Philippine Lawbytes 212: Data Security and Privacy Breaches, Malicious State Actors and Cyber Warfare, Copyright by Dr. Atty. Noel G. Ramiscal

Last March 25, 2022, I had the great privilege to open the Mandatory Continuing Legal Education (MCLE) seminars of the University of Cebu Law School (UCLS) for the 7^th Compliance period, with my lecture on “Protecting Personal and Financial Data from Theft, Privacy and Security Breaches” for the 108 lawyers/attendees via Zoom. This was quite especial because the UCLS is celebrating its 20^th Anniversary this year.

Dr. Atty. Noel G. Ramiscal University of Cebu MCLE lecture March 25, 2022

For this undertaking, I had to apprise every one of the very real cyber threatscape looming over the Philippines. In 2020, more than 7,000 Philippine companies encountered ransomware attacks, and that web threats in the Philippines increased more than 59 percent to some 44.4 million detections in 2020, compared to the year before, according to a Kaspersky report. From January to June of 2021, cyberattacks on Philippine government agencies and the private sector numbered to 5,608,320 (STATISTA, https://www.statista.com/statistics/1268283/philippines-amount-of-cyberattacks/). In the first quarter of 2022, cyberattacks have been revealed against Smartmatic-TIM last January 2022 and the Senate actually conducted a hearing last March 17, 2022. Converge also notified the NPC, last March 10, 2022 of a data privacy breach on its GoFiber app that affected its customers.

The Introductory Slide of Dr. Atty. Noel G. Ramiscal’s University of Cebu MCLE Lecture Powerpoint Presentation

To counter such attacks, I discussed the importance of putting security first in our daily transactions and work ethic. It is unfortunate that the Philippines, like other countries, appear to prioritize data privacy over data security, in terms of its legal framework and the way these two concepts are operationalized and implemented. While data privacy is considered a legal issue, data security is viewed mainly as a technical and business issue. But the reality is, data privacy cannot be achieved without first establishing data security, not the other way around. So it is very important, to have the right kind of people at the helm of an organization’s I.T. infrastructure and operations, implementing and enforcing proper security measures, like encryption, strong passwords, multi-factor authentication, proper backing up of copies of e-data, backing up the back-ups of those e-data copies, applying early and regularly, security patches, and most importantly, educating all the officials and employees about their observance and responsibility for doing the reasonable cyberhygiene practices that can prevent data breaches, particularly at this time, when many people work from home, outside the relative secure confines of the organization’s network system.

It is very important, for organizations, including law firms to be up to date on data security practices. I explicated on why, for example, virtual private networks (VPNs) are considered on the way out, and why the concept and implementation of “Zero Trust Network Access” (ZTNA) should take its place, with the primary objective of properly containing data security threats. For the very first time, I discussed and distinguished between two types of ethical hacking that are not tackled in data security MCLE lectures for lawyers: penetration testing and red teaming. I delved in detail as to what the qualifications these ethical hackers should have, the methodologies they should know, the content of their evaluation report, and the obligations they must comply with, in respect to the organization that hired them to test the network infrastructure and applications this organization utilizes.

The resplendant and brilliant Atty. Josh Carol Ventura giving the Introductory Remarks for the UC MCLE 7th Compliance Period March 25, 2022

One very crucial point that I made is the fact that Philippine law firms of whatever size are attractive targets of hackers for the very rich trove of information they have about their clients. Hackers have used social engineering tactics like phishing and spear phishing to make lawyers, their employees and clients download malware, or click on links to scammy sites that make them reveal important personal information. One of the tips I gave the attendees is to never reveal in their websites or social media accounts the names of their clients, particularly those who are quite prominent, or those in the I.T. industry, or discuss the cases they are handling which involve the sovereignty and claims of the Philippine government.

Aside from rogue employees who would betray their employers’ secrets in the caverns of the dark web, an unfortunate reality that we all must deal with is the presence of malicious state actors that engage in cyberattacks for espionage, IP rights theft, money heists, and lately, ransomware. A cautionary tale I presented was the NanHaiShu malware, a Remote Access Trojan (RAT) that was spread as a file attachment in spear phishing email messages that targeted the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm which was involved in a dispute centering on the West Philippine Sea. enSilo, which investigated the malware, named the Chinese cyber espionage group called the Advanced Persistent Threat (APT) group 10 as responsible for the attacks.

In my February 11, 2022 MCLE lecture for the Legal Management Council of the Philippines, I dissected, as one of the case studies I presented, the Bangladesh Bank heist, and presented never before seen evidence (certainly not in an MCLE lecture) as to the real hackers behind the heist which siphoned of US$81 million from the bank, through various conduits that included the Jupiter branch in Makati, of the RCBC. The heist had been attributed to the Lazarus group, affiliated with North Korea.

In the ongoing war by Russia against Ukraine, the Russian government of course had resorted to its army of hackers, as part of its military campaign. The Microsoft Threat Intelligence Center (MSTIC) reported this year that it detected a malware installed on devices belonging to “multiple government, non-profit, and information technology organizations” in Ukraine. The software, named DEV-0586, and attributed to Russia, was designed to look like ransomware, but it does not have any recovery feature. The MSTIC reported that the malware was programmed to execute when the targeted device was powered down. It was reported that the malware would overwrite the master boot record (MBR) and all the files with certain extensions from a predetermined list, which would delete all data contained in the targeted files.  Even if one paid the ransom, one would not be able to retrieve any data. So its destructive purpose is laid bare. Due to the fact that this type of malware cannot be contained within the boundaries of Ukraine, it is therefore imperative that all of us must be extra careful in opening emails and attachments from unknown sources.   

