Zit Seng's Blog

A Singaporean's technology and lifestyle blog

LKY Day Petition Remains Phishy

Truth be told, when I first heard of the LKY Day petition, and saw their two websites, I thought they looked suspicious. Not totally fraudulent perhaps, but certainly not entirely aboveboard. Viral messages were circulated about the purported scam. I only knew about the petition because of those warnings.

Today, a Straits Times article interviewed the husband and wife pair, Dr John Lim and Mdm Tan Lay Geok, behind the petition websites www.lkyday.com and www.1923-2015.org. They are apparently legit Singaporean people. They started the online effort in their personal capacities to petition the government to gazette 23 March a public holiday to commemorate Mr Lee Kuan Yew. Although there are two domain names, it looks like there’s basically just one website behind them.

While their intentions may be good, I can’t help but question the manner in which they carried out their petition. Dr Lim purported that they would observe the Personal Data Protection Act (PDPA) and other laws on the information they collect.

One of the requirements of the PDPA is for the disclosure of the purpose of the information collected. Unfortunately, the website doesn’t quite comply with this. In the Straits Times interview, Dr Lim claimed the phone numbers were required for random checks, but this was not stated in his website.

On the matter of NRIC numbers, the website only explains that the petition is for Singaporeans and PRs only. I'm guessing he is going to verify the legitimacy of the NRIC numbers based on the NRIC checksum. Doesn’t Dr Lim know that the algorithm is public knowledge? In fact, if he can verify the checksum, so too can others generate random but valid NRIC numbers for fictitious people. So how does Dr Lim propose he identifies legitimate Singaporeans and PRs?
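To illustrate the point about checksum validation, here is an added example (not from the original post, and not the petition site's code). It implements the widely published check-letter scheme for S- and T-prefixed NRIC numbers and shows that the check catches typing errors but says nothing about whether a number belongs to a real person. The function names and sample numbers are constructed for illustration.

```python
# Added illustration. Weights and letter table follow the widely published
# NRIC check-letter scheme for S/T prefixes; sample numbers are constructed.
import re

WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
LETTERS = "JZIHGFEDCBA"          # indexed by (weighted sum + offset) mod 11
OFFSET = {"S": 0, "T": 4}        # T-series adds 4 before the modulo
FORMAT = re.compile(r"[ST][0-9]{7}[A-Z]")


def check_letter(prefix: str, serial: str) -> str:
    """Derive the check letter from the prefix and the 7-digit serial."""
    total = OFFSET[prefix] + sum(w * int(d) for w, d in zip(WEIGHTS, serial))
    return LETTERS[total % 11]


def passes_checksum(nric: str) -> bool:
    """True if the string is well-formed and its check letter matches."""
    nric = nric.strip().upper()
    if not FORMAT.fullmatch(nric):
        return False
    return check_letter(nric[0], nric[1:8]) == nric[8]


def accepted_letters(prefix: str, serial: str) -> list:
    """Every serial has exactly one letter the check accepts."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    return [c for c in alphabet if passes_checksum(prefix + serial + c)]


def single_digit_typos_caught(nric: str) -> int:
    """How many of the 63 possible one-digit substitutions are rejected."""
    caught = 0
    for i in range(1, 8):
        for d in "0123456789":
            if d != nric[i]:
                caught += not passes_checksum(nric[:i] + d + nric[i + 1:])
    return caught


if __name__ == "__main__":
    sample = "S1234567D"  # constructed sample, not a real person's number
    print(sample, "passes:", passes_checksum(sample))
    print("one-digit typos caught:", single_digit_typos_caught(sample), "of 63")
    # The check is a pure function of the digits: it detects mistyped input,
    # but any 7-digit serial has a matching letter, so a pass proves nothing
    # about identity. That needs verification against an authoritative source.
    print("letters accepted for S0000001:", accepted_letters("S", "0000001"))
```
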

Sidenote: I certainly hope he doesn’t have a secret database of all Singaporean NRIC particulars on his website, which is hosted overseas, or anywhere else.

There is no explanation for the need to collect email address, or how it will be used.

The website carried a brief privacy policy that simply states:

Your information will not be sold, exchanged, transferred, or given to any company for any reason whatsoever, without your consent, other than for the purpose of this petition.

It appears his privacy policy implies that he may sell, exchange, transfer or give your personal information to any company, without your consent, as long as it is for the purpose of this petition. Pray tell, under what circumstances could that possibly happen? Couldn’t Dr Lim simply hand over the information directly to the government?

There are many requirements in the PDPA. It doesn’t appear to me that these websites have satisfactorily addressed those requirements. For example, on the protection obligations, has this website put in place proper measures to ensure the secure storage and transmission of the personal data? You can see that the forms to collect personal data are submitted through plain HTTP. Recall I (unintentionally) started the NDP Website ruckus last year because of the same thing.

For posterity, here’s the screenshot of the www.lkyday.com website today.

[Screenshot: www.lkyday.com]

My greatest concern is how an individual, or individuals, is making use of this sad event, the passing of Mr Lee Kuan Yew, to amass a database of personal information, and in particular, NRIC numbers.

I’m also really curious, why not use existing well-known online petition services, and not ask for NRIC? Like www.change.org for example. It seems like the custom crafted petition website is a lot of unnecessary effort.
