NGO revisits Comelec breach of 2016, proposes action points

Two years after the country’s biggest government data breach hit global headlines, non-government organization Foundation for Media Alternatives (FMA) has released a briefing paper that proposes some major takeaways and action points — both on the part of government and the private sector.

Then Comelec chair Andres Bautista held a press briefing to defend himself and the agency on the so-called “Comeleak” breach

The NGO recalled that when news of the so-called “Comeleak” first broke, the ensuing public panic was exacerbated by wildly conflicting accounts from the Commission on Elections (Comelec), the hacker groups claiming responsibility for the incident (i.e., Anonymous Philippines and LulzSec Pilipinas), and law enforcement authorities.

“It would take a months-long investigation carried out by the then newly-minted National Privacy Commission (NPC) before some degree of clarity was achieved, through the agency’s December 2016 decision, and the brief preliminary report it issued a few months prior,” the NGO said.

The NPC found the Comelec and its then chairman, Andres Bautista, both liable for violating a number of provisions of the country’s Data Privacy Act (DPA). It went so far as to recommend to the Department of Justice the filing of criminal charges against Bautista, while making no other findings of liability on the part of the other respondents initially named in the case.

With the case now pending before the appellate court, FMA said the world has since borne witness to a number of other election- or voter-related data crises. Mexico and the US, for instance, suffered even bigger information leaks just weeks after the incident, it noted.

“Then just this past month, this Facebook-Cambridge Analytica controversy has highlighted anew the extent by which misuse of data — even as innocuous as that shared via online quizzes — can threaten the very foundations of a democratic society,” it said.

In its paper, FMA suggested to the various stakeholders some steps it deems necessary to prevent similar privacy breaches in the future, namely:

• All Filipinos need to take data privacy seriously.

• The NPC must be competent (from the commission proper down to its operations staff), well-resourced, and independent.

• Additional data protection policies must be developed to help government agencies and the private sector comply with the DPA.

• State capacity in other areas (e.g., cybersecurity, cybercrime investigations, etc.) should also improve.

• Extreme caution should be observed when dealing with data-intensive systems.

• Civil society must continue advocating for privacy and data protection measures in government and the private sector.

These measures, according to the FMA, are even more relevant today as the Philippines prepares for another set of elections.
