Commentary: Crux of NRIC debate isn't future misuse of identification numbers but current poor practices by organisations
The government’s announcement that NRIC numbers shouldn't be viewed as sensitive information has caused a stir – but what’s behind it? The key is to differentiate between identification and authentication, says Professor Hannah Yee-Fen Lim, an expert in technology and law.
SINGAPORE: On Dec 9, the Accounting and Corporate Regulatory Authority (ACRA) launched its new Bizfile portal featuring a search function that displayed people's names and full National Registration Identity Card (NRIC) numbers, causing a public stir due to rising rates of scams related to identity theft.
The Ministry of Digital Development and Information (MDDI) on Dec 14 announced that our NRIC numbers shouldn't be viewed as sensitive information any more than our names are – but instead of assuaging the public, this seems to have generated more anxiety.
Has there been a policy shift? In terms of the Personal Data Protection Act (PDPA) – no, as legislation has not changed. The PDPA has always been business-friendly, giving only baseline protection for personal data and encouraging data analytics – this has not changed either.
But the Personal Data Protection Commission's (PDPC) advisory guidelines do have to change in line with the announcement from MDDI.
So why is this happening now?
IDENTIFICATION VS AUTHENTICATION
At the outset, we must distinguish between identification and authentication, which are related but quite different.
To identify a person is simply to say this person is Mary and not Martha. But if there are two persons named Mary, for us to know which Mary we are referring to, we need the NRIC number to identify the person – to tell us whether it is Mary who is 50 years old, or Mary who is 20 years old. This is the identification purpose of the NRIC.
In my book on Singapore’s PDPA and Europe’s General Data Protection Regulation (GDPR) published in May 2017, I criticised the PDPA legislation for not protecting NRIC numbers and argued why they need to be protected.
One of my main concerns was the identification purposes of NRIC numbers that can be used by private entities to link with other data for nefarious purposes.
Because the NRIC number is a common identifier, a third party can use it to link records and determine that the Mary who went to a hospital yesterday is the same Mary who went to the bank today – because the same NRIC number appears in both sets of records. This is primarily an issue of privacy.
In 2018, Singapore’s PDPC released guidelines stating that the use and disclosure of NRIC numbers is a special concern. The arguments and concerns highlighted in the guidelines were similar to those published earlier in my book. In the same guidelines, the Commission introduced the practice of masking NRIC numbers.
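The linkage problem described above, and the effect of masking on it, as an added illustration that is not code from the commentary or from the PDPC: two constructed record sets from unrelated organisations are joined on name, on the full NRIC number, and on a masked NRIC. Every NRIC value is made up, and the masking rule used (show only the last four characters) is an assumption for the illustration, not a statement of the PDPC's guideline.

```python
"""Linking records across organisations on a shared identifier.

Added illustration for the commentary above, not code from the article or
from the PDPC. All NRIC values are constructed and belong to no one.
"""
from collections import defaultdict

# Constructed records: a hospital and a bank each hold a name and an NRIC.
# Two different people are called Mary; only the NRIC tells them apart.
HOSPITAL_VISITS = [
    {"nric": "S1234567A", "name": "Mary", "age": 50, "dept": "Oncology"},
    {"nric": "S7654321B", "name": "Mary", "age": 20, "dept": "Dermatology"},
    {"nric": "S8888567A", "name": "Martha", "age": 41, "dept": "Cardiology"},
]
BANK_VISITS = [
    {"nric": "S1234567A", "name": "Mary", "branch": "Orchard"},
    {"nric": "S2222222D", "name": "Martha", "branch": "Jurong"},
]


def link_records(left, right, key):
    """Join two record sets on `key`, returning every (left, right) pair whose
    values match. This is all a third party needs to learn that the Mary seen
    by the hospital is the Mary seen by the bank."""
    index = defaultdict(list)
    for rec in right:
        index[rec[key]].append(rec)
    return [(l, r) for l in left for r in index.get(l[key], [])]


def count_links(left, right, key):
    """Number of matched pairs produced by joining on `key`."""
    return len(link_records(left, right, key))


def mask_nric(nric, visible=4):
    """Assumed masking rule for this illustration: hide everything except the
    last `visible` characters, e.g. S1234567A -> *****567A."""
    return "*" * (len(nric) - visible) + nric[-visible:]


def with_masked(records):
    """Copy of the records with a masked NRIC column added."""
    return [dict(rec, masked=mask_nric(rec["nric"])) for rec in records]


if __name__ == "__main__":
    print("links on name  :", count_links(HOSPITAL_VISITS, BANK_VISITS, "name"))
    print("links on nric  :", count_links(HOSPITAL_VISITS, BANK_VISITS, "nric"))
    print("links on masked:", count_links(with_masked(HOSPITAL_VISITS),
                                          with_masked(BANK_VISITS), "masked"))
```

Joining on name yields three pairs, two of them for the bank's single Mary, so the name alone cannot say which Mary was at the hospital; joining on the full NRIC yields exactly the one correct pair. Joining on the masked NRIC yields two pairs, one of which is wrong, because Martha's masked number collides with Mary's. That loss of uniqueness is what masking buys: a masked number no longer works as a reliable join key between datasets.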
Authentication is quite different. Authentication is about proving to others that you are who you are and you are entitled to perform an action or access a service – for example, a banking transaction.
When you log into an online banking service, the bank needs to be assured that it is really you doing the transaction and not a fraudster. This is different from identification as it’s not about distinguishing one Mary from another Mary or Martha – it’s about making sure that you are the Mary who owns the money in this bank account.
There are a few methods for authentication. In the olden days, well before electronic banking, a thumbprint was commonly used by banks to authenticate a person, with no two Marys having the same thumbprint.
There’s also Public Key Infrastructure (PKI), which uses public key cryptography – a secure but complex methodology from computer science and mathematics that combines several different forms of encryption.
In 2003, I was invited to Singapore from Australia to give a keynote on the legal issues associated with this technology, as well as the technology itself, in relation to e-commerce practices. Although the technology was available then, it was expensive and slow to function, and most lawyers and regulators throughout the world were not familiar with it.
Instead of PKI, possibly for simplicity’s sake, the Singapore government chose to employ what we now know as Two-Factor Authentication (2FA), starting with internet banking in 2006.
WILL THERE STILL BE A NEED TO MASK NRIC NUMBERS?
According to MDDI’s statement, the problem was not ACRA’s new Bizfile portal displaying full names and NRIC numbers – it was that the portal had been launched prematurely, ahead of authorities’ plans to “prepare the ground”.
From this, I believe that the Singapore government has plans to move fully to the more secure PKI system of authentication in 2025, possibly even using the NRIC number as the public key, hence its relaxed stance on the disclosure of NRIC numbers. However, PKI technology is so complex that most lawyers around the world today still do not understand it properly. It will require significant ground preparation and community engagement and education before any large-scale implementation.
Singapore won’t be the first. Australia has been using PKI for authentication since 2003, starting from the land titles system in the state of Victoria and moving to the national healthcare system, and finally for a national digital identity system. Of course, there were some hiccups along the way – but on the whole, it has been relatively successful and well-received.
If the Singapore government adopts the PKI system for authentication, there will no longer be a need to continue masking NRIC numbers.
The truth is, while such loosening of the reins may make many uncomfortable right now, this makes sense for the digital future.
So many parties are already allowed to collect NRIC numbers. For example, real estate agents are required to check NRICs and residency passes to ensure potential tenants are not illegal immigrants, so they usually collect NRIC numbers, often with photos of physical NRICs, along with other details such as your mobile number. (If the agent is renting out the property, they would obviously know the home address.)
Telecommunications companies also have this information.
In short, NRIC numbers are too readily available and accessible.
Regarding privacy, there are now many other de facto common identifiers. Since the COVID-19 pandemic, many of us have become used to freely giving our names, home address and phone number to online retailers and delivery services, along with credit card details – these too have become common identifiers via which our privacy can be compromised.
What about identity theft?
This was one of the main concerns I raised in the first chapter of my 2017 book. But now, I would say that the train has left the station because too many parties already hold NRIC numbers.
THE ROOT CAUSE
The announcement by MDDI may come as a shock to many but it’s nothing new.
The problem for individuals now is that many organisations have been using the NRIC not just for identification purposes, but as part of authentication processes.
This should never have happened in the first place. It is really organisations' sloppy attitudes to authenticating their clients and/or customers that are the root cause of the current problem.
To put it simply, thumbprints would be perverse tools to use to identify a person; that is why they are primarily used for authentication. A photo of a person’s face, on the other hand, would be useful to identify a person but useless for authentication.
Similarly, with NRIC numbers so easily available, their proper use would be to identify, not to authenticate.
Once NRICs are not used for authentication, their use for identity theft and other crimes will be much reduced.
Do I still believe in what I wrote in 2017 that NRIC numbers should be protected? Yes – but only as long as NRICs are still being used to not just identify but to authenticate a person.
Professor Hannah Yee-Fen Lim is an associate professor in business law at Nanyang Technological University, holding double qualifications in computer science and law with Honours. She is the author of six research books, including the first research monograph on the PDPA and GDPR, and hundreds of research papers. She has been appointed legal expert to advise many international organisations, including the World Health Organization and United Nations commissions and other institutes, in areas of technology and law.