Note: PLEASE CLICK ON PICTURES TO MAKE THEM BIGGER
In my Mandatory Continuing Legal Education (MCLE) lecture for the GSIS last July 26, 2017, I was informed by an unimpeachable source that the digital certificate authority (DCA) the GSIS is using for its website is “C Trust Wave(?)”. I placed the phrase in question marks because I know of TrustWave as a DCA, but I am not familiar with what the source said. This DCA is the one supposedly used by the pertinent reseller to GSIS. According to the unimpeachable source, the “GSIS management” [which was the term used by the source all throughout my discussion with this source] was informed that the digital certificate issued to GSIS was weak, and of the security risks involved. But GSIS is still using it because it was a “business decision”. The GSIS management figured that the risks of e-data breach were not great. Using the analogy of the unimpeachable source, to the GSIS management, it would not make sense in buying and using a P100,000 steel bolted door, when an ordinary wooden door would do, to secure the e-data assets of GSIS. The unimpeachable source does not even use the GSIS website in the source’s personal GSIS transactions.
If the e-GSISMO site is not secure as I confirmed in my research, and interaction with the GSIS unimpeachable source during my MCLE lecture, I theorized that the whole GSIS website is not secure because the e-GSISMO site is essentially linked with the GSIS site.
To set about proving my theory, without hacking the GSIS system, I utilized the three search browsers that the GSIS website endorsed and recommended, i.e., Mozilla Firefox, Google Chrome and Internet Explorer.
BEFORE I CONTINUE, PLEASE NOTE THESE DISCLAIMERS AND DISCLOSURES:
1. I AM NOT CLAIMING COPYRIGHT OR ANY FORM OF INTELLECTUAL PROPERTY ON THE CONTENT FOUND IN THE PICTURES I TOOK OF THE GSIS WEBPAGES. BUT I DO HOLD THE COPYRIGHT TO THE PICTURES I TOOK OF THE COMPUTER SCREENS WHICH IS DIFFERENT FROM THE CONTENT ON THE GSIS SITE.
2. TAKING THE PICTURES AND REPRODUCING THEM ON MY BLOGSITE IS THE ONLY TECHNOLOGICALLY FEASIBLE AND DEMONSTRABLE WAY TO SHOW THE PROOF OF THE INSECURITY OF THE WHOLE GSIS WEBSITE AND ITS INDIVIDUAL WEBPAGES.
3. GSIS CANNOT CLAIM COPYRIGHT ON THE RELATED MESSAGES AND ARTICLES OF THE BROWSERS REGARDING THE INSECURITY OF ITS WEBSPAGES AND WEBSITE BECAUSE THESE EMANATE FROM THE BROWSERS.
4. I TOOK THE PICTURES AND WROTE THIS ARTICLE FOR ACADEMIC, RESEARCH AND NON-COMMERCIAL PURPOSES TO SHOW THE INSECURITY OF THE GSIS WEBSITE IN THE INTEREST OF PUBLIC SERVICE AND THE PUBLIC GOOD.
5. I DID NOT ENGAGE IN ANY HACKING ACTIVITY. WHAT I DID HERE CAN BE DONE AND CONFIRMED BY ANYONE WHO HAS ACCESS TO A COMPUTER THAT HAS THE THREE BROWSERS, AND ACCESS TO THE INTERNET. I USED GOOGLE, YAHOO! AND BING SEARCH ENGINES TO FERRET OUT THE GSIS WEBSITE.
6. I DID THIS ON MY OWN AS A DATA PRIVACY ADVOCATE, WITHOUT RECEIVING ANY FORM OF REMUNERATION OR EVEN TECHNICAL HELP FROM ANYONE.
7. I AM NOT A GSIS MEMBER. BUT I HAVE RELATIVES AND FRIENDS WHO ARE. I DID THIS FOR THEM AND FOR ALL THE MILLIONS OF GSIS MEMBERS, PARTICULARLY RETIRED GSIS PENSIONERS, WHOSE INTERESTS DESERVE PROTECTION.
TESTING MY THEORY
To test my theory, I browsed different pages of the GSIS site. I utilized different computers to access the GSIS site with these different browsers. I did my browsing on different days: July 27, 29, 31, August 1, 3, 2017.
Here are the results of my Internet examination of the browsers’ responses to queries about GSIS. For representative brevity, I chose samples of pictures I took of different screenshots of the GSIS website, and of the browsers’ responses to my GSIS queries. Any of you, my dear readers can follow and verify the steps I took. This does not require any special IT skill.
