The Progress Singapore Party (PSP) member Harish Pillay has weighed in on the recent revelation of police being given access to data collected from TraceTogether (TT) programme for criminal investigations, which was announced by Minister of State for Home Affairs Desmond Tan in Parliament on Monday (4 January).
During the Parliament session, Mr Tan explained that police is empowered under the Criminal Procedure Code (CPC) to get hold of any data, and that includes the data gathered from TraceTogether.
Responding to this, Mr Pillay expressed in a post published on his blog on Wednesday (6 January), that he felt “let down” by the Government for going against its earlier assurance that TT will solely be used for contact tracing purposes in order to contain the spread of COVID-19 in Singapore.
During a Multi-Ministry Taskforce (MTF) press conference on 8 June last year, Education Minister Lawrence Wong, who co-chairs the MTF, and Minister-in-charge of the Smart Nation Initiative Vivian Balakrishnan both stressed that data from the TraceTogether app and token would not be used for anything else other than for the purposes of contact tracing.
Dr Balakrishnan was quoted saying then: “TraceTogether app, TraceTogether running on a device, and the data generated is purely for contact tracing. Period.”
Before that, on 5 June last year, Dr Balakrishnan gave the same response to MP Murali Pillai in Parliament when the latter questioned the confidentiality of the data collected.
Despite initially saying that TT will only be used for the purposes of contact tracing, Dr Balakrishnan clarified in Parliament on Tuesday (4 January) that police can get TT data for criminal cases.
Commenting on this, Mr Pillay suggested that a bill should be introduced to exempt TT data from Criminal Procedure Code (CDC), only for as long as this pandemic lasts.
“It is time bound and very specific and targeted. I am very sure, the police investigators would not need additional TT Data to help with their investigations,” said Mr Pillay, who works with global open source communities and government technology policy makers in driving policies and setting direction for open source technologies that are driving disruptive changes globally.
He continued, “I do not, honestly, think that excluding CPC access to this data will hinder criminal investigations. The records are valid only for 25 days and the accused person could have deleted the app and hence data,” adding that other means like CCTVs and phone records can help police gather information for criminal cases.
Technical aspects to TT App, TT token and SafeEntry
In the post, Mr Pillay, who is the founder of Red Hat Singapore, extensively explained about the technical aspects of TT App, TT token and SafeEntry (SE), and how data gathered from these three platforms may not be very helpful to the police when it comes to investigating a criminal case.
The PSP member explained that TT contact data is stored at three different places – the TT App’s database, exchanged IDs from other phones or tokens, and the Ministry of Health (MOH) or GovTech servers.
He went on to note that only the last 25 days of contact data remains in the user’s phone’s database, and all that information will be only sent to MOH or GovTech if the person is infected with COVID-19 given that actual contact tracing needs to take place.
Based on this, Mr Pillay said that there are different scenarios in which the TT data may not be useful for the police.
Some of the scenarios include criminal deleting all data from their phone, or deleting the app altogether and destroying the token, as well as police apprehending them after 25 days of committing the crime. All these situations will bring the police to a deadend in their investigation even with the access of TT data, Mr Pillay said.
Separately, he also highlighted that the SE is not an accurate indicator of individuals who have been in close contact with a COVID-19 patient since it only scans the QR code of a location.
“Nothing in SE suggests proximity to others other than perhaps time of scanning of the QR code – which is still not a accurate indicator because the QR scanning could be done at entrance of the facility and the person does not enter but leaves,” he said.
If that’s not all, the PSP member also voiced concern on GovTech assuring one’s privacy as it does not track location.
“Now, while the large granularity of SE’s location information is still there, the fact that one has to use the TT App for that, does throw some caution to the statement from GovTech that TT App honours privacy in that it does not track location.
“This exclusive functioning of SE scanning only via TT App, does taint the TT App’s privacy stance – even if it does not actually store the location info in the phone,” he said.
“SE broke the privacy fallacy/bubble and it is indeed disappointing to see how TT App with SE has evolved.”