The Business Times

TraceTogether: Balancing privacy issues with proper contact-tracing

Published Wed, Nov 18, 2020 · 09:50 PM

As Singapore prepares to enter its third and final phase of the reopening of the economy, likely before the end of this year, enhanced and effective contact-tracing will be more critical.

The government is already piloting TraceTogether-only SafeEntry (TT-only SE) check-ins and will implement them pervasively at more venues, such as schools, malls and workplaces in the coming months.

With TT-only SE, individuals are required to download the TraceTogether app or carry a TraceTogether Token. That leaves many citizens with questions and concerns about whether they are being monitored by their TraceTogether devices.

Developed by the Government Technology Agency to help fight the pandemic, the TraceTogether Token and mobile app identify those in close contact with people who tested positive for Covid-19, by using proximity data collected via Bluetooth technology.

These close contacts of a confirmed case will then be alerted immediately so that they can take preventive measures and help curb the spread of the novel coronavirus.

Because of TraceTogether, Singapore was able to halve the duration of contact-tracing from four days to less than two days.

Despite its efficacy, the TraceTogether programme - in particular, the token itself - has continued to elicit a fair amount of public scepticism.

The most common questions I hear about the programme are concerns about data privacy and security such as: "Is my data getting stored and shared?", "Does using Bluetooth technology make my device vulnerable to malware from nearby devices?", and "Can the token be hacked in order to obtain my personal details and location?".

From what the government has said, data collected through TraceTogether is anonymous and will only be shared with the Ministry of Health if the user tests positive for Covid-19. If not, the data will be automatically deleted within 25 days.

Global examples

Countries around the world are following Singapore's example of digitally-enabled contact tracing.

Having looked into the NHS Test and Trace in the UK, Covid-Safe App in Australia, and the Corona-Warn-App in Germany, among many others, my assessment is Singapore's TraceTogether looks exemplary at first glance - in the collection of data and how contact tracing is enabled.

Among contact-tracing applications, StayHomeSafe in Hong Kong, DDC-Care in Thailand, and StopCovid in France were among those that came in for criticism - for collecting and storing more personal data than initially advertised.

China took its contact-tracing a step further, enabling telcos like China Mobile, China Unicom and China Telecom to provide a tracking record of users' locations in the past weeks, with no consent required from individuals.

A case could also be made for large countries like the US and Russia which have yet to develop a universal nation-level contact tracing tool - and are now facing a massive surge in cases.

Tearing down the token

Having been invited by a media outlet recently to "tear down" the TraceTogether Token, I can share that the device does what it claims to do, and does not do what public rumours claim it is "set out" to do.

The token is based on an off-the-shelf chip containing a processor, memory storage, and a Bluetooth connection.

The chip is optimised for only low-energy operations and spends most of the time in "sleeping mode"; to provide context, such chips are commonly used in watches, fitness trackers, and other wearables. Having gone through the documentation for the chip, I did not see any GPS functionality in it, despite some rumours claiming that the token is a location-tracking device.

With two separate batteries (one for the chip, one for the real-time clock), the token is able to operate for as long as six to nine months. GPS power consumption is usually quite high, compared to periodic Bluetooth beaconing.

The device is powered with a 1000mAh battery that is commonly used in fitness trackers.

If there were a GPS tracker installed, this battery would not have lasted more than a day.

That tells me there is no tracker installed, meaning the token does not know and is unable to transmit your location at any moment - unlike the smartwatches worn by many people these days.

Additionally, there was no SIM card inside and therefore, no cellular function. The size of the token simply does not allow for these functions to be added.

My experiments showed the token goes "live" roughly between every 30 seconds and one minute. I was able to determine this using a freely available Bluetooth scanner for macOS.

During normal operation, the token transmits a different random identifier (it changes its name) every 30 seconds. This means any potential threat targeting your device would not be able to track you after 30 seconds.

Earning the public trust is no mean feat, and one of the main steps is to provide key security experts with extended access to the token's internal workings.

Such transparency will bolster security research and increase the public's confidence in the safety and privacy preserving features of any platform or digital application.

Multiple requirements

The creators of the TraceTogether Token have had to satisfy multiple requirements - the device needed to be inexpensive, yet durable and secure.

The token is important to help contain the spread of the virus. It is also useful if you do not own a smartphone, or do not wish to use the TraceTogether app on your phone.

Overall, it is a good initiative by the Singapore government to roll out an inclusive portable device such as the token to help expand contact-tracing coverage, with the necessary safeguards in place to preserve people's privacy.
