Key Findings
A. The Development of Digital Contact Tracing in Singapore
Singapore was among the earliest nations to develop a digital contact tracing application with the specific purpose to combat COVID-19. The country introduced TraceTogether, a contact tracing app developed by the government’s Government Technology Agency (GovTech), which was released to the public on March 20, 2020. The application is based on a homegrown protocol called BlueTrace which has also been developed by GovTech.
TraceTogether communicates with other installed devices via Bluetooth Low Energy (BLE). The information of those with whom the app’s user has been in contact during the past 14 days is stored on the user’s phone. This information includes a proxy distance between users, timestamp, and temporary user IDs. This information is stored on the device by the app in an encrypted form. As the app asks for the user’s phone number, the phone is stored in the Ministry of Health (MOH)’s server along with the temporary ID. The temporary ID is generated by the MOH’s server, which is changed after a period of time and can be encrypted with a private key that is also held by the MOH. The ID is then transmitted to the user and exchanged with other TraceTogether users when they are in close proximity of one another.
If an individual user is found to be COVID-19 positive, the user would be asked to upload the app’s encrypted data logs to the server. The data logs are then decrypted by the MOH which holds the private key. Through these data logs, the temporary IDs in the logs are used to contact other app users who have been in contact with the infected user. The authorities can trace the people with whom the individuals have been in close proximity during the past 14 days using the information collected from the installed device.
When TraceTogether was first launched, the app required only the user’s phone number which the government claimed would be the only personal data the MOH would withhold. It also claimed that the MOH’s server where phone numbers and the IDs are stored is highly secured, and that the quality of its security is comparable to those of the servers used to store other official information. The authorities also informed the public that the users’ phones will store the app data for 25 days (although another source has reported the duration of 21 days), after which the app data is automatically deleted; users would be asked to share these records only when contacted by MOH as part of its investigations for contact tracing. Those who refuse to share the records can be charged under the Infectious Diseases Act of Singapore.
TraceTogether has not turned out to be as effective as anticipated. For contact tracing via the app to be effective, 75% of the population must have downloaded it. However, since its usage is not mandatory, after one month after its launch, only around 20% of the population have used TraceTogether. It was later revealed that TraceTogether does not work well on iOS devices. This is because Apple does not allow developers to constantly broadcast Bluetooth signals, since background broadcasts have been previously exploited for targeted advertising. Therefore, on Apple devices, Bluetooth signals can be sent only when the app runs in the foreground. However, a signal would not be generated if the iOS phone which has installed TraceTogether is locked, or if users are not using the app.
In April 2020, the ‘reference implementation’ or software behind TraceTogether was made open-source and was given the name OpenTrace. OpenTrace allows the public to examine the app and address vulnerabilities; other countries that want to implement their own official contact tracing app can also learn how to build it based on the BlueTrace protocol. In the same month, the government also decided to enforce the circuit breaker measures (CB) or lockdown in response to the pandemic. The number of COVID-19 cases had surged significantly in Singapore at that time, with a large number of cases arising among migrant workers living in crowded dormitories.
Following the rising cases among migrant workers, the Ministry of Manpower (MOM) issued a press release on May 27, 2020 which required migrant workers to “download, activate, and maintain” the TraceTogether app. Workers are obliged to share their Identification Numbers (FINs) and work pass card serial numbers on the app. The government also launched the SGWorkPass, another app that requires workers to download to check whether they can leave their residence for work. Among its criteria, the SGWorkPass app requires that migrant workers register on the TraceTogether app.
Following the launch of the Exposure Notification System (ENS), which is the contact tracing technology jointly created by Apple and Google, there was some anticipation whether TraceTogether could adapt to the new technology in order for it to work better on the iOS system. In order to use the technology jointly developed by the two companies, the app had to meet certain requirements. Later on, Vivian Balakrishnan, Minister-in-charge of the Smart Nation Programme Office initiative, announced that the country would not use the Apple-Google contact tracing system as it would be “less effective” in the local context.
