A Shopping Site Uses Data Privacy Act of 2012 to Protect Criminals | BlogPh.net


I support the Data Privacy Act of 2012, but not when it's quoted to protect criminals. Shopee Philippines just did that because they're willing to disclose any information about fraudulent user/s of their site. 


Republic Act 10173 – Data Privacy Act of 2012


Just a background, this policy aims to "protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth." The National Privacy Commission was then established to oversee and enforce this law. I have contacted them as well but everything is still fresh even if I'm trying to speed things up. I'm busy too so I can't really do much. 



The Shopping Site which Protects Criminals


It all started on the usual monthly routinary credit card statement check when I saw these questionable transactions:



The spending happened on a weekend when the card used was with me at all times. It's also just a free supplementary card that I don't even use much because I have my own. 

I actually rummaged through all billing statements billed to the primary account of this supplementary card and found only TWO instances when it was used. One this year and another last year since it was upgraded from one card type to another. I didn't count the older transactions prior to the upgrade because the card number has obviously changed since then. 

We contacted the bank right after discovering this, long before the paper bill is going to be mailed. They have cancelled the card and will issue a replacement but I didn't even ask for one. I would have just opted out if they asked if I want one first. But that's another story. 

I also called Shopee Ph and this is when it gets dirty.






The line of questioning alone is shamelessly geared towards victim blaming. But it becomes worse than that when they marked the case as resolved while the scammers are still out there. 

I have no idea how the Shopee reps found details about the transaction based only on the last 4 digits of the card and transaction details. Don't they have tons of transactions to check, or maybe they don't? After all, another major player still dominates the ecommerce market locally and the margin is very wide based on a report from Entrepreneur Philippines. Now there are issues with the other shopping platform as well but that's another story.

Maybe the Shopee rep didn't even search for anything and just sent me a canned response?





Based on their initial reply, they have already found the site users who have committed CC fraud even if I felt like they didn't even bother looking. What irks me is the scripted reply citing the Data Privacy Act. This went on a couple more times with the exact same excuse to conceal the culprits. 




At this point, I now believe that they indeed counter checked. After all, the email headline shows "confirmed fraud." But still, they do not want to disclose details about the scammers and resort to victim blaming instead.






One Time Passcode Sent to Old Number


Now my own CC is updated and all that but the account owner of this supplementary card in question is not. The number associated to his card is long gone. We don't even know what the cell number is and only found out through the bank. 

I tried to call those digits and got a response, "The number you have dialed is either unattended or out of coverage area." It sounds like it is active but without a signal. I thought it could still be around the house since we keep old sims but I can't find it.

In case the number has already been recycled, what are the odds of the person who owns it now to have information about the CC number as well? Very unlikely. 

I can ask the mobile network provider but I doubt if they will help me unless the National Telecommunications Commission intervenes; but I'll try what I can do. 

Update: the mobile provider customer service agent I spoke with over the phone (via their hotline) only explained the same information I already know ---that the SIM is not getting a signal. A physical store branch rep, on the other hand, said they cannot provide the history of the said number without verification due to security and privacy purposes. I also already expect that response, so why did I even bother to ask? 😂 

As for NTC, the phone numbers on their site just kept on ringing without anyone answering. One number was answered but he transferred my call. The next person gave me a number to call. It was one of the numbers I already tried to call. 😑 

The contact form doesn't seem to work too. I hope they reply via email. 





Anyway, it just frustrates me that Shopee keeps citing the Data Privacy Act to coddle criminals!






Now I don't have anything against the representatives, which is why I cut off the email with their names showing and I didn't bother responding to the surveys they send; but it's really irritating knowing how they can see the fraudsters' files but won't share it!


Philippine National Police Anti-Cybercrime Group's Response


Based on the PNP ACG's response, it seems like quoting the DPA of 2012 is quite a common deterrent they encounter when responding to similar complaints. We'll need a court order to request such information even if it looks like the respondents are committing obstruction of justice. 


Shady Sales Tactics


Because of the repetitive script by the Shopee reps, I assume that this is nothing new to them as well. The shop still earns from both seller and buyer even if the payment method used was illegally obtained. As one of the emails above states, the order was already completed. 

While the money lost here is not as high as another case posted on Facebook (a different shopping site), imagine how much it would accumulate to if there are numerous other similar disputes? 

I'll be genuinely sad if this site eventually suffers the same fate as the defunct sulit.com.ph website if they do nothing about scams within their network. 


BLINK Shopee Scam


Geesh, I've read that they may have also pocketed millions from the recent BLINK related scam. The poor kids spent thousands up to hundreds of thousands for a chance to meet and greet their Black Pink Kpop idols back in June, but were scammed. Tickets were instead given away to influencers and celebrities for free. I understand that they need to recover celebrity endorsement ad fees but how they do so makes me shake my head.


