Philippine Lawbytes 160: Technology Service Providers As Indispensable Parties in the Online MCLE and the Necessity for Understanding and Setting Standards (Copyright by Dr. Atty. Noel Guivani Ramiscal)

Last June of this year, I came out with an article that enumerated some of my comments on the Implementing Rules and Regulations of the Supreme Court on the Online Mandatory Continuing Legal Education (MCLE) seminars for lawyers. I circulated it with several entities and decided to publish it this month on this blogspace. I have gotten some comments to my comments since then, and I desire to highlight in this article one very important entity the Supreme Court missed in its enumeration of the parties involved in the provisioning of the online MCLE and their concomitant obligations, i.e., the technology service providers.

Perusing the IRR’s provision on the technical requirements, it was stipulated that:

a) Providers must have:

1) Reliable internet connection;

2) High bandwidth availability, able to scale and capable of supporting numerous simultaneous connections;

3) Encryption mechanism to protect users’ data;

4) High availability/uptime and low downtimes;

5) Data Retention and Destruction Policy;

6) Audit Trails and Logs;

7) Fast and reliable 24/7 Customer Service Support in case of technical glitches/issues [Rule 1, Section 2. Technical Requirements].

It was a mistake to exclude in the IRR any specific reference to technology service providers because most, if not all, the Supreme Court MCLE accredited government and private providers (hereinafter “accredited providers”) are not technologically and logistically equipped to provide all these technical requirements, and then some, to MCLE online participants. It is quite explicit that even in the accreditation process, these accredited government and private providers have to present a “working prototype of their online MCLE offering” [Rule 1, Section 1. c)], which requires a feasible proof of concept and evidence of viable technical capabilities that these accredited providers on their own, do not possess. So, in order to comply with these requirements, these accredited providers would have to outsource or seek the assistance of so-called “third party” technology providers who would be the ones that are actually equipped to provide the technology services and support to make the MCLE online seminars a reality.

The COMELEC example

One must be wary in treating technology providers as third parties, which are outside of the disciplinary purview of the Supreme Court. In my book “Cryptology: The Law and Science of Electronic Secrets and Codes” I dissected the contractual relationship between COMELEC and Smartmatic TIM and gave it as an example of a horrific relationship that had apparently served to oppress and disadvantage the Philippine electorate.

Cryptology Book of Dr. Atty. Noel G. Ramiscal

What happened in the inception? Well, we the Philippine electorate and citizens, through COMELEC, paid billions of pesos for the technology that was not yet tested when it was procured, and as it turned out Smartmatic TIM did not originally own the intellectual property rights to the technology, including the source codes, when they were procured way back in 2009. It was a mere licensee. The owner was Dominion Voting Systems, a third party, who was not involved in the contract between COMELEC and Smartmatic TIM.

Dr. Atty. Noel G. Ramiscal presenting his manuscript of “Cryptology: The Law and Science of Electronic Secrets and Codes” to then UP Institute of International Legal Studies Director, Atty. Harry Roque Jr. last January 27, 2015

This fact was not esoteric or hidden knowledge, and Atty. Harry Roque, in 2009 already warned that if the relationship between Smartmatic TIM and Dominion Voting Systems soured, COMELEC would just be a
bystander.

True enough, Smartmatic filed a complaint against Dominion Voting Systems in Delaware, USA last September 11, 2012, and in its complaint, one of its revelations was that Dominion Voting Systems never gave it access to the revised source codes of the election technologies, ever since the May 2010 e-elections in the Philippines because it was exacting more money from Smartmatic, which the latter apparently was not willing to pay. Due to the conflict between the two, COMELEC was reduced to waiting for the source codes to be given to it by Smartmatic TIM. The alleged revised source codes for the election technologies were given to COMELEC several days before the May 13, 2013 e-elections, which of course, made it impossible for any legitimate Philippine source code reviewers to conduct comprehensive source code reviews prior to the e-elections, which was provided by law.

Indispensable Parties and Accountability

The whole point of the above example is that the real actual technology providers for legitimate activities tinged with public interest, like the online MCLE seminars, cannot and should not be treated as unseen third parties. The IRR relegated them to the invisible sidelines. They are indispensable parties in the provision of services to what I still believe is an important sector of the public, i.e., the legal professionals.

The thing is, accountability must not be held to rest by implication. Technology providers must be properly named or included in the IRR, to be held accountable to certain technological and legal standards, and not merely on the data privacy aspects.

Also, it would certainly be inequitable that in situations where their services go awry, only the accredited providers would get the blame, primarily from the participants who deal directly with them, and who might not know the real technology providers. At the very least, by subjecting these technology providers to the administrative arm of the Supreme Court, they can be made to explain for the lapses in their service, and can be subject to fines and sanctions.

Technological Standards

In my first article, I insisted on certain technological standards that need to be spelled out by the Supreme Court which necessitate that its relevant personnel, researchers and officials that draft IRRs on technology related matters must be up to speed in technological developments that pertain to its legal and judicial activities. It is only by understanding and setting the relevant standards can accredited providers and the Supreme Court determine if, how, and when technological providers can be held accountable for their fault, negligence and outright breach of their responsibilities.

The Necessity for Setting or Defining Standards

Now one of the comments I have received from my first article sideswiped the need for establishing standards in favor of trust or belief in the technology provider’s services. Trust or belief in an IT system that will implement the online MCLE course offerings, cannot, and should not replace the compliance of such IT system with industry standards, evidenced by legitimate third-party certifications, coupled with proven good governance and customer satisfaction.

Finding out the relevant standards and insisting on their compliance, are as much a task for the accredited providers in their negotiation and dealings with the technology providers, and the Supreme Court MCLE Committee, in its oversight or supervisory role.

I must point out that technology providers, particularly those in the cloud industry, can be classified into several entities according to the NIST Cloud Computing Standards Roadmap.

The accredited providers are technically the “cloud consumers”, since they are the ones “that maintain a business relationship with, and uses the service from, a cloud provider”. The accredited provider is the one that “requests the appropriate service, sets up service contracts with the cloud provider, and uses the service” for the benefit of its end users, the MCLE participants.

The technology providers can be classed under the NIST Roadmap either as cloud providers or cloud brokers. A cloud provider is one “responsible for making a service available to cloud consumers. A cloud provider builds the requested software/platform/infrastructure services, manages the technical infrastructure required for providing the services, provisions the services at agreed-upon service levels, and protects the security and privacy of the services”. An example is the Amazon Web Services (AWS).

