Security on NDP website tightened

Work to tighten security on the National Day Parade (NDP) website began yesterday, after concerns were raised about users' privacy.

It came a day after blogger Zit Seng claimed in a blog post that a page taking citizens' e-balloting submissions for NDP tickets does not use encryption technology - such as Secure Sockets Layer (SSL) - to secure its Web links.

The page, launched last Saturday, asks for personal information such as an applicant's name, and identity card and phone numbers.

The post gained widespread attention online with netizens criticising the apparent lack of security.

However, the NDP Executive Committee insisted that "no personal information had been compromised" and thanked the public for their feedback.

Although he did not admit there had been a security flaw, the executive committee chairman of ticketing, Lieutenant-Colonel Jason See, said: "The level of security can be further enhanced, and we will do so."

Singaporeans can still apply for tickets during the upgrading of the NDP website, he added. But no further details were given on the completion date of the upgrade and what it entails.

Applications close on Sunday, and can also be made via SMS, and AXS and SAM machines.

Encryption is the process of encoding information so only authorised parties can read it. It is considered to be a norm for protecting personal credentials.

"Encryption is the industry's standard practice when handling sensitive data," said Mr Vincent Oh, regional director of security software firm McAfee South-east Asia.

Mr Aloysius Cheang, Asia- Pacific managing director of global computing security association Cloud Security Alliance, agreed.

"Implementing SSL is very elementary nowadays," he said.

Without encryption, credentials sent can be easily intercepted and read by hackers, causing "irreparable damage" to the user and the website owner's reputation, said Mr Eugene Teo, senior manager of security response at security software firm Symantec Singapore.

Copywriter Lee Teen Yen, 40, said she will not use the NDP website for now due to the potential risks of data theft.

"It could be unsafe," she said. "When you collect data you must encrypt the data to ensure privacy."

Events project consultant Roy Nahar, 34, said: "For now, there is no security breach but it does not mean everything is safe."

Companies are required by the Personal Data Protection Act, which will be enforced from July 2, to protect consumers' personal data via "reasonable security arrangements" including encryption.

However government bodies are exempt from this Act.

"The NDP organising committee, being a unit of the Ministry of Defence, would be exempt from the Act," confirmed intellectual property and technology lawyer Jonathan Kok, partner at RHTLaw Taylor Wessing.

The public sector follows an internal set of rules which are not disclosed to the public. It has prompted some people to question what rules regulate government agencies and their contractors, and whether they are enforced.

Engineer Ngiam Shih Tung, 47, said: "This incident, if it is true, illustrates how in practice the Government's internal rules - whatever they may be - are not as well-enforced as the Government claims."

BUSINESS AS USUAL

Singaporeans can still apply for tickets during the upgrading of the NDP website.

Applications close on Sunday, and can also be made via SMS, and AXS and SAM machines.

itham@sph.com.sg

This article was published on May 22 in The Straits Times.

Get a copy of The Straits Times or go to straitstimes.com for more stories.