Philippine Cyber Lawbytes 210: Why Data Security Matters: Attention to the National Privacy Commission: The CBPRS website is Not Safe Nor Secure According to Four Web Browsers!

In February 11, 2022, the Legal Management Council of the Philippines (LMCP) and the UP Institute of Administration of Justice (UP IAJ) invited me to give a three (3) hour Mandatory Continuing Legal Education (MCLE) lecture on Data Privacy. The LMCP is a prestigious organization comprised of legal executives and managers of top law firms and Fortune 500/2000 companies in the Philippines. For this engagement, I decided to do a full lecture on the important intersections between “Data Privacy” and “Data Security” which had not been emphasized or even done in any MCLE lecture on data privacy in the Philippines.

The whole point of my lecture is that data privacy is not achievable without data security. Data security is the most vital requirement and prerequisite to data privacy, not the other way around. Thus, the legal importance given to data privacy, without any equal emphasis on the legal significance of data security is misplaced and is rife with grave repercussions. I illustrated this by giving detailed case studies, culled from the cases I have handled, and from my research.

One of the most important developments in the field of data privacy as far as the Philippines is concerned is being accepted as one of the members of the APEC Cross-Border Privacy Rules System (CBPRS).  Endorsed by APEC Leaders in 2011, this is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies. It provides the recognition criteria for organizations, or countries, wishing to become an APEC CBPR System certified Accountability Agent. It establishes a regulatory cooperative arrangement to ensure that each of the APEC CBPR system program requirements can be enforced by participating APEC economies.

In order to join this system, applicant countries or organizations must fill-up an intake questionnaire, and their responses will be evaluated based on assessment criteria. The current nine participating APEC CBPR system economies: USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei, and the Philippines. The website itself contains all the documentary submissions officially submitted by the member countries.

As is part of my due diligence tests for every website I visit, critique, document and present in my research and presentations, the CBPRS website failed that one vital requirement that all websites dedicated to data privacy must have: data security. According to these four web browsers I used, the CBPRS website is NOT SECURE and UNSAFE, even DANGEROUS. Please take note of the yellow marker encircling the areas where these warnings and indications are visible. The web browsers all note the insecurity of these websites even today, February 19, 2022.

---

1. MOZILLA FIREFOX

---

---

---

---

2. GOOGLE CHROME

---

---

---

3. MICROSOFT BING

---

---

---

---

4. OPERA

---

---

---

THE NATIONAL PRIVACY COMMISSION WEBSITE

In contrast, the National Privacy Commission’s website, in all four web browsers tested safe and secure. I will just give one example, the following were screenshots from the web browser Mozilla Firefox:

---

---

---

---

IMPLICATIONS:

---

The CBPRS.org does not have the “https” or “hypertext transfer protocol secure” protocol. This shows that the CBPRS.org site is not encrypted via the Transport Layer Security (TLS) encryption. TLS encryption protects all information that passes through the browser to the server, including logins and passwords, and even the web administration credentials. With the four web browsers’ warning of the website being “Not Secure”, it means that all transfer of information to and from this website, cannot be trusted.

The security warnings of the four web browsers show that the identity of CBPRS.org had not been validated by a legitimate 3^rd party source. According to the Opera Guidelines, the “best guarantee of a website’s identity is provided by Extended Validation (EV) certificates. Extended Validation means that the details of the organization buying the certificate have been audited by an accountable, third-party entity, who can therefore verify that the certificate owner is who it claims to be. EV websites are indicated by a black  security badge with a padlock in the address field”.

In contrast to all these, the NPC website follows the “https” encryption protocol and it is verified by Cloudflare Inc.

The non-encrypted state and non-secure state of the CBPRS website entails it is more prone to viruses and hacking attacks. A TSL Certificate provides an additional barrier that can prevent malicious actors from gaining access to the  information in this site, for example, by introducing fake documents, or uploading malicious scripts on the site. This is all the more pressing because the Philippines’ official documents submitted by the NPC, and all the other documents of the 8 member economies, which are retrievable from this site, are not secured.

---

---

Moreover, the “Not Secure” warnings also means that anyone that visits this site does not have any privacy while browsing. There will always be a risk of local attackers, users on other computers of the same network, to be able to monitor, view the pages that the viewer is browsing as well as the information s/he is sending or receiving. It does not provide trust or security to the viewing experience.

Unlike the NPC website, the CBPRS website is not privacy compliant at all. It is all the more baffling considering that the CBPRS website should be a paragon of data privacy standards for a website, given the fact that it houses the official documentations submitted by its member countries.

I therefore respectfully request for the NPC, as the representative of the Philippine economy in APEC to notify the CBPRS body about their website’s insecurity, and the probable consequences if this is not addressed. It behooves the NPC to inform the CBPRS organization about its website’s insecurity and unencrypted state, for it is truly horrendous and unexcusable that a website devoted to data privacy, can violate security standards, potentially breach the privacy of internet viewers, and be open for possible defacement, and even the deletion or alteration of the official public documents submitted by APEC member economies.

Philippine Lawbytes 141: A Critical Encounter with the Philippine SEC Personnel, the Insecurity of the SEC Website, and Comments on the SEC ICO Draft Rules (Copyright by Dr. Atty. Noel G. Ramiscal)

In August 14, 2019, I had the opportunity to have an audience with the Philippine Securities Exchange Commission (SEC) personnel who attended the SEC-UPIGLR professional development course training. Since my lecture was all about “Developments in Cybercrime, Security and Cryptocurrencies”, I took upon myself the task of giving them a taste of my criticisms of the SEC Draft Rules on Initial Coin Offerings (ICOs), and other matters, after I went through my usual discussion on the current trends in cybercrime cases, data privacy and data security.

Dr. Atty. Noel G. Ramiscal, in his lecture for the SEC people, on Cybercrime, Security and Cryptocurrencies, August 14, 2019

First off, I pointed out that the SEC website has been insecure for quite some time. I showed them evidence of screen shots from three popular web browsers in the Philippines: Google Chrome, Internet Explorer/Microsoft Edge, and Mozilla Firefox. The implications of their website’s insecurity are significant considering the SEC website gathers and contains the sensitive and often confidential personal information of data subjects all over the Philippines.

