State of Privacy Philippines
A study of privacy and surveillance issues in Philippines. The State of Privacy project was last updated on January 2019, unless otherwise provided on specific pages.
Table of contents
- Introduction
- Right to Privacy
- Communication Surveillance
- Data Protection
- Identification Schemes
- Policies and Sectoral Initiatives
Introduction
Acknowledgement
The State of Privacy in the Philippines is the result of an ongoing collaboration by Privacy International and Foundation for Media Alternatives.
Key privacy facts
1. Constitutional privacy protection: The constitution contains an explicit protection of the right to privacy (Art. III, section 3).
2. Data protection law: The Philippines have a data protection law, the Data Privacy Act of 2012.
3. Data protection agency: The Philippines have a data protection agncy, the National Privacy Commission.
4. Recent data breach: In March 2016, the Philippines were targeted with what was dubbed at the time the biggest breach in history concerning government-held data. The personal information of over 55 million Filipino voters were leaked following a breach on the Commission on Elections' (COMELEC's) database.
5. ID regime: The Philippines is currently working on the implementation of a new ID system.
Right to Privacy
The constitution
Communications surveillance is embodied or dealt with in various laws and rules, mostly involving penal statutes or otherwise bearing upon the privacy of communication (or communication privacy) which is a distinct species of privacy recognized in Philippine jurisprudence.
The term “communications surveillance” is not (yet) defined in Philippine law. Nonetheless, it is generally regarded as an act or activity that is proscribed or restricted by law. Such a conception is derived from the express recognition of “the privacy of communication and correspondence” in the Bill of Rights or Article III of the 1987 Philippine Constitution. Under Section 3 of the Philippine Charter, communication privacy is inviolable except upon lawful order of the court, or when public safety or order, by law, requires otherwise. Evidence obtained outside of these procedures is inadmissible for any purpose.
Regional and international conventions
The Philippines government is a signatory to a number of international human rights instruments, including:
- the Universal Declaration of Human Rights (UDHR);
- the International Covenant on Civil and Political Rights (ICCPR);
- the International Covenant on Economic, Social and Cultural Rights (ICESCR); and
- the International Convention on the Elimination of All Forms of Racial Discrimination.
Communication Surveillance
Introduction
The Philippines has a total population of over 105, 500,000 people as of November 2017. The country had a national internet penetration figure of 43.5 % in 2016, according to Internet Live Stats. Overall, 45 million people are active Internet users, while 32 million are active mobile internet users. The country ranks first in terms of average number of hours (6.3) spent using the internet per day using a laptop or desktop, according to one study. When access is through a mobile device, Filipinos spend on average 3.3 hours online per day. This is still considered high considering the global median of 2.7 hours. The number of active internet users has grown by 27% over 2016.
Out of 119 million mobile phone subscriptions, 95% are prepaid and 55% have a mobile broadband subscriptions.
The top social platforms in the country are as follows:
- Facebook (26%);
- Facebook Messenger (23%);
- Google+ (17%);
- Skype (16%);
- Viber (14%);
- Twitter (13%);
- Instagram (12%);
- LinkedIn (11%);
- Pinterest (9%) and
- WeChat (9%)
The Philippines is the country where people spend the most time on social media (4 hours and 17 minutes).
Surveillance laws
Interception and surveillance
The protection of the privacy of correspondence is echoed in international human rights instruments like Article 12 of the Universal Declaration of Human Rights and the International Convenant on Civil and Political Rights (ratified by the Philippines in 1986), which form part of Philippine law by virtue of the doctrine of incorporation. According to Section 3, Article II of the Constitution, the Philippines “adopts the generally accepted principles of international law as part of the law of the land”. Privacy of communications would therefore fall within the ambit of the Constitution’s declaration that “the State values the dignity of every human person and guarantees full respect for human rights” (Section 11, Article II).
Communications surveillance, to the extent that it impinges on communications and its attendant rights, may also be limited by the Constitutional provision that directs the State to “provide the policy environment for… the emergence of communication structures suitable to the needs and aspirations of the nation and the balanced flow of information into, out of, and across the country, in accordance with a policy that respects the freedom of speech and of the press” (Section 10, Article XVI, Constitution).
Outside the principles and policy pronouncements in the Constitution, communications surveillance is tackled, explicitly or implicitly, in several statutes or Republic Acts (RA) (Laws enacted by the Philippine Legislature or Congress) that provide a cause of action or remedies for breaches of privacy.
Under the Civil Code of the Philippines (RA 386 (1949)), anyone who “obstructs, defeats, violates or in any manner impedes or impairs” the privacy of communication and correspondence is liable for damages (Article 32).
Elsewhere, communications surveillance may be penalized as a felony or crime. Article 290 of the Revised Penal Code (Act No. 3815 (1930)) punishes any person who seizes the papers or letters of another in order to discover his/her secrets (Art. 290). Under the Electronics Engineering Law of 2004 (RA 9292), any registered electronics engineer or technician may be punished with a fine and/or imprisonment for involvement in “illegal wire-tapping, cloning, hacking, cracking, piracy and/or other forms of unauthorized and malicious electronic eavesdropping and/or the use of any electronic devices in violation of the privacy of another or in disregard of the privilege of private communications” (Section 35).
The Anti-Wiretapping Act of 1965 (RA 4200, entitled “An Act to Prohibit and Penalize Wire Tapping and other Related Violations of the Privacy of Communication, and for other Purposes”) prohibits and penalises wire tapping done by any person to secretly overhear, intercept, or record any private communication or spoken word of another person or persons without the authorisation of all the parties to the communication. Those who knowingly possess, replay, or communicate recordings of wiretapped communications (section 1) as well as those who aid or permit wiretapping (section 2), are likewise held liable. However, RA 4200 provides an exception for instances where a law enforcement officer is authorized by a written order of the Court to perform wire-tapping “in cases involving the crimes of treason, espionage, provoking war and disloyalty in case of war, piracy, mutiny in the high seas, rebellion, conspiracy and proposal to commit rebellion, inciting to rebellion, sedition, conspiracy to commit sedition, inciting to sedition, kidnapping as defined by the Revised Penal Code, and violations of Commonwealth Act No. 616, punishing espionage and other offenses against national security,” provided that a number of stringent requirements are complied with (Section 3).
