Is Comelec liable for website data leak?
MANILA, Philippines – The recent hacking of the Commission on Elections (Comelec) website has led to a data leak of millions of voter registration records in what can be considered the biggest leak of personal data in Philippine history.
The hackers have clearly violated cybersecurity and election laws and the Cybercrime Division of the National Bureau of Investigation (NBI) is already investigating the incident.
A data privacy lawyer believes that concerned Comelec officials are also liable for failing to secure the data from hackers. However, a lawyer who used to work at the poll body said the nature of the leaked data should be determined first before ascertaining liability.
Lawyer Marlon Anthony Tonson of the Philippine Internet Freedom Alliance (PIFA) told Rappler that the poll body, "as the data controller of the personal information of registered voters, is liable under Republic Act 10173, Section 26, on Accessing Personal Information Due to Negligence." RA 10173 is also known as the Data Privacy Act.
Tonson said the Comelec's negligence lies in its "failure to 'implement reasonable and appropriate measures to protect personal information against...unlawful access' under RA 10173, Section 20."
Tonson has been practicing cyberlaw and data privacy law since 2012, the same year he became a founding member of PIFA. In October that year, he was among the petitioners in the 15th and last petition filed before the Supreme Court against the implementation of RA 10175 or the Cybercrime Prevention Act.
He was also tapped by a non-governmental organization to assist in drafting the implementing rules and regulations (IRR) of the Data Privacy Act in 2012. He had also practiced media law, and served as an election lawyer in Sulu in 2007 and 2010.
As to who should be made liable in the Comelec, Tonson said it would be the individual(s) "who are accountable for the organization's compliance with the Data Privacy Act." He added, "Technically, it should be whoever was in charge of making the database accessible online. If that decision on accessibility required a Comelec resolution, then it could go as far up as the Commission en banc."
A criminal case may also be filed against the said poll officials, invoking Section 6 of the Cybercrime Prevention Act, in relation to the Data Privacy Act.
These cases could be filed by civil society groups if they opt to do so, said Tonson.
Rappler's examination of the files accessed by the hackers and shared online revealed that it was not only publicly-available information and data relevant to the Comelec website's functionality that was in the leaked files, but also the registration data of over 55 million voters. (READ: Experts fear identity theft, scams due to Comelec leak)
Writ of habeas data
Another remedy, said Tonson, is a writ of habeas data to protect voters' personal data, a recourse that can be had through the courts "even without the National Privacy Commission (NPC) being fully operational."
But this option, he explained, is still being studied. "As far as I know, the writ of habeas data has yet to be issued in favor of a group or entire class of persons. All of the habeas data cases that I know of have been filed by individuals, not groups."
The NPC was created through the Data Privacy Act in 2012. But its chairman and commissioners were appointed by President Benigno Aquino III only a few weeks ago, said Tonson. "In fact, they have yet to promulgate their own IRR."
As this is a cybersecurity issue, the hacking incident can also be handled by the Cybersecurity Inter-Agency Committee (CIAC) under the Office of the President. Aquino created the CIAC in 2015 through Executive Order 189.
The CIAC "will instruct the [Cybercrime Investigation and Coordinating Center or CICC] to investigate the cybercrime, as well as the Comelec's Computer Emergency Response Team (CERT) – if it has already been created – to coordinate with the authorities in order to patch the breach and secure the data and systems of the Comelec from future hacking," said Tonson.
Basic or sensitive information?
Election lawyer Emil Marañon III, who worked as chief of staff of former Comelec chair Sixto Brillantes, has a different take on the issue of the poll body's liability.
Marañon told Rappler that the nature of the stolen data should be resolved first before determining what kind of harm the leak caused.
He explained that there are two categories of voters’ information. The first one is basic information, like a voter’s name, precinct number, and barangay. As a rule, Marañon said, these are accessible to the public. “They are akin to public documents, and for transparency, they are made accessible to the public by the Comelec.”
He added that these are the same information posted outside voting precincts, and can be requested from the Comelec for a minimal fee, “but most requests would usually come from politicians, political parties, election watchdogs and observers.”
However, it’s the second type – sensitive information like photos, signatures, and fingerprints, collectively known as biometrics data – that is kept confidential as a matter of policy, said Marañon.
These “may only be accessed by virtue of a subpoena or order coming from a court or the Ombudsman,” he said. Law enforcement and government agencies may also access this, but only under certain conditions, he continued.
