Balancing cyber security with data confidentiality

During the National Day Rally this year, Prime Minister Lee Hsien Loong highlighted cashless payment systems as one of the areas to improve as we move towards becoming a Smart Nation.

Cashless payment systems range from digital mobile wallets such as Android Pay, Samsung Pay, Apple Pay and Dash, to contactless credit payments such as Visa payWave and Mastercard PayPass.

Most notably, Alipay’s announcement last month got many Singaporeans excited. After an initial pilot test to provide cashless payments in taxis, the company has decided to expand its services to more local merchants here. The company joins existing cashless payment systems in Singapore to provide consumers with even more choices and convenience.

The announcement also comes at a time when the country is going through public consultation for the Cybersecurity Bill. If passed in its current form, the Bill might threaten the confidentiality of the data that is stored and processed in Singapore, casting a shadow on future cashless payment companies — and other exciting digital innovations — in terms of entering the Singaporean market.

It is logical to assume that digital services have to deal with issues of cyber security, but there is a closer relation than most expect.

As the Internet Society of Singapore’s Cybersecurity Bill public consultation on July 28 has shown, many industry experts are concerned about the broad provisions written in the proposed Bill, which can have a chilling effect on our desire to be a digital hub.

Consider for a moment how a cashless payment system such as Alipay works. While the consumer enjoys convenience through the app, behind the sleek interface is a rich ecosystem of data hosting and analytics, which provide hygiene services such as real-time fraud detection and business insights to retailers.

Crucial to the success of the system is the ability to store and analyse data close to the source — in this case, if payments are made in Singapore, efficiency will be best achieved if analytics can be conducted here.

In the current version of the Bill, the commissioner is granted broad powers to conduct investigations, including, but not limited to, seizing information assets and servers, and forcing companies to hand over proprietary business information.

From a security point of view, this makes sense: Investigators, after all, require the most amount of data available to swiftly conduct an investigation. However, from a business point of view, this can be potentially disastrous. If the commissioner has the right to seize assets in the event of a breach, they can sieve through confidential client data, forcing companies to break their promise to customers on keeping sensitive data protected from third parties.

Furthermore, the lack of assurance potentially applies to data of non-Singaporeans as well. For any Singapore-based data analytics company serving South-east Asia clients in the event of a cyber incident, the company can be compelled to surrender its assets, which will invariably include data about users across the region. Companies who host their data in Singapore will consequently be unable to assure their clients that their data is secure from third parties such as the commissioner, gradually making Singapore a less attractive place to do business.

Although the Bill is only in its draft version and major companies have been reticent in issuing public statements about it, its economic impact should not be underestimated.

Back in 2012, when commenting on the Personal Data Protection Act (PDPA), Microsoft had highlighted a similar concern with regard to the PDPA granting government discretionary powers in deciding when to enforce the act. Although explicitly acknowledging that flexibility is needed to ensure public safety and national security, the firm also explicitly mentioned that “customers may actually lose confidence in the security of their data being hosted in Singapore and choose to host their data in another jurisdiction”.

Cyber security is obviously important, but our future economy crucially depends on our ability to attract investments in big data and analytics.

As a smart nation leading the world in intelligent regulations, it would be prudent to specify policies that outline the limits of the commissioner in on-boarding firm premises to seize assets. The current version of the Bill dictates that systems that are designated as a critical information infrastructure will be classified as official secrets under the Official Secrets Act. Under such circumstances, companies affected by breaches are unable to be transparent to their customers about who gets access to their data. A more transparent alternative, for example, would be allowing companies to notify their customers that they are being investigated during breaches, upholding the greater good of reasonable privacy for consumer data.

Granting discretionary powers for an emergent digital ecosystem may seem like good policy in this high-trust regulatory climate; but what we might lose in return is our credibility in thoughtfully balancing security and economic needs in this new digital economy.


Leave a Reply