Of trust, transparency and privacy – TraceTogether

It was announced in parliament on 4th January 2021 (the first time the proceedings were livestreamed, which means item 7 in https://harishpillay.com/2015/08/23/what-i-want-for-the-future-of-singapore-starting-today/ is now achieved) that should someone face criminal charges, his/her TraceTogether (TT) contact info might be retrieved if it is appropriate and relevant for the case. Just so that this is not taken out of context and conspiracy theories spun from it: there has to be a strong legal case for this “crossing of data jurisdiction”, and I’d welcome clarification from those who know more about how it will be determined.

When TT was first released, the privacy safeguards were clearly stated as shown below. This is a screenshot of the TT FAQ, taken at 3:44pm on 4th January 2021.

As of 4th January 2021 3:44pm

And with due credit to GovTech, they’ve updated the page above with a new one below (screenshot taken at 7:48pm, 4th January 2021) following the statement in parliament.

See the section towards the bottom about data being made available via the Criminal Procedure Code.

The updated document does state that if there are criminal proceedings instituted against someone, the Criminal Procedure Code does empower the police to get to any and all relevant data – including TT contact tracing data.

What’s “new”?

The minister in charge of the Smart Nation project did specifically answer in parliament on 5 June 2020 captured in the following paragraph 7:

7. Yesterday, we issued a written response to Mr Murali Pillai who had asked about the confidentiality of the data, and I think it is worth me reiterating that again, that the data is stored only on your own phone in the first instance, and accessed by MOH only if the individual tests positive for Covid-19. This data is only used for contact tracing. There are safeguards, including encryption, in place to protect this from malicious hackers. The data that is older than 25 days will be automatically deleted from your phone. If the close contact data is required for contact tracing, only a small group of authorised officers in MOH will have access to it. All the public sector data protection rules will also apply.

It seems that as of 4th January 2021, “this data is only used for contact tracing” is no longer valid. We are well on our way down the slippery slope – or are we?

And at the sitting on 5th January 2021, the minister made the following statement in Parliament:

Frankly, and I think members know me well, I’m always very frank. Frankly, I had not thought of the CPC when I spoke earlier. After I realised that the CPC applied to this, I did have sleepless nights wondering: Should I persuade my colleagues to change the law? But having thought about it, discussed, consulted people both within and outside this House, I have come to the conclusion that right now we are doing well…I think we are still on the right track.

Vivian’s statement in parliament on 5 January 2021

So, there was an oops, mea culpa moment. There was trust asked for at the start of the program in March 2020 and many people, like me, felt that it was clear and transparent and was supportive. I was invited on many webinars around the world to talk about how TT’s trust model works and I was happily stating that I feel confident and comfortable with the safeguards.

Right now, despite Vivian’s assurances, I feel I was let down.

He does mention at around 5:00 above “phone and banking records” are also subject to the same provisions of section 20 of the Criminal Procedure Code as would TT data.

Let’s expand on the “phone and banking records” reference. I think those would be primarily around the calls made/received and bank account information.

Scenario 1:

Person A has been arrested for a stabbing incident outside a kopitiam in Yishun. The phone A has is not a smart phone and A does not have a TT token. Would the Police invoke Section 20 of the CPC and ask for cellphone tower records to triangulate information about people around the accused at the time of the incident? I am not aware of any criminal case in Singapore that has asked for cellphone tower data to be made available. I am also not sure how long that tower data is actually kept by the telcos – perhaps for 3-5 years – MUCH longer than the 25 days TT data is valid in the phone/token, had Person A owned such a device.

Vivian did say in his statement that the TT app was open sourced to gain trust. While it is 100% true that it was open sourced back in April 2020 (called OpenTrace), the version that was open sourced was the initial version 1, and all developments since then have not been pushed upstream. In other words, for all the good work done at the start, the commitment to open sourcing did not persist in spite of me pushing for it repeatedly. This is called ‘open washing’ to gain some brownie points and that’s about it. The act of “open sourcing TT” was mentioned in the 5 January 2021 statement, but it is not keeping to the spirit. That itself reduces the trust factor.

Where are we now?

As of 5 January 2021, there have been 58,517 cases since the start, with 29 fatalities. Any fatality is one fatality too many and is very sad, but we’ve managed to keep the number very low – which is just wonderful. We are managing this, and managing this well enough.

But this is Singapore. We can do better. The trust that was asked for in using the TT App was broken. Yes, an acknowledgement of the mistake was done, so thank you. But we can, and should be able to do better.

Since Vivian asked for suggestions, here’s mine: introduce a bill specifically exempting TT Data from CPC – ONLY for the duration of this pandemic. It is time bound and very specific and targeted. I am very sure, the police investigators would not need additional TT Data to help with their investigations.

I do not, honestly, think that excluding CPC access to this data will hinder criminal investigations. The records are valid only for 25 days and the accused person could have deleted the app and hence data (see scenarios below).

There are plenty of other means – CCTVs, phone records, cellphone tower records etc etc – to get data from.

I want to now go back out to the world and say, yes, we are still doing the right thing. I am resigned to the possibility that this suggestion will be labelled as a non-starter as it might not be feasible since it makes an exemption in law for a specific case and duration.

But, to win back trust, to win back transparency and to win back privacy, please do the right thing.

Majulah Singapura.


If you need additional background to some of the tech and aspects of TT App, TT Token, SE etc, please read on

TT contact data is stored in 3 places: a) the TraceTogether app’s database b) Exchanged IDs from other phones/tokens c) MOH/GovTech servers when the app was first registered and when data is extracted following a positive Covid-19 detection.

Only the last 25 days of contact data sits in the phone’s database (as well as in the token). All of that information is only sent to MOH/GovTech should a person be down with Covid, for the actual contact tracing to happen.

So, if a person A is apprehended in a criminal case, and if that person has a TT enabled phone and/or token, the information in the device will first have to be retrieved by MOH/GovTech and from what is being said, also made available to the police investigators.

There are many, many issues here and I will talk about three more scenarios.

Scenario 2:

Person A’s phone shows 200 contacts and after extraction the MOH/GovTech contact tracers would have been able to point to people who were in the contact list. What would the Police investigators do now with this data? Would the investigators contact each of the people in the contact list? Would they need to then get the contacts list from these contacts to get more contacts? Yes, there is a natural limit, and it could be small. But this is a problem of scale and reach. What if, for whatever reason, the others have decided to delete all data from their phones? That throws up a deadend. Whatever the case, there has to be lots of effort that needs to be expended to go through all of these contacts. Investigators need as much data as possible to work on determining the innocence or guilt of Person A.

Scenario 3:

Person A realising that s/he has just done something (legal or otherwise), deletes the TT app in the phone or destroys the token. There is nothing left to get and it is a deadend.

Scenario 4:

Person A was apprehended after 25 days following some alleged criminal activity. All contact info in the phone that is older than 25 days will be now long gone. So, this becomes a deadend as well.

TT App vs TT Token vs SafeEntry

TT was rolled out first in March 2020 and SafeEntry in May 2020. Because they were separate efforts, it was confusing for many people who were wondering why there were two solutions.

SafeEntry QR codes are applied for by businesses, schools, malls, offices etc via GovTech and are then posted at the various locations. These SafeEntry QR codes are customised for each location and contain information about the location’s name; when the QR code is scanned, the phone adds in the date/time of the scan. The URL that the QR code generates needs the visitor’s NRIC and phone number entered, and is then submitted to MOH/GovTech. The location owner does not get a copy of this.

Here’s an example. If you scan the QR code above from wherever you are now and you submit the scan, the system assumes that you are physically at the location!

The two separate systems did mean that even though I had TT app in my phone, I still needed to do the SE QR scan which betrays my location (in the case above NorthPoint).

It is clear that the TT App itself does not do location tracking. SE, on the other hand, betrays your location upon log-in. Again, not via the phone’s GPS, but by the mere fact that a SE QR code was scanned and responded to. So, Vivian is right in that there is no GPS info collected by TT, but he did not say anything about SE.

Fast forward a few months, the TT App has gotten feature creep and can now do QR code scanning as well (along with a few other bells and whistles).

And sometime from about October 2020, newly issued SE QR codes will ONLY work with the TT App.

I have been using the QR scanning functionality of the Firefox Mobile browser in my phone all this while but with this change, I have to use the TT App.

But each has its own use case. TT App is really the crux – to get the epidemiologically relevant data: a) how close were you to an infected person b) how long was the exposure.

SE, on the other hand, only says where you were and it is at a very coarse level of accuracy – the entrance of a mall, the entrance of a shop etc – a single data point. How different is that from GPS? GPS would be wherever GPS signals are available, while SE is only in places that have a SE QR code at entry. SE is, therefore, capturing a very tiny fraction of what GPS could capture.

I am OK with what TT does. TT’s focus is to do contact collection of those within a 10m radius (as is with the TT Token).

I’d reiterate that all TT contacts data is stored in the device for 25 days, and anything older than that is expired/deleted from the device.
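To make the retention window concrete (the on-device storage described in the background section above, and Scenario 4), here is a small model of a 25-day rolling contact log. This is an added example written for this post, not code from the TraceTogether or OpenTrace projects; the encounter records, the identifiers and the “examined at” timestamps are all constructed, and the inclusive boundary handling is my choice, not the app’s.

```python
"""Constructed model of a 25-day rolling on-device contact log."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 25  # retention window as stated in the post


@dataclass(frozen=True)
class Encounter:
    temp_id: str        # identifier received from another phone/token (constructed)
    seen_at: datetime   # when it was received


def purge_expired(log, now, retention_days=RETENTION_DAYS):
    """Drop every encounter older than the retention window.

    Models the periodic on-device deletion the post refers to. An entry
    exactly `retention_days` old is kept (inclusive cutoff); that boundary
    choice is mine, not taken from the app.
    """
    cutoff = now - timedelta(days=retention_days)
    return [e for e in log if e.seen_at >= cutoff]


def encounters_around(log, when, window):
    """Encounters recorded within +/- `window` of the moment `when`."""
    return [e for e in log if abs(e.seen_at - when) <= window]


def recoverable_at_seizure(log, incident_at, seized_at, window=timedelta(hours=1)):
    """What could still be read from the device for an incident at
    `incident_at` if the device is examined at `seized_at`: the retention
    purge is applied first, then the incident window."""
    surviving = purge_expired(log, seized_at)
    return encounters_around(surviving, incident_at, window)


NOW = datetime(2021, 1, 5, 12, 0, tzinfo=timezone.utc)  # constructed "today"


def days_ago(n, minutes=0):
    return NOW - timedelta(days=n, minutes=minutes)


# Constructed sample log. Two incidents are baked in: one 3 days ago
# (inside the window) and one 30 days ago (Scenario 4, outside it).
SAMPLE_LOG = [
    Encounter("id-a", days_ago(1)),
    Encounter("id-b", days_ago(3, minutes=10)),   # near the recent incident
    Encounter("id-c", days_ago(10)),
    Encounter("id-d", days_ago(24)),
    Encounter("id-e", days_ago(30, minutes=5)),   # near the old incident
    Encounter("id-f", days_ago(40)),
]


def scenario_counts():
    """Return (entries surviving the purge today,
               entries recoverable for the 3-day-old incident,
               entries recoverable for the 30-day-old incident)."""
    surviving = len(purge_expired(SAMPLE_LOG, NOW))
    recent = len(recoverable_at_seizure(SAMPLE_LOG, days_ago(3), NOW))
    old = len(recoverable_at_seizure(SAMPLE_LOG, days_ago(30), NOW))
    return surviving, recent, old


if __name__ == "__main__":
    print(scenario_counts())  # (4, 1, 0)
```

The last tuple is the point: the same device yields one usable record for an incident three days old and none for one thirty days old, regardless of what is asked for under the CPC, because the data simply no longer exists on the device. Note that this only models the phone or token; it says nothing about copies held on servers or their backups.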

In the case of a SE QR scan, the record is saved on some MOH/GovTech servers and I have to assume that it is also expired after 25 days (taking their word for it, having not seen the code). Again, SE only captures the fact that an individual was at a certain location (or now, because you can scan the QR above from anywhere in the world :-), claims to have been) at a specific point in time. Nothing in SE suggests proximity to others, other than perhaps the time of scanning of the QR code – which is still not an accurate indicator, because the QR scanning could be done at the entrance of the facility and the person then leaves without entering.

Now, while the large granularity of SE’s location information is still there, the fact that one has to use the TT App for that, does throw some caution to the statement from GovTech that TT App honours privacy in that it does not track location.

This exclusive functioning of SE scanning only via TT App, does taint the TT App’s privacy stance – even if it does not actually store the location info in the phone.

SE broke the privacy fallacy/bubble and it is indeed disappointing to see how TT App with SE has evolved.

The TT Token

The TT Token only runs the bluetrace.io contact tracking protocol like the original version 1 of the TT App. These tokens have a button cell battery that has a power budget of about 6-9 months of use. There isn’t a means to recharge the TT Token (other than opening it up and replacing the battery).

Each TT Token has a specific, unique QR code printed on the outside of the device. When the devices are issued, the QR on the token and the NRIC # of the person is linked together and kept by the Ministry of Health.

So, when a person enters a building only using the TT Token, that token’s QR code is scanned at entry by some device at the entrance. This is the reverse of the TT App scanning the SE QR at the entrance. I believe that TT Token QR scan information is sent straight to MOH/GovTech’s servers.

Do check out this tweet thread from Zerotypic as well.

9 comments

  1. The main issue here is trust in the Government, not contact tracing per se. To pick a trivial example, you argue that the 25 day limit on data retention limits the privacy risks in SE and TT. But how do we know now that the limit really is 25 days? Were they lying about that too? Once they are caught out lying on something so fundamental, how can you trust anything they say?

    • Herein lies the dilemma of trust when it is broken. It is very, very hard to gain trust and trivial to break it. Once bitten, twice shy. Thanks for the link to the SE data retention info. It needs to be screenshotted.

  2. If one has sleepless nights after learning about this fact, it speaks volumes to the issue. He knows it is wrong to leave this door open and he should not accept it. Phone records or any other form of two-party consented communication should be part of a criminal investigation. But TT data is not a two-party consented communication, only under the subject of COVID tracing. Using this data for anything else is ethically wrong IMHO. Not the Singapore I believe in; we should not stand for it.

    • Thanks Frank for your comments. It is quite disappointing how this has spiralled. Leadership needs to be shown. I hope the Cabinet will take the long view and sort this out.

  3. If the updated app’s code has not been pushed back upstream, I suppose it’s also a bit hard to verify what is happening with the data – and whether it still is deleted after 25 days and/or where else it’s going. The other point is that wherever copies of the data are kept e.g. on the MOH server, I would imagine that server has automated backups spanning multiple periods of time – that implies copies of the data potentially still exist beyond the ’25 days’.

    • Thanks, Raj, for the comment. Sending the improvements to TT to OT is a trivial process, but it was not done, and so the value of saying “TT is open sourced” is only, as I note, for brownie points. I did ask in the initial process of open sourcing TT about the server side, but that was not forthcoming. So, even from the get-go, there was nothing we (as in the open source community) could do to verify that the server was indeed set up, and we have to take GovTech’s word for it.

  4. Even if we ignore section 20 of CPC, we’ve this simple eqn when SafeEntry -> ToS in the very near future:

    TraceTogether-only SafeEntry (ToS) && SafeEntry Gateway [deployed at premises to meet SMM required by the law] == (Indirect) GPS

    SMM == Safe Management Measures

    Regardless of TT App or Token

    References:

    ToS: https://www.safeentry.gov.sg/tracetogether-only-safeentry

    The SafeEntry Gateway device on trial at Downtown East: https://www.todayonline.com/singapore/new-safeentry-gateway-device-trial-downtown-east-make-tracetogether-check-ins-more

    (Updated Dec 2020) Places where SafeEntry must be deployed: https://www.safeentry.gov.sg/announcements#news-36-anchor and https://support.safeentry.gov.sg/hc/en-us/articles/900000861343-Where-does-SafeEntry-need-to-be-deployed-

    Quote: “the following list of facilities/places should deploy the SafeEntry system to log the check-in of customers, clients, students and visitors entering their premises in order to meet the safe management measures required by the law¹.”
    “¹ This list will be updated as more activities and services are resumed.”
