By MARYA SALAMAT
MANILA – Holders of Philippine passports are at risk now of identity theft and other scams as a result of the failure of the Department of Foreign Affairs (DFA) to secure the Filipinos’ passport data.
The alarm is reverberating loud especially among the overseas Filipino workers and their families. In a statement, Migrante International is demanding not only for an investigation and accountability of the DFA into the passport data mess but also for the government to end its practice of privatizing various functions and services.
Last week the problem about the passport data surfaced in candid posts in social media by Foreign Affairs Secretary Teodoro Locsin Jr. Locsin who revealed the company the DFA contracted to print passports did not turn over the data at the end of contract (in 2014 or 2015) because it was “pissed off” when the contract was not renewed.
This resulted in added burden for those renewing their passports as they are required again to provide authenticated birth or marriage certificates to the DFA.
But that is not the only or the most worrying burden facing the passport holders.
Angel Averia, an information security practitioner and IT consultant, told Bulatlat in an email interview that there are many ways those ‘hostaged’ passport data may be used to the disadvantage of the owners of the data.
Data of passport applicants include complete name and address, birthdate and birthplace, names of parents, among others. The applicant retains ownership of these data which he or she just entrusted to the DFA.
Averia said the DFA contractor or whoever it has subcontracted to can use those data without the permission of the persons owning these data. This includes receiving unsolicited service offerings, or having their data sold to other parties without their knowledge or permission.
Worse, the data required by the government to issue a passport to an applicant may also be used for committing identity theft, Averia said.
It is more dangerous, he said, if the birth certificates were to be used for this. Averia recalls cases where the birth certificate was fraudulently used to apply for a marriage license.
“A birth certificate has no picture in it and it can be used in applying for, say, a marriage license, SSS, Philhealth, TIN, and eventually these can be used in turn to apply for a bank loan,” Averia explained.
Asked what Filipino passport holders can do to safeguard against identity theft, Averia said, “wala nang safeguards.” (There are no more safeguards.) More often, he said, the person would only learn his or her identity has been used fraudulently by another, for example in getting bank loans, when the bank is already sending the bill.
“Once you learn you have been a victim of identity theft, that’s only the time you can seek appropriate action such as reporting it to the police or to the National Privacy Commission,” Averia said.
DFA accountable to passport data fiasco
According to Republic Act 10173 or Data Privacy Act , the head of agency is responsible for complying with the security requirements cited in the law.
“The DFA should have ensured the data entrusted to them by passport applicants are secured or protected,” Averia said.
RA 10173 or Data Privacy Act was enacted in September 2012. The reported “loss” or failure to turn over the passport data happened in 2014 or 2015 according to reports.
Averia said the DFA officials should have appointed a Data Protection Officer to ensure the data are protected and within their control. The agency should also have reviewed the contract and made sure that even if the service was outsourced the data it worked with were protected.
“There should have been a declaration in the outsourcing contract that the database is the property of the DFA and should be turned over to the DFA at the end or termination of the service in a ‘format that is accessible to the DFA.’”
Privatization a burden to the people
The migrants advocate Migrante International said the DFA must present to the public a clear list of all the actions it will undertake to oblige the private contractor to turn over and subsequently delete the data it currently holds.
“The fact that its contract has already been terminated means that it should no longer have any business in retaining all the private information it collected from passport applicants. Their continued possession of enormous volumes of sensitive data is already a serious form of leakage and an infringement on the right to privacy,” said Migrante.
Migrante International also traced the problem of data insecurity to the increasing use of services of “profit-driven private entities in many government transactions and projects.”
“With government’s adoption of neoliberal policies such as privatization, public officials have increasingly been involved in deals with big private contractors whose only aim is to maximize their profits at the expense of the welfare and security of OFWs and the Filipino people in general,” Migrante said.
Additional scare on implementation of National ID system
The “loss” of data by the DFA is not the first time the government has lost or compromised significant data of Filipinos. In 2016, the Comelec website was hacked and the voters’ data were stolen. The way the government lost control of some Filipinos’ data differed in the two cases, but both showed how these data were clearly not secured or protected enough by the government.
“We can have a broad idea of how much worse it can get once the implementation of the national ID system is in full swing,” Migrante said.
Describing the government’s privatization as “a strong preference to prostituting our sovereignty,” Migrante warned against awarding fat contracts to “dubious foreign contractors just like the 12-year Php1.6 Billion contract awarded by the Philippine Statistics Authority to US-based firm UNISYS which has figured prominently in data breach controversies overseas.”
Migrante said mere investigations of data privacy will not suffice now for the DFA and all government agencies as long as they continue to outsource to private profit-driven entities important government functions. They urged the government to improve instead its in-house capacities.
“Blaming previous administrations and holding the culprits accountable while sticking to the same old rotten system of privatization are mere grandstanding unless the government and the DFA adopt a nationalized program in the processing of public data,” Migrante said. The group also warned the DFA not to make life more difficult for all the people affected by this data mess.