NATIONAL ID SYSTEM: Two security experts share tips on how citizens can protect their data


On Aug. 6, 2018, Philippine President Rodrigo Duterte signed into law Republic Act No. 11055 or the Philippine Identification System ID Act (PhilSys), which “will (aim to) consolidate all government-issued ID systems into one to improve government services.”

While proponents of the law, sponsored by Sen. Panfilo Lacson, assure the public that it is well-intentioned, it has still been met with hostility and fears of privacy invasion.

The national ID will contain the following information: biometrics, common reference number, driver’s license, passport number, Philippine Health Insurance Corp. number (PhilHealth), Professional Regulation Commission number (for licensed professionals), tax identification number (TIN), voter’s ID number, and other relevant citizen information.

Past administrations have attempted to implement a national ID system but were met with strong opposition from the public and some government officials.

In a report by the Inquirer, Lacson was quoted as saying that “many Filipinos could expect an easier time transacting with the government.” At present, Filipinos have multiple identification cards depending on the government institution that they have business with. The Unified Multi-Purpose ID (UMID) attempted to simplify the process by combining four government agencies into one card: Social Security System (SSS), Government Service Insurance System (GSIS), PhilHealth, and Pag-IBIG Fund. The task of managing the ID system under the PhilSys Act falls on the Philippine Statistics Authority (PSA).

Privacy rights

The same Inquirer report quoted Akbayan Rep. Tom Villarin as saying that the passage of the law “casts a pall of gloom over privacy rights and an ominous threat to human rights.”

Growing interest in cybersecurity and data privacy, spurred by high-profile data breaches here and overseas, could be behind the opposition’s concern.

In the Inquirer report, the President assured Filipinos that the ID system is meant for faster government transactions. The Inquirer quoted the President as saying: “This will not just enhance administrative governance but reduce corruption, curtail bureaucratic red tape, and promote the ease of doing business, but also avert fraudulent transactions, strengthen financial inclusion, and create a more secure environment for our people.”

Amid the concerns over data privacy and user protection, the National Privacy Commission (NPC), led by Commissioner Raymund Liboro, gave the assurance, through a statement on the agency’s Facebook page, that it will uphold the “Commission’s dual mandate to ‘protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth,’ as inscribed in the Data Privacy Act of 2012 (DPA).”

The Philippines is a relatively young country in terms of data privacy in cyberspace. The NPC, an independent body, was formed in March 2016 under Republic Act No. 10173 or the Data Privacy Act of 2012.

A few weeks after the commission was formed, the Commission on Elections reported a data breach that leaked voter information, including birthdates and addresses.

Protect your data

Back End News sought the opinion of two security experts regarding citizens’ cybersecurity worries and what they can do in the event of a data breach, which the government assures is less likely to happen.

“While the concerns of data privacy are relevant, it is good that organizations and individuals in the Philippines are starting to take the issue of data privacy seriously,” said Julius Suarez, manager, Security Solutions Engineering, Asean, at Sophos.

“The recent passage of Republic Act No 11055 or the Philippine Identification System (PhilSys) Act challenges government institutions to demonstrate that they are adopting the most stringent data handling, protection, and privacy practices and behavior at par with international standards,” he said.

“The concerns of Filipinos are of a valid nature given that there has been a history of cyberattacks that targeted government agencies,” said David Holmes, global security evangelist for F5 Networks. “Given that the administration is asking for the compliance of citizens to put together an identification system that encapsulates all relevant information, it is crucial that Filipinos become aware and stay vigilant.”

Suarez, an IT professional focusing on information, network, and system security, explained that the responsibility of data protection is shared between the institution and the individual.

“At the same time, data privacy works both ways,” he said. “While the government collects data from citizens and resident aliens, individuals should also be aware of their legally protected rights to data privacy and how they can protect it.

“According to the National ID system law, it mandates penalties of fines or imprisonment for any person who illegally discloses any PhilSys information or uses it for unauthorized purposes. Personal data may only be disclosed to enforcement or security agencies in the interest of public safety and only upon court order.

“In addition, the Philippines also has the Republic Act (RA) 10173, more commonly known as the Data Privacy Act of 2012, which is dedicated to the protection of Filipinos’ fundamental right to privacy. It gives Filipinos greater control over how their personal data is obtained, processed and shared and enables them to place greater accountability on the organizations — both public and private — responsible for it.”

Holmes, who has authored white papers on security topics such as global cryptography trends and modern DDoS threat spectrum, believes that a national ID system can boost efficiency among government agencies but recognizes the difficulty of reconciling having a national ID system and data privacy.

“PhilSys will increase government efficiency, reduce tax avoidance, and help identify illegal residents. But it will be crucial to get the implementation details right to maintain the balance of data privacy,” he said. “The majority of modern nations has a national ID system because it is difficult to provide efficient services without one. But many of the nations that use them struggle with the competing interest of personal privacy as it relates to a national ID system.”

Businesses and government institutions are encouraged to move their data to the cloud for efficiency. However, this increases the risk of a data breach, as cybercriminals grow more sophisticated with each cybercrime. The two security experts shared the following advice on how citizens can protect their data, which applies not only to the implementation of PhilSys but also to other online transactions.

Holmes said:
“In the unfortunate event that Filipinos experience an attack on PhilSys, it is crucial for affected citizens to contact the proper authorities. It is always a good idea to treat problems before they arrive and taking preemptive measures will help the average citizen. My recommendation for the average citizen concerned about data privacy would be to not include both their email and mobile number in the optional contact data for PhilSys. Or if they feel they must provide both, provide an alternate email address – one that is not used for, say, online-banking, as well.

“There are three main security threats for a national identification system: government exploitation, identity theft, and data breach. The solution to all three is for the PhilSys administrators to segregate properly that national ID data. This third threat, the massive breach, is the one most likely to impact the most number of Filipinos.”

Suarez said:
“Data lost to breaches have a high chance of ending up on the dark web. This is good news to those in the scamming business because a simple list of personal details that include things like names and email addresses can offer a whole lot of information about oneself to cybercriminals. Not to mention, many times, personal passwords are derived from personal information such as names, birth dates, and phone numbers. By having these personal details, hackers can potentially guess your password and obtain clues about how you create passwords, giving them the chance to find their way into hacking your other personal accounts and putting you closer to identity theft and other cyber crimes.

“Change your passwords. Use different passwords for different accounts, rather than having one master password for everything. Try using a password manager that chooses strong passwords for you.

“Use two-factor authentication (2FA), also known as two-step verification. This means that every time you log into an account, you will need a one-time login code in addition to your password. By doing so, having passwords alone will be less useful to cybercriminals.

“Have the habit of logging out when you are done. More often than not, we tend to remain logged-in even though we are done with a particular website. Many mobile apps also like to ensure ease of log-in by keeping you connected at all times, so you don’t have to input your password every time you log in. This gives cybercriminals the best opportunity to hack into your accounts.”
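As an added illustration of Suarez’s point about passwords built from personal details (this is not code from the article, the experts quoted, or PhilSys): a check a service could run when a password is set, rejecting any password that contains the account holder’s own registered data. The record field names and all sample values are constructed for the example.

```python
import re
from datetime import date

# Constructed sample record; the field names are assumptions for this example.
SAMPLE_RECORD = {
    "name": "Maria Santos Cruz",
    "birth_date": date(1990, 3, 12),
    "mobile": "+63 917 555 0142",
    "email": "mscruz.home@example.com",
}

# Undo common character substitutions so "M@r1a" is compared as "maria".
LEET = str.maketrans("0134578@$!", "oieastbasi")
DATE_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%d%m%Y")


def normalize(text):
    """Lower-case, undo substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def personal_tokens(record):
    """Return, per field, the strings a new password must not contain."""
    phone = re.sub(r"\D", "", record["mobile"])
    return {
        # Name parts shorter than four letters would cause false positives.
        "name": {normalize(p) for p in record["name"].split() if len(p) >= 4},
        "email": {normalize(record["email"].split("@")[0])},
        "birth_date": {record["birth_date"].strftime(f) for f in DATE_FORMATS},
        "mobile": {phone[-7:], phone[-4:]},
    }


def derived_fields(password, record):
    """List the record fields whose data appears inside the password."""
    letters = normalize(password)          # for name and email matches
    digits = re.sub(r"\D", "", password)   # separators dropped: 03-12 == 0312
    hits = []
    for field, tokens in personal_tokens(record).items():
        haystack = digits if field in ("birth_date", "mobile") else letters
        # Skip empty tokens, which would otherwise match every password.
        if any(token and token in haystack for token in tokens):
            hits.append(field)
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ("M@r1a_0312", "Cruz0142!", "vT9#qLw2!xKe"):
        print(candidate, "->", derived_fields(candidate, SAMPLE_RECORD) or "ok")
```

A non-empty result means the password should be refused and the user told which of their own details it contains.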

PhilSys is already law, and no citizen can evade its implementation, whatever their degree of anxiety about data privacy. A great deal of information is at stake, though nothing that has not already been provided for the SSS, driver’s license, TIN, etc. The difference is that criminals could harvest all of this data in one attack. It is as if one’s whole identity could be stolen in a single massive data breach, with the data, as the security expert said, possibly ending up on the dark web.