“Health records” hacking: “Protection” vs “Surveillance”?

Electronic-health-records

Are we spending too much on “surveillance, propaganda and influencing”, relative to protecting our systems? 

I refer to the article “Here’s why we should all be concerned about the hack on SingHealth” (unscrambledsg, Jul 21).

It states that “First concern is whether this is just a dress rehearsal for something bigger, something more sinister.

Are the culprits just sending a message with this hack? It could be them telling us: “Today I can hack your medical systems. Tomorrow, it’ll be something more deadly”.

And even if they can’t really do more harm than stealing medical histories, planting that seed of doubt alone is already harmful.

Then there is the loss of confidence in the government. There are already people blaming the government.

It will take immediate action to strengthen our public sector IT systems and databases against similar cybersecurity attacks. And a Committee of Inquiry will be formed to conduct an independent external review. We will get to the bottom of this.”

According to the article “Singapore an advanced surveillance state, but citizens don’t mind” (techinasia, Nov 26, 2013) – “Leaks of top secret documents by intelligence whistleblower Edward Snowden has exposed Singapore as a key “third party” providing five countries, including the United States and Australia, secret access to Malaysia’s communications data.

However, the news, which suggests that the state has the resources to spy on its own citizens, got little traction within the country. Revealed in August, the pageviews only snowballed recently, and even so, it garnered a weaker reaction than the entrance of extra-marital dating site Ashley Madison into Singapore, a move which sparked an outcry among conservative Singaporeans.

It seems that citizens are more concerned about moral policing than the possibility of having their actions monitored by the state.

Singapore has unfettered access to citizen’s data

The recent leaks about the NSA’s highly organized attempts to spy on the world has not led to an outcry in Singapore. Few ask if the government has PRISM-like programs in place to monitor citizens, but few doubt that the state can get private data whenever it wants. It’s an accepted but hidden fact of life.

Online services and Internet Service Providers (ISPs) in Singapore are at the mercy of the government. Laws are so broadly phrased that the government can obtain access to sensitive data like text messages, e-mail, call logs, and web surfing history without court permission. Contrast this with the United States, where a court order or search warrant is required to obtain data without the user’s knowledge.

Singapore’s Computer Misuse and Cybersecurity Act has been amended to let the government compel organizations to do pre-emptive surveillance. The Criminal Procedure Code is phrased in such a way to enable investigators to forcibly obtain any information they need.

The newly enacted Personal Data Protection Act, meanwhile, is aimed more at restricting companies’ use of private data. Government agencies are exempted from most parts of the Act.

The state’s obtaining of user data without permission is historical fact. In 1999, SingTel was found to have scanned its customers’ computers surreptitiously under the orders of the Ministry of Home Affairs. In 2008, ISPs were forced to disclose personal details of its subscribers in a lawsuit involving copyright infringement.

Then between 2008 and 2009, a police officer was arrested for using his office database to obtain the addresses and criminal records of several individuals, including past girlfriends, while an immigration officer was charged with helping his foreign mistress enter the country with a fake identity.

This year, a group of youths were rounded up for questioning for holding illegal public protests held under the banner of the Anonymous movement. These individuals coordinated their plan on Facebook.

Government data requests

According to a Global Government Request Report released by Facebook, the Singapore government has made 107 information requests in the first half of 2013, which when adjusted to population size, makes it one of the highest in requests per capita (but still lower than the United States). It has made 111 information requests to Google over the same period.

In response to a question made in Parliament about these data requests, Deputy Prime Minister Teo Chee Hean responded that the government has made about 600 combined requests a year to Google, Facebook, and Microsoft from 2010 to 2012, of which the majority were for investigating Computer Misuse and Cybersecurity Act offenses, while the rest were for crimes like corruption, terrorist threats, cheating, theft, gambling and vice. These requests were for non-content data like account-related information and login details.

While the government says that it uses its powers in a lawful manner, it’s worth bearing in mind that Singapore law is noted for its broad and all-encompassing phrasing.

Under the Sedition Act, anything deemed to “excite disaffection against the Singapore government” could be grounds for arrest. The law was recently wielded against political cartoonist Chew Peng Ee and a number of political dissidents in the past.

This creates paranoia which causes citizens to stop debating openly or participate in civil activism due to the state’s ability to penetrate deep into our most intimate behavior.”

According to the article “When your defenders are trolls—the PAP Internet Brigade” (The Indpendent, Jun 4, 2018) – “Similar to other countries around the world, Singapore also has its share of internet trolls whose main job is to defensively comment on social media or other web forums. One such group is the PAP Internet Brigade or PAP IB, as written about in the Tumblr site papbrigade.tumblr.com, as well as other websites.

