On Friday, May 5, Manila Standard reported that the Department of Information and Communications Technology (DICT) is going to launch “Project: SIM Check Mo” this week in an effort to fight cybercrime.
The project lets any mobile user text “SIM Check” plus the phone number of any subscriber to 1326 (DICT’s hotline), and they will receive the registration status of the number, the initials of its owner, and whether the record of the number is in good standing.
While the project aims to protect citizens by identifying the owners of SIM cards spreading scams, it does the opposite to Filipino mobile subscribers: exposing them to further risks such as number scraping attacks. We have seen how effective these number scraping attacks have been and how alarming they have been in recent times.
In fact, the SIM Registration Act was meant to stop such attacks. Instead of protecting our citizens from cybercriminals, when combined with other databases already scraped, such as those of certain electronic cash providers and “Comeleak”, we have fed these cybercriminals with all that they need to harass our fellow citizens.
Even more alarming, Alexander Ramos, executive director of the Cybercrime Investigation and Coordinating Center (CICC) of the DICT, says that compliance with data privacy requirements is still being ironed out with the National Privacy Commission (NPC). This implies that there was no Privacy-by-Design, much less Security-by-Design, in the design and implementation of “Project: SIM Check Mo”.
It does not escape us that the telecommunications companies went through far greater scrutiny to prevent them from using the registered SIM information for other ends. This project allows them to circumvent those restrictions.
We are leading lambs to slaughter in the name of their protection.
We cannot assume that all the mobile numbers that “Project: SIM Check Mo” processes belong to scammers or cybercriminals. While it is true that scams and phishing attacks are proliferating right now via SMS, these attacks remain despite these scammers not having information they can use to extract the information that “Project: SIM Check Mo” willingly and freely hands to them.
The project allows anyone to gather information on SIM registrants without any safeguards. Moreover, the initials of a subscriber are of great value to a malicious user, as these can be used to verify the identity of a user targeted for harassment, extortion, phishing, scams and other potential crimes.
Without a doubt, this project will be used by malicious users to create a “golden list” of “live” phone numbers which can be used to target subscribers with any number of malicious attacks.
By going through every possible Philippine cellular phone number (around 700 million if there are currently 70 Philippine mobile number prefixes) at 10 seconds per response, it can take as little as 82 days to create such a list if 1,000 scraping operations were to be automated in parallel.
A list of live registered phone numbers alone is already of massive value to scammers and criminals. That they come with the initials of the subscriber and the status of their account is icing on the cake and can be massively used for further exploitation.
We do not need to treat this as a hypothetical: cyber-attacks on Filipinos have used far less information with far greater effect.
“Project: SIM Check Mo” is a “solution” looking for a problem that it can eventually become. Already, foreign numbers such as Malaysian ones are being used to spread spam and scam messages to Philippine mobile subscribers. SIM Check Mo simply cannot address that. As such, this project will be a failure from day one.
In contravention of the spirit of Republic Act 11934, also known as the SIM Registration Act, instead of the telcos guarding subscriber SIM registration data, exploitable information (phone numbers, subscriber initials, and registration status) may be transferred and centralized in Philippine government servers. This puts citizen data in an “all eggs in one basket” situation.
In the wake of an incident like the recent Philippine National Police data leak and other cybersecurity lapses by Philippine government agencies, the ability to protect against abuse has of late come into very serious question. This demonstrates an inability and an incapability to understand the responsibility placed by law on personal information controllers.
Finally, the proposed project violates R.A. 11934 which states:
“Sec. 9. Confidentiality Clause. – ANY information and data obtained in the registration process described under this Act shall be treated as ABSOLUTELY CONFIDENTIAL and SHALL NOT BE DISCLOSED to ANY person.”
“Sec. 10. Disclosure of Information. – Notwithstanding the provisions on confidentiality, the PTE shall be required to provide information obtained in the registration process ONLY UPON the issuance of a SUBPOENA by a competent authority pursuant to an investigation based on a sworn complaint that a specific mobile number was or is being used in the commission of a crime or that it was utilized as a means to commit a malicious, fraudulent or unlawful act, and that the complainant is unable to ascertain the identity of the perpetrator.”
“Project: SIM Check Mo” will reveal information obtained during the registration process such as the phone number and initials of a subscriber to anyone with a mobile phone. It also reveals SIM registrant information without the issuance of a subpoena.
Function creep such as this does not help, not only because it fails to consider Privacy-by-Design and Security-by-Design, but also because it contemplates a use for this information for which it was never intended.
What can the government do about the proliferation of spam and cybercrime via SMS to Filipino citizens if this is not a solution?
It is very simple.
The DICT and other relevant agencies should mount aggressive education and information campaigns to stop SMS scammers in their tracks. As they say, kung walang magpapaloko, walang manloloko (if no one lets themselves be fooled, there will be no one to do the fooling).
The author is a member of Democracy.Net.PH, an ICT rights, governance, development, policy, and security advocacy group.