However, the accredited provider, as a cloud consumer, may not be able to create, and or manage all the services necessary to realize and deliver the MCLE online courses to the MCLE participants. This would probably be the case for most Philippine accredited providers. So, instead of dealing directly with the cloud provider, the accredited provider would enlist the services of a cloud broker. This entity would manage the use, performance, and delivery of cloud services, and negotiate the relationships between cloud providers and the accredited provider. The cloud broker would provide a single interface or platform for multiple cloud services that may be in public, private or hybrid clouds and provided by different providers. An example is the IBM Cloud Brokerage Managed Services.

Two other entities must be mentioned for the sake of completion. A cloud carrier provides connectivity or access between cloud consumers (and their ultimate customers), and cloud providers. The cloud carrier also distributes cloud services through the physical transportation of storage media like high capacity hard drives. It is actually the cloud provider that will contract with the cloud carrier for the appropriate services, including encryption of connections between cloud consumers and cloud providers.

The last is the cloud auditor which the NIST Roadmap designated as the party that can “conduct independent assessment of cloud services, information system operations, performance, and the security of a cloud computing implementation. A cloud auditor can evaluate the services provided by a cloud provider in terms of security controls, privacy impact, performance, and adherence to service level agreement parameters”. This entity is especially crucial for the cloud consumer like an accredited provider which seeks proof of the technical viability of a cloud broker or cloud provider, prior to securing their services.

The Baseline Standards

Currently, there are different standards touted by different organizations concerning the evaluation of cloud computing technologies and environments by cloud customers. This article is not the place to discuss all of these, but I would like to point out a few technological standards that have received many citations from various entities which address the crucial features of cloud services. These standards should be asked by cloud consumers to, and verified by, cloud service providers and cloud brokers, via certifications or at the very least compliance reports.

The Cloud Standards Customer Council advises cloud consumers like accredited providers to look for verification or certification of compliance by cloud service providers/brokers with several ISO/IEC standards.

ISO/IEC 27001 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organizations according to the particular information security risks they face. This is not specific to cloud computing, but its principles can be usefully applied to the provision of cloud services. Some cloud service providers already claim conformance to ISO/IEC 27001, many of them through third-party certifications.

ISO/IEC 27002 is a collection of security controls (often referred to as best practices) that are often used as a security standard. Security controls described in ISO/IEC 27002 highlight the general features that need to be addressed, including asset management, access control and cryptography, to which specific techniques and technologies can then be applied. Accredited providers are advised to look for cloud service providers that conform to the ISO/IEC 27002 standard for physical and environmental security. A company can assert on its own behalf as to its compliance with this standard, but a 3rd party certification is a stronger form of attestation.

ISO/IEC 27017, is the Code of practice for information security controls based on ISO/IEC 27002 for cloud services. It provides guidelines for information security controls applicable to the provision and use of cloud services. Specific guidance is included in ISO/IEC 27017 to clarify cloud service customer and cloud service provider responsibilities. Since this standard is specific to cloud computing, accredited providers should seek cloud service providers with ISO/IEC 27017 certification.

ISO/IEC 27018 is the Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. As its name entails, it sets specific guidelines, control objectives and controls aimed at protecting PII which is stored or processed by public cloud services. It uses as its bases the principles defined in ISO/IEC 29100 Privacy Framework. Both the Privacy Framework and ISO/IEC 27018 greatly complement the Philippine Data Privacy Law and should be consulted by accredited providers. Since ISO/IEC 27018 pertain to PII of online MCLE participants, accredited providers should verify if the cloud service provider has been certified as compliant of this standard. If not, accredited providers are advised to seek data compliance report from the cloud provider, reflecting the strength or weakness of controls, services, and mechanisms supported by the provider in all security domains.

When it comes to network security requirements, ISO/IEC 27033-1 — Network security overview and concepts; ISO/IEC 27033-2 — Guidelines for the design and implementation of network security; and ISO/IEC 27033-3:2010 — Reference networking scenarios – threats, design techniques and control issues, are quite pertinent. If the cloud service provider has an ISO/IEC 27001 certification, then its conformance to these standards would typically be included in the documentation of its adherence.

Digital certificates and encryption are important aspects of Information Asset Management, in support of public key infrastructure (PKI) and the establishment of trust when using cloud services. Accredited providers should be aware of the support that the cloud service provider has for digital certificates, including PKCS, X.509, and OpenPGP. However, I hasten to add that in the last two years, developments in quantum computing have accelerated, and I would tackle the subject of encryption in a separate article. Suffice it to say that we are now entering the age of quantum computing, and the quantum Internet, where the classical cryptographic systems employed now to protect e-data would no longer be safe.

I would also like to mention that Service Level Agreements (SLA) or Cloud Service Agreements (CSA), which are usually laid down by cloud providers/brokers need to be scrutinized and negotiated by accredited providers. It has been said that these agreements are “often the best indicator of how, and how often, the provider expects their service to fail. Therefore, CSCs (Cloud Service Customers) must remember that downtime, poor performance, security breaches and data losses are ultimately their risks to bear” [Object Management Group, Feb. 2019, Practical Guide to Cloud Service Agreements]. Thus, in my first Comments, I explained the significance of the “9”s in the percentages as they reflect in the expected uptimes and downtimes of a cloud provider service. The standard that should be imposed for this requirement, which should be reflected in the SLA between the accredited provider and the cloud service provider/broker should be 99.999%. This means that the online participant should never expect, and not experience any real downtime at all in accessing the online MCLE seminars 24/7, absent any force majeure or electricity outage that cannot be attributed to the fault or negligence of the cloud provider.

Conclusion:

The provision of MCLE online courses all over the Philippines must be professionalized. And this could only be done by adhering to technical and industrial standards that pertain to the delivery of services by technology providers, to which they must be held accountable. It is high time that the accredited providers and the Supreme Court, through its MCLE Committee, be cognizant of these standards that can ensure not only professionalism, but assist in meeting the needs of Philippine lawyers.

LAWBYTES 129: BEWARE TO ALL: THE GOVERNMENT SERVICE INSURANCE SYSTEM WEBSITE IS NOT SECURE! A REQUEST FOR SUA SPONTE ACTION BY THE NATIONAL PRIVACY COMMISSION (Copyright by Dr. Atty. Noel Guivani Ramiscal)

Note: PLEASE CLICK ON PICTURES TO MAKE THEM BIGGER

In my Mandatory Continuing Legal Education (MCLE) lecture for the GSIS last July 26, 2017, I was informed by an unimpeachable source that the digital certificate authority (DCA) the GSIS is using for its website is “C Trust Wave(?)”. I placed the phrase in question marks because I know of TrustWave as a DCA, but I am not familiar with what the source said. This DCA is the one supposedly used by the pertinent reseller to GSIS. According to the unimpeachable source, the “GSIS management” [which was the term used by the source all throughout my discussion with this source] was informed that the digital certificate issued to GSIS was weak, and of the security risks involved. But GSIS is still using it because it was a “business decision”. The GSIS management figured that the risks of e-data breach were not great. Using the analogy of the unimpeachable source, to the GSIS management, it would not make sense in buying and using a P100,000 steel bolted door, when an ordinary wooden door would do, to secure the e-data assets of GSIS. The unimpeachable source does not even use the GSIS website in the source’s personal GSIS transactions.

