Duterte vetoes surveillance law in the Philippines, protects his troll farms

Caitlin Thompson


Last Friday, Philippine President Rodrigo Duterte decided to veto a bill that would have required Filipinos to present valid ID when buying a mobile SIM card, citing concerns about “dangerous state intrusion and surveillance” that could threaten people’s rights.

This is pretty rich coming from Duterte, whose government has digitized and weaponized mass surveillance tools at an impressive scale. What’s really going on here?

Bills like this have been adopted in more than 150 countries from Bangladesh to Tajikistan. They’re often rolled out under the guise of preventing crimes committed via mobile phone, like fraud or extortion. But they also lead to the creation of huge troves of personal data that governments can use for all kinds of things, absent strong data protection laws. Rules like this also can have grave consequences for free speech and the rights of marginalized groups, who need to preserve their privacy in order to communicate and work safely.

But this one had a special twist that experts suspect is the real reason behind Duterte’s veto. Language added to the bill shortly before it reached the president’s desk would have required people to use their real names and phone numbers when setting up social media accounts, in an effort to crack down on trolls, bots and other fraudulent activity online.

This week, I spoke with Jamael Jacob, a legal and policy advisor at the Philippines-based Foundation for Media Alternatives, about Duterte’s surprise move, and the bill’s broader implications for the country. Our conversation has been edited for length and clarity.

Duterte’s administration has a well-documented history of using bots and trolls on social media. Do you think that’s related to why he vetoed the bill?

Yes. In fact, it’s the only reason we — civil society members who have consistently opposed the measure — can think of that would explain this most unexpected outcome.

Apart from the administration’s use of bots and trolls (which dates back to the 2016 election period), the President’s disdain for human rights and advocates is also well-known. To now champion them all of a sudden and rail against unwarranted state intrusion and surveillance is suspicious and uncharacteristic, at best.

Tell us about the bill. How did the SIM Card Registration Law come about in the Philippines, and what was the justification for it?  

The bill is the consolidated version of several proposals from the Philippine Congress. This is the first time it has actually reached the Office of the President.

In the earlier attempts, proponents linked the policy to bombing incidents. In the wake of a bombing attack, where the explosive was supposedly triggered remotely using a mobile phone, they would claim that if only such a law existed, the authorities would be able to apprehend whoever was behind it. They fail to explain, though, how exactly they will manage to do that with the help of a SIM card registry. In recent years, the narrative has shifted to fraud. Supporters would now say that a SIM card registration policy would essentially eradicate credit card fraud and online scams.

Yet proponents always stop short of explaining how exactly existing SIM card registration policies have helped other countries curb crimes.

The proposed law also requires people to use their real names when setting up social media accounts. What’s that about? 

The latest version of the bill only made things worse by adding a social media registration component. They say it is meant to address problems like trolling and online libel, by either discouraging people from engaging in such activities, or by allowing law enforcement authorities to run after those committing them.

This insertion was rushed, and it’s readily apparent given the bill’s failure to provide details to guide its implementation. It gives the implementing agency too much discretion. This is a perfect recipe for government abuse and confusion among those expected to comply with the law. 

What were your concerns about the bill?

First, its effectiveness has not been adequately proven [in other countries]. All the problems it is supposed to solve still exist in those countries where a SIM card registration law is already in place. 

Second, it would facilitate more effective state surveillance. It prevents anonymity in communications which is essential for journalists, whistleblowers or victims of abuse and harassment. It curtails free speech by discouraging criticisms of the government. 

Third, it is a logistical nightmare. [People will] need to register and constantly update their registration records. This could disenfranchise those living in far-flung areas and those with strained financial resources.

Fourth, it introduces yet another massive state-managed database, which, given the Philippine government’s history, immediately becomes a security liability that puts the personal data of millions of Filipinos at risk.

Can you put this into context in terms of digital privacy and free speech in the Philippines more broadly? 

Here in the Philippines, privacy and data protection are still seen as deserving less consideration compared to other human rights. For the government, it is also more convenient to set aside allegations of unwarranted surveillance simply by referencing public safety, national security or public interest. This is exactly what happened with SIM card registration.

[In contrast to privacy] free speech is more vigorously defended by rights advocates, but it remains under constant attack through the weaponization of the country’s libel laws. 

This current state of affairs makes opposing deeply flawed policies at their inception all the more important, since such laws are exponentially more difficult to challenge and defend against once they are in place. The odds are usually stacked against victims and human rights defenders.

The Philippines is in election season right now, with the presidential vote taking place May 9. So what happens to the bill now? Is this the end?

There are only two ways forward for this bill. Congress may choose to overturn the presidential veto. However, Congress has rarely gone against the wishes of President Duterte these past six years. There have been no signs that they are willing to buck that trend any time soon.

If it’s not that, the proponents of this bill will have to file it again in the next Congress, which starts in July 2022. That means it will have to go through the entire legislative process once again. It will be impossible to predict how it will fare, considering that there will likely be many new faces in Congress and a new President.


Spyware goes way beyond Pegasus: A reminder from Trinidad and Tobago. The Trinidad Express recently reported on allegations that the Caribbean country’s police bought Israeli NSO Group’s infamous Pegasus spyware. But as is so often the case, figuring out exactly what tech governments are buying and who is selling it to them is challenging. According to Haaretz, it might have been a totally different Israeli firm called Cytrox. That firm has a tool very similar to Pegasus called Predator, and a 2021 Citizen Lab report found that links used to infect a phone with Predator were based in Trinidad and Tobago. Just goes to show that the spyware industry is vast and murky.  

State-sponsored hackers are exploiting the war in Ukraine to capture targets in Nicaragua, Venezuela, Saudi Arabia and Pakistan, according to research from Check Point, a cyber threat intelligence firm. Malicious actors are using mentions of the war in phishing emails to lure people in key energy, financial and governmental sectors into opening them. An Iranian hacking group, for example, sent an email to Israeli energy companies with a link to an article on alleged Russian war crimes in Ukraine. If someone opened that link, their device was infected with malware.

Surveillance is in fashion. The luxury brand Louis Vuitton is being sued in Illinois under the state’s Biometric Information Privacy Act. According to the lawsuit, the company’s virtual “try it on feature” collects and stores customers’ facial scans without telling them or asking their permission. I’ve written about BIPA in this newsletter before. But I’ll be honest, this one confuses me. BIPA doesn’t prohibit companies from collecting people’s biometric data — it just requires them to inform consumers and get their consent before doing so. This seems like a very easy fix — what’s so hard about that, Louis?


  • Now we know how Ukrainians are using Clearview AI. Ukrainians are using facial recognition tech to identify dead Russian soldiers and tell their families in hopes of sparking dissent in Russia. When Clearview first gave Ukraine access to its tech for free, I wrote about the precedent it sets for facial recognition in a war zone. 
  • Immigration activists have filed a lawsuit against the U.S. Immigration and Customs Enforcement (ICE) agency, demanding information on ICE’s “Alternatives to Detention” program, which targets migrants with surveillance via facial recognition and GPS monitoring bracelets while they await immigration proceedings. If you want more on immigration surveillance, I highly recommend my colleague Erica Hellerstein’s deep-dive into the matrix of surveillance tech on the U.S.-Mexico border. 
  • I am painfully aware that I’m using Google Chrome right now after reading this comic strip that lays out how Chrome is tracking everything we do using the tool. “All facets of your life are scrupulously collected, analyzed and assembled into an intimate profile: a data text that aims to describe what makes you you,” wrote the creator Leah Elliott, an artist and digital rights activist.