I thought I didn’t need to care about what has come to be called the ComeLEAK, or the Commission on Elections (Comelec) data leak. After all, soon after Anonymous Philippines took the official Comelec site down on March 27, the agency itself downplayed the hack.
Comelec Spokesman James Jimenez said then: “For the most part, the databases are intact. But as I said, as standard with every intrusion, we are taking the time to really make sure na natanggal natin lahat ng [malware]code na pinasok dyan. You think you’ve gotten rid of the problem and you will realize that there is a backdoor that makes it easier for the next time around to do the same sort of things. That’s why we are taking this step by step.” (Interaksyon.com, 28 March)
The automated election system, Jimenez said, remained protected despite the hack: “The Comelec website has been available to the public, so if there are people who want to hack it, they have the opportunities to study its security features. We do not give high level of security in the website, even the precinct finder function, we have backup, so it is protected.” (Philstar.com, 29 March)
Jimenez also said that they “could protect voters on May 9, despite the hack.” According to him, “the information in their website does not contain any sensitive information that will affect the votes of the voters <…> the security for its website ‘is not as tight’ compared to the voting process that it really needed to secure ‘come hell or high water.’” (Manila Standard, 29 March)
Hell and high water
Well, we’ve been in hell, and now we’re drowning in the high waters.
It didn’t help that Comelec was in denial – still is! – about this data hack, downplaying it because what will be used for the elections is a different website altogether.
Yet the world was calling this the largest-ever government data breach. Yet, two weeks after, on April 14, James Temperton, acting deputy editor of Wired UK, said, “The Philippines election hack is ‘freaking huge’ ” (Wired.co.uk).
Via Temperton: “Earlier this month security researchers uncovered what appears to be the largest ever government data breach, affecting 55 million voters in the Philippines. The data, which has been widely distributed on both the dark and clear web, comprises of 228,605 email addresses; 1.3 million passport numbers and expiry dates of overseas Filipino voters; and 15.8 million fingerprint records.”
Security expert Troy Hunt said to Wired: “Other data <other than fingerprints> contained within the breach, which security researchers believe to be authentic, includes physical address, place of birth, height, weight, gender, marital status and parents’ names. All of this information was unencrypted. Some data, such as first and last names and dates of birth, was encrypted. ‘Once you start combining these attributes, your ability to impersonate someone is greatly enhanced.’ ”
For Hunt, and Temperton, this was a security hack far bigger than Comelec and government was letting on. And this next bit might explain why. For Hunt, the leak of the unencrypted passport information of the OFWs was reason for concern: “With it being leaked, we might be looking at the revocation of these passports.”
Who has our data?
Apparently anyone at all who knows to navigate both the dark and clear web.
But probably because government and the Comelec were in denial about the magnitude of this hack, and probably because it thought that the database was not going to be accessed by us low-tech Pinoys with slow internet anyway – and therefore we would be unable to prove what is “out there” – this pushed hackers to build the website WeHaveYourData.com.
That is, for a stretch of time on April 21, and until 10 a.m. on April 22, this site put up the database on a user-friendly site, whereby inputting your name you could find the data that you thought was being held in the most secure hands of government. People who didn’t register for biometrics had their addresses on there. People who registered for biometrics in the past year had about as much data as they put when they registered, including fingerprints. If you’re an OFW and you registered too, then your passport, with all its information, plus your email address, would be on there, too.
We received a hasty lazy apology from a Comelec official: “I apologize for this continuing attack on your privacy and assure the public that the Comelec is doing everything we can to resolve this matter at the soonest possible time.” (Manila Bulletin, 21 April)
And yet the resolution was merely to take down the site. There has been no press conference to even apologize for the data breach. No admission even of the dangers that this government has put us all in, given all our information now ready for the taking. No damage control, no requiring banks to have extra safeguards, no requiring government offices to look at ways in which this data could be used against us all.
On April 21 lawyer Marlon Anthony Tonson on Twitter posted a screenshot showing Malacañang itself was seeding the database. That is, it downloaded the database, and then the Palace itself started making it accessible to anyone else who wanted to download it, too. (Manila Standard, 23 April)
And then all we’ve gotten from Malacañang is radio silence.
Once again with feelings: Nasaan ang Pangulo?
What could have been done?
Plenty. And certainly none of it includes falling silent in the face of hackers, or saying things like: O sige, magaling na kayo, tama na ‘yan! – a paraphrase of what Comelec Commissioner Rowena Guanzon said on April 21. (GMANetwork.com, 21 April)
From a friend who worked for government in a past life: “We passed the Data Privacy Law in 2012. The Privacy Commissioner was appointed last March. There is no IRR yet. In the four years in between, we’ve suffered without this law: from the stupid credit card calls we get, the unwanted texts from NTC, the lack of opt-outs for various spam and other stupid promos. With the Comelec data leak, we should demand that the newly appointed Privacy Commissioner (Raymond Liboro, formerly of DOST) make this a priority. There are penal provisions for the keepers of sensitive personal info that do not exert the best effort to safeguard these data. I hope someone goes to jail for this. Otherwise, well, we get the usual treatment of being fucked over and over and over again.”
And then from my tech guy: “Is there a way to keep that data safe? No. There ARE a fucking MULTITUDE of ways to keep it safe. Of varying degrees of tediousness and – with equivalent levels of security.
“Can something like that ever be totally secured? Probably not. I’ve seen too many Hollywood heist movies. But if it’s valuable enough, it can be secured so that it would take the resources of a country and a legion of hackers to get to it. And it should take so much time that the information would be useless by the time they get it. That’s totally possible.”