Foundation for Media Alternatives Revisits Comelec Breach of 2016

With two years already having elapsed since the Philippines’ biggest government data breach grabbed hold of global headlines, the non-government organization Foundation for Media Alternatives (FMA) has released a briefing paper providing a summarized account of the events surrounding the infamous hacking incident.

The document proposes some major takeaways and action points, both on the part of government and the private sector.

When news of the so-called “Comeleak” first broke, the ensuing public panic was exacerbated by wildly conflicting accounts from the Commission on Elections (Comelec), the hacker groups claiming responsibility for the incident (i.e., Anonymous Philippines and LulzSec Pilipinas), and law enforcement authorities. It would take a months-long investigation carried out by the then newly-minted National Privacy Commission (NPC) before some degree of clarity was achieved, through the agency’s December 2016 Decision, and the brief Preliminary Report it issued a few months prior.

If one recalls, the NPC found the Comelec and its then-Chairman, Andres Bautista, both liable for violating a number of provisions of the country’s Data Privacy Act (DPA). It went so far as to recommend to the Department of Justice the filing of criminal charges against Bautista, while making no other findings of liability on the part of the other respondents initially named in the case.

With the case now pending before the appellate court, the world has since borne witness to a number of other election- or voter-related data crises. Mexico and the U.S., for instance, suffered even bigger information leaks just weeks after the incident. Then, just this past month, the Facebook-Cambridge Analytica controversy has highlighted anew the extent to which misuse of data—even as innocuous as that shared via online quizzes—can threaten the very foundations of a democratic society.

In its paper, FMA looks back at that historic moment before suggesting to the various stakeholders some steps it deems necessary to prevent similar privacy breaches in the future, namely:

  • All Filipinos need to take data privacy seriously.
  • The NPC must be competent (from the Commission proper down to its operations staff), well-resourced, and independent.
  • Additional data protection policies must be developed to help government agencies and the private sector comply with the DPA.
  • State capacity in other areas (e.g., cybersecurity, cybercrime investigations, etc.) should also improve.
  • Extreme caution should be observed when dealing with data-intensive systems.
  • Civil society must continue advocating for privacy and data protection measures in government and the private sector.
  • These measures become even more relevant today as the Philippines prepares for another set of elections.