Acra rolled out its new Bizfile portal on 9 Dec 2024. The database now allowed the public to access full NRIC numbers via a search for free. Under ACRA’s previous system, users could search for people who are office holders or business owners in Singapore. Their names, as well as their masked NRIC numbers, would turn up in the search results. Users could then pay for the complete set of information about an individual, which would include his or her full NRIC number as well as an address. Some people provide a different contact – such as an office address – for the database. The availability of this information, said ACRA, supports corporate transparency and trust in the business environment. The agency acknowledged in a statement, sent shortly after MDDI’s, that the new portal had displayed a person’s full NRIC number in the search results, which meant people no longer had to pay for that information.
Many of us were shocked. Isn’t our NRIC supposed to be confidential? Was this a mistake? Should we have worried less about hackers and more about some negligent IT team in the government? There was an outrage and the fire extinguishers were swiftly deployed – in the form of experts and pathetic academics.
MDDI said in its statement that NRIC numbers are meant to be used to identify individuals and “should be used as such. As a unique identifier, the NRIC number is assumed to be known, just as our real names are known.
Yao mo gao chor ah? I remember before I was wheeled in for operation, I was asked my NRIC number to confirm my identity. I remember reservists taking their IPPT were asked for their IC Nos to make it harder for those who are taking the test on someone else’s behalf. Sure, it’s not foolproof, someone can learn your IC no by heart, but it makes it harder to cheat.
Acra chief executive Chia-Tern Huey Min said staff from her agency had “interpreted the requirements to cease the use of masked NRIC numbers as needing to unmask the numbers in our new Bizfile portal. As the owner of the Bizfile portal, Acra should have been more mindful that many Singaporeans have long treated their NRIC numbers as private and confidential information, and would not want to have their full NRIC numbers searchable on the new portal,” she said.
Yao mo gao chor ah? Why do we treat our NRIC numbers as private and confidential? Is it merely a cultural thing. Hell no. It’s because organisations are required to mask our NRIC numbers when they print it out on receipts and other documents.
Prof Paul Tambyah said:
Many organizations spent a lot of time and money to safeguard the privacy of NRIC numbers. Some (like the Singapore taekwondo federation) were fined for “leaking” NRIC numbers. Singpass even used NRIC numbers as the default user IDs. The sudden U-turn this weekend took many of us by surprise. Hopefully the organizations which spent time and effort in protecting NRIC numbers or were fined for violations will be appropriately compensated.
At a press conference, Minister J Teo, Indranee Rajah and CEO Acra gave explanations and “apologies”.
Yao mo gao chor ah? Is this civil service lingo? What’s the meaning of “cease any planned use of masked NRIC nos in new business processes and services”? We won’t have a unique national registration number associated with our non-unique names anymore? A new identification method is going to be introduced? Frankly, I’m confused. It would take a lot of creativity to come to the conclusion that NRIC nos are to be unmasked. Maybe it’s because I lack the education that these highly paid civil servants have, but they should have been more considerate and used plebeian language at a press conference meant for us. Ironically, even though I won’t survive one day as a civil servant, I might have avoided the mistake if I were the CEO of ACRA. Meanwhile, in the opposition camp, Lim Tean had asked for a COI convened by our non-partisan, independent ong lai president. Dr Chee Soon Juan asked for the exact contents of the misunderstood circulars to be disclosed to rule out any attempts at 李代桃僵
Minister J Teo went on to outline several ways in which NRIC numbers are being misused. First, they are used as proof that people are who they claim to be, and hence grant people access to privileged information.
Yao mo gao chor ah? Does it mean that an earlier claim about NRIC being as “sensitive” as one’s name is wrong? (On Dec 14, a Ministry of Digital Development and Information (MDDI) spokesperson had said that the full NRIC numbers should not be treated as sensitive information, and instead be viewed as full names currently are). The logic (or lack of it) is unbelievable. If NRIC can grant access to privileged information, then all the more they should be kept private and masking it from unauthorised individuals is prudent. Sure, if someone puts in the effort, the number can be deciphered, but does it then mean that it should be revealed?
In 2019 former presidential candidate Mr Tan Kin Lian publicly disclosed his NRIC number online. Shortly after, an unknown individual repeatedly attempted to log into his SingPass account using his NRIC as the login ID, locking him out after six failed attempts. At the time, Mr Tan described the incident as a loophole that could be exploited to harass individuals. “All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked,” he said.
While SingPass requires two-factor authentication (2FA) for access, the use of NRIC numbers as default login IDs ties them into the authentication process, creating vulnerabilities when identifiers are publicly known. Minister Teo’s statement contradicts an earlier statement from MDDI that that puts NRIC numbers at the same privacy level as full names – something which is more common than common sense. Remember the time when we could find out somebody’s phone number and home address simply by consulting a thick, bulky book called the telephone directory? It’s the telemarketer’s gift from God. Did we feel vulnerable then? Probably not back then as you may not be able to tell which of the 30 or 40 Tan Ah Kows is the one you’re looking for in the phone directory.
Unfortunately, Minister J Teo went on to say that secondly, IC nos are seen as information that only the authorities know, which can make us vulnerable to scammers.
Huh? Are we that dumb? Don’t our banks, our insurance companies, our credit card issuer, our schools, our doctors etc know our IC nos as well? We trust these organisations. Revealing our IC nos to them is one thing. Revealing them to the general public is another.
She went on to say that thirdly, masked NRIC numbers have been used as a way to conceal the full numbers, but that creates a “false sense of security” that the full numbers are not known. In reality, the full NRIC number of an individual can easily be guessed with the help of simple algorithms, especially if the person’s birth year is also known. To better protect members of the public, policy involving NRIC numbers needs to change, said Mrs Teo. “We had wanted to give them better protection, and this required a change in our policy involving the use of NRIC numbers, because the current situation leaves us vulnerable.”
Wear or don’t wear also the same. So, don’t wear lor. But what does she mean that “The current situation leaves us vulnerable”? The algorithms? The masked numbers? Well, what will make us really vulnerable would be a complete exposure of our NRIC numbers. Meanwhile, the “pragmatic” people are preoccupied with licking their free ice cream and cuddling their free Labubu. As long as property prices keep going up, some folks will tell us not to rock the boat. Who cares what the “better protection” Minister J Teo is talking about to replace our publicly exposed NRIC as a form of identification?