On the other hand, in other statutes, communications surveillance is sanctioned as a legitimate law enforcement activity. The Expanded Anti-Trafficking in Persons Act of 2012 (RA 9208, as amended by RA 10364) expressly mandates the Philippine National Police (PNP) and National Bureau of Investigation (NBI) to be the primary law enforcement agencies “to undertake surveillance, investigation and arrest of individuals or persons suspected to be engaged in trafficking” (Section 16(g), RA 9208, as amended by RA 10364. Emphasis added).
In October 2016, a bill to create the Expanded Anti-Wire Tapping Act of 2016 was presented at the Senate. The bill would include additional crimes for which wire-taping could be conducted and allow "law enforcement agencies and the military [...] to prevent and detect crimes by being able to intercept communications, conversations, discussions, data, information, messages in whatever form, kind or nature, spoken or written words through the use of electronic, mechanical or other equipment or device or technology now known or may hereafter be known to science." The bill is currently pending a second reading.
The Human Security Act of 2007 (RA 9372), entitled “An Act to Secure the State and Protect our People from Terrorism”, explicitly allows the surveillance of terrorism suspects and interception and recording of communications “between members of a judicially declared and outlawed terrorist organization, association, or group of persons or of any person charged with or suspected of the crime of terrorism or conspiracy to commit terrorism” upon a written order of the Court of Appeals (Sec. 7, RA 9372), even as it declares that in its implementation “the State shall uphold the basic rights and fundamental liberties of the people as enshrined in the Constitution” (Sec. 2, RA 9372). Similar to the Anti-Wire-Tapping Act, this law mandates compliance with many requirements, from applying for judicial authorization to the deposit and disposition of intercepted and recorded materials (see Sections 7-14, RA 9372). The Human Security Act also prohibits “the surveillance, interception and recording of communications between lawyers and clients, doctors and patients, journalists and their sources and confidential business correspondence”(Sec. 7, RA 9372).
The Anti-Child Pornography Act of 2009 (RA 9775) may be read as effectively facilitating communications surveillance by internet service providers (ISPs) – private entities – since this law requires ISPs, under pain of penalty, to: (1) notify the PNP or the NBI of facts and circumstances indicating that any form of child pornography is being committed using its server, (2) preserve evidence of the same for purpose of investigation and prosecution, and (3) install software to ensure that access to or transmittal of any form of child pornography will be blocked or filtered (Section 9, RA 9775). Ironically, the same provision states that “[n]othing in this section may be construed to require an ISP to engage in the monitoring of any user, subscriber or customer, or the content of any communication of any such person” (Section 9, RA 9775).
Data retention
Data retention is most clearly outlined in the Implementing Rules and Regulations of the Electronic Commerce Act (2000). The original act is intended to provide for the “recognition and use of electronic commercial and non-commercial transactions and documents, penalties for unlawful use thereof and for other purposes” Section 20 of its Implementing Rules and Regulations outlines appropriate forms of data retention and the mandate of “relevant government agencies” to impose regulations on data retention:
“ (a) The requirement in any provision of law that certain documents be retained in their original form is satisfied by retaining them in the form of an electronic data message or electronic document which:
(i) Remains accessible so as to be usable for subsequent reference;
(ii) Is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to accurately represent the electronic data message or electronic document generated, sent or received; and,
(iii) Where applicable, enables the identification of its originator and addressee, as well as the determination of the date and the time it was sent or received.
(b) The requirement referred to in paragraph (a) is satisfied by using the services of a third party, provided that the conditions set forth in subparagraphs (i), (ii) and (iii) of paragraph (a) are met.
(c) Relevant government agencies tasked with enforcing or implementing applicable laws relating to the retention of certain documents may, by appropriate issuances, impose regulations to ensure the integrity, reliability of such documents and the proper implementation of Section 13 of the Act.”
As part of its regulatory function, the National Telecommunications Commission released a memorandum (MC 04-06-2007) in June 2007 on the data log retention of telecommunications traffic. Section 1 states:
“PTEs shall retain the call data records on voice calls and similar records for non-voice traffic. on-voice traffic includes SMS, MMS and other similar telecommunications services.”
Section 2 states:
“Records indicating traffic data on the origin, destination, date, time, and duration of communications shall be retained within the following periods:
a) two (2) months for non-metered services with fixed monthly charges; b) four (4) months for other telecommunications services not covered in (a); or c) until excused by NTC for records requested in connection with pending complaints.”
A bill - entitled the Big Data Act of 2014 - proposed in June 2014 called for the "establishment of a Big Data Center where large volume of datasets used for research and development and other important purposes will be facilitated and protected." If the bill is passed, the Center would "develop a range of standards and use software and other tools for analytics on massive amounts of data being generated from the use of Internet and other technology." It would also be "responsible for disseminating the knowledge gained from its research activities to stakeholders in both the public and private sectors to strengthen policy making and industrial competitiveness." As of November 2017, the bill is still pending in the committee.
Surveillance Actors
Inteligence and Security Agencies
National Security Council
The National Security Council (NSC) is the lead government agency coordinating the formulation of policies relating to national security (Sec. 3, Chapter 2, Subtitle I, Title VIII, Book IV, Executive Order No. 292 (1987)). It was created through Executive Order No. 330 (s. 1950), and reorganized through Executive Order Nos. 115 (s. 1986), and 34 (s. 2001). Among other things, the Council advises the President on the integration of domestic, foreign, military, political, economic, social and educational policies relating to national security (Sec. 5(1), Chapter 2, Subtitle I, Title VIII, Book IV, Executive Order No. 292 (1987)). It also formulates government policies relating to national security and makes recommendations to the President regarding the same (Sec. 5(3), Chapter 2, Subtitle I, Title VIII, Book IV, Executive Order No. 292 (1987)). It has administrative supervision over the National Intelligence Coordinating Agency (NICA, discussed below), even as the latter may report directly to the President (Sec. 5, Executive Order No. 246 (s. 1987)). Apart from the NICA, the Council also provides guidance and direction to the operations of the Philippine Center on Transnational Crimes (PCTC), and coordinates, at the policy level, the fight against terrorism through the Anti-Terrorism Task Force.
