Countries vowed to restrict use of COVID-19 data. For one government, the temptation was too great

February 1, 2021, 9:21 AM UTC

In early 2020, as the coronavirus began to ricochet around the world with terrifying consequence, Harish Pillay decided to do whatever he could to help stop the spread.

The software engineer, who lives in Singapore, heard the government was designing an app to track the virus so he emailed the minister in charge and asked how he could help. He was part of a fellowship of developers and engineers who volunteered their services, ready to pitch in on a solution.

“The problem was being solved by creating this tool, but there were aspects of trust and confidentiality which also needed to be addressed,” said Pillay, who has worked on Red Hat’s open-source software much of his career and fervently believes in transparent technologies. “We understand all of these things. Let the community help you do the right thing.”

In the beginning, Singapore was held up as a model for other nations. As the government encouraged people to download the TraceTogether app to their smartphones, it published the source code and promised strict limits on data use. Developers from around the world pitched in to hone and debug it in real time.

Now the early optimism is fading. Public support took a hit after authorities disclosed in January that police had used the app’s data in a murder investigation — only months after the minister in charge vowed it would only be used for COVID containment. The government issued a rare apology. But rather than back down, it plans to formalize the ability of police to access such data in specific cases, introducing the proposed legislation in parliament Monday.

Pillay had put aside his politics as a member of the opposition Progress Singapore Party to be part of the TraceTogether campaign, but he’s become concerned.

“I felt disappointed,” he told Bloomberg News. “The trust factor that was there was reduced.”

Now Singapore could become a very different kind of model. After countries from the U.S. to Australia to Israel collected reams of data during the pandemic, largely with public support, they may start to see uses for that information beyond the original intent.

“Singapore is saying to other governments, with a wink and a nod, that we’ve done it and you can do it too,” said Phil Robertson, the deputy director in Asia for Human Rights Watch. “Many countries look to Singapore as a success story, so they think whatever Singaporeans do must be good, and that’s a problem.”

Singapore has tried to explain the changes. The legislation would allow access to contact tracing data under seven categories of serious crime including murder, rape and drug trafficking. In response to queries, a government spokesperson referred to Minister Vivian Balakrishnan’s comments in January.

“The police must be given the tools to bring criminals to justice, and protect the safety and security of all Singaporeans,” he said at the time. “Especially in very serious cases, and where lives are at stake, it is not reasonable for us to say that certain classes of data should be out of reach of the police.”

He added that TraceTogether data is automatically purged after 25 days and that the whole program will be retired once the COVID-19 pandemic is over.

A government minister said in January TraceTogether is used by about 78% of Singapore’s residents, or about 4.2 million people. A smartphone app and token use Bluetooth technology to gauge the distance between users, allowing the government to notify them if they’ve been in contact with someone who’s tested positive for the virus.

Initial acceptance from the general public was sluggish, with downloads of the app hovering at around 20%. The slow pace paralleled a general wariness that coursed through the region, amplified by breaches in data security that governments in other countries struggled to address.

In South Korea, private sector contact tracing apps became increasingly invasive – one provided the exact location of every place of business or home visited by a positive case – and government workers are able to review hundreds of hours of surveillance camera footage and go through mobile phone and credit card transactions to track people down.

In China, a digital website reported last December that hackers were able to breach Beijing’s health code system and access government ID numbers and sell them online; such ID numbers are used to access a person’s COVID-19 test records.

There has been pushback from the public. In Thailand, the government was forced to walk back a threat from the spokesman for the government pandemic center that anyone found to have tested positive without downloading the virus tracking app would face jail time.

In Malaysia, the health ministry mandated businesses destroy the personal records of visitors to their premises within six months after government-ordered tracing ended.

In Israel, the Supreme Court banned the country’s intelligence agency from using technology to track COVID-19 cases.

In Australia, federal legislation was passed to prevent data collected in the country’s COVID app from being used for any purposes beyond contact tracing.

The World Health Organization has issued guidelines to governments on the “ethical” considerations of using tracking technologies for contact tracing. Member states are obliged to develop surveillance systems to capture “critical data” to monitor the virus, “while ensuring that such systems are transparent, responsive to the concerns of the communities, and do not impose unnecessary burdens, for example infringements on privacy,” the guidance issued in May 2020 reads.

One major risk from governments seeking to expand their use of COVID-19 tracking data is that people will be deterred from participating.

“Is this one of the laws of unintended consequences where it reduces the usage rate and be worse for society?” said Troy Hunt, an information security expert and the creator of the data breach aggregation service, “Have I Been Pwned.”

He points out that governments can present virus technologies as benign and then reverse legislation or regulations later. The risk of Singapore’s move is that it shows not just governments, but citizens as well, how easily changes can be made.

“There is a slippery slope, where data retention periods are increased because it does add value to law enforcement, and suddenly the scope of the privacy risk changes so much more,” he said.

Singaporeans tend to be sanguine about such moves when it comes to their government, but unusually forceful arguments have broken out over the proposed legislation. When one local posted online that he thought concerns were overblown and privacy overrated, he triggered fierce blowback.

“The government is using COVID-19 as an excuse to put in place social engineering and public surveillance platforms and policies that ordinarily would never have been considered nor publicly palatable,” wrote Andy Wong, a 27-year-old freelance defense writer and risk analyst. “I wonder how many sane foreigners will want to work in a country like that.”

He wrote that Singapore, with its high quality of life and tough government, is sometimes described as Disneyland with the death penalty, but he worries it will become “North Korea with a smile.”

The episode is “a massive betrayal of trust for ordinary citizens like myself,” he told Bloomberg News.

Jonathan Kok, an intellectual property lawyer in Singapore, said there was limited value to the data that police could get from the contact tracing app for their investigations. A person’s interaction history provided circumstantial evidence at best, he said.

“So, the data has really limited use. I’m just surprised why the police want to go through all that trouble to collect data when it only shows you who that person was with within the last few weeks or so,” he said.

“Many people have written in and said they may just turn on the device when they need to go out instead of having it run all the time. That’s not going to help the national effort to contain the virus,” he added.

As for Pillay, he spent his compulsory national service as a police officer, so he understands the context of using the data in rare and exceptional cases. But police have plenty of other ways to get data for their investigations, including CCTV footage and cellphone tower records.

“It’s less than ideal to have specific instances where the TraceTogether data could be accessed,” he said. “This will be a tarnished gold standard.”