SIM card registration: a perfect storm

In 2018, I utilized this space to outline five essential points that argued strongly against the adoption of a SIM card registration system. I stand by those statements even as the country is now set to welcome an ill-conceived law on this subject.

All those reasons I gave back then are just as valid today. The only difference is that the system our legislators ended up designing is much worse than the kind those arguments were meant for. How they managed to pull this off is remarkable.

For starters, the coverage of the law is vague, especially when it relates to institutional SIM card end-users and social media account registration. Unlike most other statutes, it doesn’t define its scope. Take SIM card registration. The law explicitly says that an end-user can be a juridical entity. What it doesn’t say is how its sale and registration guidelines apply to such a user.

Things get murkier with social media account registration. The law doesn’t even say who needs to register. Will the criteria for SIM card registration also apply? That’s simply impossible unless a social media platform requires all of its users to register, or at least prove their real identity. But if they do that, they might violate the laws of other countries where such invasive data collection is not permitted.

The law also imposes an implementation period that is unrealistic and could disenfranchise vulnerable groups. Worse, it seems at odds with the law’s transition year. Counting from the time the law takes effect, SIM card owners only have a maximum period of 300 days to register. Telcos, though, have, at most, 420 days to comply with the law’s implementing rules. This means the registration period could expire even before telcos are ready to roll out their registration systems. People could end up with deactivated or retired SIM cards through no fault of their own.

SIM card owners and third-party resellers will also shoulder a considerable burden because of the registration scheme. Unlike today where one can buy SIM cards from the neighborhood sari-sari store, under the new regime, SIM card sale will likely be limited to fewer establishments, many of them located in urban or heavily populated areas. This is because the law requires an electronic registration system that not every individual or small business could be capable of maintaining.

Consequently, end users based in far flung areas will incur more expenses just to register. Those who lose their SIM card or who need to make changes to their registration information face an even greater challenge because updates or changes are processed only in telco facilities.

Meanwhile, for third-party resellers, having more personal data under their custody means they are duty-bound under applicable laws to adopt stronger security measures. One is rarely able to meet such obligation without expending additional resources.

These realities make the law’s declaration that registration “shall be implemented at no cost to the end users or the third-party resellers” a complete farce.

Now, let’s talk about the fact that the law is calling for another massive database that automatically becomes a major security risk. The nature of this repository is hazy. It’s not clear if there will only be one centralized database to which all telcos are expected to pool their collected information. If so, the law doesn’t say who owns it. Is it all the telcos? For purposes of data protection, will they be considered joint controllers? Who reports to the government in the event of a cyberattack? On the other hand, if the law contemplates multiple centralized databases (i.e., each telco has one), it defeats the entire concept of centralized storage. Either way, the risk of us having another massive data breach is real and ever-present.

It's amazing how, despite its very poor track record when it comes to securing databases, the Philippine government’s appetite for creating them remains unrestrained. If it has any qualms at all, it isn’t showing any.

Going back to social media account registration, it’s also worth pointing out that the law fails to provide details and standards that would allow for its proper implementation. Apart from scope, the other missing details include registration requirements and pertinent deadlines. The law simply says that all social media account providers must require real names and phone numbers from people who will create accounts in their platforms. It doesn’t say how the information will be verified. Are social media platforms also supposed to collect government-issued IDs?

As regards deadlines, the law is silent when it comes to social media accounts. How much time do social media platforms have to compel covered account owners to register? Will the latter also see their accounts deactivated or retired if they do not register?

Two other things make the social media component of the law highly irregular. First, the law appears to ignore existing technologies (e.g., TOR browser, VPN software, etc.) that make it easy to circumvent its registration scheme. Any suggestion that geolocation would determine who must register will be immediately shot down by the mere existence of such tools. An even more crucial point is that the absence of imposable penalties for social media companies that refuse or fail to enforce the registration requirements makes it more than likely that the registration system will fail. Why did our lawmakers go through all the trouble of creating a controversial scheme that is inherently impotent?

Lastly, from a human rights perspective, the implications of the law on privacy rights have to be highlighted. In particular, the policy features a peculiar ground government agents can invoke when compelling telcos and social media companies to disclose registration information: compliance with an “enforceable administrative request for information”. What is this creature? The law already speaks of court orders, legal processes, and subpoenas, so it cannot be referring to them. Will a government request made via a letter, a phone call, or even one made in person qualify as one? Also, what are the permitted use cases for the requested information? That, too, is nowhere to be found.

There are also plenty of potential abuse or misuse scenarios on the ground. After all, people will be providing their personal data—including sensitive ones—to entities that would ordinarily have no business asking for such information. During this pandemic, we’ve already seen how information given away via health declaration forms have been misused. That and yet the law is asking us now to expose ourselves to greater risks (since more sensitive information is involved) just because we want to use our mobile phones.

From these alone, it is evident that the law is bursting with flaws and questionable content. It is a showcase of shoddy policymaking. Naturally, it reflects poorly on our lawmakers who have had all the time in the world to study this system they want to establish. Let’s not forget that they have filed similar proposals for the better part of this decade—maybe even longer. How can they mess it up this bad?

But the blame is not entirely theirs. There is a lot of that to go around.

Telcos, for instance, have historically been opposed to this system. There was a time when they stood with civil society in describing this scheme as intrusive, ineffective, and a complete waste of resources. That fact is on record. In 2011, through the Philippine Chamber of Telecommunications Operators, they even submitted position papers opposing a similar proposal. Listening to them now welcome this development as if they’ve been behind it all along is unsettling, to say the least.

They are joined by regulators like the National Privacy Commission who also has its own version of an about-face. Early last year, the agency was still describing how such a system would result in “heightened risk of personal data breaches, unauthorized processing, intrusion into the privacy of people, and the restriction of other rights and freedoms”. Last December, however, the former Privacy Commissioner was singing a different tune. Utterly frustrating for a human rights advocate.

All these different factors and circumstances have led to a perfect storm. For the people who stand to suffer the most under this prospective broken system, they will now have to pin their hopes on the President. May he have enough wisdom to appreciate the serious problems posed by this law so that he can reject it. Should he also fail them, their last resort may have to involve the courts.

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.