Prior to the new normal, I had given several MCLE lectures for the UCLS, and special lectures for their students, as well as students from other law schools in Cebu. One thing that struck me with UCLS is, its commitment to excellence and it has an academic culture that values integrity and top notch research. It is therefore an honor to be part of the endeavors of UCLS in bringing relevant and current matters of interest to the Cebu legal community, so thank you to Atty. Stephen Yu for inviting me. It was also such a pleasure to see and hear the resplendent and brilliant Atty. Josh Carol Ventura give the introductory remarks. The vivacious Atty. Lorenil Archival moderated the whole event.

A random photo from Dr. Atty. Ramiscal’s UCMCLE lecture with wonderful comment from a UCMCLE participant, March 25, 2022

To all the MCLE attendees, thank you for giving me a truly gracious and warm reception and for your wonderful comments about my lecture! And to UCLS, Congratulations on your 20^th Anniversary and many, many, more decades of Excellence to Come! God Bless Us Always In All Ways!

Philippine Lawbytes 138: Dr. Ramiscal for the Philippine National Police Investigators: Trends in Anti-Cybercrime Measures (Copyright by Dr. Atty. Noel G. Ramiscal)

I was given the opportunity by the UP POPLAW to lecture for our brothers and sisters in blue on the topic “Cybercrime” as part of the Philippine National Police (PNP) Investigation Officers Basic Course” (IOBC) Class 98-2018, and the “Criminal Investigation Course” Class 561-2018, Seminar on Laws and Jurisprudence for the PNP.

Dr. Atty. Noel G. Ramiscal at his lecture for the PNP Officers and Investigators at UP Diliman, July 4, 2018

The PNP has a competent Anti-Cybercrime Group (ACG), so I took it upon myself to introduce some concepts and developments in this quite expansive area, that these fine investigators may not have yet encountered in their work, or must be apprised of to update their awareness.

Dr. Atty. Noel G. Ramiscal during his lecture for the PNP Officers and Investigators in UP Diliman, July 4, 2018

The Implementing Rules and Regulations of the Philippine Cybercrime Prevention Act or R.A. 10175 defined a “computer” to include “any storage facility or equipment or communications facility or equipment directly related to or operating in conjunction with such device. It covers any type of computer device including devices with data processing capabilities like mobile phones, smart phones, computer networks and other devices connected to the internet.” What this basically meant is that all e-devices that operate with a computing device should also be considered a computer. Due to this, the scope of the task of any PNP cybercrime investigator has been tremendously widened. The Internet of Things (IoT) devices which I briefly discussed, as well as social media, and other e-devices that suspects can use to communicate, or can contain incriminating evidence are all part of the e-data net that cybercrime investigators must now cast. Due to this reality, the possibility of electronic evidence being tampered with, altered, destroyed or lost, is magnified, especially if the e-data are located in different countries, and can be remotely controlled or manipulated.

The PNP Officers and Investigators who gave Dr. Ramiscal a standing ovation in his Lecture at UP Diliman, July 4, 2018

One significant matter I imparted to them is the fact that e-data privacy crimes under the Data Privacy Law or R.A. 10173 are cybercrimes. And while the National Privacy Commission is the governing agency on this law, the help of cybercrime investigators may be needed to establish evidence of culpability. On this regard, I showed them several cases, among which included the COMELEC e-data breaches, that have caused a lot of dismay, disgust and actual and potential damage to the welfare and safety of each individual Philippine voter whose sensitive personal information, down to his/her voting history and biometrics have been disclosed to, and sold to, and bought by nefarious third party e-data traffickers. I discussed several aspects of digital identity fraud, including synthetic ID fraud, that I have handled.

Some of the PNP Officers and Investigators who attended Dr. Ramiscal’s Lecture, UP Diliman, July 4, 2018

I endeavored to go thru the gamut of different cyber scams and fraudulent activities that abound online, from virtual fraudulent states, to digital misappropriation of intellectual property, social media crimes, to ransomware but our three-hour session was just not enough.

Some of the PNP Officers and Investigators who attended Dr. Ramiscal’s Lecture, UP Diliman,, July 4, 2018

I always have a deep respect for the work of our dear brothers and sisters in blue who put themselves in harm’s way to keep us safe. I have met and worked with several cops whose integrity, honesty and dedication are unquestioned. But I was not prepared for the generous reception they gave to me. For the first time in my almost two decades stint as a lecturer and trainer, the wonderful attendees of these two classes actually rose from their seats and gave me a standing ovation! My mother who was with me, and I, will never forget that moment! To them, thank you for your awesomeness! God Bless us!

LAWBYTES 129: BEWARE TO ALL: THE GOVERNMENT SERVICE INSURANCE SYSTEM WEBSITE IS NOT SECURE! A REQUEST FOR SUA SPONTE ACTION BY THE NATIONAL PRIVACY COMMISSION (Copyright by Dr. Atty. Noel Guivani Ramiscal)

Note: PLEASE CLICK ON PICTURES TO MAKE THEM BIGGER

In my Mandatory Continuing Legal Education (MCLE) lecture for the GSIS last July 26, 2017, I was informed by an unimpeachable source that the digital certificate authority (DCA) the GSIS is using for its website is “C Trust Wave(?)”. I placed the phrase in question marks because I know of TrustWave as a DCA, but I am not familiar with what the source said. This DCA is the one supposedly used by the pertinent reseller to GSIS. According to the unimpeachable source, the “GSIS management” [which was the term used by the source all throughout my discussion with this source] was informed that the digital certificate issued to GSIS was weak, and of the security risks involved. But GSIS is still using it because it was a “business decision”. The GSIS management figured that the risks of e-data breach were not great. Using the analogy of the unimpeachable source, to the GSIS management, it would not make sense in buying and using a P100,000 steel bolted door, when an ordinary wooden door would do, to secure the e-data assets of GSIS. The unimpeachable source does not even use the GSIS website in the source’s personal GSIS transactions.

