There’s been much talk since a wearable contact tracing device was announced by Smart Nation Programme Office Minister-in-charge Vivian Balakrishnan, chief of which are privacy concerns.
Roland Turner, Chief Privacy Officer at a software company, attended a GovTech session featuring the upcoming TraceTogether token last Friday (19 Jun), along with 3 others.
In a post on his website detailing the session, he noted that the token’s battery power means there’s little room for any malicious actor to use the device for location-tracking.
You can read the full account here, but we’ve summarised some of the key points below.
Mr Turner enjoyed the fact that the token’s battery, a large coin cell, is not only non-rechargeable but can also last for around 9 months.
This means that one can hook the token like a keychain and forget that it exists, he said, which is great in terms of ease of use.
However, the battery generates little to no power, and Mr Turner believes there are some downsides to this.
One of these is that a less secure encryption code can be used, which might lower the token’s security. Someone from GovTech did tell him, however, that there were “multiple layers providing cumulative protection”, although he couldn’t go into detail.
He doesn’t quite agree with this approach, specifically due to the fact that the token’s sensitive secrets can be accessible to adversaries.
Attendees were allowed to examine the components of the token, and Mr Turner confirmed that there was no GPS receiver present.
This does mean that the token doesn’t track locations.
What he did find were the following:
None of these, he says, were obviously out of the ordinary.
In conclusion, what Singaporeans are most concerned about — the token is safe for use for its intended purpose, which is contact tracing.
Certainly, its features means that it won’t serve as a useful tracking device.
However, much of the device’s security was shrouded in secrecy and Mr Turner expected more disclosures on that front. Regardless, he believes that the token has appropriate security measures in place to prevent exploits.
So, the token seems very much like a work in progress. However, as far as the main feature goes, the token can’t really be used as a location tracking device.
Given the token won’t be compulsory to use, that should be one fear assuaged by those concerned about privacy losses.
Featured image adapted from Facebook.
A record of more than 553,000 travellers crossed both checkpoints on 13 Dec.
There has been no year-end Covid-19 wave, as had been expected.
The beef was imported without a veterinary health certificate and halal certification.
One fan started queueing as early as 7am.
The company made the change after parents said they wanted to make sure their gifts…
An incredible twist of fortune for the police -- and a stroke of bad luck…