FOR MOZILLA FIREFOX
I present two samples of web pages from the GSIS website accessed through the Mozilla Firefox browser. Please notice dear readers the insecure padlock icon situated opposite the Universal Resource Locator (URL) on the page, utilized by the Mozilla Firefox, which is highlighted with the image of a sign that represents the mouse/pointing device. This would be located on the upper left portion of the computer screen.
Here is a picture of the pensioners’ page:
Here is a picture of the news release pertaining to the GSIS’ transitioning to ISO 9001:2015:
For now, let us just concentrate on the pensioner’s section. If any of you dear readers would click on the padlocked symbol, you would be greeted with a message bar on the left portion of the computer screen. The first message from Mozilla Firefox is “www.gsis.gov.ph Connection is Not Secure The login information you enter on this page is not secure and could be compromised”.
Picture of Message bar
If you click on the “>” sign, you would be led to the reiteration of the Pensioners’ page with a Message Bar highlighting in blue font the phrase “Learn More”.
Picture of Learn More
If you click on “Learn More”, you would be led to a different and secure Mozilla Firefox page containing an article that explains the “Insecure password warning in Firefox”.
Picture of Mozilla Firefox article
This page stated that “(t)his is to inform you that if you enter your password it could be stolen by eavesdroppers and attackers.” Furthermore, the article warned that personal information should not be entered in insecure pages like the GSIS site.
NOTE ON THE ICON:
In other computers, instead of the insecure padlock sign, the icon would resemble rotating blades:
Picture of blade icon:
ACCESSING THE E-GSISMO SITE
In going to the e-GSISMO site from the GSIS site, one would be confronted with this warning by the Mozilla Firefox:
Picture of warning
FOR GOOGLE CHROME
Using Google Chrome, once you access the GSIS active home page, you would notice that there is an icon comprising of the small letter “i” within a circle. This is located opposite the URL of the GSIS site. If you bring your mouse/pointing device near the icon, a message will pop saying “View site information”.
Picture of icon and message
Once you click on the icon, you would be shown a message saying “Your connection to this site is not secure” and other details. There is also a phrase in blue font that states “Learn more”.
Once you click on the phrase “Learn more”, you would be led to a different secure Google Chrome site with an article explaining what the icon of “i” with a circle means.
The Google Chrome article states that the icon signifies that “(t)he site isn’t using a private connection. Someone might be able to see or change the information you send or get through this site”.
FOR INTERNET EXPLORER
For those using Internet Explorer 10 or 11, and with private computers that are configured to have the most secure settings, the experience can be frustrating. I tried accessing the e-GSISMO and other pages of the GSIS website for several days, but could not. This is a typical message that I got:
Picture “This page cannot be displayed”.
At other times, when I type “GSIS” on the Bing engine on Internet Explorer, I would be confronted with a listing of search request rejections due to unavailability or web security violations.
Picture of the search request rejections
Since the search request rejections are cached, I decided to click on the cached version of one of the rejections.
Picture of the cached link
I was then confronted with this message from the cached page:
The Internet explorer experience mirrors what I experienced when I tried to access the e-GSISMO page within, the GSIS site using the Mozilla Firefox: Nothing. Both browsers prevented me from accessing the web page due to security reasons.
The Mozilla Firefox was quite emphatic in its explanation for the error code I showed to the GSIS lawyers last July 26, 2017. It said that “Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a “Your connection is not secure” error message instead [https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox?as=u&utm_source=inproduct]”.
CAVEAT: PUBLIC COMPUTERS
But when I tried accessing the GSIS website on public computers in internet cafes like Netopia and other cafes in Laguna, I was able to access the site without any apparent issue. However, the different pages of the GSIS website are not encrypted. I will say more about this in the next section.
POSSIBLE LEGAL BASES OF VIOLATIONS OF R.A. 10173 BY THE “GSIS MANAGEMENT”
Even if one uses the public computers in internet cafes and access the GSIS website, that does not mean that such access can be safe. If you dear reader would right click on a GSIS webpage (not the e-GSISMO site), like the Pensioners’ page and click on “Properties” using the Internet Explorer browser like so:
You, my dear reader, would be confronted with this message on the left upper portion of the computer screen, stating that the connection is not encrypted.
If you click on “Certificates” you would have the message that this “(t)ype of document does not have a digital certificate”.