In May 2020, Singapore’s digital contact tracing effort stepped up as the MOH and the Smart Nation and Digital Government Office (SNDGO) launched SafeEntry, a QR code system developed by GovTech for people to check-in and out of buildings and other public places. The app is compulsory in many locations; people have to download the app and scan the QR codes provided at the places they are visiting. This applies to many locations including workplaces, educational institutes, healthcare facilities, hotels, banks, malls, and sport centers. Users can utilize the SingPass Mobile app to scan the QR code, use SafeEntry’s check-in function to choose from a list of nearby locations, or have their National Registration Identity Card (NRIC) scanned in case they do not have a phone that can scan the QR code.
TraceTogether was updated in early June 2020, and those who have updated the app to its new version have been required to re-register with their identification numbers. GovTech reasoned that users’ personal data are required to use the app, because it would allow close contacts to be identified faster and more accurately. The updated TraceTogether app also includes a unique NRIC/FIN barcode scanner that allows users to experience a quicker check-in at stores, buildings and other locations that use SafeEntry. Following the update of TraceTogether and the introduction of SafeEntry, the Singapore government also introduced a new approach for contact tracing, which was a contact tracing wearable device known as the TraceTogether Token. The key features of the token include:
- Unique QR code that is personalized for the recipient’s individual use only
- Works by exchanging Bluetooth signals with other TraceTogether Tokens or mobile phones running the TraceTogether app nearby
- Data will be encrypted and kept in the TraceTogether Token for no more than 25 days
- Users will be alerted by an authorized officer from the Ministry of Health (MOH) contact tracing team if they were detected to be a close contact of a COVID-19 patient
- Battery life of 6 to 9 months and does not require any charging
- No GPS and therefore does not capture geolocation data – it captures only proximity data from other TraceTogether tokens or TraceTogether apps via Bluetooth technology
- No Internet or cellular connectivity, so the encrypted data cannot be remotely extracted from the TraceTogether Token. The user will be contacted for the data download only if they are confirmed to test positive with COVID-19
- Convenient, lightweight, and easy to use
When a user is suspected to have COVID-19, the data from the token will remain in the token until the individual has been confirmed to be COVID-19 positive. Only upon confirmation will the data be extracted by authorized contact tracers from the MOH for contact tracing purposes. Only a small number of personnel will have access to the data. Balakrishnan also assured the public that there will not be a giant database which will hold the data collected by the token devices. Furthermore, since the tokens do not have internet connectivity, users’ data cannot be extracted without their knowledge. The data that is uploaded will be protected by the public sector data security recommendations. All the officials involved will be held accountable under the Official Secrets Act. The government also stated its intention to carry out an audit to prevent any data breach. In early July, some 10,000 tokens were delivered to senior citizens who are the first group to use the devices.
Later in August, two bidders – first, a consortium comprising Siix Singapore Pte Ltd and iWOW Pte Ltd; and second, PCI Private Limited – were awarded the tender to design and manufacture subsequent batches of the TraceTogether Tokens. Siix Singapore is an electronics distributor, and iWOW is a wireless connectivity solutions firm. PCI is an electronics manufacturer that was awarded the tender for the first batch of the tokens. The production cost of the token is reportedly around SGD $10, which was reduced from $20 in the first batch.
On September 9, the MOH announced that TraceTogether Tokens would begin its distribution nationwide starting on September 14, 2020, and is expected to be completed by November. According to the announcement, the MOH also introduced a plan to enhance SafeEntry, in which the proximity data collected from TraceTogether would be supplemented to SafeEntry. The pilot program, called TraceTogether-only SafeEntry or “TT-only SafeEntry”, was planned to take place at selected venues where activities are considered higher risk, for example, large-scale business events. Under the program, people are required to use the TraceTogether app or TraceTogether Token (together called the TraceTogether (TT) Program) with SafeEntry installed to check in to the venue. This pilot program aimed to prepare the country with the necessary security measures before allowing events with no more than 250 participants to take place.
