REACH (Telegram) 48 - What are your thoughts on the ACRA incident and the move towards changing how NRIC numbers are used?

(SK)

20 Dec 2024 (10am - 7pm)

REACH (Telegram)

REACH Singapore, [20/12/2024 7:45 AM]

Dear contributors,

Welcome back! 😊

⏰ We will be opening the chat from 8am to 7pm today. ⏰

House Rules (short version of our Terms of Use) to keep in mind:

1. Be kind and respectful. We all want to be in a safe space to share our views. 

2. Any and all threatening, abusive, vulgar or racially, religiously and ethnically objectionable content is prohibited. 

3. Consider the quiet ones among us and give them a chance to comment. 

4. No need to repeat your comment or in differnet forms (including caps) - we heard you loud and clear the first time. 

5. Let's protect each other's privacy and keep contact details in this group what it should always be - confidential. 

Full set of Terms of Use: https://www.reach.gov.sg/Participate/reach-telegram-group/REACH-Telegram-Group-Chat-Terms-of-Use/

We will strive to uphold these rules to ensure this is a safe space for all. 

Please be assured that the points made by participants during the chat are aggregated and shared with relevant agencies. 

The topic will be posted shortly. 

Thank you. 

Megan 😊

REACH Singapore, [20/12/2024 8:01 AM]

📢 Topic 📢

In a press conference on 19 Dec, Minister for Digital Development and Information Josephine Teo, Second Minister for Finance Indranee Rajah and ACRA chief executive Chia-Tern Huey Min apologised for the anxiety caused regarding the unmasking of NRIC numbers on ACRA's Bizfile portal.

They also assured Singaporeans that the Government was taking the public’s concerns on the matter seriously, clarified how the lapse had occurred and explained the Government's direction regarding the treatment of NRIC numbers in the future.   

💬 What are your thoughts on the ACRA incident and the move towards changing how NRIC numbers are used?

📌 How the Bizfile Incident Occurred and Moving Forward

ACRA chief executive Chia-Tern said the authority had misunderstood an MDDI circular issued earlier to government agencies to cease any planned use of masked NRIC numbers in new business processes and services.

It had taken this to mean that it should unmask NRIC numbers in its new portal, for example, rendering *****456A as S0123456A.

“This was a mistake on ACRA’s part and I apologise for this. Our oversight has caused anxiety and confusion to the public,” she said.

The search function in question was disabled on Dec 13 night, and a new version will be launched next week with search results that do not show any NRIC numbers.

Users who want to view NRIC numbers and other information of people in ACRA's Bizfile directory will have to pay S$33 (US$24) for each profile.

📌 Disclosure of NRIC

The Government had intended for this move away from the use of masked NRIC numbers to first be a within-government effort, such as in cross-agency functions, said Mrs Teo.

This would improve efficiency and also address a false sense of security regarding the numbers within the Government itself.

The ministry knew that changing mindsets would have to be done over a period of time, and a major effort would be needed to help Singaporeans understand the risks, due to longstanding practices, said Mrs Teo.

Within the government, some steps to do this had already been taken. Agencies were instructed to stop using NRIC numbers as a password or to prove someone is who he claims to be.

The ministry had also made plans for a public education campaign covering three broad areas. These include the risks currently faced with NRIC numbers being used improperly, as well as how Singaporeans can better protect themselves and organisations can change their incorrect practices.

Organisations and individuals that have been careful and responsible in how they collect and use NRIC numbers should continue with their current practices.

Those who are using NRIC numbers – full or partial – as a password or authenticator, should stop as soon as possible.

“We are not making drastic overnight changes. We do, however, need to move decisively to phase out the incorrect uses of the NRIC number, the sooner, the better,” said Mrs Teo.

