If you want more security, you’ll have to lose some privacy. That’s the oft-cited tradeoff that has become more apparent amidst the COVID-19 pandemic, as more governments worldwide turn to contact tracing apps and other movement monitoring technologies to aid efforts in containing the virus.
Most in this region have accepted there has to be some compromise on their personal privacy in return for the wellbeing of the wider population. It’s about community before self and this common belief has largely enabled governments such as those in Singapore, Taiwan, and South Korea to implement movement monitoring policies and other measures, such as drones, with little protest.
That’s not to say there haven’t been any grumblings and murmurs about whether the government has taken the pandemic opportunity to step up its surveillance, even here in Singapore where its citizens have been commonly described as obedient and submissive.
Over the past few years, fuelled by an increase in terrorism activities in the region, CCTVs began popping up at train stations, apartment blocks, and other public spaces across Singapore. While some amongst my friends appreciated the added sense of security the heightened surveillance was presumed to offer, others lamented the loss of privacy.
Therein lies the struggle, again, to balance security and privacy. But these are unprecedented times, some may argue, and that means we need to let go of some of our concerns. Even Singapore’s Prime Minister Lee Hsien Loong suggested as much.
In a televised address Tuesday evening when he announced an extension and tightening of the country’s social-distancing measures, Lee said the use of ICT was critical in facilitating more efficient contact tracing. The government’s TraceTogether app was designed specifically for this purpose and more apps currently were in development to further aid such efforts, he noted, but he did not provide details on what these might be.
“For these apps to work, we need everyone’s cooperation to install and use them like what the South Koreans have done,” he said. “There will be some privacy concerns, but we will have to weigh these against the benefits of being able to exit from the circuit breaker and stay open, safely. We are making progress but we have not yet succeeded, by a long way.”
Singapore had rolled out stricter measures that forced non-essential businesses to shut or have all of their employees work from home, while food and beverage operators were to provide only takeaway or delivery options. This “circuit breaker” period, originally scheduled to end on May 4, was extended to June 1, with more stringent measures in place including the shutting of more retail services previously allowed to operate, such as standalone dessert and beverage outlets, hair salons, and pet stores.
This move followed a sharp spike in infected COVID-19 cases over the past couple of weeks, pushing the local number past 10,100, with migrant workers living in dormitories accounting for the majority of recent infections. The death toll currently stands at 12.
Not just a question of privacy
However, getting people to download TraceTogether or any contact-tracing apps isn’t simply a question of privacy. There are cybersecurity issues to address as well.
Because these apps, including TraceTogether, use Bluetooth signals to detect others in close proximity, they may leave the smartphone vulnerable to threats such as Bluesnarfing attacks. Just in February, Google released a patch to plug a critical security flaw in Android’s Bluetooth component that, if left unfixed, could be exploited without any user interaction and used to create self-spreading Bluetooth worms.
More alarmingly, a proposed mobile app to help the Netherlands track COVID-19 already was found to have leaked user data earlier this week. The shortlisted mobile app’s source code was published and analysed by developers who uncovered user data–originating from another app–in the source files, including full names, email addresses, and hashed user passwords.
To its credit, Singapore’s government agency behind TraceTogether has made significant efforts to–presumably–ease privacy concerns about the app. GovTech published a host of information including its development work, technical details about the contact-tracing app and its source codes, which have been made available online. It also addressed potential misconceptions about the purpose of the app, stressing that TraceTogether would not collect any location data and the government would not be able to locate the user’s whereabouts with the app.
To date, more than 1 million–or one in five–residents in Singapore have downloaded the app, according to GovTech.
But while the government agency clearly has tried to address any concerns about privacy, there still are questions that need to be addressed.
For one, GovTech said TraceTogether was developed “in an eight-week sprint”. How much time within this two-month period was dedicated to testing, specifically, for potential vulnerabilities? While years old, do existing Bluesnarfing and Bluejacking tools still have the ability to exploit the Bluetooth component in mobile phones?
There also are issues related to data management and audits that should be looked at. For instance, what is the recourse for users who suffered a breach after hackers exploited the Bluetooth function, which was turned on to enable the TraceTogether app?
Also, does the data fall under Singapore’s Personal Data Protection Act or is it excluded since the public sector does not fall under the purview of the legislation? If it is the latter, what does it mean in terms of data management and privacy since the details of the public sector’s own data protection guidelines have never been made public?
For instance, what happens to all the user data after it has been used to aid in contact tracing efforts? Is there an audit trail to ensure the data is removed completely after it is no longer needed?
In its privacy statement, GovTech notes that users will be prompted to disable TraceTogether’s functionality, but makes no mention of whether the Health Ministry–which will have access to the users’ data–will permanently delete the information once it is used for contact tracing purposes.
The privacy statement, though, does offer an email address that users can refer to should they wish to revoke consent for the Health Ministry to use their TraceTogether data. Following which, the user’s mobile number and device User ID will be removed from the ministry’s server.
Singapore’s public sector in recent years has had a less-than-stellar track record in cybersecurity, so it will need to invest more effort in assuring public trust and confidence in its ICT initiatives.
There are proponents who say the emphasis should be on educating users to take steps to safeguard their own cyber wellbeing and hygiene. Sure, self-awareness and user education are just as important in any cybersecurity strategy, but app developers and tech vendors have just as important a role to play in ensuring their products are safe for use, right off the shelf.
The recent Zoom security debacle, for instance, had prompted some to argue that the security features already were there and the onus was on the users to know how to enable them. While that may be true, with so many instances of security breaches including in Singapore and Zoom stepping up to acknowledge it fell short, this episode demonstrates the need for critical security features to be automated or configured such that users are prompted to enable the settings before they are able to proceed to access the function.
It’s about security by design and automated controls so it takes the guesswork out of the user’s hands, especially if it involves critical cybersecurity components, and mitigates the risk of human error.
That may mean contact-tracing apps such as TraceTogether should come coupled with security features that can detect attempts to breach a smartphone via the Bluetooth function.
Such efforts will go a longer way in easing security and privacy concerns about the use of these apps.