If the e-GSISMO site is not secure as I confirmed in my research, and interaction with the GSIS unimpeachable source during my MCLE lecture, I theorized that the whole GSIS website is not secure because the e-GSISMO site is essentially linked with the GSIS site.

To set about proving my theory, without hacking the GSIS system, I utilized the three search browsers that the GSIS website endorsed and recommended, i.e., Mozilla Firefox, Google Chrome and Internet Explorer.

GSIS expose NETOPIA time stamp and endorsement of GSIS site of Mozilla Firefox Google Chrome Internet Explorer picture copyright DRATTYNGRAMISCAL

BEFORE I CONTINUE, PLEASE NOTE THESE DISCLAIMERS AND DISCLOSURES:

1. I AM NOT CLAIMING COPYRIGHT OR ANY FORM OF INTELLECTUAL PROPERTY ON THE CONTENT FOUND IN THE PICTURES I TOOK OF THE GSIS WEBPAGES. BUT I DO HOLD THE COPYRIGHT TO THE PICTURES I TOOK OF THE COMPUTER SCREENS WHICH IS DIFFERENT FROM THE CONTENT ON THE GSIS SITE.

2. TAKING THE PICTURES AND REPRODUCING THEM ON MY BLOGSITE IS THE ONLY TECHNOLOGICALLY FEASIBLE AND DEMONSTRABLE WAY TO SHOW THE PROOF OF THE INSECURITY OF THE WHOLE GSIS WEBSITE AND ITS INDIVIDUAL WEBPAGES.

3. GSIS CANNOT CLAIM COPYRIGHT ON THE RELATED MESSAGES AND ARTICLES OF THE BROWSERS REGARDING THE INSECURITY OF ITS WEBSPAGES AND WEBSITE BECAUSE THESE EMANATE FROM THE BROWSERS.

4. I TOOK THE PICTURES AND WROTE THIS ARTICLE FOR ACADEMIC, RESEARCH AND NON-COMMERCIAL PURPOSES TO SHOW THE INSECURITY OF THE GSIS WEBSITE IN THE INTEREST OF PUBLIC SERVICE AND THE PUBLIC GOOD.

5. I DID NOT ENGAGE IN ANY HACKING ACTIVITY. WHAT I DID HERE CAN BE DONE AND CONFIRMED BY ANYONE WHO HAS ACCESS TO A COMPUTER THAT HAS THE THREE BROWSERS, AND ACCESS TO THE INTERNET. I USED GOOGLE, YAHOO! AND BING SEARCH ENGINES TO FERRET OUT THE GSIS WEBSITE.

6. I DID THIS ON MY OWN AS A DATA PRIVACY ADVOCATE, WITHOUT RECEIVING ANY FORM OF REMUNERATION OR EVEN TECHNICAL HELP FROM ANYONE.

7. I AM NOT A GSIS MEMBER. BUT I HAVE RELATIVES AND FRIENDS WHO ARE. I DID THIS FOR THEM AND FOR ALL THE MILLIONS OF GSIS MEMBERS, PARTICULARLY RETIRED GSIS PENSIONERS, WHOSE INTERESTS DESERVE PROTECTION.

TESTING MY THEORY

To test my theory, I browsed different pages of the GSIS site. I utilized different computers to access the GSIS site with these different browsers. I did my browsing on different days: July 27, 29, 31, August 1, 3, 2017.

Here are the results of my Internet examination of the browsers’ responses to queries about GSIS. For representative brevity, I chose samples of pictures I took of different screenshots of the GSIS website, and of the browsers’ responses to my GSIS queries. Any of you, my dear readers can follow and verify the steps I took. This does not require any special IT skill.

FOR MOZILLA FIREFOX

I present two samples of web pages from the GSIS website accessed through the Mozilla Firefox browser. Please notice dear readers the insecure padlock icon situated opposite the Universal Resource Locator (URL) on the page, utilized by the Mozilla Firefox, which is highlighted with the image of a sign that represents the mouse/pointing device. This would be located on the upper left portion of the computer screen.

Here is a picture of the pensioners’ page:

GSIS expose Pensioners page insecure padlock symbol picture copyright DRATTYNGRAMISCAL

Here is a picture of the news release pertaining to the GSIS’ transitioning to ISO 9001:2015:

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 picture copyright DRATTYNGRAMISCAL

For now, let us just concentrate on the pensioner’s section. If any of you dear readers would click on the padlocked symbol, you would be greeted with a message bar on the left portion of the computer screen. The first message from Mozilla Firefox is “www.gsis.gov.ph Connection is Not Secure The login information you enter on this page is not secure and could be compromised”.

Picture of Message bar

GSIS expose pensioners page greeting of insecurity picture copyright DRATTYNGRAMISCAL

If you click on the “>” sign, you would be led to the reiteration of the Pensioners’ page with a Message Bar highlighting in blue font the phrase “Learn More”.

Picture of Learn More

GSIS expose Pensioners page connection not secure learn more picture copyright DRATTYNGRAMISCAL

If you click on “Learn More”, you would be led to a different and secure Mozilla Firefox page containing an article that explains the “Insecure password warning in Firefox”.

Picture of Mozilla Firefox article

GSIS expose Pensioners page learn more leading to Mozilla Firefox page detailing insecurity of page picture copyright DRATTYNGRAMISCAL

This page stated that “(t)his is to inform you that if you enter your password it could be stolen by eavesdroppers and attackers.” Furthermore, the article warned that personal information should not be entered in insecure pages like the GSIS site.

