that adoption wasn’t even high enough for the system to work effectively, leading The Straits Times to suggest that the app be made mandatory.

From the TraceTogether website.

Adoption of TraceTogether has since shot up, mostly because the government has indeed indicated that it will soon become mandatory for access to places that Singaporeans cannot live without, like shopping malls. On Monday, Lawrence Wong, co-chair of the multi-ministry task force on COVID-19, said that about 78% of residents in Singapore have since either downloaded the TraceTogether app, or collected a token. But signs of disquiet could still be discerned.

Demand for tokens has been higher than the government expected, given that the assumption was that those with smartphones would download the app. If people I’ve spoken to, as well as online comments, are anything to go by, some Singaporeans are opting for the token because they aren’t comfortable with downloading the app — in the looming bo pian scenario of TraceTogether becoming mandatory, people are choosing to collect the token because tear-downs have at least demonstrated that there’s no GPS chip, meaning that the token can only ping close contacts via Bluetooth and nothing else. Even so, the government had to warn people to stop tampering with the token.

These aren’t signs of voluntary and enthusiastic consent to the use of such technology.

TraceTogether’s privacy promise…

TraceTogether was made mandatory for migrant workers in dormitories in June 2020, but more effort was spent to placate and persuade Singaporeans. Plenty of emphasis has been placed on privacy: people were assured that TraceTogether does not track location, that it only exchanges encrypted and anonymised Bluetooth signals that can only be decrypted by the Ministry of Health (and that only authorised personnel would have access to this key), and that the data will only be used for contact-tracing purposes.

This was what TraceTogether’s privacy statement said before 4 January.

During a press conference in June 2020, Vivian Balakrishnan, the minister in charge of the Smart Nation initiative, clearly stated that data collected by TraceTogether would not be used for any other purpose: “TraceTogether app, TraceTogether running on a device, and the data generated, is purely for contact-tracing. Period.”

Given the high level of trust in the government, such promises were enough to reassure many Singaporeans. People were persuading their families and friends to download the app based on these reassurances. Those of us who were still unconvinced and apprehensive got into arguments about using the app; based on my own experience, as well as the fights I saw unfold between friends on Facebook, TraceTogether sceptics were dismissed as ill-informed about technology, paranoid, fear-mongering, or even irresponsible by undermining public health and safety with our criticism.

…that turned out not to mean very much

Even before this week’s revelation, tech surveillance framed as pandemic response was already gradually expanding. Does anyone remember now that, when TraceTogether was first launched, it didn’t even collect your IC number, only your phone number? It was later updated to require registration with IC numbers.

Claims that TraceTogether doesn’t track one’s location might be technically true, but are meaningless given that TraceTogether is also being merged with SafeEntry, the QR code-scanning check-in system required for entry to all sorts of venues. TraceTogether-only SafeEntry (what a mouthful) requires people to scan a QR code using the TraceTogether app, or to scan the QR code printed on their TraceTogether token, before entering a venue. Another device, the SafeEntry Gateway, is being tested: instead of scanning QR codes, the gateway would only require the user to bring their smartphone or token close to the device to register one’s presence by exchanging Bluetooth signals.

The merging of SafeEntry, where registering your location is the point, with TraceTogether means that it is possible for a person’s whereabouts to be tracked, along with lists of people they’ve been in close contact with. And of course, TraceTogether and SafeEntry are only two classes of data that the government can access about us; they have many more, through CCTV cameras and other records that they can access if they want to.

The bomb that has set off this recent uproar was the Ministry of Home Affairs’ response to a question in Parliament, stating that, despite the government’s earlier promises about TraceTogether data only being used for contact-tracing during COVID-19, the police can actually obtain such data for the purposes of criminal investigations. In fact, they’ve always had the power to do so, as stated in the Criminal Procedure Code, and they’ve already done it in one murder investigation.

What the privacy statement said after it was amended on 4 January 2021.

Speaking in Parliament, Vivian Balakrishnan admitted that, when he’d said in June 2020 that TraceTogether would “purely” be used for contact-tracing, he hadn’t realised that the Criminal Procedure Code (CPC) would actually grant the police access to such data, allowing it to be used for other purposes. After it hit him that the CPC would apply, he considered persuading his colleagues to change the law (presumably to exempt TraceTogether data from what the CPC empowers the police to obtain) but eventually decided against it because he had “come to the conclusion that right now we are doing well” and that Singapore was on the “right track”.

Questions prompted by this revelation

The government has sought to clarify and reassure the public once again in the light of this news, saying that the police will only access TraceTogether data when investigating “serious offences”, and that these powers will be “exercised judiciously”. Yet there are many questions that remain unanswered.

In admitting upfront that he’d overlooked the Criminal Procedure Code when making promises, Balakrishnan was trying to present himself as being transparent, and to dispel accusations of dishonesty and lying on the part of the government. His reassurances, which have now turned out to be false, were framed as an honest mistake.

This is hardly a preferable state of affairs. It suggests that even the minister-in-charge of all our Smart Nation rollouts doesn’t think sufficiently widely or deeply about the implications of the technology that’s being implemented, often at rapid speed without adequate public consultation or debate.

