[Tech Thoughts] Mandatory social media identity verification: A shortcut open to abuse?

The Department of Information and Communications Technology (DICT) has a draft department circular laying out its intent to institute the mandatory identity verification of user accounts on social media platforms.

The DICT is seeking comments and inputs on the matter, and despite the worry that I might be rehashing the same tired arguments made by others more knowledgeable than me in this space, it still bears noting these arguments.

Let’s dive into why this proposal feels like bad news.

The justifications

The DICT is trying to justify the idea of making sure social media accounts can be verified by stating that “the proliferation of deepfakes, AI-generated deceptive content, automated BOT accounts, and malicious coordinated inauthentic behavior necessitates a risk-based framework that scales verification duties over social media platforms.”

According to the draft circular, “there is a need to develop a policy framework that shall balance the right to free expression with the State’s duty to protect the integrity of cyberspace.”

The draft circular intends to act as a deterrent. As written, it will “serve as a mechanism for law enforcement to identify perpetrators subject to due process, thereby suppressing the proliferation of computer-related offenses, including but not limited to online scams, phishing, computer-related identity theft, cyber libel, and online sexual abuse and exploitation of children.”

It also seeks to act as a means of making social media better, by “identifying and deactivating fraudulent and automated accounts designed to manipulate public opinion and destabilize national security.”

To do this, all social media platforms affected by the circular would need to implement a mandatory account verification system as a free service to account users, making sure “all social media accounts are verified to a legal identity” such as an ID for adults or permissions from a parent or guardian for those under adult ages.

A disproportionate response and hesitance to do the enforcement work

One of the arguments against this draft circular would be that it treats all social media users like potential criminals instead of people engaged in online behavior.

It wants to make the job of enforcing existing laws easier by having everyone surrender their right to some privacy and anonymity within reason.

That sounds more like control rather than proper cybersecurity posture.

This, despite the laws being plainly stated and available, and with (what I hope they presumably have) sufficient resources to get anti-cybercrime operatives to work on stamping out criminal behavior.

Platforms are incentivized to keep the money flowing by acceding to requests from the government to stomp out bad actions and bad actors — even if Meta, for one, is guilty of fending off pressure to crack down on scams because of the money involved.

Heck, even the Grok folks are trying to enforce better behavior for users of its generative deepfake maker by instituting corrective actions when asked by the Philippines.

Perhaps the main problem isn’t that the action makes enforcement easier — it’s that enforcement of the laws might be too difficult or time-intensive as it stands now for a country like ours and the folks in charge don’t want to do the work.

A bad shortcut open to potential abuse

One other argument against instituting this social media verification circular is that it’s a shortcut measure that appears to be helpful, but will ultimately present further problems down the line.

Aside from data privacy and rights concerns, as seen above, we should also look at data security and logistics. The right questions to ask if this continues might be the following:

• Logistically, what counts (or doesn’t count) as a social media platform?
• Who’s going to process all this data?
• Who’s going to hold the data and store it for the country?
• Where will that data be stored, geographically speaking?
• Who’s going to take responsibility if the proverbial shit hits the fan, data management wise, and what recourse does a person have to complain to government or get restitution?

In terms of safeguarding all that identifying data, all it takes is one bad day for one crooked person to make a mockery of the system and exfiltrate all that information.

This “jumping into the digital” that we are so wont to do is why we have Comelec data exfiltrations and other security mishaps every so often. It’s also why mandatory SIM registration failed to curb scams and other bad actors.

Simply put? Why should I entrust even more of my data to the government if the people in charge have repeatedly shown they’re not prepared for the hard times with anything else other than apologies?

What can you do right now?

A Newsbytes report noted that folks can watch the online policy consultation, held on January 22, on Facebook.

Stakeholders can submit comments regarding the draft circular by emailing policy.research@dict.gov.ph or odnippsb@dict.gov.ph until January 28.

It may be a good idea to make your voice heard in this case. – Rappler.com