And so it has come to pass that the country will have its own national ID system, with President Duterte signing the Philippine Identification System Act into law on August 6 this year. Thereafter, the Philippine Statistics Authority (PSA), together with the PhilSys Policy and Coordination Council, hunkered down to draft the law’s Implementing Rules and Regulations.
The ID system will be the first of its kind in the country. In terms of scope, no other government-issued ID comes close. Its potential for good is high, but then the risks are even higher if it’s not done properly.
Given this, one would think the PSA and the other government agencies involved would give the matter serious thought and take their time when crafting the Rules for its implementation. They only need to look at India’s Aadhar—the system the PhilSys is patterned after—to see what happens when an ID program is done with little foresight and preparation: 130 million compromised IDs and counting!
But one would be wrong to think that. The government doesn’t seem interested in a guarded approach and appears hell-bent to go for the exact opposite, with its devil-may-care attitude.
The PSA is so determined to get the show on the road that it initially allotted a mere two days (September 24-25) for the public to read and comment on the draft Rules before approving them another two days later. This is in stark contrast to the thirteen-day period it provided for the PhilSys logo-making contest!
Fortunately, there was some public outcry. Organizations and concerned citizens quickly came up with a petition to ask the agency to extend the period for consultations to give everyone more time to scrutinize the Rules and appreciate the critical issues that plague it.
When September 27 came, there was no news about the Rules being approved. Instead, the PSA announced the following day that another public forum was set for October 2.
To a casual observer, this development would be a major victory for civil society and the public at large. The government has just been compelled to give way to more citizen engagement regarding a critical piece of legislation. And perhaps in a matter of speaking, it is.
However, one should not be fooled and lulled into complacency. As of this writing, it’s become apparent that the abrupt change in schedule does not go beyond the superficial. It turns out the PSA is allotting just three hours for this additional public “consultation” and then plans to approve the Rules three days later.
The PSA calls it a public forum. It’s probably more apt to call it a token public forum.
Three hours is barely enough to resolve a handful of tricky issues about the PhilSys, let alone the numerous questions about it that remain unanswered given the existing language of the Rules. The PSA should know this because, during its first public forum on September 24, it spent roughly the same amount of time just wrangling with the mandatory nature of the system. That event ended two hours later because, as some observers noted, “things were not going anywhere”.
But don’t take my word for it. Here are just a few of the crucial issues that need to be resolved regarding the Rules:
- Mandatory issuance of the PhilID. The Rules contain contradictory provisions as regards the mandatory nature of the issuance of the PhilID.
- Use of other identity documents. It is not clear if people will be allowed to present other identity documents when transacting with government or the private sector. They should. Government agencies and private entities should be prohibited from making the PhilID the only acceptable proof of a person’s identity. In other countries, people have actually died because they could not produce their national ID.
- Handling biometric exceptions. The Rules remain unclear how people who are unable to have their biometric information collected will be allowed to get an ID. This problem has led to discrimination, starvation, and even death in other countries.
- Introducer-based registration. Supposedly intended to benefit people who have traditionally been unable to get IDs, this system is very much prone to corruption and fraud. The Rules doesn’t say how this problem will be avoided, or at least minimized.
- Issues with function creep or seeding. In India, their constitutional court just prohibited the private sector from using the national ID for other purposes because of the many issues this has given rise to. The PhilSys, on the other hand, is encouraging this exact same thing. Something has to be done about this.
- “Shadow databases”. The Rules allow for “offline authentication”, which essentially means those able to conduct it must have a copy of the PhilSys database in their possession. This is a very dangerous proposition that exposes the system to more and greater risks.
- Deactivation of the ID number or the cancellation of the ID. The Rules talks about grounds for deactivating a person’s PSN or cancelling his or her PhilID, most of which do not make sense. It’s impossible to explain why a person’s ID number, which only means to prove his or her identity, should be deactivated simply because that person died or misused his or her ID.
- Handling of authentication failures. As more government agencies and private sector companies rely on the national ID for identity verification, authentication failures could also lead to worse consequences for every affected individual. How they will be avoided is not taken up in the Rules.
- Application in purely digital transactions. Considering the government is promoting the use of PhilSys for all dealings with government agencies and private companies, the Rules are surprisingly silent regarding its application in purely digital transactions.
These constitute a mere fraction of the questions that the government should be able to answer adequately before it goes all in with the implementation of the PhilSys. Try solving them in three hours.
Suffice to say, a responsible and risk-based approach is necessary for such a data-intensive system. The country’s data protection law—the Data Privacy Act of 2012—demands nothing less. But forget that. Even common sense is enough to make that obvious.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.