NOTE ON THE ICON:

In other computers, instead of the insecure padlock sign, the icon would resemble rotating blades:

Picture of blade icon:

GSIS expose NETOPIA Rotating Blade Icon Mozilla firefox insecure GSIS site picture copyright DRATTYNGRAMISCAL

ACCESSING THE E-GSISMO SITE

In going to the e-GSISMO site from the GSIS site, one would be confronted with this warning by the Mozilla Firefox:

Picture of warning

GSIS expose NETOPIA EGSISMO site uses an invalid security certificate Mozilla firefox picture copyright DRATTYNGRAMISCAL

FOR GOOGLE CHROME

Using Google Chrome, once you access the GSIS active home page, you would notice that there is an icon comprising of the small letter “i” within a circle. This is located opposite the URL of the GSIS site. If you bring your mouse/pointing device near the icon, a message will pop saying “View site information”.

Picture of icon and message

GSIS Google Chrome expose view site information active home page picture copyright DRATTYNGRAMISCAL

Once you click on the icon, you would be shown a message saying “Your connection to this site is not secure” and other details. There is also a phrase in blue font that states “Learn more”.

Picture

GSIS Google Chrome expose connection is not secure active home page picture copyright DRATTYNGRAMISCAL

Once you click on the phrase “Learn more”, you would be led to a different secure Google Chrome site with an article explaining what the icon of “i” with a circle means.

Picture

GSIS Google Chrome expose connection is not secure GOOGLE CHROME explanation active home page picture copyright DRATTYNGRAMISCAL

The Google Chrome article states that the icon signifies that “(t)he site isn’t using a private connection. Someone might be able to see or change the information you send or get through this site”.

FOR INTERNET EXPLORER

For those using Internet Explorer 10 or 11, and with private computers that are configured to have the most secure settings, the experience can be frustrating. I tried accessing the e-GSISMO and other pages of the GSIS website for several days, but could not. This is a typical message that I got:

Picture “This page cannot be displayed”.

Internet Explorer simple search for GSIS yields no display, picture copyright DRATTYNGRamiscal

At other times, when I type “GSIS” on the Bing engine on Internet Explorer, I would be confronted with a listing of search request rejections due to unavailability or web security violations.

Picture of the search request rejections

Internet Explorer rejections of request for GSIS site or pages, picture copyright DRATTYNGRamiscal

Since the search request rejections are cached, I decided to click on the cached version of one of the rejections.

Picture of the cached link

Internet Explorer rejection of GSIS website request cached page, picture copyright DRATTYNGRAMISCAL

I was then confronted with this message from the cached page:

Picture

Internet Explorer content of GSIS website rejection cached page picture copyright DRATTYNGRAMISCAL

The Internet explorer experience mirrors what I experienced when I tried to access the e-GSISMO page within, the GSIS site using the Mozilla Firefox: Nothing. Both browsers prevented me from accessing the web page due to security reasons.

The Mozilla Firefox was quite emphatic in its explanation for the error code I showed to the GSIS lawyers last July 26, 2017. It said that “Firefox must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Firefox will stop the connection to the website and show a “Your connection is not secure” error message instead [https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox?as=u&utm_source=inproduct]”.

CAVEAT: PUBLIC COMPUTERS

But when I tried accessing the GSIS website on public computers in internet cafes like Netopia and other cafes in Laguna, I was able to access the site without any apparent issue. However, the different pages of the GSIS website are not encrypted. I will say more about this in the next section.

POSSIBLE LEGAL BASES OF VIOLATIONS OF R.A. 10173 BY THE “GSIS MANAGEMENT”

PHOTOGRAPHIC PROOF

INTERNET EXPLORER

Even if one uses the public computers in internet cafes and access the GSIS website, that does not mean that such access can be safe. If you dear reader would right click on a GSIS webpage (not the e-GSISMO site), like the Pensioners’ page and click on “Properties” using the Internet Explorer browser like so:

Picture

GSIS expose Internet Explorer Pensioners GSIS page Properties picture copyright DRATTYNGRAMISCAL

You, my dear reader, would be confronted with this message on the left upper portion of the computer screen, stating that the connection is not encrypted.

Picture

GSIS expose NETOPIA Unencrypted state of GSIS site in Internet Explorer picture copyright DRATTYNGRAMISCAL

If you click on “Certificates” you would have the message that this “(t)ype of document does not have a digital certificate”.

GSIS expose NETOPIA No Digital Certificate of GSIS site in Internet Explorer picture copyright DRATTYNGRAMISCAL

MOZILLA FIREFOX

The Mozilla Firefox browser’s message alerts made it very clear that the GSIS website is not encrypted. I offer two illustrations of this.

Let us go back to the Pensioners’ page. When any of you dear readers would click on the unsecure padlock sign, you would encounter this message on the upper left portion of your computer screen, with the phrase “More Information” on the gray lower portion of the message.

Picture

GSIS expose Pensioners page how do you know status of encryption click more information picture copyright DRATTYNGRAMISCAL

When you click on the phrase “More Information” you will be given a different message regarding the status of encryption of the GSIS website, in this case of the Pensioners’ page:

Picture of the encryption status

GSIS expose Pensioners page connection not encrypted picture copyright DRATTYNGRAMISCAL

This message repeats itself on different pages of the GSIS website. For example, let us go back to that News Press regarding the GSIS transitioning to the ISO 9001:2015. You, my dear reader would encounter the same message.

