April 24, 2016

Did the Liberal Party orchestrate the COMELEC Data Leak?

The government was quick to downplay the hacking of the Comelec database and the resulting data leak. Comelec said the public has nothing to fear because Smartmatic’s PCOS machines work on an entirely different network. What they failed to comment on, however, is the data leak’s effects on everything else.

"There is no sensitive information here, in other words. The website we will use for the election is separate, especially for results reporting," said Comelec spokesperson James Jimenez [CNN].

An online hacker group, LulzSec Pilipinas, managed to hack into Comelec’s online system and extract its entire database. The group uploaded all of it and made it available for download to the general public. They also created a torrent file as an alternative download option.

The websites and their mirrors have presumably been taken down by now.

COMELEC: It's encrypted

In response, the Comelec said that while the incident is unfortunate, most of the leaked data are encrypted [Rappler] so it’s okay, as encrypted data is unintelligible to those who don’t possess the encryption key.

Trend Micro, a global security software firm, debunked Comelec’s claim. The firm said that while some parts of the database are indeed encrypted, many sensitive parts of it are not. Passport information, fingerprints, names, addresses, and other personally identifiable information were either unencrypted or, worse, written in plain text [TP: Antivirus Firm].

Initially, the public didn’t really care about this fact. After all, a vast majority of Filipinos still lack the technological sophistication to properly appreciate this unprecedented case of government incompetence and identity theft.

The hackers probably realized that the entire country was taking them lightly, so they took one big step further. They created the site “wehaveyourdata.com”, which contains a simple search engine that quickly allows anyone to verify the contents of the leaked COMELEC database. Requiring only one’s full name, the website’s search results provide the relevant person’s sensitive details such as address, the complete name of parents, voter registration number, and birth date, among others [Rappler].

This new website was taken down yesterday.

You, as a registered voter who had his data leaked, would probably want to heave a sigh of relief at this point.

Unfortunately, you still can’t. 

The government has been able to take down all the websites that contain leaked data. What they have no power over, however, is the last option: torrent downloads.

How Torrents Work

If you already know how torrents work, you can skip this section. Otherwise, Thinking Pinoy highly suggests that you read on.

Regular, direct downloads usually involve two computers:

  1. the server, where the files are stored, and
  2. the client, who wants to download the files.

The direct download process is pretty simple: the client requests a download from the server, then the server obliges. Because of this, direct downloads of the Comelec data leak can quickly be prevented by shutting down the server, and that’s what Comelec actually did.

Torrents, on the other hand, are a totally different story. Torrent downloads involve two types of computers:

  1. seeders, which are analogous to servers in direct downloads, and
  2. leechers, which are analogous to clients.

Unlike direct downloads where the source file is stored in a single computer, torrents spread the files among several computers, making the download process potentially faster and virtually impossible to stop. 

The pirated DVDs you can buy from pretty much anywhere? The movie files they contain were most likely obtained via torrent downloads, as it’s impossible for law enforcement agencies to totally weed out all seeders.

As long as one willing seeder exists, anyone can download the file.

What’s worse, a leecher who finishes downloading the entire torrent automatically turns into a seeder simply by leaving her PC on after her download completes. That is, even an unwitting leecher ends up helping spread the file.

To cut a long story short: stopping the spread of Comelec data is impossible. Despite having taken down the direct download sites, the torrent option is here to stay.

The Comelec database torrent is about 60 GB, so it takes a regular PLDT Fibr 50 Mbps connection about a day to download the entire torrent, after which it can be decompressed back to its original size of 300 GB.

Yes, the arrest of the alleged leaker a couple of days back will do little in solving this unprecedented blunder. The damage has been done and it will only get worse.

So what happens now?

First, you are now a prime target of identity theft, identity fraud, and their associated crimes. Because of this, several major websites have provided advice to the public on how to deal with the leak of their personal data. Tips they provided include:

  1. Calling your bank to request that they ask alternative verification questions, as phone banking reps usually ask for an account holder’s birth date and mother’s maiden name for verification, both of which are freely available after the Comelec data leak.
  2. Changing the password and security questions of your email account. Many users tend to use personally identifiable information such as birthdays and parents’ names for passwords. This information, again, is publicly available through the leak.
  3. There are many other additional steps to mitigate the adverse effects of this data leak, and Thinking Pinoy will not delve into those any further as there already are sites that deal with that.

There are many other ways to use this personal information but Thinking Pinoy would rather not discuss them any further to avoid giving people ideas on how to commit felonies.
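
An added example, not part of the original post: a small check you can run locally on your own passwords and security answers to see whether they are built from the kinds of fields the leak exposed (names, birth date, mother's maiden name, address). The sample record, the field names and the matching rules are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample record holding the kinds of fields the post says were exposed.
LEAKED_PROFILE = {
    "full_name": "Juan Santos Dela Cruz",
    "mother_maiden_name": "Maria Reyes Santos",
    "birth_date": date(1985, 3, 9),
    "address": "12 Mabini Street, Quezon City",
}

# Undo common character substitutions ("S@nt0s" -> "santos") before matching names.
LEET = str.maketrans("01345@$7", "oieasast")
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%y%m%d", "%Y")


def squash(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def exposed_fields(secret, profile):
    """Return the sorted names of profile fields that the secret is built from."""
    raw = squash(secret)                              # digits intact, for dates
    deleet = squash(secret.lower().translate(LEET))   # substitutions undone, for names
    hits = set()
    for field, value in profile.items():
        if isinstance(value, date):
            tokens = {value.strftime(fmt) for fmt in DATE_FORMATS}
            if any(tok in raw for tok in tokens):
                hits.add(field)
        else:
            # Ignore very short words, which match almost anything.
            words = [w for w in re.findall(r"[a-z]+", value.lower()) if len(w) >= 4]
            if any(w in raw or w in deleet for w in words):
                hits.add(field)
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ("Reyes1985!", "S@nt0s030985", "Quezon City",
                      "correct horse battery staple"):
        found = exposed_fields(candidate, LEAKED_PROFILE)
        print(f"{candidate!r}: {found or 'no leaked fields found'}")
```

Any secret that returns a non-empty list should be replaced with one that has no connection to your personal details.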

But to put it simply: we are all f*ck*d and there’s little we can do about it.

Why did this happen?

The NBI managed to apprehend the suspected hacker on Thursday, but it will have little effect in stopping the spread of data. As I have explained in the previous section, the spread is now unstoppable.

Think of the data leak as gossip (chismis) and the hacker as the gossiper (chismoso). The chismoso has already spread the chismis. Even if we put the chismoso behind bars, the chismis will still continue to spread.

Before Senator Grace Poe calls for yet another senate investigation (that's the only thing she does, as she has passed ZERO laws so far), the best question to ask is this:

"Could we have prevented the unprecedented Comelec data leak in the first place?"

Interestingly, the answer is YES.

A quick chat with Atty Trixie Cruz-Angeles

I asked Atty. Trixie Cruz-Angeles (TCA) about this, and our conversation was as follows:

TP: Hi Attorney, just a question. Can we slap the govt with a class action suit over the Comelec data leak? Because that looks like gross negligence.

TCA: I think so... but it won't be a class action, maybe individuals.

TP: I was thinking that if it were a class action, the government would automatically go bankrupt, if ever. Even at just 100,000 each in damages, that would be almost equal to our external debt [Philstar].

TCA: Damages have to be proven. It's difficult if it's civil, though not impossible. An administrative charge for gross incompetence would be faster.

TP: From my research, I saw that there is a Data Privacy Act of 2012 / RA 10179, but they didn't fund it, they didn't even draft Implementing Rules and Regulations [IRR] up to this day.

TCA: Who is the implementing agency?

TP: In theory, the Department of Information and Communication Technology (DICT), but the DOJ will set the penalties. Even more ironically, the law creating the DICT was not signed, but it passed Congress. I previously had a chat with journalists over Twitter regarding the DICT law that passed Congress but was not handed by the Speaker and Senate President to Aquino for signing.

TCA: Whoa! Now it starts to look like a conspiracy.

TP: Yes, layer upon layer of willful negligence.

TCA: Correct. Assuming that it is indeed negligence and not deliberate inaction.

TP: Well, adding the fact that Malacañang even seeded the Comelec data leak torrent, it's not unlikely.

TCA: Malice.

TP: But okay, let me finish the article first before I have a heart attack.

TCA: Please give me a heads-up, okay?

TP: I will.

Data Privacy Act of 2012

President Benigno Aquino signed RA 10173 or the "Data Privacy Act" four years ago in August 2012 [Rappler]. 

The complete name of this law is:
"An Act protecting individual personal information in Information and Communications Systems in the Government and the Private Sector, Creating for this purpose a national privacy commission, and for other purposes."

And what was the Comelec data leak about?

Individual Personal Information and Communications Systems in the Government, which is exactly what RA 10173 covers.

Laws become useful only after the creation of IRRs. However, no IRRs for RA 10173 existed as of January 2016 [Philstar].

Question: who was supposed to draft the IRR for RA 10173?

Answer: The Data Privacy Commission, attached to the Department of Information and Communication Technology [RA 10173 Sec. 9]

Now, you're probably saying: But there is no DICT!!!

That's correct, however...

The Senate passed the DICT Bill in June 2015 [GMA]. Meanwhile, the House of Representatives passed it in October 2015 [Philstar].

After the congressional nod, all the bill needs is the president's signature (or veto). However, for some mysterious reason, neither Senate President Drilon nor House Speaker Belmonte submitted it to PNoy for signing (or veto).

As of December 2015, several lawmakers had already called for the bill's signing [Interaksyon]. As of March 2015, the palace still hasn't signed the bill [SunStar].

And it all boils down to the inaction of two key persons: Drilon and Belmonte.

Drilon (left) and Belmonte (right)

This raises some suspicion.

Both Senate President Franklin Drilon and House Speaker Sonny Belmonte serve as vice-chairmen for the Liberal Party. Malacañang, as we already know, is also dominated by the Liberal Party [TP: Plunder].

Just like what Atty. Cruz-Angeles said, is this a classic case of deliberate inaction?

I would've said no. 

That is, until everyone discovered that Malacañang itself is facilitating the data leak [Philstar].

What does the Liberal Party have to gain with stealing voter data?

I think the answer is obvious.

Yes, fellow Pinoys, the government itself is screwing us, again.
