Commentary: Singpass and digital ICs make our lives much easier, but at what cost?
The recent spate of online scams shows that there are real risks of digitalising national identities and government services, which malicious agents are all too happy to exploit, says lawyer Bryan Tan.
SINGAPORE: Forgetting to bring along your IC is much less of a hassle today.
With Singapore’s national digital identity project, we no longer have to carry our National Registration Identity Card (NRIC) or driving licence, as digital versions of our identity cards are available on the Singpass mobile app.
Digital ICs can be used to verify one’s identity at government service counters, book polyclinic appointments and even borrow library books. Besides doing away with physical ICs, the Singpass app enables users to access government services seamlessly online. Users can check their CPF accounts, apply for public housing and more.
As a one-stop app for a resident’s personal data, Singpass has lent itself to other useful applications. For instance, the online platform SGFinDex builds on Singpass infrastructure to aggregate users’ financial information across multiple banks and government agencies.
The move towards a digital national identity is not unique to Singapore. At least 30 other countries, including Canada, India and the United Kingdom, have or will put in place digital national identity programmes.
By doing so, governments expect to reap “digital dividends”: Reduced government transaction costs, shorter waiting times and more digital economy growth and jobs.
PUBLIC CONCERNS WITH DIGITAL ID
Digital national identity makes mobile phones the centrepiece for all transactions. But the memory of the OCBC phishing scam late last year is still fresh for many: nearly 800 customers lost a combined S$13.7 million after spoofed SMSes appeared in legitimate conversation threads with the bank.
Many may remain wary of transacting online and disclosing personal information as a form of verification, even with bona fide business or government agents.
Forum letter writers in recent months have expressed discomfort with having to share their full IC number when asking for a quote on car insurance or in phone calls to troubleshoot issues with accessing government services. After all, there have been warnings of phishing emails and calls impersonating government agencies like the Supreme Court and the Singapore Police Force.
More concerning is the rise of new Singpass-related scams.
In February, scammers masqueraded as staff from reputable organisations and recruited victims to participate in surveys, promising monetary rewards. The scammers then asked victims to scan a QR code with their Singpass app as part of a verification process.
This would grant the scammers access to the victim’s account to register businesses and open bank accounts, which could be used to receive illegal proceeds from scams, launder money and take loans. Scammers can also register new mobile lines to communicate with new victims.
These scams show that there are real risks with digitalising national identities and business or government services, which malicious agents are all too happy to exploit.
There is also a “treasure trove” risk when all valuable and potentially irreplaceable data is stored in one singular central location. A bigger and more valuable store of data is always a more enticing target to perpetrators looking to score big.
RISKS AND INCONVENIENCES OF PHYSICAL IDENTIFICATION CARDS
On that score, it is incumbent on the government, as the gatekeeper of all the information about its citizens, to apply the highest level of cybersecurity necessary to protect its data from unwanted eyes.
Singpass, for instance, requires an extra round of passcode or biometric authentication (such as a fingerprint or facial recognition) whenever users attempt to log in.
Measures are also in place for users to sound the alarm in case of unauthorised access. Singpass sends notifications to the app inbox if personal details have been retrieved, so users are alerted if they did not initiate the retrieval.
Authorities have also stressed that Singpass will never send QR codes or links through SMS or WhatsApp.
The conventional thinking is that a centralised, fully monitored facility is better than little silos where cybersecurity resources will be spread thinly.
Besides, physical identity cards carry risks that don’t apply to digital ones. They can be forgotten or lost, and worse, we may not even notice a lost card until a situation calls for it.
In the event that the phone is lost, Singpass’ extra layer of passcode or biometric verification can prevent outsiders from signing in. The app can also be disabled remotely using a web browser.
But all these cybersecurity measures cannot completely remove the risks of user complacency and human error, when all it takes is a moment when we let our guard down and click on a malicious link.
Therefore, there is a constant need for public education in cybersecurity and cyber wellness.
Users can protect themselves by staying vigilant against scams, using the security features of their digital identity and taking proactive steps such as reporting the loss of their mobile phones as soon as possible.
CLEARING THE CONFUSION ON DIGITAL ID
In the transition to this new digitalisation effort, there will be confusion and a lack of awareness of what must or cannot be disclosed.
Stricter rules on sharing NRIC details kicked in on Sep 1, 2019, under which organisations can collect, use or disclose identification numbers only when necessary by law or for accurately verifying one’s identity. Situations in which it is not necessary include signing up for retail memberships or participating in lucky draws.
But for Singapore’s national identity project to take off, more can be done to increase uptake on the ground. It is of note that the rollout of digital identities has been led by government agencies, meaning that some private businesses are not yet on board with digital ICs.
A forum letter written in April 2021 described how, in terminating a contract, a cable TV service did not accept digital ICs due to the possibility that it was a copy and hence required the customer to present a physical NRIC.
A representative from the Smart Nation and Digital Government Office wrote back, noting that government agencies should accept digital ICs by the end of 2021 and encouraged businesses to follow the Government’s lead and accept them too.
The road ahead for Singapore's digital national identity project is an exciting one.
But nudging the adoption of any new product or feature, especially when it deals with something as sensitive as one’s personal data, is an uphill task. Clear communication, to prevent uncertainty, and adjustments, where policies can be simplified, are required to ensure the journey works for all.
As with new technology and any effort to digitalise services, the answer to risks cannot be simply to revert to an older way of doing things and leave it at that.
Bryan Tan is a Technology, Media and Telecom partner at Reed Smith and former president of the Singapore chapter of the Internet Society.