The Senate and the House of Representatives finalized and ratified the proposed SIM Card Registration Act in their bicameral conference committee sessions. The two chambers of Congress endorsed the bill to Malacañang on February 2 and is only now awaiting President Rodrigo Duterte’s signature to become law.
House Bill 5793 and Senate Bill 2395, requires all social media users to register their legal identities and phone numbers when creating new accounts which aims to eliminate phone-aided terrorism and criminal activities.
Current subscribers with existing SIM card and active services will be given 180 days from the day that the law will take effect to register their account in their respective Public Telecommunication Entities (PTEs). Failure to comply with the requirement will lead to deactivation.
An extension period of up to 120 days shall be allowed through a valid request to the Department of Information and Communications Technology (DICT).
Senator Grace Poe, chairperson of the public services committee who led the bicameral meeting, said in statement that among the provisions that were settled was “to mandate all public telecommunications entities (PTEs) to require the registration of SIM cards as a prerequisite to their sale and activation.”
“Whatever information obtained in the registration process cannot be disclosed to any person except in compliance with any law authorizing disclosure, such as in the case of the Data Privacy Act; or in compliance with a court order or any other legal process; or with the written consent of the subscriber. No waiver of absolute confidentiality is allowed,” Poe said.
The country’s major telecommunications companies Smart Communications and Globe Telecom expressed their support for the ratification of the SIM registration bill.
Smart Communications’ vice president of regulatory affairs Roy Iba said that “the SIM card registration bill will help quash the proliferation of fraudulent spam messages, smishing cases and fraud, and will boost telecom security efforts to keep subscribers safe.”
Globe Telecom, in their statement , expressed support for the legislation as “part of our commitment to support the government in its fight against fraud, terrorism and other crimes.”
SIM card registration might put users’ privacy at risk
Cybersecurity experts have been raising the alarm that the mandatory registration of SIM cards may put the security and privacy of the users and citizens in general at risk.
The challenges in the proposed system include (1) potential use and abuse and susceptibility to surveillance, (2) centralized SIM card registry carries massive security risk, (3) disenfranchisement of the poor without official registration or who may be unable to buy SIM cards in far-flung areas in stores without the registration capability, and (4) negative or failed experiences in other countries.
As early as 2018, the Foundation for Media Alternatives raised the dangers of SIM card registration. The group said the move poses logistical challenges as it would require considerable information infrastructure, with the country then having 129.4 million subscriptions (96% of which were prepaid). Also, the group said the proposed law would disenfranchise the marginalized and would disincentivize those without official registration.
Jamael Jacob, a lawyer specializing in law, ICT and human rights, who also wrote on the dangers of the proposed law as “ill-conceived” since 2018, said the end product the Congress now passed is much worse than the one years before. He pointed out a lot of vague provisions in the law, including the social media account registration scope, process, deadline and how can this be enforceable with social media companies.
Another vague provision in the law he pointed out, one that has an implication on privacy rights, said that government agents can invoke telcos and social media companies to disclose registration information “enforceable administrative request for information.” But it is unclear whether government agents need only to make the request via a letter, call or in-person visit and what are the cases or when will this be permitted or who among the government can make the request, given there are already provisions for legal processes and court orders in the request of information.
Jacob also said the massive database of SIM cards becomes a major security risk, while its nature is still hazy. It is unclear if there will only be one centralized database to which all telcos will pool the information they collected, and who owns and controls the database.
Cybersecurity policy analyst Mary Grace Mirandilla-Santos, who spoke on behalf of Secure Connections, a cybersecurity initiative of The Asia Foundation, said that the bill if passed into the law may do more harm than good, as there is no solid proof that the compulsory enrollment of personal information with telecommunications firms will curb crimes.
In a statement that was released to PhilStar last February 4, Mirandilla-Santos also stressed how mandatory registration of SIM card posed a huge threat in data privacy. With the law in place, she said any SIM user can also be a subject of surveillance, as whereabouts can be easily traced, which does not bode well for informants blowing the whistle on sensitive information.
FMA also scored how a centralized SIM card registry can be potentially used for surveillance, giving rise to “significant risks for a whole spectrum of individuals, among whom are investigative journalists, whistleblowers, witnesses, marginalized groups, as well as victims of discrimination and oppression, state-sponsored or otherwise.”
“It is good that the bill includes a provision requiring PTEs to comply with minimum information security standards to reduce the risks to its recordkeeping system. However, the security of a central database cannot be guaranteed at 100%,” Mirandilla-Santos said.
Mirandilla-Santos also noted that based from the findings of global non-profit Privacy International, mandatory SIM card registration policies adopted by several countries including Canada, Czech Republic, the Netherlands and Ireland were “ineffective and inefficient.”
FMA also flagged “discouraging experiences” from other countries. In Mexico, the mandatory registration law was repealed after three years, after seeing no improvement in the prevention, investigation and prosecution of crimes. In Pakistan, a black market of SIM cards emerged. In Zimbabwe, the mandatory registration law enabled location-tracking and simplified communications surveillance and interception.
