Singapore police can access COVID-19 contact tracing data for criminal investigations

Under the country's Criminal Procedure Code, the Singapore Police Force can obtain any data -- including information gathered by the contact tracing TraceTogether app and wearable token -- to facilitate criminal probes, confirms cabinet minister.

Singapore has confirmed its law enforcers will be able to access the country's COVID-19 contact tracing data to aid in their criminal investigations. To date, more than 4.2 million residents or 78% of the local population have adopted the TraceTogether contact tracing app and wearable token, which is one of the world's highest penetration rates.

This figure is double that of the adoption rate just three months ago in September, when TraceTogether had clocked 2.4 million downloads or about 40% of the population. A recent spike likely was fuelled by the government's announcement that use of the app or token would be mandatory for entry into public venues in early-2021, when it was able to distribute the token to anyone who wanted one. 

Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices -- within 2 metres of each other for more than 30 minutes -- to allow them to identify those who have been in close contact when needed.

Questions that still need to be asked as governments tap tech to contain coronavirus

Some compromise in personal privacy has been deemed necessary in countries such as Singapore, Taiwan, and South Korea that have turned to technology to aid in contact tracing and movement monitoring, but there are questions citizens should still ask to protect their cyber wellbeing.

Read More

In its efforts to ease privacy concerns, the Singapore government had stressed repeatedly that COVID-19 data would "never be accessed unless the user tests positive" for the virus and was contacted by the contact tracing team. Personal data such as unique identification number and mobile number also would be substituted by a random permanent ID and stored on a secured server. 

Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also had insisted the TraceTogether token was not a tracking device since it did not contain a GPS chip and could not connect to the internet. 

He further noted that all TraceTogether data would be encrypted and stored for up to 25 days, after which it would be automatically deleted, adding that the information would be uploaded to the Health Ministry only when an individual tested positive for COVID-19 and this could be carried out only by physically handing over the wearable device to the ministry, Balakrishnan said.

In addition, "only a very limited, restricted team of contact tracers" would have access to the data, the minister had said, noting that this was necessary to reconstruct the activity map of the COVID-19 patient. All public sector data protection rules would apply to the data held by the Health Ministry, he added, including abiding by the recommendations of the Public Sector Data Security Review Committee.

However, the Singapore government now has confirmed local law enforcement will be able to access the data for criminal investigations. Under the Criminal Procedure Code, the Singapore Police Force can obtain any data and this includes TraceTogether data, according to Minister of State for Home Affairs, Desmond Tan. He was responding to a question posed during parliament Monday on whether the TraceTogether data would be used for criminal probes and the safeguards governing the use of such data.

Tan said the Singapore government was the "custodian" of the contact tracing data and "stringent measures" had been established to safeguard the personal data. "Examples of these measures include only allowing authorised officers to access the data, using such data only for authorised purposes, and storing the data on a secured data platform," he said.

He added that public officers who knowingly disclose the data without authorisation or misuse the data may be fined up to SG$5,000 or jailed up to two years, or both. 

Asked if police use of the data violated the TraceTogether privacy pledge, Tan said: "We do not preclude the use of TraceTogether data in circumstances where citizens' safety and security is or has been affected, and this applies to all other data as well."

He noted that "authorised police officers" may invoke the Criminal Procedure Code to access TraceTogether data for such purposes as well as for criminal investigation, but this data would, otherwise, be used only for contact tracing and to combat the spread of COVID-19.

The Singapore police, in fact, had played a key role since February in assisting the Health Ministry in identifying and locating individuals who had been in close contact with COVID-19 patients. Law officers would conduct ground enquiries and review CCTV footage to establish the location and movement of these individuals. 

The TraceTogether privacy statement was updated Monday to reflect the latest revelation about potential police use. It now contains this statement: "Also, we want to be transparent with you. TraceTogether data may be used in circumstances where citizen safety and security is or has been affected. Authorised Police officers may invoke Criminal Procedure Code (CPC) powers to request users to upload their TraceTogether data for criminal investigations. The Singapore Police Force is empowered under the CPC to obtain any data, including TraceTogether data, for criminal investigations."

Strong demand for TraceTogether token a surprise

During parliament Monday, Education Minister Lawrence Wong said the TraceTogether platform would continue to play an integral role in Singapore's efforts to contain the spread of COVID-19, slashing what used to take two days down to hours in contact tracing.

Contact tracing apps unsafe if Bluetooth vulnerabilities not fixed

With governments increasingly looking to use contact tracing apps to help contain COVID-19, such initiatives are likely to spark renewed interest in Bluetooth attacks which means there is a need for assurance that these apps are regularly tested and vulnerabilities patched.

Read More

The minister, who co-chairs the multi-ministry COVID-19 task force, said some SG$10 million had been spent on developing TraceTogether and SafeEntry, with costs optimised by the use of off-the-shelf components to minimise manufacturing complexities. This, however, had led to tokens that were not rechargeable. The wearables currently had a battery lifespan of between six and nine months.

Amongst the 4.2 million participants of TraceTogether, some 2 million currently use the app on their smartphones, indicating that more have opted to carry the token.

According to Tan, the government had not expected the strong demand for the wearable device, given the accessibility of the mobile app. This had resulted in delays in the manufacturing and distribution of the token. 

Such issues would be addressed soon as the government looked to build up inventory and resume distribution at community centres where this was currently halted, he added.

The mandatory use of TraceTogether would be rolled out once everyone who wanted a token had a chance to collect one, Wong said.

According to ProPrivacy's digital privacy and VPN expert Ray Walsh, however, that the police could access the data should serve as a reminder of why centralised systems can be harmful to personal privacy.

In a statement released in response to the news, Walsh said: "As suspected, location information collected in the centralised database for the purposes of preventing the spread of the virus can also be leveraged by Singaporean police -- thanks to existing legislation. This means citizens' location data is being stored in such a way that is extremely damaging to their privacy, their freedom of movement, and their right to free association.

"This is extremely concerning considering that the government is planning to make the use of the TraceTogether app mandatory for all citizens," he said. "Test and trace systems forced on the general public for the purposes of preventing the spread of the pandemic have no right being used to create an extensive surveillance network, and it is extremely unnerving to see a soon-to-be mandatory app being exploited in this way."

Balakrishnan, though, previously noted that TraceTogether data was not stored on a centralised database, but was "decentralised and encrypted on phones and devices". This data only would be uploaded when the individual tested posted for COVID-19, the Singapore minister had said.

Similar concerns about police access to contact tracing data in the UK had prompted the country's Department for Health and Social Care to say neither the police nor the government would receive any data from its contact tracing app. 

In a tweet last October, the UK National Health Service said user data of its COVID-19 app was anonymous and the app could not be used to track users' location, for law enforcement, or to monitor self-isolation and social distancing. The contact tracing app then had clocked more than 18 million downloads since its launch in September.

Singapore's TraceTogether app was updated last June to include the registration of passport numbers of foreign visitors, as it reopened its borders. 

During Parliament, Wong encouraged residents to download the TraceTogether app -- rather than use the token -- touting the former's benefits as it would be updated with new features.

RELATED COVERAGE