Home Front

Time to end overuse of the NRIC

You need to hand it over to enter buildings. Even booking cinema tickets online requires you to key in your NRIC details. This must change, to safeguard the privacy of each person's NRIC and its data.

Ms Jamie Tan, 42, has two different identities: one for official purposes and the other for gym and reward card memberships. The identities are complete with their separate Facebook, LinkedIn and e-mail accounts. They also have their own legitimate mobile phone numbers.

With this set-up, she could ignore unsolicited calls and messages addressed to her alter ego "Jamie", a personal assistant at an advertising agency.

Ms Tan, a Singaporean, is actually working in a financial institution under her dialect name, which she declined to reveal.

She created the different identities in 2001 as she was appalled at how frivolously the NRIC (National Registration Identity Card, or IC for short) was used in Singapore. That year, she had just returned home from the US, where she had studied and worked for 10 years.

"What I found and still find appalling is that practically every service provider - from massage and foot reflexology provider to malls offering loyalty rewards - is asking for NRIC data," Ms Tan said.

Awareness of identity theft and fraud is higher in the United States, where use of the equivalent social security card is more restricted, she said.

She has since given up arguing with retailers and building owners here. She only uses her real name for government transactions and at work.

TIGHTER RULES FOR NRIC USE

Ms Tan's concerns and those of privacy advocates here have finally been heard by the Personal Data Protection Commission (PDPC), which recently decided to get tough on NRIC use.


Last Tuesday, it launched a public consultation outlining proposed new rules for stricter protection of NRIC data, following initial feedback from the public.

The privacy watchdog wants NRIC details to be collected only when the law requires it, or when it is vital to verify someone's identity "to a high degree of fidelity".

For instance, the law requires NRIC details when people seek medical treatment in hospitals and clinics, enrol their children in childcare centres, check into a hotel and subscribe to a mobile phone line.

There are also cases where service providers need to ascertain one's identity to prevent fraud or harm. These include property transactions, emergencies where medical workers need to determine the blood type or allergies of a patient, and entry into secured buildings.

Other than these official uses, consumers must have the right to refuse to hand over their NRIC details or the card. The privacy watchdog wants the onus to be on service providers to use other methods to identify them.

The new rules are expected to kick in around mid-2018, after which organisations have up to 12 months to comply or risk fines of up to $1 million as already spelt out under Singapore's Personal Data Protection Act (PDPA).

IMPETUS FOR CHANGE

The change is overdue. Service providers have had free rein for too long to request NRIC data - in the name of fraud prevention and payment dispute management.

As privacy advocate and engineer Ngiam Shih Tung, 50, said: "They are guilty of a classic fallacy. How does collecting NRIC numbers prevent fraud?"

Moreover, fraud prevention is already built into the credit card payment system - and many online shopping sites know not to ask for NRIC details. Even airlines do not collect NRIC or passport details when people buy air tickets online. Why should cinema operators Shaw Theatres and Golden Village be allowed to collect online customers' NRIC numbers? If NRICs are needed to verify the ages of patrons for movies with an age limit, checking patrons' NRICs manually at cinema entrances would suffice.

Consumers' lack of a say over the years has permitted service providers and building owners to opt for the easy way out and ask for NRIC data. Even after the PDPA went fully into force in July 2014, their disregard for consumers' privacy persisted. Tellingly, many malls and retailers have become bolder and installed automated systems that make data collection a breeze - all the data residing in the NRIC is captured with one scan of the barcode on the card.

Consumers must be given the right to say no to sharing such information. The risks of identity fraud are theirs to bear as any damage from fraud related to one's NRIC cannot be reversed so easily.

The NRIC number is a permanent and irreplaceable identifier, which can be used to unlock vast amounts of personal information, including income details, residential address, medical status and property and vehicle ownership.

"It's far harder and almost impossible to change these identifiers," said Mr Lennie Tan, regional vice-president and general manager of cyber security firm One Identity.

The value that hackers place on NRIC data speaks volumes. Compared with credit card numbers, which can be easily deactivated and changed, NRIC numbers cost a few times more on the black market, according to industry estimates.

Over the last eight years, more than 7.1 billion identities worldwide have been exposed in data breaches, according to cyber security software firm Symantec. Over-collection of data increases the risk of leaks.

EXTEND RULE TO PUBLIC SECTOR

Some privacy advocates also argue that the same rules should be followed by the public sector, with government-owned entities setting a good example.

The public sector, which follows a different set of unpublished rules, is not bound by the PDPA. But having a double standard will cause confusion. The public would not know when to exercise their rights, especially when entering commercial buildings.

For instance, JTC Corporation's The Metropolis at one-north, The Treasury and MND Building retain people's NRICs for visitor badges. The security guards managing access to these buildings work for third parties. Should the public kick up a fuss when these security guards insist on keeping their ICs, which the newly proposed privacy rules forbid?

The National Gallery Singapore also retains visitors' NRICs when they take a guided tour with borrowed audio headsets. Should it continue to do so?

Mr Ngiam argued: "There are legitimate reasons for inspecting a person's identity card to verify his particulars when he enters a building. But there are no legitimate reasons for retaining it."

What's more, the cost of replacing rented equipment and visitor badges is disproportionately lower than the cost of replacing one's NRIC.

DIGITAL IDENTITY

Since stricter rules for NRIC use were mooted last week, there have been talks about using one's mobile phone number as an alternative way to identify consumers for parking redemption and rewards programmes.

But care must be taken when using one's mobile number too. It should be noted that one's mobile phone number is increasingly being used to receive one-time passwords to secure online transactions.

To fulfil its ambition to become a Smart Nation, Singapore has also announced plans to build a national digital identity, which could be in the form of a software-based security token, for every resident.

The mobile number is also the key identifier for receiving and making peer-to-peer fund transfers under a banking scheme called PayNow - which lets users transfer money by entering the recipient's mobile phone or identity card number in any bank's app.

Lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: "The mobile number is increasingly becoming a part of one's digital identity."

Consumers could get into trouble with the law when they do not report suspicious payments made to their mobile numbers. "Being in knowing receipt of stolen property is an offence," said Mr Leong.

Any damage from fraud related to one's mobile phone number cannot be reversed so easily. "It would be a hassle to update all the accounts that use the mobile number for receiving one-time passwords and fund transfers," said Mr David Siah, country manager for security software firm Trend Micro in Singapore and Indonesia.

The consultation is expected to generate a lively debate on the risks of casually using one's NRIC and mobile number. The local authorities need to consider scenarios in the digital space, amid a nationwide push to go digital, and come up with protection measures now.

A version of this article appeared in the print edition of The Straits Times on November 16, 2017, with the headline 'Time to end overuse of the NRIC'.