Contact tracing data and function creep: A case study in Singapore

By Sarah Bakar, Lisa Hooper and Chong Shao

In March 2020, upon the World Health Organisation’s declaration of the COVID-19 pandemic, Singapore became one of the very first countries to launch a contact tracing app to manage the spread of COVID-19. By October 2020, it became mandatory for citizens to either download the app onto their smart phone or carry an electronic token.

Timeline of events

  • March 2020

    Launch of TraceTogether – the digital system for contact tracing

  • April 2020

    Launch of SafeEntry – national digital check-in system 

  • October 2020

    Launch of BluePass – a specifically-designed contact tracing device for migrant workers

  • January 2021

    The country’s widely-used COVID-19 contact tracing application TraceTogether made international headlines after Minister of State Desmond Tan revealed during a parliamentary session that data collected through the TraceTogether app fell under the purview of the country’s Criminal Procedure Code and as such the data can be used for criminal inquiries. The Minister’s comment means that police can use data from the TraceTogether, SafeEntry and BluePass systems in criminal investigations unrelated to COVID-19 contact tracing efforts. Soon after this statement, it was revealed by another minister that such data had in fact already been used in a murder investigation.

    These revelations caused a public backlash.

  • February 2021

    In its attempt to rectify the situation, the government passed a law to restrict the use of the data: the COVID-19 (Temporary Measures) (Amendment) Bill. 

COVID-19 (Temporary Measures) (Amendment) Bill

The law allows for the personal data collected by a digital contact tracing system to be used for investigation into “serious offences”. Digital contact tracing systems include the three main ones noted above. 

The bill defines serious offences to include unlawful use or possession of explosives, firearms or dangerous weapons; any offence relating to terrorism; any offence relating to causing death or concealment of death; a drug offence that is punishable by death; kidnapping, abduction or hostage-taking; and any offence involving serious sexual assault such as rape.

As of January 2021, it is estimated that 4.2 million people or 78% of residents have downloaded the app. This is a significant number, illustrating how eager the public was to cooperate with the government in tackling COVID-19 but, more importantly, just how vast the amount of available data is. However, the revelation that contact tracing data had already been used by enforcement authorities caused a public outcry, with people calling out the government and some even deleting the app altogether. It is important to note that this revelation came 10 months after the launch of the app, and after users had been continuously assured that the data would only be used for contact tracing.

Function creep and its consequences

The pandemic triggered an emergency situation throughout the globe, creating urgency for governments to manage and respond effectively. As such, contact tracing apps emerged quickly, including in Singapore. However, the data generated by such apps has become a tempting honeypot for law enforcement.

On the one hand, the enactment of the Bill shows that the Singaporean government is explicitly limiting the (secondary) use of contact tracing data. On the other hand, as it comes 10 months after the launch of TraceTogether, the Bill can also be viewed as a way for the government to attempt to regain the public’s trust and fix its reputation after it was obvious that the public felt betrayed and cheated.

This is yet another lesson that the mishandling of data will no longer go unchecked by the public, even, as in the case of Singapore, by a population that tends to be deferential to its government.

Privacy should not be undermined for the sake of other worthy but unrelated goals. There are consequences not only for the individuals involved, but also the broader public health goals of the government. Given that the effectiveness of contact tracing apps depends on the number of people who use them, public trust and confidence that their privacy will be respected is a key ingredient to controlling the pandemic.

Needless to say, this function creep will not be the only one of its kind as valuable data continues to be collected for contact tracing across the world. In light of this, we strongly advocate for the inclusion of Privacy By Design in the development of such apps, to ensure that privacy is not left as an afterthought.

This can include explicit purpose limitations on the use of data, as well as built-in data retention limits to prevent a honeypot situation. New South Wales’ COVID Safe Check-In tool is a good example of this – individuals’ details can only be used for contact tracing purposes, and if no such action is taken, their details are permanently deleted by Service NSW after 28 days.

COVIDSafe - A turning point for privacy?

