'Record history' casts cloud of doubt
on proposed national ID system
Privacy experts warn that maintaining a record history in what could otherwise be a beneficial identification system
may pave the way for 'dataveillance'
BY JODESZ GAVILAN
'Record history' casts cloud of doubt on Philippine national ID system
AT A GLANCE
- The national ID system in the Philippines aims to improve the delivery of government services
- Data privacy experts warn that the inclusion of a record history, which will track each transaction made, may pave the way for mass surveillance
- Experts insist that maintaining a record history is completely unnecessary if the national ID system is indeed all about identify verification
- Proponents of the system and the National Privacy Commission say security measures are in place to keep personal information of Filipinos secure
MANILA, Philippines (UPDATED) – It has been more than two decades since the first time the Philippine government brought up the concept of a national ID system. Now the bill has been signed.
In the campaign for its approval, proponents highlighted how the Philippine Identification System (PhilSys) can help improve the delivery of government services. PhilSys, according to its proponents, will also help eliminate the redundancy of multiple IDs and addess the absence of government IDs.
In March 2018, Socioeconomic Secretary Ernesto Pernia said that this system "can open up opportunities especially for the poor and marginalized and will make public service delivery more efficient."
But while having a national ID system in the Philippines definitely has its benefits, privacy experts are wary about certain provisions in the bill that may go beyond acquiring the most basic personal information.
A part of the national ID system bill refers to a so-called “record history” which will include, among others, details of authentication requests which are made whenever a government-issued identification card is used in any transaction by a registered individual.
Aside from this, a record history will include a log of times of “disclosure, conveyance, dissemination, publication, and use of information” of 3rd parties and whenever relevant information is modified.
Privacy lawyer Jam Jacob, legal and policy adviser for technology and rights advocacy group Foundation for Media Alternatives (FMA), warned that maintaining a record history may pave the way for so-called "dataveillance".
“It can result in a centralized file that will give a detailed history of an individual’s activities over an extended period,” Jacob said. “That essentially makes it a comprehensive surveillance system.”
Dataveillance, he said, is similar to mass surveillance wherein there is no need to single out a person, or determine if he or she is engaged in criminal activity, because there would be a systematic collection of data about every person. (READ: What you need to know about state surveillance)
In short, surveillance may become the default.
‘Dangerous record history’
The most important feature of the PhilSys is a common reference number that is “randomly generated, unique, and permanent” and will be assigned to every citizen or resident alien” in the Philippines. Biometric information – photograph, fingerprints, and iris scan – will also be part of an individual’s file in the system’s database.
Information recorded may also include data related to the instances a person travels on a plane or ship, makes a physical purchase using a credit card, files a claim with any government agency, sends or receives money through remittance centers, and enrolls in any school, or works for any company, among others.
Quoting the Philippine Statistics Authority (PSA), Laguna 3rd District Representative and co-author of the bill Sol Aragones said that the purpose of a record history is to "track the transactions with PhilSys."
Commissioner Raymund Liboro of the National Privacy Commission (NPC) also highlighted how important it is for the system to have an audit trail or log and history of all that has changed in the record.
"This is for maintaining the integrity of the information contained therein and likewise for transparency to the registered person on how his registered information is being processed," he said.
Equating dataveillance with what the national ID system wants to achieve, Liboro said, "is too much of a stretch."
"Perhaps a way for those who oppose the national ID system to create fear and anxiety where it shouldn't be," he said.
Data privacy lawyer Cecilia Soria, however, sees no purpose in keeping a record of "disclosure, conveyance, dissemination, publication, and use of information by third parties."
Maintaining a record history simultaneously with the national ID system is worrisome, she said, as it seems akin to "actually trying to build a dossier of each person."
"The totality of an individual’s transactions tells you who the individual is," she said. "It’s not just the data, but the insights that you can glean about an individual’s beliefs, outlook, character from the record."
Anyone then can create a narrative based on such a wealth of information about an individual, according to Jacob.
“Being a narrative or a story, it can be shaped or formed in order to produce a profile that would suit the interests or objective of whomever is wielding that information – whether it's to make the subject look like a criminal, or at least engaged in suspicious activities,” Jacob said.
Securing the data
Amid the concerns about data breaches, Aragones gave assurances that the Philippine Statistics Authority (PSA) will keep the vital information secure.
"May mga safeguards na nagsasabi na masesecure ang data (There are safeguards that will ensure that the data is secure)," she said, adding that implementing rules and regulations (IRR), which will be released 30 days after the bill is signed by Duterte, will spell out more about how the agency will secure the data.
The bill, for example, explicitly states that there are only two ways by which the registered information can be accessed or used: if the registered individual agrees or if there is a court order issued in the interest of public health or safety.