If the e-GSISMO site is not secure as I confirmed in my research, and interaction with the GSIS unimpeachable source during my MCLE lecture, I theorized that the whole GSIS website is not secure because the e-GSISMO site is essentially linked with the GSIS site.

To set about proving my theory, without hacking the GSIS system, I utilized the three search browsers that the GSIS website endorsed and recommended, i.e., Mozilla Firefox, Google Chrome and Internet Explorer.

GSIS expose NETOPIA time stamp and endorsement of GSIS site of Mozilla Firefox Google Chrome Internet Explorer picture copyright DRATTYNGRAMISCAL

BEFORE I CONTINUE, PLEASE NOTE THESE DISCLAIMERS AND DISCLOSURES:

1. I AM NOT CLAIMING COPYRIGHT OR ANY FORM OF INTELLECTUAL PROPERTY ON THE CONTENT FOUND IN THE PICTURES I TOOK OF THE GSIS WEBPAGES. BUT I DO HOLD THE COPYRIGHT TO THE PICTURES I TOOK OF THE COMPUTER SCREENS WHICH IS DIFFERENT FROM THE CONTENT ON THE GSIS SITE.

2. TAKING THE PICTURES AND REPRODUCING THEM ON MY BLOGSITE IS THE ONLY TECHNOLOGICALLY FEASIBLE AND DEMONSTRABLE WAY TO SHOW THE PROOF OF THE INSECURITY OF THE WHOLE GSIS WEBSITE AND ITS INDIVIDUAL WEBPAGES.

3. GSIS CANNOT CLAIM COPYRIGHT ON THE RELATED MESSAGES AND ARTICLES OF THE BROWSERS REGARDING THE INSECURITY OF ITS WEBSPAGES AND WEBSITE BECAUSE THESE EMANATE FROM THE BROWSERS.

4. I TOOK THE PICTURES AND WROTE THIS ARTICLE FOR ACADEMIC, RESEARCH AND NON-COMMERCIAL PURPOSES TO SHOW THE INSECURITY OF THE GSIS WEBSITE IN THE INTEREST OF PUBLIC SERVICE AND THE PUBLIC GOOD.

5. I DID NOT ENGAGE IN ANY HACKING ACTIVITY. WHAT I DID HERE CAN BE DONE AND CONFIRMED BY ANYONE WHO HAS ACCESS TO A COMPUTER THAT HAS THE THREE BROWSERS, AND ACCESS TO THE INTERNET. I USED GOOGLE, YAHOO! AND BING SEARCH ENGINES TO FERRET OUT THE GSIS WEBSITE.

6. I DID THIS ON MY OWN AS A DATA PRIVACY ADVOCATE, WITHOUT RECEIVING ANY FORM OF REMUNERATION OR EVEN TECHNICAL HELP FROM ANYONE.

7. I AM NOT A GSIS MEMBER. BUT I HAVE RELATIVES AND FRIENDS WHO ARE. I DID THIS FOR THEM AND FOR ALL THE MILLIONS OF GSIS MEMBERS, PARTICULARLY RETIRED GSIS PENSIONERS, WHOSE INTERESTS DESERVE PROTECTION.

TESTING MY THEORY

To test my theory, I browsed different pages of the GSIS site. I utilized different computers to access the GSIS site with these different browsers. I did my browsing on different days: July 27, 29, 31, August 1, 3, 2017.

Here are the results of my Internet examination of the browsers’ responses to queries about GSIS. For representative brevity, I chose samples of pictures I took of different screenshots of the GSIS website, and of the browsers’ responses to my GSIS queries. Any of you, my dear readers can follow and verify the steps I took. This does not require any special IT skill.

FOR MOZILLA FIREFOX

I present two samples of web pages from the GSIS website accessed through the Mozilla Firefox browser. Please notice dear readers the insecure padlock icon situated opposite the Universal Resource Locator (URL) on the page, utilized by the Mozilla Firefox, which is highlighted with the image of a sign that represents the mouse/pointing device. This would be located on the upper left portion of the computer screen.

Here is a picture of the pensioners’ page:

GSIS expose Pensioners page insecure padlock symbol picture copyright DRATTYNGRAMISCAL

Here is a picture of the news release pertaining to the GSIS’ transitioning to ISO 9001:2015:

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 picture copyright DRATTYNGRAMISCAL

For now, let us just concentrate on the pensioner’s section. If any of you dear readers would click on the padlocked symbol, you would be greeted with a message bar on the left portion of the computer screen. The first message from Mozilla Firefox is “www.gsis.gov.ph Connection is Not Secure The login information you enter on this page is not secure and could be compromised”.

Picture of Message bar

GSIS expose pensioners page greeting of insecurity picture copyright DRATTYNGRAMISCAL

If you click on the “>” sign, you would be led to the reiteration of the Pensioners’ page with a Message Bar highlighting in blue font the phrase “Learn More”.

Picture of Learn More

GSIS expose Pensioners page connection not secure learn more picture copyright DRATTYNGRAMISCAL

If you click on “Learn More”, you would be led to a different and secure Mozilla Firefox page containing an article that explains the “Insecure password warning in Firefox”.

Picture of Mozilla Firefox article

GSIS expose Pensioners page learn more leading to Mozilla Firefox page detailing insecurity of page picture copyright DRATTYNGRAMISCAL

This page stated that “(t)his is to inform you that if you enter your password it could be stolen by eavesdroppers and attackers.” Furthermore, the article warned that personal information should not be entered in insecure pages like the GSIS site.

NOTE ON THE ICON:

In other computers, instead of the insecure padlock sign, the icon would resemble rotating blades:

Picture of blade icon:

GSIS expose NETOPIA Rotating Blade Icon Mozilla firefox insecure GSIS site picture copyright DRATTYNGRAMISCAL

ACCESSING THE E-GSISMO SITE

In going to the e-GSISMO site from the GSIS site, one would be confronted with this warning by the Mozilla Firefox:

Picture of warning

GSIS expose NETOPIA EGSISMO site uses an invalid security certificate Mozilla firefox picture copyright DRATTYNGRAMISCAL

FOR GOOGLE CHROME

Using Google Chrome, once you access the GSIS active home page, you would notice that there is an icon comprising of the small letter “i” within a circle. This is located opposite the URL of the GSIS site. If you bring your mouse/pointing device near the icon, a message will pop saying “View site information”.

