Wednesday, 10 June 2020

The Singapore wearable trac(k)er debate, ahum…



A few days ago, I saw the news that Singapore was developing a wearable contact tracing device; this would make it easier to inform people if they were in proximity to someone who turned out to be covid19 positive (1).

The main reasons for a wearable stated are that the current app (tracetogether) does not play well with apple devices (for the Bluetooth on which the app relies to work, it cannot be running in the background, blocking the user from other uses of the phone), and the battery consumption of the app (your bluetooth is on ‘all the time’).

Note that, today, downloading the app is not compulsory, unless you are someone on a work permit, living in a dorm; for these guys who are sadly bearing the brunt of the infection, the government has made it compulsory, 24/7 trac(k)ing.

2 days ago, the minister for smart nation declared contact tracing “absolutely essential”. Mr Balakrishnan specifically highlighted:
  • This is not a tracking device because it has no GPS component
  • There is no internet connection hence the data cannot be uploaded
  • The “data” never leaves the device unless you are found to be covid19 positive
  • “only a very limited restricted team of contact tracers” would have access to the data

Within the next couple of days, a petition was created on change.org (3) “Singapore says 'No' to wearable devices for Covid-19 contact tracing“. Over 40,000 people have signed.

The author of this petition, Mr Wilson Goh wrote a lengthy explanation that I will try to summarise below:
  • The device cannot be switched off and the user will have no choice.
    • “This will be done regardless of whether the person has a phone or not; regardless whether their phone is switched off or on; whether that person is within reception of a cell tower or not; and regardless whether their phone has wifi or Bluetooth switched off or on.”
  • Having a permanent ‘tracker’ is the final step to the police state
  • Tracing/tracking infringes on the rights, privacy and freedom of movement of people of Singapore
    • “We - as free, independent, and lawful members of the public of Singapore - condemn the device's implementation as blatant infringements upon our rights to privacy, personal space, and freedom of movement.”



(4)
“Are you pondering what I am pondering?” Do you think I agree more with the minister or the petitioner?

My answer is:


This is a red herring dragged by a horse that has bolted before someone can close the door.

The question is not whether the phone should be used, or a wearable device used. You most likely are already showing a lot of people your location and more 24/7 via a device you hold dear, so why the fuss now?

That device is called a mobile phone. Many organisations have access to your location. Do you use some map? Is your GPS on? How do you think you can be connected so quickly when calling a mobile phone, do you think the telco searches for the recipient of your call on demand, or do they roughly know where to look (which tower(s))? How do you think you get “relevant” advertising, sometimes even locally (contextual messages)?

If you don’t believe me, while on your phone, just try clicking on myactivity.google.com . I could never afford an iPhone so I don’t really know if there is an equivalent.

(4)

Hmmm, confused? Am I not supposed to be someone who values privacy and who believes that each individual’s data (s)he produces should belong to him/her?

At this stage, we are in a crisis, or trying to manage one, as a society. There may be a call to balance individual privacy against everyone’s safety.

The government is arguing that the data on ‘your’ wearable will only be read if you test positive. Then anyone is the list of people in close proximity to you will be contacted. On top of the proximity, there is a time limit, a maximum data retention period of 25 days.

Sounds reasonable, right?

But what about accusations of police state?

One of the keys here is compulsion, when people are compelled to do anything, they are likely to question. Now the tracetogether app is voluntary (around 20% of people have downloaded it), but it is compulsory for people living in dorms, leading to comparisons to animals being microchipped. Will the wearable device be compulsory?

A second question is that of enforcement. Even if the device is made compulsory, how will the government check if I am wearing one? Will there be Bluetooth scanners and you will be approached if you don’t have one? Will people be stopped and asked to show their thing?

A third question is for how long would people be required to carry the device? At the moment there doesn’t seem to be an end point, and the worry is that, even if covid19 treatment is found the tracing will continue, or one way out will be to take a potential vaccine.

A fourth question is, does that mean that all other systems such as logging visitors to a supermarket for example will be stopped? Or is this a supplementary measure? While the device may not keep location data, if it is added to location specific data (entries to buildings, onto modes of transport…) the journey of people can easily be reconstituted.

The stand of the organisation supposed to protect individual privacy on the safe-entry app is enlightening “In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.” And “Collection of personal data for Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in Government’s servers”(5) (highlights are mine)

While the wearable itself may not be what the petitioners deem a police state, adding it to the safe entry app, where all log-ins are captured, is likely to be.

A fifth question is what happens to the data captured. The proliferation of databases today has increased the chances of loss of privacy. A single database may not have enough data to identify people, but if matched with another database, the combined data may be sufficient to identify people. Furthermore, I believe that when people consent to give their data, it is done for a purpose, and data should be used purely for that purpose. This should apply in all cases.

The thing is, despite the PDPA and the PDPC (Personal Data Protection Act and Council respectively), data is being used for purposes other that what it was collected for. In fact, for the Covid19 case, the PDPC is vague “In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures” (5) (highlights are mine)

In the same line of thought, OCBC bank, while arguing that data sharing is safe as long as you are in charge of your data (6) (full business times article (7)) actually shows an example of how data from telcos is being used to plan transport(8); unless telcos are now in the transportation business, this looks like misuse of data to me, PDPC or not. This practice has to stop, especially when extremely granular data is being captured centrally.

A sixth question is, how secure is the data on the device? While the government stresses that only in cases of positive tests would individuals be asked to give the data captured, can individuals look into the data captured by their devices? Even if I can’t tell which device and its related information belongs to you when I am in a crowd, if I bump into you often enough (may be 4 times), I could easily figure out your identity and the related captured information. 

(4)

So, what is my conclusion?

Basically, if you are worried about the wearable, it is perfectly understandable. However, you need to realise that you have been leaking this information, or this information already culled from you for a long while.

I actually think that, if it is made compulsory to have such a piece of software, I would prefer a standalone device and no other tracing mechanism. However the questions above (and probably more) should be addressed to build trust. At the same time, since the government is looking into this area, it would be fantastic if they made data ownership in all cases to the people who generate it, and force permission, even retroactively, to be required from the owners/creators of the data by other parties who want to have access to the data, including stating the usage of the data.

I think that would be a nice compromise that could meet the aims of most people.

Only after we as individuals are in control of the data we generate, thereby having the right to choose who, for what purpose, and for how long to share it with, and the right to have the data deleted, will there possibly be enough trust to move away from the “police state” idea, and from abuses by corporations (‘cambridge analytica’ is a classic case of data being misused (9)).

  1. https://www.channelnewsasia.com/news/singapore/covid-19-contact-tracing-device-trace-together-app-12806842
  2. https://www.channelnewsasia.com/news/singapore/covid-19-contact-tracing-wearable-devices-trace-together-12815796
  3. https://www.change.org/p/singapore-government-singapore-says-no-to-wearable-devices-for-covid-19-contact-tracing
  4. https://en.wikipedia.org/wiki/Pinky_and_the_Brain
  5. https://www.pdpc.gov.sg/Help-and-Resources/2020/03/Advisory-on-Collection-of-Personal-Data-for-COVID-19-Contact-Tracing
  6. https://www.linkedin.com/posts/ken-wong-ab35842_data-sharing-is-safe-as-long-as-you-are-activity-6671646060701736960-uV1b/
  7. https://www.businesstimes.com.sg/opinion/data-sharing-is-safe-as-long-as-you-are-in-charge-of-your-data
  8.  https://www.linkedin.com/feed/update/urn:li:activity:6671646060701736960?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6671646060701736960%2C6671658524692615168%29
  9. https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)