Data Privacy and the 2018 Philippine Identification System Act

By David Holmes

The 2018 Philippine Identification System Act, signed into law on August 6, 2018, creates a new national identification system, PhilSys for short, that assigns an identification number to each citizen. The act provides the legislative backing that the previous national ID system, the Unified Multi-Purpose ID (UMID), lacked.

Is PhilSys a good idea for the Filipino people? Yes, absolutely. Several surveys (and my personal inquiries) suggest that most Filipinos agree. Why? Because the majority of modern nations that have a national ID system find it is difficult to provide efficient government services without one. On the other hand, one of the biggest challenges faced by nations that use national ID systems is the struggle to protect personal privacy.

The people of the United States, where I live, have always been distrustful of government and have pushed back against a truly national ID system. As a result, many US government services are unnecessarily inefficient. The one US national identification number, the social security number (SSN), is used for some services (such as taxes) but not others. A driver’s license is often used as proof of identification, and a US passport is considered proof of citizenship, but neither is required for every citizen or considered a national ID system. None relate to national voting records, and there is no national set of fingerprints tied to any of these, which makes identity theft possible.

Section 8 of the 2018 Philippine Identification System Act specifies that PhilSys records personal information about each resident in two categories: demographic data (who the person is) and biometric data (how to authenticate the person).

Demographic data includes name, sex, birth date and place, blood type, address, residency and marital status, and—this is important—optional contact information such as mobile number and email address.

The biometric data includes a photograph, an iris scan, and a full set of fingerprints. Section 8(b)(4) allows further biometric data to be defined and collected if necessary.

The Details of Data Privacy and PhilSys

While there are many good reasons to have a national ID system, there are three main security threats. As I see it, the solution to all three is for the PhilSys administrators to properly segregate that national ID data.

Threat 1: Government employees could abuse PhilSys. Government workers are not all angels and can suffer from human foibles like jealousy, obsession, and retribution. For example, a government employee could get the mobile number of any citizen he or she might be interested in. This recently happened to a friend of mine, and that employee started sending unwanted text messages to my friend. This is a legitimate and common enough occurrence (in all nations) that access to the optional contact information (address, phone number) in the national database should be limited to need-to-know government employees.

Citizens who have additional privacy concerns (celebrities, the wealthy, individuals involved in domestic disputes, those who have been stalked, or those who have restraining orders) may not want to provide that optional contact information, even if it means that the efficiency of their personal services may be impacted.

Threat 2: Identity theft happens when a malicious person convinces the government that “they” are really someone else. For two decades in the United States, identity theft was a very, very lucrative, illegal business. A malicious actor would request a copy of a target’s birth certificate through US mail, and then use it to get a driver’s license, the de facto national ID card in the US. The driver’s license would have the malicious actor’s photo, and with that they could open bank accounts, credit card accounts, and even, in some cases, assume the property of their victim by changing the target’s address to their own.

My advice to the implementers of PhilSys would be to make it very difficult (if not impossible) to change the primary biometric identifiers. The fingerprint and iris data should be able to prevent identity theft as long as they are never allowed to be changed.

The optional contact data is of concern, as well. Over their lifetimes, people have multiple email addresses, phone numbers, and even physical addresses. This means that the system will have to accommodate frequent changes to that data, and this is where identity theft actors can creep in. Biometric authentication must be provided whenever the optional contact data is changed.
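The segregation and change controls recommended under Threats 1 and 2 can be sketched as a small record model. This is an added example, not code from the article or from the PhilSys project; the role names (`service_clerk`, `contact_officer`), the `biometric_verified` flag and the audit list are assumptions chosen to illustrate need-to-know reads, write-once biometrics and biometric re-authentication before contact changes.

```python
"""Toy model of the data segregation and change controls this article recommends for
PhilSys records. Added example, not from the article or PhilSys; roles are assumed."""
from dataclasses import dataclass, field

# Section 8 data categories, grouped as the article groups them.
DEMOGRAPHIC = {"name", "sex", "birth_date", "birth_place", "blood_type",
               "address", "residency_status", "marital_status"}
OPTIONAL_CONTACT = {"mobile_number", "email"}
BIOMETRIC = {"photo", "iris", "fingerprints"}

# Threat 1: need-to-know. Only one (assumed) role may read optional contact data.
ROLE_CAN_READ = {
    "service_clerk": DEMOGRAPHIC - {"address"},
    "contact_officer": DEMOGRAPHIC | OPTIONAL_CONTACT,
}

class PolicyError(Exception):
    """Raised when an operation violates the segregation policy."""

@dataclass
class PhilSysRecord:
    psn: str                                   # PhilSys number (constructed in demos)
    demographic: dict
    contact: dict = field(default_factory=dict)
    biometric: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # every read of contact data is logged

    def read(self, role: str, fields: list) -> dict:
        denied = set(fields) - ROLE_CAN_READ.get(role, set())
        if denied:
            raise PolicyError(f"{role} may not read {sorted(denied)}")
        if OPTIONAL_CONTACT & set(fields):
            self.audit.append(("contact_read", role, sorted(fields)))
        data = {**self.demographic, **self.contact}
        return {f: data.get(f) for f in fields}

    def enrol_biometric(self, templates: dict) -> None:
        # Threat 2: primary identifiers are written once at enrolment, never replaced.
        if self.biometric or set(templates) != BIOMETRIC:
            raise PolicyError("biometrics are set once, with exactly the Section 8 fields")
        self.biometric = dict(templates)

    def update_contact(self, changes: dict, biometric_verified: bool) -> None:
        # Threat 2: contact data changes often, so each change needs fresh biometric auth.
        if not biometric_verified:
            raise PolicyError("contact changes require biometric verification")
        if set(changes) - OPTIONAL_CONTACT:
            raise PolicyError("only optional contact fields may be changed here")
        self.contact.update(changes)
```

The audit list gives the detection hook for Threat 1: a clerk role that never needs contact data cannot read it at all, and every read by a role that can is recorded against that role.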

Threat 3: A massive data breach will happen, so it is important to plan for it. We live in an “assume breach” world. Hackers will eventually get access to and perhaps disclose the entire PhilSys database. This has already happened with the Philippine COMELEC voting records, which included fingerprint data. Obviously, such a breach would be serious, but the impact could be lessened if it were properly planned for. Password resets for online banking sites often ask questions like “what was your place of birth?” Given how much of this type of information is freely available on social networks already, these types of challenge questions are quickly becoming useless for proof of identity and, in particular, would be useless in PhilSys if both the email address and place of birth of every Filipino become public in a breach.

This third threat, the massive breach, is the one most likely to impact the largest number of Filipinos.

My recommendation for the average citizen concerned about data privacy would be to not include both their email and mobile number in the optional contact data for PhilSys. Or if they feel they must provide both, provide an alternate email address—one that is not also used for, say, online banking.

In general, PhilSys will be good for the national interests of the Filipino people. PhilSys will increase government efficiency, reduce tax avoidance, and help identify illegal residents. But it will be crucial to get the implementation details right to maintain the balance of data privacy.