P.S. Res. No. 260 De Lima Directing Probe on Electoral Reforms

 
 
Philippine Senate (P.S.) Res. No. 260 authored by Senator Leila de Lima "DIRECTING THE SENATE COMMITTEE ON ELECTORAL REFORMS AND PEOPLE’S PARTICIPATION TO CONDUCT AN INQUIRY, IN AID OF LEGISLATION, ON THE CURRENT STATE OF THE VOTERS DATABASE."

Source: PDF File

 
 

SEVENTEENTH CONGRESS OF THE )
REPUBLIC OF THE PHILIPPINES )
First Regular Session )

SENATE

P.S. RES. NO. ___260____


Introduced by SENATOR LEILA M. DE LIMA


RESOLUTION


DIRECTING THE SENATE COMMITTEE ON ELECTORAL REFORMS AND PEOPLE’S PARTICIPATION TO CONDUCT AN INQUIRY, IN AID OF LEGISLATION, ON THE CURRENT STATE OF THE VOTERS DATABASE IN THE CUSTODY OF THE COMMISSION ON ELECTIONS THAT WAS HACKED BY THE GROUPS ANONYMOUS PHILIPPINES AND LULZSEC PILIPINAS, LEADING THE NATIONAL PRIVACY COMMISSION (NPC) TO DECIDE AGAINST THE COMMISSION ON ELECTIONS FOR VIOLATION OF THE DATA PRIVACY ACT OF 2012, WITH THE END IN VIEW OF INSTITUTING REMEDIAL LEGISLATIVE MEASURES THAT WILL ENSURE THAT THE GOVERNMENT ACCOMPLISHES ITS CONSTITUTIONAL DUTY OF PRESERVING THE SANCTITY AND INTEGRITY OF THE ENTIRE ELECTORAL PROCESS, BEGINNING WITH THE PROTECTION OF THE VOTERS REGISTRATION PROCEDURE AND ALL DATA APPURTENANT THERETO, AND PROTECTING THE EXERCISE OF SUFFRAGE FROM ALL FOREIGN AND DOMESTIC THREATS.


WHEREAS, on March 27, 2016, hackers claiming affiliation with the group Anonymous Philippines hacked into the website of the Commission on Elections (Comelec), defacing it with a message that read “Anonymous Philippines. Greetings Philippines! We are Anonymous. The Constitution so asserts that ‘Sovereignty resides in the people and all government authority emanates from them.’ One of the processes by which people exercise their sovereignty is through voting in an election – where people choose the candidates who will best represent them, who will serve them under the principle that ‘Public office is a public trust.’ But what happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld? We request the implementation of the security features on the PCOS machines. Commission on Elections, We are watching. We are Anonymous, We are legion, We do not forgive, We do not forget. Expect us.”;1

WHEREAS, on the same day, a separate group of hackers, LulzSec Pilipinas, posted an online link to what it claimed to be the entire Comelec database affecting some 55 million registered voters. The next day or on March 28, LulzSec Pilipinas updated its post to add three (3) mirror links to an index of files that could be downloaded.2 All in all, LulzSec Pilipinas released 16 databases that were allegedly retrieved from the Comelec website. Reports said that about 338 to 340 gigabytes (GB) of file size were contained in these 16 databases, the data of which seem to refer to election-related data, like “candidates”, “partylist”, “elected” and “stats”;

WHEREAS, it was only at 3:15pm (PST) on March 28, 2016, that the Comelec website supposedly returned to normal.3 According to Trend Micro, a security firm that conducted its own investigation on the extent of the data breach, the hacking incident was tagged as the biggest private data leak in Philippine history, leaving millions of registered voters at risk;4

WHEREAS, on April 12, 2016, the Comelec announced that the National Bureau of Investigation (NBI) had a lead on the suspects behind the data breach.5 On April 20, 2016, the NBI apprehended Paul Biteng, a 20-year-old Information Technology (IT) graduate student and a member of Anonymous Philippines, in his home in Sampaloc, Manila. He admitted to defacing the Comelec website but denied any involvement in the data leak;6



1http://newsinfo.inquirer.net/779228/nbi-finds-lead-on-hackers-who-defaced-comelec-website (Last accessed 16 January 2017).

2Bueza, Michael; Manuel, Wayne (2 April 2016). “Experts fear identity theft, scams due to Comelec leak”. Rappler. http://www.rappler.com/newsbreak/in-depth/127870-comelec-leak-identity-theft-scams-experts (Last accessed 16 January 2017).