Picture of the encryption status

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 no encryption of GSIS site Mozilla Firefox picture copyright DRATTYNGRAMISCAL

The messages concerning the non-encryption status of the GSIS website shows that the digital certificate for the website had not, and could not be verified by Mozilla Firefox. The unimpeachable GSIS source mentioned “C (See?) Trust Wave(?)” as the DCA which Mozilla Firefox does not recognize.

The messages also contained the warning that “(i)nformation sent over the Internet without encryption can be seen by other people while it is in transit”.

LEGAL BASES:

THE LEGAL REQUIREMENT OF ENCRYPTION WHICH THE GSIS MANAGEMENT DID NOT FOLLOW

Under SEC. 23 of R.A. 10173, “(a)ny technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission”.

The National Privacy Commission (NPC) required in Sec. 8 of “NPC Circular 16-01 – Security of Personal Data in Government Agencies” dated 10 October 2016, “(a)ll personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard”.

These provisions can and should be made to apply to government websites like the GSIS, which store personal information of its clients, employees and officials, which are made accessible to these people anywhere, via the Internet. Both the law and the NPC Circular are quite clear in their absolute directive. There are no exemptions or excepting circumstances that allow for the non-encryption of the personal data contained in these websites.

Furthermore, the law and the NPC directive did not make any instance as a precondition for encryption. So it is immaterial if no GSIS member had ever been actually harmed by using the unencrypted site of the GSIS.

THE VULNERABILITY OF THE GSIS SITE AS THE DIRECT RESULT OF THE GSIS MANAGEMENT’S “BUSINESS DECISION”

I must re-emphasize that according to the admission of the GSIS unimpeachable source whom I directly spoke to during my July 26, 2017 lecture, the GSIS management were apprised of the risks of having an unsecured website but they decided to continue the site’s operation as a “business decision”.

The Price to be Paid for an Unencrypted State

It bears noting that the continued unencrypted and unsecured state of the GSIS website makes it a prime target for several cybercriminal activities, including defacement and hacking. The information sent by GSIS members using this unsecured site can be intercepted and even altered. The content of that information can be stolen if valuable to the eavesdropper or interceptor.

The IoT and E-Data Aggregation

I must emphasize that all users of computers and e-devices all over the world are now connected to the “Internet of Everything” (IoT). You, my dear readers, who use your laptops, your smart phones, your Fitbit devices, other wearable devices and other smart appliances that are connected to the Internet, are subject to data collection by entities like the manufacturers of these devices, and other entities whose intent may be malicious. In using the Google Chrome browser in accessing the GSIS website, the insecure message posted by Google Chrome also include the notice that “Cookies” are utilized to collect information about the user of the site.

GSIS Google Chrome expose connection is not secure active home page picture copyright DRATTYNGRAMISCAL

Depending on the type and nature of the cookies, this means that the user’s log-in information, device information, telephony details, IP address, and other identifying data about the user and/or his/her e-devices are collected. Since the GSIS site is unencrypted, any information entered by the user, for example, matters pertaining to auto shield insurance or home insurance in the GSIS site, can be seen by any interceptor or eavesdropper. At the hands of a knowledgeable and efficient cyber criminal, all these e-data can be aggregated to pinpoint the identity, habits and concerns of a particular user and used against that user.

Ransomware

In my lecture for the GSIS lawyers, I mentioned also the possibility of their organization being targeted with ransomware. Because the GSIS website is not encrypted, it is easier for any attacker to hijack the information, encrypt it, demand ransom, thus making it inaccessible, not merely to the GSIS members and pensioners, but even to the GSIS website administrator/operator/maintainer.

Possible Liability of GSIS Management

Sec. 20 (b) of R.A. 10173 imposes the legal obligation on a personal information controller, like the GSIS to “implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination”.

As I made very clear in my book “Cryptology: The Law and Science of Electronic Secrets and Codes”, encryption is one of the necessary safeguards that are crucial in protecting the security, confidentiality and authenticity of e-data. It is also one of those cyber-hygiene tools that should be utilized by any organization that processes the personal data of anyone. Employing encryption should be considered part of a corporation’s social and legal responsibility.

In this case, the “business decision” of GSIS management in letting the GSIS website remain unsecured, unencrypted and basically a target for hacking, as shown by the Mozilla Firefox message, evidently violates the unequivocal letter and intent of the law and the NPC directive.

Sec. 34. of R.A. 10173 provides that if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.

As I pointed out in my previous article on the insecurity of the e-GSISMO website, the Directors’ and Officers’ Liability Insurance (DOLI) policy of the GSIS will NOT cover any claim against the insured BOT members and officials in these two clear instances:

Where the court, tribunal, or administrative agency finds that the GOCC, acting through its Board of Directors or Management, has violated its charter or caused unreasonable damage to its identified stakeholders.xxx

Where liabilities arise from the director’s/trustee’s or officer’s fraud, breach of fiduciary duties, or unethical conduct.

THE GSIS MEMBERS BEING DENIED ACCESS TO THE GSIS SITE DUE TO THE INSECURITY OF THE WEBSITE

Another important violation here of the GSIS members’ and pensioners’ rights is the right to access their personal information in the GSIS website, including the e-GSISMO site. GSIS members and pensioners using the Internet Explorer (depending on several factors) and the Mozilla Firefox would be denied access to the e-GSISMO site because of “web security” violations, or the site’s connection is “untrusted” as evidenced from the messages that the two browsers would post to the computer screen of anyone who tried to access the e-GSISMO site. Due to the site’s insecurity, GSIS members and pensioners are actually discouraged to use the website. They cannot access their personal information, e.g., the status of their GSIS loans, the amount of their loans and the interests, the tentative computation of their pensions, etc., which are all very personal, sensitive and exclusive to each of them.