Picture of icon and message

GSIS Google Chrome expose view site information active home page picture copyright DRATTYNGRAMISCAL

Once you click on the icon, you would be shown a message saying “Your connection to this site is not secure” and other details. There is also a phrase in blue font that states “Learn more”.

Picture

GSIS Google Chrome expose connection is not secure active home page picture copyright DRATTYNGRAMISCAL

Once you click on the phrase “Learn more”, you would be led to a different secure Google Chrome site with an article explaining what the icon of “i” with a circle means.

Picture

GSIS Google Chrome expose connection is not secure GOOGLE CHROME explanation active home page picture copyright DRATTYNGRAMISCAL

The Google Chrome article states that the icon signifies that “(t)he site isn’t using a private connection. Someone might be able to see or change the information you send or get through this site”.

FOR INTERNET EXPLORER

For those using Internet Explorer 10 or 11, and with private computers that are configured to have the most secure settings, the experience can be frustrating. I tried accessing the e-GSISMO and other pages of the GSIS website for several days, but could not. This is a typical message that I got:

Picture “This page cannot be displayed”.

Internet Explorer simple search for GSIS yields no display, picture copyright DRATTYNGRamiscal

At other times, when I type “GSIS” on the Bing engine on Internet Explorer, I would be confronted with a listing of search request rejections due to unavailability or web security violations.

Picture of the search request rejections

Internet Explorer rejections of request for GSIS site or pages, picture copyright DRATTYNGRamiscal

Since the search request rejections are cached, I decided to click on the cached version of one of the rejections.

Picture of the cached link

Internet Explorer rejection of GSIS website request cached page, picture copyright DRATTYNGRAMISCAL

I was then confronted with this message from the cached page:

Picture

Internet Explorer content of GSIS website rejection cached page picture copyright DRATTYNGRAMISCAL

The Internet explorer experience mirrors what I experienced when I tried to access the e-GSISMO page within, the GSIS site using the Mozilla Firefox: Nothing. Both browsers prevented me from accessing the web page due to security reasons.

The Mozilla Firefox was quite emphatic in its explanation for the error code I showed to the GSIS lawyers last July 26, 2017. It said that “Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a “Your connection is not secure” error message instead [https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox?as=u&utm_source=inproduct]”.

CAVEAT: PUBLIC COMPUTERS

But when I tried accessing the GSIS website on public computers in internet cafes like Netopia and other cafes in Laguna, I was able to access the site without any apparent issue. However, the different pages of the GSIS website are not encrypted. I will say more about this in the next section.

POSSIBLE LEGAL BASES OF VIOLATIONS OF R.A. 10173 BY THE “GSIS MANAGEMENT”

PHOTOGRAPHIC PROOF

INTERNET EXPLORER

Even if one uses the public computers in internet cafes and access the GSIS website, that does not mean that such access can be safe. If you dear reader would right click on a GSIS webpage (not the e-GSISMO site), like the Pensioners’ page and click on “Properties” using the Internet Explorer browser like so:

Picture

GSIS expose Internet Explorer Pensioners GSIS page Properties picture copyright DRATTYNGRAMISCAL

You, my dear reader, would be confronted with this message on the left upper portion of the computer screen, stating that the connection is not encrypted.

Picture

GSIS expose NETOPIA Unencrypted state of GSIS site in Internet Explorer picture copyright DRATTYNGRAMISCAL

If you click on “Certificates” you would have the message that this “(t)ype of document does not have a digital certificate”.

GSIS expose NETOPIA No Digital Certificate of GSIS site in Internet Explorer picture copyright DRATTYNGRAMISCAL

MOZILLA FIREFOX

The Mozilla Firefox browser’s message alerts made it very clear that the GSIS website is not encrypted. I offer two illustrations of this.

Let us go back to the Pensioners’ page. When any of you dear readers would click on the unsecure padlock sign, you would encounter this message on the upper left portion of your computer screen, with the phrase “More Information” on the gray lower portion of the message.

Picture

GSIS expose Pensioners page how do you know status of encryption click more information picture copyright DRATTYNGRAMISCAL

When you click on the phrase “More Information” you will be given a different message regarding the status of encryption of the GSIS website, in this case of the Pensioners’ page:

Picture of the encryption status

GSIS expose Pensioners page connection not encrypted picture copyright DRATTYNGRAMISCAL

This message repeats itself on different pages of the GSIS website. For example, let us go back to that News Press regarding the GSIS transitioning to the ISO 9001:2015. You, my dear reader would encounter the same message.

Picture of the encryption status

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 no encryption of GSIS site Mozilla Firefox picture copyright DRATTYNGRAMISCAL

The messages concerning the non-encryption status of the GSIS website shows that the digital certificate for the website had not, and could not be verified by Mozilla Firefox. The unimpeachable GSIS source mentioned “C (See?) Trust Wave(?)” as the DCA which Mozilla Firefox does not recognize.

The messages also contained the warning that “(i)nformation sent over the Internet without encryption can be seen by other people while it is in transit”.

LEGAL BASES:

THE LEGAL REQUIREMENT OF ENCRYPTION WHICH THE GSIS MANAGEMENT DID NOT FOLLOW

Under SEC. 23 of R.A. 10173, “(a)ny technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission”.

The National Privacy Commission (NPC) required in Sec. 8 of “NPC Circular 16-01 – Security of Personal Data in Government Agencies” dated 10 October 2016, “(a)ll personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard”.

These provisions can and should be made to apply to government websites like the GSIS, which store personal information of its clients, employees and officials, which are made accessible to these people anywhere, via the Internet. Both the law and the NPC Circular are quite clear in their absolute directive. There are no exemptions or excepting circumstances that allow for the non-encryption of the personal data contained in these websites.

Furthermore, the law and the NPC directive did not make any instance as a precondition for encryption. So it is immaterial if no GSIS member had ever been actually harmed by using the unencrypted site of the GSIS.

THE VULNERABILITY OF THE GSIS SITE AS THE DIRECT RESULT OF THE GSIS MANAGEMENT’S “BUSINESS DECISION”

I must re-emphasize that according to the admission of the GSIS unimpeachable source whom I directly spoke to during my July 26, 2017 lecture, the GSIS management were apprised of the risks of having an unsecured website but they decided to continue the site’s operation as a “business decision”.

