A little over two years ago, in the run-up to the 2016 national elections, a massive data breach earned the Philippines an unenviable place in the global spotlight. The headlines then said it all: Personal data of 55 million Filipino voters exposed! 55M people at risk! PH suffers biggest breach involving government-held data!
All those headlines, provocative and incendiary, were enough to work everyone into a frenzy: privacy practitioners, IT specialists, law enforcement agents, politicians, and just about everyone with a social media account. They all had something to say. There was no shortage of self-proclaimed experts willing to speak their minds before anyone and everyone with the time to spare. They talked, they opined, they surmised, over and over again, until public attention — one of the more fleeting things in life — was no more. People appeared to no longer care. They seemed to have moved on.
This May, Filipinos will be heading to the polls again. This time, to vote for their barangay and Sangguniang Kabataan officials. It’s an ideal time to recall that fateful incident, not only to remind ourselves that that story is far from over, but also to emphasize anew the importance of data protection. After all, before this current Facebook controversy that’s in everyone’s crosshairs, Comeleak was (to Filipinos, at least) the first real opportunity to confront the notion that the use (and misuse) of personal data can negatively impact democracy, or at least one of its fundamental pillars. It would be a pity to put that to waste.
For those with failing memory, here are some important things to remember about that case, by the numbers:
- 0 — number of years the Department of Information and Communications Technology (DICT) had been in existence at the time of the data breach. As parent agency of the National Privacy Commission (NPC), it was only established in June that year.
- <1 — number of months the NPC had been in existence at the time of the data breach. It investigated the case and came up with a decision later that year. The first two members of the Commission took their oath of office on 7 March 2016.
- 2 — number of hacking groups reportedly involved in the incident (Anonymous Philippines and LulzSec Pilipinas). Incidentally, it’s the same number of individuals arrested in relation to the hack.
- 3 — number of mirror links put up by LulzSec Pilipinas when they posted online the data they supposedly stole from the Commission on Elections (Comelec).
- 4-5 — number of days it supposedly took to perpetrate the data breach.
- 5 — number of Comelec databases affected by the breach.
- 20 and 23 — ages of Paul Biteng and Jonel de Asis, respectively, when they were arrested on the charge that they were among those responsible for the breach. It is worth noting, though, that some articles claim that Biteng was also 23 at the time of his arrest.
- 28 — date in March 2016 when the National Bureau of Investigation was officially informed by the Comelec that their website was the subject of a defacement attack. There was no mention of the data breach yet.
- 340 — size of the data (in gigabytes) supposedly exfiltrated by LulzSec Pilipinas from Comelec’s databases.
- 2012 — year of enactment of the two laws (Data Privacy Act and Cybercrime Prevention Act) most often cited in relation to the breach.
- 77,736,795 — total number of records affected by the breach. This made it the biggest data breach involving government-held data the world had seen, at that time. The previous record was held by the U.S. Office of Personnel Management, which affected 20 million citizens. Comeleak has since been eclipsed by data breaches subsequently experienced by Mexico and the U.S. (again).
- 90,000,000+ — number of Mexican voters whose personal data were exposed by a data breach that occurred just a couple of weeks after Comeleak.
- 198,000,000+ — number of U.S. voters affected by a 2017 data breach involving the database owned by conservative data firm, Deep Root Analytics.
It’s now well into the second quarter of 2018. Public outcry about Comeleak has died down, and so have the initial outbursts demanding full accountability on the part of Comelec, and the government in general. Former Chairman, Andres Bautista, is no longer with the Commission and is not even in the Philippines. He has not returned from abroad because of a supposed illness. What important lessons did that entire episode leave behind? Here are some humble suggestions:
- Filipinos need to take data privacy seriously. It took a disastrous data breach on the part of the government to put a 3-year-old law on the map. The attention it generated should be sustained—enough to convince people and organizations to adopt and embed data privacy measures in their respective sectors and industries.
- There has to be a competent and independent NPC. The breach was an extraordinary test for a new agency lacking in resources. A couple of years have passed and now it has to be asked: Is the NPC now better equipped to handle a similar case? Has its competence in this new and specialized field of data protection improved significantly? Is its capacity mature enough to handle the more substantial and more formidable aspects of its mandate? How about its ability to set itself apart from the rest of government, including the DICT, its parent agency? NPC’s credibility as a regulator depends on its competence and independence—just like its foreign peers.
- Congress and NPC need to legislate additional data protection policies. Critics and proponents of the DPA both acknowledge that it has numerous policy gaps. Congress and the NPC need to address them. Their wisdom and expertise are important guide posts for the rest of the country.
- The government should also improve its capacity in other areas such as cybersecurity and cybercrime investigations. Data privacy is an inter-disciplinary matter. This means its effectiveness is also contingent on these other areas going through similar improvements.
- Everyone must exercise caution when dealing with data-intensive systems. The work of public authorities everywhere involves the processing of sizable amounts of personal data. It’s no different with the private sector. If there’s anything that Comeleak has shown, it’s that a responsible approach to technological advancements is imperative. Integrating them into existing data processing systems requires foresight and careful planning. With the Philippine government still keen on establishing data-hungry systems like a mandatory SIM card registration regime and a national ID system, sticking to its dated approach to information systems can only spell disaster for everyone. The NPC should fully assert its mandate here, as primary enforcer of the DPA.
- Civil society must continue promoting privacy and data protection measures in both government and the private sector. Civil society and the public at large will continue to play a major role in the country’s data privacy story. They need to call out those entities who refuse to heed the clamor for better handling and security of personal data, while giving due credit to those who do. Collaborations must always be explored, too, for it is only by having all parties work together that an effective and lasting data protection regime can be ensured.
For a more extensive account of what transpired, you may check out the briefing paper prepared by the Foundation for Media Alternatives (FMA), a non-profit civil society organization working to promote human rights in the context of ICTs.
Jamael Jacob is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.