The Philippine Star

Comeleak: Bautista faces criminal raps

- By RAINIER ALLAN RONDA

Allegations of a so-called “Comeleak” have basis, and Commission on Elections Chairman Andres Bautista will face criminal charges for the hacking of the Comelec’s voter database last March, weeks before the national elections.

In a ruling signed last Dec. 28, the National Privacy Commission (NPC) found the Comelec negligent in ensuring the privacy of its database, thus violating Republic Act 10173 or the Data Privacy Act of 2012.

The NPC recommended the criminal prosecution of Bautista for the data breach between March 20 and 27 last year.

Privacy commissioner Raymund Liboro said the NPC had served a copy of the 35-page decision to the Comelec.

“This is based on the law, based on evidence we got from a deep and wide investigation we conducted on the case,” Liboro said in a press briefing in Quezon City yesterday.

Lawyer-physician Ivy Patdu, NPC deputy commissioner, said the privacy body had also sent a copy of the decision to Justice Secretary Vitaliano Aguirre II, whose department will prosecute Bautista.

The NPC began investigating the alleged data breach in April last year, after news on the issue had come out.

The investigation covered Bautista and other Comelec officers, but the NPC recommended prosecution only for Bautista.

Patdu said the NPC found sufficient evidence of negligence only on the part of Bautista.

“We found Comelec, as a body, as a personal information controller, liable for violation of several provisions of the (Data Privacy) Act,” Patdu said. “As for Chairman Bautista, we found him personally liable and enough sufficient evidence to recommend prosecution per Section 26…. What is important is to impress upon everyone that the decision is based on the fact that we expect the head of the agency, the chief executive officer and the chairman of the commission, to implement these measures. There should be top management buy-in, and that responsibility ultimately falls on the head of the agency.”

In its decision, the NPC underscored Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures.

“Data privacy is more than the deployment of technical security; it also includes the implementation of physical and organizational measures, as well as regular review, evaluation and updating of Comelec’s privacy and security policies and practices,” the decision read.

The NPC document further read, referring to Bautista: “The willful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.”

It added: “A head of agency making his acts depend on the recommendations of the executive director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action.”

The NPC said the Comelec “violated Sections 11, 20 and 21 of the Republic Act 10173” in dispensing its duty as “personal information controller.”

The document mentioned Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law.

Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes three to six years imprisonment and a fine of P500,000 to P4 million.

The NPC said when the offender is a public officer, Section 36 accords additional penalties like disqualification from public office for a period equivalent to double the term of criminal penalty.

The NPC, a regulatory and quasi-judicial body implementing the Data Privacy Act of 2012, was activated in March 2016 with the appointment of Liboro, Patdu and Damian Mapa to the three-member commission.

“The personal data in the breach is contained in several databases kept in the website: (a) the voter database in the Precinct Finder web application, containing 75,302,683 records; (b) the voter database in the Post Finder web application, which contains 1,376,067 records; (c) the iRehistro registration database, with 139,301 records; (d) the firearms ban database, containing 896,992 personal data records and 20,485 records of firearms serial numbers; and (e) the Comelec personnel database, containing records of 1,267 Comelec personnel,” the document read.

The NPC noted it was the worst recorded breach on a government-held personal database in the world, based on sheer volume.

The NPC decision also gave a rundown of what types of compromised sensitive personal information were contained in the Comelec’s two web-based applications.

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date and update time,” it said.

“The voter database in the Post Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting and other textual reference information for the voter registration system,” it added, raising the danger of those data getting into the hands of criminals.

As corrective measures, the NPC has ordered the Comelec and Bautista to appoint a Data Protection Officer within a month from receipt of the decision, to conduct an agency-wide Privacy Impact Assessment within two months, and to create a Privacy Management Program and a Breach Management Procedure within three months.

Within six months from receipt of the decision, the Comelec is also obliged to implement organizational, physical and technical security measures to comply with the Implementing Rules and Regulations of the Data Privacy Act and the provisions of NPC Circular 16-01 on Security of Personal Data in Government Agencies.

The NPC has also recommended to the justice secretary “further investigation for possible prosecution” under the Cybercrime Prevention Act, after learning that one of the computers used in the Comelec data breach had an IP address registered with the National Bureau of Investigation (NBI).

Other Comelec officials covered by the NPC investigation were: commissioners Robert Lim and Al Parreño, executive director Jose Tolentino, Jr., education and information division director James Arthur Jimenez, information technology department directors Ferdinand de Leon and Jeannie Flororita, and management information systems chief Eden Bolo.

Data hacking is Comelec’s negligence

The alleged hacking of Comelec’s website is an act of negligence on the part of its officials, the lawyer of the two men accused of hacking the commission’s website stressed. In a phone interview with

Harold Alcantara, counsel for suspected hackers Paul Biteng and Joenel de Asis, said the Comelec officials might be pressed further, instead of Biteng and de Asis, because of the supposed violation.

Alcantara said the NPC’s recommendation to file cases against Comelec officials has no bearing on the case of his clients.

But he said the NPC’s involvement in the so-called “Comeleak” could make it difficult for Comelec officials to prove their case against Biteng and de Asis.

The NBI has filed charges of illegal access, data interference and misuse of devices, all under the Cybercrime Prevention Act, against Biteng and de Asis, and unauthorized access or intentional breach under the Data Privacy Act against de Asis.

At dawn of March 27 last year, hackers who introduced themselves as members of “hacktivist” group Anonymous Philippines defaced the Comelec website, saying they wanted to show that hacking might expose the vulnerability of the entire electoral process, which has gone automated.

The hacking affected certain functions like the precinct finder and post finder for registered voters.

Biteng and De Asis were arrested inside their homes in Sampaloc, Manila and Muntinlupa City around a month after.

Moments after their arrest, a user-friendly website called wehaveyourdata.com published personal details of voters, where they can search for information.

“LulzSec Pilipinas have hacked comelec.ph. They have dumped the database of about 70 million of Philippines voters and have published all the data at archive.org,” said the owners of the page.

“The database contains a lot of sensitive information, including fingerprint data and passport information. So, we thought that it would be fun to make a search engine over that data,” it added.

De Asis is allegedly a member of online group LulzSec Pilipinas.

Biteng was arrested in April last year and later indicted before the Manila regional trial court.

De Asis was arrested in May after reportedly downloading 340 gigabytes of data from the Comelec website and leaking details of 55 million voters.

Both are now undergoing trial, Alcantara noted, as Biteng would soon be subjected to cross-examination, while de Asis would undergo pre-trial conference.

Consumer group applauds

Consumer group TXTPower has lauded the decision of the NPC to hold Bautista criminally liable over the leak of voter records last year.

In a statement, the group pressed for an immediate filing of criminal charges against Bautista and other officials over the issue.

“If Chairman Bautista and the Comelec could shamelessly claim credit for purportedly successful elections, they should also be ready to admit accountability, when they violate the law, which is clear in this case,” the consumer group said. “We are studying how this NPC decision could be a basis for filing other complaints, including but not limited to impeachment.”

TXTPower called on other agencies holding public data, such as the NBI, Anti-Money Laundering Council, Social Security System, Government Service Insurance System and the Land Transportation Office, to comply with the provisions of the Data Privacy Law.

“Public offices should protect the integrity, security and privacy of personal data they collect from citizens,” the group said. – With Ghio Ong, Edu Punay, Janvic Mateo
