- Joined
- Jun 4, 2024
- Messages
- 787
- Points
- 43
One teenage rite of passage for Singaporeans is the process of registering for a national registration identity card (NRIC), a physical manifestation of the bond between state and citizen. An adult rite is the act of moving into your own space. The sense of pride, safety and trust through citizenship under a forward-thinking and responsive government, alongside access to affordable housing in a fair and equitable market, have been two quintessential elements of being Singaporean since independence. Yet, two separate incidents in the past week have exposed their respective decay. And together they point to the increasing incompetence and short-sightedness of the ruling People’s Action Party (PAP).
First was the revelation that society should no longer consider NRIC numbers as sensitive and private. Consider the relationships the card mediates between an individual and others, between one’s personhood and the imagined community and state. On each person’s NRIC is printed a name, race, date of birth, sex, address, and an identity number. The NRIC accompanies one throughout life—school, employment, banking and telco services, office visitor registration—in the process reifying the markers through which the state gazes and the gaze is felt.
The only really unique identifier on the NRIC is the eight-digit alphanumeric. Guard it, keep it safe, utter its digits only when necessary. In 2018, the Personal Data Protection Commission (PDPC) announced that from September 2019, organisations would generally not be allowed to unnecessarily collect, use, or disclose the number where the law does not require it. (The government was exempt.) Among other warnings in its advisory guidelines, PDPC said: “Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.” The NRIC number is sacred, Singaporeans concluded.
We were wrong. Let’s recount the events that led to yesterday’s extraordinary press conference. Last Thursday, Bertha Henson, a former journalist turned acerbic social media commentator, revealed the ease with which a visitor to the Accounting and Corporate Regulatory Authority (ACRA) website could access Singaporeans’ NRIC numbers.
A security flaw? Don’t be silly. It was all part of the plan. On Saturday, the Ministry of Digital Development and Information (MDDI), which manages PDPC, said that it had always intended to “unmask” NRIC numbers, “after explaining the issue and preparing the ground”. Masking had apparently offered a false sense of security about the numbers. But before the government had had a chance to conduct “a public education effort”, ACRA had acted preemptively by updating its Bizfile system. “As a unique identifier, the NRIC number is assumed to be known, just as our real names are known.” Duh. Why would you think otherwise?
The patronising tone suggested, once again, that we are daft subjects led by rulers light-years ahead. There was an apology for ACRA’s mistake, but not a hint of contrition about the mixed messaging.
PDPC, 2018: NRIC numbers obtained can be used illegally for identity theft and fraud.MDDI, 2024: Your NRIC number, like your name, is assumed to be known by all.
Ironically, for a statement arguing for transparency with one’s name and NRIC number, not a single civil servant or politician put their name to it. “[T]o be attributed to MDDI spokesperson,” it said, in the typically cold, Orwellian, cover-backside language of late-stage PAP. Across social media, many Singaporeans said they felt gaslit.
In digital security parlance, the two relevant concepts are Identification (Who are you?) and Authentication (Are you who you say you are?). The NRIC number should ideally fulfil only the former—think of it as your digital name—but not the latter, which is perhaps best served by biometrics such as fingerprints. Unfortunately, partly because of Singapore’s inconsistent approach to digital security, individuals and organisations may still be using it for both Identification and Authentication, something alluded to on Monday by Ho Ching, former boss of Temasek, in her otherwise chest-thumping apologia for this brouhaha. (Unlike her elected comrades at the PAP, the unelected Ho is, pity our ears, not shy one.)
This incident has unleashed a wave of fear across society. Have hackers now gained access to Singaporeans’ NRIC numbers? Has it become easier to produce fake Singaporean NRICs? Can others access your housing, banking, and telco records with your NRIC number? Are Singaporeans, already prone to scams, now at even greater risk? What are the implications for Singpass, which partly relies on one’s IC number? (Ho’s son, Li Hongyi, was until recently director of Singpass.) Private sector businesses, who’ve invested in IT security to ensure their customers’ NRIC numbers are protected, must be fuming at the apparent double standards.
More at https://url1.io/gPXie
First was the revelation that society should no longer consider NRIC numbers as sensitive and private. Consider the relationships the card mediates between an individual and others, between one’s personhood and the imagined community and state. On each person’s NRIC is printed a name, race, date of birth, sex, address, and an identity number. The NRIC accompanies one throughout life—school, employment, banking and telco services, office visitor registration—in the process reifying the markers through which the state gazes and the gaze is felt.
The only really unique identifier on the NRIC is the eight-digit alphanumeric. Guard it, keep it safe, utter its digits only when necessary. In 2018, the Personal Data Protection Commission (PDPC) announced that from September 2019, organisations would generally not be allowed to unnecessarily collect, use, or disclose the number where the law does not require it. (The government was exempt.) Among other warnings in its advisory guidelines, PDPC said: “Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.” The NRIC number is sacred, Singaporeans concluded.
We were wrong. Let’s recount the events that led to yesterday’s extraordinary press conference. Last Thursday, Bertha Henson, a former journalist turned acerbic social media commentator, revealed the ease with which a visitor to the Accounting and Corporate Regulatory Authority (ACRA) website could access Singaporeans’ NRIC numbers.
A security flaw? Don’t be silly. It was all part of the plan. On Saturday, the Ministry of Digital Development and Information (MDDI), which manages PDPC, said that it had always intended to “unmask” NRIC numbers, “after explaining the issue and preparing the ground”. Masking had apparently offered a false sense of security about the numbers. But before the government had had a chance to conduct “a public education effort”, ACRA had acted preemptively by updating its Bizfile system. “As a unique identifier, the NRIC number is assumed to be known, just as our real names are known.” Duh. Why would you think otherwise?
The patronising tone suggested, once again, that we are daft subjects led by rulers light-years ahead. There was an apology for ACRA’s mistake, but not a hint of contrition about the mixed messaging.
PDPC, 2018: NRIC numbers obtained can be used illegally for identity theft and fraud.MDDI, 2024: Your NRIC number, like your name, is assumed to be known by all.
Ironically, for a statement arguing for transparency with one’s name and NRIC number, not a single civil servant or politician put their name to it. “[T]o be attributed to MDDI spokesperson,” it said, in the typically cold, Orwellian, cover-backside language of late-stage PAP. Across social media, many Singaporeans said they felt gaslit.
In digital security parlance, the two relevant concepts are Identification (Who are you?) and Authentication (Are you who you say you are?). The NRIC number should ideally fulfil only the former—think of it as your digital name—but not the latter, which is perhaps best served by biometrics such as fingerprints. Unfortunately, partly because of Singapore’s inconsistent approach to digital security, individuals and organisations may still be using it for both Identification and Authentication, something alluded to on Monday by Ho Ching, former boss of Temasek, in her otherwise chest-thumping apologia for this brouhaha. (Unlike her elected comrades at the PAP, the unelected Ho is, pity our ears, not shy one.)
This incident has unleashed a wave of fear across society. Have hackers now gained access to Singaporeans’ NRIC numbers? Has it become easier to produce fake Singaporean NRICs? Can others access your housing, banking, and telco records with your NRIC number? Are Singaporeans, already prone to scams, now at even greater risk? What are the implications for Singpass, which partly relies on one’s IC number? (Ho’s son, Li Hongyi, was until recently director of Singpass.) Private sector businesses, who’ve invested in IT security to ensure their customers’ NRIC numbers are protected, must be fuming at the apparent double standards.
More at https://url1.io/gPXie