The Price to be Paid for an Unencrypted State

It bears noting that the continued unencrypted and unsecured state of the GSIS website makes it a prime target for several cybercriminal activities, including defacement and hacking. The information sent by GSIS members using this unsecured site can be intercepted and even altered. The content of that information can be stolen if valuable to the eavesdropper or interceptor.

The IoT and E-Data Aggregation

I must emphasize that all users of computers and e-devices all over the world are now connected to the “Internet of Everything” (IoT). You, my dear readers, who use your laptops, your smart phones, your Fitbit devices, other wearable devices and other smart appliances that are connected to the Internet, are subject to data collection by entities like the manufacturers of these devices, and other entities whose intent may be malicious. In using the Google Chrome browser in accessing the GSIS website, the insecure message posted by Google Chrome also include the notice that “Cookies” are utilized to collect information about the user of the site.

GSIS Google Chrome expose connection is not secure active home page picture copyright DRATTYNGRAMISCAL

Depending on the type and nature of the cookies, this means that the user’s log-in information, device information, telephony details, IP address, and other identifying data about the user and/or his/her e-devices are collected. Since the GSIS site is unencrypted, any information entered by the user, for example, matters pertaining to auto shield insurance or home insurance in the GSIS site, can be seen by any interceptor or eavesdropper. At the hands of a knowledgeable and efficient cyber criminal, all these e-data can be aggregated to pinpoint the identity, habits and concerns of a particular user and used against that user.

Ransomware

In my lecture for the GSIS lawyers, I mentioned also the possibility of their organization being targeted with ransomware. Because the GSIS website is not encrypted, it is easier for any attacker to hijack the information, encrypt it, demand ransom, thus making it inaccessible, not merely to the GSIS members and pensioners, but even to the GSIS website administrator/operator/maintainer.

Possible Liability of GSIS Management

Sec. 20 (b) of R.A. 10173 imposes the legal obligation on a personal information controller, like the GSIS to “implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination”.

As I made very clear in my book “Cryptology: The Law and Science of Electronic Secrets and Codes”, encryption is one of the necessary safeguards that are crucial in protecting the security, confidentiality and authenticity of e-data. It is also one of those cyber-hygiene tools that should be utilized by any organization that processes the personal data of anyone. Employing encryption should be considered part of a corporation’s social and legal responsibility.

In this case, the “business decision” of GSIS management in letting the GSIS website remain unsecured, unencrypted and basically a target for hacking, as shown by the Mozilla Firefox message, evidently violates the unequivocal letter and intent of the law and the NPC directive.

Sec. 34. of R.A. 10173 provides that if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.

As I pointed out in my previous article on the insecurity of the e-GSISMO website, the Directors’ and Officers’ Liability Insurance (DOLI) policy of the GSIS will NOT cover any claim against the insured BOT members and officials in these two clear instances:

Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or Management, has violated its charter or caused unreasonable damage to its identified stakeholders.xxx

Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or unethical conduct.

THE GSIS MEMBERS BEING DENIED ACCESS TO THE GSIS SITE DUE TO THE INSECURITY OF THE WEBSITE

Another important violation here of the GSIS members’ and pensioners’ rights is the right to access their personal information in the GSIS website, including the e-GSISMO site. GSIS members and pensioners using the Internet Explorer (depending on several factors) and the Mozilla Firefox would be denied access to the e-GSISMO site because of “web security” violations, or the site’s connection is “untrusted” as evidenced from the messages that the two browsers would post to the computer screen of anyone who tried to access the e-GSISMO site. Due to the site’s insecurity, GSIS members and pensioners are actually discouraged to use the website. They cannot access their personal information, e.g., the status of their GSIS loans, the amount of their loans and the interests, the tentative computation of their pensions, etc., which are all very personal, sensitive and exclusive to each of them.

Furthermore, due to the website’s insecurity, GSIS members and pensioners are forced to conduct their transactions with the GSIS personally, which defeats the purpose of setting up the website to prevent long queues in GSIS offices and avoid waste of time, travel and other expenses on the part of the GSIS members and pensioners.

Under Sec. 16 (c) of R.A. 10173, the GSIS members and pensioners are granted the right of reasonable access to their personal information that is stored and processed through the GSIS website. The law allows GSIS members and pensioners access to, and upon demand, retrieve the “(1) Contents of his or her personal information that were processed; (2) Sources from which personal information were obtained; (3) Names and addresses of recipients of the personal information; (4) Manner by which such data were processed; (5) Reasons for the disclosure of the personal information to recipients; (6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject; (7) Date when his or her personal information concerning the data subject were last accessed and modified; and (8) The designation, or name or identity and address of the personal information controller” which can be contained in the e-GSISMO or GSIS website. The purpose for this access is to allow GSIS members and pensioners to check the accuracy of their personal information and the data that GSIS had processed, and to demand indemnity for damages due to “inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information” [Sec. 16 (f)] that GSIS processed.

Thus, the insecurity of the GSIS website and webpages actually prevents GSIS members and pensioners to exercise these rights granted to them as data subjects under R.A. 10173.

RES IPSA LOQUITUR

There is an applicable legal principle that law students learn in their Statutory Construction class, i.e., res ipsa loquitur, which means “the thing speaks for itself”. “(W)here the thing which caused the injury, without the fault of the injured, is under the exclusive control of the defendant and the injury is such that it should not have occurred if he, having such control used proper care, it affords reasonable evidence, in the absence of explanation that the injury arose from the defendant’s want of care, and the burden of proof is shifted to him to establish that he has observed due care and diligence” (Professional Services Inc., v. Agana, G.R. No. 126297, January 31, 2007, Supreme Court, 1st Division). In case any GSIS member or pensioner suffers any injury due to the insecurity of the GSIS website, that injury may be attributed to the “GSIS management” because the business decision to unleash this insecure website is theirs alone and they had exclusive control in terms of the decision power to set the course of operation of the GSIS website.

NPC ACTION ON THIS MATTER, SUA SPONTE

One of the lawyers represented during my MCLE lecture that GSIS is seeking a one year extension from the National Privacy Comission (NPC) to observe the R.A. 10173’s requirements. I asked the audience why should GSIS be given this extension, unlike the other PICs. I reminded them that R.A. 10173 has been passed in 2012 and the GSIS should have striven to comply with its requirements way back then. Besides, the NPC has been operating on this principle and set the deadline for all PICs as September 2017.

