However you see it, the fact that TraceTogether can be used by the Singapore police to investigate so-called “serious” offences looks bad. This is not how you build trust.
To be sure, the revelation yesterday that the contact tracing data meant for fighting Covid-19 has been used in a murder investigation should be no surprise.
The Criminal Procedure Code, which grants the police broad powers to ask for “any document or other thing” for investigations, has been in place all this while.
That said, citizens had genuinely thought that TraceTogether was an exception. In a crisis, they wanted to trust the government in the fight against a deadly disease. They cooperated in good faith.
Minister-in-charge of the Smart Nation programme, Dr Vivian Balakrishnan, had given them an assurance last year.
He said the data collected was solely for contact tracing. He even went to lengths to explain that the TraceTogether token did not have GPS tracking or 4G connectivity so the data stayed in there.
Trust, after all, is built through concrete actions and here was a great attempt to do that. Independent experts were invited to tear down the token to verify what was inside.
Dr Balakrishnan now admits he had not thought of the wide-ranging powers that the police has in seizing data, including what’s on a TraceTogether token or app.
Trying to reassure citizens today, he explained that the data might be needed for serious crimes such as terrorism or murder.
Now, nobody will argue against the police having the right tools to combat these serious crimes, but what else might be considered serious crimes besides murder and terrorism?
Currently, the police have the authority to ask for data that is desirable or necessary for any investigation, inquiry, trial or other proceeding under the Criminal Procedure Code.
Dr Balakrishnan has said he is open to hearing suggestions to legislative changes. One way to fix this is to introduce amendments that require a stricter standard for the contact tracing data to be released for police investigations.
Already, the law spells out different types of data and who can ask for them. An officer with or above the rank of sergeant may ask for regular documents or data but an inspector or higher-ranking officer is needed to make a request for customer information from a financial institution.
So, clearly, some forms of data are considered more sensitive and important to citizens and thus require a higher bar for the police to access.
Can a similar provision be made for contact tracing data that citizens are providing for public health purposes? Perhaps a public prosecutor would be needed to make a case for access to that data.
The issue here goes beyond TraceTogether. Realistically speaking, the token or app holds limited data, compared to, say, your phone, which tracks your whereabouts and holds your private messages.
But what about other data that the government regularly collects from citizens? There surely have to be better safeguards than simply telling citizens to “trust us”.
With tighter legislation, you get more transparency, which helps build trust. Remember, without citizen buy-in, the fight against Covid-19 is going to be so much tougher. Privacy and trust are not mere conveniences here.
Another way to build trust is to set up an independent ombudsman’s office, of sorts, to look into data protection in the public sector.
It can represent citizens by recommending better practices and suggesting legislative amendments to better safeguard private data. Let’s be clear, citizens deserve better than this letdown.
Ironically, winning over citizens was exactly what the TraceTogether team had tried to do. What a pity. This episode is a reminder that trust is hard earned; sadly, it is also quickly lost.
There is “nothing much to worry”. Any users of Google & Apple devices already enable the authorities with the right correct level of ‘access & security clearance” to track any of the devices. Even without the TT App or Token, our devices are already emitting WIFI & BlueTooth beacons in our quest for “free wifi’ and bluetooth streaming of music.
The TT token & TT App today, listen for all BlueTooth becons. Your device/App might record 100 BLE nearby, and maybe more than half will be untraceable directly as they might not be on the TT database. However, with proper clearance and supply chain mgt, they could trace to the first purhcaser/owner of the device, unless it was reported stolen.
In the old computing days, we were given network cards (Especially Token Ring), where we need to change/clone the MAC address in order to access the SNA (nor SAN), network of the mainframes & AS/400…