Singapore is using spyware, and its citizens can’t complain
By Gabey Goh August 3, 2015
- Leaked Hacking Team documents list industry regulator IDA as a customer
- Citizens have no rights to privacy, but Govt concerned about public trust
THE Singapore Government is using spyware that can copy files from your hard disk; record your Skype calls, e-mails, instant messages and passwords; and even turn on your webcam remotely – and if you’re Singaporean, you have no constitutional right to complain.
Yes, that’s right – the Singapore Constitution does not include a right to privacy. In addition, because of various pieces of legislation including the Criminal Procedure Code (amended in 2012) and the Computer Misuse and Cybersecurity Act (amended in 1997), the Government does not need prior judicial authorisation to conduct any surveillance interception.
Indeed, the regulatory structure governing the surveillance of citizens is very much controlled by the Executive branch, with little judicial oversight, according to Eugene Tan, assistant professor with the School of Law at the Singapore Management University (SMU).
“I would say that we are in a state of affairs in which very little is known about what the Government conducts surveillance on, how it does it, and the regulatory controls in place.
“The courts have placed a lot of premium on the Executive's assessment of what national security requires,” he told Digital News Asia (DNA) via email.
The use of surveillance tools – or spyware – by nation-states was brought to the forefront again in July after Italian spyware maker Hacking Team was hacked, and information on its business released on the Internet.
The leak of 300GB worth of data offered a look inside a segment of the security industry that is typically hidden in secrecy.
Disclosed documents showed that Hacking Team had 70 current customers, mostly military, police, federal and provincial governments across the world, and that it had recorded revenue above €40 million (US$44.5 million).
Three Malaysian government entities were named in these records: The Malaysia (sic) AntiCorruption Commission, the Prime Minister (sic) Office and an unknown entity known only as Malaysia Intelligene (sic).
The Infocomm Development Authority of Singapore (IDA) was also listed as a current customer, after it renewed its maintenance contract with Hacking Team for the company’s Remote Control System software in February.
Malaysian civil liberties lawyer Syahredzan Johan told DNA that if it were indeed true that the Malaysian Government was spying on its people, “then major violations of our fundamental liberties would have taken place.”
“Article 5 of the Federal Constitution provides that all persons have the right to life and personal liberty. Personal liberty here includes the right to privacy, as recognised by the Federal Court,” he said.
“So the law recognises the right to privacy. Spying on citizens is a violation of this right to privacy. As such, it contravenes Article 5 of the Federal Constitution,” he added.
The colonial context
Singapore, however, does not afford its citizens such rights. Tan told DNA that the regulatory regime in Singapore was geared towards concerns of national security from the outset.
“So matters like judicial authorisation and where the constitutional rights fit in were probably not incorporated from the start.
“We must remember that we inherited the colonial British apparatus in internal security matters, and so rights did not feature prominently,” he said.
However, Tan said that beyond legal controls, the Government is mindful that any improper use of surveillance apparatus and internal security laws would result in a massive loss of public confidence.
“So this abiding need to maintain the legitimacy, trust and confidence is foremost. It would be accurate to say that the regulatory regime in Singapore is [guided] by non-legal restraints like maintaining public confidence, rather than a reliance on legal mechanisms.
“In short, [it’s] a very different approach altogether from what we see in other liberal democratic controls,” he said.
Depth of surveillance unknown
In its June 2015 report entitled The Right to Privacy in Singapore: Stakeholder Report Universal Periodic Review 24th Session, Privacy International said that despite some evidence from security researchers, details of the capacity of the Singaporean Government to conduct surveillance and the scope of its surveillance infrastructure remain unknown.
Privacy International is a human rights organisation that works to advance and promote the right to privacy around the world.
“Yet, it is widely acknowledged that Singapore has a well-established, centrally-controlled technological surveillance system designed to maintain social order and protect national interest and national security,” the report said.
The surveillance structure in Singapore is wide-ranging, spanning CCTVs (closed-circuit televisions), drones, Internet monitoring, access to communications data, mandatory SIM card registration, identification required for registration to certain websites, and the use of big data analytics for governance initiatives including traffic monitoring.
In 2013, Citizen Lab of the University of Toronto found evidence that PacketShaper, produced by the US-based security firm Blue Coat Systems Inc, was in use in Singapore.
PacketShaper allows the surveillance and monitoring of user interactions on various applications such as Facebook, Twitter, Google Mail, and Skype.
Citizen Lab also found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries, including Singapore.
FinSpy is malware – a software program that gives its operator the ability to observe and control an individual's computer or mobile device – produced by British-German company Gamma International.
However, the Singapore Government has denied using spy software.
Lack of concern
Asked about how the general Singaporean population felt about the carte blanche permission the Government has when it comes to surveillance, SMU’s Tan said it perhaps is a case of “ignorance is bliss.”
“There is implicit trust that surveillance is specifically for security concerns alone, and that there is no mass surveillance.
“Most of the time, people don't think about these things. But all it takes is for one scandal to occur and the state of play will be very different,” he added.
Asked about what controls there were to prevent the use of private surveillance industry products to facilitate human rights abuses by the Government, Tan said he was not aware of any such controls in place.
“But the Singapore Government treads very carefully to ensure that it stays within the law and does not run afoul of its human rights obligations,” he said.
“And where there is use of third-party products, I believe the controls are robust, particularly with what information and surveillance data is provided to or obtainable by private vendors and how they are used,” he said.
Some laws in Singapore regulate the processing of personal data, including in the public sector, such as the Computer Misuse and Cybersecurity Act which criminalises unauthorised access to data. However, they do not regulate or address the lawful collection of data.
Other safeguards for privacy and personal data are included in the Official Secrets Act, the Statistics Act, the Statutory Bodies and Government Companies (Protection of Secrecy) Act, and the Electronic Transactions Act.
Laws that regulate data held by private sector entities include the Personal Data Protection Act, the Banking Act, and the Telecommunications Act; other relevant law includes the law of confidence, which addresses misuse and publication of confidential information.
Tan said that judicial review could be one mechanism by which concerned citizens could challenge the Government's decisions and actions.
“But the difficulty is always obtaining evidence that one has been ‘surveilled’ indiscriminately or for unlawful purposes,” he said.
Refusal to ratify international covenant
The Privacy International report also noted that Singapore has not ratified the International Covenant on Civil and Political Rights (ICCPR).
Article 17 of the ICCPR provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.”
“This raises significant concerns in light of the fact that the legal framework regulating interception of communication falls short of applicable international human rights standards, and judicial authorisation is sidelined and democratic oversight is non-existent,” the Privacy International report said.
Tan said that Singapore has not indicated any intention to sign the ICCPR.
“But the Government here is conscious of the need to do right – especially by the law. So while the regulatory regime is relatively opaque, there are probably internal controls to ensure proper use of the extensive powers of surveillance,” he said.
But Tan also argued that the first challenge is to recognise that there is a need for a regulatory regime that is not centred exclusively on the Executive. This recognition is particularly relevant to the Government.
“Once there is this recognition, then there would be a need to consider the type of regulatory regime,” he said.
“In the Singapore context, we can be sure that the Government would rather [have] a regime that grants it generous latitude about how it conducts surveillance and the broad liberty to exercise discretion in making such decisions.
“A third challenge is the need for civil society to meaningfully engage the Government without the Government being concerned that a more robust regime would curb its operational effectiveness and efficacy – while ensuring that the maintenance of national security does not result in abuses of rights,” he added.