MAY 3 2000

Data privacy risk overlooked in IT rush

IN A Sunday Times special on the new economy ("Plug-And-Play", April 9), the National Library Board (NLB) was highlighted as an example of an old economy dinosaur being propelled into the new economy by a new chief executive officer.

From a machine's perspective, the use of information technology in libraries here today is certainly very new economy.

However, from a human perspective, the move to force the use of CashCards unilaterally can only be described as very "old civil service".

Recently, a Straits Times reader expressed concern that a library member's borrowing records could be accessed just by entering his surname and identity-card number in the NLB's web interface.

In its reply, "NLB feels there is no need for user passwords for now" (ST, Feb 14), the board said there was "no need to mandate the use of passwords or PINs for library users for now".

But it is missing the point. Shouldn't it be up to the individual member, not the NLB, to decide how much of his personal information he wants to disclose on the web?

Singapore, of course, has no data-privacy legislation, and Mr Lim Swee Say, Minister of State for Communications and Information Technology, has said self-regulation, and not legislation, is the way to go (" 'No' to cyber privacy laws"; ST, Feb 26).

This can be contrasted with the situation in Hongkong where the Data Protection (Privacy) Ordinance has been in effect since 1996.

It restricts private organisations and government departments severely in their use or disclosure of a Hongkonger's personal information. The NLB may argue that Hongkong's privacy laws were put in place by the British colonial government and are not relevant.

They may even point to the United States where there are no similar privacy laws at the federal level.

But, in the US, many states and municipalities have laws that prohibit public libraries from divulging members' records, except by court order.

Finally, the NLB may argue Singaporeans do not actually care about privacy.

A debatable point, but the lax security in the NLB's system has material implications as well.

The NLB allows its members to renew and reserve library materials at self-service terminals and over the Internet for a fee.

Thus, a prankster could rack up charges on another person's library account just by knowing that person's name and IC number.

How hard is it to get a list of names and IC numbers?

Class registers are an obvious source.

StarHub even published the names and IC numbers of several hundred "lucky winners" of free mobile-phone service in a newspaper advertisement not long ago.

The attack I have described is limited in the sense that the fee for each renewal or reservation is less than $2 and there is a $6 cap on each member's account anyway.

There is no cap on a member's liability, however, if a book or CD-ROM is charged to his account and not returned.

The NLB has installed self-service checkout terminals at all its branches.

Users now identify themselves by placing their ICs in a bar-code reader.

Unfortunately, the terminals have no way of verifying the bar codes are on genuine ICs.

Anyone can check out library materials on another person's account by presenting a bar code with somebody else's IC number.

When I first informed the NLB of this loophole in 1998, they said that they had "fully weighed the trade-off between security and privacy against the benefits of library automation".

One problem with this trade-off is that, whereas the benefits are shared between the NLB and its users, the risks are borne by the users alone.

If a single user falls victim to such an attack, it is highly unlikely that the NLB would believe his story.

It is only if many users are hit simultaneously that the NLB may be forced to grant a blanket amnesty to all members affected.

But then, how would it distinguish between genuine victims and members who lost library materials but declined to own up?

The NLB is essentially telling members that they should not lock their doors because it is inconvenient to carry keys around.

Some may choose to do that but not everyone would.

Unfortunately, the NLB is the one holding all the keys and is refusing to let anyone lock his own door.

But then, it is not the NLB's privacy or property which is at risk.

Ten years ago, the same committee which recommended introducing a Computer Misuse Act also recommended introducing a data-privacy law.

In the end, however, the Computer Misuse Act was passed but data-privacy legislation was never enacted. Why?

The Computer Misuse Act exists primarily to protect big organisations.

In contrast, data-privacy legislation would protect individuals but impose new duties and responsibilities on organisations, including the Government.

The Government must have felt that data-privacy laws would have been burdensome and would have retarded its efforts to promote "computerisation" in the public and private sectors.

Of course, even if Singapore had data-privacy legislation, the NLB may still have designed an insecure system.

The lesson to be learnt here is that poorly-designed information systems can and do pose risks to individuals.

In its rush to embrace information technology and the new economy, the Government seems to have forgotten to ask whether the interests of large organisations and those of individuals coincide.

Technologically, I am confident Singapore has what it takes to make it in the new economy.

The question is -- who will benefit from it, Singaporeans as individuals or only large organisations?

That is something that we, as a society, have to decide.

NGIAM SHIH TUNG

Copyright 2000 Singapore Press Holdings Ltd. All rights reserved.