Singapore coronavirus app analysis reveals huge privacy issues

Man using smartphone in Singapore

Singapore has been lauded in some quarters as one of the Asian success stories of the coronavirus crisis.

Along with Taiwan, it was immediately suspicious of Communist China’s claims about the initial outbreak in Wuhan and its strong and early measures helped to limit the initial outbreak of the virus there.

Not all news coming out of Singapore has been positive though. We reported last week on how the Singaporean authorities are using their controversial anti-fake news laws to censor legitimate content about the virus and criticism of the government’s handling of the outbreak.

It is not just online censorship but also personal privacy which is being placed under threat by the Singaporean government in its attempts to halt the spread of the disease.

As you might expect from a technocratic city-state, Singapore has turned to a mobile app to try to facilitate the challenging task of contact-tracing: finding out who an infected person caught the disease from.

How TraceTogether works

The app is called TraceTogether and it was built by Singapore’s Government Technology Agency (GovTech) in collaboration with the Ministry of Health (MOH).

It works by automatically exchanging short-range Bluetooth signals with other devices carrying the app. It can detect other devices running the app within a radius of between two and five metres, over a period of around 30 minutes.

In response to questions about the impact this app will have on the privacy of Singaporeans, the government has issued a series of clarifications. These insist that the app will store all data locally and only retain data for 21 days. They claim that the information will only be shared with authorities as part of active contact-tracing investigations.

However, not everyone is convinced by the Singaporean authorities’ claims, which is understandable given the country’s rather dubious record on human rights and personal freedoms.

As a result, Digital Reach, in conjunction with third-party findings, decided to examine the app in more detail to see just how intrusive it actually is. Their findings make for extremely interesting reading.

The truth about TraceTogether

One of the first things they discovered was that several important parts of the app’s code had been deliberately obfuscated by the developers. As they note, this practice is generally only used when developers have something in an app they want to hide.

This obfuscation made it very difficult to reverse engineer the app and prove or disprove the claims of the Singaporean authorities. The authorities have said that the app will be open-sourced, but to date there is no timeframe for this to happen.

Despite this, the team Digital Reach consulted were able to perform some reverse engineering using a combination of static and runtime analysis. These tests revealed some interesting features.

Firstly, they discovered that the TraceTogether app scans for other devices in its vicinity for about 8 seconds every 40 seconds. When it finds a device, it queries it and each device sends the other a set of encrypted information.

This information includes a timestamp, a temporary ID of the sender, details of the sender’s phone model, information about the signal strength of the connection to estimate the distance, and various other bits of miscellaneous technical data. It also records the start and end time of the connection.
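The exchange described in the two paragraphs above, modelled in Python as an added illustration (this is not TraceTogether’s code, and GovTech has not published the real record format). The field names, the log-distance path-loss model used to turn signal strength into a distance estimate, and the path-loss constants are assumptions; the 8-second/40-second scan cycle and the 21-day local retention window come from the article’s own figures.

```python
"""Model of the contact record exchange and local retention described above.

Added illustration, not TraceTogether's own code.  Field names, the
path-loss constants and the distance model are assumptions; the scan
duty cycle and retention window are the figures given in the article.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

SCAN_PERIOD_S = 40   # article: the app scans for ~8 s every 40 s
SCAN_WINDOW_S = 8
RETENTION_DAYS = 21  # article: data is retained locally for 21 days


@dataclass(frozen=True)
class ContactRecord:
    """One record as exchanged between two phones (fields per the article)."""
    timestamp: datetime        # when the contact was logged
    sender_temp_id: str        # rotating temporary identifier of the sender
    sender_model: str          # sender's phone model (not needed for distance)
    rssi_dbm: int              # received signal strength, used to estimate distance
    contact_start: datetime    # start of the connection
    contact_end: datetime      # end of the connection


def is_scanning(elapsed_s: float) -> bool:
    """True while the radio is inside its 8 s scan window of each 40 s period."""
    return (elapsed_s % SCAN_PERIOD_S) < SCAN_WINDOW_S


def estimate_distance_m(rssi_dbm: int, tx_power_dbm: int = -59, n: float = 2.0) -> float:
    """Log-distance path-loss estimate (an assumed model, not the app's):
    d = 10 ** ((tx_power - rssi) / (10 * n)), where tx_power is the RSSI at 1 m."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * n))


def exchange(a_id, a_model, b_id, b_model, start, end, rssi_at_a, rssi_at_b):
    """Both phones log a record about the other, as the article describes.
    Returns (record stored on A, record stored on B)."""
    rec_for_a = ContactRecord(end, b_id, b_model, rssi_at_a, start, end)
    rec_for_b = ContactRecord(end, a_id, a_model, rssi_at_b, start, end)
    return rec_for_a, rec_for_b


def prune(store, now, days=RETENTION_DAYS):
    """Drop records older than the retention window (the stated local policy)."""
    cutoff = now - timedelta(days=days)
    return [r for r in store if r.timestamp >= cutoff]


def fields_beyond_proximity(record):
    """Fields in a record that are not needed to estimate proximity or duration.
    Anything listed here is collected beyond the minimum the stated purpose requires."""
    needed = {"timestamp", "sender_temp_id", "rssi_dbm", "contact_start", "contact_end"}
    return sorted(set(asdict(record)) - needed)


if __name__ == "__main__":
    # Constructed sample encounter between two phones.
    start = datetime(2020, 3, 25, 9, 0)
    end = start + timedelta(minutes=30)
    rec_a, rec_b = exchange("tmp-A1", "ModelX", "tmp-B2", "ModelY", start, end, -65, -70)
    print("A stored:", rec_a)
    print("distance seen by A: %.2f m" % estimate_distance_m(rec_a.rssi_dbm))
    print("fields beyond proximity:", fields_beyond_proximity(rec_a))
    print("kept after 22 days:", prune([rec_a], end + timedelta(days=22)))
```

The `fields_beyond_proximity` check is the data-minimisation question a reviewer would put to any contact-tracing design: every field in the record that is not needed to answer "how close, for how long" is surplus collection, and the phone model is the obvious example in the article’s description.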

The analysis showed that there are actually three different analytics systems built into the app. These are Firebase Analytics, Crashlytics, and Snowplow Analytics, and the presence of all three appears to contradict the Singaporean government’s claim that the app is conducting minimal data collection and analysis.

Even more damningly, inspection of the app’s traffic found that it does send data to an address operated under the Whole-of-Government Application Analytics (WOGAA) platform, the Singapore government’s centralised analytics platform for its digital services.
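The traffic inspection described above amounts to an egress audit: capture what the app sends while it runs, then list every destination that is not the service’s own backend. The script below is an added example of that check in Python; it is not the researchers’ tooling, and the log lines, host names (all under the reserved `.invalid` domain) and byte counts are constructed placeholders, not captured TraceTogether traffic.

```python
"""Egress audit for an app under test: flag destinations outside the
service's own backend and how much data goes to them.

Added example, not the researchers' own tooling.  The allowlist, the
log format and every host name below are constructed placeholders.
"""
import re
from collections import defaultdict

# Hosts the app is expected to talk to (assumed allowlist for this illustration).
FIRST_PARTY_ALLOWLIST = {"api.health-backend-placeholder.invalid"}

# Constructed egress log, one connection per line:
# "<timestamp> <method> <host> <path> <bytes_out>"
SAMPLE_EGRESS_LOG = """\
2020-03-25T10:00:01Z POST api.health-backend-placeholder.invalid /v1/handshake 412
2020-03-25T10:00:03Z POST analytics-sdk-1-placeholder.invalid /collect 1880
2020-03-25T10:00:07Z POST crash-reporting-placeholder.invalid /upload 9540
2020-03-25T10:00:09Z POST analytics-sdk-2-placeholder.invalid /tracker 2216
2020-03-25T10:00:15Z POST gov-analytics-placeholder.invalid /events 740
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_egress(log_text):
    """Parse the constructed log format into a list of connection dicts.
    Malformed lines are skipped rather than aborting the audit."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, method, host, path, nbytes = m.groups()
        rows.append({"ts": ts, "method": method, "host": host.lower(),
                     "path": path, "bytes_out": int(nbytes)})
    return rows


def audit(log_text, allowlist=FIRST_PARTY_ALLOWLIST):
    """Return {host: (connections, bytes_out)} for every host not on the allowlist."""
    totals = defaultdict(lambda: [0, 0])
    for row in parse_egress(log_text):
        if row["host"] in allowlist:
            continue
        totals[row["host"]][0] += 1
        totals[row["host"]][1] += row["bytes_out"]
    return {host: tuple(v) for host, v in totals.items()}


def bytes_outside_allowlist(log_text, allowlist=FIRST_PARTY_ALLOWLIST):
    """Total bytes sent to destinations outside the allowlist."""
    return sum(b for _, b in audit(log_text, allowlist).values())


if __name__ == "__main__":
    for host, (conns, nbytes) in sorted(audit(SAMPLE_EGRESS_LOG).items()):
        print(f"{host:45s} {conns:3d} conn  {nbytes:6d} bytes")
    print("bytes outside allowlist:", bytes_outside_allowlist(SAMPLE_EGRESS_LOG))
```

Running this against a capture from a test device turns a privacy claim ("data is stored locally") into something checkable: any non-empty result from `audit` is a destination the stated policy has to account for, and the byte totals show whether those destinations are receiving more than a trivial heartbeat.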

When the Singaporean authorities were informed of this finding, they promised to remove the function in the next update. However, there is no guarantee that this update will be installed on all devices and, at the time of writing, no indication of when it will be pushed out at all.

Major privacy concerns

Even with the limited analysis of TraceTogether that is currently possible, it is clear that the app presents a major threat to the privacy of people in Singapore.

Contrary to official claims, it appears to be collecting a lot of data and has been shown to be sending at least some of this data back to a central collection point.

The storage of such personal data on a central database could mean it can be accessed by other government agencies and for reasons beyond the contact-tracing function it is intended for.

Throw in the fact that the analysis also uncovered a variety of flaws and vulnerabilities that could expose users and their data to hackers and other malicious actors, and it is clear that this app is far from the privacy-friendly anti-pandemic tool that the Singaporean authorities want you to believe it is.

Singapore is far from the only country that is trying to use technology in this way to tackle the coronavirus outbreak. But this analysis shows the huge risk apps of this type can pose to individual privacy, especially in the hands of the wrong type of government.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.
