The government was quick to downplay the hacking of the Comelec database and the resulting data leak. Comelec said the public has nothing to fear because Smartmatic’s PCOS machines work on an entirely different network. What they failed to comment on, however, is the data leak’s effects on everything else.
"There is no sensitive information here, in other words. The website we will use for the election is separate, especially for results reporting," said Comelec spokesperson James Jimenez [CNN].
The website and its mirrors have presumably been taken down by now.
COMELEC: It's encrypted
Trend Micro, a global security software firm, debunked Comelec’s claim. The software firm said that while some parts of the database are indeed encrypted, many sensitive parts of it are not. Passport information, fingerprints, names, addresses, and other personally identifiable information were either unencrypted or, worse, written in plain text [TP: Antivirus Firm].
Initially, the public didn’t really care about this fact. After all, a vast majority of Filipinos still lack the technological sophistication to properly appreciate this unprecedented case of government incompetence and identity theft.
The hackers probably realized that the entire country is taking them lightly, so they took one big step further. They created the site “wehaveyourdata.com” that contains a simple search engine that quickly allows anyone to verify the contents of the leaked COMELEC database. Requiring only one’s full name, the website’s search results provide the relevant person’s sensitive details such as address, the complete name of parents, voter registration number, birth date, among others [Rappler].
This new website was taken down yesterday.
You, as a registered voter who had his data leaked, would probably want to heave a sigh of relief at this point.
Unfortunately, you still can’t.
How Torrents Work
Regular, direct downloads usually involve two computers:
the server, where the files are stored, and the client, who wants to download the files.
Torrents, on the other hand, are a totally different story. Torrent downloads involve two types of computers:
seeders, which are analogous to servers in direct downloads, and leechers, which are analogous to clients.
The pirated DVDs you can buy from pretty much anywhere? The movie files they contain were most likely obtained via torrent downloads, as it’s impossible for law enforcement agencies to totally weed out all seeders.
As long as one willing seeder exists, anyone can download the file.
What’s worse, a leecher who eventually downloads the entire file automatically turns into a seeder simply by leaving her PC on after her download completes. That is, any leecher can unwittingly become a seeder.
To cut a long story short: stopping the spread of Comelec data is impossible. Despite the takedown of the direct download sites, the torrent option is here to stay.
The Comelec database torrent is about 60 GB in size, so it takes a regular PLDT Fibr 50 Mbps connection about a day to download the entire torrent, after which it can be decompressed back to its original size of 300 GB.
Yes, the arrest of the alleged leaker a couple of days back will do little to solve this unprecedented blunder. The damage has been done and it will only get worse.
So what happens now? You can start by calling your bank to request that they ask alternative verification questions, as phone banking reps usually ask for an account holder’s birth date and mother’s maiden name for verification, both of which are freely available after the Comelec data leak. You should also change the password and security questions of your email account. Many users tend to use personally identifiable information such as birthdays and parents’ names for passwords. This information, again, is publicly available through the leak. There are many additional steps to mitigate the adverse effects of this data leak, and Thinking Pinoy will not delve into those any further as there already are sites that deal with that.
But to put it simply: we are all f*ck*d and there’s little we can do about it.
Why did this happen?
Think of the data leak as gossip (chismis) and the hacker as the gossiper (chismoso). The chismoso has already spread the chismis. Even if we put the chismoso behind bars, the chismis will still continue to spread.
A quick chat with Atty Trixie Cruz-Angeles
TP: Hi Attorney, just a question. Can we slap the govt with a class action suit over the Comelec data leak? Because that looks like gross negligence.
TCA: I think so... but it won't be class action, maybe individuals.
TP: I was thinking that if it were a class action, the government would automatically go bankrupt, if ever. At just 100,000 each in damages, that would be almost equal to our external debt [Philstar].
TCA: Damages have to be proven. It's difficult if civil, though not impossible. An administrative charge for gross incompetence would be faster.
The law creating DICT was not signed, but it passed Congress.
TP: From research, I saw that there's a Data Privacy Act of 2012 / RA 10179, but they didn't fund it, they didn't even draft Implementing Rules and Regulations [IRR] up to this day.
TCA: Who is the implementing agency?
TP: In theory, the Department of Information and Communication Technology (DICT), but the DOJ will set the penalties. Even more ironically,
Because earlier I had a chat with journalists over Twitter regarding the DICT law that passed Congress but was not handed by the Speaker and Senate President to Aquino for signing.
TCA: Whoa! Now it starts to look like a conspiracy.
TP: Yes, layer upon layer of willful negligence.
TCA: Correct. Assuming that it is indeed negligence and not deliberate inaction.
TP: Well, adding the fact that Malacañang even seeded the Comelec data leak torrent, it's not unlikely.
TP: But okay, let me finish the article first before I have a heart attack.
TCA: Please give me a heads-up, okay?
TP: I will.
Data Privacy Act of 2012
The complete name of this law is:
"An Act protecting individual personal information in Information and Communications Systems in the Government and the Private Sector, Creating for this purpose a national privacy commission, and for other purposes."
And what was the Comelec data leak about?
Individual Personal Information and Communications Systems in the Government, which is exactly what RA 10173 covers. Laws become useful only after the creation of IRRs. However, no IRRs for RA 10173 existed as of January 2016 [Philstar].
Question: who was supposed to draft the IRR for RA 10173?
Answer: The Data Privacy Commission, attached to the Department of Information and Communication Technology [RA 10173 Sec. 9]
Now, you're probably saying: But there is no DICT!!!
That's correct, however...
@NepoMalaluan passed unanimously by both houses, for transmission for prez signature or veto, not transmitted by speaker and senate prez.— the jester-in-exile (@jesterinexile) April 7, 2016
[Photo: Drilon (left) and Belmonte (right)]
Both Senate President Franklin Drilon and House Speaker Sonny Belmonte serve as vice-chairmen for the Liberal Party. Malacañang, as we already know, is also dominated by the Liberal Party [TP: Plunder].
Just like what Atty. Cruz-Angeles said, is this a classic case of deliberate inaction?
I think the answer is obvious.
Yes, fellow Pinoys, the government itself is screwing us, again.