The Philippine Data Privacy Act

The Philippine Data Privacy Act is apparently stuck in Congress. They adjourned on June 5 and started again on July 27.

In the same vein that the country currently has no Anti-Cybercrime legislation, the Philippines has no specific Data Privacy Act. One of the best sources of information regarding the current state of legislation is Mr. Philip Varilla’s presentation on “Privacy Framework in the Philippines“, which if one Googles for “Philippine Privacy Law”, can be found in the website of the Office of the Privacy Commissioner for Personal Data… of Hong Kong.

The presentation states that privacy is a basic right bestowed by the Constitution’s Bill of Rights Section 2, “The right of the people to be secure in their persons, houses, papers,”; and Section 3, “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law….”

It also states that the following Philippine laws are relevant:
– REPUBLIC ACT (RA) 8505 (An Act providing Assistance and Protection for Rape Victims…) SECTION 5. Protective measures.
– RA 8369 (An Act Establishing Family Courts, granting them Exclusive Original Jurisdiction over Child and Family Cases…) SECTION 12. Privacy and Confidentiality of Proceedings.
– Law on Secrecy of Bank Deposits Republic Act No.1405, as amended
– E-COMMERCE ACT (ECA) RA 8792

If one wants to understand the current state of data privacy in the Philippines, I suggest downloading the above presentation. Reading it made me wonder why the Philippines doesn’t seem to have HIPAA like legislation specific to HMO’s making them liable in case they do not protect your medical information.

The Philippines, being a member of APEC, will be aligning its Data Privacy legislation with the APEC Framework.
The APEC Framework can be downloaded here.

Other Related Links:
(Inquirer.net Feb 2009) RP joins APEC data privacy initiatives
The Electronic Commerce Act and its Implementing Rules and Regulations (40 page pdf)
(Out-law.com) Why the APEC Privacy Framework is unlikely to protect privacy [published Oct 2007]
Philippines Convenes Seminar to Explore New Privacy Legislation
(Inquirer.net Oct 2008)Senate must pass IP, data privacy laws
(Global Sky.com) Outsourcing in the Philippines: Is your privacy protected?
ARC Frequently Asked Questions
(Chan Robles) E-Commerce Act of 2000
(Scribed) Republic Act 8792
(GMA News Blog) Janette Toral’s Blog
(Digital Filipino) Salient Features of RA8792, The E-Commerce Law
(Wikipedia) Information privacy law
(Wikipedia) US Health Insurance Portability and Accountability Act
(Wikipedia) EU Data Protection Directive

Advertisement

Opinion: On Tolentino’s CONfidence

I was chatting with an IT Security expert (who wishes to remain anonymous) the other day regarding Comelec’s Executive Director Jose Tolentino’s views about the coming implementation of PCOS machines as being un-hackable… yes, Tolentino’s views come even BEFORE its implemented. The reason why I’m posting it here is because I agree with the IT Security expert’s views.

Excerpts from the chat:

IT Sec Expert: such a display of confidence seems to be borderline misinformation
Me: true, i wonder what machine they used and if its possible to play around with it
IT Sec Expert: wel, they should worry more about organized crime, not hackers
Me: organized crime with hackers
IT Sec Expert: would the people handling such a new technology, na foreign made pa, be competent enough?
IT Sec Expert: that system would be closed circuit
Me: wires can easily be tapped, i wonder what encryption they’ll be using
IT Sec Expert: they’ll probably have dialup
Me: inside job na lang
IT Sec Expert: it would have been better had they had it publicly assessed and offer a bounty for the successful hacker
Me: why don’t you put your comments?
IT Sec Expert: you know how people are in the philippines, they always take things personally

I personally think that it’s great that the Comelec is trying something new regarding minimizing election fraud. However, time and again, its been shown that computers can be hacked, and challenging hackers is typically the first sign that a system will be hacked. Tolentino’s statements make me feel all so warm and fuzzy that the Comelec’s system is probably more secure than NASA, the US Pentagon, Royal Dutch Shell and hundreds of supposedly secure systems that have all been hacked. Maybe the Comelec’s people can consult for the Pentagon and teach them how to secure a system. No, really… seriously….

Our country’s history has shown that our own people are easier to hack (Social Engineering), which begs the question regarding not just the competency of the operators, but their integrity… will the Comelec be conducting background checks? I now wonder if the Comelec has had their system assessed, and if so by who and how was it assessed? I also hope that there will be transparency in the assessment.

Bernie Lopez wrote an insightful article which came out in PDI today entitled, “Computers can be hacked.” No, duh. Unfortunately Director Tolentino, one of the main people in the Philippines entrusted with keeping the sanctity of the ballot, thinks otherwise.

