One Big Pitfall of the SIM Registration Law

In its current implementation, the SIM Registration Law has failed.

The SIM Registration Law was meant to combat a lot of SMS spam that was circulating in previous years. During its peak back then, I received multiple spam and phishing texts daily. Now, a year later, I still get spam. So what happened?

The Pandemic Connection

Looking at this closer now, this storm started during the pandemic. During the early parts of it, there was disarray on how to manage people needing to buy supplies. We needed to record our data on little sheets of paper before we were allowed to go inside stores. These sheets of paper accumulated daily and turned into honeypots of personal info.

There are rules for handling these data as dictated by the Data Privacy Act. The law says that any personal info should be disposed of properly after use. But since this wasn’t followed, imagine landfills of literal data just filling up. It was an explosion waiting to happen.

Eventually, LGUs became better at getting this info from people digitally, by using apps and QR codes, but the problem didn’t go away.

What is KYC?

Before I go further, I need to explain what KYC is. KYC is short for “Know-Your-Customer” and is the act of getting the personal info of a user or customer. When you register for a service or anything (in real life or online), you need to fill out a form with your info. This is KYC in action.

For processors of KYC info, the Data Privacy Act has strict rules on how to handle these data — first is to prevent breaches and use of these for criminal purposes, and second is to use these data for services provided (with the consent of the user/customer).

In short, nowadays before you can use a service, you would always go through KYC first.

Pitfalls of KYC with SIM Registration

The SIM Registration Law mandates telecom companies to do KYC for all SIM owners. This would allow government agencies to have more actionable info when trying to investigate crime (for example through a subpoena).

But there’s no mention in the law or even in the implementing rules and regulations of how to handle data that is falsely inputted. There were news reports that a lot of input data was fake, for example, using animal pictures like monkey faces as uploaded selfies. They forgot the principle of garbage-in, garbage-out.

Any validation of KYC data is a huge expense for companies as they require the data to exactly match the user/customer. You need accurate data to perform your services and to not break other laws. Banks cannot open accounts or provide loans without a background check. Online stores cannot sell liquor or cigarettes to minors. Online gambling sites are not available to minors and government employees.

On top of this, you also need to take into account the fluidity of personal data. Data is hardly static. Names can change, as well as all other personal data. And any change needs validation. You need proof that the data is true, using other sources that can be verified.

The NTC has reportedly created a memorandum order that requires “live selfies” to be implemented. Live selfies need a video to be taken, and this will make validation more complicated than normal photos. As of Jan 2024, there is still no such order listed on their site.

To implement the “live selfies” rule, you would need all registered SIM owners to essentially, re-do the registration. But without doing the KYC validation requirement, it’s a stopgap at best. We don’t even know how “dirty” our data is. How can we trust the data? Every day thousands of people register new SIMs.

At the end of the day, telecom companies only followed the law to the letter because there is no monetary incentive to validate the SIM owner data. Telecom companies need only the mobile number to sell their services. They do not need any other data. Implementing this law is a revenue loss for them.

How do Other Countries Fight Spam?

I’ve checked other SIM Registration Laws in other countries, and some are more restrictive. Some countries limit SIM cards, and others also track the IMEI (i.e., the devices that use the SIMs). Some also penalize putting in false info (which also mandates operators to validate KYC).

In the US, the FCC and the FTC implement a no-call registry to combat spam calls (which they call “robocalls”) and they regulate operators by mandating knowing where the call came from. Essentially this also requires the operators to validate KYC.

How to Stop Text Spam

Realistically, the best solution that the NTC can do is to force KYC validations and have regulations that also mandate validating the source of the text spam. In its current state, the SIM Registration Law’s implementation has failed because it does not adequately address these.

In a perfect world, the Philippines would have the national ID data centralized into a nationwide database, and all of the SIM KYC data could be linked to that. In this scenario, there would be a monetary incentive for telecom companies to do this as all of our data are linked together.

When you have this huge database shareable to everyone, it opens up a lot of opportunities. Stores know what you always buy. Deliveries don’t need to ask for your address. Payments or even contracts can be made using biometrics (face scan, fingerprint, etc). Medical check-ups are easier as any doctor can pull up your information. Job hunting is easier.

Misuse of this power is also a given. Censorship. Big Brother. But hey, we can stop spam.

---