👉🏼 [ST] Govt apologises for Acra lapse, will accelerate efforts to educate public on proper NRIC use: https://str.sg/kvrR

👉🏼 [ST] Misunderstanding of internal govt circular led to unmasking of NRIC numbers on Bizfile: Acra: https://str.sg/bjRG

👉🏼 [CNA] https://www.channelnewsasia.com/singapore/nric-unmasking-acra-josephine-teo-apologises-confusion-anxiety-4816066

👉🏼 [CNA] https://www.channelnewsasia.com/singapore/acra-bizfile-search-nric-numbers-masking-restore-4816006

----

REACH Singapore, [20/12/2024 8:10 AM]

[ Poll : 1) The response to the incident is adequate and timely. Please elaborate on your views in the chat. ]

- Agree

- Neutral

- Disagree

REACH Singapore, [20/12/2024 8:10 AM]

[ Poll : 2) I understand why masked NRICs are slowly being phased out. ]

- Yes

- Unsure 

- No

REACH Singapore, [20/12/2024 10:01 AM]

Dear Contributors,

We want to HEAR from you!

💬 What are your thoughts on the ACRA incident and the move towards changing how NRIC numbers are used?

We have had good feedback from this group, and we hope that we can keep the discussion robust and active! 

Do also share your opinion by participating in our polls! The poll questions are pinned for easy reference, and your vote is anonymous.

Thank you!

Megan 😊

Jun Ming, [20/12/2024 10:50 AM]

NRIC is tagged along with other information such as where you stay etc. It should not be revealed easily as it cause privacy issues. 

I agree that it should not be use as authenticator but it should not be no restrictions on getting the ic number due to information tagged along and potential misuse. For eg. In army for sensitive information they ask us to shout NRIC rank and name which I feel that it should not be the case.

Jun Ming, [20/12/2024 10:51 AM]

Some people NRIC very easy remember. Like my nric a lot of same numbers

Jun Ming, [20/12/2024 10:54 AM]

On the other hand I also don't really care to use nric as password for some not so important account such as my school portal as it's only my horrible grades and assignments

Steven Ong, [20/12/2024 11:38 AM]

IMO, there should a choice for the individual to decide for himself/herself to disclose personal info to the public, similar to how social media allow users to decide, even when NRIC is declared as 'non-sensitive' by Gov.

REACH Singapore, [20/12/2024 12:01 PM]

📢 Topic 📢

Moses Kor kwang loong, [20/12/2024 1:23 PM]

Maybe can explain further

REACH Singapore, [20/12/2024 2:01 PM]

📢 Topic 📢

REACH Singapore, [20/12/2024 2:01 PM]

Dear Contributors,

We want to HEAR MORE from you!

💬 What are your thoughts on the ACRA incident and the move towards changing how NRIC numbers are used?

We have had good feedback from this group, and we hope that we can keep the discussion robust and active! 

Do also share your opinion by participating in our polls! The poll questions are pinned for easy reference, and your vote is anonymous.

Thank you!

Megan 😊

G, [20/12/2024 2:11 PM]

Sounds very amateurish with this "misunderstanding" of a circular 

Looks like this "misunderstanding" has exposed Singaporeans more to the threat of having their personal data being used by scammers.

G, [20/12/2024 2:12 PM]

Why did it take so long before the ministers did this press conference?

G, [20/12/2024 2:15 PM]

Now that this 4G PAP govt has exposed Singaporeans to the risk of personal data being extracted (possibly for scams) what's their solution to eliminate future risks? 

What's their solution for Singaporeans who's personal data have been retrieved?

Do they know which Singaporeans' personal data were extracted?

They need to update Singaporeans on the extent of personal data extractions during the vulnerable window

Joomua Tng, [20/12/2024 2:16 PM]

it is a mistake to say misunderstanding.

just need to say it is a mistake on the part where the agnecy should wait for public education on the issue then implement the policy..........

