Picking up where I left off six years ago.

It's time to dust off this blog and start writing again. I miss the blogs of old, where people would shared the trivia of their lives. Privacy has made us more aware of how we should be careful of what we share publicly. This is a good thing, in my opinion. And yet I also feel sad because this has led to a significant loss in the way we relate to each other online. The sharing is now done in social media platforms, where--unfortunately--we are all aspects of our online selves are monetized.

I missed writing about the minutiae of my life. I miss having a place where I could document my thoughts. If writing helps you make sense of your thoughts and understand the world, then not writing points to a poverty of your inner life. Isn't that sad?

Funemployment?

Today is the first working day that I am without a job. A regular job, that is. Today, I find myself hanging out at this parking building in Bonifacio Global City. I am paying P50 so that I can occupy this space for the next three hours. After that, I will need to pay P50 per hour. Just a few days ago, I would have felt a tinge of annoyance but would probably have just said, “fuck it” and resolved to keep my car here. Now that I am not sure of where money will be coming from, I am in pain at the thought of paying P50 hourly for a 2x3 sqm space. Haha. How the mighty have fallen!

(That said, I am now realizing just how much money I wasted by not caring about these things before.)

"Writers are always selling somebody out." "Slouching Towards Bethlehem: Essays" by Joan Didion

"Writers are always selling somebody out." "Slouching Towards Bethlehem: Essays" by Joan Didion

Getting to “yes” (designing the framework for data subject’s consent)

Currently reading up on the GDPR, in particular on how consent from the data subject may be obtained via a website or app. Based on the opinion of experts (I am basing the conclusion on the fact that they have IAPP certifications, so their “expertise” is qualified by that fact), it seems that a note saying “By clicking the link, you consent to the collection and processing of your information” might not be enough. It appears that consent under the GDPR requires an affirmative action. Expert opinion is that there should be a separate button or clickable element through which the user can explicitly signify consent. Just the “enter” or “continue to content” or similar would not suffice.

I am thinking back to our project team discussions the past few months and this really reinforces my realization that you cannot comply with the Data Privacy Act by just making adjustments at the end of app development. The best approach is via privacy by design. Read more about it here: https://en.wikipedia.org/wiki/Privacy_by_design

Have you been to the National Privacy Commission’s website lately? If you haven’t, you’d be pleasantly surprised to know that the NPC has revamped its website. It is now so much easier to get practical and usable information on how to comply with the Date Privacy Act (DPA).

NPC officials have been going around the country, conducting road shows for government, local government, and private corporations, encouraging everyone to comply with the DPA. This is important and gruelling work but it’s not like the NPC has a choice in the matter. After all, once September 9, 2017 comes, it’s all systems go for compliance with the DPA. The NPC will not be able to reach every corner of the country before the deadline comes, so the website will be a big help in guiding people on what to do.

The NPC has created such a useful guide that you may be tempted to ask: do we really need to engage a lawyer to help us get ready for compliance? My answer is a definite yes. 

While the requirements may now be a bit easier to understand, everyone will still have to anticipate the ramifications of the law and its impact on their operations. The way each company does business is different and so a template Privacy Policy will not work for everyone. Also, while a company may have succeeded in designating an officer with sufficient knowledge of the DPA as the Data Protection Officer, a lawyer would still serve as an invaluable guide for the DPO and Management. Remember that even template contracts with service providers and other third parties within whom the company may be sharing data will have to be reviewed. This is not only to comply with the DPA but, more importantly, to ensure that the company’s ass is sufficiently covered in case it becomes the subject of a security incident or a data breach.

I will also stress the importance of looking at the background of your lawyer. Not all lawyers will be familiar with the DPA and data privacy principles in general. After all, you don’t want to be following the lead of the pied piper.

So write your story as it needs to be written. Write it ­honestly, and tell it as best you can. I’m not sure that there are any other rules. Not ones that matter.

Neil Gaiman

Emerging online issues

This is the text of a presentation I did on emerging online issues in November 2016 at the Internet Rights and Principles workshop organized by Internet Society and Foundation for Media Alternatives.

Here a link to the presentation.

Privacy and Protection of Personal Data

1.    Informed Consent

a.     “Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.

b.    Does anyone read the Terms and Conditions of websites, apps, etc?

c.     Can there be informed consent if you cannot understand what you are consenting to?

d.    Who should be responsible for making the public understand? These are actually contracts of adhesion and, under the law, any unclear provision will be taken against the party drafting it.