Office of the National Security Adviser (ONSA)
The National Security Adviser is also referred to as the National Security Director (Sec. 8, Chapter 2, Subtitle I, Title VIII, Book IV, Executive Order No. 292 (1987)) or NSC Director General (Executive Order No. 69, s. 2002). As a member of both the NSC and the Council’s Executive Committee, the NSA advises the President on matters pertaining to national security and, when directed by the President, shall see to the implementation of decisions or policies that have a bearing on national security, as adopted by the President or the Council (Sec. 8, Chapter 2, Subtitle I, Title VIII, Book IV, Executive Order No. 292 (1987)). The NSA is also a member of the Presidential Anti-Organized Crime Commission (PAOCC), by virtue of Executive Order No. 8 (s. 1998) (Sec 5).
In 2006, through Executive Order No. 492, the ONSA was accorded the “principal authority to oversee and supervise the implementation of a program to build up, integrate and employ reconnaissance and surveillance capabilities of civilian agencies and armed services”. It was also made “principal adviser on national reconnaissance and surveillance activities” (Sec. 1, Executive Order No. 492, s. 2006). For this purpose, the NSA was tasked to carry out “measures to coordinate inter-agency requirements and supervise the acquisition of reconnaissance and surveillance equipment, including but not limited to unmanned aerial vehicles (UAVs) (Sec. 1, Executive Order No. 492, s. 2006). Accordingly, he was given the authority to coordinate the securing of funds necessary to acquire the required facilities and equipment (Sec. 1, Executive Order No. 492, s. 2006). The EO explicitly mandated the NSA to oversee the formulation of the terms of reference for the joint use of the UAVs, which shall enable the acquisition of the facilities and equipment by allocating the cost among the beneficiary agencies that will have actual use of such resources in their respective operations (Sec. 4, Executive Order No. 492, s. 2006; see also: Sec. 6, Executive Order No. 492, s. 2006).
Under the same EO, the Maritime Aerial Reconnaissance and Surveillance (MARS) Program was established (Sec. 3, Executive Order No. 492, s. 2006). The program is charged with the reconnaissance and surveillance of the country’s maritime zones and terrestrial/land areas, using “modern reconnaissance and surveillance systems” (Sec. 2, Executive Order No. 492, s. 2006). Its objective is “to enhance the national capability to gather near real-time video recording and information for decision-making needs” (Sec. 2, Executive Order No. 492, s. 2006), as well as to “provide law enforcement personnel and ground operators near real-time high accuracy, sustainable capability for reconnaissance and surveillance and dominant situational awareness to swiftly and effectively interdict when an illegal activity occurs” (Sec. 2, Executive Order No. 492, s. 2006). To facilitate the operations of the program, a National Maritime Aerial Reconnaissance and Surveillance Center (NMARSC) was established, through the efforts of the NICA (Sec. 3, Executive Order No. 492, s. 2006). As focal point for national reconnaissance and surveillance activities and operations, the NMARSC is under the supervision and control of the ONSA (Sec. 3, Executive Order No. 492, s. 2006).
In 2007, with the establishment of the National Security Clearance System for Government Personnel with Access to Classified Matters, the ONSA was charged with acting on the recommendations of the NICA as to who shall be granted security clearances (Sec. 2(b), Executive Order No. 608, s. 2007). Decisions by the ONSA in this regard may be appealed to the Office of the President (Sec. 3, Executive Order No. 608, s. 2007).
National Intelligence Coordinating Agency (NICA)
The National Intelligence Coordinating Agency (NICA) functions under the Office of the President, and is under the administrative supervision of the National Security Adviser (Executive Order No. 69, s. 2002; see also: Sec. 5, Administrative Order No. 68, s. 2003). Originally created in 1949 under then President Elpidio Quirino, its current mandate is to be “the focal point for the direction, coordination and integration of government activities involving intelligence, and the preparation of intelligence estimates of local and foreign situations for the formulation of national policies by the President" (Sec. 2, Executive Order No. 246, s. 1987).
In 2002, it was reorganized by then President Gloria Macapagal-Arroyo through Executive Order No. 69. The following year, its role and authority was further strengthened when, through Administrative Order No. 68, its Director General (DG-NICA) was assigned as principal adviser to the President on Intelligence (Sec. 1, Administrative Order No. 68, s. 2003). The DG was also tasked to establish the Directorate for Counterintelligence, which now serves as the focal point for the national government’s counterintelligence activities and operations. Three other offices were also created to further assist the NICA in its mandate:
- the National Intelligence Committee, which serves as an advisory board to the DG (Sec. 2, Administrative Order No. 68, s. 2003);
- the Counter-Terrorism Intelligence Center, a multi-agency body under the direct control of the DG, which provides “over-all coordination in the conduct of intelligence operations to facilitate gathering, processing, disseminating and sharing of intelligence on terrorism, especially on international terrorism”(Sec. 3, Administrative Order No. 68, s. 2003); and
- Area Counter-Terrorism Intelligence Centers (Area CTICs), which are principally tasked to “capture and fuse at the operational and tactical levels the intelligence outputs, with emphasis on domestic and international terrorism, of all intelligence agencies-- civil, military and police-- in their respective areas of operations”(Sec. 3, Administrative Order No. 68, s. 2003).
The NICA may detail “liaison officers” to other government offices both inside and outside the country (Sec. 3, Administrative Order No. 68, s. 2003). In fact, as regards its foreign liaison program, it coordinates the same with other government agencies that regularly post representatives overseas (Sec. 4, Administrative Order No. 68, s. 2003). At the same time, through its DG, it is also expected to establish and strengthen liaison work between the agency and its foreign counterpart intelligence and security organizations (Sec. 4, Administrative Order No. 68, s. 2003).