Dr. Atty. Noel G. Ramiscal, in his lecture for the SEC people, on Cybercrime, Security and Cryptocurrencies, August 14, 2019

I enlightened them about the National Privacy Commission decision concerning the COMELEC e-leaks and how potentially grave the criminal consequences are for the officers and employees of this Commission, if the personal information of data subjects contained in their databases would be hacked and published like what happened to the Philippine voters’ e-data. Unfortunately, even at the day when I published (October 13, 2019) and amended (October 15, 2019) this article, the SEC website is still insecure!

Screen shot of SEC website home page. on October 15, 2019, the day this article was amended, showing the website’s insecurity using the Google Chrome browser

Since 2018, when the SEC released its ICO Draft Rules, I have been critical of several essential provisions and important gaps in these rules. One of the significant and less known implication of the Draft Rules’ scope is that they are not applicable to any effectively and actually decentralized blockchain cryptocurrency like Bitcoin that is not totally represented nor centrally governed by any corporation or organization anywhere.

The “sandbox” approach by the SEC, while quite well intentioned also does two things which might be deemed anti-competitive. Since it does not apply to already existing cryptocurrencies like Bitcoin, its regulatory provisions would not cover the purveyors of these cryptocurrencies and would not protect Philippine investors. Second, since its regulatory provisions would only apply to cryptocurrencies that are going to be part of the ICOs which will fall directly in the Rules’ scope once they are approved, the purveyors of these cryptocurrencies would not be granted the essential leeway or governmental non-intervention that Bitcoin had enjoyed which resulted in its phenomenal global success.

I brought to the attention of these personnel, some of whom belong to the enforcement division of the SEC, how the SEC had utilized the current Securities Regulation Code extraterritorially with no adequate basis in going after promoters of cryptocoins offered in different jurisdictions, just because these offerings were accessible to Philippine investors, via the Internet.

While the Draft ICO Rules have provisions for the source code review of the software and the ensuing hardware to be utilized in rolling out the cryptocoins, the Draft rules apparently has the perspective that these cryptocoins would remain stable, codewise, and otherwise. This is evidenced by the fact that there are no provisions in the Draft Rules that address the consequences of hacking, and even forking, which are systemic risks of putting and investing e-assets in the block chain. As a parting shot, I also brought to the attention of the attendees of the real impending threat posed by advances in cryptanalysis that could render some forms of cryptography utilized by blockchains useless or vulnerable to hacking.

As always, I had hoped that by bringing these to their attention, they would act accordingly. That remains to be seen.

LAWBYTES 129: BEWARE TO ALL: THE GOVERNMENT SERVICE INSURANCE SYSTEM WEBSITE IS NOT SECURE! A REQUEST FOR SUA SPONTE ACTION BY THE NATIONAL PRIVACY COMMISSION (Copyright by Dr. Atty. Noel Guivani Ramiscal)

Note: PLEASE CLICK ON PICTURES TO MAKE THEM BIGGER

In my Mandatory Continuing Legal Education (MCLE) lecture for the GSIS last July 26, 2017, I was informed by an unimpeachable source that the digital certificate authority (DCA) the GSIS is using for its website is “C Trust Wave(?)”. I placed the phrase in question marks because I know of TrustWave as a DCA, but I am not familiar with what the source said. This DCA is the one supposedly used by the pertinent reseller to GSIS. According to the unimpeachable source, the “GSIS management” [which was the term used by the source all throughout my discussion with this source] was informed that the digital certificate issued to GSIS was weak, and of the security risks involved. But GSIS is still using it because it was a “business decision”. The GSIS management figured that the risks of e-data breach were not great. Using the analogy of the unimpeachable source, to the GSIS management, it would not make sense in buying and using a P100,000 steel bolted door, when an ordinary wooden door would do, to secure the e-data assets of GSIS. The unimpeachable source does not even use the GSIS website in the source’s personal GSIS transactions.

If the e-GSISMO site is not secure as I confirmed in my research, and interaction with the GSIS unimpeachable source during my MCLE lecture, I theorized that the whole GSIS website is not secure because the e-GSISMO site is essentially linked with the GSIS site.

To set about proving my theory, without hacking the GSIS system, I utilized the three search browsers that the GSIS website endorsed and recommended, i.e., Mozilla Firefox, Google Chrome and Internet Explorer.

GSIS expose NETOPIA time stamp and endorsement of GSIS site of Mozilla Firefox Google Chrome Internet Explorer picture copyright DRATTYNGRAMISCAL

BEFORE I CONTINUE, PLEASE NOTE THESE DISCLAIMERS AND DISCLOSURES:

1. I AM NOT CLAIMING COPYRIGHT OR ANY FORM OF INTELLECTUAL PROPERTY ON THE CONTENT FOUND IN THE PICTURES I TOOK OF THE GSIS WEBPAGES. BUT I DO HOLD THE COPYRIGHT TO THE PICTURES I TOOK OF THE COMPUTER SCREENS WHICH IS DIFFERENT FROM THE CONTENT ON THE GSIS SITE.

2. TAKING THE PICTURES AND REPRODUCING THEM ON MY BLOGSITE IS THE ONLY TECHNOLOGICALLY FEASIBLE AND DEMONSTRABLE WAY TO SHOW THE PROOF OF THE INSECURITY OF THE WHOLE GSIS WEBSITE AND ITS INDIVIDUAL WEBPAGES.

3. GSIS CANNOT CLAIM COPYRIGHT ON THE RELATED MESSAGES AND ARTICLES OF THE BROWSERS REGARDING THE INSECURITY OF ITS WEBSPAGES AND WEBSITE BECAUSE THESE EMANATE FROM THE BROWSERS.

4. I TOOK THE PICTURES AND WROTE THIS ARTICLE FOR ACADEMIC, RESEARCH AND NON-COMMERCIAL PURPOSES TO SHOW THE INSECURITY OF THE GSIS WEBSITE IN THE INTEREST OF PUBLIC SERVICE AND THE PUBLIC GOOD.