A one year extension might give GSIS another one year of institutional inertia or delay to fix the insecurity of its website. This must not be allowed because the GSIS website and its related sites, particularly the e-GSISMO contain crucial personal information that are vital to the economic security of millions of GSIS members and retired pensioners. If the GSIS management continue to use insecure websites, then GSIS must stop altogether the processing, including the storage of all the personal information of all its active and inactive members on these sites.

Since I am not a current GSIS member, I have no legal standing to bring a complaint against the GSIS to the NPC. I would leave it to you, dear reader, who may be a GSIS member to do this.

However, the NPC under its own rules, declared that the Commission, “sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the Act” [Sec. NPC Circular 16-04 – Rules of Procedure, dated 15 December 2016].

“Sua sponte” means that the NPC itself can take cognizance of this matter. It is a Latin term that means “of one’s own accord” or “voluntarily”.

That is the reason why I have emailed the URL of this article to Commissioner Liboro and Deputy Commissioner Patdu and to the email address for complaints to NPC. With this expose, I trust that the NPC would do their own investigation and confirm and rule on this matter.

FOR GSIS MEMBERS: WHERE TO FILE COMPLAINT

If any of you, dear readers, have been affected by the unsecured, unencrypted website of the GSIS, if your e-data regarding your personal information, membership, loans, pensions have been compromised, or if you cannot even access these personal information because you had been prevented from doing so by the browsers which did not accept the digital certificate of the GSIS website or had warned you of its insecurity, and thus did not proceed to bring you to the GSIS page or site you desired, you definitely suffered damage.

Under R.A. 10173, you can file a complaint against GSIS and seek for damages, as part of your legal rights as a “data subject”. The privilege of government agencies known as immunity from suit, should not prevent the NPC from proceeding with your complaint because, the damage was done by responsible and informed officials in this agency, acting clearly in disregard of R.A. 10173, not the agency itself.

To proceed with your complaint, kindly read the procedural rules of the NPC Circular 16-04 – Rules of Procedure here:

Click to access sgd-npc-circular-16-04-rules-of-procedure.pdf

You can electronically file your complaint by email, bearing in mind this instruction:

[If] submissions are made through e-mail, all electronic documents must be submitted to complaints@privacy.gov.ph, copy furnished any and all other parties to the complaint (Sec. 8).

Please take heart in the fact that the NPC has previously dealt with another major data privacy violator, the COMELEC, admirably. Its decision against COMELEC and against its current Chair, Andres Bautista, showed that it did not apply the immunity from suit principle, but the letter and intent of R.A. 10173 to vindicate all our data privacy rights as voters.

CONCLUSION:

What has been happening here is truly and absolutely inexcusable. It is mind boggling and unconscionable that an agency of the government, in charge of managing billions, if not trillions of Philippine pesos constituting the contributions and pensions of its members, and which has deep pockets for utilizing the Internet and its innovations to supposedly serve its clients and members, had intentionally scrimped on its budget as a “business decision” and left its website vulnerable to hacking.

The GSIS purportedly received several ISO certifications. Those in the know would know that getting these certifications entailed a lot of money and hard work. Its latest ISO certification bandied about in its “news” last July 28, 2017, was ISO 9001:2015. GSIS Officer in Charge Nora Malubay Saludares presented in the annual forum on Quality Management System the GSIS experience.

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 picture copyright DRATTYNGRAMISCAL

The press release ran:

The Forum which was held last Wednesday and Thursday (26 to 27 July 2017), highlighted the impact of ISO 9001 9001:2015-based QMS on business operations. GSIS received the ISO 9001:2015 certification for its QMS on loan processing and membership administration in March this year. In 2015, GSIS was conferred the ISO 9001:2008 for its loan processing only [bold italicized emphasis supplied].

The question that must be asked then: How can an agency that processes millions of personal information regarding its members’ loans and other membership details which are contained in its e-GSISMO website receive an ISO certification on these matters, when its own website that houses these relevant e-data is completely insecure and vulnerable to hacking, and does not even have a decent encryption system?

This is not mere ignorance or mere misappreciation by the GSIS BOT/management. They had been forewarned by the risks by their own people. They do not have to be warned by any outsider. This is wilful mismanagement of e-data. It shows simply, the utter and gross disregard by the GSIS BOT/management of the importance of securing the personal e-information of all its members that goes against the very principles of data processing and the legal rights of data subjects enshrined in R.A. 10173.

And take note dear readers, GSIS recently concluded a contract with another provider to operate their Skype appointment system. When I questioned the audience concerning the e-data privacy requirements that should have been included in the Terms of Reference in the procurement process, no one could answer me.

Paraphrasing Edmund Burke, in order for this iniquitous state to continue, it is enough that those in the know, do nothing. I refuse to let this state continue. Now my dear readers, all of you also know. I trust you all to do something!

Thank you.

God Bless Us!

Lawbyte 112: ENCRYPTION OR CRYPTOGRAPHY AS A HUMAN RIGHTS AND PRIVACY TOOL AGAINST GOVERNMENT ABUSES AND CYBERPRIVACY PREDATORS, WHAT THE NATIONAL COMMISSION ON PRIVACY, DTI AND DCIT MUST DO, AND IBP BULACAN’S HUMANITARIAN OUTREACH PROGRAM

Over the last five years and since the start of this year, I have informed all the people who have attended and cared enough to listen to my lectures and guest stints in different fora about the importance of cryptography, which is all about the science and art of encrypting messages, documents and images, in mathematical algorithms, and in some cases with biological, DNA, and nanomolecular ciphers, to retain the secrecy of the encrypted data, and prevent unauthorized eyes (of embittered spouses, disgruntled employees, curious hackers, nefarious crackers, unfriendly and friendly governments) from discovering the content, which could mean the saving or wrecking of countless lives, the toppling of dictatorships and the crashing of economies.

The Private Launching of my book on Cryptology

The discussion of the science and law of cryptography is central to my most recent book “Cryptology: The Law and Science of Electronic Secrets and Codes”, which I am glad to say, finally saw the light of a launching, albeit privately, last June 18, 2016 at the Makati Shangrila, during the General Assembly of the Philippine Australian Alumni Association (PA3i) members from all parts of the Philippines. In this private launching, I apprised the PA3i members of the essential hows and whys of cryptography and its impact on their lives. Since the theme of the event pertains to the fundamental bonds of friendships and links between the Philippines and Australia, I stated that my cryptology book could not have been written by me, without the influence of Australia on me, personally and professionally.

