The Long View: eGov PH: Super app or Trojan horse?


05:13 AM December 17, 2025
 

It’s Christmas time, and my family and I are due to use the eGov PH app again. Normally, I’d do so cheerfully. This time around, I can’t help but feel somewhat nervous. We’re all familiar with eGov PH; the President considers it a hallmark of his administration: “I am bringing government services right to the fingertips of every Filipino. Through the eGov Super App and digital ID systems, everyday transactions are now faster and more accessible than ever before.” There’s obviously a lot more the app is supposed to do, and now it has an embedded local government unit-specific feature known as eLGU.

When travel resumed as the pandemic began to subside, a perennial source of inconvenience and frustration was government requirements involving uploading proof of vaccination using QR codes. When the eGov app was rolled out, I expected a fresh round of horror stories, but as I’ve told friends and family alike, I’ve been pleasantly surprised because the app simply works. Coming and going, I can prepare and submit immigration and customs submissions (and more recently, pay travel tax) easily, and it stores your records for retrieval next time. That makes me (and my family) part of the estimated 14 million users of the app. It has our photos, our government records, and other personal data.

My attention was drawn to reports of a double-barreled inquiry into the Department of Information and Communications Technology (DICT), eGov, and their officials. The first article was on Nov. 19, reporting concerns over “eGov’s risk to users: No contracts, unclear data breach liabilities.” “The system collecting all that information has been rolled out across the country without the basic agreements that spell out who is responsible for protecting your data,” the report said. This was revealed by a DICT internal audit, which discovered that the eLGU platform of the app “is operating without signed contracts between the DICT and local governments.” The contracts “normally define who secures the data, who reports breaches, and who the public can hold accountable,” and in their absence, should something go wrong, it’s not clear who could be held to account.

To be precise, as of the time the audit was held, 48 percent of LGUs had complete agreements; the rest had none or only partial compliance. The reason there aren’t any contracts is that contracts are a form of red tape, and the missing half of LGUs with no memorandums of agreement or memorandums of understanding had theirs dispensed on the basis of the Ease of Doing Business law, which DICT Undersecretary for E-Government David Almirol Jr. said mandated his department to deploy the system rapidly.

On the same day—Nov. 19—that a news website first took a look at eGov PH’s security, the South Korean e-commerce giant Coupang disclosed it had experienced a security breach; the next day, it also announced there had been a personal data leak involving the data of possibly 34 million customers. What the South Korean government did next provides a useful benchmark for evaluating our domestic equivalents. It immediately set up an onsite investigation; this was elevated by activating a joint public-private investigation team to determine whether “Coupang violated its obligations to implement adequate safeguards, including access control, authorization management, and encryption,” on Nov. 30. That same day, an emergency meeting was convened by the deputy prime minister who happens to also be minister of science and ICT. The day before, Nov. 29, the government issued a nationwide security alert and kicked off a three-month period of strengthened monitoring “for the unintended or unauthorized exposure of personal data online, including on the dark web.” Here, an investigation would fail on Day 1: “We don’t know who is accountable for security.”

It turns out there seem to have been three internal audits in the DICT, two of which involved–well, see the next story, on Dec. 8, which was “Conflict of interest? Audit questions the DICT usec’s ties to former company Multisys,” which looked into Almirol, the man credited by the President (as reported by this paper) as “the one who personally wrote the app’s code and knows it inside and out.” Almirol ended up with his own department conducting inquiries into the possibility of a conflict of interest involving one of DICT’s suppliers, PLDT, which had bought a company that Almirol used to head.

So many internal audits suggest an uneasy leadership, which has to approve such investigations. But DICT Secretary Henry Aguda has shown no sign of acting to either remove Almirol or clear him. Anyone familiar with Palace reindeer games knows that investigations are useless if the President likes the one under investigation. But here’s what the stories suggest: there are legitimate privacy and accountability concerns over eGov PH; South Korea tells us how serious it would be if a data breach were to happen. If it happens now, the one who will be held to account by the President and the public alike will be Aguda.

Manuel L. Quezon III.