On September 14, 2020, TraceTogether Tokens were distributed. More than 100,000 devices were collected as of October 4, 2020. The tokens can be collected at community centers/clubs or TraceTogether Mobile Booths. The government also launched a website, Token Go Where, to provide information about where the tokens can be collected and how to collect and care for the tokens. As of October 4, 2020, the adoption rate of TraceTogether reportedly reached 2.4 million users, which is equal to 40 percent of the population.
The SNDGO announced on October 2020 that TraceTogether check-ins or “TT-only SafeEntry” (TT-only SE) would become compulsory at public venues by the end of December 2020. These public venues include cinemas, restaurants, workplaces, schools, and shopping malls. In the venues that implement the TT-only SE, visitors would not be able to enter them by scanning SafeEntry’s QR codes with a phone camera, the SingPass mobile app, or the bar code on the NRICs. Instead, they would have to enter by using either the TraceTogether app to scan the venue’s QR code or have the entry staff scan the QR code on the TraceTogether Token. This announcement was made as part of the country’s preparation for Phase 3 of its re-opening. The scheme aims to have at least 70 percent of the population to participate in the country’s digital contact tracing efforts. Following the distribution of the tokens nationwide, it was reported that the percentage of TraceTogether users has increased to 45 percent since the beginning of October. As of October 22, 2020, it was reported that about half of the population was on the TraceTogether platform.
The Singapore government announced on December 23, 2020 that the TraceTogether Tokens will start to be distributed at schools. The announcement was made after the government stated that the all schools in Singapore would start the “gradual implementation” of TT-only SE from December 1, 2020 onwards.
On January 4, 2020, during the parliament, the Singapore government announced that data collected from TraceTogether would be able to support local law enforcement for criminal investigations according to the Criminal Procedure Code. As it has been addressed that the situation might violate the Privacy Policy of TraceTogether which originally stated that the data collected would be used for public health only, the Policy has been updated on the same date following the announcement. The following sentences were added;
“TraceTogether data may be used in circumstances where citizen safety and security is or has been affected. Authorized police officers may invoke Criminal Procedure Code (CPC) powers to request users to upload their TraceTogether data for criminal investigations. The Singapore Police Force is empowered under the CPC to obtain any data, including TraceTogether data, for criminal investigations.”
Following the nationwide distribution of the tokens that started in September, 2019, it is reported that more than 4.2 million people or 78 percent of the population has participated in the TraceTogether Programme as of January 4, 2020, The percentage of the population that engages in the TraceTogether Programme is likely to continue increasing as the tokens is still undergoing distribution.
B. Implications on Surveillance and the Right to Privacy
The COVID-19 pandemic has proven to be an exceptional situation. In response to the pandemic, the development of Singapore’s digital contact tracing efforts raises three significant issues. These are identified as (1) technical vulnerabilities and lack of transparency , (2) people are targeted en masse as newer approaches of contact tracing are introduced, and (3) the lack of policy enforcement to protect personal data and the right to privacy in the face of more invasive digital contact tracing.
1. Technical vulnerabilities and lack of transparency
When TraceTogether was first rolled out, the government assured that people’s right to privacy was not at risk by providing details about how the app would work and making clarifications on the myths surrounding the app. The decision by GovTech to release the reference implementation of the BlueTrace Protocol, OpenTrace, was welcomed by experts as it helped them to examine the software behind the app.
A study revealed that OpenTrace uses Google’s Firebase service, a Google-backed application development software that enables developers to develop iOS, Android and Web apps in order to store and manage the data of users. This means that Google is also a main party, apart from the MOH, that is involved in handling data transmitted from the app. OpenTrace was also found to use Firebase Analytics, a development platform that enables the IP-based location of devices installed with TraceTogether to be tracked by Google.
