I braved the rains last July 26, 2017 to deliver my lecture for the Mandatory Continuing Legal Education (MCLE) Seminar Series for the lawyers of the Government Service Insurance System (GSIS). Since my topic was the “Operationalization of the E-Data Privacy and Security Requirements Under the Data Privacy Law”, I decided to concentrate on several IT systems and internet innovations that the GSIS has incorporated in its laudable goal of reaching out to its clients online, particularly the retired pensioners who cannot go to GSIS offices around the Philippines and those members who are overseas. As I have done in all my lectures with government agencies, I zeroed in on the IT issues that implicate the law for these entities, to give value-added service instead of merely lecturing on general privacy/legal issues.
The audience comprised over fifty lawyers, some of whom came from different parts of the country. I had repeatedly requested a representative of the IT Department, the HR Department and, if possible, the GSIS Data Privacy Officer, so that we could have a dialogue regarding some of the issues I had prepared to raise with them. The Chief Information Security Officer arrived and we had a productive repartee. The GSIS is one of the most important agencies in the Philippines, serving millions of stakeholders who are government pensioners, so I strove to find out, from the limited internet resources available, what the pressing data privacy concerns are that implicate the rights of government pensioners and GSIS members.
The GSIS had a “Skype Appointment system” which, at the time of this blog’s publication (July 29, 2017), still carried the “Pilipinas Teleserv” (PT) name as the third-party provider/facilitator. The appointment system served to connect GSIS with people from all over the Philippines and the world via Skype, which Microsoft offers primarily as a free communication tool/system. The GSIS, through the services of PT, developed a protocol for taking in the concerns of the GSIS members who used the service. PT stated on its website: “Pilipinas Teleserv handles an average of 2,000 calls for the GSIS daily. Our total abandonment rate since operations began is remarkably low, coming in at only 3%. We are proud of our consistently excellent deliveries, with our First Call Resolution rate very close to 100% and our performance within a very tight 98%-100% range of the Service Level Agreement” [https://teleserv.ph/how-we-do-things/gsis, accessed July 27, 2017].
I learned during my lecture that PT’s SLA had just ended and the contract for this type of service had been awarded to another bidder. One of the crucial things I pointed out is the obligation of PT, and of whoever was awarded the current contract, to comply with the requirements of the Data Privacy Law (R.A. 10173). It was not clear from the information I researched, or from what I gathered from the participants, what type of arrangement GSIS and PT had with Skype. PT basically operated as a call center for GSIS using the Skype system. It was not clear whether PT or GSIS paid Skype for the use of its system. I pointed out that under the policies of Microsoft and Skype’s Fair Use Policy, anyone using the Skype tool as a free service is prohibited from doing any act that would not be considered Legitimate Use, which includes the following:
(i) Using subscriptions for telemarketing or call centre operations; xxxxxx
(iii) Sharing subscriptions between users whether via a PBX, call centre, computer or any other means; xxxxxx
Furthermore, “Skype may at its option, terminate its relationship with you, or may suspend your subscription immediately if it determines you are using your subscription contrary to this FUP or Skype’s Terms of Use”[Fair Use Policy, 19.3].
I asked the attendees if GSIS had any protocol for the retention and destruction of the Skype videos/messages from its clients over all the years that PT ran the service. None of them apparently knew. This is actually crucial if any of that e-data becomes the subject of litigation. Moreover, PT, which was actually a personal information processor (PIP) for GSIS, did not have any privacy code or protocol on its website explaining how it handled the privacy issues pertaining to GSIS’ clients. I suggested to the attorneys, particularly those engaged in procurement matters, that they include data privacy requirements as part of the terms of reference (TOR) in procuring this type of service in the future.
Since GSIS utilized cloud service providers (CSPs) like Facebook, YouTube/Google and Microsoft/Skype to reach out to its clients, I apprised the audience of several perils in entrusting their clients’ e-data to the cloud. One of the dangers is the commingling of their clients’ e-data with the e-data of the CSPs’ other customers in the same data files, especially when these different users use the same application on the cloud servers. This becomes a “one stop shop for hackers”. In using the services of these cloud providers, GSIS and all its clients who use these services to communicate are subject to the untrammelled collection of e-data about them, including information about the computers, mobile phones and other e-devices they use to connect to these services, their location data, their log-in information, their phone numbers and the phone numbers of the people in their contact lists, and so on. One of the most notorious features of CSP contracts is that they do not make the CSPs liable to the users of the services, whether for outages, for losses of e-data, or for the introduction of computer malware that harms their IT systems.
Without doubt, the most disturbing thing that I raised with GSIS is the fact that its e-GSISMO website is NOT secure. I found an imgur message [https://imgur.com/r/Philippines/peI1L3a, last accessed July 29, 2017] and a Reddit thread [https://www.reddit.com/r/Philippines/comments/5nhbgn/look_gsis_egsismo_online_records_service_is/, last accessed July 29, 2017] pertaining to the insecurity of this website.
The e-GSISMO site is quite significant for government retirees/pensioners and GSIS members because it contains their membership records and statements of loan accounts, and a GSIS press release last year stated that it would allow members to view tentative computations of retirement and social insurance benefits, dividend payments, claim and loan records, and pensioners’ data.
The respondents in the Reddit thread were not specific or detailed in their discussion of what and how this site is insecure. I decided to investigate on my own.
When I accessed the site using MOZILLA FIREFOX, I was confronted with this message, which I showed to the audience:
By clicking on “Advanced” I was able to unearth the “ERROR CODE”.
By clicking on the error code, I got the following message, and the insecure certificate chain:
https://egsismo.gsis.gov.ph/
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain:
-----BEGIN CERTIFICATE-----
MIIFhjCCBG6gAwIBAgITBnt0NmDHvT4FazmLK9KYKr2P/DANBgkqhkiG9w0BAQsF
ADCBtTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdD
aGljYWdvMSEwHwYDVQQKExhUcnVzdHdhdmUgSG9sZGluZ3MsIEluYy4xPTA7BgNV
BAMTNFRydXN0d2F2ZSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTSEEyNTYgQ0Es
IExldmVsIDExHzAdBgkqhkiG9w0BCQEWEGNhQHRydXN0d2F2ZS5jb20wHhcNMTUx
MDIzMDIxNzUzWhcNMTgxMDE4MDgxNzUzWjBgMRYwFAYDVQQDDA0qLmdzaXMuZ292
LnBoMQ0wCwYDVQQKDARHU0lTMRMwEQYDVQQHDApQYXNheSBDaXR5MRUwEwYDVQQI
DAxNZXRybyBNYW5pbGExCzAJBgNVBAYTAlBIMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA8SpYUBHvWyNPOj06t/HWEem3Zue6bP7vO7TP/gziP+RO0gL3
jE2ObqZHPM+eGgq4+TD+928pJa7jnT05IZxFoJFMF/h6EBWcdKe/sk4r39AgJAf3
ETw2jmNKiChw7fANAfFW0e9nb7UykQjN1h6rN2JaeQW8OpkyujXyswoUHnG1nup/
/e5kOmJXnkSd+RszvhpBfvs6HQ66rowimNq5seWJ+StltuOsxp4XVAvjUnQE2bsk
dZo/rDj1hji++vUblWP/b/dS3cnPVOPhQD9GrtGdjDnxIiC9GSSNs1ynmPqO9kky
U0sdvW8uaRmprbTBKrBEXIy0kwelY4Pvpk2aUQIDAQABo4IB4TCCAd0wDAYDVR0T
AQH/BAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF
BwMBMB0GA1UdDgQWBBTKyN3opKvHsKoieedveTqw/uJojDAfBgNVHSMEGDAWgBTK
zh0YA3ceHPN8WLKacKgIgBb0rjBIBgNVHSAEQTA/MD0GDysGAQQBge0YAwMDAwQE
AzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3NzbC50cnVzdHdhdmUuY29tL0NBMGwG
A1UdEQRlMGOCDSouZ3Npcy5nb3YucGiCC2dzaXMuZ292LnBoghBrZXlzLmdzaXMu
Z292LnBoghB3aXNlLmdzaXMuZ292LnBoghB0ZXN0LmdzaXMuZ292LnBogg93d3cu
Z3Npcy5nb3YucGgwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC50cnVzdHdh
dmUuY29tL09WQ0EyX0wxLmNybDBxBggrBgEFBQcBAQRlMGMwJgYIKwYBBQUHMAGG
Gmh0dHA6Ly9vY3NwLnRydXN0d2F2ZS5jb20vMDkGCCsGAQUFBzAChi1odHRwOi8v
c3NsLnRydXN0d2F2ZS5jb20vaXNzdWVycy9PVkNBMl9MMS5jcnQwDQYJKoZIhvcN
AQELBQADggEBAGamlyW1N+fuR54IdO9o0qw2/09Xppz2j1MDm9IemZDadXJIai6m
7JdPeL2+rTOrzfVDlbsTcBBw0QVkzpFoZLJ1cI9PYSAGXqA1pR8t6DcpnKVRV0yH
sThrrKfJZag2FwIA4cns+4qmwf44s6O7LfJ6VoZhTVjIsrbacZrGmaHvsODi9NlW
1wX0rsJA5Hjv58nIKjv/Ptyu5sdl4KmaVyIlPoDtu1Jta+nCYGKF8TJ0X9HwrHzu
3Dt9UqD+jKUDDOe06wqMFy8ME89vE9NHjghv0L5aPrIDE5UAuEBl4lpieQ0Zkv9q
gZiBPcY9hFm9XSQo67FRnqYX4al8AxcdPiM=
-----END CERTIFICATE-----
The concept of a digital certificate is like a passport or an ID that validates the identity of a website or user to the other party, so that they can communicate securely over the internet using the public key infrastructure. It is not within the scope of my article to give the details of digital certification systems. It suffices for now to say that digital certificates are issued by digital certification authorities (DCAs, usually just called CAs) to attest to the holder’s identity. The CA digitally signs the certificate with its own signing certificate, and that signing certificate is in turn signed by a root certificate belonging to a trusted CA. A browser receiving the certificate validates each signature in this chain and checks the additional information in the certificate (the expiry date, and whether the name in it matches the website) before honoring it. Operating systems and browsers maintain lists of trusted CA root certificates, but the intermediate CA certificate that sits between the root and the website’s certificate is the website’s job to send along. In this case, Firefox’s message “Peer’s Certificate issuer is not recognized” is its error SEC_ERROR_UNKNOWN_ISSUER: the chain it received, shown above, contained only the site certificate, issued for *.gsis.gov.ph by the “Trustwave Organization Validation SHA256 CA, Level 1”, which is an intermediate CA and not one of the roots on Firefox’s list. With no intermediate certificate served, Firefox, which does not go out and fetch missing intermediates by itself the way Internet Explorer and Chrome on Windows do, could not build a chain to a trusted root and so could not verify that the site was genuine. The dump also shows that HTTP Strict Transport Security and public key pinning were switched off. Whatever the underlying cause, the practical effect was the same: every visitor using Firefox was met with a security warning and had to click through it to reach their records, which is exactly the habit that phishing sites rely on, and those who did click through had no verified assurance of whom they were talking to. That is what made the website insecure.
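As an added example (this is not code from the original post, and GSIS had no part in it), the script below takes the certificate Firefox dumped, decodes it with a small DER parser written only against the Python standard library, and then asks the one question Firefox asked: is the issuer of this certificate either among the certificates the server sent or on the list of trusted roots? The chain is modelled as a Python list with a single entry, because that is all the dump contained, and the trusted roots are passed in as a list of subject names; both are assumptions made for the illustration, as is the simplification that a real path builder also checks signatures and BasicConstraints. The Authority Information Access extension it pulls out of the certificate is the part a practitioner will want to see: it names the URL where Trustwave publishes the missing intermediate, which is what the web server should have been configured to send.

```python
# Added example, not code from the original post; standard library only. It parses the
# certificate Firefox dumped for https://egsismo.gsis.gov.ph/ and asks the question behind
# SEC_ERROR_UNKNOWN_ISSUER: who issued the leaf, and could Firefox find that issuer anywhere?
import base64
from datetime import datetime, timezone

# The certificate quoted in the post (Firefox's dump held only this one; no intermediate).
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIFhjCCBG6gAwIBAgITBnt0NmDHvT4FazmLK9KYKr2P/DANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdD
aGljYWdvMSEwHwYDVQQKExhUcnVzdHdhdmUgSG9sZGluZ3MsIEluYy4xPTA7BgNVBAMTNFRydXN0d2F2ZSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTSEEyNTYgQ0Es
IExldmVsIDExHzAdBgkqhkiG9w0BCQEWEGNhQHRydXN0d2F2ZS5jb20wHhcNMTUxMDIzMDIxNzUzWhcNMTgxMDE4MDgxNzUzWjBgMRYwFAYDVQQDDA0qLmdzaXMuZ292
LnBoMQ0wCwYDVQQKDARHU0lTMRMwEQYDVQQHDApQYXNheSBDaXR5MRUwEwYDVQQIDAxNZXRybyBNYW5pbGExCzAJBgNVBAYTAlBIMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA8SpYUBHvWyNPOj06t/HWEem3Zue6bP7vO7TP/gziP+RO0gL3jE2ObqZHPM+eGgq4+TD+928pJa7jnT05IZxFoJFMF/h6EBWcdKe/sk4r39AgJAf3
ETw2jmNKiChw7fANAfFW0e9nb7UykQjN1h6rN2JaeQW8OpkyujXyswoUHnG1nup//e5kOmJXnkSd+RszvhpBfvs6HQ66rowimNq5seWJ+StltuOsxp4XVAvjUnQE2bsk
dZo/rDj1hji++vUblWP/b/dS3cnPVOPhQD9GrtGdjDnxIiC9GSSNs1ynmPqO9kkyU0sdvW8uaRmprbTBKrBEXIy0kwelY4Pvpk2aUQIDAQABo4IB4TCCAd0wDAYDVR0T
AQH/BAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBTKyN3opKvHsKoieedveTqw/uJojDAfBgNVHSMEGDAWgBTK
zh0YA3ceHPN8WLKacKgIgBb0rjBIBgNVHSAEQTA/MD0GDysGAQQBge0YAwMDAwQEAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3NzbC50cnVzdHdhdmUuY29tL0NBMGwG
A1UdEQRlMGOCDSouZ3Npcy5nb3YucGiCC2dzaXMuZ292LnBoghBrZXlzLmdzaXMuZ292LnBoghB3aXNlLmdzaXMuZ292LnBoghB0ZXN0LmdzaXMuZ292LnBogg93d3cu
Z3Npcy5nb3YucGgwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC50cnVzdHdhdmUuY29tL09WQ0EyX0wxLmNybDBxBggrBgEFBQcBAQRlMGMwJgYIKwYBBQUHMAGG
Gmh0dHA6Ly9vY3NwLnRydXN0d2F2ZS5jb20vMDkGCCsGAQUFBzAChi1odHRwOi8vc3NsLnRydXN0d2F2ZS5jb20vaXNzdWVycy9PVkNBMl9MMS5jcnQwDQYJKoZIhvcN
AQELBQADggEBAGamlyW1N+fuR54IdO9o0qw2/09Xppz2j1MDm9IemZDadXJIai6m7JdPeL2+rTOrzfVDlbsTcBBw0QVkzpFoZLJ1cI9PYSAGXqA1pR8t6DcpnKVRV0yH
sThrrKfJZag2FwIA4cns+4qmwf44s6O7LfJ6VoZhTVjIsrbacZrGmaHvsODi9NlW1wX0rsJA5Hjv58nIKjv/Ptyu5sdl4KmaVyIlPoDtu1Jta+nCYGKF8TJ0X9HwrHzu
3Dt9UqD+jKUDDOe06wqMFy8ME89vE9NHjghv0L5aPrIDE5UAuEBl4lpieQ0Zkv9qgZiBPcY9hFm9XSQo67FRnqYX4al8AxcdPiM=
-----END CERTIFICATE-----"""

ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "1.2.840.113549.1.9.1": "emailAddress"}
OID_SAN, OID_AIA, OID_CA_ISSUERS = "2.5.29.17", "1.3.6.1.5.5.7.1.1", "1.3.6.1.5.5.7.48.2"

def der_tlv(buf, pos=0):
    """One DER tag-length-value at buf[pos] -> (tag, value, next_pos); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Elements of a SEQUENCE/SET body as [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def der_oid(value):
    """OBJECT IDENTIFIER body -> dotted string (base-128 arcs, high bit set = more bytes)."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def parse_name(value):
    """Name ::= SEQUENCE OF SET OF {type OID, value} -> {"CN": ..., "O": ..., ...}."""
    name = {}
    for _, rdn in der_children(value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            name[ATTR.get(der_oid(oid), der_oid(oid))] = val.decode("utf-8", "replace")
    return name

def parse_time(tag, value):               # UTCTime (0x17, YY) or GeneralizedTime (0x18, YYYY) -> aware UTC
    return datetime.strptime(value.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(pem):
    """Issuer, subject, validity, SAN dNSNames and the AIA caIssuers URL of one PEM certificate."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    _, cert, _ = der_tlv(base64.b64decode(body))
    tbs = [f for f in der_children(der_children(cert)[0][1]) if f[0] != 0xA0]   # tbs fields minus [0] version
    _serial, _sig_alg, issuer, validity, subject, _spki = tbs[:6]
    not_before, not_after = der_children(validity[1])
    info = {"issuer": parse_name(issuer[1]), "subject": parse_name(subject[1]),
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after),
            "san": [], "ca_issuers": None}
    for tag, val in tbs[6:]:
        if tag == 0xA3:                                       # [3] EXPLICIT Extensions
            for _, ext in der_children(der_children(val)[0][1]):
                parts = der_children(ext)                     # OID, [critical BOOLEAN], OCTET STRING
                oid, extn = der_oid(parts[0][1]), der_children(parts[-1][1])[0][1]
                if oid == OID_SAN:                            # dNSName = [2] IMPLICIT IA5String
                    info["san"] = [v.decode() for t, v in der_children(extn) if t == 0x82]
                elif oid == OID_AIA:                          # AccessDescription { method OID, [6] URI }
                    for _, ad in der_children(extn):
                        (_, method), (_, loc) = der_children(ad)
                        if der_oid(method) == OID_CA_ISSUERS:
                            info["ca_issuers"] = loc.decode()
    return info

def explain_chain(served_pems, trusted_root_subjects=()):
    """Is the leaf's issuer among the served certificates, or a trusted root? Firefox does not
    fetch a missing intermediate from the caIssuers URL, so nothing else counts. (Simplified:
    a real path builder also verifies each signature and BasicConstraints.)"""
    certs = [parse_certificate(p) for p in served_pems]
    leaf, issuer = certs[0], certs[0]["issuer"]
    if any(c["subject"] == issuer for c in certs[1:]):
        return "ok: issuer certificate was served"
    if issuer in trusted_root_subjects:
        return "ok: issuer is a trusted root"
    return "SEC_ERROR_UNKNOWN_ISSUER: %r was not served and is not a root; it is published at %s" % (issuer["CN"], leaf["ca_issuers"])
```

Running `explain_chain([LEAF_PEM])` reproduces Firefox’s verdict and names the caIssuers URL from the certificate’s own AIA extension; passing the issuer’s name in `trusted_root_subjects` shows how the same input would have been accepted if Trustwave’s intermediate had been a root, and prepending the intermediate’s PEM to the list (not available on this page) is the fix a server operator would apply. The parser also confirms that the certificate itself was fine for the host: its SubjectAltName covers `*.gsis.gov.ph`, so the failure was purely the missing link in the chain.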
When I presented the powerpoint slide that shows the Mozilla Firefox message, error code and the report on the false certificate, I asked the people in attendance if the GSIS management knew about this. It was confirmed by an unimpeachable GSIS source during my lecture that the DCA of e-GSISMO did indeed lack certain requirements which made the website insecure. Further, this fact was actually revealed to the GSIS management which was notified of the risks. But the management made a business decision to actually release and continue the website’s operation, despite the risks. This is the core of GSIS e-data and services, because they contain very specific detailed confidential and highly sensitive information about specific GSIS members that cannot be retrieved or accessed in other government websites, including the hacked COMELEC sites and computer. For the GSIS management to have approved the operation of the unsecured e-GSISMO site and to advertise it to be used by all GSIS members and retired pensioners, is a very bad business decision that can harm the privacy rights of GSIS members and pensioners and impact on their well being.
If the continued operation of this insecure site results in the actual harm of any GSIS stakeholder, or in the perpetration of a criminal act against any GSIS stakeholder, the GSIS management can be held accountable. I impressed upon the audience that the members of the GSIS Board of Trustees, and its officers, who were apprised of the risks and yet decided to run the site cannot find refuge in the Directors’ and Officers’ Liability Insurance (DOLI) policy. The policy does NOT cover any claim against the insured:
Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or Management, has violated its charter or caused unreasonable damage to its identified stakeholders. xxx
Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or unethical conduct.
I pointed out that a violation of the pertinent provisions of R.A. 10173 is a criminal offense, and a criminal offense is more than mere unethical conduct.
Under Sec. 34 of this law, if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence allowed, the commission of the crime. One lawyer asked if a cybersecurity insurance policy, which I discussed in connection with the protection of GSIS e-data, would cover the members of the BOT. I said that cybersecurity insurance policies generally cover the losses of the corporation itself, like GSIS, due to e-data breaches, not individual corporate officials’ liabilities to the GSIS and to the GSIS members and retired pensioners.
The GSIS and its BOT must be reminded of the NPC decision re: the breach of electorate data kept in the custody of COMELEC, i.e., “the duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action.” In this case, as the unimpeachable source during my lecture confirmed, the GSIS management were already warned of the risks by its own people, and yet decided to continue inflicting this unsecured website on its members and pensioners.
Finally, even if no GSIS member or retired pensioner is actually harmed by the unsecured e-GSISMO website, the BOT members and GSIS officials are still bound by R.A. 10173, as a personal information controller (PIC), to implement the necessary safeguards to protect the e-data of all GSIS stakeholders. I apprised the attendees that these measures, together with the cyber hygiene practices that all PICs in the Philippines must observe on a regular basis, should be part of the corporate social responsibility of all PICs. The National Privacy Commission and the Civil Service Commission must look into this matter.
I wrote this article for the sake of millions of GSIS members (I am not one of them) and retired pensioners who may have used the e-GSISMO insecure website. They deserve better service and treatment. Actually, they deserve the best.
As always, I am grateful to God for this opportunity to ferret out matters like this in the interest of public service. Let us hope that the GSIS BOT and all its officials who are connected to safeguarding the privacy rights of the GSIS members do their jobs properly. God bless us!