Singapore Govt. justifies COVID-19 trace app data use by the police
Desmond Tan, Minister of State for the Ministry of Home Affairs and the Ministry of Sustainability and the Environment, has justified the Singapore Police Force being empowered under the Criminal Procedure Code (CPC) to obtain any data, including TraceTogether (TT) data, for criminal investigations.
In a reply to a Parliamentary Question on whether TraceTogether data will be used for criminal investigations, Minister Tan said the Government is the custodian of the TT data submitted by individuals, and stringent measures are in place to safeguard this personal data.
“Examples of these measures include only allowing authorised officers to access the data, using such data only for authorised purposes, and storing the data on a secured data platform,” stated the Minister. “Under the Public Sector (Governance) Act, public officers who recklessly or knowingly disclose the data without authorisation or misuse the data may be liable to a fine of up to S$5,000 or imprisonment of up to two years, or both.”
The TraceTogether program comprises the TraceTogether App and the TraceTogether Token. The App was released on 20 March, and the Token was rolled out on 28 June 2020.
According to the website, the privacy-preserving Bluetooth contact tracing functions of the App and the Token are similar. With a citizen’s consent, the device exchanges encrypted and anonymised Bluetooth signals with nearby TraceTogether devices. The Bluetooth data exchanged does not contain any personally identifiable information, and the data is automatically deleted after 25 days.
The only identity data the program stores is:
- Contact/mobile number
- Identification details
- A random anonymised User ID e.g. 9I8VPeQeWDofj39c8dPySoUXLqh2
When a user signs up, a random User ID is generated and associated with the user's contact/mobile number and identification details. Identification details are needed to help the Ministry of Health (MOH) contact the right person. The contact/mobile number, identification details, and User ID are stored on a secure server and are never shown to the public.
Although GPS location data is not collected, TraceTogether uses Bluetooth to approximate the distance to other TraceTogether devices.
The lack of a persistent identifier means it is impossible for third parties to identify or track users. Users can request that their identification data be deleted from the servers, unless their proximity data has already been uploaded to the Government server as a confirmed case.