G, [20/12/2024 2:16 PM]

This feels like govt leaders throwing their staff under the bus when mistakes were made, to appease Singaporeans

G, [20/12/2024 2:18 PM]

It does not feel good to know that actions from this 4G PAP have resulted in our personal data protection being breached by the very govt that put up this protection in the first place

G, [20/12/2024 2:22 PM]

The more this govt tries to explain away their mistake, and try to "educate" Singaporeans on their NRIC, the more it sounds like "rules for thee, but not for me"

Joomua Tng, [20/12/2024 2:24 PM]

The government should do the public education first the explaining the reason and rationale of why NRIC no longer considered as sensitive information.

1.) should discuss with corporations and companies...when NRIC is no longer sensitive information, how or what the corporation and companies should do in order to verify the authenticity of any person. especially through online or telephone..

2.) what other methods to authenticate a person?

the assumption of using NRIC as authentication has be around for decades...which is why without first educating and explaining to the public the reason and rationale...you will get a backlash from the public.

Human is animal of habits and emotions. Not all can override their emotions and habits and consider deepy into the issue.

Jun Ming, [20/12/2024 2:32 PM]

I want to ask is there any form of authentication in acra before the green light is given to proceed the searches of nric

Jun Ming, [20/12/2024 2:34 PM]

Is there any mechanisms in the gov to prevent such mistakes happening

Jun Ming, [20/12/2024 2:39 PM]

Cause I think it is common sense not to publish people's private information through searches. And I understand that this happens on a Saturday so things may have finalised on the Friday

LCL (Danny 心), [20/12/2024 3:16 PM]

*Analysing the response of the unmasking of NRIC number*

1. Looking at the reactions of the participants about the revealing of NRIC number saga, I feel that the overwhelming negative responses are fuel by :-

a. Psychological fears - as old habit die hard (being subject to many years of belief that NRIC number are used for identification and authentication (as adopted by some enterprises - be it public and private).

b. Social perspective with the proliferation of social media platform that can post people's privacy information, pictures and videos onto the social media

c. Desire for privacy

d. Proliferation of scams - that can lead unsuspecting victims to fall for scam - as scammers are mastery in social engineering to fool victims.

2. This is despite the fact that many IT professionals know that NRIC numbers are not safe or foolproof - to be used as authentication mechanism - as NRIC numbers are known to some strangers and can be "reverse engineered" to reveal its algorithm and derive the NRIC numbers with some known parameters.

3. It didn't help when trusted enterprises such as polyclinics, hospitals, banks, financial companies etc uses NRIC number to verify a person's identity.

4. Hence, to uproot the people's habit or psychological fear to keep their NRIC number private - will require a lengthy and convincing approaches to alleviate people's belief that revealing their NRIC number will not compromise their well-being and put them at scammer risk through social engineeing (as uniquely identified a particular person can also pull out the personal information such as names, date of birth, address, telephone number, sex, the schools they attended, university they attended, workplace etc).

5. So I guess, alot of work need to be done - because privacy are valued by many people.

6. I have no doubt that NRIC number should not be used as authentication to complete financial transaction and other transactions --- because NRIC number is not safe.

7. But revealing NRIC number will need more effort - to address the psychological fear, social perspective and most important, not allowing NRIC number to pull out a person's other privacy information such as name, address, telephone number etc - that can be misused by hostile actors to harass the victims.

For example, we have been receiving scammers call, scammers message, even cold call from salesman eg. insurance agents, property agents, and other salesman --- even wonder how they get our telephone number and other private information.

G, [20/12/2024 3:18 PM]

It's one thing for individuals to safe guard their identity and personal information. 

It's another for govt entities to treat individuals' personal information so casually and flippantly

Khairil Baharudin, [20/12/2024 3:20 PM]

I was just reading this article - https://www.straitstimes.com/singapore/misunderstanding-of-internal-govt-circular-led-to-unmasking-of-nric-numbers-on-bizfile-acra

Khairil Baharudin, [20/12/2024 3:20 PM]

Acra chief executive Chia-Tern Huey Min said staff from her agency had “interpreted the requirements to cease the use of masked NRIC numbers as needing to unmask the numbers in our new Bizfile portal”.

Khairil Baharudin, [20/12/2024 3:21 PM]

This whole NRIC unmasking issue really highlights how a single misstep in communication can spiral into public distrust.

