The Singapore government has defended its decision to allow the police to access the country's COVID-19 contact tracing data when necessary, in order to safeguard public safety and interest. It reveals that data collected via the TraceTogether platform already has been tapped at least once to assist in a homicide investigation.
Its defence came a day after it confirmed COVID-19 contact tracing data could be pulled by local law enforcers to aid in criminal cases. This contradicted previous assertions the government repeatedly made that the data would only be be accessed if the user tests positive for the virus and was contacted by the contact tracing team.
Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also previously stressed TraceTogether data would be used solely for contact tracing purposes and accessed by "only a very limited, restricted team of contact tracers" to reconstruct the activity map of the COVID-19 patient.
Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices -- within 2 metres of each other for more than 30 minutes -- to allow them to identify those who have been in close contact when needed.
To date, more than 4.2 million residents or 78% of the local population have adopted the contact tracing app and wearable token. This figure is double that of the adoption rate just three months ago in September, when TraceTogether had clocked 2.4 million downloads or about 40% of the population. A recent spike likely was fuelled by the government's announcement that use of the app or token would be mandatory for entry into public venues in early-2021, when it was able to distribute the token to anyone who wanted one.
Speaking outside the parliament session's scheduled agenda Tuesday, Balakrishnan said he had failed to consider Singapore's Criminal Procedure Code (CPC) when he previously spoke about the use of TraceTogether data. Under Section 20 of the CPC, the local police has the power to order anyone to produce any data, including TraceTogether information, for the purpose of its criminal investigation. He noted that phone or banking records, which were protected by specific privacy laws, also were subjected to the same provisions under the code.
The minister said: "I think Singaporeans can understand why Section 20 of the CPC confers such broad powers. There may be serious crimes -- murder, terrorist incidents -- where the use of TraceTogether data in police investigations may be necessary in the public interest. The police must be given the tools to bring criminals to justice and protect the safety and security of all Singaporeans."
He noted, however, that the police should access the data judiciously and with "utmost restraint".
He added that the contact tracing platform was not designed to allow any government agencies to track the user, and efforts were taken in the system design and coding of the app to protect personal privacy. He said this had led to the move to make the software open source, so it was open to public scrutiny, and could be shared with other foreign jurisdictions.
In addition, Balakrishnan said TraceTogether did not collect GPS location or movement data and kept temporary record of who the user had come in close contact with. Data also would be stored, encrypted, locally on the user's device or token and automatically purged after 25 days.
Asked how often the police had tapped the contact tracing data, the minister said he was aware of only one instance that had involved a homicide investigation. He would not provide other details on the case as he was not involved in its operations and, hence, was unable to comment further.
He did point to discussions that were held over the last few weeks to mull over whether to change the law involving TraceTogether data, before the government decided to retain the CPC as it stood. This, he said, was necessary to ensure the police could remain effective in safeguarding public safety and interest.
Balakrishnan noted that every jurisdiction had to strike a balance between how much power its police should have and an individual's rights to privacy, and this would differ from country to country. He pointed to the US, where the FBI in 2016 paid professional bug hunters to access the smartphone of the shooter involved in the terrorist incident in San Bernardino. Investigators resorted to doing so after facing legal obstacles in accessing the data.
Asked under what circumstances would the Singapore police be able to call up access to TraceTogether data, Minister for Law and Home Affairs K. Shanmugam said this was restricted to "very serious offences", given the "national importance" of the contact tracing platform in dealing with the COVID-19 pandemic.
"While that requirement is not in the legislation, it will be carefully considered within the police and discretion will be exercised in seeking this information," Shanmugam said.
He added that any TraceTogether data collected for a criminal investigation would be deleted if it no longer served any importance and was not needed in legal proceedings.
According to Balakrishnan, once the pandemic was over and contact tracing data was deemed not necessary, the TraceTogether programme would be stood down.
Noting that three quarters of the local population had adopted the platform, he said the high adoption rate not only reflected people's "willingness" to participate in the "collective fight" against COVID-19, but also "their confidence in the government's commitment to protect the data so collected".
"We do not take trust of Singaporeans lightly. We cannot prevail in battle against COVID-19 if Singaporeans did not trust the public health authorities and the government," the minister said. "I want to again assure Singaporeans your confidence is not misplaced. We will protect your privacy."