The recent scam text messages bearing one's full name most likely did not come from third-party data brokers contracted by telecommunication companies, much less from COVID-19 contact tracing apps, according to officials from the National Privacy Commission (NPC). Former NPC officials, however, aren't discounting such grim possibilities.
The messages, which have been hounding Filipinos for days now, usually come with an offer to earn money and a shortened link to a suspicious website.
"Based on initial investigation, aggregators are unlikely sources," said Michael Santos, NPC Complaints and Investigation Division chief, in a webinar on Sept. 7.
Data brokers are companies that collect information like names, addresses, numbers, emails, incomes, etc., from several sources, then process, analyze, and license them to other bodies. In the context of telcos, data brokers may be contracted to work with other companies for their text campaigns.
Santos cited reports from telcos stating that the scheme happens phone-to-phone, since what pops up is the sender's unknown number registered with the telcos—mostly starting with (+63)981—instead of an organization's name (e.g., NDRRMC, MANDAVAX).
"Most likely, it's a prepaid SIM on an unlimited text (promo)," he said.
Unscrupulous data brokers?
Earlier in the day, ex-NPC Commissioner Raymund Liboro on CNN Philippines's The Source said there could be unscrupulous data brokers out there, especially because of COVID-19 and inflation.
Liboro described a scenario in which a company may be contacting a data broker to act on its behalf in dealing with telcos. The company would then give its database to the data broker—but the telco has no idea that the data broker also sold the database to other data brokers.
He noted that in the United States, there are 4,000 registered data brokers. The industry, he said, is worth $200 billion (P11.4 trillion), projected to even double in the coming years.
"We're in the middle of a perfect storm," Liboro said. "Some people are desperate."
In a Sept. 2 Laging Handa public briefing, ex-NTC deputy commissioner Edgardo Cabarios was also convinced that somebody leaked the information because although spam messages could indeed be random, the recent messages bearing the full names of subscribers are already on another level.
"Someone should be punished here," Cabarios said. "It could not be taken from just anywhere."
Liboro on The Source said telcos must ensure that the data brokers they contract are complying with the law, particularly the Data Privacy Act of 2012. In particular, Chapter III Section 11 states that personal information shall be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained.
Apps, forms containing public info
NPC Deputy Privacy Commissioner Leandro Aguirre meanwhile said on the webinar that perpetrators could have also obtained information from apps where one's name and number are publicly available.
Similar to the cases of several netizens days ago, one of the scam text messages a PhilSTAR L!fe staff member received identified them using their full first name and last name's initial in all caps—akin to the format of popular e-wallet GCash. Another staff member got a message based on their display name on popular messaging service Viber.
Liboro also told The Source that new technology has already allowed harvesting of data from public sites.
Santos said the process is also probably automated, noting it won't be practical and profitable for perpetrators to text people manually based on COVID-19 contact tracing forms, especially the handwritten ones.
"So far, we haven't seen any leak either. The leads suggesting this came from contact tracing aren't strong," he said.
A joint memorandum of the Department of Trade and Industry and Department of Labor and Employment states that forms must be handled with "utmost confidentiality" and "securely disposed of" after 30 days. In particular, paper shredders must be used to get rid of printed forms.
Liboro, however, told The Source that contact tracing forms, whether virtual or physical, are still "possible sources."
Albay 2nd District Rep. Joey Salceda earlier said the forms from several apps and establishments—instead of just one application with a single protecting data controller—could be accounting for the scam text messages. Salceda called the Inter-Agency Task Force on Emerging Infectious Diseases "careless" because of it.
He also took note of a "wild west" of three months for data privacy: guidelines for contact tracing were only issued in June 2020, though contact tracing had started in March 2020.
"I don’t want to ascribe malice, but some of them may have even sold it," Salceda said.
SIM card registration bill revival
A House committee approved a consolidated bill seeking to require Filipinos to register their prepaid and postpaid SIM cards.
House Speaker Martin Romualdez, Ilocos Norte Rep. Sandro Marcos, and Party-list Reps. Yedda Romualdez and Jude Acidre refiled House Bill No. 14, which is the exact version approved in the 18th Congress.
Under the measure, citizens must provide to telcos their personal information that includes their full name, birthday, address, and photo from government IDs. Telcos like Globe, Smart, and DITO will store the information in a central database.
The data shall be treated as "absolutely confidential," unless the subscriber says otherwise in writing. It, however, may be accessed through a court order or a written request from a law enforcement agency.
A data breach would incur penalties ranging from P5,000 to P1 million on erring telcos or authorized sellers.
Former president Rodrigo Duterte, however, vetoed the bill passed by the 18th Congress last April because of a provision that also required social media registration, in which users must go by their real names. Duterte cited the need for a "more thorough study" amid individual privacy and free speech concerns.
Sen. Grace Poe and Senate President Juan Miguel Zubiri likewise refiled the bill, though Poe kept the social media registration provision.
The Senate Services Committee, of which Poe is chair, will hold a hearing on the scam text messages on Sept. 8. The day's agenda includes discussion on the proposed law on SIM card registration.
Culprit still unknown
Santos acknowledged that at the moment, it's difficult to pinpoint the culprit/s behind the scheme.
But by the same token, Santos believes the perpetrators only have access to mere names and numbers right now, saying that clicking the link redirects to a generic website asking users to supply more personal information.
In the meantime, the NPC and telcos are urging the public to simply ignore and block the suspicious numbers. As the classic maxims go, "Think before you click" and "If it's too good to be true, then it probably is."
Major players Globe, PLDT-Smart, and DITO Telecommunity said they're also doing their part in blocking numbers.
While Aguirre and Santos said the SIM card registration bill would be of immense help, they said it still isn't the "silver bullet" that would put an end to the problem. Blocking numbers, too, can only do so much, as the perpetrators would still find ways.
What matters now, they said, is an active information drive about smishing.
The NPC is urging the public to report cases they encounter at [email protected]. Subscribers are also encouraged to report cases to their respective providers.
"If we won't be able to address this," Liboro said, "they would be emboldened to come up with more vicious campaigns."