By Malcolm Crompton and Chong Shao

The Australian Government’s COVIDSafe app has been met by both widespread scrutiny and widespread adoption. Is the app safe? Is the public’s response revealing the true Australian character? Are the privacy fears overblown? The picture is fascinating when you step back and look at what this app says about privacy in Australia both now and going forward.

Making the grade

Let’s address the most important thing upfront: the app appears to be mostly sound from a privacy and security perspective. Contrary to the FUD (fear, uncertainty and doubt) swirling around – no, the app does not collect any location information; no, it does not “track and monitor” you at all times (contrary to existing apps in other countries). Here is a good explainer on how the app actually works. 

The Australian Government commissioned a Privacy Impact Assessment from a law firm which it has published. From our perspective, the key privacy protections are:

  • The layers of opt-in consent and control built into the app, from registration to uploading information to the National COVIDSafe Data Store

  • Access to the information in the Data Store will be strictly limited to health officials in the States and Territories, and the purpose will be strictly limited to COVID-19 contact tracing and notification – these restrictions will be backed by federal legislation

  • All data held in the Data Store will be deleted at the end of the pandemic – this is very important because retaining information is a necessary feature of the centralised model (as opposed to the decentralised model proposed by the Apple-Google partnership), which could lead to potential misuse or compromise of the information.

There are some remaining issues where more clarification would be welcome:

  • What will be the arrangements that govern how State and Territory officers use the gathered information? What will be the mechanisms for oversight, enforcement and responding to failure in those jurisdictions?

  • The government has stated that it will introduce regulations to prevent police and other government agencies from accessing the information collected by the app. This is a good move to increase trustworthiness, but will it extend to national security agencies (as it should)? Will it extend to State and Territory police forces?

  • Why the delay in the promised release of the source code, and will the source code of the inevitable updates also be released? Has it been sufficiently security tested?

  • Can we be sure about the assurances that Amazon Web Services will abide by Australian law rather than US laws should the US demand (secret) access to the data?

  • Why hasn’t there been wider consultation with interested parties beyond the chosen federal agencies? Will there be such consultations from now on?

The big missing piece

While the app’s privacy protections are commendable, as always, the proof of the pudding is in the eating. A recent post by the UK Information Commissioner, summarising the discussions of more than 250 participants from the privacy domain on the use of technology to combat the pandemic, highlighted the importance of governance and accountability processes.

This is where we think the government’s current implementation is lacking. For example: how will we know that only the right people are accessing the information and using it for the right reasons? How will we know that the information will be deleted once the pandemic is over? How secure is the system – in the exchange of Bluetooth signals, the information in transit to and from the Data Store, and information at rest in the Data Store?

The PIA recommends additional independent assurance and testing from security experts, and to make this publicly available. This should extend to all aspects of data handling by participants in the ecosystem including Commonwealth, State and Territory agencies as well as private sector participants such as Amazon.

To maximise privacy and trust, the government should not only make the right promises, but also (i) explain how it will keep them and (ii) demonstrate, via expert and independent validation, that they are indeed being kept.

The creation and the creator

We have observed an interesting dichotomy in the responses to the COVIDSafe app. There is widespread recognition, even from usually sceptical voices, that the app is not especially problematic from a privacy perspective. At the same time, there is a general sense of concern about a new method of data collection by the Australian Government. The problem is not with the creation, but with the creator.

It would be an understatement to say that the government has a chequered past with respect to privacy and data handling (see here for a recent history lesson). This has resulted in a trust deficit where anything it proposes is subject to negative publicity. So far, adoption rates indicate that many Australians are willing to try the app notwithstanding the government’s track record. 

Is this because of the objectively strong privacy measures implemented and promoted by the government? And/or is this because of the extraordinary circumstances we are in, with Australians doing their part to help combat the pandemic and hasten the reopening of our society? It may be too soon to tell, although it is fair to hypothesise that both are playing a role.

Our hope is that this augurs well for future government initiatives, that the Australian Government will take lessons from the positive response to the app – achieved through a combination of taking privacy seriously (including legislatively) and appealing to public solidarity. This represents a break from its past behaviour and could serve as the new and better precedent going forward.