Khairil Baharudin, [20/12/2024 3:21 PM]

The government’s original intent to shift away from using NRIC numbers for authentication was a good move, after all, data privacy and security are big concerns these days.

Khairil Baharudin, [20/12/2024 3:22 PM]

But ACRA’s misunderstanding of that directive, resulting in full NRIC numbers being publicly accessible, feels like a serious oversight that could have been avoided with clearer instructions and better internal processes.

G, [20/12/2024 3:22 PM]

People put in effort to protect themselves and their personal information, especially after they heeded PDPA/PDPC guidelines. 

After this episode, 4G PAP is effectively telling us:

Protect for what, what you have is not worth protecting. In fact, I have put up your personal information for just $33! That whole NRIC episode was just an early  Christmas giveaway. After this, need to pay $33 again

Khairil Baharudin, [20/12/2024 3:23 PM]

For me, this reflects a broader issue: when it comes to handling sensitive data, trust is everything. We expect our systems and agencies to safeguard such information, and any lapse—intentional or not—damages that trust.

Khairil Baharudin, [20/12/2024 3:24 PM]

The apology and immediate action by ACRA to fix the error are necessary, but it also raises questions about how much effort goes into ensuring such directives are well understood before they’re implemented.

Khairil Baharudin, [20/12/2024 3:25 PM]

This is a lesson in the importance of clarity. Moving forward, I hope they’ll prioritize proper coordination to avoid similar incidents.

Khairil Baharudin, [20/12/2024 3:25 PM]

It’s not just about fixing the mistake - it’s about rebuilding confidence in how our personal data is managed from now on.

G, [20/12/2024 3:26 PM]

I think it is clear as day that NRIC is to be used as an identifier rather than authenticator. 

It is right, you ask me to identify myself, I say I am xxx, you ask for me last 4 digits of my NRIC to match my name to those last 4 digits, I am identified as the person I claim myself to be.

To authenticate, you ask me to key in my 7 digit pin or ask me my mother's name, dog's name etc. Data that I have input in your system to help you authenticate my identity.

Correct, its clear as day.

What does the above have anything to do with the government letting people have access to my full and NRIC number, just because the NRIC is not the authenticator but only the identifier?  

Nothing.

I don't even tell you my name if I don't need to; because it is my right and prerogative to decide whom I want to share my name with, and its my name, I decide right?

G, [20/12/2024 3:34 PM]

PDPC's current guidelines on NRIC:

"The Singapore National Registration Identification Card (“NRIC”) number is a unique identifier assigned by the Singapore Government to Singapore citizens and permanent residents of registrable age under the National Registration Act. It is often used for transactions with the Government as well as in commercial transactions. The NRIC number of an individual is considered personal data as the individual can be identified from the unique sequence of numbers and letters. "

"As the NRIC number is a permanent and irreplaceable identifier which can potentially be used to unlock large amounts of information relating to the individual, the collection, use and disclosure of an individual’s NRIC number is of special concern. Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud. The retention of an individual’s physical NRIC is also of concern. The physical NRIC not only contains the individual’s NRIC number, but also other personal data, such as the individual’s full name, photograph, thumbprint and residential address."

LCL (Danny 心), [20/12/2024 3:49 PM]

My close friend comments:-

The scariest thing about revealing nric is that half of my Singpass authentication is lost.

More and more establishments are using Singpass for authentication. Once Singpass password is breached, we are all very vulnerable.

But then again, when we avoid using nric number for personal identification, establishments switch to handphone numbers for identification.  Think about it, it is equally scary. 

Another eg. Gov stopoed establishments from sending links on sms. A move to protect its people from inadvertently falling prey to malicious links. Then? I receive them on whatsapp to click on links for ....

道高一尺，魔高一丈。

We have to run faster than the devil. 

Lets help to give ideas on what to use for personal identification. We have to help protect ourselves..