---

Social Networking
I was planning on writing about Facebook privacy, however PDI’s Bianca Consunji wrote a good article on it in “Knowing about privacy on Facebook.”

---

Botnets
BBC’s Click programme for Mar 13 was about botnets. They acquired control of over 20,000 infected computers all over the world (yes, you can now buy time on other people’s computers without their knowing it). Top botnets have more than a few hundred thousand computers under their control – up to an estimated million. They also talk about how to protect your computer here (warning tiny video, slightly muffled sound… they should’ve just used You Tube). They actually got in hot water because of this.

Info Sec News, Feb 5, 2009

Seminars
ECCInternational will be giving a Certified BCMS (ISO 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program – Configuration Management on Feb 10-11, you can check out their Training Schedule here. ISO 9001:2008 IRCA Certified Lead Auditor Seminar will also be given either on Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.

---

Webcasts
CSO Online has published a podcast interview of Jim Routh who is the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.

(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster

---

Whitepapers
There’s a recent (Winter 2009) presentation published by the Standford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from Phishing, the presentation talks about how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.

(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits

---

Insider Threat
I either gotta love this… or get paranoid about this: Within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all log-ins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch on the machines. This was fortunately found by another employee within days of the firing.

(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?

Another recent example of an Insider Threat is of a former employee that still has access to the system, as this article reports, “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.”

---

Psychology/Social Engineering
There’s good insight as to the psychology involved when it comes to Information Security in this article from (CSO Online) Are You Addicted to Information Insecurity?

And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how Social Engineering can be used. Also in connection to social engineering, the FBI also warns of Money Mule Scams.

A novel way of luring people to a website with malware was found in North Dakota. How? Stick a parking violation ticket on the windshield, with the supposed details of the infraction on a website.

Readers of this blog might also want to check out What the Web knows about you. Its a 6 page article on what attackers may be able to find out about you online. If you’re in the US and is considering searching your SS number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.

---

Browser Security
CSO Online also did a an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in their release of version 3.06 of their browser.

Also related, Browser secrets of secure connections talks about how browsers play a key part in determining the strength of cipher used between the client and the web server. The article references the Infoworld Test Center Guide to browser security.

---

New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend this kind of attack.

---

Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.

(Computerworld Blog) Security businesses move ahead in this economy

(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs

(Computerworld) Microsoft denies Windows 7 security feature contains bug

(Computerworld) Banks, customers feel the fallout of the Heartland breach

(Computerworld) Study: Data breaches continue to get more costly for businesses

(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns

Info Sec News, Feb 4, 2009

There seems to be confusion on a new draft bill by the NTC which is aimed at online content providers and VAS providers for mobile phones. Some have argued that the seemingly catch all bill may include people who blog and upload pics on Social Networking sites, although the spirit of the bill seems to be more for online applications.

(Business Mirror.com) NTC issues draft circular on content development…
(Blog) MikeAbundo.com
(Blog) Pinoy Pro Blogger

---

Don’t we all just wish that what happened in the US National Science Foundation can actually be audited and checked in the Philippines? The questions would be, are logs even activated? And secondly, does someone with the skill and competence actually take the time to consistently check those logs?

Speaking of Log Management, Prism Microsystems has a video series on 100 uses of Log Management which so far, is on #9 Email Trends.

#8 Windows disk space monitoring
#7 Windows lockout
#6 Password reset
#5 Outbound Firewall traffic
#4 Solaris BSM SU access failure
#3 Antivirus update
#2 Active Directory login failures
#1 Firewall blocks

---

9th e-Services Global Sourcing Exhibition will be held at the SMX Convention Center from from Feb 9-10, 2009
APNIC 27 will be held in Manila from Feb 23-27, 2009

---

Other News:
(CNN.com) Teens Face Porn Charges for “Sexting”

Social Networking Articles about the Philippines

A couple of interesting articles about Social Networking in the Philippines have come out in the past few months.

(Inquirer.net) Friendster fame, magnet for ads,

(Inquirer.net) Filipinos still make up big chunk of Friendster users,

(Inquirer.net) RP has highest percentage of social network users.

Wikipedia even has an article on Social Networking in the Philippines.

1to1Media published an article regarding social networking sites such as Facebook and Multiply in Photo Tagging Portends New Frontier for Privacy Pros.

If you’re interested in Social Networking and Social Engineering attacks using them, you might want to check out ENISA’s podcast on Locking Down Social Networking Vulnerabilities, this was given in Infosecurity Europe 2008 earlier this year. Enisa also has a Position Paper on Security Issues and Recommendations for Online Social Networks which was presented at the echallenges conference in the Hague on Oct 25, 2007. You can download the 36 page pdf from the above link.