5. I DID NOT ENGAGE IN ANY HACKING ACTIVITY. WHAT I DID HERE CAN BE DONE AND CONFIRMED BY ANYONE WHO HAS ACCESS TO A COMPUTER THAT HAS THE THREE BROWSERS, AND ACCESS TO THE INTERNET. I USED GOOGLE, YAHOO! AND BING SEARCH ENGINES TO FERRET OUT THE GSIS WEBSITE.

6. I DID THIS ON MY OWN AS A DATA PRIVACY ADVOCATE, WITHOUT RECEIVING ANY FORM OF REMUNERATION OR EVEN TECHNICAL HELP FROM ANYONE.

7. I AM NOT A GSIS MEMBER. BUT I HAVE RELATIVES AND FRIENDS WHO ARE. I DID THIS FOR THEM AND FOR ALL THE MILLIONS OF GSIS MEMBERS, PARTICULARLY RETIRED GSIS PENSIONERS, WHOSE INTERESTS DESERVE PROTECTION.

TESTING MY THEORY

To test my theory, I browsed different pages of the GSIS site. I utilized different computers to access the GSIS site with these different browsers. I did my browsing on different days: July 27, 29, 31, August 1, 3, 2017.

Here are the results of my Internet examination of the browsers’ responses to queries about GSIS. For representative brevity, I chose samples of pictures I took of different screenshots of the GSIS website, and of the browsers’ responses to my GSIS queries. Any of you, my dear readers can follow and verify the steps I took. This does not require any special IT skill.

FOR MOZILLA FIREFOX

I present two samples of web pages from the GSIS website accessed through the Mozilla Firefox browser. Please notice dear readers the insecure padlock icon situated opposite the Universal Resource Locator (URL) on the page, utilized by the Mozilla Firefox, which is highlighted with the image of a sign that represents the mouse/pointing device. This would be located on the upper left portion of the computer screen.

Here is a picture of the pensioners’ page:

GSIS expose Pensioners page insecure padlock symbol picture copyright DRATTYNGRAMISCAL

Here is a picture of the news release pertaining to the GSIS’ transitioning to ISO 9001:2015:

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 picture copyright DRATTYNGRAMISCAL

For now, let us just concentrate on the pensioner’s section. If any of you dear readers would click on the padlocked symbol, you would be greeted with a message bar on the left portion of the computer screen. The first message from Mozilla Firefox is “www.gsis.gov.ph Connection is Not Secure The login information you enter on this page is not secure and could be compromised”.

Picture of Message bar

GSIS expose pensioners page greeting of insecurity picture copyright DRATTYNGRAMISCAL

If you click on the “>” sign, you would be led to the reiteration of the Pensioners’ page with a Message Bar highlighting in blue font the phrase “Learn More”.

Picture of Learn More

GSIS expose Pensioners page connection not secure learn more picture copyright DRATTYNGRAMISCAL

If you click on “Learn More”, you would be led to a different and secure Mozilla Firefox page containing an article that explains the “Insecure password warning in Firefox”.

Picture of Mozilla Firefox article

GSIS expose Pensioners page learn more leading to Mozilla Firefox page detailing insecurity of page picture copyright DRATTYNGRAMISCAL

This page stated that “(t)his is to inform you that if you enter your password it could be stolen by eavesdroppers and attackers.” Furthermore, the article warned that personal information should not be entered in insecure pages like the GSIS site.

NOTE ON THE ICON:

In other computers, instead of the insecure padlock sign, the icon would resemble rotating blades:

Picture of blade icon:

GSIS expose NETOPIA Rotating Blade Icon Mozilla firefox insecure GSIS site picture copyright DRATTYNGRAMISCAL

ACCESSING THE E-GSISMO SITE

In going to the e-GSISMO site from the GSIS site, one would be confronted with this warning by the Mozilla Firefox:

Picture of warning

GSIS expose NETOPIA EGSISMO site uses an invalid security certificate Mozilla firefox picture copyright DRATTYNGRAMISCAL

FOR GOOGLE CHROME

Using Google Chrome, once you access the GSIS active home page, you would notice that there is an icon comprising of the small letter “i” within a circle. This is located opposite the URL of the GSIS site. If you bring your mouse/pointing device near the icon, a message will pop saying “View site information”.

Picture of icon and message

GSIS Google Chrome expose view site information active home page picture copyright DRATTYNGRAMISCAL

Once you click on the icon, you would be shown a message saying “Your connection to this site is not secure” and other details. There is also a phrase in blue font that states “Learn more”.

Picture

GSIS Google Chrome expose connection is not secure active home page picture copyright DRATTYNGRAMISCAL

Once you click on the phrase “Learn more”, you would be led to a different secure Google Chrome site with an article explaining what the icon of “i” with a circle means.

Picture

GSIS Google Chrome expose connection is not secure GOOGLE CHROME explanation active home page picture copyright DRATTYNGRAMISCAL

The Google Chrome article states that the icon signifies that “(t)he site isn’t using a private connection. Someone might be able to see or change the information you send or get through this site”.

FOR INTERNET EXPLORER

For those using Internet Explorer 10 or 11, and with private computers that are configured to have the most secure settings, the experience can be frustrating. I tried accessing the e-GSISMO and other pages of the GSIS website for several days, but could not. This is a typical message that I got:

Picture “This page cannot be displayed”.

Internet Explorer simple search for GSIS yields no display, picture copyright DRATTYNGRamiscal

At other times, when I type “GSIS” on the Bing engine on Internet Explorer, I would be confronted with a listing of search request rejections due to unavailability or web security violations.

Picture of the search request rejections

Internet Explorer rejections of request for GSIS site or pages, picture copyright DRATTYNGRamiscal

Since the search request rejections are cached, I decided to click on the cached version of one of the rejections.

Picture of the cached link

Internet Explorer rejection of GSIS website request cached page, picture copyright DRATTYNGRAMISCAL

I was then confronted with this message from the cached page:

Picture

Internet Explorer content of GSIS website rejection cached page picture copyright DRATTYNGRAMISCAL

The Internet explorer experience mirrors what I experienced when I tried to access the e-GSISMO page within, the GSIS site using the Mozilla Firefox: Nothing. Both browsers prevented me from accessing the web page due to security reasons.

