No surprise here. TraceTogether can be used for purposes other than COVID-19 contract tracing needs. It was revealed in parliament yesterday that the police can, indeed, obtain TraceTogether data for criminal investigations. The same is likely true for SafeEntry data too.
TraceTogether, along with SafeEntry, are fantastic ways to track people. In fact, it’s probably every government’s dream to have such a capability to track everyone in the country. The health safety needs brought about by the COVID-19 pandemic has made such mechanisms essential, when during ordinary times, privacy concerns would have made them quite hard to sell.
However, after the Singapore government had put in so much effort to convince the public that TraceTogether doesn’t invade your privacy, and that its data is used only for contract tracing purposes, we are now getting confirmation of the obvious. The police can use the data for criminal investigation purposes.
Desmond Tan, Minister of State for Home Affairs, responding to a question by Holland-Bukit Timah GRC MP Christopher de Souza, said that the police are empowered by the Criminal Procedure Code to obtain TraceTogether data for criminal investigations. (Yahoo News: TraceTogether data can be used for criminal investigations: Desmond Tan)
An update to the privacy statement on the TraceTogether website yesterday has clarified that authorised police officers may invoke powers in the Criminal Procedure Code to request (or perhaps compel might be a better word) users to upload their TraceTogether. This ought to be for criminal investigation purposes only, or at least that’s what we can hope.
However from a technology perspective, it is easy to see how TraceTogether can be misused to perform passive contact surveillance. Dummy tokens can be planted in any area of interest, or everywhere, to collect contact information. Since the location of these dummy tokens are known, the location of those learned contacts is also known. This location information can arguably by more accurate than GPS data. The best thing is that no data upload needs to be compelled, since the dummy tokens are already in the hands of the government (or police, or whoever runs this covert passive monitoring network).
This scenario is entirely possible from the start. But it had seemed that our government was trying very hard to convince everyone that there is no invasion of privacy. They got experts to tear part the TraceTogether token, and they posted the source code of the TraceTogether app. The doubters will, of course, still say none of that means anything. They have a point. But I liked to believe that TraceTogether was meant to for a good purpose.
Catching criminals is a good thing too. In the grand scheme of things, one could argue that such use of the data by the police is legitimate and justifiable.
However, I do feel disappointed seeing this charade fall apart. If not for COVID-19, it may be alright to extend use for other health emergencies and crisises. I think to open the data up to the police for criminal investigrations is too much a stretch, and not congruent with how TraceTogether had been marketed to serve.
I liked to have believed that TraceTogether would be a completely different, independent, system that lived outside of the usual legal and data-sharing frameworks that most other things are subject to. I liked to have believed that TraceTogether would be used soley to keep everyone safe during this COVID-19 pandemic, exactly like how it has been marketed to us, and not used for any other purposes.
TraceTogether was to be an extraordinary tool needed during these extraordinary times. While it is still a much needed tool, to now say it is just like any other data that the government is custodian of, some trust is going to be lost, and its efficacy in contact tracing could be compromised.