The majority of modern nations implement a national ID system to achieve greater efficiency in the provision of services. Many of these nations, however, continue to struggle with the competing interest of personal privacy.
The 2018 Philippine Identification System Act creates a new identification number or PhilSys, for each Filipino. The act provides the legislative backing that the previous national ID system, the Unified Multi-purpose ID or UMID, lacked.
F5 Networks Global Security Evangelist David Holmes is optimistic about the recently ratified national ID system, acknowledging that it will do well for Filipinos. But as with all good things, he underscores the need to be wary of the potential threats to such a massive data center. Holmes shares his thoughts on the national identification system and lists down three main security threats.
Threat 1: While external forces are the top-of-mind immediate threat for PhilSys, the system may also be compromised from the inside. Government employees with access to the data can take advantage of that access to get the contact details of other people. This is a legitimate and common enough occurrence (in all nations) that’s why access to optional contact information such as address and phone number should be limited to need-to-know government employees.
Citizens who have additional privacy concerns, including celebrities, the wealthy or individuals who have stalkers, may not want to provide that optional contact information even if it means that their personal service efficiency may be impacted.
Threat 2: Identity theft happens when a person intentionally uses another person’s important data for his or her personal gain. For two decades in the United States, identity theft was a very, very lucrative illegal business. A malicious person would request a copy of their target’s birth certificate over the mail and use it to get a driver’s license, the de-facto national ID card in the US. The driver’s license, which would have the impersonator’s photo, would be used to open bank accounts and credit card accounts and, in some cases, appropriate the property of their victim by changing the target’s address to their own.
Holmes then advises PhilSys implementers to make it very difficult, if not impossible, to change the primary biometric identifiers. The fingerprint and iris data should be able to prevent identity theft as long as they are never allowed to be changed.
The optional contact data provide a cause of concern as well. People have multiple email addresses and phone numbers, even physical addresses. This means that the system will have to accommodate frequent changes to these data, something that identity thieves can take advantage of. It is then crucial that biometric authentication is provided whenever optional contact data are changed or updated.
Threat 3: A massive data breach will happen so it is important to plan for it. We live in an “assume breach” world. Hackers will eventually get access to and perhaps disclose the entire PhilSys database. This has happened with the Philippine COMELEC voting records, which included fingerprint data. But such a breach won’t be the end of the world if it is properly planned for.
Password resets for online banking often ask questions such as “What was your place of birth?” These questions will no longer be good identification questions for re-establishing identity if both the email address and place of birth for every Filipino become public during a breach.
It is always a good idea to treat problems before they occur, and taking pre-emptive measures will help the average citizen. Holmes recommends excluding both email address and mobile number from the optional contact data for PhilSys. If both details need to be provided, Holmes suggests having an alternate email address – one that is not used for, say, online banking as well.
In the unfortunate event that Filipinos experience an attack on PhilSys, it is crucial for affected citizens to contact the Philippine Statistics Authority, the main implementing agency of the national ID system.
The implementation of the national ID system will bring to the fore security concerns given that there has been a history of cyber-attacks involving government agencies. With the government requiring compliance to ensure a successful implementation, it is crucial that Filipinos become fully aware of how they can protect their personal data and stay vigilant amid potential threats.