CAMARINES Sur Representative LRay Villafuerte has welcomed moves by the Department of Information and Communications Technology (DICT) and the National Telecommunications Commission (NTC) to fast-track the implementation of the new law requiring the registration of possibly as many as 150 million cellular phone (cellphone) numbers in the country, but told these agencies to refrain from completing this task with haste–and risk coming up with a database system vulnerable to hacking and other security breaches.

Villafuerte, co-author of Republic Act (RA) 11394 that President Marcos signed last Oct. 10, at the same time supported the plan by DICT Secretary Ivan John Uy to let both prepaid and postpaid subscribers register their respective cellphones’ Subscriber Identity Module (SIM) cards online, to avoid the scenario of them getting stuck in long queues to sign up at would-be registration centers of PTEs (public telecommunication entities) in malls and other commercial establishments.

“Although we commend the DICT and NTC for wanting to put on the fast track the crafting of the IRR (Implementing Rules and Regulations) for RA 11394, we caution their officials against rushing headlong on the mandatory registration of SIMs without first ensuring that they have, in tandem with our PTEs, future-proofed their would-be nationwide system of collecting, storing and managing biometric data and other personal information from as many as 150 million cellphone numbers against data breaches and other security risks,” Villafuerte said.

“Speed is okay,” said the president of the National Unity Party (NUP), “but not at the risk of having the personal data of the owners of 150 million SIM cards become prone to hacking or attacks from cybercriminals and other unscrupulous groups here and abroad that would just torpedo the very purpose of RA 11394, which is to protect our people from the almost daily deluge of text scams and other cellphone-based fraud”.

Villafuerte said the DICT and NTC should work closely with local PTEs Globe Telecom, PLDT Smart, and Dito Telecommunity in crafting the law’s IRR—and giving them the time they need to prepare for the mandatory registration and future-proofing of their systems before requiring all cellphone users to register their SIMs within the prescribed period.

“The DICT and NTC should be 100% confident that by the time our cellphone owners are given a deadline to sign up, the would-be national database of SIM data is fool-proof against attacks from devious local and foreign groups that hide behind the cloak of anonymity in perpetrating crimes with the use of cellphones,” he said. “They must bear in mind that they will be dealing here with private and sensitive data of would-be registrants that are stored in possibly as many as 150 million SIMs.”

Villafuerte said the DICT and NTC should develop an ultrasafe cybersecurity system that would likewise prevent PTEs or other groups from exploiting the would-be database for telemarketing purposes.

DICT Secretary Ivan John Uy was reported in the media as saying that the NTC wouldn’t take too long to complete the IRR as the Commission had already prepared a draft when the measure was still being tackled in Congress.

Once the law becomes effective, all existing postpaid and prepaid SIM users shall be required to register within 180 days, or about six months, to avoid the deactivation of their cellphone numbers.

Section 12 of RA 11934 directs the NTC to draw up, in coordination with the DICT along with other concerned agencies and groups, this law’s IRR within 60 days of its effectivity.

Such registration shall be made through a platform or website to be put up by the PTEs, which, in turn, are tasked to work with government agencies in establishing registration facilities even in faraway places with limited Internet access.

Cellphone users shall register their SIMs within 180 days from the law’s effectivity, although the DICT is authorized to extend the registration period for another 120 days, if needed.

Villafuerte explained that Section 6 of RA 11934 directs PTEs to maintain their own database containing the information required under this law, and such shall strictly serve as a SIM Register to be used by these companies to process, activate or deactivate SIMs or subscriptions.

He said that in the record-keeping of information, the law mandates PTEs to ensure that the end-users’ data are secured and protected at all times., and requires these companies to comply with “the minimum information security standards prescribed by the DICT consistent with internationally accepted cybersecurity standards and relevant laws, rules and regulations.”

The DICT, in turn, is mandated by the law to conduct an annual audit on the PTEs’ compliance with information security standards.

Villafuerte said that “complacency has no place in crafting the IRR and establishing a database with strong and layered security features,” considering that hackers have victimized at least two government offices handling sensitive data in recent months alone.

Citing media reports, Villafuerte recalled that the day after President Marcos signed RA 11394, the National Disaster Risk Reduction and Management Council (NDRMMC) announced on Oct. 11 that its official Facebook Page was hacked.

Late last year, the official Twitter account of the NDRRMC’s implementing arm, the Office of Civil Defense (OCD), was similarly hacked.

Globe, PLDT Smart, and Dito have separately issued statements welcoming the President’s enactment of RA 11394, and expressed their desire to work with the government in crafting the IRR and providing stronger regulation against cybercriminals.

Smart Communications, however, called for more time to prepare for the mandatory registration, with its regulatory affairs chief Ray Ibay saying: “There is a clamor from PTEs like Smart to be given more time to prepare and test its systems to ensure the safety of the information that will be collected from prepaid subscribers—as an information campaign on the SIM registration process will be launched, and Smart will ensure to provide its prepaid customers a smooth and hassle-free experience upon [the] registry of their SIMs.”

The National Privacy Commission (NPC) has likewise supported the new law, but said the registration process must not be left to retailers who may lack the capacity to secure data against possible breaches.

“Mechanisms must be developed and implemented to prevent security risks and data breaches that may arise from overcollection and improper or inadequate monitoring practices,” it said.

Following President Marcos’ enactment of RA 11934, Villafuerte said, “All mobile phone subscribers will now be better protected against the plethora of phone-based scams like smishing, more so now when digital tricksters have managed to hack more personal information from their victims, including the actual names of these cellphone users they intend to swindle.”

Villafuerte said, “It will be easier for the authorities or PTEs to trace persons behind text scams and hold them accountable for a breach of privacy along with cellphone-based fraud and other punishable offenses they are able to perpetrate by using unknown or unregistered mobile phone numbers.”

“Smishing” refers to short message service (SMS) phishing in which scammers try to hoodwink unsuspecting cellular phone (cellphone) users into giving them personal information, like passwords and credit card numbers, that these bilkers can use to commit identity theft to, for example, duplicate the victims’ credit cards or withdraw money from their bank accounts.

Villafuerte said, “The Philippines has been dubbed as the fastest-growing digital economy among major ASEAN (Association of Southeast Asian Nations) member-states, registering a whopping 93% year-on-year expansion from 2020 to 2021. This figure speaks volumes of how Filipinos have become heavily reliant on the advances of technology, especially when it comes to the convenience of online transactions.”

“But the apparent helplessness of our authorities in stopping cyber criminals from preying on the owners of over a hundred million cellphone through smishing and other scams has become the dark side of the digital transformation in our country where there are more mobile phones than people,” Villafuerte said. “Hence, it is high time that we secure our mobile SIMs from the proliferation of phone-based frauds through the mandatory registration of both prepaid and postpaid subscribers and their cellphone numbers.”

The House had approved House Bill (HB) 14—authored by Speaker Ferdinand Martin Romualdez with Senior Deputy Majority Leader Ferdinand Alexander Marcos III and Tingog Reps. Yedda Marie Romualdez and Jude Acidre—in consolidation with 15 other bills, including HB 2213 that Villafuerte had written with three other CamSur representatives.

HB 2213’s other authors are Reps. Miguel Luis Villafuerte and Tsuyoshi Anthony Horibata and Bicol Saro Rep. Nicolas Enciso VIII.