In 2006, the NICA was designated as the technical operator of the Maritime Aerial Reconnaissance and Surveillance (MARS) Program (Sec. 3, Executive Order No. 492, s. 2006). This authorized the Agency to “procure UAVs or enter into lease agreements governing such vehicles” (Sec. 3, Executive Order No. 492, s. 2006).
The following year, the NICA was tasked to formulate the Implementing Rules and Regulations of Executive Order No. 608, which provided for the establishment of a national security clearance system for all government personnel with access to classified materials. Under the EO, the Agency was tasked to receive the names of personnel granted by their respective agencies Interim Security Clearances (Sec. 2(a), Executive Order No. 608, s. 2007). From the list of names, it was expected to recommend to the ONSA who among the individuals shall ultimately be given Security Clearances (Sec. 2(b), Executive Order No. 608, s. 2007). For this purpose, the Agency was authorized to conduct further background investigation on the personnel involved, on its own or by acting upon a request (Sec. 2(a), Executive Order No. 608, s. 2007).
In 2011, The DG of the NICA was made a member of the Presidential Anti-Organized Crime Commission (PAOCC), by virtue of EO No. 46 (s. 2011), which amended EO No. 799 (s. 2009) (Sec. 1).
National Intelligence Committee (NIC)
The NIC is an advisory body to the DG-NICA for the “coordination, integration and fusion of all intelligence activities relating to the preparation of the National Intelligence Estimate (NIE) and in addressing other issues of national intelligence concern” (Sec. 2, AO No. 68 (s. 2003)).
With the DG-NICA as Chair, its membership include: (1) Undersecretary for Policy, Department of Foreign Affairs; (2) Director, National Bureau of Investigation; (3) Commissioner, Bureau of Customs; (4) Commissioner, Bureau of Immigration; (5) Deputy Chief of Staff for Intelligence, J2, Armed Forces of the Philippines; (6) Director for Intelligence, Philippine National Police; and the (7) Commanding Officer, Presidential Security Group (Sec. 2, AO No. 68 (s. 2003)).
The NICA is assisted by Regional Intelligence Committees (RICs), whose mandate is to coordinate the efforts of all government intelligence units and agencies at the regional and local levels to ensure the integration and fusion of all information of national intelligence concern gathered at the aforesaid levels.
National Intelligence Board (NIB)
The NIB is another advisory body to the DG-NICA for the coordination and integration of intelligence activities in the Government (Sec. 6, EO No. 246 (s. 1987); see also: Sec. 5, AO 217 (s. 1991)). Its members are appointed by the President, although the National Security Director/Adviser may sit in all meetings of the Board (Sec. 6, EO No. 246 (s. 1987); see also: Sec. 5, AO 217 (s. 1991)). Through Administrative Order No. 217 (s. 1991), the membership of the NIB was expanded to include twelve (12) civilian agencies and seven (7) military offices (Sec.1).
As in the case of the NIC, the DG-NICA is also the Chairperson of the NIB (Sec. 3, AO 217 (s. 1991)). The presence of the National Security Adviser/Director in all meetings of the Board is mandatory Sec. 4, AO 217 (s. 1991)).
In relation to the NIC, the Board shall utilize the NIC as its principal arm for purposes of “providing direction and control of intelligence operations and activities of NIB members, departments, agencies, and offices (Sec. 5, AO 217 (s. 1991)).
Intelligence Service, Armed Forces of the Philippines (ISAFP)
The ISAFP is one of the AFP-Wide Support and Separate Units (AFP-WSSU).
A “New Agency”
In April 2014, some reports revealed a purported plan by the government to create a new intelligence agency akin to that of the U.S. Defense Intelligence Agency. This new spy institution will supposedly incorporate the ISAFP, effectively making the unit an integral part of the defense department. It will engage in the “gathering and analysis of security-related foreign, domestic, political and economic, industrial, geographic, military and civilian intelligence data.” Sources privy to the matter have recently indicated that this plan has been scuttled because of fundamental differences between the merging institutions.
Law Enforcement
Directorate for Intelligence (Directorial Staff), Philippine National Police
Little is known about this Directorate.
Police Intelligence Group (Operational Support Unit) Philippine National Police
The Police Intelligence Unit is one of several operational support units of the PNP (Sec. 2, AO No. 68 (s. 2003); Sec. 35, Republic Act No. 697). Headed by a Director with a rank of chief superintendent, the PIU serves as the intelligence and counterintelligence operating unit of the PNP (Sec. 35(b)(2), Republic Act No. 6975). According to at least two news reports, this unit (specifically, its counter-intelligence component) is also charged with providing physical security to police camps, as well as official documents of the PNP; it also monitors the illegal activities of certain police officers.
Philippine National Police
The Anti-Cybercrime Group (ACG) was activated in March 2013, pursuant to Section 10 of the Cybercrime Prevention Act, which provides that the PNP, along with the National Bureau of Investigation (NBI), shall “organize a cybercrime unit or center manned by special investigators to exclusively handle cases involving violations” of the law. Today, it serves as the primary police unit responsible for the implementation of pertinent laws on cybercrimes and anti-cybercrime campaigns of the PNP and the national government. The Group focuses on cybercrime offenses, computer-related offenses, and other content-related offenses such as cybersex, child pornography, unsolicited commercial communication, and other related offenses.
Office of the Deputy Director for Intelligence Services, National Bureau of Investigation
The Intelligence Services units falling under this Office include: (1) Counter Intelligence Division (CID); (2) Criminal Investigation Division (CRID); and the Technical Intelligence Division (TID).
Cyber Crime Division (CCD), National Bureau of Investigation
The CCD falls under the Office of the Deputy Director for Investigation Services. Presumably, the establishment of this division was also brought about by the need to comply with Sec. 10 of the Cybercrime Prevention Act.