The Mozilla Firefox browser’s message alerts made it very clear that the GSIS website is not encrypted. I offer two illustrations of this.
Let us go back to the Pensioners’ page. When any of you dear readers would click on the unsecure padlock sign, you would encounter this message on the upper left portion of your computer screen, with the phrase “More Information” on the gray lower portion of the message.
When you click on the phrase “More Information” you will be given a different message regarding the status of encryption of the GSIS website, in this case of the Pensioners’ page:
Picture of the encryption status
This message repeats itself on different pages of the GSIS website. For example, let us go back to that News Press regarding the GSIS transitioning to the ISO 9001:2015. You, my dear reader would encounter the same message.
Picture of the encryption status
The messages concerning the non-encryption status of the GSIS website shows that the digital certificate for the website had not, and could not be verified by Mozilla Firefox. The unimpeachable GSIS source mentioned “C (See?) Trust Wave(?)” as the DCA which Mozilla Firefox does not recognize.
The messages also contained the warning that “(i)nformation sent over the Internet without encryption can be seen by other people while it is in transit”.
THE LEGAL REQUIREMENT OF ENCRYPTION WHICH THE GSIS MANAGEMENT DID NOT FOLLOW
Under SEC. 23 of R.A. 10173, “(a)ny technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission”.
The National Privacy Commission (NPC) required in Sec. 8 of “NPC Circular 16-01 – Security of Personal Data in Government Agencies” dated 10 October 2016, “(a)ll personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard”.
These provisions can and should be made to apply to government websites like the GSIS, which store personal information of its clients, employees and officials, which are made accessible to these people anywhere, via the Internet. Both the law and the NPC Circular are quite clear in their absolute directive. There are no exemptions or excepting circumstances that allow for the non-encryption of the personal data contained in these websites.
Furthermore, the law and the NPC directive did not make any instance as a precondition for encryption. So it is immaterial if no GSIS member had ever been actually harmed by using the unencrypted site of the GSIS.
THE VULNERABILITY OF THE GSIS SITE AS THE DIRECT RESULT OF THE GSIS MANAGEMENT’S “BUSINESS DECISION”
I must re-emphasize that according to the admission of the GSIS unimpeachable source whom I directly spoke to during my July 26, 2017 lecture, the GSIS management were apprised of the risks of having an unsecured website but they decided to continue the site’s operation as a “business decision”.
The Price to be Paid for an Unencrypted State
It bears noting that the continued unencrypted and unsecured state of the GSIS website makes it a prime target for several cybercriminal activities, including defacement and hacking. The information sent by GSIS members using this unsecured site can be intercepted and even altered. The content of that information can be stolen if valuable to the eavesdropper or interceptor.
The IoT and E-Data Aggregation
I must emphasize that all users of computers and e-devices all over the world are now connected to the “Internet of Everything” (IoT). You, my dear readers, who use your laptops, your smart phones, your Fitbit devices, other wearable devices and other smart appliances that are connected to the Internet, are subject to data collection by entities like the manufacturers of these devices, and other entities whose intent may be malicious. In using the Google Chrome browser in accessing the GSIS website, the insecure message posted by Google Chrome also include the notice that “Cookies” are utilized to collect information about the user of the site.
Depending on the type and nature of the cookies, this means that the user’s log-in information, device information, telephony details, IP address, and other identifying data about the user and/or his/her e-devices are collected. Since the GSIS site is unencrypted, any information entered by the user, for example, matters pertaining to auto shield insurance or home insurance in the GSIS site, can be seen by any interceptor or eavesdropper. At the hands of a knowledgeable and efficient cyber criminal, all these e-data can be aggregated to pinpoint the identity, habits and concerns of a particular user and used against that user.
In my lecture for the GSIS lawyers, I mentioned also the possibility of their organization being targeted with ransomware. Because the GSIS website is not encrypted, it is easier for any attacker to hijack the information, encrypt it, demand ransom, thus making it inaccessible, not merely to the GSIS members and pensioners, but even to the GSIS website administrator/operator/maintainer.
Possible Liability of GSIS Management
Sec. 20 (b) of R.A. 10173 imposes the legal obligation on a personal information controller, like the GSIS to “implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination”.
As I made very clear in my book “Cryptology: The Law and Science of Electronic Secrets and Codes”, encryption is one of the necessary safeguards that are crucial in protecting the security, confidentiality and authenticity of e-data. It is also one of those cyber-hygiene tools that should be utilized by any organization that processes the personal data of anyone. Employing encryption should be considered part of a corporation’s social and legal responsibility.