Furthermore, due to the website’s insecurity, GSIS members and pensioners are forced to conduct their transactions with the GSIS personally, which defeats the purpose of setting up the website to prevent long queues in GSIS offices and avoid waste of time, travel and other expenses on the part of the GSIS members and pensioners.

Under Sec. 16 (c) of R.A. 10173, the GSIS members and pensioners are granted the right of reasonable access to their personal information that is stored and processed through the GSIS website. The law allows GSIS members and pensioners access to, and upon demand, retrieve the “(1) Contents of his or her personal information that were processed; (2) Sources from which personal information were obtained; (3) Names and addresses of recipients of the personal information; (4) Manner by which such data were processed; (5) Reasons for the disclosure of the personal information to recipients; (6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject; (7) Date when his or her personal information concerning the data subject were last accessed and modified; and (8) The designation, or name or identity and address of the personal information controller” which can be contained in the e-GSISMO or GSIS website. The purpose for this access is to allow GSIS members and pensioners to check the accuracy of their personal information and the data that GSIS had processed, and to demand indemnity for damages due to “inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information” [Sec. 16 (f)] that GSIS processed.

Thus, the insecurity of the GSIS website and webpages actually prevents GSIS members and pensioners to exercise these rights granted to them as data subjects under R.A. 10173.

RES IPSA LOQUITUR

There is an applicable legal principle that law students learn in their Statutory Construction class, i.e., res ipsa loquitur, which means “the thing speaks for itself”. “(W)here the thing which caused the injury, without the fault of the injured, is under the exclusive control of the defendant and the injury is such that it should not have occurred if he, having such control used proper care, it affords reasonable evidence, in the absence of explanation that the injury arose from the defendant’s want of care, and the burden of proof is shifted to him to establish that he has observed due care and diligence” (Professional Services Inc., v. Agana, G.R. No. 126297, January 31, 2007, Supreme Court, 1st Division). In case any GSIS member or pensioner suffers any injury due to the insecurity of the GSIS website, that injury may be attributed to the “GSIS management” because the business decision to unleash this insecure website is theirs alone and they had exclusive control in terms of the decision power to set the course of operation of the GSIS website.

NPC ACTION ON THIS MATTER, SUA SPONTE

One of the lawyers represented during my MCLE lecture that GSIS is seeking a one year extension from the National Privacy Comission (NPC) to observe the R.A. 10173’s requirements. I asked the audience why should GSIS be given this extension, unlike the other PICs. I reminded them that R.A. 10173 has been passed in 2012 and the GSIS should have striven to comply with its requirements way back then. Besides, the NPC has been operating on this principle and set the deadline for all PICs as September 2017.

A one year extension might give GSIS another one year of institutional inertia or delay to fix the insecurity of its website. This must not be allowed because the GSIS website and its related sites, particularly the e-GSISMO contain crucial personal information that are vital to the economic security of millions of GSIS members and retired pensioners. If the GSIS management continue to use insecure websites, then GSIS must stop altogether the processing, including the storage of all the personal information of all its active and inactive members on these sites.

Since I am not a current GSIS member, I have no legal standing to bring a complaint against the GSIS to the NPC. I would leave it to you, dear reader, who may be a GSIS member to do this.

However, the NPC under its own rules, declared that the Commission, “sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the Act” [Sec. NPC Circular 16-04 – Rules of Procedure, dated 15 December 2016].

“Sua sponte” means that the NPC itself can take cognizance of this matter. It is a Latin term that means “of one’s own accord” or “voluntarily”.

That is the reason why I have emailed the URL of this article to Commissioner Liboro and Deputy Commissioner Patdu and to the email address for complaints to NPC. With this expose, I trust that the NPC would do their own investigation and confirm and rule on this matter.

FOR GSIS MEMBERS: WHERE TO FILE COMPLAINT

If any of you, dear readers, have been affected by the unsecured, unencrypted website of the GSIS, if your e-data regarding your personal information, membership, loans, pensions have been compromised, or if you cannot even access these personal information because you had been prevented from doing so by the browsers which did not accept the digital certificate of the GSIS website or had warned you of its insecurity, and thus did not proceed to bring you to the GSIS page or site you desired, you definitely suffered damage.

Under R.A. 10173, you can file a complaint against GSIS and seek for damages, as part of your legal rights as a “data subject”. The privilege of government agencies known as immunity from suit, should not prevent the NPC from proceeding with your complaint because, the damage was done by responsible and informed officials in this agency, acting clearly in disregard of R.A. 10173, not the agency itself.

To proceed with your complaint, kindly read the procedural rules of the NPC Circular 16-04 – Rules of Procedure here:

Click to access sgd-npc-circular-16-04-rules-of-procedure.pdf

You can electronically file your complaint by email, bearing in mind this instruction:

[If] submissions are made through e-mail, all electronic documents must be submitted to complaints@privacy.gov.ph, copy furnished any and all other parties to the complaint (Sec. 8).

Please take heart in the fact that the NPC has previously dealt with another major data privacy violator, the COMELEC, admirably. Its decision against COMELEC and against its current Chair, Andres Bautista, showed that it did not apply the immunity from suit principle, but the letter and intent of R.A. 10173 to vindicate all our data privacy rights as voters.

CONCLUSION:

What has been happening here is truly and absolutely inexcusable. It is mind boggling and unconscionable that an agency of the government, in charge of managing billions, if not trillions of Philippine pesos constituting the contributions and pensions of its members, and which has deep pockets for utilizing the Internet and its innovations to supposedly serve its clients and members, had intentionally scrimped on its budget as a “business decision” and left its website vulnerable to hacking.

