DAVAO CITY (MindaNews / 10 November) — As thousands of residents and potential visitors to the city took to social media last week to complain about the difficulties of accessing the SafeDavao site to register for a QR code, a mandatory requirement to be able to move around or enter the city supposedly effective November 7, Information Technology (IT) experts here warned of security risks in the system itself, pointing out vulnerabilities that could, if not attended to, lead to breach of data privacy.
The site crashed late Wednesday night, November 4, prompting Mayor Sara Duterte to announce over Davao City Disaster Radio (DCDR) the next day the postponement of the enforcement of the DQR to November 23.
She said the web developer sought her permission to take down the site and she instructed them to post a message that it is not available because at some point, 10,000 persons tried to access it.
As of 1 p.m. on Tuesday, Nov. 10, https://safedavaoqr.davaoct.com was still “unavailable at the moment in order to decongest the DQR registration.”
But the mayor announced over DCDR afternoon of Nov. 9 that there would be two registration links now – one for establishments and another for individuals — and that registration for establishments will resume on Wednesday, Nov. 11. For individuals, it will be announced later, she said. But enforcement will still be on November 23.
She said 360,000 individuals had registered before the site crashed. For establishments, no figure was given.
Over DCDR on November 5, the mayor told her listeners: “Useless lang na inyong time na masuko mo over a QR code … I-reserve na inyohang kusog sa mas dagkong butang na dapat kasuk-an” (It’s useless to get angry over a QR code. Reserve your energy for the bigger issues that you should be angry about).
The inaccessibility of the site, however, was not the only reason for the citizens’ rage. In fact, there were “mas dagkong butang na dapat kasuk-an” about the QR system itself. Fears of breach of data privacy, questions about the reliability of the service provider, how much the city spent, how safe – or unsafe – SafeDavao QR is, and compliance with the Data Privacy Act are among the issues the city government has to address, including as basic as why the domain name is davaoct.com instead of davaocity.gov.ph.
No QR Code, No Travel, No Entry
Section 1 of the mayor’s Executive Order 60 issued on November 3 reads: “No QR Code, No Travel, No Entry.”
According to the EO, Safe Davao QR (DQR) is an electronic contact tracing and travel pass platform for entry into and travel inside Davao City “to implement the requirement that travel must be for goods and accessing essential services or for work/business only;” in law enforcement checkpoints and barangay patrols to implement the prohibition on non-essential travel; and as a contact tracing log for entry and exit in all offices and establishments.
Davao City has the highest number of COVID-19 cases among Mindanao’s 27 provinces and 33 cities. The city has a population of 1.6 million as of the 2015 census.
As of Nov. 9, Davao City recorded 4,508 cases out of Davao region’s 6,524. Out of 4,508 cases in the city, 1,337 are classified as active, 2,978 recoveries and 193 deaths. A month earlier, on October 9, the city reported 2,244 cases.
Despite leading the number of cases in Mindanao, and last week even nationwide in terms of new cases, it took the city nearly eight months to set up an electronic contact tracing system. Other local government units in neighboring areas such as the cities of Tagum and Samal, or Koronadal and General Santos already have their own QR code systems.
A few hours before the SafeDavao site beamse unavailable on Nov. 4, MB Quin of Houston, a web developer based in Davao City, expressed concern on the security aspects of SafeDavao QR, citing eight points that indicated the problem was not just about the website traffic but the system itself.
“The main domain uses a self-issued SSL (Secure Sockets Layer) from Let’s Encrypt which even I wouldn’t recommend to small-medium online stores,” Quin said, adding “the actual page where you register does not even have SSL at all. I’m referring to http://safedavaoqr.davaoct.com/. Notice the non-use of HTTPS?”
“This means data is NOT secure. Why is the data driven main site used mainly for dissemination of information have SSL but the data collection part is not secured?” Quin asked.
He also asked why registrants are required to submit a selfie beside a valid ID when “this is typically used by online loan apps so if there’s a data breach, what stops anyone from applying for micro-loans under those people’s names? With the absence of security, even right now, other people can snoop at what data is being exchanged.”
Quin remarked that the company that implemented SafeDavao QR “doesn’t seem like” it had security in mind “since the number one thing to have when creating a secure site is having an SSL certificate, which they don’t have at the time of this writing. Note that this page probably (has) received tens of thousands of people’s IDs and selfies already.”
Surveying and mapping
Quin updated his post shortly thereafter: “Looks like this post got someone’s attention. The QR code registration page is under maintenance but the great thing it is now secured with an SSL from Sectigo.”
“It’s a good thing that the city is addressing our concerns – just hoping they become more transparent as to why certain things are needed (selfie with the id, etc), where our data is stored, and who has access to this data,” he wrote.
He also asked about Millana Surveying and Mapping Services which developed the site. He found the firm’s Facebook account was “relatively new” and it has no website.
“So the city is using a company with nearly no online presence to implement a citywide ONLINE project that deals heavily on security that appears not being implemented but is being required by the city,” Quin said.
The Millana firm’s Facebook account had been deactivated when MindaNews checked on Thursday morning and was still down as of 1 p.m. on November 10. The firm has no website but its expertise is supposed to be on surveying and GIS mapping as the name of the firm implies.
