Our Blog

Good Intentions May Still Be Destructive To Privacy

Eddie Koh | Kenneth Citarella | Allison Spagnolo | DECEMBER 17, 2020


As demonstrated by the Singaporean government, aggressive contact tracing is an effective means of preventing the spread of COVID-19. This is one of the reasons why its healthcare system was never overwhelmed throughout this crisis, and the survivability of infected residents is one of the best in the world. It is hard to argue with that objective or result.

Singapore has invested heavily in two smartphone apps for contact tracing to help flatten the curve. This was well-intentioned by the Singaporean government, and there are strong arguments to be made in support of the program. There is no attempt here to criticize the wisdom of the Government of Singapore, especially in the middle of a public health crisis caused by an international pandemic. But data collected from separate sources can create a significant threat to personal privacy when information about persons is combined with information about locations.

SafeEntry[1] is a location-based system designed to simplify the recording of visitors to a location, such as a restaurant or retailer. Rather than maintaining a physical log of the names of visitors, the business can scan an ID photo or allow the user to scan a QR code unique to that location.

TraceTogether[2] is a contact tracing app, designed to exchange Bluetooth IDs with other devices. In the absence of a smartphone, a person can also carry a government-issued token as a substitute for the TraceTogether app. If the bearer of the token gets ill, he must surrender it to the government, which will conduct contact tracing.

It is worth noting the official website for TraceTogether[3] says: “We do not collect data about your GPS location.”

On the back of the token is a QR code that can get scanned upon entry to a SafeEntry facility. TraceTogether-only SafeEntry enhances the TraceTogether app to be able to scan the SafeEntry QR code at facilities. Additionally, the Government is piloting TraceTogether gateways which require visitors to locations to bring their phone or token within 5-15cm of the gateway to facilitate check-ins[4].

According to the Singaporean government,[5] taken together, these apps address both the people with which an infected person has been in contact and the locations in which an infected person has been and has reduced contact tracing time from four days to two.

It is important to note that both apps are government-issued. The description of the privacy safeguards for TraceTogether[6] states the government does store the mobile number, personal identification and a randomized ID for each person who downloads the app. The FAQ for SafeEntry[7] states: “The data collected via SafeEntry is encrypted and stored in the Government server, which will only be accessed by the authorities when needed for the purpose of preventing or controlling the transmission of COVID-19.” With access to the data from both apps, the good intentions of any government are the only barrier to improper use of the data. In the hands of the wrong government, the combination is rife with the potential for misuse, and could create a surveillance state beyond the wildest dreams of Orwell’s 1984.

It appears that the Government is trying to fold both systems into one, in an effort to streamline the number of applications in play This can happen once the TraceTogether token is widely distributed to the populace. This would also allow the country to reopen safely to international travel with each overseas visitor required to carry a token during his visit.

Consider this scenario. With an overt declaration of the best of intentions, such as contact tracing for virus control, a government more concerned for its own security than for that of its citizens requires all commercial locations[8] (and why not private homes?) to implement the equivalent of SafeEntry QR codes and scanners, not using QR scanning, but Bluetooth signals. The government also installs the same capabilities at entry points for as many public locations, such as transportation hubs, as possible. Using the Bluetooth signal of each phone or token, the government records who is at what location at what time and can construct a real time database of the movements of the entire population. In the event of a terrorist attack, such a database would be an invaluable source of information, even permitting a look back in time to identify who was recently in the vicinity. Once any suspect was identified, access to her/his phone will identify all those who have been in proximity with her/him. Of course, the same investigation techniques can apply to those participating in a peaceful demonstration protesting a government policy.

Does this technology promote contact tracing and virus control? Sure. But in the hands of an authoritarian state, this combination can be a tool for mass population control. Trust is key, that citizens and visitors alike will do the right thing to enable swift contact tracing and treatment responses to outbreaks, and that the Government is acting in the best interests of the country, as in the case of the Singaporean government.

[1] safeentry.gov.sg

[2] tracetogether.gov.sg

[3] tracetogether.gov.sg/common/privacystatement

[4] https://www.channelnewsasia.com/news/singapore/safe-entry-gateway-device-trial-trace-together-downtown-east-13657180

[5] support.tracetogether.gov.sg

[6] tracetogether.gov.sg/common/privacystatement

[7] www.support.safeentry.gov.sg

[8] The locations already required to install SafeEntry include workplaces, schools, preschools, student care centers, healthcare facilities, residential and community based care centers, places of worship, funeral parlors, hotels, financial institutions, retailers, personal and food service locations, pet services, sports and recreation facilities, cultural and entertainment facilities, home-based businesses with extended personal contact, event-hosting facilities and car services. Safeentry.gov.sg/announcements#news-15.

This post is tagged: Contact Tracing, COVID, Privacy

Eddie Koh CPP

Eddie Koh CPP

Regional Director, APAC

Eddie Koh brings more than 15 years of experience in varied industries and roles to Guidepost Solutions as the APAC regional director. He has developed a wide range of experience in the APAC security technology market and leading security technologies that include multiple security system manufacturers. Mr. Koh spent eight years with a leading integrator in Asia where he advanced from a technical and pre-sales role into a full solution sales position, eventually leading a five-person commercial sales team supporting the gamut from small organisations to the big names in the field of data centres, oil & gas, education and business services with program management and end-to-end project oversight.

Kenneth Citarella JD, MBA, CFE, CIPP/US

Kenneth Citarella JD, MBA, CFE, CIPP/US

Senior Managing Director, Investigations and Cyber Forensics, Chief Privacy Officer

Ken Citarella is the Chief Privacy Officer for Guidepost Solutions. In that capacity he guides the international compliance efforts of the firm in its investigative, security consulting, due diligence and compliance consulting practices, including advising clients on how to create and maintain a privacy compliance program. An attorney and Certified Information Privacy Professional by the International Association of Privacy Professionals, Mr. Citarella was one of the earliest prosecutors in the nation involved in the investigation and prosecution of computer-based crime. The High Technology Crime Investigation Association bestowed its Lifetime Achievement Award on Mr. Citarella in 2011.

Allison Spagnolo

Allison Spagnolo

Managing Director, Deputy Privacy Officer

Allison Spagnolo is deputy to Guidepost Solutions’ Chief Privacy Officer. In that role, she assists with global internal compliance matters, including issues related to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Ms. Spagnolo also advises clients on privacy matters, including developing and strengthening privacy compliance programs, assessing vulnerabilities, evaluating data privacy policies, and enhancing procedures. She also has extensive experience in developing risk reviews and assessments for public and private entities in a variety of contexts, and has traveled extensively in Europe and Asia for the purpose of conducting on-site inspections and reviews related to monitorships and other compliance matters.