App and software developers learn importance of data privacy by design at NPC forum

Over 500 software and mobile app developers from local governments and the private sector learned the importance of adopting data privacy principles in all stages of their product development and business management processes at a privacy-by-design webinar that National Privacy Commission (NPC) conducted on Sept. 27.

Kevin Shepherdson, a founder of Singapore-based privacy specialist firm Straits Interactive Pte. Ltd., lamented how many developers look at privacy only after they introduced the app and when everyone was complaining.

“You have to think [of privacy] at the planning stage. You have to be proactive not reactive,” Shepherdson said.

Million-dollar penalties

He warned that a reactive practice could bring problems in the end, citing a number of cases in which tech companies, such as Google and Tiktok, had been slapped by foreign privacy authorities with million-dollar penalties for privacy-violative practices. Others, like the facial recognition Ever App, were forced to shut down.

“Everything you do from the moment may influence not only the performance of your software but also those who use it in the context of privacy. Privacy must be your default posture even before you begin your programming journey," Privacy Commissioner Raymund E. Liboro said at the summit.

Origin of privacy by design

Privacy by design was developed in the 1990s by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian.

The approach, adopted by the European Union’s General Data Protection Regulations, requires data processors and IT system engineers to design products in a data-minimizing and data-subject friendly way, with pre-settings that adopt measures to mitigate anticipated security risks.

Lessons from Ph’s contact-tracing

Liboro urged developers to strive for privacy by design, calling it an "enabler of trust that will promote the use of your products, services and technologies.”

“Conversely the lack of trust will make people suspicious and hesitant to use your app or disclose their information which is critical for data driven technologies," Liboro said.

He cited as lesson the country's contact tracing, which Malacañang called the “weakest point” in the country’s Covid-19 efforts. Liboro noted that the NPC found people using these apps “incorrectly, with some using aliases to spoof their identity.”

Edwin Concepcion, head of Straits’ DPaaS Excellence and Support–Asean, echoed this, saying “building trust was one of the challenges the local contact tracing apps.”

He said he had found a privacy notice of a local government-implemented contacttracing app that was collecting personal data for marketing and data mining, purposes which have no relation to the objective of the contact-tracing app.

Liboro assured the participants that the NPC was continuing to coordinate with national and local governments “to ensure their respective in-house and respective software developers or contract-tracing apps are appraised of the duty to safeguard the personal info of Filipino people.”

Consent best practices

Atty. Rainier M. Milanes, chief of NPC's Compliance and Monitoring Division, gave an overview of the Data Privacy Act (DPA) of 2012, while reminding developers and data privacy officers (DPOs) to regularly work out a “clear, specific and updated” privacy notice and consent collection forms.

“Include specific consent. Describe what happens to the data once it is collected, what will happen to it when stored and when will it be disposed of,” Milanes said.

Strait’s Shepherdson added that once a mobile app had uninstalled, the user’s personal data must be deleted from the app as it was understood that the app’s business goals had been fulfilled.

Milanes said another best practice was allowing users to refuse and withdraw consent “easily and anytime.”

“Consent should also be unbundled from other terms and conditions whenever possible,” Milanes explained, discouraging the use of pre-ticked boxes especially for optional terms, such as marketing purposes, when seeking consent.

Kelvin Magtalas, information systems analyst at NPC’s Data Security and Technology Standards Division, said privacy notices and consent forms must have “clear and concise language understandable to its targeted audience.”

“In the Philippines, where we have many dialects, reiteration in other dialects should also be considered,” Magtalas added.

He pointed out that fintech-and online-solutions provider industries must improve on drafting privacy notices as many “vaguely describe the actual processing of their services.”

Cross-border data transfers, accountability

Atty. Ivy Grace Villasoto, Policy Development Division chief, explained the obligations of personal information controllers and personal information processors in sharing and transferring data.

She discussed the Asean Model Contract Clauses (MCCs), which the NPC is encouraging companies to adopt when transferring personal data across different jurisdictions in the region.

MCCs are templates businesses can adopt to set out the responsibilities, required personal data protection measures and related obligations of contracting parties when transferring personal data with other entities within the Asean for both controller-tocontroller as well as controller-to-processor transfers.

"You can use this to fulfill your obligations under Section 21 of the DPA or the principle of accountability to provide a comparable level of protection as personal data is processed by a third party," Villasoto said.

Swiss privacy laws

Carlos Ely C. Tingson, DPO of the Presidential Security Group, shared an analysis of Swiss privacy laws, one of the highest legal standards for privacy in the world that makes Switzerland a top choice for data centers.

He emphasized the need to fully understand the laws of other jurisdictions and their security protocols that would be applied to data handling processes.

“By putting privacy by design, it is not enough to say, ‘We are using high-grade encryption.’ We have to check the design itself, the infrastructure we use,” Tingson said.

“We also have to check, aside from the SSL (Secure Socket Layer) and the authentication protocols, we have to check how were the [server] keys derived, how were the keys distributed, where are they stored, and the like,” he added.

Finding external, internal vulnerabilities

Allan Jay Dumanhug, cofounder of cybersecurity firm Secuna, encouraged developers to “hack yourselves first,” providing key tips in searching for publicly available data through Google, GitHub and Shodan, the most common sources of hackers.

For his part, Raymund Nuñez, an information security professor at the University of the Philippines and a security consultant, said vulnerabilities that were widely perceived low-risk could still open a point of entry for hackers, especially when combined with other low-risk threats.

`Bruteforcing’ credit card number

Nuñez revealed how the last four-digits of a credit card number revealed in physical receipts, could still be “bruteforced” to reverse anonymization especially if the programming language used was weak. Bruteforcing is an exhaustive search and the guessing of possible combinations of a targeted password.

“Bruteforcing blindly would have taken months to crack but with the insights we have, the techniques we applied, we were able to crack 300,000 passwords in a few hours,” Nuñez added.

Google, Facebook reassurance

Meanwhile, tech giants such as Google and Facebook reiterated their commitments to comply with the DPA and protect users.

Yves Gonzalez, head of Google Philippines’ Government Affairs and Public Policy, presented the platform’s key features that represent privacy by design.

"Our privacy tools put you, the user in control," Gonzalez said, noting that configurations are easy to use so users, "in just a few clicks,” can choose the right privacy setting that works best for them.

He also touted Google’s privacy sandbox which allows advertisers to continue profiting from personalized ads while protecting users profile.

Arianne Jimenez, Facebook’s privacy and public policy manager for the Asia Pacific, shared how the social media giant leveraged real-time data to respond to real world crises such as Covid-19.

Vigilance among data subjects

Liboro urged data subjects to be more vigilant in protecting their data privacy rights in this digital age.

“Do not hesitate to file a complaint against tech platforms that are failing your privacy and protection standards,” he said.

The NPC chief said data subjects need not adjust with tech platforms.

``Developers, companies and personal information controllers must adjust according to your needs by thinking of your privacy rights in every step of the way,’’ he said.

“Because it is only through privacy by design that data subjects will fully embrace the digital world, and hence keep the economy and innovation thriving for the benefit of Filipinos,” Liboro added.