Trust, tracking, transparency – road bumps in Spore’s Smart Nation journey
Recent unhappiness over the Education Ministry’s tracking software and TraceTogether suggests a broader and better narrative on the national digital drive is needed to avoid an erosion of trust arising from such episodic outbreaks.
Netizens in online discussion groups have in past weeks taken issue with the decision by the Ministry of Education (MOE) to make compulsory the installation of a digital management application (DMA) on every secondary school student's personal learning device (PLD).
The complaints, which come on the heels of the TraceTogether episode, have even led to a petition calling on MOE to reconsider implementing the DMA which, as it is rolled out, will allow schools to manage students' usage of tablets or laptops used for learning.
Now, of course, government agencies involved in the two most recent flaps have good reasons for their approach.
In the case of TraceTogether, the Government, even as it has apologised for not being transparent at the outset, had put forward sound reasons why the data gathered by the app may be needed on a case by case basis for solving serious crimes.
In the case of the DMA, the assertion made by some in the online space that MOE was less than upfront cannot be supported. MOE briefing materials made available to parents at an early stage clearly spell out the DMA/PLD requirement and three reasons are given why it is needed.
One concerns security patches and the remote deployment of applications, another concerns monitoring use of the PLD during lesson time, and the third mentions "cyber wellness" and preventing "inappropriate use".
The ministry also assured that the software does not track data like location or keep tabs on details like the user's identification number or password.
Why then the brouhaha?
Two aspects in the case have raised eyebrows and caused consternation. One is that the DMA does track a great deal of information, including out of school activity (controls cannot be overridden). DMA controls extend to the school being able to remotely take control of laptops.
This seems to many to be overreach, given that the DMA will have to be installed on any device, including the ones used at home, so long as they are used to access school learning portals.
One gets the distinct feeling of the intrusion of Big Brother into the home.
Could this have been handled better in terms of communicating the need for the DMA?
MOE chose not to acknowledge the fact that for many, especially in the past year, lessons have been conducted outside the classroom, with students relying on computers and devices used by their parents or other family members for personal matters.
To be sure, some parents will be grateful that activity is monitored and that this responsibility will be taken off their hands. The DMA and the attendant monitoring would presumably curb unfettered consumption of objectionable content by youngsters.
But MOE would presumably have been cognisant that for parents and students who have concerns about compromising their privacy, installing the DMA with its far reaching controls was a non-starter on their home devices.
For this group, having to stop carrying out e-learning on multiple devices and restrict themselves to, presumably, the PDA purchased from the school effects a bifurcation they will feel is forced, and which for many will go against existing fluid arrangements for the use of devices already at the home.
If the PDA devices had been on loan for free from the MOE to students, few would question the reasonableness of the installation of the monitoring software.
But for many of those who will now be buying PDAs with their own money or through Edusave, there will be the feeling that they are in effect relinquishing control of the devices that they consider are rightfully theirs, and have the right to use as a private device.
MOE could have addressed some key points upfront and in doing so avoided the present troubles.
First, acknowledging the very real privacy concerns and addressing, early, the incorrect but developing narrative that students and parents are being "forced" to install the DMA on home devices.
Second, recognising that many parents and students would not want to install the DMA on personal home computers which may hold sensitive and private information.
Third, communicating clearly why the DMA is necessary and providing additional details on how the software can be removed after the students leave school.
It would be helpful too to disclose how long the information will be stored, and which agencies, if any, will have access to the data, including the Web-browsing history (necessary, given some agencies' recent patchy record on data protection); and also the scope for using such data. Can the information be used on a case by case basis for solving crimes, for instance?
Smart Nation journey
It is worth recalling Prime Minister Lee Hsien Loong's comment in a 2018 speech that the Smart Nation initiative was aimed at improving people's lives, and that he did not want it done in a way "which is overbearing, which is intrusive, which is unethical".
Agencies need to go beyond simply stating why they need to collect information to asking whether the implementation of any particular policy puts them, or their vendors, in a position of collecting data in a manner that might be perceived as overreach.
In the case of the DMA/PLD episode, agencies should have asked whether they had the right of egress in the first place into this part of someone's life, simply in an effort, however logical it might seem, to install security patches and prevent misuse. It is not so much a technical question as a philosophical one.
It seems odd and perhaps somewhat paradoxical that the Cyber Security Agency and its partners have been pushing the message that it is first and foremost one's responsibility from a young age to practise good cyber hygiene. Now, some people may be left with the conclusion that just in case you do not, good cyber hygiene will be imposed on you.
Taken together with the TraceTogether app episode, there is the palpable sense of a creeping encroachment on privacy and increasing surveillance.
It was not, it seems, meant to be like this. Government officials and leaders, when commenting in the past about privacy aspects of the Smart Nation initiative, have said that data collected by various initiatives will not be used "for the purposes of social credit scoring or moral policing".
But all this was before the pushback over TraceTogether and DMA. Clearer communication of the fundamental principles and direction of Singapore's Smart Nation drive by the key agencies involved in its implementation would be useful and timely in light of recent events.
This should go beyond the roll-out of talking points to allay specific concerns as and when a case arises. Rather, a more detailed account should be given on the overall approach taken, taking into account the issues that arise at the intersections of tech, surveillance, data and privacy.
This could, and should, encompass fake news and disinformation too, where questions have been raised about the intangible costs of the moves made in recent years to protect ourselves in different ways against them.
Individual agencies are good at explaining the need for policy measures or legislation in support of their Smart Nation efforts, but there has been no overarching narrative tying the entire story together.
We need a comprehensive vision of what we are trying to achieve - a meta narrative. This would give a sense to the people that there is overall coherence in the Smart Nation vision and, if done well, will provide reassurance and shore up public trust that Singaporeans are not constantly under surveillance.
More conversations should also be had among relevant agencies - discussions which will have to remain to some degree behind closed doors - where those responsible for the technical aspects of cyber security enter into deeper discussion with those responsible for overall policy.
Strengthening these conversations will in time mean coming closer to a common understanding of ethical roll-outs of tech-driven initiatives, even as individual agencies may have their own organisational culture when it comes to technology development and adoption.
What diverse agencies may well find too when they compare notes is that when it comes to cyber security, disinformation or cyber wellness, total protection is not possible.
Often, mitigation with appropriately calibrated protection is to be preferred over attempts at complete prevention.
Without a broader narrative of where we are headed and what we are aiming for, and without these conversations, more road bumps at the interstices of technology, surveillance, data and privacy will keep occurring as the Smart Nation journey progresses.
And some of these bumps will likely not simply be temporarily irksome but build up over time into a corrosive erosion of trust.
Shashi Jayakumar is head of the Centre of Excellence for National Security and executive coordinator, future issues and technology, S. Rajaratnam School of International Studies, Nanyang Technological University.
Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.