Concerns over privacy have also been raised due to the fact that the temporary ID is generated by the MOH’s server; the MOH also holds the private key to decrypt the data. The temporary ID generated from the server can protect the user’s privacy from other app users and cybercriminals. However, the function does not protect the app users from authorities. As the MOH can decrypt and read the information stored in the server, it can link the temporary IDs to the real identity of users. This can allow mass surveillance to happen.
The temporary IDs that are generated using MOH’s key also uses reversible encryption which is not the optimal security option. If the MOH key is compromised, any given temporary ID can be reversed to reveal both the User ID and the timestamp which can reveal a lot of information. All of this information is processed via Google’s cloud server; this means that even though MOH personnel may have limited access to the information, Google can still access it. Following the release of the 2.0 version which required people to re-register with their national ID number, more concerns have been raised over the privacy aspects of the TraceTogether app. The requirement of the ID number contrasts with the privacy assurances of the authorities, as this information is clearly personal identifiable information (PII). There have been no significant updates to OpenTrace since the release of TraceTogether’s 2.0 version at the time of the writing.
Altogether, the SafeEntry app collected more data than TraceTogether. SafeEntry collected more data, as it is compulsory in many places including offices, schools, shopping malls, restaurants, and sport facilities. This makes its use unavoidable for many people. The app has also been integrated into SingPass which is a system used by the majority of people who live in Singapore as it provides them convenient access to e-government services including tax payment. Since the use of SafeEntry is compulsory in many places, people are left without other options but to follow the requirement. SafeEntry can also scan people’s NRIC/FIN if they do not have a phone that works with QR code scanning. Unfortunately, there is not much information available for SafeEntry, especially from independent sources regarding how the privacy and personal data collected by the app are managed. As the lockdown in Singapore is easing and more places are re-opening, there are concerns over the privacy of some vulnerable groups, including LGBTQI+ and HIV-positive people. As Singapore society leans towards conservative attitudes, sensitive places like specialized clinics, gay bars, or some religious places can be risky for those who wish to visit these places anonymously.
The mandatory requirement for migrant workers to use and activate TraceTogether is an example of how minorities may be more vulnerable to surveillance compared to the majority of the population. Many migrant workers in Singapore are of South Asian origin, and are usually discriminated against due to their migrant status. The number of COVID-19 positive cases in Singapore hit its peak in April, 2020, a large number of cases of which were recorded from migrant workers living in already cramped and unsanitary dormitories. As part of the government response to the situation, migrants workers are required to download TraceTogether, while the app is still voluntary for the general population. However, the use of any contact tracing app should always be voluntary regardless, and this policy should apply to all people indiscriminately. Prior to the pandemic outbreak in the workers’ dormitories, the government had been warned by some groups that the spread of COVID-19 among migrant workers would be unavoidable due to their living conditions. However, no known precaution was taken to prevent the incident from happening. The enforced digital contact tracing approach that has been applied to migrant workers may not work to curb infections unless appropriate remedies, such as adequate distancing and timely testing, are put in place.
Before the TraceTogether token was distributed, the government invited a small number of independent technical experts to test the device. Even though their comments were positive, privacy gaps persist. The time of examination was short as the experts were reportedly given only about an hour for testing the token. A suggestion for improvement would be to have the tokens examined by a broader selection of individuals and organizations. There is also still a lack of transparency about the storage, generation, exchange, storage, and validation of IDs. In order to have secure ID validation, cryptographic algorithms are needed. In the case of the TraceTogether Tokens, there is still a lack of transparency in many areas.
One issue requiring greater transparency is the cryptographic algorithms. Ordinarily, any cryptography used in a system should be well-known and peer reviewed. Only the keys are usually kept secret. It is easier to gain users’ trust when cryptographic algorithms are known; scrutiny usually helps improve security woes found in the system. In the case where the cryptography is not available for scrutiny, concerns are raised over the security of the device.
As the tokens have to be small and portable, while the battery must have a long life (as it is not rechargeable), they require the use of a low-power processor. The design creates a technical limitation as it prevents the use of any high-powered encryption algorithm. Encryption is necessary for validating that the device is an official token and not an inauthentic device. To enhance its security, the TraceTogether Tokens system needs to be broken down so that each function can be adequately examined.
