Some might say it was inevitable that, once law enforcement and intelligence agencies realized the power of COVID-19 contact tracing applications to confirm proximity between persons, privacy would become a secondary issue. They would be right.
Australia: Incidental COVID-19 App Data Collection
From May to November 2020, the Office of the Inspector General of Intelligence and Security conducted a study on Australia’s implementation of its COVID-19 tracking app (we highlighted Australia’s efforts in April 2020 and noted that Australia was using the same tracking app, TraceTogether, as Singapore). What the inspector general found is that government entities conducting lawful data collection were, in fact, also “incidentally” collecting COVID-19 tracking app data.
The report continued, “… there is no evidence that any agency within IGIS jurisdiction (Australian Security Intelligence Organisation, Australian Secret Intelligence Service, Australian Signals Directorate, Australian Geo-Spatial-Intelligence Organisation, Defence Intelligence Organisation, and Office of National Intelligence) has decrypted, accessed or used any COVID-19 app data.”
The IGIS will be reviewing the activities of the aforementioned government agencies to ensure they don’t try to pry their way into the tracking app data. Kudos to them if they are able to resist the temptation.
Singapore: Not-so-Incidental COVID-19 App Data Collection
As we said, Singapore and Australia are using the same app, TraceTogether, for their COVID-19 contact tracing. As of January 2021, a large portion of Singapore’s population, 78%, have adopted the TraceTogether app. That equates to approximately 4.2 million residents, but that number is destined to increase, as the application will soon be mandatory for anyone who wants to enter public venues in Singapore.
As was the case in Australia, individual privacy was expected. Unlike Australia, where the IGIS inspection demonstrated the presence of checks and balances to ameliorate the incidental collection of COVID-19 contact tracing application data, Singaporean law enforcement is leveraging the app and its data for other purposes.
It didn’t take long for Singapore’s law enforcement and intelligence agencies to discover the data’s usefulness for “criminal investigations.” The Criminal Procedure Code permits the Ministry of Home Affairs to access any data. The Ministry notes that use of the data would be restricted to situations where “citizens’ safety and security” is affected. In early January, the privacy statement associated with the TraceTogether app explicitly noted the potential use of the application data for law enforcement purposes.
Counterintelligence Entities Salivate
It will surprise no one that counterintelligence professionals are primarily focused on the protection of secrets, the discovery of sources (insiders who have broken trust) and the identification of hostile intelligence officers (and their contacts). Applications like those used in Singapore and Australia provide yet another data point for the mosaics being pieced together by counterintelligence analysts and law enforcement sleuths.
Australia’s and Singapore’s implementations give us two different scenarios to consider, in which governmental entities either use or refrain from using the COVID-19 tracing application for purposes outside the technology’s original scope.
Advice to all: as tracking apps become more and more ubiquitous, personal privacy should be verified, and not assumed.