Singapore's contact tracing application Trace Together as presented by the Ministry of Communications and Information on March 20, 2020. Image: Facebook

SINGAPORE – When Singapore rolled out TraceTogether, a smartphone app and physical token that uses Bluetooth technology for contact tracing, assurances were given at the highest official levels that personal data collected would be used solely to combat the Covid-19 pandemic.

Harish Pillay, a software engineer and transparent technology advocate, was an early supporter of the government-developed app who emailed the minister in charge of the initiative last March to volunteer his services and request that the program’s source code be shared “to ensure that [the app] does what it claims to do.”

Vivian Balakrishnan, the minister in charge of Singapore’s Smart Nation initiative, accepted Pillay’s offer and released the source code, allowing developers from around the world to pick apart a technology that has become vital to the city-state’s successful coronavirus containment strategy.

“There was trust asked for at the start of the program,” said Pillay, who joined the TraceTogether campaign and publicly endorsed its use. “Many people, like me, felt that it was clear and transparent and [were] supportive. I was happily stating that I feel confident and comfortable with the safeguards.”

Now, Pillay says he feels like he was let down. In January, Minister of State for Home Affairs Desmond Tan revealed to Parliament that TraceTogether data could, in fact, be accessed by the Singapore Police Force for criminal investigations under the country’s broad Criminal Procedure Code (CPC) provisions, which allow police to obtain any form of data. He said app-collected data had already been used in a murder investigation last May.

The revelation triggered strong criticism from many Singaporeans who questioned why the government had not been forthright about the use of data from the onset. Authorities initially said the app’s contact tracing data was encrypted, stored locally and would only be accessed if individuals tested positive for Covid-19.

In a country where state surveillance is pervasive and average citizens don’t generally take an activist stance on privacy issues, the public uproar that ensued took authorities off-guard, forcing not only an acknowledgment that the government had made a mistake but also the swift passage of new legislation to restrict the use of TraceTogether data.

A TraceTogether token that enables quick tracking of people who have been exposed to confirmed Covid-19 cases. Photo: AFP

“The TraceTogether saga struck a chord because the lack of full disclosure spoke to the overarching issue of trust,” said Eugene Tan, an associate professor of law at Singapore Management University. “There is growing awareness in Singapore of data privacy and how indiscriminate data collection and use can constitute a risk to one’s safety and wellbeing.”

Offering a rare apology, Balakrishnan, who is also Singapore’s foreign minister, said during an address to Parliament this month that he took “full responsibility” for the government’s error and had not initially realized that TraceTogether data was accessible by police under CPC provisions.

“What we had in mind was digital contact tracing. We were not at all trying to create a surveillance tool,” said the minister. “I’m sharing this with you so that you understand that there is nothing to hide… and I deeply regret the consternation, the anxiety that was caused by my mistake.”

In a bid to restore trust in the program, new amendments to existing legislation were passed in Parliament on February 2 that limit police access to contact tracing data strictly for instances where “serious offenses” are being investigated, including rape, kidnapping, murder, terrorism, or drug offenses that in the city-state are punishable by death.

Authorities say the legislation intends to “remove any doubt about what personal contact tracing data can be used for.” Singapore’s government has also vowed to stop using contact tracing systems once the pandemic is over, with the bill explicitly requiring public agencies to stop collecting data at that point and delete all personal information collected.

“Authorities clearly felt the need to shore up public confidence and trust on data collection and use by the state,” said Tan. “The new law seeks to assuage public unhappiness…and engage head-on the public concerns about the use of TraceTogether data by circumscribing when and how the police can access that data.”

Opposition leader Pritam Singh, chief of the Workers’ Party (WP), offered his support for the amendments and encouraged the public to continue using the app, stating that while he preferred TraceTogether data to be used only for contact tracing purposes, the legislative changes constituted a “significant reduction” of the CPC’s wide ambit.

But the fact remains that authorities in Singapore ultimately chose to formalize law enforcement agencies’ ability to access contact tracing data, rather than carve out an exemption in keeping with originally given assurances, which observers say were aimed at assuaging privacy fears and promoting wide adoption of the app.

A Government Technology Agency staff demonstrates Singapore’s contact-tracing smartphone app TraceTogether on March 20, 2020. Photo: AFP/ Catherine Lai

“The Singapore government never misses an opportunity to increase its already overbearing surveillance of its people, so it’s not surprising they are doubling down on their expanded use of data collected from this app,” said Phil Robertson, Asia deputy director for Human Rights Watch (HRW).

Opposition lawmakers and critics have questioned whether the relatively limited data from TraceTogether, which works by swapping anonymous pings with other devices to generate a list of close contacts, would be useful to police investigators who already have several tools at their disposal under the CPC to gather physical evidence and conduct investigations.

Rights groups and privacy advocates also see the controversy setting an international precedent for governments, some of which have used TraceTogether’s underlying application protocols in their own contract tracing apps, to normalize the use of contact tracing data for non-pandemic purposes.

That is more so given that Singapore has found itself in a global leadership position for its gold standard Covid-19 response, winning praise from the World Health Organization (WHO) and serving as a preferred global venue for safely hosting events like the World Economic Forum (WEF), which will hold an in-person summit in the city-state later this year.

Pillay said that while the episode had “significantly eroded the trust factor” between citizens and the government, he believes authorities were “right to correct the mistake and put up a defined set of exceptions” for when data can be accessed. But the software engineer claims authorities have still fallen short on their initial open source commitments.

While the original source code for TraceTogether was published by the Government Technology Agency, which jointly developed the app with the Ministry of Health (MoH), the source code for subsequent updates that added several additional features and prompts to input personal information has not been made public.

“For all the good work done at the start, the commitment to open sourcing did not persist in spite of me pushing for it repeatedly,” Pillay lamented, accusing the government of “open-washing”, or essentially paying lip service to digital transparency in a bid to boost initially lukewarm uptake of the app following its launch last March.

Cinemagoers downloading the TraceTogether app on their mobile phones to check-in before entering Shaw Theatres at JCube mall on October 31, 2020. Photo: AFP

Only around 20% of Singapore’s population, or 1.1 million people, had downloaded and used the app within the first month. In October, the government indicated plans to make TraceTogether mandatory for entering schools, shopping malls and public places, and its adoption rate has since shot up to more than 80% of the city-state’s 5.7 million people.

Amid the controversy, at least 350 people have reportedly asked for their contact tracing data to be erased from government servers since January. Over 390,000 people began using TraceTogether over the same period, which suggests that the debacle has not significantly impacted public participation in the contact tracing program.

But with Singapore prioritizing digital innovation and technology as part of its Smart Nation initiative, observers say citizen data-dependent projects could struggle in future to secure public buy-in. Demands for further legislative safeguards on government use of personal data could also gain resonance as the city-state pushes its digital transformation agenda.

“Singaporeans will increasingly take government pronouncements about anything to do with their mobile phones and personal data with a grain of salt because the government’s mendacity was caught out this time,” said Robertson. “Next time, rather than just taking the minister at his word, Singaporeans will insist on seeing the fine print.”