One signature away: Mandatory SIM registration bill

THE SIM (Subscriber Identity Module) Registration Act is poised to become the “first of many” laws passed during the Marcos Jr. presidency, according to Rep. Martin Romualdez, House Speaker and presidential cousin. Railroaded in both chambers of the 19th Congress, the bill is awaiting the signature of President Marcos which, according to Senate President Miguel Zubiri, was set for October 6. 

The passage of the law would add the Philippines to a list of over 150 countries with mandatory SIM registration. Once enacted, all active SIMs must be registered with telecommunication companies within 180 days or be deactivated. SIMs purchased after will have to be registered prior to activation by service providers. 

Only some months ago, then President Rodrigo Duterte vetoed the 18th Congress’ version of the law in early April because it also included mandatory social media registration. At the time, lawmakers argued the urgent passage of the bill to prevent terrorism and hoax bomb threats via text.

A surge in “personalized” text scams addressing recipients by name gave mandatory SIM registration a fresh push. These were linked to “smishing” or the fraudulent spamming of text messages prompting recipients to reveal personal data including passwords and credit card details. 

On September 8, the Senate’s Committee on Public Services chaired by Sen. Grace Poe launched a probe into the phenomenon. The committee recommended the passage of the law as the solution to smishing.

Media reports tracked the entire process which took less than three months, from its filing in July to the bicameral approval on September 28.

Reports glossed over such important issues as the effectivity of mandatory registration in preventing digital scams and the well-documented security risks and privacy concerns that could result from the law. 

Not a “silver bullet” or “panacea”

Experts say SIM registration will not stop smishing. 

In a September 25 opinion piece for Rappler, Jamael Jacob, lawyer and policy and legal advisor of the Foundation for Media Alternatives (FMA), stressed that registration can be circumvented by cybercriminals. 

“Bad actors can quickly render SIM card registries ineffective just by shifting gears and choosing a different delivery mechanism (e.g., using foreign numbers, email platforms, mobile applications, etc.).” Jacob lamented that lawmakers continued to see it as a “panacea” for all manner of cybercrimes despite evidence saying otherwise.

In a 2018 briefing paper, FMA explained that  mandatory SIM registration is a flawed system and a band-aid solution. The organization noted that some countries have repealed such laws (Mexico) and scrapped proposals (Canada) after studies revealed that years of implementation had failed to decrease SIM-related crimes. In Pakistan, criminals deliberately used SIMs registered to unsuspecting individuals to evade authorities. 

In a OneNews report posted on September 7, Deputy Commissioner Leandro Angelo Aguirre of the National Privacy Commission (NPC) pointed out that the measure “could help” but would not “completely stop scammers” who would simply turn to other means. Instead, Aguirre urged constant vigilance and awareness on the part of users. But the state privacy agency fully supports the passage of the law.

In the same article, Angel Redoble, PLDT-Smart’s Chief Information Security Officer, likewise recognized that SIM Registration would not be a “silver bullet.” Still, all three of the country’s telcos support the law. 

News.abs-cbn.com reported that Democracy.net.ph, a technology rights group, urged the administration to focus instead on “cybersecurity training and education.” 

While mandatory SIM registration has not been shown to effectively prevent crime, other sources have called attention to the perils that could result from having such a record of personal information. What would stop hackers from using this information for criminal purposes? 

Fraught with security risks

Were these dangers considered and discussed in Congress? 

A September 19 Manila Bulletin report said that ACT-Teachers Party-list Rep. France Castro and two of her colleagues in the Makabayan bloc voted against the measure. Castro noted that data breaches have already led to rampant smishing. 

Bulatlat’s September 11 report shared insights from Ronald Gustillo of Digital Pinoys, a digital safety advocacy group. Gustillo said that hackers would see a SIM registry as the “holy grail of all databases.” Jacob likewise warned in a September 5 column for GMA News Online that the database could become “one big security liability.”

On September 30, Bulatlat followed up on the issue, reporting the strong opposition to the bill of IT experts from the Computer Professional’s Union (CPU). CPU said the non-solution violated the people’s right to privacy and instead urged the Marcos administration to determine the “root cause” of the problem.

FMA added that “investigative journalists, whistle-blowers, witnesses, marginalized groups, as well as victims of discrimination and oppression, state-sponsored or otherwise,” were especially at risk of state surveillance. To register, users must present a valid government photo ID and provide other personal information via a registration form.

The September 28 editorial of SunStar Cebu raised similar concerns that the database could be used as “surveillance machinery”, given the continued red-tagging by government officials of state critics. 

No veto this time 

Speaker Romualdez, principal author of the current law, is confident that no veto would occur this time since this version excludes social media—the basis for Duterte’s veto. 

With so many doubts expressed about the effectivity of mandatory SIM registration to prevent crime, what is the possible use of the data base, or even of rushing the bill to law? 

Media should continue to spotlight the greater threat that can lead to more crime against citizens, including the intrusion of state agencies into private lives and the use of such personal information for political purposes. 

As for the elected lawmakers, their haste in passing this law has once again demonstrated the customary lack of attention to the real needs of citizens for security from crime and from dubious government interference. 

Personal communication must be secure; personal information must be kept private. Congress should be wise enough not to pass laws that will open new opportunities for crime and for more state interventions into our private lives.