Given the aforementioned concerns, there have also been the lack of official human rights impact assessments (HRIA) and privacy impact assessments (PIA) on the current contact tracing efforts, especially as these types of efforts deal with mass data. Any data breach or misuse of collected data may have severe adverse consequences, especially for children, LGBTQ+, people with HIV, and people who are considered to be against the regime. While the government would like to combat COVID-19, a balance has to be made between tackling an infectious disease and protecting privacy. Even though the government claims that digital contact tracing efforts would make contact tracing more effective, it is still not clear as to how effective the digital contact tracing efforts have been in supporting traditional contact tracing. These technical vulnerabilities and the lack of transparency are especially important to address as the TraceTogether Program, which encompasses both the TraceTogether app and TraceTogether Token, has been made mandatory for all people in Singapore to use.
2. Targeting people en masse as newer approaches are introduced
When observing the digital contact tracing systems that have been rolled out by the Singapore government, it appears that newer systems are introduced to overcome the challenges found in previous product releases, as well as broadening the coverage of digital contact tracing, i.e. including more people in the digital contact tracing efforts. While digital contact tracing is expanding, certain aspects of consent are somehow being pushed aside. Following the low adoption rate of TraceTogether, the government implemented SafeEntry and the TraceTogether Token with the idea to trace people en masse while also overcoming the technology limitations found in TraceTogether. Apart from the low download rate of TraceTogether, the incompatibility of the app with iOS devices was also an issue that makes the app ineffective.
SafeEntry is compulsory in many places, especially those where people visit on a daily basis, such as offices and schools. The app has enabled the digital contact tracing effort while overcoming the challenges found in TraceTogether. As SafeEntry has a QR code check-in and check-out system, it does not face the same challenges as TraceTogether, because it does not rely on Bluetooth technology. It also has not experienced the same difficulty as TraceTogether, which was incompatible with the Application Programming Interface (API); as a result, SafeEntry is able to run in the background on iOS devices without issue. Furthermore, as SafeEntry is compulsory in many places, it is able to collect data from a greater number of people compared to TraceTogether. SafeEntry’s function is also able to accommodate people who are not able to use QR codes on their phones by scanning their identity cards as an alternative.
Regarding the TraceTogether Token, the introduction of this device has made it possible for the government to overcome the technical limitations found with TraceTogether on iOS devices. The token is also targeted towards those who do not have smartphones, or compatible smartphones, such as children and elderly people. Children can be particularly vulnerable when the privacy protection measures in the tokens are not transparent. They are also unlikely to make a careful consideration for themselves whether they would like to use the device. These concerns are important as the TraceTogether Program has now been made mandatory for all people in Singapore to use, which will likely enable the government to successfully target the majority of the population in its digital contract tracing approach.
3. Lack of policy enforcement
Although Singapore has its Personal Data Protection Act (PDPA) in place, the 2012 law still needs improvement. Under the law, personal data is defined as “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access”. The government has previously stated that the government agencies operate differently, and therefore they are not governed by this law. Passed in 2018, the Public Sector Governance Act is a separate law that specifically addresses the role of public agencies based on the government’s claim that personal data has to be “managed as a common resource within the public sector.” Many questions were raised by Members of Parliament regarding the practicality of a number of the Act’s provisions. In 2019, the Public Sector Data Security Review Committee (PSDSRC) was appointed. However, it is not known how the Act would be applied to the protection of the personal data collected by the TraceTogether and SafeEntry apps, and the TraceTogether Token.
