The Singapore government has confirmed that data from its coronavirus contact tracing app TraceTogether can be used by law enforcement for criminal investigations. Speaking in the country’s parliament on Monday, Desmond Tan, Minister of State for Home Affairs, said the Singapore government is empowered under the Criminal Procedure Code to obtain TraceTogether data for criminal investigations.
Tan was responding to a question by Christopher De Souza, a politician for Holland-Bukit Timah Group Representation Constituency (GRC). De Souza had asked whether TraceTogether data will be used for criminal investigations and whether there are any legal provisions and safeguards when the authorities use such data.
Gerald Giam of the Workers’ Party asked if this violates the TraceTogether privacy statement, which stated that data shared with the Ministry of Health will only be used for contact tracing of people possibly exposed to COVID-19. In response, Tan said that while TraceTogether is conceived and implemented for contact tracing, the government does not “preclude the use of TraceTogether data in circumstances where citizens’ safety and security is or has been affected, and this applies to all other data as well“.
Privacy policy changed to reflect police access
TraceTogether’s privacy policy was changed on January 4 i.e. Monday to add a paragraph about how police can invoke the law to use data collected by the app. The update says that “authorised police officers can request users to upload their TraceTogether data for criminal investigations”.
“TraceTogether data may be used in circumstances where citizen safety and security is or has been affected. Authorised Police officers may invoke Criminal Procedure Code (CPC) powers to request users to upload their TraceTogether data for criminal investigations. The Singapore Police Force is empowered under the CPC to obtain any data, including TraceTogether data, for criminal investigations.” — An update to the privacy safeguards made on January 4 on the TraceTogether website
Tan said that stringent measures were in place to safeguard personal data on the app, including access to only authorised officers for authorised purposes. Public officers who recklessly or knowingly disclose the data without authorisation, or misuse the data, may be fined up to S$5,000 or jailed up to two years, or both, Under the Public Sector (Governance) Act.
In a strange response to a follow-up question from De Souza about data deletion of witnesses, Tan said the data of witnesses and not criminals would be extracted. Here is a transcript of the conversation:
Christopher De Souza: In an investigation, there are suspects and there are witnesses. In the event that TraceTogether information is used of a witness, would there be the possibility of deletion of this information if the investigation does not yield anything or if it comes to a close? I’m trying to draw the difference between a witness and a suspect.
Desmond Tan: Data will only be taken from the individual… In a criminal case where here is a suspect and a witness. We will extract the data from the witness. However for individuals that are suspects or under investigation, data will not be extracted for the purpose of security.
Earlier this year, Vivian Balakrishnan, Minister-In-Charge of the Smart Nation Initiative, had said that TraceTogether data would be extracted only if the user is infected by COVID-19.
About TraceTogether; mandatory use for accessing public venues
Singapore’s TraceTogether app and wearable — released in March and June respectively — uses Bluetooth signals to identify phones in proximity. It then tracks when one was in proximity to another person by recording the timestamps. The app uses the country’s own internally developed contact-tracing protocol Bluetrace. “The protocol relies on a centralised reporting structure wherein a user’s entire contact log is uploaded to a server administered by a government health authority,” according to Engadget.
The app and token is now used by 80% of the country’s 5.7 million population, per BBC; downloads surged after authorities began pushing for mandatory check-ins via the apps in nearly all public venues. In the past few months, the Singapore government had said it would gradually make checking in with the app or token at all public venues mandatory, via a feature called TraceTogether SafeEntry. The TraceTogether app includes a function for users to scan SafeEntry QR Codes that are displayed at venues. The token comes with a QR Code that can be scanned to get entry.
SafeEntry was going to become the only way to access any public venue, including restaurants, workplaces, schools and shopping malls; nationwide distribution of tokens on September 14. Last month, the deadline for implementation was moved from December to early 2021. The government itself had set one of the requirements of moving to the next phase of reopening — allowing larger gatherings for religious, marriage, and in commercial areas — as achieving a 70% onboarding of the TraceTogether app and token.
As of December 21, the 70% or 3.8 million people were using the TraceTogether app or token. In October, the Singapore government said TraceTogether SafeEntry should exclusively be used to resume large activities and reopen the economy.
The Smart Nation and Digital Government Office of the country said: “In order to resume larger-scale activities and further reopen our economy in a safer manner, TT-only SE will be progressively expanded to more venues. The use of TT-only SE will provide added assurance that everyone present at these larger-scale activities is better protected by effective contact tracing through participation in the TT Programme.”
