Wednesday, June 6, 2018

The one ID to rule them all

For as long as I can remember, it has always been a big question in my head why there are numerous government identification cards or IDs, all the more as I forayed into the world of information technology and was exposed to numerous system integration projects. I was also awed when I saw Singaporeans in Changi Airport merely swiping their IDs as they arrived home, evading the long immigration queues, back when our passports were still ‘handwritten.’

Amid the passage of the National ID System law, it seems we are a little closer to that scenario where I don’t need to bring two government-issued IDs and a utility billing statement whenever I want to open a bank account. That is, if banks would change their “at least two government-issued IDs” rule. Would all the other identification protocols change? Will the postal, voter, SSS, GSIS, Philhealth, Pag-Ibig, BIR, the last Unified ID attempt (UMID), driver’s license, and passport be retired by the “one true ID to rule them all”? (Ok, those last two may be a stretch, but a guy can dream, can’t he?)

The proponents of the national ID system profess that public safety, social inclusion, law enforcement, financial inclusion, and better delivery of and access to government services are the major benefits that can be derived from having such.

On the other hand, detractors and several developed countries including the US, Australia, and New Zealand do not want to go down this path for fear of privacy violations via surveillance, oppression by infringing on civil liberties and human rights, costs, unsanctioned increase in scope, and unproven effectiveness in fighting crime and terrorism.


While both sides can argue till they are blue in the face, a concern that will invariably persist in the event that the national ID comes to fruition is the protection of the personal data that will be collected by the government. While, thankfully, we now have the Data Privacy Act that guarantees the rights of the data subject and the National Privacy Commission (NPC) to monitor violations, an undertaking of this magnitude would proportionally require massive logistical and technical expertise to implement. Can you imagine collecting, using, retaining, sharing, archiving, and destroying the personal data of millions? The complexity alone of planning, implementing, managing, and supporting such a system is surely one for the books. I tip my hat to the brave men and women who will be the project and service delivery managers of this project. Please do not forget “people, process, technology,” okay? Not one or two, but all three aspects in consideration, and in that exact order, please.

In one of the reactions during the announcement that the bill passed both houses of Congress, a well-known data privacy advocate and former government official posed the question ‘Will these reduce identity theft?’ My quick reply was – ‘If security systems, policies, and procedures are not properly implemented it could even increase it.’ Have we forgotten about the ComeLeak episodes and the other incidents of data leakages both here and abroad? And mind you, these are supposedly very secure systems.

Making the system operational is one thing, but implementing information security is another, much more complex and larger undertaking. There are just so many questions that pop up when considering the security of the national ID system.

What will be the security architecture? This is key, as it will define what information security systems need to be put in place and where. The firewalls, intrusion detection systems, network access controls, log collectors, and others will all depend on this.

What will be the security systems? Systems and devices that will be providing critical services like authentication, privacy, authorization, integrity, and non-repudiation.

What security standards should it conform to? The appropriate best practices, global standards, frameworks and security controls should be studied and applied.

Will there be sufficient human resources? The biggest challenge of them all, in my opinion, as the capabilities and expertise needed to properly secure systems are quite scarce and expensive.

Who will monitor and provide incident response (IR)? This should undoubtedly be a round-the-clock 24×7 operation. Security incidents will definitely occur, and the timely discovery and remediation of such is imperative to its operation.

How will business continuity and disaster recovery be implemented? The design, implementation, and management of alternative facilities, systems, location, and personnel in the event of a man-made or natural catastrophe.

These are just some of the security concerns that come to mind – and I’m fairly certain that there are more that I have missed. We haven’t even touched on policies, processes, and procedures!

The Philippine Statistics Authority (PSA) is the lead agency that will be tasked to implement the national ID system, and as such it will also be the one to house and maintain the system associated with its operation. That is a big burden and responsibility, and we hope and pray that sufficient planning and scenario testing will happen before it is eventually rolled out into production.

Mind you, this is very much not just a sorrowful fowl from a fast-food chain that became unavailable because of IT planning issues; we are talking about the safety and privacy of the personal information of what could be the entire population of the country.
