[Editorial update: 4 May, 11:25am] We have updated the article with clarifications from GovTech. The rating has been changed from unproven to false.
We came across this conversation thread on a Singapore-based Telegram group:
One commenter alleges that the app “leaves cookies in your phone”, and claims that the reader still beeps whenever they walk past it. According to another commenter, individuals can allegedly still be tracked and traced even after deleting their TraceTogether app because the government “already [has] your bluetooth hardware address”.
As of 26 April, the TraceTogether app and token have become somewhat obsolete as most places will no longer require individuals to do SafeEntry check-ins in lieu of vaccination-differentiated safe management measures (VDS) being eased. Other than events with more than 500 participants, nightlife establishments and F&B outlets, VDS will be removed for all other settings.
On 22 April, Health Minister Ong Ye Kung clarified that “[In places] where VDS still applies […] SafeEntry check-in will still be required to verify the vaccination and test status of the participants.”
He added that the use of TraceTogether as a contact tracing tool will be stepped down, and will restrict the application to “purely verifying vaccination status”.
He also shared that “All SafeEntry data to a premise or event will not be retained and they will be purged within a day”.
Privacy concerns about TraceTogether and the ‘reader’
To deduce whether there is any ounce of truth in the comments made on the Telegram group, let’s first do a quick refresher of how data is collected and stored under the TraceTogether programme.
According to the TraceTogether website, TraceTogether exchanges Bluetooth proximity data with other devices participating in the TraceTogether Programme. The data collected is anonymised and encrypted, and does not reveal an individual’s identity or the other person’s identity. To estimate distance, device models and signal strength recorded is also shared, since different devices transmit at different power.
However, TraceTogether does not collect geolocation data.
The Bluetooth data is stored only on one’s phone, and will be automatically deleted from the device after 25 days. However, if one chooses to delete the app from their phone, all locally-stored data in the app will be deleted and the individual will no longer be able to share the stored logs should they be contacted by a contact tracer.
Next, the ‘reader’ as mentioned is the SafeEntry Gateway system (SEGW Box) which works by exchanging Bluetooth signals with the TraceTogether app on a phone or token within a 25cm range.
The SEGW Box beeps and shows a green light when a TraceTogether app or token is held near it. The system was implemented at venues with higher throughput of visitors (e.g. malls, hospitals and polyclinics, selected popular wet markets, ticketed attractions) and where people are likely to be in close proximity for prolonged periods with their masks off (e.g. dine-in food and beverage outlets, gyms, personal care services).
When we reached out to GovTech, a representative clarified both claims.
First of all, they explained that TraceTogether is “not used to track and trace individuals” and that it “does not collect Bluetooth hardware address, and only records anonymised proximity information”. They added that the “anonymised proximity information is stored only in the device, and is automatically deleted from the device after 25 days”.
Next, the only possibility that the SEGW Box beeps even after an individual deletes the TraceTogether app is if the Box is faulty. They explained: “SEGW devices will only beep if they detect a TraceTogether proximity Bluetooth signal. This means that if the phone does not have the app installed, the SEGW devices would not be able to pick up these signals.”
“If the user is certain that the SEGW is beeping because of his phone, he should contact the SafeEntry Helpdesk to check if the SEGW Box is faulty,” they added.
Therefore, the claims that the app “leaves cookies in your phone” (leading to the SafeEntry Gateway beeping even after deleting the app), and that the government can continue to track you because it “already [has] your bluetooth hardware address” are false.