FORGET BIG BROTHER; TRACETOGETHER IS “WATCHING YOU” — HAVE OUR LEGAL RIGHTS TO DATA PRIVACY BEEN ERODED?





18.12.2020



Clement Karim Lim, a member of alt+Law, digs deeper into what TraceTogether reveals about our legal rights to data privacy.





Image taken from: https://www.tech.gov.sg/media/technews/two-reasons-why-singapore-sticking-with-tracetogether-protocol


Introduction

In a Singaporean-style, community-driven, ‘war on pandemic’, the TraceTogether app was launched by Singapore’s Government Technology Agency (GovTech) on 20 March 2020 as a nation-wide COVID-19 contact-tracing app to enhance tedious manual contact-tracing efforts. The application was launched together with the TraceTogether Token, a dainty dongle which was proposed on 5 June 2020 by Minister-in-charge of the Smart Nation initiative, Vivian Balakrishnan. TraceTogether (in both its virtual and physical form) used to be optional for all except foreign dormitory workers. Not anymore. TraceTogether will be made mandatory to access all public spaces by the end of December 2020.


The initial announcement of TraceTogether drew significant backlash to the tune of a protesting petition which drummed up over 50,000 signatories. According to the petition (“Singapore says ‘No’ to wearable devices for Covid-19 contact tracing”) on Change.org, TraceTogether is an opportunistic blitz on our data privacy rights. Other reasons given for repudiating adoption of the device include fears that the device, with its potential to “track citizens’ movements 24/7”, will be a “blatant infringement upon [our] rights to privacy, personal space and freedom of movement” that can ultimately result in Singapore’s devolution into a dystopian “surveillance state”.


Is there any truth to such allegations? Can the very technology promising to protect us be repurposed and redirected against us? Can the data we obediently offer up be intentionally misused and/or unintentionally compromised?


Surely there are legal safeguards against the infringement of our data privacy? Not quite.


Existing Data Protection Laws in Singapore

Singapore’s Constitution does not recognise a right to data privacy. Singapore has not ratified the International Covenant on Civil and Political Rights (‘ICCPR’), Article 17 of which provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence”. A few domestic laws regulate the processing of personal data, including in the public sector, such as the Computer Misuse and Cybersecurity Act, which criminalises unauthorised access to data but does not regulate or address the lawful collection of data. The primary legislation setting out personal data protections for private sector entities is the Personal Data Protection Act 2012 (“the PDPA”).


Parts III and IV of the PDPA set out certain compliance requirements known as the Data Protection Provisions, such as making reasonable security arrangements to protect personal data in one’s possession from unauthorised access and ensuring that personal data is usually not collected or used without consent. According to the Personal Data Protection Commission (PDPC)’s advisory on contact tracing, the personal data of visitors/employees (including NRIC/FIN/Passport numbers) can be taken without consent for the purposes of contact tracing and other responses in the event of an emergency. This reflects the position taken by Section 17(1) of the PDPA, which allows organisations to collect individual personal data without consent in the various circumstances laid out under the Second Schedule. Under the Second Schedule’s Section 1(b) and 1(d), the exigent circumstances are broadly worded to include an “emergency that threatens the life, health or safety of other individuals” and whenever it is “necessary in the national interest”. Notably, the contact tracing solutions implemented by the Singapore government are exempt from the PDPA. However, this does not mean that these solutions need not follow the key principles of data privacy and protection. Public sector agencies have to comply with Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, these provide comparable, if not higher, standards of data protection compared to the PDPA, and similar investigations and enforcement actions will be taken against data security breaches.


In summary, Singapore does not recognise international obligations to safeguard our privacy. Domestically, the PDPA still affords a great deal of discretion for agencies and organisations to collect and store personal data. Consent also need not be obtained in an “emergency” — which we unfortunately find ourselves mired in now.


How the TraceTogether app and Token work

The app utilises a custom open-source protocol (BlueTrace) which allows for a distributed approach whereby participating devices exchange proximity information using Bluetooth “digital handshakes”. Specifically, the Bluetooth Received Signal Strength Indicator (RSSI) readings between devices are used to estimate the proximity and duration of an encounter between two users, and from that how high the risk of transmission is. According to the government website, the information exchanged is ‘anonymised’ and ‘encrypted’, ‘stored securely on the phone, and only shared with the Ministry of Health (MOH) if a user tests positive for COVID-19’. The information stored is supposedly automatically deleted after 25 days.


The upside of using Bluetooth technology is that it does not require geolocation data like in a GPS-system. What is captured is only the relative proximity data between Tokens or among TraceTogether apps. Since there is no need for Internet or cellular connectivity, the encrypted data cannot be remotely extracted from the Token. Only when an infected user is identified can the government request that the Bluetooth information be decrypted. Contact logging is decentralised. This means that all records are stored locally on our phones, as opposed to having our information automatically exported and uploaded to a cloud-based database.
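The on-device logic described above, as an added example that is not TraceTogether or BlueTrace code: handshakes are logged locally, records older than 25 days are purged, and RSSI readings are grouped into encounters with a duration. The RSSI threshold, gap tolerance, 15-minute cut-off, field names and sample log are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=25)   # from the article: stored data is deleted after 25 days
RSSI_NEAR_DBM = -65              # assumed "close range" threshold, not a BlueTrace value
MAX_GAP = timedelta(minutes=5)   # assumed: a longer silence ends the encounter

@dataclass(frozen=True)
class Handshake:
    temp_id: str       # hypothetical anonymised identifier received from the peer
    rssi: int          # signal strength in dBm; closer to 0 means nearer
    seen_at: datetime

def purge(log, now):
    """Enforce retention on the local log: drop records older than 25 days."""
    return [h for h in log if now - h.seen_at <= RETENTION]

def encounters(log):
    """Merge consecutive near-range handshakes per peer into (id, start, end)."""
    spans, open_spans = [], {}
    for h in sorted(log, key=lambda h: h.seen_at):
        if h.rssi < RSSI_NEAR_DBM:
            continue                      # too far away to count as proximity
        cur = open_spans.get(h.temp_id)
        if cur and h.seen_at - cur[2] <= MAX_GAP:
            cur[2] = h.seen_at            # extend the running encounter
        else:
            cur = [h.temp_id, h.seen_at, h.seen_at]
            open_spans[h.temp_id] = cur
            spans.append(cur)
    return [tuple(s) for s in spans]

def close_contacts(log, now, min_duration=timedelta(minutes=15)):
    """Encounters still within retention that lasted at least min_duration."""
    return [(tid, end - start)
            for tid, start, end in encounters(purge(log, now))
            if end - start >= min_duration]

# Constructed sample log (not real data).
NOW = datetime(2020, 12, 18, 12, 0)
def _at(days_ago, minute):
    return NOW - timedelta(days=days_ago) + timedelta(minutes=minute)

SAMPLE = (
    [Handshake("A", -60, _at(2, m)) for m in (0, 4, 8, 12, 16)]      # near, 16 min
    + [Handshake("B", -85, _at(2, m)) for m in (0, 4, 8, 12, 16)]    # far away
    + [Handshake("C", -55, _at(30, m)) for m in (0, 5, 10, 15, 20)]  # past retention
    + [Handshake("D", -62, _at(1, m)) for m in (0, 3)]               # near but brief
)

if __name__ == "__main__":
    print(close_contacts(SAMPLE, NOW))
```

Only peer A survives all three filters; peer C would have qualified on proximity and duration but is gone once retention is enforced, which is the privacy property the 25-day limit is meant to give.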


It should be noted that Bluetooth itself is still not impervious to security vulnerabilities. The latest compromise in Bluetooth security is "BlueFrag" which affects Android 8, 8.1 & 9, and critical bugs in Apple Bluetooth may allow anyone in the vicinity to remotely execute code — that is, run any software they like — without any user interaction.


To use the TraceTogether smartphone app or Token, users have to upload a photo of their NRICs and furnish their contact details. Under the Infectious Diseases Act 2003, a user cannot withhold or provide misleading contact or personal information. Consent to give out personal data is deemed to be given by the user upon ‘voluntarily’ downloading and registering of the app, or upon registration of the token. Whether or not ‘consent’ here is contrived is a separate issue — of course, everyone has the freedom not to download the app or register the Token, but at what cost? The price is the forfeiture of one’s right to ingress to almost all public premises by end-December 2020. As practical Singaporeans, the choice between entering a shopping mall or doggedly championing our sacrosanct right to data privacy will certainly be an easy one.


Conclusion

In short, TraceTogether does not erode our legal right to data privacy. One could argue this is because we never had much legal right to data privacy to begin with. In any event, it is unfair to say that TraceTogether is a looming threat that will push our society to the brink of an Orwellian police-state. TraceTogether is not sui generis. In fact, there is a plethora of contact-tracing smartphone apps around the world: COVIDSafe (Australia), MyTrace (Malaysia), NHS Covid-19 App (UK), and at least 38 more. Conspiracy theorists who allege that TraceTogether was deliberately created to be used to collect, monitor or exploit our data, are tilting at windmills. This is made obvious from the many limitations and safeguards the government has self-imposed through the app and the Token, such as the decentralisation of records, the use of Bluetooth instead of GPS-technology and the automatic deletion of stored data after 25 days. That is not to say that we can completely eliminate the possibility of a data leak. In recent years, we have been plagued by systemic data breaches; to name a few: the SingHealth attacks involving more than a quarter of our population, the leaking of personal data of thousands of service personnel from MINDEF and SAF, and compromising HIV leaks. Where law and tech do not give us watertight protection, perhaps the possibility of information leakages just has to always be put up with as the pesky attendant Gremlins in our valiant quest to become a “smarter nation”. The seemingly unlimited potential of tech in creating convenience and maximising efficiency is simply too tempting to not tap into. Blazing a path comes first; putting out the flames can always follow later... right?


We can only hope that the law will not be left too far behind or smothered in the smoke.





Sources:

  1. https://www.straitstimes.com/singapore/use-of-tracetogether-app-or-token-mandatory-by-end-dec
  2. https://www.change.org/p/singapore-government-singapore-says-no-to-wearable-devices-for-covid-19-contact-tracing
  3. https://www.pdpc.gov.sg/help-and-resources/2020/03/advisory-on-collection-of-personal-data-for-covid-19-contact-tracing#advisory1
  4. Chong and Velpula, “Data Protection and Privacy in Covid-19 Times”, ISCA Journal
  5. https://support.tracetogether.gov.sg/hc/en-sg/articles/360043543473-How-does-TraceTogether-work-
  6. https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/
  7. Wen et al, “A Study of the Privacy of COVID-19 Contact Tracing App” [2020]