SECURITY TECHNOLOGIES, ITS USE AND PRIVACY SAFEGUARDS DURING COVID-19 PANDEMIC
Written By: Adrian LEE, MSc (Security Management), MBA, CCTP, ACTA, PMC 10928
On 18 Jun 2020, Singapore and Tokyo-headquartered Cyfirma, a cybersecurity group, warned that the prominent hacker group Lazarus Group was planning a phishing campaign, based on a threat assessment it conducted between 1 and 16 Jun 2020.
“Opportunistic cybercriminals have been using the Covid-19 situation to conduct malicious cyber activities, and, with the increasing reliance on the Internet during this period, it is important to be vigilant,” Cyfirma added.
The Lazarus Group was reported to be targeting six countries, namely Singapore, Japan, South Korea, India, the US and the UK, as these governments had announced substantial fiscal support to individuals and businesses given the impact of the pandemic.
On 19 Jun 2020, the Cyber Security Agency of Singapore notified “relevant parties” about the potential phishing campaign. It had issued an advisory to be vigilant against such cyberattacks on businesses and individuals.
Cyfirma warned that Lazarus Group would target Singapore businesses with a spoofed Ministry of Manpower (MOM) email, impersonating government agencies, departments, and trade associations to get individuals to disclose personal and financial information or click on malicious links. One example of the spoofed MOM email cited a fake government initiative on an additional one-time subsidy of S$750 per employee.
SINGAPORE’S SMART NATION FIGHT AGAINST COVID-19
In Singapore, the Government would roll out a portable and wearable contact tracing device, Minister-in-charge of the Smart Nation initiative Dr Vivian Balakrishnan told Parliament on 5 Jun 2020.
“If this portable device works, we may then distribute it to everyone in Singapore,” he said. “And I believe this will be more inclusive, and it will ensure that all of us will be protected.”
This is one of many technological innovations that the Government had progressively implemented in response to the COVID-19 pandemic. Over the years, the Government had been gradually building the foundation of Singapore’s Smart Nation, with digital infrastructure and engineering capabilities as the cornerstone. These had enabled the Government to respond decisively and swiftly to the COVID-19 pandemic with a suite of digital tools that help disseminate timely and accurate information to Singaporeans and enable various ministries and agencies to manage the COVID-19 crisis better.
Some notable digital solutions are:
Ask Jamie chatbot
Developed by Government Technology Agency (GovTech), Ask Jamie is a virtual assistant designed to answer queries within specific domains on Government agency websites. Launched in 2014, Ask Jamie has been implemented across 70 Government agency websites.
COVID-19 Situation Report
The COVID-19 Situation Report dashboard presents the vital statistics and figures on the current situation in Singapore. The solution is developed by GovTech in collaboration with the Ministry of Health.
FluGoWhere
FluGoWhere is a website for searching, conveniently and easily, through a list of Public Health Preparedness Clinics (PHPCs), which provide special subsidies for those diagnosed with respiratory illnesses. There are more than 900 participating clinics as of 19 Mar 2020. Access the website via www.FluGoWhere.gov.sg. GovTech developed the website in collaboration with the Ministry of Health (MOH) and the Public Health Preparedness Clinics.
Gov.sg WhatsApp
The official Gov.sg WhatsApp account provides citizens with timely and trusted updates on the COVID-19 situation. This service is available in 4 languages, and the system has been optimised to send multi-lingual messages to all subscribers within 30 minutes.
MaskGoWhere
MaskGoWhere is a website that helps Singaporean households find the designated location, day, and time to collect their allocation of masks. GovTech had been making regular updates and improvements to the website based on the latest available information and on insights gathered through the real-time user feedback function embedded within the website.
Leave of Absence & Stay-Home Notice Tracking Solution
The Leave of Absence & Stay-Home Notice Tracking Solution is an SMS and mobile web-based solution that allows people serving out their Leave of Absence (LOA) or Stay-Home Notice (SHN) to report their locations to the Ministry of Manpower quickly and accurately.
SafeEntry
SafeEntry is used for contact tracing and data verification through (1) scanning of QR codes or (2) scanning of NRIC at hotspots and high traffic locations. Developed by GovTech, SafeEntry is a national digital check-in system that logs the name, NRIC and mobile number of individuals visiting hotspots and venues providing essential services, as well as the information of people working at places providing essential services.
TraceTogether
The TraceTogether app, which was developed by the Government Technology Agency (GovTech) in collaboration with MOH over the past eight weeks, can be downloaded by anyone with a Singapore mobile number and a Bluetooth-enabled smartphone.
FASTER CONTACT TRACING — THE WHY?
Contact tracing after a COVID-19 case is identified is a complex and arduous process. It involves interviewing the patient, compiling a list of their activities in the past 14 days, and identifying every person they had come into close contact with. This contact tracing is a crucial step to detect potential clusters, investigate them and prevent further spread of COVID-19. To mitigate these problems, SGUnited, GovTech and the Ministry of Health (MOH) developed a tech solution through a simple app. TraceTogether is an app that is downloaded voluntarily and facilitates the contact tracing process.
The TraceTogether app exchanges short-distance Bluetooth signals with other phones when they are in proximity, making it easier for authorities to conduct contact tracing when an individual tests positive for COVID-19. Current MOH guidelines define proximity as two metres apart, or up to five metres, for 30 minutes. With the individual’s consent, the app exchanges encrypted and anonymised Bluetooth signals with nearby mobile phones running the same app for up to 25 days.
Once an individual with COVID-19 is identified, the individual must agree to allow MOH to access the data log in the TraceTogether app to help identify close contacts. This is useful, especially when the individual has problems recalling contacts.
MOH then decrypts the temporary IDs in the user’s app using its privately held key and obtains a list of phone numbers from the uploaded data log. Each phone number will only have the information related to the Bluetooth signal strength and time information. That is all the information that MOH will get from the user’s app log. Based on the signal strength and time information, MOH will then determine which devices were in physical proximity with the confirmed case.
SECURITY FEATURE AND PRIVACY SAFEGUARDS
As per the Personal Data Protection Act (PDPA), the Government had stressed that the use of the app is voluntary and that users must give “explicit consent” to participate in TraceTogether. This consent can be withdrawn anytime, according to GovTech. The app had several security layers and privacy safeguards in place. The Authorities, including MOH and GovTech, have no knowledge of the user’s data as these logs are only deciphered and analysed after the user sends the information.
Users will submit only their mobile numbers after downloading the app. Each phone will then be assigned a user ID. The user ID is then used to generate temporary IDs at regular intervals. It is this temporary ID that is exchanged between the phones of TraceTogether users. Such regular generation of temporary IDs protects users from eavesdropping and tracking over time by malicious actors, according to GovTech. No other personal detail, such as names, will be collected.
TraceTogether uses Bluetooth, a short-range peer-to-peer communications technology. It does not collect or use location data of any kind, such as GPS. This means that contact tracers can only establish location information during verbal interviews. All TraceTogether logs will be stored locally on the user’s phone in an encrypted form.
When the app is running on the mobile phone, it will create a temporary ID, generated by encrypting the User ID with a private key that is held by MOH. The temporary ID is then exchanged with nearby phones, and regularly renewed, making it impossible for anyone to identify or link the temporary IDs to the individual. The temporary ID can only be decrypted by MOH, with MOH’s privately held key. The mobile phone can store the temporary IDs from nearby phones, together with information about the nearby phone’s model, Bluetooth signal strength, and time. All this information is stored locally on the mobile phone, and not sent to MOH, unless the individual is a COVID-19 case.
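The rotating temporary ID scheme described above, sketched as an added example; it is not TraceTogether, OpenTrace or BlueTrace source code. It assumes the key holder issues the IDs, uses AES-256-GCM as the cipher, and picks a 15-minute lifetime and payload layout for illustration; the function names are hypothetical.

```javascript
// Added illustration only; names, layout and lifetime are assumptions.
const nodeCrypto = require('node:crypto');
const LIFETIME_S = 15 * 60; // assumed rotation interval

// Key holder side: encrypt (start, expiry, userId) into one temporary ID.
function issueTempId(key, userId, startS) {
  const plain = Buffer.alloc(8 + Buffer.byteLength(userId));
  plain.writeUInt32BE(startS, 0);
  plain.writeUInt32BE(startS + LIFETIME_S, 4);
  plain.write(userId, 8, 'utf8');
  const iv = nodeCrypto.randomBytes(12); // fresh nonce: IDs look unrelated
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plain), cipher.final()]);
  return Buffer.concat([iv, body, cipher.getAuthTag()]).toString('base64');
}

// Key holder side: recover the user ID from a logged temporary ID, or null.
function resolveTempId(key, tempId, seenAtS) {
  const raw = Buffer.from(tempId, 'base64');
  if (raw.length < 12 + 8 + 16) return null; // too short to be valid
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(raw.length - 16);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  let plain;
  try {
    plain = Buffer.concat([decipher.update(raw.subarray(12, raw.length - 16)), decipher.final()]);
  } catch { return null; } // forged or corrupted ID fails the GCM tag check
  const start = plain.readUInt32BE(0);
  const expiry = plain.readUInt32BE(4);
  if (seenAtS < start || seenAtS >= expiry) return null; // replayed outside its window
  return plain.toString('utf8', 8);
}

// Constructed sample values: one user, two consecutive rotation windows.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const t0 = 1593000000;
  const a = issueTempId(key, 'user-0001', t0);
  const b = issueTempId(key, 'user-0001', t0 + LIFETIME_S);
  const forged = Buffer.from(a, 'base64'); forged[20] ^= 1; // flip one ciphertext bit
  return {
    distinct: a !== b,                                    // same user, unlinkable IDs
    resolved: resolveTempId(key, a, t0 + 60),             // inside the window
    expired: resolveTempId(key, a, t0 + LIFETIME_S + 1),  // after expiry
    tampered: resolveTempId(key, forged.toString('base64'), t0 + 60),
  };
}
console.log(demo());
```

Binding the validity window into the encrypted payload lets the key holder discard an ID that was recorded and rebroadcast after its lifetime, which encrypting the user ID alone would not detect.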
“These security measures protect users from malicious actors who may seek to eavesdrop and track interactions over time. However, the Government has decided not to make the download of the app compulsory as it does not work equally well across different smartphone operating systems,” Dr Vivian Balakrishnan said.
The Government had made it compulsory for foreign workers living in dorms to download the app, and Dr Balakrishnan urged more people to adopt TraceTogether.
TECHNOLOGY BEHIND TRACETOGETHER
The generic codebase, called OpenTrace, comprises the reference implementation source code for an iOS app, an Android app, and a central server that is built around Google Firebase (although implementations built on other cloud service providers are also possible). It includes basic calibration data for a range of popular mobile phones.
In addition, GovTech had published the BlueTrace protocol, which both OpenTrace and TraceTogether are built on. Apps that implement the BlueTrace protocol are assured of interoperability across jurisdictions.
CONTACT TRACING IS CENTRALISED
Though the contact data log had been decentralised, the fundamental design of TraceTogether is a hybrid system rather than a fully decentralised system. “While it is possible to have a completely decentralised system, positive COVID-19 diagnoses still have to be authenticated to prevent abuse and fraudulent reports leading to unnecessary panic. Capacity permitting, having a human-in-the-loop system is prudent and reliable,” TraceTogether product lead Mr Jason Bay explained.
Centralised contact tracing occurs once users provide consent and upload their data to MOH. This gives the contact tracing experts room to make their professional assessment in classifying contacts as either transient, casual, or close contacts. The thresholds for classifying contact between individuals can be adjusted for individual circumstances and tuned as necessary to fill gaps in a COVID-19 patient’s memory.
UNFLATTERING HYPE ON TRACETOGETHER
Currently, the hype and attention are focused on TraceTogether, but its sister software app SafeEntry should be of grave concern. With TraceTogether, the data is stored in the mobile phone and is created with layers of security protocol and the Personal Data-By-Design principle, based on the nine obligations[1] in the Data Protection Provision of the Personal Data Protection Act (PDPA), and with a random anonymised User ID. In using the TraceTogether app, the only data required is the user’s mobile number. This is the only personal data that MOH requires, and it is stored in a highly secured server together with a random anonymised User ID that is linked to the user’s mobile number. The security level of this server is as high as that of servers that store other official information.
In comparison, from a PDPA perspective, things are a little grey when it comes to the SafeEntry app. Essentially, the SafeEntry visitor management system is used to record entry and exit via the app. However, the app requires No consent and asks for FULL details of an identification number such as NRIC, FIN etc., and it has a location log of all the various positions and locations that the individual had been to, based on the GPS and time stamp of the individual’s mobile phone.
“As a start, the deployment will be made mandatory for places where individuals are likely to be in close proximity for prolonged periods or in enclosed spaces, or where there is higher traffic,” said the Government in a 9 May 2020 joint press release.
As mentioned earlier, check-in with SafeEntry can be done by scanning the barcode on an ID card or an equivalent, such as MOM-issued work-pass cards, MOM-issued visit pass cards and the barcode of the TraceTogether app. The SafeEntry venues implementing this solution include workplaces such as offices and factories, schools, healthcare facilities, community care facilities, hairdressers, supermarkets, popular wet markets, malls and hotels.
Next, unlike TraceTogether, where the data is stored in the mobile phone, SafeEntry data is stored in servers and can be breached unless security infrastructure protection and firewalls are in place and continuously updated against malicious cyberattacks. According to SafeEntry.gov, as at 29 Jun 2020, the latest SafeEntry NRIC v1.0.6 had been launched to “fix bugs”; this is the sixth version since the SafeEntry NRIC v1.0.1 update of 28 May 2020.
As such, though SafeEntry is an innovative technological solution by GovTech and MOH, it does not explicitly state and fulfil the nine obligations based on the Data Protection Provision. The obligations that need to be reviewed on the Gov.sg website for SafeEntry include (1) Consent Obligation, (2) Purpose Limitation Obligation, and (3) Retention Limitation Obligation, so that the public can be assured as it is with the use of the TraceTogether app.
Hence, I will continue to monitor and research more on SafeEntry and de-mystify the “safeness” of SafeEntry in my future analysis.
Be Safe, Stay Vigilant and stay healthy!
Thank you.
[1] The nine obligations in the Data Protection (DP) Provision are (1) Consent Obligation, (2) Purpose Limitation Obligation, (3) the Notification Obligation, (4) Access and Correction Obligation, (5) Accuracy Obligation, (6) Protection Obligation, (7) Retention Limitation Obligation, (8) Transfer Limitation Obligation and (9) Openness Obligation.