President Rodrigo Duterte has broached the idea of establishing a National Identification System (NIDS) that would help the government in its anti-crime and anti-terror campaign.
Proposed national ID system
Both the Senate of the Philippines and the House of Representatives heeded this call through the measures filed by Sen. Antonio Trillanes 4th and Rep. Feliciano Belmonte Jr.
As reported in the news, House Bill No. 12 seeks to “institutionalize the Filipino identification system to improve government services and limit red tape in government transactions.” On the other hand, Senate Bill No. 25 aims to establish a centralized database, where law enforcement agencies “would have easy access to information about suspects, fugitives and other lawless elements,” among others.
It was also reported that the Philippine Statistics Authority (PSA) is envisioned to implement the NIDS, maintain the centralized database and issue the “tamper-proof” cards to every Filipino. These cards would contain basic information about the cardholders, including some biometrics data.
There is no doubt that the issuance of a national ID to every citizen is “doable.” Is the collection of the individual’s private data safe? Well, read on.
Previous attempts to establish an NIDS
Then President Fidel V. Ramos, way back in 1996, issued Administrative Order (AO) No. 308, implementing a National Computerized Identification Reference System. However, the Supreme Court struck it down on July 23, 1998, in the notable case of Blas F. Ople versus Ruben D. Torres, et al.
Former Chief Justice Reynato S. Puno wrote the decision and even commended then Senator Ople for his effort to “prevent the shrinking of the right to privacy, which the revered Mr. Justice Brandeis considered as ‘the most comprehensive of rights and the right most valued by civilized men.’” In that petition, Sen. Ople prayed to invalidate Administrative Order No. 308 on “two important constitutional grounds, viz: one, it is a usurpation of the power of Congress to legislate, and two, it impermissibly intrudes our citizenry’s protected zone of privacy.” The Supreme Court granted the Petition and declared A.O. No. 308 null and void for being unconstitutional.
What are these Constitutional issues? First, the Supreme Court held that, “AO No. 308 involves a subject that is not appropriate to be covered by an administrative order.” Basically, Congress could have passed a law relative to the national ID system, instead of the President issuing an AO. Second, “because facially it violates the right to privacy.” Simply put, it breached the people’s zone of privacy, which is recognized and enshrined in several provisions of our Constitution.
On April 13, 2005, then President Gloria Macapagal-Arroyo issued Executive Order (EO) No. 420, requiring all government agencies and government-owned and -controlled corporations to streamline and harmonize their identification (ID) systems. Again, this was challenged by various groups and Petitions were filed before the Supreme Court. Likewise, the same two issues were raised: first, that it was a usurpation of legislative power by the President; and second, that it infringes on the citizens’ right to privacy.
This time the Supreme Court upheld the validity and constitutionality of EO 420. It held that, “Section 17, Article VII of the 1987 Constitution provides that the President shall have control of all executive departments, bureaus and offices. The same Section also mandates the President to ensure that the laws be faithfully executed. Certainly, under this constitutional power of control, the President can direct all government entities in the exercise of their functions under existing laws, to adopt a uniform ID data collection and ID format to achieve savings, efficiency, reliability, compatibility and convenience to the public.”
The High Court further ruled, “EO 420 does not establish a national ID card system. EO 420 does not compel all citizens to have an ID card. EO 420 applies only to government entities that under existing laws are already collecting data and issuing ID cards as part of their governmental functions. Every government entity that presently issues an ID card will still issue its own ID card under its own name.”
Collection of private data into one repository
A typical Information Technology (IT)-based infrastructure for the NIDS would entail a central computerized database system, remote online access points and telecommunications facilities.
All of the data that would be provided by the citizens – name, address, birth date, civil status, even biometrics data, etc. – would be stored in one huge repository, the central computerized database. This would be under the care of the PSA.
Various government agencies, for example the Department of Foreign Affairs (DFA), would then have their own remote access facility, normally a computer workstation. In the course of its daily operations the DFA would access the central computerized database online, query it to check the authenticity of a passport applicant, download the personal information of the applicant, and make some data updates if necessary (say, the passport number issued to the applicant). Over time, the central database would contain complete dossiers of each and every Filipino.
Considering that the government does not have its own national broadband network, remote access would most probably be effected over the existing commercial telecommunications facilities. This is where the danger lies. A commercial telecommunications facility is designed for public use. Couple this with inadequate network security on the part of the government agencies and you have a recipe for disaster.
Such vulnerabilities open up the possibility that “would-be hackers” might be interested in getting through the NIDS for their own personal gain.
It is still fresh in our memory that the Commission on Elections (Comelec) website was hacked prior to the 2016 National and Local Elections. On March 27, 2016, the website of the Comelec was defaced, purportedly by a group of hackers claiming to be members of Anonymous Philippines. Apparently, their hacking exposed the vulnerability of the entire electoral process, specifically the Automated Election System (AES). The hackers downloaded several databases containing private data of millions of registered voters. Although the Comelec belittled this event (later dubbed Comeleak) and downplayed its importance, the damage was done. Private data was exposed to the public – free for the public to download and use for whatever purpose.
On April 21, 2016, agents of the NBI arrested 23-year-old Paul Biteng, who allegedly readily owned up to the crime. He was charged with violating Sec. 4A-1 of the Cybercrime Prevention Act. Biteng claimed that he simply wanted the Comelec to ensure that security features of the AES would be implemented during the election.
To date, no Comelec official has been punished or penalized for that fiasco. At the very least, Comeleak is tantamount to criminal negligence on the part of the supposed guardians of our private data.
Having the specter of Comelec lurking behind, it is not far-fetched that there would be a PSALeak in the future.
Exposure of private data to the public
Will this centralized database of the NIDS be secured? Is there a risk that our private data will be exposed to the public? What are the technical and internal controls to prevent data leakage?
As I have mentioned in my other published articles, all information technology systems and computer devices can be compromised. No software application is perfectly written. Any software system would tend to have bugs, which could be exploited.
I said before that, “the reality is that the government does not have an established and effective security mechanism to protect its computer systems and communications networks from determined hackers.”
And I say it now – the proposed NIDS is doable, but, in the hands of an incapable and technically clueless implementing government agency (probably together with their insufficiently expert personnel), there is a great risk that the unsuspecting citizens’ private data would not only be exposed to the public, but be under the complete control of some unscrupulous individuals and politicians – putting our fundamental right to privacy at stake. The potential for misuse of our private data, collectively gathered through time, would always be there.
“The concept of limited government has always included the idea that governmental powers stop short of certain intrusions into the personal life of the citizen. This is, indeed, one of the basic distinctions between absolute and limited government. Ultimate and pervasive control of the individual, in all aspects of his life, is the hallmark of the absolute state. In contrast, a system of limited government safeguards a private sector, which belongs to the individual, firmly distinguishing it from the public sector, which the state can control. Protection of this private sector – in other words, protection of the dignity and integrity of the individual – has become increasingly important, as modern society has developed. All the forces of a technological age – industrialization, urbanization and organization – operate to narrow the area of privacy and facilitate intrusion into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.” (Morfe v. Mutuc, 22 SCRA 424, 444).