3“Comelec website back to normal after hacking”. GMA News. 28 March 2016. http://www.gmanetwork.com/news/story/560552/scitech/technology/comelec-website-back-to-normal-after-hacking (Last accessed 16 January 2017).

4 Kennedy, John (11 April 2016). “Every one of the Philippines’ 55m voters could be in danger of fraud”. Silicon Republic. https://www.siliconrepublic.com/enterprise/philippines-fraud-hackers-leak-elections (Last accessed 16 January 2017).
“‘COMELEAKS’│ Lawmakers: Voter database breach compromises May 9 elections; PNP joins probe”. Interaksyon. 22 April 2016. http://interaksyon.com/article/126807/comeleaks--lawmakers-voter-database-breach-compromises-may-9-elections-pnp-joins-probe (Last accessed 16 January 2017).

5Santos, Tina (29 March 2016). “Comelec shrugs off hacking”. Philippine Daily Inquirer. http://newsinfo.inquirer.net/776683/comelec-shrugs-off-hacking (Last accessed 16 January 2017).

6“NBI releases suspected Comelec hacker’s mugshot”. 21 April 2016. http://www.gmanetwork.com/news/story/563546/news/nation/nbi-releases-suspected-comelec-hacker-s-mugshot (Last accessed 16 January 2017).
Cimpanu, Catalin (22 April 2016). “Anonymous Member Arrested for the COMELEC Hack”. Softpedia. http://news.softpedia.com/news/anonymous-member-arrested-for-the-comelec-hack-503311.shtml (Last accessed 16 January 2017).


WHEREAS, on April 21, 2016, a searchable website, WeHaveYourData.com, was set up containing sensitive data on Filipino registered voters. The data found pertain to voters’ names, birth dates, and voters’ identification numbers (VIN). While some data remained encrypted, the rest was not, such as the fields for residential addresses and the birthplaces of these voters. As for the records of registered overseas Filipino voters (OFV), with the data taking up almost 10 gigabytes (GB), the names, voters’ identification numbers (VIN), current residences, names of parents, birth places, and passport numbers were not encrypted, making the data breach more alarming. A security expert, Sinag Solutions, warned that those who accessed the website could be prone to malware, viruses, and identity theft;

WHEREAS, the website was taken down with the assistance of the U.S. Department of Justice because the domain of the website was bought from a US-based web hosting company. Interestingly, the website itself was found to have been hosted in Russia;7

WHEREAS, on April 29, 2016, the NBI apprehended another suspect named Joenel de Asis, a 23-year-old Computer Science graduate from Muntinlupa. De Asis is known to be one of the leaders of LulzSec Pilipinas that was responsible for the data leak. He admitted to having collaborated with Paul Biteng of Anonymous Philippines in the hacking incident and admitted to having downloaded 340 gigabytes of voters database on March 22, or five (5) days before the Comelec website was defaced on March 27. While de Asis admitted leaking the data, he denied that LulzSec Pilipinas created the searchable website “wehaveyourdata”, and gave assurance that the data leak will not affect the elections as they did not hack the Vote Counting Machines for use in the 2016 elections;8


7“Searchable website with hacked data taken down – Comelec”. CNN Philippines. 22 April 2016. http://cnnphilippines.com/news/2016/04/22/Comelec-hack-voters-data-wehaveyourdata.html (Last accessed 16 January 2017).

8 Murdock, Jason (29 April 2016). “Philippine election hackers taunt ‘find us if you can’ as second suspect is arrested”. International Business Times. http://www.ibtimes.co.uk/philippines-election-hackers-taunt-find-us-if-you-can-second-suspect-arrested-1557420 (Last accessed 16 January 2017).

“NBI arrests 2nd hacker in Comelec data breach”. ABS-CBN News. 29 April 2016. http://news.abs-cbn.com/halalan2016/nation/04/29/16/nbi-arrests-2nd-hacker-in-comelec-data-breach (Last accessed 16 January 2017).

Geducos, Argyll Cyrus (30 April 2016). “Second Comelec hacker arrested”. ‘Comeleak’ won’t affect May 9 polls. http://2016.mb.com.ph/2016/04/30/comeleak-wont-affect-may-9-polls/ (Last accessed 16 January 2017).

“Comelec data leak has no effect on elections, says hacker”. Manila Bulletin. 29 April 2016. http://2016.mb.com.ph/2016/04/29/comelec-data-leak-has-no-effect-on-elections-says-hacker/ (Last accessed 16 January 2017).

