Opinion
Bullseyes and blunders: When justifications miss the mark
The exposure of NRIC numbers in Acra’s portal was a clear privacy breach. While the Ministry now insists NRICs are “not secret,” this response feels like justifying a mistake after the fact. A better approach? Apologize, tighten security, and avoid cavalier remarks that stir public unease.
by Michael Han
Should I be worried?
It all started innocently, I guess. Acra launched its new Bizfile web portal on Dec 9. They allowed all and sundry to search for and view the full NRIC numbers without having to log in.
A member of the public had the common sense to raise the alarm of privacy issues. And Acra temporarily disabled its function five days later (that is, on 13 Dec, which happened to fall on a Friday).
So, our personal NRIC numbers are exposed to any Tom, Dick and Harry for a five-day window. That is clearly a privacy breach.
That said, I can imagine other breaches from promoters collecting our NRIC numbers, names and addresses and losing them to hackers via big servers’ data leaks, which carry the nation’s private data.
Admittedly, for every firewall we build, crooks and scammers will come up with more innovative ideas to find loopholes or break the walls down.
The race of digital one-upmanship will go on and on. That is the common humanity we have to put up with, that is, the commonality of our human nature, especially our baser instincts for a quick gain at others’ expense.
That’s all part and parcel. We just have to keep up with the hackers, scammers, crooks and digital Trojan horses with preventive and anticipatory strategies to counter them.
But now, there seems to be a spin to Acra’s boo-boo. The ministry is asking us to have a mindset shift.
In a nutshell, our NRIC numbers are not secret. It appears to be an open secret. We, therefore, need to shift from using our NRIC numbers as passwords. If we have been doing so, it is advisable to change it for more secure protection (wait, isn’t this like locking the barn doors after the horses have all bolted?)
So, after temporarily shutting down the function where anyone could have access to our NRIC numbers and leaving them exposed for five days (9 Dec to 13 Dec), the Ministry came up with this statement a day later:
“There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others.”
The Ministry said that the NRIC number is assumed to be known, just as names are known.
Well, the last time I checked, I don’t remember telling someone this when he or she asked me, “Sorry, who are you?”. “I am Michael Han and my NRIC number is S70-blah-blah-blah”.
This is not the Army, where you have a dog tag with your NRIC numbers on it, for easy identification or authentication as a casualty of war.
Although the Ministry and Acra apologised for causing anxiety over the boo-boo and statement, and they will clarify at a later date, I am concerned because, between my NRIC number and my name, my NRIC number has a higher degree of anonymity. Mind you, I am not known by the last four digits of my NRIC numbers.
In some rare circles, I am known as “Hean”. At times, still rare, I am known as “Han” when in native company. But mostly “Michael Han” to all. No one ever hollers out my NRIC number, and I readily respond with a hand raised (doesn’t that feel like the Hunger Games from Block 17?)
So, the level of exposure for names is higher, and for NRIC numbers, it is lower, if not much lower. A crook has to ask for more details in order to get us to reveal our NRIC numbers, and that includes our telephone numbers too.
My point is, the whole slip and the statement resemble the sharpshooter fallacy. You let go of the arrow, and wherever it lands, you then walk over and draw a bulls-eye around it. You are thus always spot on. You never miss. You are like the dealer’s hand, you always win.
Now the cat is out of the bag, you then shut it down, and a day later, you tell all and sundry your NRIC number is no secret anyway; so don’t be so sensitive about it.
Alas, I’d rather they just apologise and quietly move on. Leave the sensitivity part alone so as not to stir the hornet’s nest. You have already released the arrow, it was not on target, just start all over. We all make mistakes.
Human nature, right?
Cloak ourselves with humility and human sensitivity, and not arm ourselves with shovels and dig even deeper into a pit.
Another point is to make it harder for hackers and scammers to unearth our identity for easy exploitation by setting up more security hurdles for them to jump over, and not just come out and say so cavalierly that our NRIC number is no secret. So don’t sweat it.
Even if there is a point to alert people about the risk of NRIC numbers and to avoid using them as passwords, the timing of it is just unfortunate as it came right after the Acra boo-boo.
It may thus be perceived as an afterthought justification instead of an earnest caution unrelated to the misstep. Many things at that level are about optics, even if one has the best of intentions.
Not every one of us is issued rose-tinted sunglasses to wear when we are asked to assess the actions and intentions of the government.
This opinion piece was first published on Michael Han’s Facebook page and reproduced with permission.