LCL (Danny 心), [20/12/2024 3:51 PM]

I have checked:-

Singpass login come in 2 forms:-

1. Singpass QR code - digital token.

2. Singpass login that uses NRIC number and retrieval of password using NRIC number if forget password.

G, [20/12/2024 3:51 PM]

Does this risk get eliminated by whatever education campaign this 4G PAP wants to do to educate Singaporeans on their NRICs, and the definitions of "identification / verification / authorisation"?

What is being done about the govt's own "indiscriminate or negligent" handling of NRIC numbers?

G, [20/12/2024 3:55 PM]

Link to the current guidelines 👇

https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf

REACH Singapore, [20/12/2024 4:00 PM]

📢 Topic 📢

G, [20/12/2024 4:07 PM]

Why is it "psychological fear"?

How does revealing NRIC NOT compromise people's well being and put them at scammer risk through social engineering?

LCL (Danny 心), [20/12/2024 4:12 PM]

Hence the 1st thing that the government need to phase out is Singpass password login using NRIC number.

As well as phasing out using NRIC number to reset or retrieve Singpass password.

G, [20/12/2024 4:28 PM]

Privacy and personal security

LCL (Danny 心), [20/12/2024 4:28 PM]

As long as more public enterprises and private enterprises root out using NRIC number for identifier and authenticator, then the timing is right to unmask the NRIC number.

Because NRIC number no longer preoccupied and implant into people's memory that NRIC number is the defacto important information to safeguard.

Psychologically, it will fade from people's cognitive process of associating NRIC number to our identifier and authenticator.

Only then, habitual attachment to the need to safeguard nric number can be slowly uprooted - and people can slowly accept NRIC number as our individual name.

It is a lengthy process because mental, cognitive habit - is a strong psychological attachment that take deliberate process to uproot.

G, [20/12/2024 4:30 PM]

AND delink NRIC from everything we know it today because:

"As the NRIC number is a permanent and irreplaceable identifier which can potentially be used to unlock large amounts of information relating to the individual, the collection, use and disclosure of an individual’s NRIC number is of special concern. Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud. "

G, [20/12/2024 4:32 PM]

NRIC is linked to our:

1. CPF

2. TAX

3. Property

4. Bank

5. Paynow

6. Singpass

7. SAF obligations (for men)

etc

etc

etc

LCL (Danny 心), [20/12/2024 4:37 PM]

1. Hence biometric data become the best identifier and authenticator of a person's identity and authentication.

2. But looking at the horizon of the rapid development of quantum computing with some States able to build quantum computers to compute millions of quantum bits (notably US and China) - the chances of quantum computing cracking all current cryptography and cybersecurity are getting higher.

3. Hence using biometric data is able to make NRIC number redundant but consideration to the cybersecurity in protecting the integrity of biometric data become especially critical.

4. Hence even though I understand employing biometric can immediately make NRIC number saga redundant - but my hesitation is what quantum computing and AI deepfake can do to biometric authentication.

5. Certainly need the massive government resources as well as worldwide IT expertise to look deep into biometric adoption, the risk pose by AI deepfake and deep learning as well as the worrisome computing power of quantum computing that can crack all current cybersecurity measures.

LCL (Danny 心), [20/12/2024 4:46 PM]

1. Of course deploying biometric liveliness, contextual information, geolocation data, personal health biodata (pulses, heart rate, eye movement etc) as discuss with your Ministry digital staff - can overcome AI deepfake, quantum computing overwhelming computing power.

2. But need the government R&D AI and IT and quantum physics expertise to do deep study and development to ensure they are foolproof.

3. Also need developed countries expertise like US, China, EU and other smart nations collaboration to ensure future advanced biometric technologies can overcome cyberscammer and cyber hackers.

4. Understand the 4G government is running deep into the advanced technologies.

5. But just need to wait for the right time to unleash the information to pacify the public.

6. If successfully developed, then noticed that NRIC number as identifier and authenticator is just a kindergarten stuff.