If the leak contained only basic information, Marañon said that there is “not much of a problem” in terms of liability. But it will be a different matter, he argued, if it included sensitive information like biometrics.
In that case, Marañon said that “it boils down to the issue of criminal negligence, basically inquiring if the leak happened because of nonfeasance, misfeasance, or malfeasance on the part of Comelec’s officials or employees involved.”
In such a case, he said, liability can arise from any penal, anti-graft or anti-crime legislation, "but certainly outside of the penal provision of the Omnibus Election Code, which surely could not have included the concepts of automated voters’ list, digital theft or even computers.”
Based on Rappler's own investigation, there seemed to be no indication that images containing voters’ photographs, signatures, and fingerprints were included in any of the files the hackers uploaded on their website.
Image files like these generally require significantly more space than plain text. A one-megapixel compressed image file for each of the 3 biometric data types for all 55 million voters would take up around 330 TB of space, around 1,000 times more than the total size of the leaked databases. This would be equal to over 94 million songs in MP3 format or 82,500 movies in DVD format.
Internet security software company Trend Micro, in its own probe, claimed however that it "found a whopping 15.8 million records of fingerprints," but in digitized or coded format. (READ: Comelec data leak puts Filipino voters 'at risk' – Trend Micro)
Nonetheless, Marañon said that determining negligence in this issue "would be a challenge.”
“Can negligence be automatically imputed, just because someone better than you was able to crack your code? Or would proving that security measures have been implemented using acceptable industry standards be enough to disprove it?” he asked.
As for the hackers themselves, Tonson said they are liable under the same set of laws.
"The hackers violated RA 10175 (Cybercrime Prevention Act), Section 4(a), regarding offenses against the confidentiality, integrity and availability of computer data and systems. In particular, section 4(a)(1) on Illegal Access of a Computer System, 4(a)(3) on Data Interference, and section 4(a)(4) on System Interference," said Tonson.
He added that the hackers, belonging to the LulzSec Pilipinas group, "are also liable under RA 10173 (Data Privacy Act), Section 29, for Unauthorized Access or Intentional Breach."
"Since they hacked into the database of registered voters, this is considered a large-scale breach under RA 10173, Section 35, calling for maximum penalties under the law," Tonson explained.
Likewise, the hackers – if identified – could be sued for committing election offenses under Sections 45(e) and (f) of Republic Act 8189 or the Voter's Registration Act.
Those found guilty of committing the violations will face 6 to 12 years of imprisonment, as provided for by RA 10175 – which sets cybercrime penalties one degree higher than those in the other two laws – and a fine ranging from P500,000 to P2 million, as set in RA 10173, said Tonson.
NBI probe ongoing
Sought for comment, Comelec spokesperson James Jimenez said that the intrusion had already been reported to the NBI. "At this point, it is best to await the findings of that investigation, on all aspects of this case," he said.
For its part, the NBI said that its probe into the website's defacement and hacking is ongoing.
"There has already been a formal coordination between the Comelec and the NBI. We have teamed up with them to determine what really happened. Hanggang doon lang muna (I will leave it at that)," said Vic Lorenzo, executive officer of the NBI Cybercrime Division.
"There are developments in this case, but as of this time, I could not discuss them because it would preempt the investigation," he said.
Asked about the personal information that Rappler's examination of the files found, Lorenzo responded that they are still validating the files. "As investigators, we don't assume." There are many factors to consider first, he added. "Is it the whole database or is it just a snapshot? Is it genuine or not?"
As for the Comelec's liability following the website intrusion, Lorenzo said, "There should be criminal intent before anyone could be held criminally, administratively, or civilly liable. Kaya lang, ang titingnan mo diyan (But when you look at it), the Comelec is the victim. It's not as if it just uploaded the databases, right? People outside Comelec did [the hacking]."
Lorenzo added that holding the Comelec immediately liable for failing to protect voters' data is "too absolute". He explained that "even in other countries, even in first-world countries, hacking incidents are happening. There's no such thing as an impenetrable barrier or firewall. There will always be a way to go around the firewalls."
"Parang unfair naman yata sa (That thinking seems to be unfair to the) system administrator," he continued.
Lorenzo could not give a timeline yet as to when their investigation would end, but he said, "definitely, this should be resolved before the elections, to eliminate doubts, assumptions, rumors and fears."
The Comelec has vowed it can protect the votes on election day despite the hacking incident. – with Wayne Manuel/Rappler.com