TraceTogether Token Doesn’t Need Recharging

There’s been much talk since a wearable contact tracing device was announced by Smart Nation Programme Office Minister-in-charge Vivian Balakrishnan, chief of which are privacy concerns.

Roland Turner, Chief Privacy Officer at a software company, attended a GovTech session featuring the upcoming TraceTogether token last Friday (19 Jun), along with 3 others.

Source

In a post on his website detailing the session, he noted that the token’s battery power means there’s little room for any malicious actor to use the device for location-tracking.

You can read the full account here, but we’ve summarised some of the key points below.

Long battery life

Mr Turner enjoyed the fact that the token’s battery, a large coin cell, is not only non-rechargeable but can also last for around 9 months.

Source

This means that one can hook the token like a keychain and forget that it exists, he said, which is great in terms of ease of use.

However, the battery generates little to no power, and Mr Turner believes there are some downsides to this.

One of these is that a less secure encryption code can be used, which might lower the token’s security. Someone from GovTech did tell him, however, that there were “multiple layers providing cumulative protection”, although he couldn’t go into detail.

He doesn’t quite agree with this approach, specifically due to the fact that the token’s sensitive secrets can be accessible to adversaries.

Lack of GPS receiver

Attendees were allowed to examine the components of the token, and Mr Turner confirmed that there was no GPS receiver present.

This does mean that the token doesn’t track locations.

What he did find were the following:

  • System on a chip
  • 64MB of flash memory
  • Bluetooth radio
  • Real-time clock
  • Coin cell
  • Power regulator
  • Option resistors
  • LEDs
  • Joint Test Action Group (JTAG) pads (unsure)

None of these, he says, were obviously out of the ordinary.

TraceTogether token is fine for contact tracing use

In conclusion, what Singaporeans are most concerned about — the token is safe for use for its intended purpose, which is contact tracing.

Certainly, its features means that it won’t serve as a useful tracking device.

However, much of the device’s security was shrouded in secrecy and Mr Turner expected more disclosures on that front. Regardless, he believes that the token has appropriate security measures in place to prevent exploits.

So, the token seems very much like a work in progress. However, as far as the main feature goes, the token can’t really be used as a location tracking device.

Given the token won’t be compulsory to use, that should be one fear assuaged by those concerned about privacy losses.

Featured image adapted from Facebook.