“Second Comelec hacker arrested”. The Standard. 30 April 2016. http://thestandard.com.ph/news/-main-stories/top-stories/204610/second-comelec-hacker-arrested.html (Last accessed 16 January 2017).

“Hacker who allegedly leaked Comelec data now in NBI Custody”. CNN Philippines. 29 April 2016. http://cnnphilippines.com/news/2016/04/29/Comelec-hacker-data-leak.html (Last accessed 16 January 2017).


WHEREAS, from the time of Biteng and De Asis’ apprehension, nothing more was heard about what was dubbed as “Comeleaks”. The Comelec, however, insisted that no confidential information was compromised and that none of the sensitive biometrics data was included in the database leak. In an apparent desire to rid itself of any doubt relative to its capacity to protect the system from any such future hacking or web attack, Comelec announced that it will be consulting with Microsoft and other cybersecurity experts based in the United Kingdom, Singapore, and the United States, but nothing was heard about the result of any such consultation, investigation, or scrutiny;9

WHEREAS, on 28 December 2016, the National Privacy Commission (NPC) in NPC Case No. 16-001,[10] found the Comelec responsible for violating Republic Act No. 10173 or the Data Privacy Act of 2012 and recommended the criminal prosecution of Chairman Andres D. Bautista.[11] In its Decision, the NPC underscored Chairman Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures. NPC also said that the Comelec violated Sections 11, 20, 21 and 22 in relation to Section 26 of the Data Privacy Act of 2012. In illustrating the breadth of the breach, the NPC Decision also enumerated the types of compromised sensitive personal information that were contained in the Comelec’s web-based applications: (1) addresses in the Philippines and abroad; (2) post or country of registration; (3) old registration information; (4) complete name; (5) citizenship; (6) registration assistor; (7) profession; (8) sector; (9) height and weight; (10) identifying marks; (11) biometrics description; (12) voting history; (13) mode of voting; and (14) other textual reference information for the voter registration system;[12]

WHEREAS, there is no denying that the Comelec data breach that occurred is indeed unacceptable, and that those responsible should be fully prosecuted and punished, whether they be foreign or domestic actors. Absent an honest-to-goodness investigation, however, there is no telling the extent of the damage caused by this breach. The rising number of internet vigilantes, who tamper with our people’s right to privacy, should be everyone’s cause for worry. The need to preserve the right to privacy should be paramount. This right should be made available to all regardless of one’s stature in our society. The Comelec data breach is everyone’s problem; a repetition of this breach is everyone’s problem. Online lawlessness should be nipped in the bud. We should be able to guard against foreseeable vulnerabilities because all Filipinos have the right to the protection of their personal information against unlawful access and manipulation, fraudulent misuse, unauthorized usage, unlawful destruction, alteration, interference with, and contamination;



9“Comelec taps cybersecurity experts”. The Manila Times. 21 April 2016. http://www.manilatimes.net/comelec-taps-cybersecurity-experts/257580/ (Last accessed 16 January 2017).

10 For Violation of Sections 11, 20, 21, 22 and 26 of the Data Privacy Act of 2012 (Republic Act No. 10173).

11Excerpts from the Dispositive portion of the Decision in NPC Case No. 16-002 (p. 34 of 35) “... This Commission FORWARDS this Decision and a copy of the pertinent case records to the Secretary of Justice, recommending the prosecution of respondent J. Andres D. Bautista for the crime of Accessing Sensitive Personal Information Due to Negligence under Section 26 of the Data Privacy Act, and for its further action.xxx”.

12http://privacy.gov.ph/privacy-commission-finds-bautista-criminally-liable-for-comeleak-data-breach (Last accessed 16 January 2017).

NOW THEREFORE, BE IT RESOLVED, as it is hereby resolved, in view of the foregoing reasons and circumstances, to direct the Senate Committee on Electoral Reforms and People’s Participation to conduct an inquiry, in aid of legislation, on the current state of the voters database in the custody of the Commission on Elections that has been hacked by the groups Anonymous Philippines and LulzSec Pilipinas, leading the National Privacy Commission to decide against the Commission on Elections for violation of the Data Privacy Act of 2012, with the end in view of instituting remedial legislative measures that will ensure that the government accomplishes its constitutional duty of preserving the sanctity and integrity of the entire electoral process, beginning with the protection of the voters registration procedure and all data appurtenant thereto, and protecting the Filipinos’ exercise of their right of suffrage, free of all threats and malicious interventions from foreign or domestic sources.

LEILA M. DE LIMA


