22 January 2024

A Repressive Digital Rights Landscape in the Philippines

A report submitted to the UN Special Rapporteur on Freedom of Opinion and Expression

In the last decade, the Philippines has seen a rapid transformation with the integration of digital technologies in daily life. Platforms that facilitate precarious working conditions and outsourced labor have become more and more popular, especially during the COVID-19 pandemic. Many businesses have geared towards remote and online conduct. Meanwhile, the government is fast-tracking its digital transformation. These create conditions for Filipinos to become more dependent on digital technologies and the Internet.

Philippine government agencies and policies have not been able to ensure the protections of Filipinos’ rights in the digital sphere. The Department of Information and Communications Technology (DICT) has proven itself inadequate in securing the nation from cyberattacks, as evidenced by the numerous data breaches and leaks from government institutions. In 2023 alone, there have been at least 5 reported cases of data breaches.

The right to privacy of communication is enshrined in the 1987 Philippine Constitution. Despite significant changes in communications technology, the Data Privacy Act of 2012 remains unchanged. The National Privacy Commission (NPC) has been ineffective in ensuring adherence of government offices and private businesses to the Data Privacy Act. Instead of fostering a culture that respects privacy, the government itself has been the primary promoter of the nothing-to-hide-nothing-to-fear rhetoric, which undermines the social value of privacy to sway the public into willingly giving up their privacy through laws that masquerade as solutions to crime or terrorism in order to legitimize massive state surveillance. The Anti-Terror Law (ATL) and SIM Registration Law are privacy nightmares, as there are little to no protections against the misuse of these laws by law enforcement agencies. The ATL allows authorities to surveil anyone suspected of terrorism or providing services to someone suspected of terrorism, even without pertinent evidence. The SIM Registration Law allows spoofing in connection with “authorized activities of law enforcement agencies,” or a court order. With the worsening culture of impunity in the Philippines, these laws spell disaster for Filipinos’ right to privacy in communications.

The Philippines has also been used as testing and exhibition grounds for techniques and technologies that exploit massive collections of people’s data to attain certain political objectives at the cost of political, economic, and social turmoil in the country. The pervasive corruption, culture of impunity, and economic crises, coupled with Filipinos’ wide acceptance and excessive usage of social media and online services have made the Philippines a prime subject for such techniques and technologies. In 2013, Facebook offered free Internet access to its social media site and a limited number of websites in the Philippines. In the guise of accessibility, it has onboarded more Filipinos onto the platform and made them more reliant on Facebook. Later, Cambridge Analytica1 would use the data of Filipino Facebook users to influence the 2016 Presidential Elections. The same company provided services for the current president of the Philippines, Bongbong Marcos, to fuel their disinformation machinery and eventually their return to power. Under the current Marcos administration, people’s organizations, activists, community organizers, and other groups have faced constant harassment from troll farms in social media; personalities have been red-tagged or maliciously linked as part of the underground armed revolutionary movement led by the Communist Party of the Philippines (CPP), which has led to further threats online. The government has gone after progressive websites, even going as far as demanding the National Telecommunications Commission (NTC) to block several websites owned by certain organizations for their alleged “links to the CPP”.

The issues of digital rights cannot be separated from issues of internet freedom and the rights to freedom of expression, access to digital communication, and privacy of communication. In this report, we focus on particular digital rights issues that relate to the right to communication, particularly privacy and access rights.

Mandatory SIM registration

SIM cards are an accessible means of communication in the Philippines. According to We are Social’s Digital 2023 report, more than 97% of Filipino internet users access the internet using mobile phones. Mobile data over prepaid SIM cards are more affordable for Filipinos in lower income households2. Thus, access to prepaid SIM cards is fundamental to the accessibility of internet and telecommunications services.

The Marcos Jr. administration railroaded the SIM Registration Law in the guise of addressing the spike in text scams during the pandemic, despite warnings from privacy experts and advocates of the dangers and risks of mandatory SIM registration. Telecommunications companies rushed their online platforms for registration, resulting in their servers crashing within the first hours of implementation3. These companies were also negligent in their implementation of identity verification allowing cartoon characters as valid identities to register a SIM card4. The two major telecommunications companies, Smart and Globe, also attempted to use SIM Registration data for marketing purposes5, which is explicitly against the SIM Registration Law and Data Privacy Act.

Within the first year of the SIM Registration Law’s implementation, black markets of pre-registered SIM cards have already sprouted6. Citizens who are not as technically savvy have also been exposed to risks of identity theft and further scams as they have resorted to giving out their personal information to sellers of SIM cards to help them register their SIMs.

Even with the full implementation of the SIM Registration Law, text scams continue to proliferate. As of September 2023, the National Telecommunications Commission has already received up to 45,000 complaints of text scams7.

Instead of acknowledging the ineffectiveness of mandatory SIM registration in curbing crime—as privacy experts have tirelessly warned—the DICT floats reactive measures such as the SIM Check Mo project which further puts subscribers’ information at risk8.

Public Utility Act

Amendments to the Public Utility Act signed by former president Rodrigo Duterte allows 100% foreign ownership of telecommunications. Should it happen that telecommunications infrastructure in the Philippines be owned and controlled by foreign actors, it would be much more difficult to ensure sovereignty over the Filipino people’s data, as even Internet traffic would pass through these infrastructures10.

Data Privacy Act

The Department of Justice reported that cybercrime-related incidents increased by 400% in 2023.11 Many of these involve phishing and scams, techniques that exploit our weaknesses as humans (social engineering) which happen to use technology or happen in cyberspace. Social engineering attacks are more effective when attackers have more information about their targets. Thus, it is imperative that data privacy be taken seriously by public and private sectors.

The NPC has been largely reactive in its mandate to ensure compliance with the Data Privacy Act. During the COVID-19 lockdowns, contact tracing methods have largely been unregulated and unmonitored. Citizens were compelled to give out their personal information through digital means and written forms to be able to enter establishments. Local government units partnered with third-party application developers for digital contact tracing. Applications with questionable data policies would only be called out by the NPC after complaints from concerned citizens. Some businesses have also started requiring their customers to sign up for accounts which require personal information that are not necessary for the services they provide, which is contrary to the General Data Privacy Principles outlined in Section 11 of the Data Privacy Act12.

The NPC has also been largely unresponsive and reactive to various social engineering attacks against government infrastructure, affecting the data of millions of Filipinos. The largest such incident this year, affecting government insurance provider PhilHealth, involved the leak of the personal information of more than 32 million individuals, mostly from vulnerable sectors.13 The government initially denied that any personal data had been breached14, before eventually caving a week later15, setting up a portal where affected individuals could verify that their information had indeed been breached16. Despite the gravity of the leak, caused by a social engineering ransomware attack on an employee’s workstation, the NPC has yet to hold any government official accountable. Similar attacks have been reported in other government agencies, suggesting a lack of safeguards in government agencies to protect people’s personal data.

Cybercrime Prevention Act

The Cybercrime Prevention Act broadens the scope of what is considered libel.17 Under this law, penalties to crimes under the Revised Penal Code shall be one degree higher if committed using information and communications technology.18 With the broad scope of libel in the Philippines, anyone critical of the government can be threatened with cyber libel.

The law also mandates service providers to preserve both traffic data (metadata of communications data) and content data for a minimum period of six months up to one year. In combination with the Anti-Terror Law and SIM Registration Law, in the context of a culture of impunity among law enforcement and government officials and poor national cybersecurity, Filipinos are so much more susceptible to both cyber attacks and state repression now more than ever.