Skip to Content
Pandemic Technology Project

Broken promises: How Singapore lost trust on contact tracing privacy

Guarantees that Singaporean phone data would only be used to fight covid-19 were hollow. The implications could stretch beyond the country’s borders.
January 11, 2021
Singapore safeentry app
Singapore safeentry app
Shutterstock

For Singaporeans, the covid-19 pandemic has been closely intertwined with technology: two technologies, to be specific. The first is the QR code, whose little black-and-white squares have been ubiquitous all over the country as part of the SafeEntry contact tracing system rolled out in April and May. 

Under SafeEntry, anyone entering a public venue—restaurants, stores, malls—must scan a code and register with a name, ID or passport number, and phone number. If somebody tests positive for covid-19, contact tracers use it to track down those who got close enough to be potentially infected.

There’s also TraceTogether, an app that launched in March 2020. It uses Bluetooth to ping close contacts; if two users are in proximity, their devices trade anonymized and encrypted user IDs that can be decrypted by the Ministry of Health should one person test positive for covid-19. 

For those who can’t or don’t want to use a smartphone app, the government also offers TraceTogether tokens, small digital fobs that serve the same purpose. And while TraceTogether is currently voluntary, the government has announced that it is going to merge the two systems, which would make it mandatory to either download the app or collect a token.

When the two systems were launched, there wasn’t much space for the public to discuss apprehensions: they were seen as necessary to fight the pandemic, and the Singaporean government acted in typical top-down fashion. It did seek to assuage fears, however, by repeatedly assuring Singaporeans that the data collected with such technology would be used only for contact tracing during the pandemic. 

And that’s where things went wrong.

Private data being used by police

Earlier this month, it emerged that the government’s claim was false. The Ministry of Home Affairs confirmed that data could actually be accessed by the police for criminal investigations; the day after this admission, a minister revealed that such data had, in fact, already been used in a murder investigation. It rapidly became clear that despite what ministers had previously said, Singaporean law meant it had been possible for law enforcement to use TraceTogether data all along.

These revelations triggered public anger and criticism, not necessarily because Singaporeans are particularly privacy conscious—in fact, state surveillance is largely normalized in the country—but because people felt they’d been subjected to a bait-and-switch. Many people had reservations about TraceTogether when it was first launched, and only began using it in large numbers after the government indicated that it would soon become mandatory. (According to the cochair of the task force on covid-19, nearly 80% of Singapore’s residents have adopted TraceTogether.)

The government has since announced that it will introduce new legislation to limit law enforcement’s use of contact tracing data to probes into seven specific categories of offense, including terrorism, murder, kidnapping, and the most serious drug trafficking cases. (The MIT Technology Review Covid Tracing Tracker, which monitors the policies around exposure notification apps worldwide, is being updated to reflect this shift.)

“We acknowledge our error in not stating that data from TraceTogether is not exempt from the Criminal Procedure Code,” said the Smart Nation and Digital Governance Office in its statement. The new law, it said, “will specify that personal data collected through digital contact tracing solutions … can only be used for the specific purpose of contact tracing, except where there is a clear and pressing need to use that data for criminal investigation of serious offences.”

Not in the original spirit

There is no timeline yet as to when the proposed legislation will be brought before parliament, and details are scant. 

“In Singapore, where laws grant sweeping executive and legislative powers to state actors, I think any commitment to accountability and restraint is welcome,” says digital rights activist Lee Yi Ting. “But it remains to be seen if the bill will make substantive commitment to these proposed limitations. For example, if state actors flout these regulations, what investigative bodies will come into play, and what consequences will state actors be held to?” 

Some doubt how useful such data can really be to police investigations and are concerned that even the proposed limits still formally expand its use beyond contact tracing.

“We like to reiterate that extending police powers to [TraceTogether] data is not aligned to the original spirit of what the dataset was intended for,” said the opposition Progress Singapore Party in a statement. “Covid tracing data must solely and strictly be used for fighting the pandemic and nothing else.” 

Trust is on the line

The confusion could not come at a more difficult time. Concerns that governments could abuse contact tracing systems have been raised around the world. Many of these worries have been misplaced, especially in countries that use Google and Apple’s exposure notification technology, which does not allow centralized collection by local authorities. The Singapore government had previously rejected Apple and Google’s system, saying that it would be “less effective” in the Singaporean context. 

But while digital systems could speed up contact tracing and aid in the fight against the virus—one that could be more vital over time, not less—most countries have struggled with adoption. One major issue: trust.

Lee worries that even if legislation is enough to placate many Singaporeans, the implications outside the country could be serious. Singapore’s early move to build digital contact tracing put it in a global leadership position, and TraceTogether’s underlying systems have been used by other nations—though there is no suggestion that the same legislative mistakes were made elsewhere. 

Still, “Singaporeans do care about the extent to which the state intrudes into their private lives,” says Lee. And, she adds, the country is setting an international precedent “for repressive governments to likewise normalize the use of contact tracing data for the purposes they define.”

This story is part of the Pandemic Technology Project, supported by the Rockefeller Foundation.

Deep Dive

Pandemic Technology Project

Kirsch funds fluvoximine research
Kirsch funds fluvoximine research

This tech millionaire went from covid trial funder to misinformation superspreader

After boosting unproven covid drugs and campaigning against vaccines, Steve Kirsch was abandoned by his team of scientific advisers—and left out of a job.

vaccine credetialing concept
vaccine credetialing concept

What you need to know about US vaccine proof on your phone

How and where you may need to show digital vaccine proof—and what the bigger picture looks like for covid credentials and apps.

What’s happening with covid vaccine apps in the US

The world is debating apps that prove you've been vaccinated. We're keeping track of what you really need to know.

excelsior pass
excelsior pass

We tried out the Excelsior Pass, New York’s state vaccine passport

When we tested the first statewide vaccine passport, we found privacy concerns, technical glitches, and questions over who it’s really for.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.