Surveillance capabilities
IMSI Catchers
In April 2014, The Tribune reported that the Philippine government Department of National Defense (DND) had acquired a 135 million peso (US$ 3.4 million) surveillance equipment surfaced. Supposedly covered by a 26 October 2011 purchase request, the device was described as a “Radio Frequency Test Equipment” (RFTE) provided by Rohde & Schwarz (R&S), an electronic surveillance company based in Germany. Rohde & Schwarz specializes in military and dual-use equipment, including spectrum analysers and encrupted communications systems.
According to media reports, the equipment would have the capability to hone in on and intercept calls and text messages sent within a 500-metre radius of the device. The revelation prompted concerns by opposition groups that the government would use the technology to spy on them. The government denied these claims.
According to documents obtained by Privacy International, a UK-based company sought two export licenses for “telecommunications interception equipment”, most likely for IMSI catchers, to the Philippines in 2015. An IMSI Catcher is a phone monitoring kit that provides active intercept capabilities. Traditionally, IMSI Catchers (or Stingrays as they are known in the US) can capture a number of different pieces of identifiable information including the IMEI and the IMSI: identifiers for your phone and SIM card respectively. IMSI Catchers can also record voice and message data as they travel through mobile networks.
In February 2018, it was revealed that the UK had sold £150,000 worth of spying equipment, including IMSI catchers in 2016.
Intrusion Malware
The Philippines government reportedly sought to acquire an intrusion malware tool, the Remote Control System, from Italian surveillance company Hacking Team. RCS is used to monitor a particular device through the direct installation of a malicious program on a target's device, usually by way of fallacious updates, fake websites, or false documents that a target is encouraged to download, inadvertently allowing the RCS tool to infect his or her device.
Documents leaked from Hacking Team in 2015 revealed a significant amount of interest from several parties purporting to represent different agencies of the Philippine government.
On 13 March 2011, an individual claiming to belong to the National Bureau of Investigation’s (NBI) Cyber Center, working under of the Office of the Director, reached out to the company seeking a proposed solution to a potential “cyber attack offensive”, similar to what was then a common occurrence in Australia. Hacking Team responded to this request by outlining the salient features of the RCS.
FMA reported that in January 2013, an individual named “Gadburt Mercado” began communicating with Daniel Maglietta, Chief of HT’s Singapore Representative Office, to set up a product demonstration meeting between HT executives and Mr. Mercado’s supposed principal, Col. Manuel Lucban, Chief of Police of Makati City. Spanning a period of more than a year, the email thread suggests that no actual meeting took place during such time due to the conflicting schedules of the parties.
In March 2015, a person claiming to be an officer of the Intelligence Services of the Armed Forces of the Philippines (ISAFP) relayed his unit’s interest in the capabilities of HT’s Galileo Remote Control System. He requested additional information from the company, as well as a product demonstration.
US government surveillance
The US government conducts extensive surveillance activities in and around the Philippines that it justifies in part in relation to its activities against Islamist militant groups in the “war on terror”. These include joint military exercises with the Philippine military. A downed US military surveillance drone was discovered in the Philippines' restive Quezon province in early 2015, according to the Philippines Daily Inquirer. The embassy responded that the drone was an “expended” aerial target launched during military exercises,during September 2014 off the coast of Guam.
The US has also been conducting large-scale interception of communications in and out of the Philippines. Documents released by Edward Snowden in May 2014 show that the US National Security Agency (NSA) had "access via DSD asset in a Philippine provider site. Collects Philippine GSM, short message service (SMS) and Call Detail Records.” This, the NSA predicted “[w]ill soon become a source of lucrative intelligence for terrorist activities in Southern Philippines.” The 2013 project codenamed MYSTIC, involved the interception of large amounts of the communications of five countries, including the Philippines, from undersea cables.
Surveillance oversight, checks and balances
In addition to the safeguards apparently built in the abovementioned laws, there are other laws and rules that can serve to counter or check the conduct of communications surveillance permitted by the foregoing.
The Rule on the Writ of Habeas Data (A.M. No. 08-1-16-SC) issued by the Supreme Court in 2008 provides the writ as a remedy available to persons whose right to privacy in life, liberty, or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting, or storage of data or information regarding his person, family, home, and/or correspondence (Sec. 1, A. M. No. 08-1-16-SC). The writ of habeas data basically enables people to find out what information is being collated about them by law enforcement agencies as well as by private entities, and the use and purpose of collecting it. The petitioner may then seek such reliefs as the updating, rectification, suppression, or destruction of the database or information or files kept by the erring party, or, in the case of threats, an order enjoining the act that is the subject of the complaint (Sec. 6, Sec. 1, A. M. No. 08-1-16-SC).
Examples of surveillance
The most controversial case of communications surveillance in the Philippines to date is the “Hello Garci” scandal which involved former President Gloria-Macapagal Arroyo and one election commissioner. The wiretapped conversation concerned an electoral fraud in favor of Arroyo which was purportedly committed during the 2004 Presidential Elections.
The source of the copy of the wiretapped conversation never became clear. Several personalities, both from the administration and the opposition, presented their own copy of the record but no one claimed actual ownership. An agent of the Intelligence Service of the Armed Forces of the Philippines (ISAFP) admitted his involvement in the surveillance operation dubbed “Project Lighthouse” and pointed the Military Intelligence Group 21 of the AFP as the unit that carried out the activity. An employee of a local telecommunications company was also implicated in the wiretapping. However, the company denied its knowledge of the operation.
Another former President became subject to at least two surveillance-related incidents. In 1986, during her visit to the U.S., Corazon Aquino’s conversation with two Cabinet members regarding the impact of the new constitution was recorded. The conversation reflected the concerns of the administration regarding the impact of the ban of nuclear weapons on the existence of U.S. military bases in the country. The transcript of the recording was leaked by the opposition days before the ratification of the new constitution.
The second incident was in 2007 wherein a surveillance equipment was found near her private residence. The police and again, the ISAFP and another telco employee were implicated in the illegal activity, but they denied their involvement. No clear reason was given for the intercept.
Another confirmed wiretapping incident occurred in 2008, when the phone conversation between two witnesses to a graft-laden, albeit botched, government project with China was captured on record. While no one admitted to carrying out the surveillance operation, a copy of the recording wound up in the hands of the chairman of the elections commission, who was then being implicated in the controversial project. The witnesses accused the official of attempting to dissuade them from testifying by threatening to make public their private conversation. As they went ahead with their exposé, the recording ended up being posted online in YouTube.