The Mozilla Firefox was quite emphatic in its explanation for the error code I showed to the GSIS lawyers last July 26, 2017. It said that “Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a “Your connection is not secure” error message instead [https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox?as=u&utm_source=inproduct]”.

CAVEAT: PUBLIC COMPUTERS

But when I tried accessing the GSIS website on public computers in internet cafes like Netopia and other cafes in Laguna, I was able to access the site without any apparent issue. However, the different pages of the GSIS website are not encrypted. I will say more about this in the next section.

POSSIBLE LEGAL BASES OF VIOLATIONS OF R.A. 10173 BY THE “GSIS MANAGEMENT”

PHOTOGRAPHIC PROOF

INTERNET EXPLORER

Even if one uses the public computers in internet cafes and access the GSIS website, that does not mean that such access can be safe. If you dear reader would right click on a GSIS webpage (not the e-GSISMO site), like the Pensioners’ page and click on “Properties” using the Internet Explorer browser like so:

Picture

GSIS expose Internet Explorer Pensioners GSIS page Properties picture copyright DRATTYNGRAMISCAL

You, my dear reader, would be confronted with this message on the left upper portion of the computer screen, stating that the connection is not encrypted.

Picture

GSIS expose NETOPIA Unencrypted state of GSIS site in Internet Explorer picture copyright DRATTYNGRAMISCAL

If you click on “Certificates” you would have the message that this “(t)ype of document does not have a digital certificate”.

GSIS expose NETOPIA No Digital Certificate of GSIS site in Internet Explorer picture copyright DRATTYNGRAMISCAL

MOZILLA FIREFOX

The Mozilla Firefox browser’s message alerts made it very clear that the GSIS website is not encrypted. I offer two illustrations of this.

Let us go back to the Pensioners’ page. When any of you dear readers would click on the unsecure padlock sign, you would encounter this message on the upper left portion of your computer screen, with the phrase “More Information” on the gray lower portion of the message.

Picture

GSIS expose Pensioners page how do you know status of encryption click more information picture copyright DRATTYNGRAMISCAL

When you click on the phrase “More Information” you will be given a different message regarding the status of encryption of the GSIS website, in this case of the Pensioners’ page:

Picture of the encryption status

GSIS expose Pensioners page connection not encrypted picture copyright DRATTYNGRAMISCAL

This message repeats itself on different pages of the GSIS website. For example, let us go back to that News Press regarding the GSIS transitioning to the ISO 9001:2015. You, my dear reader would encounter the same message.

Picture of the encryption status

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 no encryption of GSIS site Mozilla Firefox picture copyright DRATTYNGRAMISCAL

The messages concerning the non-encryption status of the GSIS website shows that the digital certificate for the website had not, and could not be verified by Mozilla Firefox. The unimpeachable GSIS source mentioned “C (See?) Trust Wave(?)” as the DCA which Mozilla Firefox does not recognize.

The messages also contained the warning that “(i)nformation sent over the Internet without encryption can be seen by other people while it is in transit”.

LEGAL BASES:

THE LEGAL REQUIREMENT OF ENCRYPTION WHICH THE GSIS MANAGEMENT DID NOT FOLLOW

Under SEC. 23 of R.A. 10173, “(a)ny technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission”.

The National Privacy Commission (NPC) required in Sec. 8 of “NPC Circular 16-01 – Security of Personal Data in Government Agencies” dated 10 October 2016, “(a)ll personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard”.

These provisions can and should be made to apply to government websites like the GSIS, which store personal information of its clients, employees and officials, which are made accessible to these people anywhere, via the Internet. Both the law and the NPC Circular are quite clear in their absolute directive. There are no exemptions or excepting circumstances that allow for the non-encryption of the personal data contained in these websites.

Furthermore, the law and the NPC directive did not make any instance as a precondition for encryption. So it is immaterial if no GSIS member had ever been actually harmed by using the unencrypted site of the GSIS.

THE VULNERABILITY OF THE GSIS SITE AS THE DIRECT RESULT OF THE GSIS MANAGEMENT’S “BUSINESS DECISION”

I must re-emphasize that according to the admission of the GSIS unimpeachable source whom I directly spoke to during my July 26, 2017 lecture, the GSIS management were apprised of the risks of having an unsecured website but they decided to continue the site’s operation as a “business decision”.

The Price to be Paid for an Unencrypted State

It bears noting that the continued unencrypted and unsecured state of the GSIS website makes it a prime target for several cybercriminal activities, including defacement and hacking. The information sent by GSIS members using this unsecured site can be intercepted and even altered. The content of that information can be stolen if valuable to the eavesdropper or interceptor.

The IoT and E-Data Aggregation

I must emphasize that all users of computers and e-devices all over the world are now connected to the “Internet of Everything” (IoT). You, my dear readers, who use your laptops, your smart phones, your Fitbit devices, other wearable devices and other smart appliances that are connected to the Internet, are subject to data collection by entities like the manufacturers of these devices, and other entities whose intent may be malicious. In using the Google Chrome browser in accessing the GSIS website, the insecure message posted by Google Chrome also include the notice that “Cookies” are utilized to collect information about the user of the site.

GSIS Google Chrome expose connection is not secure active home page picture copyright DRATTYNGRAMISCAL

Depending on the type and nature of the cookies, this means that the user’s log-in information, device information, telephony details, IP address, and other identifying data about the user and/or his/her e-devices are collected. Since the GSIS site is unencrypted, any information entered by the user, for example, matters pertaining to auto shield insurance or home insurance in the GSIS site, can be seen by any interceptor or eavesdropper. At the hands of a knowledgeable and efficient cyber criminal, all these e-data can be aggregated to pinpoint the identity, habits and concerns of a particular user and used against that user.

Ransomware

In my lecture for the GSIS lawyers, I mentioned also the possibility of their organization being targeted with ransomware. Because the GSIS website is not encrypted, it is easier for any attacker to hijack the information, encrypt it, demand ransom, thus making it inaccessible, not merely to the GSIS members and pensioners, but even to the GSIS website administrator/operator/maintainer.

