By Sarah Bakar, Lisa Hooper and Chong Shao
In March 2020, upon the World Health Organisation’s declaration of the COVID-19 pandemic, Singapore became one of the very first countries to launch a contact tracing app to manage the spread of COVID-19. By October 2020, it became mandatory for citizens to either download the app onto their smart phone or carry an electronic token.
Timeline of events
March 2020
Launch of TraceTogether – the digital system for contact tracing
April 2020
Launch of SafeEntry – national digital check-in system
October 2020
Launch of BluePass – a specifically-designed contact tracing device for migrant workers
January 2021
The country’s widely-used COVID-19 contact tracing application TraceTogether made international headlines after Minister of State Desmond Tan revealed during a parliamentary session that data collected through the TraceTogether app fell under the purview of the country’s Criminal Procedure Code and as such the data can be used for criminal inquiries. The Minister’s comment means that police can use data from the TraceTogether, SafeEntry and BluePass systems in criminal investigations unrelated to COVID-19 contact tracing efforts. Soon after this statement, it was revealed by another minister that such data had in fact already been used in a murder investigation.
These revelations caused a public backlash.
February 2021
In its attempt to rectify the situation, the government passed a law to restrict the use of the data: the COVID-19 (Temporary Measures) (Amendment) Bill.
COVID-19 (Temporary Measures) (Amendment) Bill
The law allows for the personal data collected by a digital contact tracing system to be used for investigation into “serious offences”. Digital contact tracing systems include the three main ones noted above.
The bill defines serious offences to include unlawful use or possession of explosives, firearms or dangerous weapons; any offence relating to terrorism; any offence relating to causing death or concealment of death; a drug offence that is punishable by death; kidnapping, abduction or hostage-taking; and any offence involving serious sexual assault such as rape.
As of January 2021, it is estimated that 4.2 million people or 78% of residents have downloaded the app. This is a significant number, illustrating how the public was eager to cooperate with the government in tackling COVID-19 but more importantly just how vast the amount of data available is. However, the revelation that contact tracing data had already been being used by enforcement authorities caused a public outcry with people calling out the government and some even deleting the app altogether. It is important to call out that this revelation came 10 months after the launch of the app, and after users were continuously assured that the data will only be used for contact tracing.
Function creep and its consequences
The pandemic triggered an emergency situation throughout the globe, creating urgency for governments to manage and respond effectively. As such, contact tracing apps emerged quickly, including in Singapore. However, the data generated by such apps has become a tempting honeypot for law enforcement.
On the one hand, the enactment of the Bill shows that the Singaporean government is explicitly limiting the (secondary) use of contact tracing data. On the other hand, as it comes 10 months after the launch of TraceTogether, the Bill can also be viewed as a way for the government to attempt to regain the public’s trust and fix its reputation after it was obvious that the public felt betrayed and cheated.
This is yet another lesson in how mishandling of data will no longer go unchecked by the public, even for a population who tends to be deferential to their government in the case of Singapore.
Privacy should not be undermined for the sake of other worthy but unrelated goals. There are consequences not only for the individuals involved, but also the broader public health goals of the government. Given that the effectiveness of contact tracing apps depends on the number of people who use them, public trust and confidence that their privacy will be respected is a key ingredient to controlling the pandemic.
Needless to say, this function creep will not be the only one of its kind as valuable data continues to be collected for contact tracing across the world. In light of this, we strongly advocate for the inclusion of Privacy By Design in the development of such apps, to ensure that privacy is not left as an afterthought.
This can include explicit purpose limitations on the use of data, as well as built-in data retention limits to prevent a honeypot situation. New South Wales’ COVID Safe Check-In tool is a good example of this – individuals’ details can only be used for contact tracing purposes, and if no such action is taken, their details are permanently deleted by Service NSW after 28 days.