Unfortunately, data management is so bad in the Philippines...
This column originally appeared in The Manila Times on January 15, 2019.
In this day and age, whoever has data and can do analytics rules. Government or the state is a holder of premium data. Anyone who transacts with government surrenders key information and with it comes trust, that the data will be guarded like gold. Unfortunately, data management is so bad in the Philippines that you get the full 55 million registered voters leaked with such ease, first by hacking courtesy of Anonymous Philippines and then by a hacker group, LulzSec Pilipinas. That was on May 27, 2016, or two years ago; the case remains pending (not moving) and the Comelec website is still poorly maintained. The data dump was complete with fingerprints and email addresses.
In an online exchange with an officer of the National Privacy Commission (NPC), the NPC’s position was that they have done what they needed to do and that it is up to the courts to run after the concerned parties responsible under the Data Privacy Act (DPA or Republic Act 10173). “Sections 20 and 21 of the DPA require entities that hold and control personal information to ensure that security measures are in place to protect the personal information they hold.” It also “requires them to notify the people whose personal information was leaked.” We wait under suspended animation.
In its decision dated Dec. 28, 2016 (NPC Case 16-001), the NPC underscored Comelec Chairman Andres Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures. “Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation, and updating of Comelec’s privacy and security policies and practices,” the decision reads. The NPC said the Comelec “violated Sections 11, 20 and 21 of the Republic Act No. 10173” in the discharge of the agency’s duty as “personal information controller.” The document, meanwhile, mentioned Chairman Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.
The NPC stated that “the personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the Comelec personnel database, containing records of 1,267 Comelec personnel,” the document reads, making the incident the worst recorded breach of a government-held personal database in the world, based on sheer volume.
Recently, a month before the 2019 elections to be exact, we read about the Department of Foreign Affairs (DFA) losing its data set just like that, and this one is even worse because it was done by a contractor. The provider for passports just took the whole data set. Unbelievable, right? And days after, it seems the DFA is not even running after the service provider since they just want to rebuild and start all over again! And the illegal subcontracting that was discovered in 2016 by the Duterte administration via then Foreign Secretary Perfecto Yasay remained in force. When Yasay already recommended the abrogation of the contract, the succeeding head just allowed it to fester. No wonder the issuance of electronic passports has been slow and badly managed. Who was playing with the gods of DFA? Or were the gods replicating the database for future use? The well-being of 10 million overseas Filipinos is at stake and so is that of 2.3 million overseas Filipino workers, together with the total number of Filipinos who have been issued passports.
Interestingly, when the Aquino administration took office, it appears that most databases were targeted across government institutions, from licenses, plates, etc. With that came new service providers. Nothing wrong with new service providers if they are vetted in terms of security and they can do the job a lot better than the previous one. You can actually cross-reference licenses with voter data and passport and create models along the way to target supporters for political use. One can also do a lot of fundraising across new providers. But the Duterte administration has failed to come clean on the matter. The public has not been informed at all on what happened to the ComeLeak, LTO, DFA, etc. Yes, the LTO has improved its service delivery, but taxpayers need to know what really happened with the change of service providers. Remember, taxpayers paid for delayed service and there was no refund; the LTO continued collecting fees without the issuance of licenses and plates then.
With the ComeLeak and DFA data theft, how will the Duterte administration implement RA 11055, or the “Philippine Identification System Act,” which was signed by PRRD on Aug. 6, 2017? The law seeks to harmonize, integrate, and interconnect the countless and redundant government IDs by establishing a single national identification system to be known as the Philippine Identification System, or PhilSys. The Phil-ID will contain information such as the PhilSys number, full name, facial image, sex, date of birth, blood type, and address. With all the leaks, dumping and theft, how will government ensure that PhilSys is not another free download for a huge data set that can be mined for a presidential run?
Transparency in an era of digitization is vital. Accountability is at the heart of such good seal, and the sooner we embrace a distributed, decentralized, public ledger set-up, the better for all. Singapore, Thailand, Indonesia and Malaysia are moving in that direction. Can we? The Duterte administration must put an end to these leaks, get to the bottom of them and make the malefactors accountable. We can’t be traversing from one leak to a dump to data theft without anyone getting jailed, or else we end up the laughingstock, attracting more and more data pirates to our shores.
Enough with the innuendoes and the verbal tussles with age-old gatekeepers. Get mad at this, show your mettle, Mr. President, on that which matters and get it done. The best way to get things done is to simply begin.