Possible Liability of GSIS Management

Sec. 20 (b) of R.A. 10173 imposes the legal obligation on a personal information controller, like the GSIS to “implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination”.

As I made very clear in my book “Cryptology: The Law and Science of Electronic Secrets and Codes”, encryption is one of the necessary safeguards that are crucial in protecting the security, confidentiality and authenticity of e-data. It is also one of those cyber-hygiene tools that should be utilized by any organization that processes the personal data of anyone. Employing encryption should be considered part of a corporation’s social and legal responsibility.

In this case, the “business decision” of GSIS management in letting the GSIS website remain unsecured, unencrypted and basically a target for hacking, as shown by the Mozilla Firefox message, evidently violates the unequivocal letter and intent of the law and the NPC directive.

Sec. 34. of R.A. 10173 provides that if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.

As I pointed out in my previous article on the insecurity of the e-GSISMO website, the Directors’ and Officers’ Liability Insurance (DOLI) policy of the GSIS will NOT cover any claim against the insured BOT members and officials in these two clear instances:

Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or Management, has violated its charter or caused unreasonable damage to its identified stakeholders.xxx

Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or unethical conduct.

THE GSIS MEMBERS BEING DENIED ACCESS TO THE GSIS SITE DUE TO THE INSECURITY OF THE WEBSITE

Another important violation here of the GSIS members’ and pensioners’ rights is the right to access their personal information in the GSIS website, including the e-GSISMO site. GSIS members and pensioners using the Internet Explorer (depending on several factors) and the Mozilla Firefox would be denied access to the e-GSISMO site because of “web security” violations, or the site’s connection is “untrusted” as evidenced from the messages that the two browsers would post to the computer screen of anyone who tried to access the e-GSISMO site. Due to the site’s insecurity, GSIS members and pensioners are actually discouraged to use the website. They cannot access their personal information, e.g., the status of their GSIS loans, the amount of their loans and the interests, the tentative computation of their pensions, etc., which are all very personal, sensitive and exclusive to each of them.

Furthermore, due to the website’s insecurity, GSIS members and pensioners are forced to conduct their transactions with the GSIS personally, which defeats the purpose of setting up the website to prevent long queues in GSIS offices and avoid waste of time, travel and other expenses on the part of the GSIS members and pensioners.

Under Sec. 16 (c) of R.A. 10173, the GSIS members and pensioners are granted the right of reasonable access to their personal information that is stored and processed through the GSIS website. The law allows GSIS members and pensioners access to, and upon demand, retrieve the “(1) Contents of his or her personal information that were processed; (2) Sources from which personal information were obtained; (3) Names and addresses of recipients of the personal information; (4) Manner by which such data were processed; (5) Reasons for the disclosure of the personal information to recipients; (6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject; (7) Date when his or her personal information concerning the data subject were last accessed and modified; and (8) The designation, or name or identity and address of the personal information controller” which can be contained in the e-GSISMO or GSIS website. The purpose for this access is to allow GSIS members and pensioners to check the accuracy of their personal information and the data that GSIS had processed, and to demand indemnity for damages due to “inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information” [Sec. 16 (f)] that GSIS processed.

Thus, the insecurity of the GSIS website and webpages actually prevents GSIS members and pensioners to exercise these rights granted to them as data subjects under R.A. 10173.

RES IPSA LOQUITUR

There is an applicable legal principle that law students learn in their Statutory Construction class, i.e., res ipsa loquitur, which means “the thing speaks for itself”. “(W)here the thing which caused the injury, without the fault of the injured, is under the exclusive control of the defendant and the injury is such that it should not have occurred if he, having such control used proper care, it affords reasonable evidence, in the absence of explanation that the injury arose from the defendant’s want of care, and the burden of proof is shifted to him to establish that he has observed due care and diligence” (Professional Services Inc., v. Agana, G.R. No. 126297, January 31, 2007, Supreme Court, 1st Division). In case any GSIS member or pensioner suffers any injury due to the insecurity of the GSIS website, that injury may be attributed to the “GSIS management” because the business decision to unleash this insecure website is theirs alone and they had exclusive control in terms of the decision power to set the course of operation of the GSIS website.

NPC ACTION ON THIS MATTER, SUA SPONTE

One of the lawyers represented during my MCLE lecture that GSIS is seeking a one year extension from the National Privacy Comission (NPC) to observe the R.A. 10173’s requirements. I asked the audience why should GSIS be given this extension, unlike the other PICs. I reminded them that R.A. 10173 has been passed in 2012 and the GSIS should have striven to comply with its requirements way back then. Besides, the NPC has been operating on this principle and set the deadline for all PICs as September 2017.

A one year extension might give GSIS another one year of institutional inertia or delay to fix the insecurity of its website. This must not be allowed because the GSIS website and its related sites, particularly the e-GSISMO contain crucial personal information that are vital to the economic security of millions of GSIS members and retired pensioners. If the GSIS management continue to use insecure websites, then GSIS must stop altogether the processing, including the storage of all the personal information of all its active and inactive members on these sites.

Since I am not a current GSIS member, I have no legal standing to bring a complaint against the GSIS to the NPC. I would leave it to you, dear reader, who may be a GSIS member to do this.

However, the NPC under its own rules, declared that the Commission, “sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the Act” [Sec. NPC Circular 16-04 – Rules of Procedure, dated 15 December 2016].

“Sua sponte” means that the NPC itself can take cognizance of this matter. It is a Latin term that means “of one’s own accord” or “voluntarily”.

That is the reason why I have emailed the URL of this article to Commissioner Liboro and Deputy Commissioner Patdu and to the email address for complaints to NPC. With this expose, I trust that the NPC would do their own investigation and confirm and rule on this matter.

FOR GSIS MEMBERS: WHERE TO FILE COMPLAINT

If any of you, dear readers, have been affected by the unsecured, unencrypted website of the GSIS, if your e-data regarding your personal information, membership, loans, pensions have been compromised, or if you cannot even access these personal information because you had been prevented from doing so by the browsers which did not accept the digital certificate of the GSIS website or had warned you of its insecurity, and thus did not proceed to bring you to the GSIS page or site you desired, you definitely suffered damage.