Guillermo Luz, a prominent business executive and a known critic of the administration, filed petitions for the writs of Habeas Data and Amparo with the Supreme Court in order to stop the government from conducting state-sponsored military surveillance he believed he was then subject to. His cases were granted but brought to the appellate court for hearing. The case closed after the AFP declared that he was not under any surveillance or case-building activity.
Other reported cases of wiretapping were false alarms. In one case, a legislator was accused of having violated the law after recording an executive session of a Congressional committee. In another, a government executive filed charges against a well-known Filipino journalist for allegedly recording their phone conversation without her consent. Both incidents were eventually resolved, with no case being filed against the legislator, while that filed against the journalist was later dropped, after prior consent of the complainant was properly established.
Data Protection
Data protection laws
The Data Privacy Act of 2012 (RA 10173) (“DPA”) is another potential source of legal remedies against communications surveillance. It is not primarily concerned with communication privacy, let alone, communication surveillance, dealing, as it does, with data privacy which is a distinct category of privacy. However, the law includes in its scope privileged information, a term it defines as “any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication"(Sec. 3(k), Republic Act No. 10173. Emphasis supplied). As a result, any Philippine legal regime purporting to govern communication privacy (and communication surveillance, by extension) must include the DPA as a component.
The DPA establishes the general rule that the processing of privileged information (i.e., privileged communication) is a prohibited activity (Processing is defined as referring to “any operation/set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data” (Sec. 3 (j), RA 10173). It does, however, provide certain exceptions (Sec. 13, Republic Act No. 10173):
- when all the parties to the exchange have given their consent prior to the processing;
- when the processing is authorized by existing laws and regulation, provided that:
- the authorizing law/regulation guarantees the protection of the privileged information, and
- the authorizing law/regulation itself does not require the consent of the parties to the exchange
- when the processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that all of the following conditions are present:
- the processing is limited to the members of the public organization/association involved;
- the sensitive personal information is not transferred to third parties; and
- the consent of the data subject is secured
- when the processing is necessary for purposes of medical treatment, which is carried out by a medical practitioner or a medical treatment institution, and the processing ensures an adequate level of protection
- when the processing concerns sensitive personal information which is necessary for (a) the protection of lawful rights and interests of natural and legal persons in court proceedings, or (b) the establishment, exercise or defense of legal claims
- when the sensitive personal information is to be provided to the government or a public authority
Notwithstanding these exceptions, the law does grant personal information controllers the ability to invoke the “principle of privileged communication” over the privileged information that they have in their lawful control or possession. Presumably, this would render the privileged information inadmissible as evidence in any court or legal proceeding wherein they may be presented (Sec. 15, Republic Act No. 10173).
It is also important to note that the DPA expressly amends Section 7 of the Human Security Act which authorizes the surveillance of terrorism suspects (discussed above) (SEC. 44. Repealing Clause. – The provision of Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of 2007", is hereby amended. Except as otherwise expressly provided in this Act, all other laws, decrees, executive orders, proclamations and administrative regulations or parts thereof inconsistent herewith are hereby repealed or modified accordingly).
In August 2016, the National Privacy Commission (NPC) published the Implementing Rules and Regulations of the DPA, after several months of public consultation, involving the Foundation for Media Alternatives. The Rules aim to “enforce the Data Privacy Act and adopt generally accepted international principles and standards for personal data protection.” The Rules are written for both private companies handling personal data but also for the state.
In October 2017, the NPC published its first two memorandum circulars. The first one was on the Security of Personal Data in Government. It defines the duties and responsibilities of government bodies that process personal data. Among those responsibilities is the designation of a Data Protection Officer in charge of conducting Privacy Impact Assessment.
The second circular is on Data Sharing Agreements Involving Government Agencies. It defines data-sharing safeguard that personal information controllers will have to implement for data to be transfer among government bodies.
Examples of data breaches
In March 2016, the Philippines fell prey to what has been dubbed as the biggest breach in history concerning government-held data when the personal information of over 55 million registered Filipino voters were leaked following a breach on the Commission on Elections' (COMELEC's) database. This incident shed light on and directed attention to the extent of personal information being collected and held by government authorities, as well as their capabilities (or the lack thereof) in securing such information. It caused a stir in both local and global news and has developed into the first case for the NPC.
In September 2016, the NPC concluded that:
- There was a security breach that provided access to the COMELEC database that contained both personal and sensitive information, and other information that may be used to enable identity fraud. The personal data included in the compromised database contained passport information, tax identification numbers, names of firearm owners and information about their firearms, e-mail addresses, among others; and
- In addition to the defacement of the COMELEC website on the evening of 27 March 2016, it is reasonably established that access to the database containing personal data occurred in the week before the defacement, from around eight different networks, over four to five days.
A preliminary report identifies two indicators of negligence on behalf of COMELEC:
- The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access; and
- The vulnerabilities in the website, and failure to monitor regularly for security breaches allowed unlawful access to the COMELEC website.
Accountability Mecanism
i. Freedom of Information
There is currently no FOI law in the Philippines. A consolidated bill was approved by the public information panel and is now with the Committee on Appropriations. It is pending a second reading but has not been included in the Common Legislative Agenda for the 17th Congress.
However, following his election president Duterte signed an Executive Order on FOI. Executive Orders mean FOI requests can only pertain to the work of the executives, and can be ended at any point. The Order contained 11 pages of exceptions.
Identification Schemes
ID cards and databases
The Philippines currently has no national ID card system. However, the National ID bill (House Bill 6221) was approved on third reading by the House of Representatives in September 2017. In October 2018 the Philippine Statistics Authority finalised the implementing rules and regulations for the national ID.