The GSIS purportedly received several ISO certifications. Those in the know would know that getting these certifications entailed a lot of money and hard work. Its latest ISO certification bandied about in its “news” last July 28, 2017, was ISO 9001:2015. GSIS Officer in Charge Nora Malubay Saludares presented in the annual forum on Quality Management System the GSIS experience.

GSIS expose News regarding GSIS transitioning to ISO 9001 2015 picture copyright DRATTYNGRAMISCAL

The press release ran:

The Forum which was held last Wednesday and Thursday (26 to 27 July 2017), highlighted the impact of ISO 9001 9001:2015-based QMS on business operations. GSIS received the ISO 9001:2015 certification for its QMS on loan processing and membership administration in March this year. In 2015, GSIS was conferred the ISO 9001:2008 for its loan processing only [bold italicized emphasis supplied].

The question that must be asked then: How can an agency that processes millions of personal information regarding its members’ loans and other membership details which are contained in its e-GSISMO website receive an ISO certification on these matters, when its own website that houses these relevant e-data is completely insecure and vulnerable to hacking, and does not even have a decent encryption system?

This is not mere ignorance or mere misappreciation by the GSIS BOT/management. They had been forewarned by the risks by their own people. They do not have to be warned by any outsider. This is wilful mismanagement of e-data. It shows simply, the utter and gross disregard by the GSIS BOT/management of the importance of securing the personal e-information of all its members that goes against the very principles of data processing and the legal rights of data subjects enshrined in R.A. 10173.

And take note dear readers, GSIS recently concluded a contract with another provider to operate their Skype appointment system. When I questioned the audience concerning the e-data privacy requirements that should have been included in the Terms of Reference in the procurement process, no one could answer me.

Paraphrasing Edmund Burke, in order for this iniquitous state to continue, it is enough that those in the know, do nothing. I refuse to let this state continue. Now my dear readers, all of you also know. I trust you all to do something!

Thank you.

God Bless Us!

Lawbytes 115: The Extra-Territorial Prosecution of Cyber Privacy Predators and Cybercriminals, Copyright by Dr. Atty. Noel G. Ramiscal

August 15, 2016 was an extra special day for my advocacies on several levels. It was the day when I got to debut a very new and hot topic for the UP IAJ [through the urging of the wonderful Ms. Mabel Perez] in their Mandatory Continuing Legal Education (MCLE) seminar series. This lecture, which I entitled “Trends and Issues in the Prosecution of Cyber Privacy Predators and Personal Information Thieves” is in all probability, the first time that would be tackled by any MCLE lecturer in the Philippines. The National Privacy Commission (NPC) was just established last March 8, 2016, despite the fact that the law (R.A. 10173) creating it was passed in 2012, and up to now, the lmplementing Rules and Regulations (I.R.R.) that the NPC was tasked to promulgate is still in the process of being finalized.

Dr. Atty. Noel G. Ramiscal, at his August 15, 2016 MCLE lecture for UP IAJ

The proposed I.R.R. seeks to create a Data Security and Compliance Office, a Legal and Enforcement Office and a Privacy Policy Office which are all crucial to the NPC, because as a quasi-judicial body, it would be deciding on data privacy violations arising from the different and new cybercrimes concerning data processing that R.A. 10173 established. Since the NPC is swamped with many issues concerning its existence and operations, I figured my lecture can help clarify some of these issues and point to some trends, standards or guidelines that these new offices need to be apprised of to do their jobs effectively.

I went through many essential concepts that are unique to the Data Privacy law, for a very attentive and receptive audience (none of whom slept during my lecture): from the right of informational privacy that was developed in Europe after the Second World War and the right to informational self-determination which was first recognized as a constitutionally guaranteed right in 1983 by the German Constitutional Court; to the explication of the right to be forgotten, and the relevance of our very own writ of habeas data in enforcing this right; to the right of portability and how that right had been enforced in some jurisdictions; to the right of transmissibility and my own advocacy for the establishment of a Digital Inheritance Law in the Philippines which would give access to the heirs of a decedent, and the police and prosecutors to e-data, particularly emails and social media e-data, that can give a clue to any foul play or crime that was perpetrated on the decedent; to the different types of identity theft, impersonation and misappropriation of personal information; to the role of encryption in securing our privacy; to the electronic means of stealing personal information like spamming and ransomware; to the types of electronic evidence that prosecutors should recognize and present in court as incriminating evidence; and everything in between.

Dr. Atty. Noel G. Ramiscal with Former Philippine Vice President, Atty. Jejomar C. Binay and a group of brilliant Ibanag lawyers who attended his MCLE LECTURE, AUGUST 15 2016

One of the most important concepts I discussed at some length is the extra-territorial application of R.A. 10173, as well as the Cybercrime Prevention Act (R.A. 10175). Prior to these laws, law students and lawyers were only taught criminal laws are primarily territorial in application, and the only way that courts can have jurisdiction over the person of the accused would be through the latter’s arrest, voluntary surrender or arraignment appearance.

The two laws changed all previous conceptions of the territorial application of Philippine criminal laws by broadening their scope. R.A. 10175 made it easier to file any cybercrime case in a Philippine cybercrime court, even if the offender is not in the Philippines so long as any of these jurisdictional requirements are met: if the computer system which was used to commit the crime is situated wholly or partially in the Philippines; or when the offender is a Philippine citizen; or when any of the elements were committed in the Philippines; or when the offended party, natural or juridical, was in the Philippines when the offense was committed and experienced damage here.