The private launching of Dr. Ramiscal’s CRYPTOLOGY book during the PA31General Assembly at MAKATI SHANGRILA, June 18, 2016

I was introduced to cryptology via my “Law and Internet” Master class way back in 1999 where the first word I deciphered using the PGP software was “apple”. The ramifications of this technology and the multidisciplinary fields that gave rise to it shook me to the core! I remember staying up way into the morning and staring at the Brisbane river as the sun rises, thinking that Einstein and Heisenberg were on some kind of intellectual drug for them to come up with otherworldly theories that have seen some awesome demonstrations as the years have gone by. It was in Australia where I felt real genuine freedom in academic research and inquiry, and I am forever grateful to the University of Queensland and its law faculty for supporting me in my Master of Laws (Advanced) and my Ph.D in law studies and research. Australia is one of those countries that have a sophisticated understanding of the grasp and reach of cryptology. As part of my recommendations in my book, I proposed that the Philippine government should look into the Australasian Information Security Evaluation Program (AISEP) used in Australia that reviews, among others, the source codes of cryptographic products. The Defense Signals Directorate (DSD) conducts a DSD Cryptographic Evaluation (DCE) “to analyse a product to determine whether the security architecture and cryptographic algorithms used have been implemented correctly and are appropriately strong for the product’s intended use by the recommending government agency.” This efficient and effective program is light years apart from the way that the COMELEC had handled source code reviews for the Automated Election Systems used in the 2010, 2013 and 2016 elections.

Dr. Atty. Noel G. Ramiscal with Her Excellency, the Australian Ambassador Amanda Gorely, June 18, 2016

My great appreciation to Her Excellency, the indefatigable and inimitable Australian Ambassador Amanda Gorely!
Heartiest thanks are in order to the brilliant and generous officers of PA3i, most especially to Ms. Vivian Valdez, Mr. Arvin Yana, Col. Ariel Querubin, Atty. Teresita Tuazon, Dr. Jean Loyola, Mr. Vic Badoy, Ms. Abee Generao and Mr. Ramon Santos, and of course to the fabulous PA3i members, some of whom are Drs. Rey Ramos, Fe Hidalgo, Wendell Capili and Emanuel Florido, Attys. Ma. Nena German and John Titus Vistal, Messrs. Joey Baril, Jay Juan, Edson Lopez, Greg Quimio, Kitz Arellano, Jong Belano, Ruel Limbo, the spouses Freddie and Norma Fajardo, Ms. Neri Torreta, and Ms. Dane Zuyco (apologies to the very many whose names I cannot remember). Congratulations as well to all 2016 Australian Alumni Awards Nominees and Winners, some of whom I had been privileged to meet, including, Ms. Loda Grace Dulla, Mr. Arsenio Ella and Chief Inspector Kimberly Molitas! They all make us proud!

How Cryptography has become a Crucial Liberation Technology

I expounded on the extent of cryptography and its significance in the digital global world in my MCLE lectures for the Philippine Deposit Insurance Corporation (January 28, 2016), the Arellano Law Foundation (February 27, 2016), the IBP Leyte (April 29, 2016), the IBP Negros Oriental (May 17, 2016), UP IAJ (July 2, 2016), the IBP Lanao del Norte (July 12, 2016), the ACLEx (July 22, 2016) and the most recent being the IBP Bulacan Chapter (July 23, 2016).

Dr. Ramiscal’s MCLE Lecture on Cryptology for the ALF, MIDAS HOTEL, FEB 27 2016

I strove to explain the mathematical and scientific bases for the cryptographic products that are being sold or developed by research institutions in different parts of the world, and how the multidisciplinary fields and endeavors that nurture cryptology are being threatened by the stringent export and licensing restrictions of countries implementing the Wassenaar Arrangement, which was geared at stopping the flow of cryptographic products to states that have known terrorist elements.

Dr. Atty. Noel G. Ramiscal’s MCLE lecture at PDIC last JANUARY 28, 2016

To be candid, this is easy to understand. There are infamous criminals and criminal activity that rely on cryptology to assure their continued operations. Cryptographic products have been implicated in drug trafficking, human trafficking, arms trafficking, online child pornography, murders for hire, and a slew of criminal conduct. It was said that the late Osama bin Laden used to send his extermination orders via encrypted text messages.

But, cryptography is also a beacon of hope, trust, and survival. As a tool for securing basic human rights to life, liberty, security and privacy, I highlight the fact that many international human rights organizations including Amnesty International rely on strong cryptographic software to secure their information. The Onion Router (TOR) system which relies on a system of virtual encrypted channels operated by exit node operators has been considered a crucial “liberation” technology. This allows a tool for the masses to reveal government corruption, oppression, tortures and killings motivated by politics, religion, money and greed, and escape the censorship and wrath of these governments. In the memorable Arab Spring, I tell and show the audiences of the tragic story of Neda Agha Soltan, a woman targeted by a Basilij sniper, all because she loved to sing passionately, about her life in Iran, and how the video of her murder and the picture of her dead face with the disjointed eyes, managed to get worldwide circulation, through the TOR system. That was one of the crucial moments when millions of people all over the globe became overnight activists and Neda Agha Soltan became an iconic image of the oppressed and silenced victims of tyranny and intolerance everywhere.

Dr. Ramiscal’s CRYPTOLOGY lecture for UPIAJ, July 2, 2016

Finally, cryptography is a first line of defense against all forms of unwarranted and illegal access or intrusions into the personal, sensitive information of natural and juridical persons. It is also a technology that is at the core of many personal and business transactions that involve currency. As I point out in all my lectures, every time anyone types their PIN or access codes into an ATM or secure website, cryptographic techniques are employed. I apprised the lawyers who attended my IBP Bulacan lectures last July 23, 2016, that cryptography is also at the heart of the Europay Mastercard Visa (EMV) chip cards that the Bangko Sentral ng Pilipinas have mandated all Philippine banks to roll out by January 2017! I also mentioned this fact in my July 22, 2016 lecture for the ACLEx. Apparently, this fact is not well known among the lawyers in these two fora, because only one lawyer professed to know about this.

Dr. Noel G. Ramiscal donating a copy of his Cryptology book to the CEU Law Library thru ACLEX’s Mr. Canata

The importance of cryptography in all our lives is such that I have been donating copies of my books to several universities in the Philippines as part of my advocacies as a Law and I.T. Evangelist to spread the word about the proper appreciation and ethical use of cryptography. Greatest gratitude to the UP IAJ, the different IBP Chapters all over the Philippines, the ALF, and the ACLEX for providing me with the opportunity to impart the current trends and important rules that pertain to the protection of the rights of digital denizens to my fellow brothers and sisters in Law and Life!