In this case, the “business decision” of GSIS management in letting the GSIS website remain unsecured, unencrypted and basically a target for hacking, as shown by the Mozilla Firefox message, evidently violates the unequivocal letter and intent of the law and the NPC directive.
Sec. 34. of R.A. 10173 provides that if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.
As I pointed out in my previous article on the insecurity of the e-GSISMO website, the Directors’ and Officers’ Liability Insurance (DOLI) policy of the GSIS will NOT cover any claim against the insured BOT members and officials in these two clear instances:
Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or Management, has violated its charter or caused unreasonable damage to its identified stakeholders.xxx
Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or unethical conduct.
THE GSIS MEMBERS BEING DENIED ACCESS TO THE GSIS SITE DUE TO THE INSECURITY OF THE WEBSITE
Another important violation here of the GSIS members’ and pensioners’ rights is the right to access their personal information in the GSIS website, including the e-GSISMO site. GSIS members and pensioners using the Internet Explorer (depending on several factors) and the Mozilla Firefox would be denied access to the e-GSISMO site because of “web security” violations, or the site’s connection is “untrusted” as evidenced from the messages that the two browsers would post to the computer screen of anyone who tried to access the e-GSISMO site. Due to the site’s insecurity, GSIS members and pensioners are actually discouraged to use the website. They cannot access their personal information, e.g., the status of their GSIS loans, the amount of their loans and the interests, the tentative computation of their pensions, etc., which are all very personal, sensitive and exclusive to each of them.
Furthermore, due to the website’s insecurity, GSIS members and pensioners are forced to conduct their transactions with the GSIS personally, which defeats the purpose of setting up the website to prevent long queues in GSIS offices and avoid waste of time, travel and other expenses on the part of the GSIS members and pensioners.
Under Sec. 16 (c) of R.A. 10173, the GSIS members and pensioners are granted the right of reasonable access to their personal information that is stored and processed through the GSIS website. The law allows GSIS members and pensioners access to, and upon demand, retrieve the “(1) Contents of his or her personal information that were processed; (2) Sources from which personal information were obtained; (3) Names and addresses of recipients of the personal information; (4) Manner by which such data were processed; (5) Reasons for the disclosure of the personal information to recipients; (6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject; (7) Date when his or her personal information concerning the data subject were last accessed and modified; and (8) The designation, or name or identity and address of the personal information controller” which can be contained in the e-GSISMO or GSIS website. The purpose for this access is to allow GSIS members and pensioners to check the accuracy of their personal information and the data that GSIS had processed, and to demand indemnity for damages due to “inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information” [Sec. 16 (f)] that GSIS processed.
Thus, the insecurity of the GSIS website and webpages actually prevents GSIS members and pensioners to exercise these rights granted to them as data subjects under R.A. 10173.
RES IPSA LOQUITUR
There is an applicable legal principle that law students learn in their Statutory Construction class, i.e., res ipsa loquitur, which means “the thing speaks for itself”. “(W)here the thing which caused the injury, without the fault of the injured, is under the exclusive control of the defendant and the injury is such that it should not have occurred if he, having such control used proper care, it affords reasonable evidence, in the absence of explanation that the injury arose from the defendant’s want of care, and the burden of proof is shifted to him to establish that he has observed due care and diligence” (Professional Services Inc., v. Agana, G.R. No. 126297, January 31, 2007, Supreme Court, 1st Division). In case any GSIS member or pensioner suffers any injury due to the insecurity of the GSIS website, that injury may be attributed to the “GSIS management” because the business decision to unleash this insecure website is theirs alone and they had exclusive control in terms of the decision power to set the course of operation of the GSIS website.
NPC ACTION ON THIS MATTER, SUA SPONTE
One of the lawyers represented during my MCLE lecture that GSIS is seeking a one year extension from the National Privacy Comission (NPC) to observe the R.A. 10173’s requirements. I asked the audience why should GSIS be given this extension, unlike the other PICs. I reminded them that R.A. 10173 has been passed in 2012 and the GSIS should have striven to comply with its requirements way back then. Besides, the NPC has been operating on this principle and set the deadline for all PICs as September 2017.
A one year extension might give GSIS another one year of institutional inertia or delay to fix the insecurity of its website. This must not be allowed because the GSIS website and its related sites, particularly the e-GSISMO contain crucial personal information that are vital to the economic security of millions of GSIS members and retired pensioners. If the GSIS management continue to use insecure websites, then GSIS must stop altogether the processing, including the storage of all the personal information of all its active and inactive members on these sites.
