Recent revelations that data from Singapore’s landmark TraceTogether app is being used by police “for the purposes of criminal investigation” has come as a shock to local citizens. The government had rightly encouraged uptake of the COVID-tracking app, targeting a 70 percent uptake rate, in order for the app to be effective in keeping people safe. Then, two weeks ago, TraceTogether’s privacy statement was updated to clarify that “the Criminal Procedure Code applies to all data under Singapore’s jurisdiction” and that “TraceTogether data may be used in circumstances where citizen safety and security is or has been affected.” This understandably shook citizens’ perceptions of TraceTogether and how their data is treated by the government.
In fact, TraceTogether’s data privacy terms are comparable to many other COVID tracing apps and broadly, Singaporeans have much to celebrate about their country’s approach to using tech to combat the spread of the pandemic. By putting TraceTogether’s data terms in context and increasing their transparency with citizens, the government has an opportunity to win back citizens’ trust and even become an exporter of data privacy best practices.
The rush to keep people safe
It’s important to highlight that, in quickly rolling out TraceTogether, the government was ahead of many other countries in using technology to keep people safe. The March 2020 launch made Singapore one of the first countries in the world to deploy such an app. Since unveiling a technical framework for COVID tracing apps in April, just six states in the United States have launched apps.
The centralised data model adopted by Singapore is also similar to the approach taken by many other nations. In choosing a centralised model, the Singaporean government was able to deploy TraceTogether more quickly than most others, and use a model that is proven to keep people safe. Resultantly, Singapore has been one of the most effective countries at combating the spread of the pandemic.
While centralised models are fundamentally less private, because one body will maintain control of the entire data set, many nations have accepted that healthcare needs trump the need to maintain privacy.
It’s also important to highlight that the government’s ability to access some TraceTogether data is not unusual. A recent study in the respected science journal Nature found that two fifths of COVID tracing apps don’t ask for permission to access information such as contacts, photos, location data, device ID, call information, the WiFi connection or the microphone. Troublingly, only 16 of the 50 apps surveyed indicated that user data would remain anonymous, encrypted and secured and will be transmitted online and reported only in an aggregated format.
For example, the UK’s COVID tracing app provides healthcare providers with access to user data and concerns have been raised that data is stored indefinitely. In the US, research has shown that the plethora of apps developed by US healthcare providers are “continuously collecting and processing highly sensitive personally identifiable information, such as health information, location and direct identifiers.” Finally, while Australia outlawed the collection of data for purposes other than contact tracing, initial confusion and uncertainty led to slow uptake of the app.
It’s important for Singaporeans to understand therefore that many apps being used globally to keep people safe are not fully transparent and, in the rush to keep people safe, many organisations were not fully transparent about how data is used.
Transparency is key
People are understandably sensitive about organizations knowing more about them than they would like. But people also understand that, in order to access free services that they love, some of their data may be passed to advertisers. The old quip that ‘if you’re not paying for the product, you are the product’ has not discouraged people from joining services such as Facebook, which has seen exponential user growth since its launch. According to Statista, 2.7 billion people use Facebook, a figure that has grown remarkably consistently since the company passed 1 billion users in 2012.
However, you only have to look at the uproar that Facebook caused in January when it updated WhatsApp’s terms of service to state that data from private conversations would be used to inform ads on Facebook’s other platforms, to see the value people put on transparency. The change led to a 4,200% increase in user growth for rival app Signal.
Actually, recent proprietary research from ForgeRock suggests that many Singaporeans are laissez-faire about their data being used by others. Just 28 per cent of 25-34 year olds and 35 percent of 35-44 year olds reported that keeping their data away from third parties was a top concern when downloading a new app.
Establishing trust from the beginning
ForgeRock’s research suggests that Singaporeans are not averse to providing access to their data, so long as they are told upfront what it will be used for. The outcry over TraceTogether provides a lesson on the importance of transparency when talking to people about how their data is going to be used. This is only going to become more crucial in the future. ForgeRock research also found that young people were much more concerned about data privacy – with those aged between 18-24 amongst the two age groups most concerned with data privacy.
There are some prominent initiatives putting transparency at the centre of consumers’ digital interactions. Apple’s new iOS 14 provides users with visual notifications when apps are using other apps (such as the camera), while Europe’s GDPR and Singapore’s PDPC give a user control and ownership of their own data. People are only going to get more used to the idea that their data is their identity. Whether you are a government trying to keep people safe, or a business trying to onboard new customers, transparency is therefore crucial to bringing people on board.