DR. ATTY. NOEL G. RAMISCAL DONATING COPY OF HIS CRYPTOLOGY BOOK TO ARELLANO LAW LIBRARY THRU ALF

What the National Privacy Commission (NPC), Department of Trade and Industry (DTI), and the Department of Communication Information Technology (DICT) should do to secure the e-data of millions of Philippine citizens from security breaches

In the Philippines, the awareness of cryptography began with the famous case filed by Atty. Harry H. Roque Jr. (who is now a Congressman) against the Commission on Election (COMELEC) in the latter’s use of the AES machines in 2009. Due to the current hearings on the I.R.R. on Data Privacy Law, interest in cryptography has newly arisen.

In my lecture for the MERALCO lawyers last June 24, 2016, on the “Legal Challenges and Complications of the Data Privacy Law”, I told the lawyers that I have been involved with the Data Privacy bills that were being pushed since 2008. In fact I was even a Technical Consultant of the former Commission on Information Communication Technology (CICT) and wrote a white paper on the cyberprivacy bills, before the CICT was downgraded into the ICTO and now formally elevated to the DCIT. This law mentioned “encryption” only once. I protested the fact that it only required encryption of data for purposes of off-site access (see Sec. 23, 3). This huge oversight has apparently been fixed in the current modification of the I.R.R., which has yet to be passed by the NCP.

The security breach of the unique personal information of the over forty million Philippine voters contained in the COMELEC database by Anonymous Philippines, and the subsequent irresponsible, unwarranted and illegal publication of these pieces of information by a U.S. website (wehaveyourdata.com) underscore the grave need to understand cryptography and how it could be used to protect the information of Philippine citizens, and the accountability and criminal liability of irresponsible government agencies. The State of the Nation Address (SONA) of President Duterte last July 25, 2016 showed how keenly he believes that computers and I.C.T. products can actually prevent corruption and lead to efficient public service.

My book traces the legal issues concerning the cryptographic features of the AES machines and the veritable absence of any comprehensive source code reviews by Philippine legitimate source code reviewers since the Roque case up to the 2015 Pabillo case and ties all the related issues, to come up with several major proposals that are quite valid and useful in the legal, political and social milieu of the Philippines after the 2016 elections.

These proposals include overhauling the cryptosystem evaluation of any I.C.T. products that will be sold or used in the Philippines, and making the source code reviews for these products, not a piecemeal process, nor a per agency process, but a systematic process to be overseen by the three agencies I identified, which are the NPC, the DTI and the former Information Communication Technology Office, which has now been upgraded to the DCIT. This must be done to prevent the monumental fiascos committed by the COMELEC in its handling of the source code reviews of the AES machines in the past three automated elections from ever happening again. The justifications and the extensive details of my proposal are in my book.

For this article I desire to emphasize that these agencies, particularly the NPC, must consider not only the AISEP program I referenced earlier, but also the U.S. and Canadian Cryptographic Module Validation Program (CMVP) which the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) jointly developed, and the process observed by the Communications-Electronics Security Group (CESG) in the United Kingdom which conducts the CESG Assisted Products Service (CAPS) on cryptographic products. Together with AISEP, these systems or processes establish I.C.T. standards in the proper review of source codes of cryptographic goods.

Another matter that these agencies must look into are the practices of these governments in choosing the right set of cryptographic products to safeguard the data of their respective governments and citizens. The U.S. and Australian government have, for example, selected a suite of cryptographic technologies that are suited for protecting the security, integrity and non-repudiability of different types of electronic data, including digital signatures. These are very important, specially for the NCP, because its I.R.R. placed it as the lead agency when it comes to setting the guidelines for data protection and encryption [See Sec. 9, a., 1. Rule III].

The IBP Bulacan Chapter’s Humanitarian Outreach Program

One of the best things about taking my advocacies to the road is the opportunity to meet new people as well as get in touch with former classmates and schoolmates who are doing so well, not only in their personal and professional lives but in their advocacies as well.

Dr. Atty. Noel G. Ramiscal’s Cryptology MCLE Lecture for IBP Bulacan, July 23, 2016

I was in Bulacan last year and totally enjoyed myself in my MCLE lectures. This year, I was truly amazed at the huge and warm support I got from the lawyers attendees, with the added bonus of seeing and conversing for quite some time with one of my classmates in UP Law, Atty. Pingki Bartolome Bernabe, who was the past IBP Bulacan President. Pingki is one of those kind, brilliant, creative souls, who would do wonders in her life, no matter what profession she is in. She was one of the very few people I could talk with in law school and I felt she never judged me in any way, which meant so much to me during that trying time. My mom and I were quite fortunate and appreciative in joining her in the ride back to Manila in her SUV. She’s got four amazing children, a doting husband, a successful career and a wonderful advocacy that has blossomed into a thriving movement in IBP Bulacan.

Dr. Ramiscal with current IBP Bulacan Pres. Atty. Topico, the past IBP Pres. Atty. Bartolome Bernabe and a lawyer gentleman from Bulacan, July 23 2016

She and the current IBP Bulacan President, the dashing and jovial Atty. Arni Topico, and several other lawyers (including the fabulous Atty. Francine Longid and the suave Atty. Paul Alcudia) have banded together, and through their own resources have given lectures and pro bono services to our overseas foreign workers stationed in different countries. They have been tapping into the international network of pro bono lawyers with strong positive results, working with foreign lawyers and helping acquit some of our countrymen criminally charged in other countries and creating goodwill for our country by helping foreign nationals who get into legal trouble in the Philippines. This year, their group will be presenting a paper in an international conference and will participate in a European summit on pro bono/legal aid service. They are performing a very specialized service that answers a niche need that should be emulated by other IBP Chapters and recognized by the Supreme Court. I am so proud and uplifted by the accomplishments of this group of devoted, exceptional lawyers! May their initiative be blessed with more connections and the necessary funds to make it sustainable! This is a perfect example of lawyers bettering the world with their talents! May their tribe increase and prosper!

Dr. Atty. Ramiscal with the great IBP Bulacan officers, July 23 2016

As always, thank you to the excellent IBP staff of Bulacan, Ms. Aida Oasay, and IBP National, Ms. Flora Arguson. To all the wonderful, gorgeous IBP Bulacan lawyers I met last July 23, 2016, and the great IBP Bulacan officers, I would like to say that it was truly a privilege and an honor to have served as one of your MCLE lecturers! I am genuinely moved by your generousity of Spirit and Kindness. Ilah’s dulce de leche and Eurobake’s inipit, were good, Rosalie’s Suman sa Pinipig were heavenly, but Il-Jamie’s crispy pata is worth coming all the way from Laguna to Bulacan! Thank You! God Bless Us! Insha Allah!