At the National Privacy Commission’s recent Data Privacy Conference, cybersecurity guru Paul Prantilla of Globe Telecom had a sobering message for attendees: every single computer network has vulnerabilities; it is an inevitability that can only be delayed with constant vigilance.
Prantilla had been speaking at a session aimed at explaining what was meant by appropriate security for personal information; he later shared the stage with ePLDT’s Angel Redoble. The two men had over forty years of experience between them.
Redoble later highlighted an important point: there was an impression that if you had fewer resources, it was somehow acceptable to adopt less stringent security measures when handling data. On the contrary, Redoble countered, the standards were not going to be set by the resources of the personal information controller, but by the nature of the personal information being handled by the controller. Redoble noted, further, that such personal information had value on the dark web, and that hackers were therefore more likely to target these small data handlers as low-hanging fruit.
Instead, both Redoble and Prantilla advocate a threat-based approach: an awareness of possible threat vectors should guide what counts as appropriate security. They also preached the virtue of unending, unceasing vigilance over the sanctity of data. “Cybersecurity is my [other] religion; data privacy is my faith,” said Redoble.
Indeed, appropriate scrutiny should attend the levels of security that surround the coming National ID System. Past efforts at creating such a system were often stymied in Congress. However, with the President’s pen poised over the bill, a National ID system is soon going to be a reality. With this system, the powers that be finally understand the power that can be had with understanding large data sets. An examination of the criminal provisions of the proposed law shows that they are more punitive than those provided for in the Data Privacy Act. It is a recognition that we now live in an era where a large amount of data is available on us, made readily available through a common identifier.
As usual, we are late to catch up. The efficiency advantages brought forward by a national ID system are too great to ignore.
This is not to say that we should brush aside concerns; rather, we should embrace them. In our rush to bridge the technology gap, we have put aside considerations of information privacy and data security. This is done in part because, as cyber lawyer JJ Disini says, threats to data security are often abstract. The dangers may even elude policy makers and opinion leaders. Such a tendency to brush aside security concerns directly caused the Aadhaar data breach, in which data in the Indian national ID system became exposed.
Among those who seek to dispel fears about the national ID system, an oft-heard refrain is: why do we have to worry about information privacy when we readily make the information on our birth certificates available? Or when we share so much of ourselves on social media? This line of questioning misses the point. Philippine law does not craft an exception for publicly available information. Unlike in other countries, even if there is a stack of paper out in the open with all our sensitive personal information exposed for all and sundry, that is no license for anyone to start perusing that data. An attitude like this, which sweeps concerns under the rug, does not keep data safe.
Countries with stringent data protection regimes also have national ID systems. Critics’ concerns are addressed, and fears are allayed. It is clear: their data protection authorities’ strict eye on these systems creates an environment where people gain enough trust in the system to use the national ID with confidence.
The authors of the proposed system understand as much. Under the bill, the PSA, together with the DICT, has the obligation to determine appropriate organizational, physical, and technical security measures. There is also an understanding that the threats to the data can come from within: strict requirements for the use of the national ID by any entity, including any government agency, ensure that the hawkish and intrusive among us find that their imagined use may not meet reality. Although the bill has no provisions regarding the metadata generated from the use of the national ID, that metadata is still regulated by the provisions of the Data Privacy Act. It will be up to the National Privacy Commission to ensure that fears of dataveillance do not come true.
As Redoble says, “Daig ng masinop ang praning” [the meticulous outdo the paranoid]. It is hoped that the National Privacy Commission will be vigilant over those holding the controls over our data, guarding not only against external threats but also against those from within. Otherwise, we might as well send the PSA Director and the Secretary of ICT straight to jail.