Since I am not a current GSIS member, I have no legal standing to bring a complaint against the GSIS to the NPC. I would leave it to you, dear reader, who may be a GSIS member to do this.
However, the NPC under its own rules, declared that the Commission, “sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the Act” [Sec. NPC Circular 16-04 – Rules of Procedure, dated 15 December 2016].
“Sua sponte” means that the NPC itself can take cognizance of this matter. It is a Latin term that means “of one’s own accord” or “voluntarily”.
That is the reason why I have emailed the URL of this article to Commissioner Liboro and Deputy Commissioner Patdu and to the email address for complaints to NPC. With this expose, I trust that the NPC would do their own investigation and confirm and rule on this matter.
FOR GSIS MEMBERS: WHERE TO FILE COMPLAINT
If any of you, dear readers, have been affected by the unsecured, unencrypted website of the GSIS, if your e-data regarding your personal information, membership, loans, pensions have been compromised, or if you cannot even access these personal information because you had been prevented from doing so by the browsers which did not accept the digital certificate of the GSIS website or had warned you of its insecurity, and thus did not proceed to bring you to the GSIS page or site you desired, you definitely suffered damage.
Under R.A. 10173, you can file a complaint against GSIS and seek for damages, as part of your legal rights as a “data subject”. The privilege of government agencies known as immunity from suit, should not prevent the NPC from proceeding with your complaint because, the damage was done by responsible and informed officials in this agency, acting clearly in disregard of R.A. 10173, not the agency itself.
To proceed with your complaint, kindly read the procedural rules of the NPC Circular 16-04 – Rules of Procedure here:
You can electronically file your complaint by email, bearing in mind this instruction:
[If] submissions are made through e-mail, all electronic documents must be submitted to firstname.lastname@example.org, copy furnished any and all other parties to the complaint (Sec. 8).
Please take heart in the fact that the NPC has previously dealt with another major data privacy violator, the COMELEC, admirably. Its decision against COMELEC and against its current Chair, Andres Bautista, showed that it did not apply the immunity from suit principle, but the letter and intent of R.A. 10173 to vindicate all our data privacy rights as voters.
What has been happening here is truly and absolutely inexcusable. It is mind boggling and unconscionable that an agency of the government, in charge of managing billions, if not trillions of Philippine pesos constituting the contributions and pensions of its members, and which has deep pockets for utilizing the Internet and its innovations to supposedly serve its clients and members, had intentionally scrimped on its budget as a “business decision” and left its website vulnerable to hacking.
The GSIS purportedly received several ISO certifications. Those in the know would know that getting these certifications entailed a lot of money and hard work. Its latest ISO certification bandied about in its “news” last July 28, 2017, was ISO 9001:2015. GSIS Officer in Charge Nora Malubay Saludares presented in the annual forum on Quality Management System the GSIS experience.
The press release ran:
The Forum which was held last Wednesday and Thursday (26 to 27 July 2017), highlighted the impact of ISO 9001 9001:2015-based QMS on business operations. GSIS received the ISO 9001:2015 certification for its QMS on loan processing and membership administration in March this year. In 2015, GSIS was conferred the ISO 9001:2008 for its loan processing only [bold italicized emphasis supplied].
The question that must be asked then: How can an agency that processes millions of personal information regarding its members’ loans and other membership details which are contained in its e-GSISMO website receive an ISO certification on these matters, when its own website that houses these relevant e-data is completely insecure and vulnerable to hacking, and does not even have a decent encryption system?
This is not mere ignorance or mere misappreciation by the GSIS BOT/management. They had been forewarned by the risks by their own people. They do not have to be warned by any outsider. This is wilful mismanagement of e-data. It shows simply, the utter and gross disregard by the GSIS BOT/management of the importance of securing the personal e-information of all its members that goes against the very principles of data processing and the legal rights of data subjects enshrined in R.A. 10173.
And take note dear readers, GSIS recently concluded a contract with another provider to operate their Skype appointment system. When I questioned the audience concerning the e-data privacy requirements that should have been included in the Terms of Reference in the procurement process, no one could answer me.
Paraphrasing Edmund Burke, in order for this iniquitous state to continue, it is enough that those in the know, do nothing. I refuse to let this state continue. Now my dear readers, all of you also know. I trust you all to do something!
God Bless Us!