Tue Jan 05 00:26:33 +0000 2021

Ok, seems like as good a time as any to take another look at where the data used by #TraceTogether is stored, and what are the implications of the police having access to it. 1/

First, let's talk about identities. There are 3 kinds of identities in TT. First is your actual PII: your NRIC number, contact number, etc. Second, a unique ID that is generated per user, the ttID. Third, temporary IDs that are broadcasted to other users, TempIDs. 2/

The server holds a mapping between the permanent ttID, and your PII. So with access to the server, it can determine who (in "real life") a ttID is. The phone holds your ttID, and it also appears in comms between client and server (including Firebase). 3/

TempIDs contain the ttID, but are encrypted using a secret key that only the server has. TempIDs are broadcasted to other devices, and so your TempID might be in somebody else's phone. To map from TempID to PII, you first need the secret key, and then the ttID to PII map. 4/

So with that out of the way, there are 3 main data stores we need to think about: 1. the server-side ttID-to-PII map and TempID decryption key, 2. the client-side database containing TempIDs (known as the StreetPassRecord database), and 3. the client-side TempID cache 5/

So, suppose the police have full access to the server-side info, and they seize your device with TT installed. They can then find out the full identity of every other person (running TT) that you were in proximity to over the past 2 weeks. 6/

Suppose you delete TT from your phone, or the police can't access your device for whatever reason. Then they can't obtain your list of contacts. But they would still be able to tell you were nearby some other person running TT, if they could access that person's records. 7/

Because that person's phone would contain your TempIDs, which the police can decrypt. 8/

If you ask the server to delete your data, and they honour that? IIRC GovTech says this includes the key used to decrypt your TempIDs. If true, then TempIDs residing in other devices can't be mapped to you anymore. There's no way of confirming this though. 9/

A clarification on this point: I took a quick look at the open sourced server side code, and there should be a single key used to decrypt all TempIDs (somebody who knows GCP better than me please verify). So what they delete is the link between your PII and your ttID.

Wed Jan 06 05:08:59 +0000 2021