Privacy body probes 'gaps' in FOI website interface after data leak

ABS-CBN News

Posted at Mar 23 2019 03:03 PM | Updated as of Mar 23 2019 07:38 PM

MANILA (UPDATE) - The National Privacy Commission (NPC) is looking into "gaps" in the interface of the government's Freedom of Information website that may have caused the leak of data on users who requested documents from the website, one of the agency's commissioners said Saturday.

Columnist Wilson Chua earlier said the ID he used on government website www.foi.gov.ph was leaked and could now be searched online by using "eFOI ID."

"We are looking at the interface. There might have been some gaps in the design, in the way the process was offered or uploaded," NPC Commissioner Mon Liboro told ANC's Dateline Philippines Weekend.

"It's a case of our FOI frontliners, meaning the PCOO (Presidential Communications Operations Office), apparently overdid [the] transparency angle or aspect of this FOI service," he said.

"We are looking [at] how they might have [been] amiss on this one," he said.

The FOI website allows Filipinos to request any information about government transactions and operations. Users who make a request on the platform are asked to upload a scanned copy of their IDs on the website as part of the requirements.

"The attachments of those who made the request have been taken down," Liboro said.

"We're still measuring the extent of this incident. This will all be part of the ongoing investigation," he said.

Liboro downplayed the gravity of the data leak, saying such flaws "do happen" when rolling out innovations.

"The PCOO is a very young organization. The FOI itself is a nascent concept that is being offered, so this is part of the development," he said.

"Sometimes these gaps do happen. You don't get it perfect on the first try. We learn from this incident," he said.

The Department of Information and Communications Technology believes the data leak is an isolated case but it did not rule out the possibility that some officials may be held liable for the incident.

"If there is really a breach, if there is really a negligence on the part of the administration, then there are laws that will take care of that," DICT Assistant Secretary Allan Cabanlong said.

Civil society group Democracy.net.ph, meanwhile, questioned the need to require identification documents in FOI requests.

It believes this part of the process is the root cause of the data leak.

"Global best practice for FOI is that an ID is not required for FOI transaction, why is an identity required on requesting information from government?" said Pierre Tito Galla, co-founder of Democracy.net.ph.

"In fact private data should not require a citizen proof of his identity to be able to request FOI information."

It urged government to take note of international best practices and establish a so-called government enterprise architecture framework to prevent data breach incidents.

"We are having breaches over different websites because the standards are all over the place, no one set standard, no policy in design being implemented," Galla said.

"We have websites even requiring old browsers IE7. Which is not a good, older tech easy to compromise, moving forward with time."

For now, the group advised users who may want to request information from the FOI portal to use other means.