ICT group says ‘rushed’ rollout of national ID poses risks

An organization of ICT professionals and advocates has expressed its “dismay” of what appears to be a rushed and haphazard implementation of Republic Act 11055 or the Philippine Identification System Act that places public privacy and security at serious risk.

In a statement, the Computer Professionals’ Union (CPU) called for both the government and the public “to be more critical and discerning of a policy, which centralizes and makes a tempting target of massive amounts of personal information.”

The Philippine Statistics Authority or PSA, which acts as the implementing agency of RA11055, has published the Implementing Rules and Regulations or IRR of the PhilSys Act on Saturday, October 6.

CPU said the publication was just a mere two weeks after the release of the draft IRR to the public. To date, the group said the PSA has conducted four public consultations in a span of a little over a week.

“The fourth supposedly ‘public’ forum last October 2 was not only poorly publicized, it was the last public consultation before the IRR [was] signed,” it noted.

CPU said the “hastily concluded consultations excludes concerned citizens, organizations and institutions from contributing meaningfully and substantially in the development of the IRR.”

It added: “Their rampant rush to get the IRR approved and signed betrays the little regard the PSA, and consequently the national government, has for ensuring the security and privacy of the Filipino public.”

The advocacy group observed that that PSA and PhilSys Policy Coordination Council (PSPPC) are not ready for pilot testing.

A panel composed of representatives from the Department of Information and Communications Technology or DICT, PSA, and the National Privacy Commission or NPC, admitted that the council has no detailed plans yet for the end of year target to register one million Filipinos, it said.

“With only three months to go, the PSPPC expects the public to place their full trust in their non-existent plans. Even private companies expect more due diligence from project leaders than this,” according to CPU.

The group said the recent breach into Facebook’s token system that has affected over 50 million users underscores the fact that even the biggest and richest companies cannot totally safeguard their users.

“The immense Philsys Registry containing private and sensitive information on every Filipino — one widely and instantaneously accessible from government offices, banks, and so on — poses enormous security risks.

“Thus, the least that we expect is a transparent technical implementation plan to secure this information from the point of collection to its transmission, storage, processing, and deletion. The IRR and inputs from the public consultations however do not provide clear and sufficient information to assuage us if proper safeguards are in place to secure the PhilSys. Again, the PSPPC expects the public to place our full and blind trust in them — at what price?” the organization said.

CPU said the law and its IRR appears intentionally ambiguous on two fronts: whether it is mandatory, and for what purpose it really serves.

The group noted that while its use is defined as a mere proof of identity, its aims to be a “social and economic platform through which all transactions can be availed” hints at loftier aspirations beyond identification.

“The law and its IRR further skirts from explicitly saying that the PhilID is mandatory — and even goes as far as saying that ‘proof of identity shall not necessarily be construed as proof of eligibility to avail of [public] services’. In the recent consultation, PSA officials admit that registration is mandatory, and while there is no penalty for not enrolling, going PhilID-less will make availing of government services very difficult,” it stressed.

“We do not need an expensive, ambitious, corruption-susceptible, and fault-prone technical and administrative monolith to prove our identity and/or streamline service. Now is not the time nor the place to do so, with a DICT that still has to grapple with rationalizing and securing public ICT infrastructures and an NPC that is still learning the ropes of securing the data privacy of 110 million Filipinos in an era of digital platformization,” the tech organization said.

Comment on this post