The Singapore government gave assurances in June 2020 that contact tracing devices and applications would only be used for pandemic control but announced in January 2021 that it would also be used for criminal investigations. Following the situation that authorities can obtain data collected from TraceTogether for criminal investigations, a device that was first designed with a claimed objective to tackle the pandemic can easily turn out to a surveillance device. Critics of the governments have also potentially become more vulnerable to surveillance as their efforts to exercise the right to freedom of expression can also be considered as a crime in Singapore. In November 2020, a Singapore activist was charged for a one person “illegal assembly” where he held up a sign with a smiley face. Singapore’s Criminal Procedure Code does not distinguish the seriousness of crimes for the purposes of investigation. Investigation into one murder case using TraceTogether already took place before the January 2020 announcement in Parliament.
As its contact tracing efforts continue to be rolled out, the Singapore government should consider having a specific regulation to legislate how privacy and personal data are treated by digital contact tracing. This includes specifying which kind of data digital apps are allowed to collect, how this data should be processed and stored, and who has control of it. Preventive measures should also be in place to prevent data breaches. These measures are necessary in light of the country’s history of various government’s data breaches. SingPass experienced a breach in 2014 in which approximately 1,500 accounts were affected. The biggest data leak to date in Singapore occurred in 2018 when the data of around 1.5 million people collected by SingHealth, a cluster of public healthcare institutions, was breached due to the lack of basic security. Other reasons why it is difficult for people to trust the government on privacy protection arise from Singapore’s use of controversial technology such as facial recognition throughout the island, as well as allegedly having been found to use surveillance technology provided by controversial private companies such as Gamma International.
C. Conclusion and Recommendations
Singapore was one of the earliest countries to roll out digital contact tracing apps to the public. However, this was done so hastily that there are still gaps in terms of privacy and security. From the TraceTogether app to the TraceTogether Token, digital contact tracing efforts have improved to cover an increasing number of people. However, the voluntary aspects of these apps have been pushed aside following the low adoption rate of the TraceTogether app when it was first rolled out. At the time of the writing, there is still no information about the effectiveness of either TraceTogether or SafeEntry in terms of the number of cluster infections identified from the apps.
Transparency is also an issue. The changes in the TraceTogether app means that it now requires more personal data from users, but its security cannot be independently verified. These changes have raised concerns over privacy since there has been no update about the release of the code of the TraceTogether 2.0 version. There is also no transparency on how SafeEntry operates, nor is there information from verified technical experts about its security and privacy. Regarding the TraceTogether Token, there are still areas that need to be more transparent.
The history of human rights abuses and surveillance in Singapore, previous data breach incidents that were not handled properly, and legal loopholes make it difficult for people to place trust in the digital contact tracing efforts of the government. It is not only the specific digital contact tracing efforts, but also the government that people do not trust when it comes to ensuring that their personal data can be kept safely and will not be used for other purposes. As the TraceTogether Program is made mandatory for all people living in Singapore, the technical vulnerabilities and lack of transparency are especially concerning as people are required to provide their personal data. These concerns are further heightened due to the lack of policy enforcement mechanisms to oversee how the data is collected, and to ensure that it will not be used for surveillance or exposed to a possible data breach.
In order to build trust from the people as well as to ensure that digital contact tracing efforts respect individual privacy, it is recommended for the Government of Singapore to take the following actions:
- Release the actual source code of the TraceTogether in its latest updated version. As it is likely that the app will continue to receive more updates in the future, the code should also be regularly updated along with the app.
- Issue a specific regulation requiring all its digital contact tracing efforts to protect the right to privacy. The regulation should stipulate what data is allowed to be collected, ensuring that only the most minimal and necessary data is collected. It should also state how personal data is to be stored and processed, as well as the retention period of that data. The regulation should also apply to all stakeholders, especially state parties. The legal channels for remedies should also be clear for any potential violation of users’ privacy.
- Conduct human rights impact assessments (HRIA) and privacy impact assessments (PIA) on the TraceTogether Program which contains of TraceTogether app and TraceTogether Tokens and make these results publicly available.
- It is not recommended for the TraceTogether Token to be distributed to children due to the many existing privacy gaps in the token. Children are also a very vulnerable group whose right to privacy should be protected at all costs.