[New post] Philippine Cyber Lawbytes 210: Why Data Security Matters: Attention to the National Privacy Commission: The CBPRS website is Not Safe Nor Secure According to Four Web Browsers!
New post on Philippine Law Bytes: TheCyberLawyer Issues by Dr. Attorney Noel Guivani Ramiscal
On February 11, 2022, the Legal Management Council of the Philippines (LMCP) and the UP Institute of Administration of Justice (UP IAJ) invited me to give a three (3) hour Mandatory Continuing Legal Education (MCLE) lecture on Data Privacy. The LMCP is a prestigious organization comprised of legal executives and managers of top law firms and Fortune 500/2000 companies in the Philippines. For this engagement, I decided to do a full lecture on the important intersections between "Data Privacy" and "Data Security", which had not been emphasized, or even attempted, in any MCLE lecture on data privacy in the Philippines.
The whole point of my lecture is that data privacy is not achievable without data security. Data security is the most vital requirement and prerequisite to data privacy, not the other way around. Thus, the legal importance given to data privacy, without any equal emphasis on the legal significance of data security is misplaced and is rife with grave repercussions. I illustrated this by giving detailed case studies, culled from the cases I have handled, and from my research.
One of the most important developments in the field of data privacy, as far as the Philippines is concerned, is the country's acceptance as a member of the APEC Cross-Border Privacy Rules System (CBPRS). Endorsed by APEC Leaders in 2011, this is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies. It provides the recognition criteria for organizations wishing to become an APEC CBPR System certified Accountability Agent, and it establishes a regulatory cooperative arrangement to ensure that each of the APEC CBPR System program requirements can be enforced by participating APEC economies.
In order to join this system, applicant economies or organizations must fill in an intake questionnaire, and their responses are evaluated against assessment criteria. The current nine participating APEC CBPR System economies are: the USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei, and the Philippines. The website itself hosts all the documentary submissions officially filed by the member economies.
As part of the due diligence tests I perform on every website I visit, critique, document and present in my research and presentations, the CBPRS website failed the one vital requirement that all websites dedicated to data privacy must have: data security. According to the four web browsers I used, the CBPRS website is NOT SECURE and UNSAFE, even DANGEROUS. Please take note of the yellow marker encircling the areas where these warnings and indications are visible. The web browsers all note the insecurity of this website even today, February 19, 2022.
1. MOZILLA FIREFOX
2. GOOGLE CHROME
3. MICROSOFT BING
4. OPERA
THE NATIONAL PRIVACY COMMISSION WEBSITE
In contrast, the National Privacy Commission's website tested as safe and secure in all four web browsers. I will give just one example; the following screenshots are from the web browser Mozilla Firefox:
IMPLICATIONS:
The CBPRS.org site is served over plain "http", not "https" (hypertext transfer protocol secure). This means that traffic between the browser and the CBPRS.org server is not protected by Transport Layer Security (TLS) encryption. TLS protects everything that passes between the browser and the server, including logins and passwords, and even the web administration credentials, from being read or altered while in transit. The four browsers' "Not Secure" warning therefore means that any information sent to or received from this website can be read or modified by anyone positioned on the network path between the visitor and the server, and that its origin cannot be trusted.
The security warnings of the four web browsers also show that the identity of CBPRS.org has not been validated by any trusted third party: without a TLS certificate, nothing ties the server the browser actually reached to the domain name shown in the address bar. According to the Opera Guidelines, the "best guarantee of a website's identity is provided by Extended Validation (EV) certificates. Extended Validation means that the details of the organization buying the certificate have been audited by an accountable, third-party entity, who can therefore verify that the certificate owner is who it claims to be. EV websites are indicated by a black security badge with a padlock in the address field". Two caveats apply to that guidance. First, Chrome 77 and Firefox 70 (both released in 2019) removed the distinctive EV indicator from the address bar, and Chromium-based browsers such as Edge and Opera followed, so an EV certificate and an ordinary domain-validated certificate now look the same to the visitor. Second, a domain-validated certificate, which can be obtained free of charge from a certificate authority such as Let's Encrypt, provides exactly the same TLS encryption and the same binding of the connection to the domain name; what CBPRS.org lacks is not EV, but any certificate at all.
In contrast to all this, the NPC website is served over "https", and the browser reports its TLS certificate as verified by Cloudflare, Inc., the certificate authority that issued it.
The unencrypted state of the CBPRS website leaves it, and its visitors, more exposed to attack. It is worth being precise about what a TLS certificate does and does not do. TLS does not by itself stop an attacker from hacking the server, planting fake documents or uploading malicious scripts to it; that depends on the server's own hardening and access controls. What TLS prevents is tampering in transit: without it, anyone between the visitor and the server (on the same Wi-Fi network, at an internet service provider, or at any intermediate network) can substitute a forged document for the real one, or inject a malicious script into the page as it is being delivered, and the visitor's browser has no way of detecting the substitution. This is all the more pressing because the Philippines' official documents submitted by the NPC, and the documents of the other eight member economies, are retrievable from this site with no assurance that what arrives in the browser is what the site actually published.
Moreover, the "Not Secure" warnings also mean that visitors have no privacy while browsing this site. Anyone on the network path, for instance other users on the same local network, the network operator, or the ISP, can see which pages the visitor requests and read anything s/he sends or receives, including any form submissions. The site therefore offers the visitor neither confidentiality nor integrity.
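The three things a browser condenses into its "Not Secure" indicator (whether plain http:// is redirected to https://, whether the TLS certificate verifies and who issued it, and whether the site sets HTTP Strict Transport Security so later visits cannot be downgraded) can be checked without a browser. The following Python script is an added example written for this page; it is not code from the original post, the CBPRS site or the NPC site. The hostname example.test, the sample responses and certificate in the offline demo, and the 180-day HSTS threshold are constructed or assumed for illustration.

```python
# Added example, not code from the original post or from the CBPRS/NPC sites:
# a small HTTPS posture checker covering what a browser's "Not Secure"
# indicator summarises: (1) is plain http:// redirected to https://,
# (2) does the TLS certificate verify and who issued it, (3) is HSTS set.
# The responses and certificate used in the demo are constructed samples.
import socket
import ssl
import sys
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 15_552_000  # 180 days; an assumed threshold matching common guidance


def parse_response_head(raw: str) -> tuple[int, dict[str, str]]:
    """Parse an HTTP/1.x response head into (status code, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_plain_http(status: int, headers: dict[str, str]) -> str:
    """Verdict for the response to a plain http:// request on port 80."""
    location = headers.get("location", "")
    if 300 <= status < 400 and location.lower().startswith("https://"):
        return f"OK: plain HTTP redirects to HTTPS ({location})"
    return ("FAIL: content served over plain HTTP with no redirect to HTTPS; "
            "anyone on the network path can read or modify it")


def parse_hsts(value: str) -> dict[str, object]:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy: dict[str, object] = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            policy["max_age"] = int(directive.split("=", 1)[1].strip().strip('"'))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy


def assess_https(headers: dict[str, str]) -> str:
    """Verdict on HSTS for a response that was already fetched over HTTPS."""
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return "WARN: no HSTS header; a first visit over http:// can be downgraded"
    max_age = parse_hsts(hsts)["max_age"]
    if max_age < MIN_HSTS_MAX_AGE:
        return f"WARN: HSTS max-age={max_age} is shorter than {MIN_HSTS_MAX_AGE}"
    return f"OK: HSTS max-age={max_age}"


def summarise_cert(cert: dict) -> dict[str, object]:
    """Summarise the dict that SSLSocket.getpeercert() returns for a verified peer."""
    def rdn(rdns, key):
        return next((v for seq in rdns for k, v in seq if k == key), None)
    return {
        "subject_cn": rdn(cert.get("subject", ()), "commonName"),
        "issuer_org": rdn(cert.get("issuer", ()), "organizationName"),
        "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),  # epoch seconds
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def _head_request(sock: socket.socket, host: str) -> str:
    """Send HEAD / and return the whole response; the server closes the connection."""
    sock.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    chunks = []
    while chunk := sock.recv(4096):
        chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def live_check(url: str, timeout: float = 5.0) -> dict[str, object]:
    """Run all three checks against a real host (network access required)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    result: dict[str, object] = {"host": host}
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            result["http"] = assess_plain_http(*parse_response_head(_head_request(s, host)))
    except OSError as exc:
        result["http"] = f"INFO: port 80 unreachable ({exc})"
    ctx = ssl.create_default_context()  # verifies chain and hostname against system roots
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["cert"] = summarise_cert(tls.getpeercert())
                result["https"] = assess_https(parse_response_head(_head_request(tls, host))[1])
    except (ssl.SSLError, OSError) as exc:  # refused port, bad chain, name mismatch, expiry
        result["https"] = f"FAIL: no verified TLS connection on port 443 ({exc})"
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]))
    else:  # offline demo on constructed samples
        plain = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
        redirect = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
        print(assess_plain_http(*parse_response_head(plain)))
        print(assess_plain_http(*parse_response_head(redirect)))
        print(assess_https({"strict-transport-security": "max-age=31536000; includeSubDomains"}))
```

Run with a hostname as the only argument to check a live site; with no argument it runs the offline demo on the constructed samples. The live check uses `ssl.create_default_context()`, which validates the certificate chain and the hostname against the system trust store, so a missing, self-signed, expired or mismatched certificate is reported as FAIL, which is the same condition the four browsers flag. A site that answers on port 80 with content and has no verified TLS on port 443 is exactly the "Not Secure" case described above.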
Unlike the NPC website, the CBPRS website falls short of the basic transport-security standard that any site handling data-privacy matters should meet. This is all the more baffling considering that the CBPRS website should be a paragon of data privacy standards for a website, given that it houses the official documentation submitted by its member economies.
I therefore respectfully request the NPC, as the representative of the Philippine economy in APEC, to notify the CBPRS body about their website's insecurity and the probable consequences if this is not addressed. It behooves the NPC to inform the CBPRS organization about its website's insecure and unencrypted state, for it is truly horrendous and inexcusable that a website devoted to data privacy can violate security standards, potentially breach the privacy of internet viewers, and be open to possible defacement, and even the deletion or alteration of the official public documents submitted by APEC member economies.