When the need arises, however, the registered person will be notified of the disclosure within 72 hours.
The existence of the Data Privacy Act of 2012 also reinforces the state's "commitment" to having a legal recourse in the event of a violation of one's privacy.
"The bill puts emphasis on safeguarding the information against unauthorized access, use, disclosure, and against accidental or intentional loss, destruction, or damage, as well as strict limitation on authorized access," Liboro said.
In fact, NPC Circular 16-01 states that only a government agency shall "strictly regulate" access to personal data. The head of a certain agency is the only one who can issue a security clearance to any personnel who will access the database, while strictly adhering to his or her task.
The PSA, Liboro added, is expected to implement "reasonable and appropriate organizational, technical, and physical security measures to ensure that the information gathered for the PhilSys, including information stored in the PhilSys Registry, is duly protected."
Public perception, however, mostly falls on being cautious. The massive data breach involving the Commission on Elections, however, casts doubt on the ability of government to store and secure personal information. (READ: What have we learned a year since 'Comeleak'?)
"If people were angered by the Comeleak, wait until the PhilSys record history gets out," Soria said.
There is also the risk of "functionality creep", which means that the national ID system can be used beyond its intended purpose. For example, the government may use it for political repression and monitoring critics. (READ: State surveillance as a tool to silence dissent)
"While we should worry about hackers and other unauthorized persons gaining access to the PhilSys, we should also be concerned about how government will use the system," Soria said.
"Authorities who take pride in disrespecting human rights will probably find it tempting to exploit this mother lode of data for their own ends," she added.
Jacob, meanwhile, emphasized that giving any entity access to this information is dangerous especially in the context of what’s been happening in the Philippines now.
“What if you’re part of an unpopular administration and you’re trying to come up with a trumped up charge against a government critic or an activist?” he asked. “There are plenty of ways a person’s record history can be used against him or her, and he or she doesn’t necessarily have to be guilty of anything."
Liboro, however, said that the existence of several penal provisions in the PhilSys ensures that individuals or groups that will abuse the information will be held accountable.
"The above provisions and the strict implementation thereof may allay the fear of surveillance," he said.
"The NPC is ready to work with the other government agencies involved in the PhilSys to help address the privacy risks and will continue our mandate of recommending standards for data protection," he added.
Remove ‘record history’
The only thing that can limit the coverage of such recording of activities depends on the extent that government agencies and the private sector or businesses will patronize the system. But certain provisions mandate them to accept and recognize the PhilID as the “official government-issued identification document.”
The bill imposes a fine on persons or entities who “without just and sufficient cause, refuse to accept, acknowledge, and/or recognize the PhilID and PSN as the only official identification of the holder.”
For the national ID system to be at least less vulnerable to dataveillance, the government should completely remove portions of the bill that make any reference to “record history", Jacob said.
A provision that explicitly prohibits the permanent storage of transactional information should be included in the bill. Or at the very least, the government should provide a reasonable period after which the data must be deleted from the system.
Soria and Jacob both agreed that maintaining a record history is completely unnecessary if the national ID system is indeed all about identify verification. What should happen only is that the requesting entity should get a confirmation from the system that the person presenting the PSN or PhilID is legitimate.
"If the objective of the law is just to provide a valid proof of identity to simplify transactions, then the keeping of a detailed record history appears to go far beyond the boundaries set by this purpose," Soria said.
Liboro acknowledged that it is necessary to monitor the actual implementation of the record history.
"Factors such as adherence to proportionality, retention periods, and implementation of security measures such as pseudonymization, access controls, are material and should be duly considered," he said.
"Given the existence of these risks and the necessity of maintaining these records, there is a need to clearly define and set limitations in the implementing rules and regulations and actual operationalization of the PhilSys," Liboro added.
Really time for a national ID system?
Debate surrounding the extent of the government's power to track citizens and its capability to secure private information put a cloud of doubt over what could otherwise be a beneficial system.
Soria pointed out that the national ID system is not the only way to improve government services. The proponents should also look into their inefficiencies and go back to the basics.
"What exactly is the purpose of the PSN and the PhilID? Once the purpose is clear, then we will be able to determine what is the least amount of personal information necessary to achieve the objective," she said.
Liboro, meanwhile, said that believing that a national ID system is opposed to data privacy and security is a dated mindset.
"We can have a national ID system and we already have a robust law and policy structures in place to make sure that our privacy rights are upheld," he explained. "Our job in the NPC is to ensure that the law is followed if ever the govenrment decides to implement a national ID policy."
"The learnings from the challenges that other jurisdictions have encountered in implementing their national ID systems would help us better implement the PhilSys," Liboro added. – Rappler.com