Singapore has passed new legislation detailing the scope of local law enforcement's access to COVID-19 contact tracing data. It does so amidst questions whether the bill offers sufficient clarity and if police access should be excluded in the interest of public health.
The COVID-19 (Temporary Measures) (Amendment) Bill was debated, and eventually passed, in parliament Tuesday under a Certificate of Urgency, which allows the government to more swiftly introduce new legislation deemed urgent. The move comes weeks after it was revealed the police could access the country's TraceTogether contact tracing data for criminal investigations, contradicting previous assertions that this information would only be used when the individual tested positive for the coronavirus.
It sparked a public outcry and prompted the government to announce plans for a new bill that would limit police access to seven categories of "serious offences", during which contact tracing data could be used for criminal probes, inquiries, or court proceedings. These included cases involving terrorism, use or possession of dangerous weapons, kidnapping, and serious sexual offences.
Trust plays an important role in consumers' willingness to share their personal data, but trust will erode if businesses continue to be given wider access to personal data and Singaporeans do not feel empowered to safeguard their own cyber hygiene.Read now
The new legislation also encompasses data collected through other digital contact tracing apps, such as location visitor log SafeEntry and BluePass tokens, which are issued to migrant and local workers living or working in dormitories as well as those in construction, marine shipyard, and process sectors. BluePass data is interoperable with the TraceTogether platform.
Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices -- within 2 metres of each other for more than 30 minutes -- to allow them to identify those who have been in close contact when needed. Data collected is encrypted and stored for 25 days, before it is automatically deleted from the app or token.
There currently are more than 4.2 million TraceTogether users, or about 80% of the local population.
The new bill does not cover aggregated or anonymised data and supersedes existing laws. Public officers or contractors engaged by government agencies who are found guilty of unauthorised use or disclosure of contact tracing data face fines of up to SG$20,000 or imprisonment of up to two years, or both.
TraceTogether and SafeEntry systems would cease once the pandemic is declared over -- a timeframe that must be specified by the government. Public sector agencies then must stop collecting such data and remove collected personal contact tracing data "as soon as practicable".
This means the police can no longer access data unless it has been previously retained and used in criminal investigations and court proceedings.
In debating the bill during parliament Tuesday, members raised questions on whether details laid out were overly vague and whether it was necessary in the first place to provide police access at the risk of public health.
Lead of the opposition Workers' Party, Pitram Singh, noted that the missteps leading up to the revelation that police could access TraceTogether data had bred scepticism and eroded public trust. The perceived lack of empathy towards personal privacy on the government's part had prompted some to circumvent the app's tracing ability, such as turning off Bluetooth after checking into a location, he said.
Singh said the Workers' Party believed anything that compromised the use of TraceTogether should take a backseat and its use should be limited to contact tracing, which also then would align with the government's original assurance.
"I am of the view that such an approach would also engender greater confidence, given that a public conversation on privacy has hitherto not been ventilated in a significant way in Singapore," he said.
With governments increasingly looking to use contact tracing apps to help contain COVID-19, such initiatives are likely to spark renewed interest in Bluetooth attacks which means there is a need for assurance that these apps are regularly tested and vulnerabilities patched.Read now
The police, too, already had an abundance of tools that was sufficient to aid in their criminal investigations, including access to CCTVs, forensic examinations of mobile phones, and old-fashion police work such as the use of informants and collecting physical evidence.
That said, however, he said the opposition party would lend its support to the bill since Singaporeans' right to privacy could be better protected with it, rather than without.
Singh's colleague Sylvia Lim, who is also a Member of Parliament, called for further clarifications to be made regarding the definition of the seven categories of serious offences, which she said were broad and could lead to ambiguity in their application. She suggested that specific examples of what could constitute, or not, as serious offences under these categories would provide a clearer guideline.
In further supporting her party's stance that TraceTogether should exclude police access, Lim noted that the Australian government was amongst countries that had opted to prohibit such access to contact tracing data.
Singh also asked if the government could detect if an individual had deactivated Bluetooth upon gaining entry to a venue and whether such circumvention indicated a need for the government to review the effectiveness of TraceTogether and, hence, use by the police.
Minister-in-Charge of the Smart Nation Initiative and Foreign Affairs, Vivian Balakrishnan, some 58% of individuals used the contact tracing app at least once daily and this figure had remained largely the same even after it was revealed police had access to the data.
There were, however, no details on how many turned off the app or Bluetooth connectivity because the platform was designed specifically with privacy concerns in mind, he said.
Balakrishnan explained that the app, when activated, would query a central server to determine if the individual had been in the same vicinity and at the same time as a COVID-19 patient. If there was such an overlap, an alert would be pushed to the individual so they would know to monitor their health for any potential symptoms. They would be contacted directly by health officials if they were a close contact.
He acknowledged that some individuals were "gaming" the contact tracing system and urged them against doing so in order to better protect themselves against the pandemic.
According to the minister, 350 people had requested their TraceTogether data to be deleted from the central server over the past month.
He stressed that TraceTogether, by design, was created for contact tracing purposes and not intended for police use. Data collected was stored locally on the user's device or token and uploaded to the central server only when the user entered a pin, which would be provided if they were identified as a close contact, or when the token was physically handed over to health authorities.
"GovTech took great pains to create an app that was fundamentally privacy-protecting at its core, by design," the minister said, adding that the platform collected only proximity data and did not capture GPS or movement data. The token also did not have cellular connectivity. "These were conscious design decisions made at conception."
Based on these considerations, he said it would be reasonable to argue that for most cases, TraceTogether data would not prove very useful for police use. However, law enforcers also should not be unnecessarily hindered in investing any possible leads that could help in their criminal investigations, he added.
Noting that the new bill was not established to set a precedence, Balakrishnan said the government had taken "this exceptional step" to encourage public participation of TraceTogether whilst maintaining public confidence in the contact tracing programme.