In a world where big data is at your fingertips, information has ceased to become knowledge. It is currency.
As currency, keeping big data safe is the most sensical thing to do. In this matter, it is clear that the Philippines is way, way behind its neighbors.
It’s only proper, therefore, to remember a major data breach which exploded in the summer of 2016.
It was election year. The automated voting systems were being geared for the huge job ahead. Critics feared that its safety nets were not as sturdy as government wanted us to believe. Anyone familiar with digital technology and the internet knew it was vulnerable to ‘hacking’.
As the country slowly inched its way to the presidential polls, these fears were confirmed.
Sometime March of the same year, the poll body’s website was hacked and breached. Voters’ registration records were stolen, and later on, made public over the internet.
The National Privacy Commission confirmed the break-in. Reports said a little over 75 million registration records from the Comelec’s Precinct Finder web application had been ‘hacked’.
This included data in its iRehistro portal, gun ban database, firearms serial number records, and archives of Comelec personnel.
The National Privacy Commission lost no time pointing its fingers on Comelec chairman Andres Bautista, who they claim should be liable for the breach.
The recent appearance of Comelec Executive Director Jose Tolentino Jr. in the Senate was an assurance that such a leak would never happen again in the 2019 mid-terms. To strengthen that resolve, the Comelec sought the participation of the Department of Information and Communications Technology (DICT).
On that very same day, Pres. Rodrigo Duterte signed the Philippine Identification System (PhilSys) Act of 2018 into law, also known as the National ID System.
The ID would require 13 sets of information, according to the government: the PhilSys number (PSN), full name, sex, blood type, date of birth, place of birth, marital status, and photo of the ID owner. More information will be stored in the PhilSys registry, such as mobile number, email address, and biometrics data, including full set of fingerprints and iris scan
Through the years, and across several administrations, the National ID System has had little success. As far back as 1998, the Supreme Court had decided against it (A.O. No. 308), calling it unconstitutional.
The Supreme Court enbanc (G.R. No. 127685 of July 23, 1998) deciding on Blas Ople vs. Ruben D. Torres, did not mince words:
“The right to privacy is one of the most threatened rights of man living in a mass society […] In the case at bar, the threat comes from the executive branch of government which by issuing A.O. No. 308 pressures the people to surrender their privacy by giving information about themselves on the pretext that it will facilitate delivery of basic services. Given the record-keeping power of the computer, only the indifferent fail to perceive the danger that A.O. No. 308 gives the government the power to compile a devastating dossier against unsuspecting citizens.”
A more enlightened Supreme Court at the time summed up its decision by saying “the disturbing result could be that everyone will live burdened by a record of his past and his limitations. In a way, the threat is that because of its record-keeping, the society will have lost its benign capacity to forget.’ Oblivious to this counsel, the dissents still say we should not be too quick in labelling the right to privacy as a fundamental right. We close with the statement that the right to privacy was not engraved in our Constitution for flattery.”
The Supreme Court, thereafter, brought the gavel down: “In view whereof, the petition is granted and Administrative Order No. 308 entitled ‘Adoption of a National Computerized Identification Reference System’ declared null and void for being unconstitutional.” (Supreme Court En Banc, G.R. No. 127685, July 23, 1998, Blas Ople vs. Ruben D. Torres).
By creating the system under the pretext of delivering basic services with ease and convenience, the 1998 National ID System and the Philippine Identification System (PhilSys) Act of 2018 are in essence the same.
And such, one should ask: if the marketing spiel focuses only on the convenience of the user, then why all the hubbub of keeping 13 sets of information when a few would suffice? Retinal and fingerprint scans? Emails and mobile numbers? Is the government preparing a system to collect dossiers?
Manila Bulletin columnist Atty. Mel Sta. Maria, in a social media post, reminds the public that we cannot surrender our privacy in exchange for convenience.
“The computer is capable of producing a comprehensive dossier on individuals out of information given at different times and for varied purposes. It can continue adding to the stored data and keeping the information up to date. Retrieval of stored data is simple. When information of a privileged character finds its way into the computer, it can be extracted together with other data on the subject. Once extracted, the information is putty in the hands of any person. The end of privacy begins.”
Anyone familiar with technology and its swift innovations know that as computer systems and applications grow and advance, so too their ability to breach digital safeguards. I personally don’t think this government is prepared to launch—and safely sustain—such a project, what with the data breaches and leaks that had been happening.
And even if the National ID contains only the minutest and the most basic details about who we are—say, our names and addresses—the vagueness of how the information will be used while under the hands of government should be subject to question.
The 1998 Supreme Court ruling said in this regard, “We can even grant, arguendo, that the computer data file will be limited to the name, address and other basic personal information about the individual. Even that hospitable assumption will not save A.O. No. 308 from constitutional infirmity for again said order does not tell us in clear and categorical terms how the information gathered shall he handled. It does not provide who shall control and access the data, under what circumstances and for what purpose. These factors are essential to safeguard the privacy and guaranty the integrity of the information. Well to note, the computer linkage gives other government agencies access to the information. Yet, there are no controls to guard against leakage of information. When the access code of the control programs of the particular computer system is broken, an intruder, without fear of sanction or penalty, can make use of the data for whatever purpose, or worse, manipulate the data stored within the system (https://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html).
No law, however strongly and consistently implemented, even Sen. Angara’s Data Privacy Act, will be able to stop leaks and breaches dead in its tracks. Computer hacking applications, once applied and set to work, run in synchronized automation. It can multitask with ease, and process millions worth of data in seconds and minutes even without a man behind the machine.
Furthermore, in the digital world and the internet, a hacker or group of hackers can remain anonymous either by simply ‘disappearing’ or throwing off people as to their whereabouts using programs and applications for the purpose. Call it ‘hacker magic’.
Data leaks are as real as real can get. Remember Cambridge Analytica? The British consulting company sparked renewed interest in data breaches after the 2016 U.S. elections. A third-party developer reportedly hacked its way into Facebook and culled the information of close to 90 million Facebook users and sold it to Cambridge Analytica.
A report by CNN Philippines said that the data was then used by Cambridge Analytica “to develop techniques that reportedly influenced U.S. voters. The data scandal affected over 1.18 million Filipino Facebook users and shined a light on how technology can ‘manipulate data for a firm to achieve its objectives.’”
Pres. Duterte himself was rumored to have employed the services of Cambridge Analytica in the Philippine presidential elections of the same year. Duterte denied the allegations.
I cannot say it enough: behind the success or efficiency of every system stands the people who run the system. Even something as innocent as a spoon and fork can be used as a weapon in the hands of a master.
Imagine a National ID System with your digital information stored in a chip, information you don’t find in other identification cards.
Think about it, seriously. The ID card is being peddled as the be-all and end-all of convenience, a singular pass to be used in every transaction with government, even private entities.
The more you use it, the more information about you is gathered and stored in government databases. How and for what the data would be used is not clearly defined.
The fears raised by critics are not mere biased presumptions. Easily, the National ID System, when used as a tool for oppression, harassment, blackmail, and breach of privacy, passes with flying colors.
With the current government lurching toward dictatorship, the National ID System would seal its autocratic ambitions by creating millions of dossierswhich could be used for the purpose of either persecution and profit. Or both.
This is George Orwell’s “Big Brother” rearing again its ugly head.
If billion-dollar data giants Yahoo, eBay, credit bureau Equifax, and credit card company TJX, suffered exposure and leaks of millions worth of data, despite the money they pour in for safety nets, what more a seemingly clumsy and mediocre government which can’t even tell a real photograph from a fake one?
The warning to brace ourselves for a coming firestorm is apt. G