Under R.A. 10173, you can file a complaint against GSIS and seek for damages, as part of your legal rights as a “data subject”. The privilege of government agencies known as immunity from suit, should not prevent the NPC from proceeding with your complaint because, the damage was done by responsible and informed officials in this agency, acting clearly in disregard of R.A. 10173, not the agency itself.

To proceed with your complaint, kindly read the procedural rules of the NPC Circular 16-04 – Rules of Procedure here:

Click to access sgd-npc-circular-16-04-rules-of-procedure.pdf

You can electronically file your complaint by email, bearing in mind this instruction:

[If] submissions are made through e-mail, all electronic documents must be submitted to complaints@privacy.gov.ph, copy furnished any and all other parties to the complaint (Sec. 8).

Please take heart in the fact that the NPC has previously dealt with another major data privacy violator, the COMELEC, admirably. Its decision against COMELEC and against its current Chair, Andres Bautista, showed that it did not apply the immunity from suit principle, but the letter and intent of R.A. 10173 to vindicate all our data privacy rights as voters.

CONCLUSION:

What has been happening here is truly and absolutely inexcusable. It is mind boggling and unconscionable that an agency of the government, in charge of managing billions, if not trillions of Philippine pesos constituting the contributions and pensions of its members, and which has deep pockets for utilizing the Internet and its innovations to supposedly serve its clients and members, had intentionally scrimped on its budget as a “business decision” and left its website vulnerable to hacking.

The GSIS purportedly received several ISO certifications. Those in the know would know that getting these certifications entailed a lot of money and hard work. Its latest ISO certification bandied about in its “news” last July 28, 2017, was ISO 9001:2015. GSIS Officer in Charge Nora Malubay Saludares presented in the annual forum on Quality Management System the GSIS experience.

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 picture copyright DRATTYNGRAMISCAL

The press release ran:

The Forum which was held last Wednesday and Thursday (26 to 27 July 2017), highlighted the impact of ISO 9001 9001:2015-based QMS on business operations. GSIS received the ISO 9001:2015 certification for its QMS on loan processing and membership administration in March this year. In 2015, GSIS was conferred the ISO 9001:2008 for its loan processing only [bold italicized emphasis supplied].

The question that must be asked then: How can an agency that processes millions of personal information regarding its members’ loans and other membership details which are contained in its e-GSISMO website receive an ISO certification on these matters, when its own website that houses these relevant e-data is completely insecure and vulnerable to hacking, and does not even have a decent encryption system?

This is not mere ignorance or mere misappreciation by the GSIS BOT/management. They had been forewarned by the risks by their own people. They do not have to be warned by any outsider. This is wilful mismanagement of e-data. It shows simply, the utter and gross disregard by the GSIS BOT/management of the importance of securing the personal e-information of all its members that goes against the very principles of data processing and the legal rights of data subjects enshrined in R.A. 10173.

And take note dear readers, GSIS recently concluded a contract with another provider to operate their Skype appointment system. When I questioned the audience concerning the e-data privacy requirements that should have been included in the Terms of Reference in the procurement process, no one could answer me.

Paraphrasing Edmund Burke, in order for this iniquitous state to continue, it is enough that those in the know, do nothing. I refuse to let this state continue. Now my dear readers, all of you also know. I trust you all to do something!

Thank you.

God Bless Us!

Lawbytes 128: WARNING TO GSIS PENSIONERS AND MEMBERS: THE E-GSISMO SITE IS NOT SECURE! Attention National Privacy Commission (Copyright by Dr. Atty. Noel Guivani Ramiscal)

I braved the rains last July 26, 2017 to deliver my lecture for the Mandatory Continuing Legal Education (MCLE) Seminar Series for the lawyers of the Government Service Insurance System (GSIS). Since my topic is on the “Operationalization of the E-Data Privacy and Security Requirements Under the Data Privacy Law”, I decided to concentrate on several IT systems and internet innovations that the GSIS have incorporated in its laudable goal of reaching out to its clients online, particularly the retired pensioners who cannot go to GSIS offices around the Philippines and those members who are overseas. As what I have done in all my lectures with government agencies, I zone in on IT issues that implicate the law which concern these entities to give value added service, instead of just merely lecturing on general privacy/legal issues.

The audience was comprised of over fifty lawyers, some of whom came from different parts of the country. I repeatedly requested for a representative of the IT Department, the HR Department, and if possible, the GSIS Data Privacy Officer so that we could have a dialogue regarding some of the issues I prepared to raise with them. The Chief Information Security Officer arrived and we had a productive repartee. The GSIS is one of the most important agencies in the Philippines that serve millions of stakeholders who are government pensioners so I strove to find out from the limited internet resources available, what are the pressing data privacy concerns that implicate the rights of government pensioners and GSIS members.

The GSIS had a “Skype Appointment system” which at the time of this blog’s publication (July 29, 2017) still carried the “Pilipinas Teleserv” (PT) name as the 3rd party provider/facilitator. The appointment system served to connect GSIS with people from all over the Philippines and the world via the Skype, which is offered primarily free by Microsoft as a communication tool/system. The GSIS, through the services of PT, developed a protocol for taking in the concerns of the GSIS members who used the service. PT in its website stated: Pilipinas Teleserv handles an average of 2,000 calls for the GSIS daily. Our total abandonment rate since operations began is remarkably low, coming in at only 3%. We are proud of our consistently excellent deliveries, with our First Call Resolution rate very close to 100% and our performance within a very tight 98%-100% range of the Service Level Agreement [https://teleserv.ph/how-we-do-things/gsis, accessed July 27, 2017].

