9 geeky myth busting facts you need to know about TraceTogether

TraceTogether is a mobile app that supports Singapore’s efforts to mitigate the spread of COVID-19 through community-driven contact tracing. Through the exchange of short-distance Bluetooth signals between mobile phones with the installed app, each phone can detect other participating TraceTogether phones that are in close proximity.

Here’s a handy list of nine geeky facts you need to know about TraceTogether.

Myth #1 — The government uses the TraceTogether app to track or spy on citizens' whereabouts.

No, the TraceTogether app does not collect any location data, and there is no way for the government to locate your whereabouts with this app. The app uses Bluetooth technology to exchange connections with nearby devices that have the app. The app only has the ability to show connections between devices and not their locations. Furthermore, the logs stay in your phone. Should MOH need the logs for contact tracing, they will seek your consent to share the logs with them.

Myth #2 — With the TraceTogether app running on my Bluetooth-enabled mobile phone, anyone, including the government, can hack into it and extract all information.

TraceTogether uses Bluetooth, a short-range peer-to-peer communications technology that is ubiquitous in mobile phones and devices today. It can only transmit signals within a range of about 10 meters. Using TraceTogether is no different from connecting other devices or wearables to your phone via Bluetooth. Ensure that your phone operating system is updated to use Bluetooth safely. It is difficult for anyone to get close enough to you and use a computer to extract information from your phone without you noticing.

Myth #3 — If I download TraceTogether and give consent to all in-app functions, I am essentially allowing the Ministry of Health (MOH) and the government to collect and gain access to all my personal data, as well as the data in my phone.

When you set up TraceTogether, you will only be asked for your mobile number. This is the only personal data that MOH will hold about you, and it is stored in a highly secured server together with a random anonymised User ID that is linked to your mobile number. The security level of this server is as high as that of servers that store other official information.

All MOH will get is your phone number. Commercial apps for emails, web browsing and movie-watching collect more data about you than this app.

When the app is running on your phone, it will create a temporary ID generated by encrypting the User ID with a private key that is held by MOH. The temporary ID is then exchanged with nearby phones and renewed regularly, making it impossible for anyone to identify or link the temporary IDs to you. The temporary ID can only be decrypted by MOH using MOH’s privately-held key. Your phone will store the temporary IDs from nearby phones, together with information about the nearby phone’s model, Bluetooth signal strength, and time. All this information is stored locally on your phone and not sent to MOH unless you are contact-traced.

These measures protect users from malicious actors who may seek to eavesdrop and track interactions over time.

Myth #4 — If MOH contact-traced to me and asks me to upload the data stored in the TraceTogether app, the Ministry can also extract any other data that they want from my phone.

When a TraceTogether user is a confirmed COVID-19 case and agrees to upload the data log in the TraceTogether app to MOH, MOH will decrypt the temporary IDs in the user’s app using its privately-held key and obtain a list of phone numbers from the uploaded data log. Each phone number will only have the information related to the Bluetooth signal strength and time information. That is all the information that MOH will get from the user’s app log. Based on the signal strength and time information, MOH will then determine which devices were in physical proximity to the confirmed case.

Myth #5 — I do not wish to download this TraceTogether app, which will increase the risk of a data breach on my phone.

The TraceTogether app does not increase the risk of a data breach on your phone. Given the app’s security and privacy safeguards, the risk of a data leak from your phone as a result of TraceTogether is very low. By downloading the app, you can tap on technology to enhance contact tracing – a key pillar of Singapore’s fight against COVID-19. The choice is yours to make.

Myth #6 — All information in the TraceTogether app is uploaded onto a server that faces a perpetual threat of being hacked into.

Apart from your mobile number, at the point of registration, all data collected through the TraceTogether app is stored locally in your phone in an encrypted form. It is not uploaded to any central server. The data will be accessed when you have been confirmed as a COVID-19 patient. The MOH contact tracing team will then ask you for explicit approval to access the data in your app, and it is transferred to private storage that is not exposed to the Internet.

Myth #7 — Other TraceTogether users can see my phone number.

Mobile numbers are not revealed to other TraceTogether users. Only temporary IDs, generated by encrypting the User ID with a private key that is held by MOH, are exchanged between phones. Your mobile number remains secret and is not exchanged with other mobile phones. As an added layer of protection, the temporary IDs are refreshed regularly. Even if you could decrypt the temporary IDs, you would still not be able to obtain the mobile numbers of people you have been in contact with.

Myth #8 — Even after I uninstall the TraceTogether app, my mobile number and the randomised User ID will remain on the server forever.

Once TraceTogether is uninstalled or the app’s functionality disabled, all connection data collected on your phone will be lost. You can also request that your mobile number and User ID be removed from the server. This immediately renders all data collected by other TraceTogether phones about their interactions with you meaningless because that data can no longer be associated with you.

Once contact tracing activities cease, the TraceTogether app will prompt users to deactivate its functionality.

Myth #9 — Running the TraceTogether app in the background uses up a lot of data and phone battery.

The app uses about 1MB of data in a day, equivalent to the data used by watching 1 second of a high-definition movie, and consumes only marginally more battery than phones that already have Bluetooth enabled.