In a similar manner, R.A. 10173 and its proposed I.R.R. made filing a cybercrime case for any unlawful data processing of the personal information of a data subject apparently simpler, by requiring the fulfilment of any of these conditions: the data wrongfully processed belongs to a Philippine citizen or resident; or the data processor [personal information controller or personal information processor] has a Philippine link. The linkage can be through the fact that the data processor processes personal information in the Philippines; or carries business in the Philippines; or uses equipment located in the country, or maintains an office, branch or agency in the Philippines for processing of personal data; or has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information. If the data processor processes the personal information outside the Philippines, it could still be held liable as long as the information is about Philippine citizens or residents. Other links include the data processor having entered into a contract in the Philippines; or if it’s not incorporated in the Philippines, it somehow “has central management and control in the country”.

Some lawyers who attended Dr. Noel G. Ramiscal’s MCLE lecture PROSECUTING CYBERPRIVACY PREDATORS, AUGUST 15, 2016

While these jurisdictional “links” or anchors that Philippine prosecutors can now use to go after cybercriminals in other countries legally exist, I gave a cautionary note in their enforcement. In this “cloud” era, incriminating or offending data can easily be transferred to different servers in different countries and the challenge for the prosecution is how to have access to these data, present them in a Philippine court and bring the criminals to justice. In the controversial and recently decided case involving the US government against Microsoft, Microsoft refused to honor and moved for the quashal of the search warrant issued by District Judge Francis of the Southern District Court of New York that would have given the US DOJ and FBI access to the electronically stored data of a person under investigation for drug charges. Microsoft’s refusal was based on the fact that the data which belonged to one of its customers is physically stored in a server located in Dublin, Northern Ireland. The case was elevated to the Chief Judge of the same District Court of New York who affirmed the findings of Judge Francis.

The District Court’s rulings were based on the appreciation of the nature of search warrants for cloud e-data. The court noted that it is a “hybrid order” that is “executed like a subpoena in that it is served on the ISP [Internet Service Provider] in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the email account in question.” The service of the warrant and the seizure of the e-data can be completed not from the physical location of the server but from any remote location by a certified Microsoft owned computer that has lawful access to, and control of the e-data. The relevant test is not one of location, but of control. In ruling like this, the District Court overturned the territorial principle in the application of search warrants outside of the U.S.

As expected, Microsoft appealed this decision to the U.S. Court of Appeals, and the Second Circuit of the Court of Appeals came out with a decision last July 14, 2016 reversing the District Court’s ruling, and vindicating the privacy rights of the subscribers of Microsoft’s cloud services. The Court of Appeals, through Judge Susan Carney, emphatically stated that the U.S. Stored Communications Act, under which the search warrant was issued, was intended by the U.S. Congress to apply only to information that is domestically stored in the U.S., and not to e-data that are physically located outside its boundaries. To decide in the manner of the District Judge would mean the abandonment of the time honoured territoriality principle which the Court of Appeals stated “(w)e are not at liberty to do so.” The Court of Appeals, among others, reversed the decision of the District Court and remanded the case back to it with instructions the quash the search warrant, insofar as it directs Microsoft to produce customer content outside of the U.S.

Some of the lawyers who attended Dr. Ramiscal’s lecture on Prosecuting Cyberprivacy Predators and ID Thieves, AUGUST 15 2016

One comment that I have on this is that the US government pursued this process in order to evade the Data Privacy Law of Northern Ireland and bypass the Mutual Legal Assistance Treaty (MLAT) process it has with this country, as shortcuts. But it took them longer than they imagined. This case was brought to Judge Francis last 2013, and decided by the Court of Appeals in July 14, 2016. Had the U.S. Government gone through the MLAT process, it might have succeeded in getting the e-data it required in a shorter time, instead of having the lengthy litigation which proved futile for its cause, and the negative publication it received from the international diplomatic and business community.

Since R.A. 10175 expressly mentioned MLATs as a way of enforcing its provisions, it is my suggestion that this is a valuable tool in the arsenal of prosecutors, which they must master, in terms of going after criminals outside Philippine territory. Under the law (R.A. 10844) creating the Department of Communication Information Technology (DCIT), this agency was placed in charge of the Cybercrime Investigation and Coordination Center (CICC) which would be attached to it. The law specifically stated “(i) All powers and functions related to cybersecurity including, but not limited to the formulation of the National Cybersecurity Plan, establishment of the National Computer Emergency Response Team (CERT), and the facilitation of international cooperation on intelligence regarding cybersecurity matters are transferred to the Department”. Under this set-up, the DCIT will be engaged with the DOJ in terms of the international aspects of cybercrime. The DCIT must also be apprised with the MLATs, etc., so it can do its tasks well. The Philippines’ MLAT with the U.S. offers several measures that could effectively facilitate the production of evidence and even the forfeiture of the proceeds of the crimes committed against Philippine citizens by people or entities domiciled in the U.S. In fact, this could be used to go after the U.S. owners of the “wehaveyourdata.com” site which published the personal information of over 40 million registered Philippine voters in the massive breach of the Commission on Elections (COMELEC) e-database.

DR. RAMISCAL’S SKETCH BY ATTY. ADAN

One of the reasons why I said this was an extra-special occasion for me is that I got to meet the former Vice President of the Philippines, who is a very distinguished lawyer himself, Atty. Jejomar C. Binay, and a host of several Ibanag lawyers who are brilliant in their own fields who attended my lecture. It was also on this event that Atty. Dan Adan, a multi-talented lawyer, presented me with his pencil sketch of my image while I was lecturing. That was truly a first!

Warmest gratitude to UP IAJ, Prof. Daway and all their truly supportive staff, and the splendid lawyers who gave me their undivided attention and genuine interest for the two hours that I spent with them! God Bless Us!