I learned during my lecture that PT’s SLA just ended and the contract for this type of service was awarded to another bidder. One of the crucial things I pointed out is the obligation of PT, and whoever was awarded the current contract to comply with the requirements of the Data Privacy Law (R.A. 10173). It was not clear from the information I researched and from the information I gathered from the participants the type of arrangement GSIS and PT had with Skype. PT basically operated as a call center for GSIS using the Skype system. It was not clear if PT or GSIS paid Skype for the use of its system. I pointed out that under the policies of Microsoft and the Skype’s Fair Use Policy, anyone who is using the Skype tool as a free service is prohibited from doing any act that would not be considered Legitimate Use, which would include the following:

(i) Using subscriptions for telemarketing or call centre operations; xxxxxx

(iii) Sharing subscriptions between users whether via a PBX, call centre, computer or any other means; xxxxxx

Furthermore, “Skype may at its option, terminate its relationship with you, or may suspend your subscription immediately if it determines you are using your subscription contrary to this FUP or Skype’s Terms of Use”[Fair Use Policy, 19.3].

I asked the attendees if GSIS had any protocol as to the retention and destruction of those Skype video/messages from its clients all those years that PT ran the service. None of them apparently knew. This is actually crucial if any of those e-data became the subject of litigation. Moreover, PT, which was actually considered a personal information processor (PIP) for GSIS, did not have any privacy code or protocol in its website which can explain as to how it handled the privacy issues pertaining to GSIS’ clients. I suggested to the attorneys, particularly those engaged in procurement matters, to include data privacy requirements as part of the terms of reference (TOR) in procuring this type of service in the future.

Since GSIS utilized cloud service providers (CSPs) like Facebook, YouTube/Google and Microsoft/Skype to reach out to its clients, I apprised the audience of several perils in entrusting their clients’ e-data to the cloud. One of the dangers is the commingling of their clients’ e-data with the e-data of other clients of the cloud service providers in the same data files, specially if these different users use the same application in the cloud servers. This now becomes a “one stop shop for hackers”. In using the services of these cloud providers, GSIS and all its clients who use these services to communicate are subject to the untrammelled collection of e-data about them, including information about the computers, mobile phones and other e-devices they use to connect to these services, their locational data, their log-in information, including their phone numbers and the phone numbers of the people in their contact lists, and so on. One of the most notorious features about the CSP provider contracts is that they do not make the CSPs liable to the users of the services, from outages, to losses of e-data, to the introduction of computer malware that harm their IT systems, etc.

E-GSISMO insecurity as shown from an IMGUR posted apparently on January 12, 2017, photo of site by Dr. Atty. Ramiscal taken on July 29, 2017

Without doubt, the most disturbing thing that I raised with GSIS is the fact that its e-GSISMO website is NOT secure. I found an imgur message [https://imgur.com/r/Philippines/peI1L3a, last accessed July 29, 2017] and a Reddit thread [https://www.reddit.com/r/Philippines/comments/5nhbgn/look_gsis_egsismo_online_records_service_is/, last accessed July 29, 2017] pertaining to the insecurity of this website.

E-GSISMO’s insecurity as posted in REDDIT, photo of site taken by Dr. Atty. Ramiscal, July 29, 2017

The e-GSISMO site is quite significant for government retirees/pensioners and GSIS members because it contains their membership records, statement of loan accounts, and in a press release of GSIS last year, it was stated that it will allow members to view tentative computation of retirement and social insurance benefits, dividend payments, claim and loan records, and pensioners’ data.

E-GSISMO’s insecurity with REDDIT COMMENTS, photo taken of website by Dr. Atty. Ramiscal, July 29, 2017

The respondents in the Reddit thread were not specific or detailed in their discussion of what and how this site is insecure. I decided to investigate on my own.

When I accessed the site using MOZILLA FIREFOX, I was confronted with this message, which I showed to the audience:

E-GSISMO as an INSECURE WEBSITE determined by MOZILLA FIREFOX, presentation by Dr. Atty. Ramiscal to GSIS lawyers, July 26, 2017

By clicking on “Advanced” I was able to unearth the “ERROR CODE”.

E-GSISMO Statement of ERROR CODE underlined in yellow ink, presented by Dr. Atty. Ramiscal to GSIS lawyers last July 26, 2017

By clicking on the error code, I got the following message, and the insecure certificate chain:

E-GSISMO contents of the error code from Mozilla Firefox as presented by Dr. Atty. Ramiscal to GSIS lawyers last July 26, 2017

