After multiple attempts by lawmakers since the early 2000s, the mandatory Subscriber Identity Module (SIM) Card Registration Act lapsed into law yesterday, March 4.
The said act will require SIM cards to be registered prior to use and activation. It will also require social media companies to register the real names and private phone numbers of people creating accounts on their platforms.
SIM cards give cell phones, telephones, and devices a unique number and customer identity. These store specific data needed to access various services such as Internet browsing, texting, and calling, according to PCMag’s encyclopedia.
Lawmakers and telecommunications companies have lobbied for the passage of this law to curb criminal activities aided by SIM cards, the internet, or electronic communication devices.
These crimes include “terrorism; text scams; unsolicited, indecent or obscene messages; bank fraud; libel; anonymous online defamation; trolling; hate speech, spread of digital disinformation or fake news.”
Groups advocating for information and communication technology (ICT) rights strongly oppose the said measure, saying it would be disastrous in terms of privacy and security rights. It is expected to significantly affect over 160 million prepaid subscriptions in the country.
‘Quick-fix’ solution against trolls, fake news
One of the major positions against the act stems from a provision introduced earlier in December 2021 by Sen. Franklin Drilon as a “quick-fix” solution to address issues on trolls.
Advocates have challenged this as unconstitutional for violating “constitutional guarantees of freedom of expression, freedom of association, (and) personal privacy.”
In an effort to address the impunity that social media provides for troll accounts, Section 5 of the law states that “all social media account providers shall require real-name and phone number upon creation of (an) account.”
This provision became controversial because:
- The term “social media” is not defined in the act in the first place. Carlos Nazareno, cybersecurity advocate and director of internet and ICT rights advocacy group Democracy.Net.PH, pointed out that the huge chunk of the problem lies with the vagueness of its legal definition.
“Puwedeng masama dito [sic] ‘yung (The term “social media” can include) blogs, business networks, collaborative projects, forums, photo sharing services, product/service review platforms, social gaming, social networks, video sharing, [and] virtual worlds,” Nazareno said in a Twitter Space last Feb. 19.
- There is no existing law or provision that penalizes “trolling”, “hate speech”, and “spread of digital disinformation or fake news”. Despite not having basis under existing laws, Democracy.Net.PH said these can be invoked “to justify the need for the law and its oppressive impositions.”
While the Cybercrime Prevention Act of 2012 provides safeguards against cyberlibel, a 2014 Supreme Court decision stated that actual malice must be proven first by trial in order to hold an online troll liable for cyberlibel.
- The law deprives people of the right to be anonymous online. By criminalizing the right to anonymity and pseudonymity online, media nonprofit Foundation for Media Alternatives said it deprives Filipinos of their right to create a zone of privacy “wherein people can feel safe with their personal opinions and beliefs.”
Possible abuse of SIM card-based profiling, surveillance
According to privacy rights charity Privacy International (PI), laws mandating SIM registration are often introduced in a “legal void” or when there is yet no existing robust legislation and framework on data protection and oversight such as the Data Privacy Act of 2012.
“SIM users’ information can be shared and matched with other private and public databases, enabling the state to create comprehensive profiles of individual citizens, and enabling companies and third parties to access a vast amount of data,” PI said.
Section 9 of the law provides confidentiality of personal data for the end user. This is revoked if telecommunications and social media companies were ordered via subpoena to hand over phone numbers and social media accounts the government thinks may have been used in criminal activities, as stated in Section 10.
In a May 22, 2015 report before the UN Human Rights Council, UN special rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye said that states should not require SIM card registration for mobile users.
“Compulsory SIM card registration may provide governments with the capacity to monitor individuals and journalists well beyond any legitimate government interest,” Kaye said.
Law authorities are authorized to spoof registered SIM cards as stated in Section 11 of the act. This allows them to transmit misleading or inaccurate information about text messages or calls for legitimate law enforcement operations like surveillance.
“Coupled with the Anti-Terror Law, law enforcement agencies can practically use this on anyone, because the ATL doesn’t require substantial evidence—or any evidence at all—to tag someone as a terrorist and surveil them,” Kim Cantillas, secretary-general of militant tech group Computer Professionals’ Union stated in a UPLB Perspective column published last Feb. 25.
Personal data more prone to cyberattacks
The compulsory collection of real names and private phone numbers in social media platforms also exposes Filipinos to “harassment, identity theft, financial crime, and other forms of harm,” Democracy.Net.PH said.
“From a cybersecurity perspective, the law is creating additional vulnerabilities for individuals because of the potential for data breaches,” they added. To justify their argument, they cited the case of Facebook which experienced four cases of data leaks in 2019 which affected almost 900,000 Filipino Facebook users.
Senior data scientist of digital banking firm ING Albert Yumol said during a Feb. 19 Twitter Space that chances of data breaches are high if the personal data of SIM card subscribers are stored all in a single database.
Filipinos are also required to divulge personal information to the government through public telecommunication entities (PTEs) such as Globe Telecom and Smart.
Section 6 of the SIM Card Registration Act states that PTEs will forward and keep the collected data to a centralized database accessible to both the National Telecommunications Commission and the Department of Information and Communications Technology.
“The database shall strictly serve as a register for the processing, activation or deactivation of subscription, and shall not be used for any other purpose,” the law stated.
But without its implementing rules and regulations, it’s not certain who will manage the database and how it would be done.
Socmed firms, telcos may profit from collected personal data
Social media platforms are required to comply under the SIM Card Registration Act, but Democracy.Net.PH believes it’s uncertain whether these companies will follow as long as they operate outside local jurisdiction.
“Even if lawmakers issue new rules, there is no guarantee platforms will follow,” the group said, citing a Feb. 3 WIRED magazine report about Dubai-based online messaging app Telegram ignoring an order from German authorities amid a crackdown on violent anti-lockdown content.
The law would be similar to the Anti-Terrorism Act of 2020, where the government can reach out to foreign countries where the social media companies operate, Francis Malayao of tech advocacy group Computer Professionals’ Union said in reply to a question from student publication RESISTANCE during a March 2 forum.
Meanwhile, UP Internet Freedom Network Vice President Sonya Castillo raised caveats on surveillance capitalism once the law has been implemented.
“Social media companies and telecommunication companies may also benefit from this (measure) in a sense that they have the (personal) data to sell to the government or vice-versa,” Castillo said.