According to papbrigade.tumblr.com, the PAP IB is composed of youths who are members of PAP. They do their “intelligence” work in shifts starting early in the morning, often using fake accounts. They purposely watch discussions closely, and comment with opposing perspectives when needed, or even post fake news items to mislead readers.

The PAP IB is not a new organization, in fact the seed of it has been in existence even before 2007, when reports concerning a “counter-insurgency” against critics of PAP emerged.

Another question brought up on the Tumblr site regards who is paying for the site—whether it’s the party or the government itself.”

According to the article “Singapore is using spyware, and its citizens can’t complain” (digitalnewsasia, Aug 3, 2015) – “THE Singapore Government is using spyware that can copy files from your hard disk; record your Skype calls, e-mails, instant messages and passwords; and even turn on your webcam remotely – and if you’re Singaporean, you have no constitutional right to complain.

Yes, that’s right – the Singapore Constitution does not include a right to privacy. In addition, because of various pieces of legislation including the Criminal Procedure Code (amended in 2012) and the Computer Misuse and Cybersecurity Act (amended in 1997), the Government does not need prior judicial authorisation to conduct any surveillance interception.

Indeed, the regulatory structure governing the surveillance of citizens is very much controlled by the Executive branch, with little judicial oversight, according to Eugene Tan, assistant professor with the School of Law at the Singapore Management University (SMU).

“I would say that we are in a state of affairs in which very little is known about what the Government conducts surveillance on, how it does it, and the regulatory controls in place

The Infocomm Development Authority of Singapore (IDA) was also listed as a current customer, after it renewed its maintenance contract with Hacking Team for the company’s Remote Control System software in February.

In its June 2015 report entitled The Right to Privacy in Singapore: Stakeholder Report Universal Periodic Review 24th Session, Privacy International said that despite some evidence from security researchers, details of the capacity of the Singaporean Government to conduct surveillance and the scope of its surveillance infrastructure remain unknown.

“Yet, it is widely acknowledged that Singapore has a well-established, centrally-controlled technological surveillance system designed to maintain social order and protect national interest and national security,” the report said.

The surveillance structure in Singapore spreads wide from CCTVs (closed-circuit televisions), drones, Internet monitoring, access to communications data, mandatory SIM card registration, identification required for registration to certain websites, and the use of big data analytics for governance initiatives including traffic monitoring.

In 2013, Citizen Lab of the University of Toronto found evidence that PacketShaper, produced by the US-based security firm Blue Coat Systems Inc, was in use in Singapore.

PacketShaper allows the surveillance and monitoring of user interactions on various applications such as Facebook, Twitter, Google Mail, and Skype.

Citizen Lab also found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries, including Singapore.

However, the Singapore Government has denied using spy software.

Asked about what controls there were to prevent the use of private surveillance industry products to facilitate human rights abuses by the Government, Tan said he was not aware of any such controls in place.

“But the Singapore Government treads very carefully to ensure that it stays within the law and does not run afoul of its human rights obligations,” he said.

Tan said that judicial review could be one mechanism by which concerned citizens could challenge the Government’s decisions and actions.

“But the difficulty is always obtaining evidence that one has been ‘surveilled’ indiscriminately or for unlawful purposes,” he said.

Refusal to ratify international covenant

The Privacy International report also noted that Singapore has not ratified the International Covenant on Civil and Political Rights (ICCPR).

Article 17 of the ICCPR provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.”

“This raises significant concerns in light of the fact that the legal framework regulating interception of communication falls short of applicable international human rights standards, and judicial authorisation is sidelined and democratic oversight is non-existent,” the Privacy International report said.

Tan said that Singapore has not indicated any intention to sign the ICCPR.

“A third challenge is the need for civil society to meaningfully engage the Government without the Government being concerned that a more robust regime would curb its operational effectiveness and efficacy – while ensuring that the maintenance of national security does not result in abuses of rights,” he added.”

So, how much are we spending on “protection” of our systems, versus “surveillance, propaganda and influencing”?

Leong Sze Hian

 

 

About the Author

Leong
Leong Sze Hian has served as the president of 4 professional bodies, honorary consul of 2 countries, an alumnus of Harvard University, authored 4 books, quoted over 1500 times in the media , has been a radio talkshow host, a newspaper daily columnist, Wharton Fellow, SEACeM Fellow, columnist for theonlinecitizen and Malaysiakini, executive producer of Ilo Ilo (40 international awards), Hotel Mumbai (associate producer), invited to speak more than 200 times in about 40 countries, CIFA advisory board member, founding advisor to the Financial Planning Associations of 2 countries. He has 3 Masters, 2 Bachelors degrees and 13 professional  qualifications.