2.     Transfers of personal data

a.     Hey Kuya is an SMS- and online-based application platform that provides service in a form of virtual personal assistant that caters people’s demands by using third party providers of various services.

b.    Sometime this year, I tried signing up for the service. They ask you to enter your SMS as well as your email address. I got a message saying that there were a lot of pending registrations so I need to wait to get my activation code.

c.     The activation never came.

d.    Instead, on 17 November 2016, I received an email from Shahab Shabibi, who introduced himself as the founder and CEO. He said that HeyKuya was acquired by the YesBoss Group of Indonesia in March 2016. The new owner has decided to cease operations of HeyKuya here in the Philippines as they get ready to march towards building an Artificial Intelligence platform using the data provided by HeyKuya.

e.     I don’t remember consenting to the use of my data elsewhere so I checked the website of HeyKuya but it was no longer up. Good thing Google had cached a copy of the page.

f.      Here’s what the page says under Data Protection: “HeyKuya shall not provide or sell the personal data of its users to any third parties, unless such data is required to fulfill user demand.”

Harassment Online

Sen. Risa Hontiveros filed SB No. 1251 on Gender-Based Electronic Violence

a.     Definition of GBEV: “acts involving use of any form of information and communications technology which causes or is likely to cause mental, emotional or psychological distress or suffering to the female victim or lesbian, gay, bisexual, transgender, queer (LGBTQ) victim, and tending to disparage the dignity and personhood of the same on account of his or her gender.”

b.    Offenses penalized:

i.     Unauthorized recording, reproduction or distribution of videos showing the victim's naked or undergarment-clad genitals, pubic area, buttocks or breasts

ii.     Uploading or sharing without the consent of the victim any form of media that contain pictures, voice, or video of the victim with lewd, indecent, obscene or sexual content

iii.     Harassing or threatening the victim through text messaging, obscene, misogynistic, homophobic or indecent posts in social media sites, or other cyber, electronic or multimedia means

iv.     Cyber-stalking which includes, but not limited to, the hacking of personal accounts on social networking sites, the use of location trackers on cellular devices

v.     Unauthorized use of the victim's picture, video, voice, name, or any other aspect of the victim's identity and distributing the same in any video game, phone application, program and the like, which deliberately exposes the victim to harassment and attack and puts or tends to put the victim in a bad light or injure the victim's reputation

c.     Penalties: a jail term of 5 to 10 years for offenders, or a fine of P100,000 to P500,000, or both.

Intermediary Liability

Rep. Antonio Teves filed House Bill 4093, which pushes for “mandatory authentication process for all social media and other similar online accounts enjoyed by users in the country.”

a.     The Cybercrime Act has not curbed cyberbullying and harassment... The Cybercrime Act does not address the issues of traceability and accountability that should be inherent in social media accounts from the point of registration.”

b.    But it also mandates: “all persons shall be required to possess any valid IDs issued by the government and/or barangay certificates issued by barangay authorities”

Done with two weeks of BBG so far. I know it's early days yet but I haven't really seen any improvement at all. A bit nervous about whether this thing will work for me. I am supposed to take a progress shot in two weeks. What is there is no progress? Sigh.

If this lola can complete the #BBG, I sure as heck can do it too.

Done with Week 2, Day 2 on the dining room floor. And I had Georgie try to help me out.

Catching my breath. Hooooooo. Did circuit #2 of Week 2, Day 1 today after failing to finish it yesterday. I am TIRED. Wow. 11 weeks and 2 days to go.

My gym last night. Just realized that I did BBG Week One wrong. Hahaha. I was supposed to do each circuit TWICE. No wonder I thought it wasn't too difficult. Hahaha. And I didn't also do the LISS in between the resistance days. Ugh. So I had a really hard time of it last night. I didn't finish the second circuit so I will try to finish everything today. (Also, I think I need a gym to do the stuff I'm supposed to do. It was awkward huffing and puffing with all those people walking past me.)

It’s a WOW!

Today's awesome discovery: There are a lot of air fryer recipes on YouTube. 

I cut my hair!

Today is gonna be great.

I can feel it. After procrastinating in bed, finally got up at 6:15am, did #bbg week one, day 3 (the full body workout), ate a hearty breakfast of pig knuckles, and now at Hyundai having my car looked at. It's just 8:00am! After this, I am off to Pat's salon. Maybe I'll have my long curly hair chopped off. My hair has gone dry months after the perm. Remind me never to get permanent curls again. Please.

Another #fail day. I was planning to do Day 2 today after missing it due to cramps yesterday. Body still in a bit of pain though so I will have to postpone it to tomorrow. Fingers-crossed I finally will be feeling up for it.