Why I have yet to install TraceTogether, Singapore’s COVID-19 contact tracing app


In a perfect world with complete trust in Government, every Singaporean would download the TraceTogether App to assist in national COVID-19 contact tracing efforts. Thus it is unfortunate that some of us do not yet have the requisite level of trust.

Unfortunate firstly because it seems like our brilliant techies engineered an app that has sufficient safeguards for those concerned about government surveillance.

The location and nearby-contact data sit on your phone, and are accessed by MOH only in specific COVID-19 circumstances with the user’s consent; TraceTogether is quite clearly designed to assuage privacy concerns, to allay fears of Big Brother.

The technical solution is so elegant and light, in fact, that governments around the world have asked us for the source code. Now that is something for Singaporeans to be proud of, not some humdrum comment by Barbra Streisand.

(All that said, an oversight by the TraceTogether team has just been exposed, reconfirmed directly by a contact of mine at GovTech. The original app included in its build wogaa.sg, a government data collection service, which means that TraceTogether collects more data than necessary and compromises its supposed anonymity and 21-day data hygiene. Thankfully GovTech is working to remove wogaa, a standard feature in such products, in TraceTogether’s next iteration. However the oversight, specifically the team’s unconscious acceptance of code that collects and sends your data to the government, is worrying for those of us concerned about social conditioning to surveillance. Separately, Digital Reach has also raised concerns in an article titled “TraceTogether: Disassembling Was Not Easy to Verify the State’s Privacy Claims”.)

For us not to download TraceTogether is also unfortunate because this pandemic is akin to a war with shadowy enemies such as ISIS. It is a time when some suspension of civil liberties, including privacy, may be warranted.

Many civil rights advocates will disagree. After all, we are living in an era of creeping authoritarianism around the world, when individuals seem to be unwittingly signing away their rights to Big Government and Big Tech. Yuval Harari articulates many of these concerns in “The World after Coronavirus”.

Nevertheless, there does appear to be a more conscious acceptance, especially during this COVID-19 period, of the need for intrusions into our private lives when it comes to dire issues of national security.¹

The important caveat is that there must be accountability and transparency regarding the intrusion, and any other suspension of civil liberties, in order to prevent abuse. There must be appropriate societal checks and balances, whether through independent commissions, government watchdogs or the media. Citizens need to know that we can seek redress for any injustice or suffering because of the intrusion.

And this is where Singapore fails.

There are countless episodes in our history that prove the point. The most obvious one is the alleged Marxist Conspiracy of 1987.

That year Singapore’s Internal Security Department (ISD), under orders from the People’s Action Party (PAP) leadership, arrested twenty-two Singaporeans, a mix of activists, church and social workers, and theatre performers. The government accused them of plotting a Marxist conspiracy to overthrow the state. They spent different amounts of time in prison, the longest three years, without ever being charged for anything. The ISD tortured some of them into making false confessions (so they claim).

Lee Hsien Loong, Singapore’s prime minister, and most others in parliament then, including K Shanmugam and Goh Chok Tong, have maintained these allegations. However people such as politicians Tharman Shanmugaratnam and S Dhanabalan, former attorney-general Walter Woon, and Singapore’s pre-eminent historian Mary Turnbull have raised doubts about them.

Many of us believe Tharman and the latter group. If they are right, this suggests that the alleged Marxist Conspiracy was a horrible attempt by the PAP to fix its perceived opponents.

What is the relevance of all this to TraceTogether? Well, put another way, it appears that in 1987, the ISD relied on intelligence unethically gathered, including its knowledge of friend networks, to help the PAP execute a dastardly political manoeuvre.

For TraceTogether, on the one hand, GovTech has told us about its privacy safeguards and about the special circumstances under which MOH can request data. On the other, GovTech reports to the Prime Minister’s Office (PMO), helmed by the same person—take note, Barbra—who helped oversee the Marxist Conspiracy manoeuvre.

What assurances do we have that PMO (or ISD) will not somehow obtain and abuse the TraceTogether data sent to MOH, the same way personal network and contact data was (seemingly) abused in the arrest and detention of the “Marxist Conspirators”?

To be clear, this is not to suggest that TraceTogether is vulnerable or has a “backdoor”, or that it was cobbled together for some Orwellian purpose. There is widespread acceptance of its virtuous intent.

Rather, it is a belief that the dominant political forces have, can, and will abuse democratic norms for their own ends, with little recourse for victims or unsuspecting handmaidens.

To think of it another way, the technologists’ brilliance is clouded by their political masters’ (perceived capacity for) chicanery.

What can we do to rectify this situation? In the short term, not much. We are in the middle of a pandemic and have far more important things to do. (Like hold an election.)

But in the longer term, techies, policy wonks and others, this is what you can do: lobby your leaders and representatives, make sure they understand the need for accountability and transparency.² Perhaps we need a Commission of Inquiry into the alleged Marxist Conspiracy? And systematic declassification of documents after X years?

Only when Singaporeans trust the integrity of the entire socio-political process will we easily get buy-in for (seemingly defensible) surveillance. Some argue that surveillance in Singapore is already so widespread that any marginal risk from TraceTogether is negligible. Perhaps, but there is a fundamental difference between a government spying on its citizens and citizens voluntarily capturing and sending data whose integrity might later be compromised. Moreover, TraceTogether’s use of Bluetooth provides an additional level of granularity not otherwise available (say, through regular mobile phone user data).

So we need to have these conversations before the next crisis, natural or man-made, which probably won’t be far off. We need to nurture a society which, in the words of writer Jolene Tan, does not instinctively pooh-pooh claims of state abuse.

On that note, it is sad to see several on the pro-TraceTogether side dissing privacy advocates: “Oh you think you are so important that the G wants to track you?” Ad-hominem attacks like this only poison otherwise genuine exchanges.

The very essence of a panopticon, in fact, is to blur the lines between irrelevance and importance, to ensure that everybody excessively self censors. Singapore’s history is littered with examples of persecuted people—from the “Marxist” church workers to Jolovan Wham, social worker currently in jail for a Facebook post criticising the judiciary—who might have hitherto been considered by many to be “unimportant”.

Without doubt, GovTech deserves praise for TraceTogether, a nifty, well-intentioned addition to our COVID-19 arsenal. But one hopes GovTech can appreciate Singapore’s broader socio-political environment; and the numerous ethical issues we must work through, together, before such initiatives can achieve broad success here.

“Technology does not exist in a vacuum,” as a friend says. “The values and past histories of those who make it and own it influence how a technology will be perceived and accepted/resisted.”

***

¹ Countries everywhere, from Israel to South Korea, have implemented or are considering enhanced measures, which might worry civil rights activists, in order to deal with COVID-19.

² Nobody is under any illusions that this will be easy. Given Singapore’s one-party dominance, there seems very little political impetus for this sort of accountability and transparency.

Note: I have yet to install TraceTogether. Am undecided. Ultimately, with countries everywhere rolling out their own contact tracing apps, we may all be forced, by custom or otherwise, to install it. (For the sake of our species! Gosh, are we there yet?)

Nevertheless, with a lot of misinformation and straw man arguments out there, it is important that people in GovTech and elsewhere understand the reasons for resistance among some Singaporeans. I hope this piece is read in that spirit, not as some attempt to undermine an impressive technology intervention to a public health crisis.

***


9 thoughts on “Why I have yet to install TraceTogether, Singapore’s COVID-19 contact tracing app”

  1. Well said, Sudhir. I think it is important also to view this in conjunction with the Singapore judicial view that all evidence before the court may be taken into consideration, even if improperly obtained. With the existence in a government database of such location and association data, this mixes a very lethal cocktail.

  2. Someone put it very aptly: it is an app, not a vaccine. So people should not be throwing shade at those who choose, for one reason or other, not to install the app. I for one have a very old hand-me-down iPhone 5 with a battery that is running on 50% capacity (yes, yes, I should send it in to swap out a replacement battery) and the iOS app needs to have the app running with the phone unlocked (I was told). So I have decided not to install the app and as I am one who logs my activities every day and who I met and I wear a mask when out in public space, so that contact tracers would likely thank me for a relatively easy task, app or no app … *touch wood

      1. Thank you for the article. I think SG also needs to up testing level to match South Korea’s – the app seems to give the false reassurance that I just need to continue my daily routine as someone will contact me if something is not right – whereas we need to be going about with the awareness that I may be the carrier and so need to modify behaviour to reduce spread. I see the same problem with the messaging about no need to wear mask unless sick. Hopefully, that is taking a turn to wear one if you can make one – and there are lots of resources to get one home-made.

  3. Good article Sudhir! Hope this helps people to think about the issues you have raised.
    How are you and Liling coping? I guess you are not really in lockdown as we are or the family in Malaysia. We are currently at level 3 which means no going out unless absolutely necessary! Most people are working from home but schools are supposed to reopen on the 14th but who knows, they may change their minds unless there is a significant decrease in cases.

    Do take care and may God bless you both richly. I can’t tell you how much I enjoy your articles and books – always interesting and somewhat challenging! Thank you.

    With love always,
    A Sharon

    1. No personally identifiable info is collected regularly, true. However, if you are suspected/confirmed of being a carrier, MOH will request for your data. (Failure to comply may be punished.)

      It is at that point that MOH may get access to more personal info of you and your network. And once MOH has that data, the risk I worry about is that it will be shared and used unethically for other purposes–as has been done in different circumstances in the past in Singapore.

      In other words, the risk I see is not in the app per se, but in the broader socio-political environment and lack of safeguards for mission creep and other abuses of state power.

      Hope that’s clear, thanks for seeking clarification!
      S

  4. From Joshua Loo on my Facebook wall:

    > There is of course a political problem of trust, but I think in this case there is also a non-political solution. As you note, the source code can be published. Now, we can make sure that the source code does nothing nefarious by reading it. All that is required is then to make sure that the app installed on the user’s phone comes from that verified source code. There are a variety of ways of doing this, some of which would probably be infeasible for mass usage. However, F-Droid has had a pretty good stab at making a fairly usable system for downloading Android apps that also ensures that the downloaded app is verifiably compiled from publicly available source code.¹

    > Importantly, it isn’t necessary for every user to understand this process—indeed, I don’t fully myself; all that is needed is for a sufficiently large community of people to pay attention, which in this case I imagine could be anyone with a CS undergrad degree or who has some knowledge of the process of building Android apps: any nefarious circumvention of the process would be fairly easy to spot, because the source code wouldn’t match.

    > Of course there are vulnerabilities in this process, but I should think that if such a system were implemented they would probably not exceed existing vulnerabilities either in severity or scale. Governments already manipulate telcos, Google already bamboozles its users into consenting to granting them their complete location history, and social networks already have a pretty good idea of the people with whom we interact. Computer systems are so complex and contain so many subsystems that a sufficiently motivated and resourced adversary will successfully penetrate any system—that’s why the Americans can’t stop China from obtaining blackmail-worthy information about millions of employees in sensitive government positions. This isn’t to say that we should just throw our hands up in the air and do nothing—unmitigated, the risks of universal uptake of Trace Together would represent something meaningfully worse than the status quo. Nevertheless I think the tradeoff becomes much more palatable with reproducible builds.

    As Sudhir pointed out in replying, there are two possible problems.

    One possible problem is misappropriating data—the MOH receive some data to do contact tracing, and then someone else in the government seizes it for some other nefarious purpose. You can’t really do anything about that. (Perhaps there is something with blockchains and so on but I doubt it—if there is I don’t understand it!)

    The other problem is that the app could surreptitiously seize all sorts of data whilst pretending not to.

    As I realised on rereading the initial post, the problem Sudhir was actually pointing out was not the second problem but the first. However, it is the second that F-Droid would stop (modulo vulnerabilities due to human error etc. etc.) Nobody would be able to modify the app to covertly obtain data without it becoming apparent that the app users download differs from the source code it’s supposed to come from.

    The two problems are not entirely unconnected, however. We might be willing to grant a tracing programme access to some data even if other agencies could seize it—provided that we knew exactly what data we could assume was available to the entirety of the government. That is what something like F-Droid could ensure.
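
The check described in the comment above, that the app people download matches a build made from the published source, comes down to comparing two APK files entry by entry. The sketch below is an added example, not part of the original post or comments and not F-Droid's own tooling; the sample archives, file names and function names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# JAR (v1) signature files legitimately differ between a signed release and a
# local rebuild. The v2+ signing block is not a ZIP entry, so zipfile skips it.
SIGNATURE_FILES = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or SIGNATURE_FILES.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_apks(distributed, rebuilt):
    """Report entries added, removed or changed relative to the rebuild."""
    dist, ref = entry_digests(distributed), entry_digests(rebuilt)
    return {
        "added": sorted(set(dist) - set(ref)),
        "removed": sorted(set(ref) - set(dist)),
        "changed": sorted(n for n in dist.keys() & ref.keys() if dist[n] != ref[n]),
    }

def make_apk(entries):
    """Build a constructed, APK-shaped ZIP in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample: what a reviewer gets by building the published source.
SOURCE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-from-source"}
REBUILT = make_apk(SOURCE)
# Constructed sample: identical content plus the distributor's signature files.
SIGNED_OK = make_apk({**SOURCE, "META-INF/MANIFEST.MF": b"m",
                      "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"c"})
# Constructed sample: distributed build with altered code and an extra asset.
TAMPERED = make_apk({**SOURCE, "classes.dex": b"dex-modified",
                     "assets/analytics.js": b"collect()"})

if __name__ == "__main__":
    print(compare_apks(SIGNED_OK, REBUILT))
    print(compare_apks(TAMPERED, REBUILT))
```

An empty report only means something if the rebuild itself is deterministic, which is the property reproducible builds provide.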