The firm is also behind the website https://covid19.davaoct.com/ which shows statistics, graphs, charts and maps of COVID-19 cases in the city “for informational purposes only” and “any reliance you place on such information is therefore strictly at your own risk.”
The COVID website has no “about us” section but searching Millana Surveying and Mapping Services in the worldwideweb leads to this site. Note that like the COVID website, the domain name of SafeDavao is also davaoct.com.
The Millana firm is not known to the IT community in the city.
“Need to be architectured and secured well”
Atty. Samuel Matunog, President of ICT Davao, told MindaNews on Nov. 5 that their members are sectoral associations but they have affiliate members. Matunog said he is not familiar with the Millana firm and “we also do not have an affiliate member by that name.”
On the question of how safe – or unsafe – SafeDavao QR is, Matunog replied: “cloud enterprise software applications such as those storing or proposing to manage and store millions of records, need to be architectured and secured well because there are malign actors waiting to pounce on your data. Many of these are powered by (ro)bots operated by ransomware entities.”
He added that there are “well understood processes and methods to secure a system” that (if) properly applied, there should be no reason to worry.”
“Should those who have already registered worry?” MindaNews asked. Matunog replied: “ I am not in position to comment because I have not seen how the system was architectured, designed and secured.”
He said the most obvious challenge is handling the traffic to the site but “that should be easy to solve.”
“The others, we need to be allowed to audit the system to make an opinion, just like the audit of the system of Smartmatic,” he said.
Third party security audits
Security audit is also what Jan Koichi Dayanan, a Davao City-based senior software engineer of an ISP company, proposed. Late evening of Nov. 4, he posted on his FB page 14 suggestions to the developers of SafeDavao QR, including basics such as utilizing local storage for their app so users can resume registration if the page is down, to hardcode the barangay data for Dvao City and nearby towns and cities, to load balance their servers to prevent a slowdown, to encrypt data, to turn off their debug mode on production as their MySQl server IP, username and database name can be accessed and is “another vector of attack.”
Dayanan also proposed to the developers to “open source your code,” noting that if the developer wants to make the system more secure and to hasten validation, “let everyone who’s interested work on it.”
He also urged them to remove the OTP (one time password) expiration because its SMS infrastructure is slow.
“Encrypt your QR information, or at least use a longer random string for IDs. One can easily brute force information and get them if they have access as an establishment,” added Dayanan, former head of Developers Connect Davao (Devcon Davao), an association of IT professionals, mostly software developers.
“Allow grayhats to work on your QA/QC (quality assurance / quality control). Third-party security audits are a must,” he suggested.
In another post on November 5, Dayanan addressed his friends that as an IT professional, “I advice you not to register yet sa DQR and wait until the issues are resolved.”
Dayanan told MindaNews over the weekend that the local government and the developer “should try to make it more transparent to people what happens to the data they have collected.”
“So far, people should not be panicking that their data is being used somewhere else. … … they should just keep their ears to the ground, observe … how this will evolve in the next few weeks.”
He said he believes changes are being done now to improve the system but reiterated his proposal to allow open sourcing “so other people can access the code to help mitigate these issues.”
Data Privacy Act
Over DCDR on Monday afternoon, Mayor Duterte said there are now many service providers working on the SafeDavao site. “Daghang service providers
Daghan na silang nagtabang ani” (There are many service providers now. Many are now helping). She did not name the service providers.
It is not clear if the first service provider is still working with the others or if the other service providers have taken over.
The mayor said there may be changes to the SafeDavao links. Whether or not the domain name will remain as davaoct.com or changed to gov.ph will be known when the links are announced. As of 1 p.m. on Nov. 10, the link to the registration site for establishments has not been announced. Their registration is supposed to resume on Nov. 11.
Reports from various sources said the City Information Technology Center (CITC) was not privy to the development of the SafeDavao QR system.
MindaNews sought Chito Mercado, OIC of the CITC, to clarify these reports but he could not be reached. MindaNews sent him questions by e-mail early Friday morning and followed it up Monday morning but he has yet to respond as of 1 p.m. Tuesday.
Apart from questions on accessibility and the system itself, questions have also been raised about compliance with RA 10173 or the Data Privacy Act (DPA) of 2012. The law mandates the protection of the “fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth” and recognizes the “inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.”
Section 24 of the DPA states that when entering into any contract that may involve accessing or requiring sensitive personal information from at least 1,000 individuals, a government agency shall require the contractor and its employees to register their personal information processing system with the National Privacy Commission (NPC).
It is not clear if the Safe Davao personal information processing system was registered with the NPC.
NPC Circular 2017-01 issued on July 31, 2017 provides for a mandatory registration of the data processing system in two phases.
NPC Circular 2016-01 issued on October 10, 2016 requires government agencies to conduct a Privacy Impact Assessment (PIA) “for each program, process, or measure within the agency that involves personal data” while NPC Circular 2016-03 recommends the conduct of a PIA as part of any organization’s security incident management policy.
NPC Advisory 2017-03 provides that for new processing systems, a PIA “should be undertaken prior to their adoption, use, or implementation.”
The law also provides that there should be a Data Privacy Officer (DPO) who shall be accountable for the government or private firm’s compliance with the DPA, its IRR and other issuances of the NPC. (Carolyn O. Arguillas / MindaNews)