Voter registration
Pursuant to Republic Act No. 10367, voters are required to have their biometrics data (i.e., fingerprints, photograph, and digital signature) captured by the COMELEC before they are allowed to vote. The law considers the absence of biometrics in a voter’s registration record as a ground for the deactivation of an individual as a registered voter. To register to vote, a person has to first establish his or her identity by presenting a valid ID, which may be any of the following:
- Employee’s identification card, with the signature of the employer or an authorized representative;
- Postal ID;
- Person with Disability (PWD) Discount ID;
- Student’s ID or library card, signed by the school authority;
- Senior Citizen’s ID;
- Driver’s license;
- NBI clearance;
- Passport;
- SSS/GSIS ID;
- Integrated Bar of the Philippines (IBP) ID;
- License issued by the Professional Regulatory Commission (PRC);
- Certificate of Confirmation issued by the National Commission on Indigenous Peoples (NCIP) in case of members of ICCs or IPs; or
- Any other valid ID.
Absent these, an applicant may be identified under oath by any registered voter of the precinct where he/she intends to be registered, or by any of his/her relatives within the fourth civil degree of consanguinity or affinity. A registered voter shall only be allowed to identify up to three applicants.
SIM card registration
There is currently a total of 12 bills in the House of Representatives (including House Bill No 5231) and seven bills in the Senate (including Senate Bill No 105) on SIM card registration. The technical Working Group at the House of Rep has consolidated those bills. As of November 2017, the draft has not been publicly released.
Policies and Sectoral Initiatives
Cybersecurity policy
We are not aware of any specific cybersecurity policy in the Philippines. Please send any tips or information to: [email protected]
Cybercrime
Section 12 of the Cybercrime Prevention Act of 2012 (RA 10175) originally authorized law enforcers, “with due cause… to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system,"until this provision, among others, was declared void for being unconstitutional by the Philippine Supreme Court in 2014 (see: Disini, et al. v. Secretary of Justice, et al., G.R. No. 203335 (11 February 2014)).
This Decision ruled upon 15 consolidated petitions seeking to declare several provisions of RA 10175 unconstitutional and void. The Court said that “[t]he authority that Section 12 gives law enforcement agencies is too sweeping and lacks restraint”.) Despite the nullification, however, this law still allows the interception (Interception refers to listening to, recording, monitoring or surveillance of the content of communications, including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring (Sec. 3(m), RA 10175) of communications and the disclosure (Sec. 14, RA 10175) and preservation (Sec. 13, RA 10175) of computer data (defined in Sec. 3(e), RA 10175.), provided certain requirements are complied with.
Under this law, the disclosure of computer data, that is, an order by law enforcement authorities requiring a person or service provider (defined in Sec. 3(n), RA 10175) to disclose or submit subscriber’s information (defined in Sec. 3(o), RA 10175), traffic data (defined in Sec. 3(p), RA 10175) or other data in his/its possession or control must be: (1) based on a court warrant secured for this purpose; (2) in relation to a valid complaint officially docketed and assigned for investigation; and (3) necessary and relevant for the purpose of investigation (Sec. 14, RA 10175). It must be pointed out, however, that there appears to be no provision for the requirements for the issuance of a court warrant. Requirements for the issuance of a court warrant could originally be found in the last paragraph of Section 12 which was nullified by the Supreme Court in the Disini case.
On the other hand, RA 10175 requires the preservation of data (i.e. traffic data and subscriber information) for a minimum period of six months from the date of the transaction (Sec. 13, RA 10175). Similarly, content data—not specifically defined by the law—shall be preserved for six months from the receipt of an order from law enforcement authorities requiring its preservation (Sec. 13, RA 10175). The law also allows law enforcement authorities to order a one-time extension for another six months, except that once computer data stored by a service provider are used as evidence in a case, the mere furnishing to such service provider of the transmittal document to the Office of the Prosecutor shall be deemed a notification to preserve the computer data until the termination of the case (Sec. 13, RA 10175). Furthermore, the service provider ordered to preserve computer data is directed to keep the order and its compliance confidential (Sec. 13, RA 10175). Again, as in the case of a court warrant, the law does not appear to state any prerequisites for the issuance of the aforementioned orders by law enforcement authorities.
Licensing of industry
Regulatory Bodies
The National Telecommunications Commission is the local telecommunications industry’s regulatory body. Its legal mandate consists of the following:
- Regulation of the installation, operation and maintenance of radio stations both for private and public use;
- Regulation and supervision of the provision of public telecommunications services;
- Management of the radio spectrum; and
- Regulation and supervision of radio and television broadcast stations, cable televisions and pay television.
In pursuit of such objectives, it performs the following functions:
- Granting certificates of Public convenience and Necessity/Provisional Authority to install, operate and maintain telecommunications, broadcast and CATV services;
- Granting licenses to install, operate and maintain radio stations;
- Allocating/sub-allocating and assigning the use of radio frequencies;
- Type-approving/type-accepting all radio communications, broadcast and customer premises equipment;
- Conducting radio communications examination and issue radio operators certificate;
- Preparing, planning and conducting studies for policy and regulatory purposes;
- Monitoring the operation of all telecommunications and broadcast activities;
- Enforcing applicable domestic and international laws, rules and regulations, prosecuting violations thereof, and imposing appropriate penalties/sanctions;
- Issuing licenses to operate land, maritime, aeronautical and safety devices; and
- Performing such other telecommunications/broadcast-related activities as may be necessary in the interest of public service.
Communications Service Providers
Only two companies control the telecommunications industry in the Philippines, Globe Telecoms (Globe) and Smart/Philippine Long Distance Telephone (PLDT).
Globe is the nation's predominant phone service provider with 65.5 million subscribers of a total population of approximately 100 million, as reported in October 2015. Smart, an operator fully owned by PLDT, has approximately 54.5 million subscribers.
E-governance/digital agenda
In 2012, the Data Privacy Act was signed into law, thereby putting into place several data protection standards. The Act applies to “personal information” One of the exemptions cited in the law pertains to “information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.”
Nevertheless, the law also contains several provisions that explicitly concern government agencies. For example, it provides the following functions to the Commission: “(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy; (e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act; (f) Coordinate with other government agencies […] on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;” The law also contains an entire chapter dedicated to Security of Sensitive Personal Information in Government.
