Published on:
17 Dec 2024
4
min read
https://www.singaporelawwatch.sg/Headlines/nric-numbers-may-not-be-secure-enough-for-authentication-purposes-but-how-will-companies-adapt
On personal identification numbers, privacy, and false pretenses: part 1.
I shared some views with Jun Yuan Yong of The Business Times¹ on the recent kerfuffle relating to:
(a) NRIC numbers now being considered public information;²
(b) NRIC numbers being (temporarily) retrievable via the search function on ACRA's Bizfile portal;³ and
(c) some circumstances in which individuals or organisations may have a legitimate reason to retrieve an individual's NRIC number.
I make 3 further observations for those of us interested in privacy and security issues.⁴
1️⃣ Should NRIC numbers be considered public information?
There's been a fair bit of debate on whether NRIC numbers should be considered public information. But this may miss the point. After all, while we can argue until the cows come home on whether NRIC numbers 𝘴𝘩𝘰𝘶𝘭𝘥 be considered public information, the discourse doesn't change whether our NRIC numbers are already sufficiently out there in the wild such that they 𝘢𝘳𝘦 public information (and whether we like it or not).
2️⃣ Assuming that NRIC numbers are public information, does it mean that we should freely grant access to NRIC numbers to all and sundry?
Many folks were unhappy that our NRIC numbers were retrievable from ACRA's Bizfile portal - by anyone, via any (mobile) web browser, and for free.
The Ministry of Digital Development and Information's position is that:
"As a unique identifier, the NRIC number is assumed to be known, just as our real names are known. There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others."⁵
However, can I suggest a thought experiment?
Suppose the majority of households in Singapore use a particular brand of door locks. It subsequently becomes widely known that this lock can be easily jimmied open by using a particular brand of paperclips that are widely available. There is no point in trying to ban these particular paperclips, since there are already too many of them in circulation. So the authorities announce that this particular brand of door locks should no longer be used, and everyone should replace their locks. Well and good.
But right before the authorities made this announcement, they had quietly began selling these particular paperclips at Government-run stores.
And when asked why they had begun selling these paperclips, the authorities' response was that "well, everyone already has access to these paperclips, so there should not be any sensitivity in us selling these paperclips."
While it is not ideal that such paperclips are already widely available, I wonder whether it would be optimal for the authorities to make such paperclips even more easily available.
But hey, what do I know about paperclips?
--
In part 2, I'll share a final observation for what all this means for organisations moving forward.
Disclaimer:
The content of this article is intended for informational and educational purposes only and does not constitute legal advice.
¹ (🔒) https://www.businesstimes.com.sg/singapore/nric-numbers-may-not-be-secure-enough-authentication-purposes-how-will-companies-adapt;
https://www.singaporelawwatch.sg/Headlines/nric-numbers-may-not-be-secure-enough-for-authentication-purposes-but-how-will-companies-adapt (no paywall, but not permanently available).
² https://www.mddi.gov.sg/mddi-s-reply-to-media-queries-on-disclosure-of-nric-number-on-bizfile-system/.
³ https://www.businesstimes.com.sg/singapore/nric-should-not-be-treated-sensitive-unique-identifiers-mddi.
⁴ Which should be most, if not all, of us.
⁵ https://www.mddi.gov.sg/mddi-s-reply-to-media-queries-on-disclosure-of-nric-number-on-bizfile-system/.