How was the Credit Card Info Obtained? 


As I've mentioned above, I only used the card in question twice. Both are through two reputable shopping malls. 

I may not be an expert in online security, but I've been working in a web-based environment for almost 10 years now so I can at least say that I am not as noob as I was when I first started in this industry. I won't fall for the scenarios (more like accusatory victim-shaming questions) they've asked/listed on the first email. 

Only one thing came to mind: their own website. I made a seller account (some time last year) in Shopee Philippines because of the positive feedback I've heard about the platform. To complete the process of registering, sellers are asked to provide financial information for verification purposes. Now I can't recall which card I have used to verify but I definitely won't use my main account for sure. 

Here's the page which states requirements to open a seller account (in case they update it):




Anyway, account deleted. Bye! 

I deleted the financial info I've provided after the seller account became active but who knows if they haven't? After all, they don't want to disclose any information collected due to RA 10173, so they will not even confirm nor deny what I'm thinking. 😛


RFID Hacking


For the sake of argument, say, hypothetically, it was obtained elsewhere such as through RFID hacking, it doesn't answer more questions that will follow suit such as if there are really cases of this locally because I haven't read any yet. But seeing how RFID blocking products sell well in shopping sites, looks like Pinoys are wary of this threat (guess I wasn't -_-). 

So who did this? I'll be paranoid to blame people nearby when we were at a certain mall on the same day the incident happened. But I do recall two suspicious girls standing closely. We were eating at that time and the bag where valuables are kept was just on the table close to those girls. I've caught their anxious gaze several times while they tinker through their phones. But hey, I could just be paranoid indeed. 

Too bad, there are probably no CCTVs to dispel or support my suspicion as this was by the bay area. I'll try my luck though. Who knows?


BPI Fraud


Another update. Looks like this is now a "thing" as I've seen several Facebook posts set to public view when I searched for "bpi fraud." A lot happened this month too (July 2019) and there are patterns --- supplementary cards that are not used online or were never even used. Shopee seems to be mentioned a lot but there's also Lazada, some random sites overseas, and even pizza. There were complaints posted on a local forum thread too (PinoyExchange) for BPI card users. Some of us are wondering if it's an inside job. The card details were collected internally through their employees. 





Data Privacy Act Non-Applicability


Yet all the drama still boils down to quoting the Data Privacy Act to conceal criminals. What do they want to prove by doing so? To be a law abiding business by protecting scammers' personal information? Are they scared that the fraudsters will sue them using this? Or they simply don't care since they made money from the transaction anyway because it was already completed. 🙄

Update: I went through the hassle of filing a notarized complaint-affidavit. I will be like the Reddit user who filed and won the complaint against Shopee through the Department of Trade and Industry (DTI). 

All that jazz actually doesn't apply based on section 19.*

SEC. 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.


Obstruction of Apprehension and Prosecution of Criminal Offenders


What's very applicable is Presidential Decree No. 1829.*

(b) altering, destroying, suppressing or concealing any paper, record, document, or object, with intent to impair its verity, authenticity, legibility, availability, or admissibility as evidence in any investigation of or official proceedings in, criminal cases, or to be used in the investigation of, or official proceedings in, criminal cases;

(c) harboring or concealing, or facilitating the escape of, any person he knows, or has reasonable ground to believe or suspect, has committed any offense under existing penal laws in order to prevent his arrest prosecution and conviction;


Stressed Out


I'm stressed out and can't sleep well since this dramarama started. My personal life is also affected. I ended up in a hospital just 2 nights after with 3k bill. 😑 I'm too ashamed to share the details. 

In the end, I'm nothing but a nobody and this case will quite possibly be collecting dust soon enough just like all other posts about their scam online including that BLINK scam (I've read they were only penalized by 300k by the Department of Trade and Industry); but I will still do what I can, even if it seems futile. 

Disputed Transactions Reversed


Another update. The disputed transactions were reversed by the bank, one month after, right before this month's statement was released. 




I'm not sure if they're just swamped with too many similar issues lately because one of their CSRs said it normally takes 5 business days to resolve cases like this, but another forum-er with the same issue waited for about a month too. I don't know if it helped that we threatened to cancel every account, complete with the drama that losing us won't matter to their billion revenue anyway. 😂

Now, what to do with Shopee? I'm inclined to just let the bank deal with collecting what they ought to from that site and the latter to run after their own members to retrieve the funds back. After all, the NPC replied (also about a month after) and I have to start from scratch because I didn't fill up the form during the initial email. -_- We'll see. 

*
https://www.privacy.gov.ph/data-privacy-act/#19
https://www.officialgazette.gov.ph/1981/01/16/presidential-decree-no-1829-s-1981/