Published daily by the Lowy Institute

Singapore: data leaks in a “Smart Nation”

Robust processes and security apparatus are needed before embracing the collection of vast amounts of sensitive data.

Photo: Lucas Gallone/Unsplash
Published 12 Feb 2019   Follow @kixes

Medical advances have turned HIV into a manageable condition, allowing people living with HIV (PLHIV) to live as long and as healthily as anyone else. But there is, unfortunately, no medication that can combat stigma and prejudice. It’s unsurprising, then, that many PLHIV choose to keep quiet about their status, keeping it from employers and acquaintances, sometimes even family and friends.

Then, on 28 January 2019, Singapore’s Ministry of Health announced that the personal data of 14,200 PLHIV – along with 2,400 of their contacts – had been “illegally disclosed online”.

The repercussions of such a leak are serious. While Singapore has labour laws meant to protect employees from wrongful dismissals, there are still reports of PLHIV facing discrimination while job-hunting or being fired for reasons that are related but not directly due to their HIV status – such as failure to declare their health status in their job applications.

The government has identified the suspected culprit: American Mikhy Farrera-Brochez, who had previously been convicted for swapping blood samples with his then-partner Ler Teck Siang to hide his own HIV status so he could get a work visa in Singapore. It is alleged that Ler, a doctor who had headed the National Public Health Unit, had mishandled confidential information from the HIV registry, leading to it ending up in Farrera-Brochez’s hands.

While this incident was apparently brought about by mischief, it isn’t the only data or privacy breach in recent years. Last year, the non-medical information of 1.5 million patients – including that of Prime Minister Lee Hsien Loong – was stolen from SingHealth, the largest group of healthcare institutions in the country. The incident has been described as the “most serious breach of personal data” in the city-state’s history. The government has said that “appropriate action” has been taken against the cyberattacker, but declined to name the perpetrator for national security reasons.

In 2014, the government said that 1,560 SingPass accounts could potentially have been accessed without authorisation. SingPass is a password system that allows Singaporeans access to a variety of online government services, from paying taxes to applying for public housing or even redeeming subsidies for skills-training courses.

These incidents demonstrate the risks and challenges of maintaining cybersecurity and protecting individual privacy while amassing large quantities of data. But Singapore has so far been undeterred in its desire to forge ahead, embracing technology in its “Smart Nation” push.

More “high-tech” initiatives are underway or being proposed. The government is looking into a satellite-based road toll system that tracks cars and charges them based on the distance they’ve travelled on congested roads. There is interest in facial recognition lamp-posts, on top of plans to use thermal cameras to catch people smoking in places they shouldn’t. There is a push for the National Electronic Health Record system, which would compel private doctors to forward the medical information they’ve collected from their patients to the centralised database.

In his speech at a police force seminar last year, Minister for Home Affairs K Shanmugam also brought up the importance of harnessing technology in law enforcement, singling out China as a model. 

“As we are doing it, we can look at what other countries are doing. Of course, I think one of the leaders in this has been China – one of the largest CCTV networks in the world,” he said. “What is very impressive is that their officers already seem to be cutting edge.”

“Our capabilities must similarly be that if something happens, we want to trace the person, we need to have complete real-time capabilities … We are not there yet. We have to get there.”

These moves are often presented to Singaporeans as necessary for convenience, efficiency, and security. It’s not hard to see the benefit of a database that would allow doctors to get a holistic view of a patient’s medical history, instead of having the information scattered across different clinics and hospitals. For those of us hooked on police procedural dramas, it also seems highly logical and persuasive that comprehensive CCTV networks help cops catch bad guys.

But the flip side of such large-scale data hoarding is far less discussed in Singapore. Decisions about the collection and centralisation of data should only happen after critical reflection and discussion over the trade-offs involved, yet questions about how and where data is stored, who gets access to it and for what reason, are rarely addressed in depth. While Singapore does have personal data protection laws, the legislation specifically exempts the government, which means that citizens have limited avenues to monitor and restrain the way in which the government uses our data.

Following each security breach, the government has taken steps to improve security and protect confidential information, introducing two-factor authentication, adding new rules to restrict access, convening committees to look into failures and meting out punishments.

These are important and necessary moves to make, but it’s worth considering if some of these breaches could have been avoided in the first place if there had been a more open and robust discussion about why and how things are done. For instance, why does the head of the National Public Health Unit – who presumably doesn’t do frontline work with PLHIV – have such easy access to information such as the addresses and phone numbers of PLHIV? Why had that information not been compartmentalised or anonymised?

“We knew that becoming a Smart Nation would expose us to serious online threats. But not adopting IT was not an option,” Finance Minister Heng Swee Keat recently wrote in an op-ed published in the mainstream media. This statement, while correct, misses the point – it’s not a simple question of “do or don’t do”, but about the need for robust processes and scrutiny before uncritically embracing technology and data. Without this, the rush to be a “Smart Nation” could turn out to be a rather stupid move.