https://egsismo.gsis.gov.ph/
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain: —–BEGIN CERTIFICATE—–
MIIFhjCCBG6gAwIBAgITBnt0NmDHvT4FazmLK9KYKr2P/DANBgkqhkiG9w0BAQsF ADCBtTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdD aGljYWdvMSEwHwYDVQQKExhUcnVzdHdhdmUgSG9sZGluZ3MsIEluYy4xPTA7BgNV BAMTNFRydXN0d2F2ZSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTSEEyNTYgQ0Es IExldmVsIDExHzAdBgkqhkiG9w0BCQEWEGNhQHRydXN0d2F2ZS5jb20wHhcNMTUx MDIzMDIxNzUzWhcNMTgxMDE4MDgxNzUzWjBgMRYwFAYDVQQDDA0qLmdzaXMuZ292 LnBoMQ0wCwYDVQQKDARHU0lTMRMwEQYDVQQHDApQYXNheSBDaXR5MRUwEwYDVQQI DAxNZXRybyBNYW5pbGExCzAJBgNVBAYTAlBIMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA8SpYUBHvWyNPOj06t/HWEem3Zue6bP7vO7TP/gziP+RO0gL3
jE2ObqZHPM+eGgq4+TD+928pJa7jnT05IZxFoJFMF/h6EBWcdKe/sk4r39AgJAf3 ETw2jmNKiChw7fANAfFW0e9nb7UykQjN1h6rN2JaeQW8OpkyujXyswoUHnG1nup/ /e5kOmJXnkSd+RszvhpBfvs6HQ66rowimNq5seWJ+StltuOsxp4XVAvjUnQE2bsk
dZo/rDj1hji++vUblWP/b/dS3cnPVOPhQD9GrtGdjDnxIiC9GSSNs1ynmPqO9kky U0sdvW8uaRmprbTBKrBEXIy0kwelY4Pvpk2aUQIDAQABo4IB4TCCAd0wDAYDVR0T AQH/BAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF BwMBMB0GA1UdDgQWBBTKyN3opKvHsKoieedveTqw/uJojDAfBgNVHSMEGDAWgBTK zh0YA3ceHPN8WLKacKgIgBb0rjBIBgNVHSAEQTA/MD0GDysGAQQBge0YAwMDAwQE AzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3NzbC50cnVzdHdhdmUuY29tL0NBMGwG A1UdEQRlMGOCDSouZ3Npcy5nb3YucGiCC2dzaXMuZ292LnBoghBrZXlzLmdzaXMu Z292LnBoghB3aXNlLmdzaXMuZ292LnBoghB0ZXN0LmdzaXMuZ292LnBogg93d3cu Z3Npcy5nb3YucGgwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC50cnVzdHdh dmUuY29tL09WQ0EyX0wxLmNybDBxBggrBgEFBQcBAQRlMGMwJgYIKwYBBQUHMAGG Gmh0dHA6Ly9vY3NwLnRydXN0d2F2ZS5jb20vMDkGCCsGAQUFBzAChi1odHRwOi8v c3NsLnRydXN0d2F2ZS5jb20vaXNzdWVycy9PVkNBMl9MMS5jcnQwDQYJKoZIhvcN AQELBQADggEBAGamlyW1N+fuR54IdO9o0qw2/09Xppz2j1MDm9IemZDadXJIai6m 7JdPeL2+rTOrzfVDlbsTcBBw0QVkzpFoZLJ1cI9PYSAGXqA1pR8t6DcpnKVRV0yH sThrrKfJZag2FwIA4cns+4qmwf44s6O7LfJ6VoZhTVjIsrbacZrGmaHvsODi9NlW 1wX0rsJA5Hjv58nIKjv/Ptyu5sdl4KmaVyIlPoDtu1Jta+nCYGKF8TJ0X9HwrHzu 3Dt9UqD+jKUDDOe06wqMFy8ME89vE9NHjghv0L5aPrIDE5UAuEBl4lpieQ0Zkv9q
gZiBPcY9hFm9XSQo67FRnqYX4al8AxcdPiM=
—–END CERTIFICATE—–

The concept of a digital certificate is like a passport or an ID that validates the identity of the user to the recipient of a message or e-data, so that they can communicate securely over the internet using the public key infrastructure system. It is not within the scope of my article to give the details of digital certification systems. It suffices for now to say that digital certificates are issued by digital certification authorities (DCAs) to users to attest to their identity, and to provide evidence that a certificate is valid, it is digitally signed by a root certificate belonging to a trusted certificate authority. A receiver of digitally signed/encrypted information from a user can validate the Certification Authority (CA) signature, and can check the additional information in the certificate [e.g. expiration period of certificate] to honor it. Operating systems and browsers maintain lists of trusted CA root certificates so they can easily verify certificates that the CAs have issued and signed. In this case, Mozilla Firefox did not recognize the certificate of the e-GSISMO DCA, proving the insecurity of the website.

When I presented the powerpoint slide that shows the Mozilla Firefox message, error code and the report on the false certificate, I asked the people in attendance if the GSIS management knew about this. It was confirmed by an unimpeachable GSIS source during my lecture that the DCA of e-GSISMO did indeed lack certain requirements which made the website insecure. Further, this fact was actually revealed to the GSIS management which was notified of the risks. But the management made a business decision to actually release and continue the website’s operation, despite the risks. This is the core of GSIS e-data and services, because they contain very specific detailed confidential and highly sensitive information about specific GSIS members that cannot be retrieved or accessed in other government websites, including the hacked COMELEC sites and computer. For the GSIS management to have approved the operation of the unsecured e-GSISMO site and to advertise it to be used by all GSIS members and retired pensioners, is a very bad business decision that can harm the privacy rights of GSIS members and pensioners and impact on their well being.

If the continued operation of this insecure site results in the actual harm of any GSIS stakeholder, or in the perpetration of a criminal act against any GSIS stakeholder, the GSIS management can be held accountable. I impressed upon the audience that the members of the GSIS Board of Trustees, and its officers, who were apprised of the risks and yet decided to run the site cannot find refuge in the Directors’ and Officers’ Liability Insurance (DOLI) policy. The policy does NOT cover any claim against the insured:

Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or
Management, has violated its charter or caused unreasonable damage to its identified stakeholders.xxx

Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or
unethical conduct.

I pointed out that a violation of the pertinent provisions of R.A. 10173 is a criminal offense, and a criminal offense is more than mere unethical conduct.

Under SEC. 34. of this law, if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. One lawyer asked if a cybersecurity insurance policy, which I discussed in connection with the protection of GSIS e-data would cover the members of the BOT, I said that cybersecurity insurance policies generally cover the losses of the corporation itself, like GSIS, due to e-data breaches, not individual corporate officials’ liabilities to the GSIS and to the GSIS members and retired pensioners.

The GSIS and its BOT must be reminded of the NPC decision re: the breach of electorate data kept in the custody of COMELEC, i.e., “the duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action.” In this case, as the unimpeachable source during my lecture confirmed, the GSIS management were already warned of the risks by its own people, and yet decided to continue inflicting this unsecured website on its members and pensioners.

Finally, even if no GSIS member or retired pensioner is actually harmed by the unsecured e-GSISMO website, the BOT members and GSIS officials are still bound by the R.A. 10173 to implement the necessary safeguards to protect the edata of all GSIS stakeholders as a personal information controller (PIC). I apprised the attendees that these measures, together with the cyber hygiene practices that all PICs in the Philippines must observe on a regular basis, should be part of the corporate social responsibility of all PICs. The National Privacy Commission and the Civil Service Commission must look into this matter.

I wrote this article for the sake of millions of GSIS members (I am not one of them) and retired pensioners who may have used the e-GSISMO insecure website. They deserve better service and treatment. Actually, they deserve the best.

As always, I am grateful to God for this opportunity to ferret out matters like this in the interest of public service. Let us hope that the GSIS BOT and all its officials who are connected to safeguarding the privacy rights of the GSIS members do their jobs properly. God bless us!