Health sector and e-health
In January 2016, the Department of Health, Department of Science and Technology, and Philippine Health Insurance Corporation signed Joint Administrative Order No. 2016-0002, or the Privacy Guidelines for the Implementation of the Philippine Health Information Exchange (PHIE). The PHIE allows participating health care providers to share health information and harmonizes health data from various electronic medical record (EMR) and hospital information systems. Given that the data collected and processed in the PHIE is both personal and sensitive information, the Privacy Guidelines complement the Data Privacy Act of 2012 and other specific legislation on health privacy in ensuring that the implementation of the PHIE is in line with data protection and privacy principles.
Smart policing
There has been no news regarding the use (or planned use) of predictive policing in the Philippines. Nevertheless, the Philippine National Police currently uses an automated fingerprint identification system (AFIS), which includes the use of a central comprehensive database for criminal identification. The AFIS enables the police to compare fingerprints recovered in a crime scene against those stored in an existing database of both identified and unidentified prints. As of June 2015, the PNP crime laboratory’s database already contained more than 761,000 records.
If you know more about smart policing in the Philippines, please send any tips or information to: [email protected]
Transport
Since 2015, the Philippines is now among the few Asian countries that use a smart transportation card. Although less widespread than its contemporaries, the beep™ card is gradually becoming a central and necessary transportation device in Metro Manila. The system first went live for LRT2 in May 2015, shortly followed by MRT3 and LRT1. At present, beep™ cards may also be used in the HM Transport Airport Loop buses and in BGC Buses. Like with many other “smart cards” such as Oyster cards in the UK , the extent of personal information collected, held, and used by these systems makes for a crucial privacy issue. As of this writing, however, beep™ card registration is not yet available, and users are not required to register their cards or submit personal information to be able to avail of the system. An exemption is in case of the issuance of a Concessionary beep™ card, for which some personal data may be required. The card’s Privacy Policy does not provide a comprehensive list of such data.
According to the beep™ website, the personal data of users may be used to comply with legal requirements, processes, and obligations, or to prevent imminent harm to public security, safety, or order. Their Privacy Policy also states that the “[p]rocessing of beep™ holder’s personal data may be outsourced to third parties, such as but not limited to, the Transport Establishments, vendors, service providers, partners or other agents, to fulfill any of the above purposes. They may have access to beep™ holder’s personal data for a limited time under reasonable contractual and technical safeguards to limit their use of such information.”
Smart cities
Most smart city initiatives in the Philippines have been implemented by the private sector, sometimes in cooperation with local government units. For instance, the Davao City government tapped IBM Philippines to provide an Intelligent Operations Center platform, which became operational in 2015. The platform “allows the authorized government bodies (including multiple local government agencies such as police, fire, and anti-terrorism task force) to use analytics software and monitor events and operations in real-time.” At the capital, the Metro Manila Development Authority (MMDA) collects and processes traffic data through its Traffic Signalization System (TSS). The TSS uses a monitoring network that initially involved 150 CCTVs in 25 video surveillance locations in Metro Manila. The MMDA also has a mobile application that lets users view real-time traffic information in major roads. A quick look at the app’s download page shows that it requires access to the user’s location.
Migration
High-security passports
The Presidential Communications Operations Office (PCOO) has announced that starting 15 August 2016, the Philippines started issuing new “high-security passports” through an expedited process. PCO Secretary Martin Andanar said that the new passport will include security features and qualities that would prevent incidents of fraud. One such feature is a microchip that contains personal data of the passport holder. There have been no reports, however, as to what types of personal data will be stored in the microchip.
Biometric data
In 2015, FMA reported that the Philippines government was considering adopting PISCES, a US-government developed biometric identification technology at its border points (including the Ninoy Aquino International Airport), as indicated in certain classified documents acquired by privacy activists. PISCES is the acronym for "Personal Identification Secure Comparison and Evaluation System," a customizable software application that provides border control officials with information that allows them to identify and detain or track individuals of interest. The system can be used to quickly retrieve information on persons entering or leaving a particular country.
The US introduced the software in 1997 through its Terrorist Interdiction Program (TIP) “a highly effective, low-cost proven tool in the global fight against terrorism.... [which] ...provides participant countries with the ability to collect, compare and analyze traveler data to assist the country in securing its borders and, if necessary, detain individuals of interest."
In 2004, a local paper quoted a Bureau of Immigration officer stationed at the NAIA making a remark about an impending upgrade of the PISCES program they were then using in the facility. Thus, it is likely that the 2015 document represents either an upgrade of an existing program, or a reintroduction of the program (if its use was discontinued at some point in the past).
Emergency response
On 1 August 2016, 911 was launched as the Philippines’ national emergency hotline. The Department of Interior and Local Government (DILG) said that calling the hotline will connect the caller to emergency, rescue, police, or fire services. The two telecommunications giants in the country have also expressed their support for the initiative.
As of this writing, there has been no information as to how the response center processes and protects the data collected from these calls. Meanwhile, a DILG official has stated plans to include in the emergency response system CCTV that will monitor public places.
Humanitarian and development programmes
One of the more prominent uses of biometric technology in the Philippines is in the welfare services, particularly in the government's Pantawid Pamilyang Pilipino Program. The Department of Social Welfare and Development (DSWD) first launched a biometric payout system for the Program in 2012.
Social media
In 2015, FMA reported capacities that the Philippines government was considering adopting Signal, a software used for large-scale social media analysis, as part of its emergency management and policing.
Initially developed by the New Zealand Police as part of its security measures during the Rugby World Cup hosted by the country in 2011, the application later underwent significant enhancements, owing to the Police’s subsequent partnership with Intergen and Microsoft. Among others, all information gathered by the application are now funneled into a single platform known as Real-Time Intelligence for Operational Deployment (RIOD). This platform is based on Microsoft SharePoint and allows for improved collaboration, process optimization and information discovery. Meanwhile, the Microsoft Azure cloud platform is used to secure real-time intelligence and provide situational awareness on specific incidents.