Singapore’s Contact Tracing Wearable Causes Privacy Backlash

singapore contact-tracing devices privacy

Thousands have signed a petition that underscores data privacy issues with Singapore’s newly announced contact-tracing wearable, in development.

Singapore’s announcement that it is developing a wearable for contact tracing has caused citizens to voice concern for the technology’s impact on their data privacy, with more than 35,000 signing a petition against the devices.

On Friday during a parliament session, Vivian Balakrishnan, Minister-in-Charge of the Smart Nation Programme Office initiative and Minister for Foreign Affairs, said the wearables would help Singapore’s 5.7 million citizens track whether they were exposed to someone who has tested positive for the virus.

Previously, Singapore had created a contact tracing app, TraceTogether, which uses Bluetooth mobile phones’ functions to detect other phones nearby and track the spread of the virus (which Balakrishnan said has been voluntarily downloaded by 1.5 million users). However, this app came with a slew of road bumps. Only those who had phones could participate, for instance, and even those with phones reported various interoperability issues.

The soon-to-be-rolled-out wearable devices aim to solve these glitches by allowing users to report their health conditions and then use Bluetooth to detect the conditions of others nearby — sans mobile phones. Balakrishnan said, “if this portable device works, we may then distribute it to everyone in Singapore”; however, he did not clarify whether the government would make the wearable mandatory for citizens.

Singapore residents rebuked the technology over the weekend, with a petition called “Singapore says ‘No’ to wearable devices for COVID-19 contact tracing” rejecting the development of the device.

“With a failed smartphone app already scrapped, the Singapore government is implementing a wearable, always-on contact-tracing device under the guise of tracking interactions with those afflicted by COVID-19,” Matt Gayford, principal consultant at the Crypsis Group, told Threatpost. “Officials have stated that the device will only use Bluetooth’s proximity function and will not rely on GPS or cellular data for the purposes of contact tracing. Some may find this comforting; however, others may fear it is only lip service.”

Wilson Low, who started the petition, in a Sunday post voiced concerns about the wearables potentially allowing contact tracers to locate users’ whereabouts based on their proximity to others’ phones, cell towers or potentially other wearable devices themselves.

“We reject what could potentially be a new form of apartheid (those who wear devices being unable to interact, commune or live with those who reject the devices),” said Low. “Thus, we continue to send a strident and unwavering voice to any actor or authority that the preservation of our rights and freedoms will not be predicated upon the adoption of any wearable tracking device by the general population of Singapore.”

In response to concerns aired out on his Facebook page, Balakrishnan stressed that the devices would not track user locations, but would instead use Bluetooth proximity data to collate “prolonged, close” contacts. The data would then be encrypted on users’ personal devices and erased after 25 days, he said.

In a follow-up press conference, Monday, Balakrishnan said that the wearables would not have GPS, internet or cellular connectivity — meaning that collected data can only be extracted when physically handed over to health officials.

Balakrishnan said Singapore needs to “get the balance right between public health and personal privacy.” He added that he believes Singapore is actually being far more protective of privacy than in many other jurisdictions.

“We are NOT tracking movements,” he said on his Facebook page. “There is no GPS chip. But this as a pandemic that affects all of us. And we do want to know if we have been exposed to the virus or have inadvertently exposed others if we are infected.”

While retaining the data for only 25 days is a “step in the right direction,” Gayford told Threatpost a number of questions remain about the technology, including whether anyone would be permitted to review the code and its functions, and whether people can count on government officials to allow an independent review of the software and hardware.

“In heavily regulated environments such as finance and healthcare, systems and software are required to undergo rigorous assessment and testing processes,” he said. “Many would argue governments should face the same scrutiny, especially if they expect their citizens to freely give up data that is quite literally tracking their every step.”

Contact Tracing Privacy Concerns  

Contact-tracing apps have set off a slew of controversies over privacy concerns, even as contact tracing has emerged as a top idea for dealing with the coronavirus pandemic and is considered by many to be an important step towards reopening economies worldwide. As the National Health Service (NHS) in the U.K. test-drives its own contact-tracing app on the Isle of Wight, leaked documents showed that road-map features for the app include the ability for people to upload their health “status” on a self-reporting basis. Apple and Google’s April announcement that they would team up to launch contact-tracing technology, via apps for iOS and Android users, also drew privacy concerns. Others, such as the state of Utah, have eschewed the API model proposed by Apple and Google, and instead have settled on their own contact-tracing mobile apps to collect detailed user location information to track the spread of COVID-19 among citizens.

And, in a Threatpost reader poll, almost three in four respondents said they were not okay with sacrificing a portion of their personal privacy in exchange for some form of cellphone tracking that could – in theory – reduce coronavirus infection rates and save lives.

“The use of this data can have far-reaching implications for the citizens of Singapore and other nations, should similar constructs be implemented, ranging from law enforcement to immigration,” Gayford told Threatpost. “Consider the number of organizations that could potentially have access to the data – can employers raise your health insurance premiums based on your immunity status? Could your relative distance to the scene of a crime implicate you in some way? As citizens of the digital world, we need to advocate for ourselves until we have a governing body that advocates for citizens’ privacy.”

 

Suggested articles