In a blog post on 28 March, a Singaporean coder raised concern on data privacy from the recently introduced contact tracing app called TraceTogether, suggesting that the app sends user data to a government data collection service.
Recently, SGUnited, GovTech, and the Ministry of Health (MOH) introduced TraceTogether for Singaporeans to track close contacts.
The app uses Bluetooth to identify other nearby phones with the app installed. It then tracks the distance between users that are in close proximity. If the need arises, the information will be used to identify close contacts based on the proximity and duration of an encounter between users.
Upon hearing about the app, Kevin Chu, a coder and software developer, decided to satisfy his curiosity by testing the app to see how it works. However, Mr Chu noticed something was amiss regarding the data collection process of the app.
While he was going through the code, he saw that the app was using Firebase Analytics and Crashlytics. Although he hinted that “it is common for apps to use these two analytics libraries to track user engagement and app crashes”, he pointed out that the “inclusion of such libraries undermines the developers’ goal to keep data collection minimal”.
What’s more, Mr Chu also spotted another library that was included in the app called Snowplow Analytics. He said it was the first time he heard about it, and a quick Google-search showed that it is an open-sourced analytics platform with traces leading to an obscure domain “snowplow-mobile.wogaa.sg“.
Wogaa is a government data collection service that logs users’ IP addresses, device type, carrier, location, etc.
Interestingly, it turns out that wogaa.sg is actually a government data collection service.
“The FAQ on wogaa describes itself as ‘a centralized internet-facing government platform to analyze and improve digital services’. A quick look at wogaa’s documentation tells me that it can log user ip addresses, device type, carrier etc and deduce the user’s location based on this information. With this library packaged in the app, there’s no point in anonymising any information because your data is logged on another service anyway.” said Mr Chu in his blog post.
Next, he used a proxy to intercept the requests to wogaa to find out what data is sent back. From what he gathered, there were 19 requests sent to wogaa – from download to setup.
A raw request can be viewed here.
“Clearly, some parts of the app’s FAQ are wrong. I went back to the press releases and tried to verify statements about the app. On data hygiene, I found that all data is uploaded even if the data is older than 21 days. There is no code to purge local data beyond a certain time,” noted Mr Chu.
After that, he contacted the team behind the app to ask them about his findings.
“Their response was that wogaa is built by the same team and it’s standard practice to include wogaa in their products. They overlooked the fact that the app is sending more data than necessary so they’re removing wogaa and working to purge local data after 21 days in the next update,” Mr Chu wrote.
He complimented the team for their effort, saying that “they are a team with great intentions”. He went on to recommend users to install the app after the update has been rolled out to ensure there are no grey areas surrounding users’ data privacy.
“Otherwise, this app is a great initiative to improve our contact tracing efforts,” Mr Chu concluded.
App’s FAQ section says data collected is anonymised and encrypted, and is used to improve the app
Referring to the app’s FAQ section, which was updated on 1 April, it is said that with users consent, TraceTogether exchanges Bluetooth proximity data with nearby phones running the same app. “However, this data is anonymised and encrypted, and does not reveal your identity or the other person’s identity. Also, this data is stored only on the user’s phone.”
Additionally, it is also stated that anonymised analytics data is used to improve the app. “TraceTogether collects anonymised analytics data about your device and app (e.g. device model, app version) to help us improve the app to work across different phone models.
TOC has reached out to the team at TraceTogether to verify if Mr Chu’s concern has been properly addressed with the removal of wogaa and purging of local data after three weeks, and have yet to receive a reply.
Meanwhile, there doesn’t seem to be any update on Mr Chu’s blog since he voiced his concern on this issue last Saturday (28 March).
