Singapore government assures SingPass-MyInfo will stay secure
The Singapore government has assured that the move to link all 3.3 million citizen accounts, used to access e-government services, to an autofill form system will not leave user data any less secured.
Its CIO agency GovTech announced earlier this week that all registered SingPass users would be given a MyInfo profile, enabling certain fields to be automatically pre-filled once the data had been previously provided to another government agency. This "tell-us-once" concept was designed so users would not need to repeatedly enter information into online forms sent to government agencies, it said.
Since its launch in early-2016, MyInfo had garnered 200,000 enrolments, according to GovTech. By December 2017, this number would be significantly boosted when all 3.3 million SingPass accounts would automatically be linked to their MyInfo profiles.
With the tie-up, citizens' personal details such as their name, identification number, and date of birth, would be used to automatically fill up online government forms--after they had logged in via their SingPass account. This meant that data in their MyInfo profile would be made available to all government agencies.
"SingPass acts as an authentication gateway, while the MyInfo service provides the user's basic personal data to form the digital user profile, to make transactions easier and more secure," GovTech said.
And SingPass users would not have the option to opt out of the service, according to a GovTech spokesperson, who said this move was necessary as the government worked towards its aim to establish a national digital identity.
The Singapore government in February said it was exploring plans to build a national identification system that could be used to access both public and private sector services, hence, expanding the functions of SingPass to include access to a wider range of transactions.
MyInfo currently was available on 24 e-government services, with another 140 to be added by 2018. Access in May this year also was extended to four banks, including DBS and Standard Chartered, but explicit user consent had to be provided before personal details were allowed to be retrieved from MyInfo to facilitate 19 online services, such as credit card application.
There now were plans to extend the service to more locally-registered private organisations by year-end, said GovTech, which added that user consent would be sought for transactions that required financial data such as income tax statements, before personal data was released.
Its spokesperson told ZDNet that credit card or bank account details would not be captured by the system.
She added that citizens still would have the option to preview any pre-filled data before submitting it or delete the data and manually key the required information into the form.
MyInfo data not stored in single repository
While often had been described in local reports as a "digital data vault", MyInfo was not a centralised repository that stored user data in a common database. Instead, it extracted the relevant citizen data provided to--and archived by--the respective government agencies, as and when they were required to pre-fill forms.
Stressing that the government took a "serious stance" on security, the GovTech spokesperson said: "MyInfo data is stored across multiple systems [that] are safeguarded by cybersecurity measures, including a combination of end-to-end encryption and multi-layered security. In line with industry best practices, these measures are reviewed and updated on a regular basis to enhance data protection."
Data available via MyInfo ranged from personal details such as passport number and residential status, to contact information including mobile number, e-mail address, and billing address.
ZDNet also asked if the SingPass-MyInfo system would be considered a critical information infrastructure (CII) and, therefore, impacted by the country's upcoming cybersecurity bill. While GovTech was unable to provide a confirmation, Singapore-based tech lawyer Bryan Tan said it should be a function related to "government" under the list of 11 CIIs outlined in the proposed bill.
If passed, the bill would require operators of local CIIs to take steps to safeguard their systems and swiftly report threats and incidents. The proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.
The bill listed 11 "essential services" sectors considered to operate CIIs: water, healthcare, maritime, media, infocommunications, energy, banking and finance, security and emergency services, land transport, aviation, and the government.
A partner at law firm Pinsent Masons, Tan said the proposed bill defined CII as "a computer or a computer system that is necessary for the continuous delivery of essential services...Singapore relies on.
"The loss or compromise of which will lead to a debilitating impact on the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore," he said, citing the draft bill.
ZDNet asked about possible recourse SingPass users could take if their accounts suffered a security breach, resulting in their personal data being leaked.
Tan explained that Singapore's Cybersecurity Act did not outline specific recourse, so general laws should apply. "Specifically, breach of statutory duty," he noted. "I am not sure if receiving money also is a good way to compensate. For instance, getting credit protection services might be a more appropriate remedy."
Providers of such services typically helped customers track their credit movement and would trigger an alert--notifying their bank or credit providers--if any unauthorised charges were made to their account.
Originally scheduled to be tabled later this year, Singapore's proposed cybersecurity bill now was expected to be introduced in parliament next year.