Last June of this year, I came out with an article that enumerated some of my comments on the Implementing Rules and Regulations of the Supreme Court on the Online Mandatory Continuing Legal Education (MCLE) seminars for lawyers. I circulated it with several entities and decided to publish it this month on this blogspace. I have received some comments on my comments since then, and I desire to highlight in this article one very important entity the Supreme Court missed in its enumeration of the parties involved in the provisioning of the online MCLE and their concomitant obligations, i.e., the technology service providers.
The IRR’s provision on the technical requirements stipulates that:
a) Providers must have:
1) Reliable internet connection;
2) High bandwidth availability, able to scale and capable of supporting numerous simultaneous connections;
3) Encryption mechanism to protect users’ data;
4) High availability/uptime and low downtimes;
5) Data Retention and Destruction Policy;
6) Audit Trails and Logs;
7) Fast and reliable 24/7 Customer Service Support in case of technical glitches/issues [Rule 1, Section 2. Technical Requirements].
It was a mistake to exclude from the IRR any specific reference to technology service providers, because most, if not all, of the Supreme Court MCLE accredited government and private providers (hereinafter “accredited providers”) are not technologically and logistically equipped to provide all these technical requirements, and then some, to MCLE online participants. It is quite explicit that even in the accreditation process, these accredited government and private providers have to present a “working prototype of their online MCLE offering” [Rule 1, Section 1. c)], which requires a feasible proof of concept and evidence of viable technical capabilities that these accredited providers, on their own, do not possess. So, in order to comply with these requirements, these accredited providers would have to outsource or seek the assistance of so-called “third party” technology providers, who would be the ones actually equipped to provide the technology services and support that make the MCLE online seminars a reality.
The COMELEC example
One must be wary of treating technology providers as third parties outside the disciplinary purview of the Supreme Court. In my book “Cryptology: The Law and Science of Electronic Secrets and Codes” I dissected the contractual relationship between COMELEC and Smartmatic TIM and gave it as an example of a horrific relationship that had apparently served to oppress and disadvantage the Philippine electorate.
What happened at the inception? Well, we the Philippine electorate and citizens, through COMELEC, paid billions of pesos for a technology that had not yet been tested when it was procured, and, as it turned out, Smartmatic TIM did not originally own the intellectual property rights to the technology, including the source codes, when they were procured way back in 2009. It was a mere licensee. The owner was Dominion Voting Systems, a third party that was not involved in the contract between COMELEC and Smartmatic TIM.
This fact was not esoteric or hidden knowledge, and Atty. Harry Roque had already warned in 2009 that if the relationship between Smartmatic TIM and Dominion Voting Systems soured, COMELEC would be a mere bystander.
True enough, Smartmatic filed a complaint against Dominion Voting Systems in Delaware, USA on September 11, 2012, and one of the revelations in its complaint was that Dominion Voting Systems had never given it access to the revised source codes of the election technologies since the May 2010 e-elections in the Philippines, because Dominion was exacting more money from Smartmatic, which the latter apparently was not willing to pay. Due to the conflict between the two, COMELEC was reduced to waiting for the source codes to be given to it by Smartmatic TIM. The alleged revised source codes for the election technologies were given to COMELEC several days before the May 13, 2013 e-elections, which of course made it impossible for any legitimate Philippine source code reviewers to conduct the comprehensive source code reviews prior to the e-elections that the law provides for.
Indispensable Parties and Accountability
The whole point of the above example is that the real actual technology providers for legitimate activities tinged with public interest, like the online MCLE seminars, cannot and should not be treated as unseen third parties. The IRR relegated them to the invisible sidelines. They are indispensable parties in the provision of services to what I still believe is an important sector of the public, i.e., the legal professionals.
The thing is, accountability must not rest on implication. Technology providers must be properly named or included in the IRR, to be held accountable to certain technological and legal standards, and not merely on the data privacy aspects.
Also, it would certainly be inequitable that, in situations where their services go awry, only the accredited providers would get the blame, primarily from the participants who deal directly with them and who might not know who the real technology providers are. At the very least, by subjecting these technology providers to the administrative arm of the Supreme Court, they can be made to explain the lapses in their service, and can be subjected to fines and sanctions.
Technological Standards
In my first article, I insisted on certain technological standards that need to be spelled out by the Supreme Court, which necessitates that its relevant personnel, researchers and officials who draft IRRs on technology-related matters be up to speed on technological developments that pertain to its legal and judicial activities. It is only by understanding and setting the relevant standards that accredited providers and the Supreme Court can determine if, how, and when technology providers can be held accountable for their fault, negligence and outright breach of their responsibilities.
The Necessity for Setting or Defining Standards
Now, one of the comments I received on my first article sideswiped the need for establishing standards in favor of trust or belief in the technology provider’s services. Trust or belief in an IT system that will implement the online MCLE course offerings cannot, and should not, replace the compliance of such IT system with industry standards, evidenced by legitimate third-party certifications, coupled with proven good governance and customer satisfaction.
Finding out the relevant standards and insisting on compliance with them is as much a task for the accredited providers, in their negotiations and dealings with the technology providers, as for the Supreme Court MCLE Committee in its oversight or supervisory role.
I must point out that technology providers, particularly those in the cloud industry, can be classified into several entities according to the NIST Cloud Computing Standards Roadmap.
The accredited providers are technically the “cloud consumers”, since they are the ones “that maintain a business relationship with, and uses the service from, a cloud provider”. The accredited provider is the one that “requests the appropriate service, sets up service contracts with the cloud provider, and uses the service” for the benefit of its end users, the MCLE participants.
The technology providers can be classed under the NIST Roadmap either as cloud providers or cloud brokers. A cloud provider is one “responsible for making a service available to cloud consumers. A cloud provider builds the requested software/platform/infrastructure services, manages the technical infrastructure required for providing the services, provisions the services at agreed-upon service levels, and protects the security and privacy of the services”. An example is the Amazon Web Services (AWS).
However, the accredited provider, as a cloud consumer, may not be able to create and/or manage all the services necessary to realize and deliver the MCLE online courses to the MCLE participants. This would probably be the case for most Philippine accredited providers. So, instead of dealing directly with the cloud provider, the accredited provider would enlist the services of a cloud broker. This entity would manage the use, performance, and delivery of cloud services, and negotiate the relationships between cloud providers and the accredited provider. The cloud broker would provide a single interface or platform for multiple cloud services that may be in public, private or hybrid clouds and provided by different providers. An example is the IBM Cloud Brokerage Managed Services.
Two other entities must be mentioned for the sake of completeness. A cloud carrier provides connectivity or access between cloud consumers (and their ultimate customers) and cloud providers. The cloud carrier also distributes cloud services through the physical transportation of storage media like high-capacity hard drives. It is actually the cloud provider that will contract with the cloud carrier for the appropriate services, including encryption of connections between cloud consumers and cloud providers.
The last is the cloud auditor which the NIST Roadmap designated as the party that can “conduct independent assessment of cloud services, information system operations, performance, and the security of a cloud computing implementation. A cloud auditor can evaluate the services provided by a cloud provider in terms of security controls, privacy impact, performance, and adherence to service level agreement parameters”. This entity is especially crucial for the cloud consumer like an accredited provider which seeks proof of the technical viability of a cloud broker or cloud provider, prior to securing their services.
The Baseline Standards
Currently, there are different standards touted by different organizations concerning the evaluation of cloud computing technologies and environments by cloud customers. This article is not the place to discuss all of these, but I would like to point out a few technological standards that have received many citations from various entities and which address the crucial features of cloud services. Cloud consumers should require cloud service providers and cloud brokers to demonstrate compliance with these standards, and should verify that compliance, via certifications or, at the very least, compliance reports.
The Cloud Standards Customer Council advises cloud consumers like accredited providers to look for verification or certification of compliance by cloud service providers/brokers with several ISO/IEC standards.
ISO/IEC 27001 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organizations according to the particular information security risks they face. This is not specific to cloud computing, but its principles can be usefully applied to the provision of cloud services. Some cloud service providers already claim conformance to ISO/IEC 27001, many of them through third-party certifications.
ISO/IEC 27002 is a collection of security controls (often referred to as best practices) that are often used as a security standard. Security controls described in ISO/IEC 27002 highlight the general features that need to be addressed, including asset management, access control and cryptography, to which specific techniques and technologies can then be applied. Accredited providers are advised to look for cloud service providers that conform to the ISO/IEC 27002 standard for physical and environmental security. A company can assert on its own behalf as to its compliance with this standard, but a third-party certification is a stronger form of attestation.
ISO/IEC 27017 is the Code of practice for information security controls based on ISO/IEC 27002 for cloud services. It provides guidelines for information security controls applicable to the provision and use of cloud services. Specific guidance is included in ISO/IEC 27017 to clarify cloud service customer and cloud service provider responsibilities. Since this standard is specific to cloud computing, accredited providers should seek cloud service providers with ISO/IEC 27017 certification.
ISO/IEC 27018 is the Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. As its name implies, it sets specific guidelines, control objectives and controls aimed at protecting PII which is stored or processed by public cloud services. It uses as its basis the principles defined in the ISO/IEC 29100 Privacy Framework. Both the Privacy Framework and ISO/IEC 27018 greatly complement the Philippine Data Privacy Law and should be consulted by accredited providers. Since ISO/IEC 27018 pertains to the PII of online MCLE participants, accredited providers should verify whether the cloud service provider has been certified as compliant with this standard. If not, accredited providers are advised to seek a data compliance report from the cloud provider, reflecting the strength or weakness of the controls, services, and mechanisms supported by the provider in all security domains.
When it comes to network security requirements, ISO/IEC 27033-1 — Network security overview and concepts; ISO/IEC 27033-2 — Guidelines for the design and implementation of network security; and ISO/IEC 27033-3:2010 — Reference networking scenarios – threats, design techniques and control issues, are quite pertinent. If the cloud service provider has an ISO/IEC 27001 certification, then its conformance to these standards would typically be included in the documentation of its adherence.
Digital certificates and encryption are important aspects of Information Asset Management, in support of public key infrastructure (PKI) and the establishment of trust when using cloud services. Accredited providers should be aware of the support that the cloud service provider has for digital certificates, including PKCS, X.509, and OpenPGP. However, I hasten to add that in the last two years, developments in quantum computing have accelerated, and I will tackle the subject of encryption in a separate article. Suffice it to say that we are now entering the age of quantum computing, and the quantum Internet, where the classical cryptographic systems employed now to protect e-data would no longer be safe.
I would also like to mention that Service Level Agreements (SLA) or Cloud Service Agreements (CSA), which are usually laid down by cloud providers/brokers, need to be scrutinized and negotiated by accredited providers. It has been said that these agreements are “often the best indicator of how, and how often, the provider expects their service to fail. Therefore, CSCs (Cloud Service Customers) must remember that downtime, poor performance, security breaches and data losses are ultimately their risks to bear” [Object Management Group, Feb. 2019, Practical Guide to Cloud Service Agreements]. Thus, in my first Comments, I explained the significance of the “9”s in the percentages, as they reflect the expected uptimes and downtimes of a cloud provider’s service. The standard that should be imposed for this requirement, and reflected in the SLA between the accredited provider and the cloud service provider/broker, should be 99.999%. This means that the online participant should never expect, and should not experience, any real downtime at all in accessing the online MCLE seminars 24/7, absent any force majeure or electricity outage that cannot be attributed to the fault or negligence of the cloud provider.
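To make the “9”s concrete, here is an added example (mine, not from the article or from any provider) that converts an SLA uptime percentage into the downtime budget it actually permits over a month or a year, and then checks a constructed outage log against the 99.999% target proposed above. It mirrors the article’s carve-out by counting only outages attributed to the provider: outages tagged as force majeure or a non-attributable power outage are excluded. The 30-day month, the 365-day year, the cause tags, and the sample outage records are all my assumptions.

```python
"""
Added example: SLA uptime budget and compliance check.
Not from the article; the period lengths, cause tags and outage records
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SECONDS_PER_DAY = 86_400


def downtime_budget(uptime_pct: float, period_days: float) -> timedelta:
    """Maximum downtime an uptime percentage permits over a period of the given length."""
    if not 0 <= uptime_pct <= 100:
        raise ValueError("uptime percentage must be between 0 and 100")
    allowed_fraction = 1 - uptime_pct / 100
    return timedelta(seconds=allowed_fraction * period_days * SECONDS_PER_DAY)


def nines_table(levels=(99.0, 99.9, 99.99, 99.999)) -> dict:
    """Downtime budget per 30-day month and per 365-day year for each uptime level (assumed period lengths)."""
    return {
        pct: {"monthly": downtime_budget(pct, 30), "yearly": downtime_budget(pct, 365)}
        for pct in levels
    }


@dataclass
class Outage:
    start: datetime
    end: datetime
    cause: str  # hypothetical tag: "provider", "force_majeure" or "grid_power"

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Causes the article's SLA standard excludes: force majeure and power outages
# not attributable to the provider's fault or negligence.
EXCLUDED_CAUSES = {"force_majeure", "grid_power"}


def sla_evaluation(outages, uptime_pct, period_start, period_end) -> dict:
    """Sum provider-attributable downtime in the period and compare it with the SLA budget."""
    period = period_end - period_start
    attributable = sum(
        (o.duration for o in outages if o.cause not in EXCLUDED_CAUSES),
        timedelta(0),
    )
    budget = downtime_budget(uptime_pct, period / timedelta(days=1))
    measured_uptime_pct = 100 * (1 - attributable / period)
    return {
        "attributable_downtime": attributable,
        "budget": budget,
        "measured_uptime_pct": measured_uptime_pct,
        "met": attributable <= budget,
    }


# Constructed sample outage log for one 30-day reporting period.
PERIOD_START = datetime(2021, 1, 1)
PERIOD_END = PERIOD_START + timedelta(days=30)
SAMPLE_OUTAGES = [
    Outage(datetime(2021, 1, 5, 2, 0, 0), datetime(2021, 1, 5, 2, 0, 20), "provider"),       # 20 s, counts
    Outage(datetime(2021, 1, 12, 9, 0, 0), datetime(2021, 1, 12, 10, 0, 0), "force_majeure"), # 1 h, excluded
    Outage(datetime(2021, 1, 20, 14, 0, 0), datetime(2021, 1, 20, 14, 1, 0), "provider"),     # 60 s, counts
]

if __name__ == "__main__":
    for pct, budget in nines_table().items():
        print(f"{pct:>7}%  monthly budget {budget['monthly']}  yearly budget {budget['yearly']}")
    for target in (99.99, 99.999):
        result = sla_evaluation(SAMPLE_OUTAGES, target, PERIOD_START, PERIOD_END)
        print(f"target {target}%: attributable {result['attributable_downtime']}, "
              f"budget {result['budget']}, measured {result['measured_uptime_pct']:.5f}%, "
              f"met={result['met']}")
```

With the constructed log, 80 seconds of provider-attributable downtime over 30 days is well within a 99.99% budget (about 4.3 minutes per month) but exceeds the 99.999% budget (about 26 seconds per month, roughly 5.3 minutes per year). Which causes count as excluded is precisely the kind of term the accredited provider should negotiate into the SLA rather than leave to the provider’s template.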
Conclusion:
The provision of MCLE online courses all over the Philippines must be professionalized. This can only be done by adhering to the technical and industry standards that pertain to the delivery of services by technology providers, to which they must be held accountable. It is high time that the accredited providers and the Supreme Court, through its MCLE Committee, be cognizant of these standards, which can not only ensure professionalism but also assist in meeting the needs of Philippine lawyers.