7. Psychologically, NRIC number will no longer hold a place in people's memory if biometric technologies deployment take hold.

8. I know our government can do it - but need a little stretch - because notice that all government R&D agencies, Universities and technology agencies are firing at all cylinders.

Just awaiting for the outcomes not in the far future.

LCL (Danny 心), [20/12/2024 4:59 PM]

Also noticed the ICA immigration checkpoint biometric scan - is a very positive experience.

QR code scan to ascertain a person identity - less than 1 minute identification - clear 1st egate.

Then facial and iris biometric scan for authentication - less than 1 minute - clear 2nd egate.

No passport, no NRIC number.

Only handphone with myica mobile apps and just our beautiful face and eyes - clear the checkpoint in a breeze.

So advance biometric technologies is already there.

Only how to roll out to all public and commercial online transactions (keeping in mind biometric solutions need to move from a close private network into the open internet network - whereby all crocodile cyber scammers and hackers are out there).

And tackling the risk from AI deepfake, deep learning and quantum computing - that can crack the binary encryption protecting the biometric data with quantum bits computing.

This is my only fear.

But biometric technologies - everything is ready to go - 只欠东风。

LCL (Danny 心), [20/12/2024 5:59 PM]

My close friend comments:-

Our nric has been exposed for a long time. Remember those days before PDPA? We gave away our NRIC without second thoughts. 

An immediate consideration is to consider issuing an asynchronous code to pair with our NRIC.

Eg masking out NRIC first 4 digits actually doesn't help if we have been giving away for full NRIC # for the past decades ☺️. Instead now we pair our NRIC with another code.  And we guard this code tightly. 

An analogy would be - our credit card number has a pairing CVC and merchants also request for card expiry to validate validity of the card. 

This is not absolutely strong but we can't just throw the baby out with the bath water.

REACH Singapore, [20/12/2024 6:00 PM]

📢 Topic 📢

LCL (Danny 心), [20/12/2024 6:11 PM]

My comments:-

I think this is a good interim measure.

LCL (Danny 心), [20/12/2024 6:22 PM]

"Powell says Fed cannot hold bitcoin, not seeking to change that".

https://www.channelnewsasia.com/business/powell-says-fed-cannot-hold-bitcoin-not-seeking-change-4815206#:~:text=Powell%20says%20Fed%20cannot%20hold%20bitcoin%2C%20not%20seeking%20to%20change%20that

The Federal Reserve (Fed) has not officially recognized Bitcoin as a strategic financial asset for several reasons:

1. *Lack of intrinsic value*: The Fed views Bitcoin as a speculative asset, lacking intrinsic value and a stable store of value.

2. *Volatility*: Bitcoin's price is highly volatile, making it unsuitable as a reliable store of value or medium of exchange.

3. *Limited adoption*: While Bitcoin has gained popularity, its adoption as a widely accepted form of payment is still limited.

4. *Regulatory concerns*: The Fed has expressed concerns about Bitcoin's regulatory environment, including issues related to anti-money laundering (AML) and know-your-customer (KYC).

5. *Security risks*: The Fed has highlighted the potential security risks associated with Bitcoin, including the risk of hacking and cyber attacks.

6. *Lack of central authority*: The decentralized nature of Bitcoin, without a central authority, raises concerns about its stability and reliability.

7. *Not a fiat currency*: Bitcoin is not a fiat currency, meaning it's not issued or backed by a central bank or government.

These concerns have led the Fed to maintain a cautious stance toward Bitcoin, focusing instead on exploring the potential benefits of central bank-issued digital currencies (CBDCs).

REACH Singapore, [20/12/2024 6:44 PM]

Dear Contributors,

⏰ We will be closing the chat in 15 minutes ⏰

Thank you very much for being part of our Telegram chat and participating actively.

Goodnight!

Megan 😊

REACH Singapore, [20/12/2024 7:00 PM]

Dear Contributors

We will be closing the chat for today.

Thank you very much for being part of our Telegram chat and participating actively.

Goodnight!

Megan 😊

====