Comelec's Bautista: Punish the hackers, not the hacked
MANILA, Philippines – Commission on Elections (Comelec) Chairman Andres Bautista on Thursday, January 5, argued that it's the hackers who should be punished, not those who were hacked.
"The focus should be on arresting the perpetrators of hacking, and not on policy, those that are being hacked," Bautista said in a press conference.
He argued that the hacking or breaches of websites "is a global phenomenon," citing incidents during the recent election campaign in the United States.
"This data hacking that happened is most unfortunate. Hindi dapat nangyayari ito, pero kahit na sinong kumpanya o gobyerno ay puwedeng maging biktima ng data hacking," he said. (This should not be happening, but any company or government may be victim to data hacking.)
"To recommend the filing or the investigation by the Department of Justice for potential criminal liability...is too much," he said.
"Merong kanya-kanyang areas of responsibility, at ang isang head of agency has to rely on the experts... Hindi ba mali 'yung logic na 'yun? Kung lahat ng pagkakamali ay ibibigay sa head of agency, eh mauubos 'yan," Bautista said.
(Officers each have their own areas of responsibility, and a head of agency has to rely on the experts. Isn't that wrong logic? If all wrongdoings will be attributed to the head of agency, they will all be wiped out.)
"I think ang dapat pagtuunan ng pansin, ano 'yung mga remedial measures na puwedeng gawin para talagang pahirapan [ang hackers]," he continued.
(I think we should focus on remedial measures so that hackers would have a hard time.)
Bautista also pointed out that the hacking took place 6 weeks before the May 2016 elections. "Hindi naman sa binabale-wala ko 'yung data security. Kaya lang, at that point in time, marami kaming pinagtutuunan ng pansin."
(It's not that we are setting aside data security. But, at that point in time, we were paying attention to a lot of things.)
Bautista added, "I think I did what I had to do, together with the Comelec en banc, to oversee the operations of the IT department."
He also argued that at the time of the hacking incident, the Implementing Rules and Regulations (IRR) of Republic Act 10173 or the Data Privacy Act, which created the NPC, had not yet been in existence.
RA 10173 was passed in 2012, but its IRR was promulgated by the NPC only in August 2016. Bautista was appointed Comelec chairman in May 2015.
"When I arrived at the Comelec, there was no data protection officer yet because I was told NPC had not yet passed an IRR," he said, adding that the appointment of such officer is done by the Commission en banc, not just by the chairman.
Bautista was found liable for violating Sections 11, 20, 21, and 22 of the Data Privacy Act, while the Comelec as personal information controller was found to have violated the first 3 of those provisions.
During an earlier press conference, NPC Commissioner Raymund Liboro argued that the law also punishes those who fail to protect personal information.
The privacy body, meanwhile, cleared from criminal responsibility the other respondents, Comelec commissioners Christian Robert Lim and Al Parreño, Executive Director Jose Tolentino Jr, Spokesperson James Arthur Jimenez, and information technology officers Ferdinand de Leon, Jeannie Flororita, and Eden Bolo.
Nonetheless, Bautista said he will welcome an investigation into the matter. "Wala naman kaming tinatago. In fact, maganda rin, para malaman natin kung meron bang pagkukulang. But more than that, ano ang puwedeng gawin para hindi na mangyari ulit ito."
(We are not hiding anything. In fact, it's also good, so that we'll know if there are deficiencies. But more than that, let's find out what can be done so that this won't happen again.)
Bautista said that the Office of the Solicitor General, representing the Comelec, will file a motion for reconsideration with the NPC.
'Wrong appreciation of facts'
Reading his statement sent to reporters, Bautista said that with all due respect to NPC, its decision "was based on 'misappreciation of several facts, legal points, and material contexts.'"
He added that even before the hacking incident, the Comelec was "already following generally accepted standards and international best practices with regard to its technology-related services."
"In this regard, we are coordinating with the Department of Science and Technology. Also, bear in mind that the Comelec website [has been] in existence for several years, way before my time, and is operated by IT experts," Bautista said in his press conference.
He then argued that as the head of agency, "in areas where I did not have specific expertise, I generally trusted the advice and recommendations of our IT experts."
"If Comelec IT specialists directly in charge of operating the website were found not liable, what more those who merely oversee their work, and in particular, the head of agency?" he added.
Following this logic, he argued, "if there is a breach in the Supreme Court, will the Chief Justice be potentially liable?"
Nonetheless, Bautista said that the poll body will "continue to take strict measures to further improve our system in coordination with relevant government agencies."
He also said that it will follow the corrective measures stated in the NPC's decision. – Rappler.com