It’s also odd that this should never have occurred to him before, given that fears about increased surveillance and police powers are among the first things to emerge in discussions about technology and data collection these days — and indeed, could be divined from the reluctance of Singaporeans to download TraceTogether in the first place. In all his efforts to persuade Singaporeans that TraceTogether was privacy-focused and safe, did it not occur to him, or anyone in his office, to check in with the police or other government agencies?

Even if we accept that a massive oversight had been committed on Vivian Balakrishnan’s part, why didn’t other parts of the government who were better informed correct him and set the record straight? There are state organs and government agencies whose jobs it is to be acquainted with Singaporean law, and who must be intimately familiar with the Criminal Procedure Code. Did it not occur to them to highlight Vivian Balakrishnan’s blind spot? Are inter-agency communications within the government really so terrible, despite all our boasts about efficiency and whole-of-government coordination? And if they had corrected him privately, why wasn’t this made known to the public? Why are we only hearing, in January 2021, that the promise a minister made half a year ago was meaningless because he didn’t actually know what he was talking about?

We’ve since been told by Vivian Balakrishnan and Minister for Home Affairs and Law K Shanmugam that the police will only obtain TraceTogether data when investigating “serious offences”. But Shanmugam also made clear that this isn’t actually legally binding. “While that requirement is not in the legislation, it will be carefully considered within the police, and discretion will be exercised in seeking this information,” he said.

What we have, here, then, is just their word, in the same way that Balakrishnan’s June 2020 statement about TraceTogether was his word. And we’ve all seen how that turned out.

Balakrishnan has also said that the police will only be able to obtain the data directly from an individual’s phone or token, which presumably means that you either have to volunteer the data, be compelled to hand it over, or your device has to be confiscated (which happens even for investigations into offences like posing for photos with placards). But how do the police obtain the data? Do they just retrieve it first, then ask the Ministry of Health to decrypt it, or are they able to do the decryption themselves? If the former, what is the process of seeking MOH’s assistance, and what sort of oversight is there — will all requests from the police be automatically granted, or will there be some layer of review? If the latter, and the police can do the decryption themselves, then who in the police force can do this? Do they have to be of a certain rank? Who oversees this to ensure that they aren’t abusing this power?

If a civilian is of the opinion that their TraceTogether data has been unjustifiably obtained from their device, what avenues are there to lodge complaints? How will these complaints be handled, and what redress will there be if the complaint is deemed valid? MHA mentioned that “under the Public Sector (Governance) Act, public officers who recklessly or knowingly disclose the data without authorisation or misuse the data may be liable of a fine up to $5,000 or imprisonment of up to two years, or both.” But that doesn’t cover what sort of compensation or redress the victim of such misuse would be entitled to.

“Move fast and break things”

Facebook’s internal motto used to be “move fast and break things”. This motto, and the mindset behind it, has since been criticised as emblematic of the way in which the tech industry often speeds ahead, caught up in its own hype, without thinking carefully about the impact, implications, and potential harm that it could be causing. And we’ve seen in recent years what the consequences of “moving fast” without proper deliberation and care can be.

The same criticism can apply outside of Silicon Valley. Becoming a “Smart Nation” might indeed bring a lot of convenience and improve people’s quality of life, but we’ve so far never really had the space and time to consider the implications of what we’re doing. And, as we’ve seen with Vivian Balakrishnan’s admission, our leaders seem to be forging ahead without even fully thinking through the ways in which this tech will interact with existing legislation.

It might turn out that Singaporeans collectively decide that the privacy trade-off for the benefits of tech surveillance is one worth making. But we’ve not been able to make this informed decision ourselves — the technology, from facial recognition cameras on lamp-posts to facial and iris scanners at border checkpoints to TraceTogether, just keeps rolling out, presented as fait accompli. Before we can even wrap our heads around one thing, there’s already another. And throughout all this, the issues of lack of oversight and restraint are ever-present, but those who repeatedly bring these problems up are either dismissed as paranoid, or just talked over.

This debacle with TraceTogether should be a lesson. Transparency isn’t just a privacy statement on a website with a changelog. Public trust, once damaged, can be very hard to regain, and can have other detrimental effects. Singapore’s contact-tracing efforts might now be undermined as people seek ways to circumvent or subvert the TraceTogether system because they no longer trust the government’s reassurances (and in the absence of any other way to voluntarily and consensually participate in contact-tracing efforts).

The government should take steps to restore confidence by introducing legislation that will prevent data collected for contact-tracing from being used for any other purpose. Safeguards and restraints need to be legally binding, not political promises that can later be walked back, or waved away on the basis of “oh, I was mistaken back then”. It’s easier to trust when it’s substantiated by action and concrete commitments.

Situations like this will likely crop up again and again, since Singapore isn’t going to give up on tech any time soon. Nor should we; the point isn’t about dumping technology and going back to messenger pigeons. What’s important is that we as a society should be able to think and deliberate more deeply about all these things, and the robustness of our structures. And we need to start now.
