With the surge in scams, is SIM registration the cure?

In response to the persistent threat of text scams and mobile-based fraud in the Philippines, the government enacted Republic Act 11934 or the SIM Registration Act in October 2022. Hailed as a solution to growing digital crimes, the law requires subscribers to register their SIM cards using personal identification—a landmark move in shifting the country’s approach to telecommunications regulation.

After a seven-month mandatory listing period, nearly 114 million SIM cards were registered, surpassing the 100 to 110 million target set by the Department of Information and Technology (DICT). Yet, behind this impressive figure lies a troubling reality: scammers and fraudulent entities continue to exploit loopholes in the system, exposing the complexities of addressing digital crime in an interconnected world. 

Superficial protocols

Mary Grace Mirandilla-Santos, an independent information communications technology policy researcher, criticizes the SIM Registration Act for its lack of robust data validation mechanisms. She adds that implementing a proper verification system would demand substantial budget and manpower, which the law does not provide. Instead, this responsibility is often outsourced to third-party companies, including foreign entities like China and Japan.

Kim Cantillas, chairperson of the Computer Professionals’ Union, warns of the potential misuse or leakage of data submitted during registration. She highlights that in the initial phase of registration, telecommunication companies included tick boxes, allowing them to use data for purposes beyond SIM registration. Although these were later removed following public backlash, Cantillas still points out the lingering risks of data exploitation. “Now that there aren’t as many eyes monitoring SIM registration, who’s to say they [aren’t] using our data for other purposes?”

Mirandilla-Santos further emphasizes that the law has failed to prevent entities involved in illegal activities from registering large numbers of SIM cards using fake identification documents. In contrast, the ban on Philippine Offshore Gaming Operators has been effective in reducing text scams, as observed by the Department of Justice, the Philippine National Police Anti-Cybercrime Group, and the DICT.

Escalating risks

Apart from its questionable effectiveness in deterring scams and cybercrimes, the SIM Registration Act has inadvertently introduced significant risks to subscribers’ privacy and cybersecurity.

Cantillas cautions that SIM registration creates a false sense of security, masking deeper flaws in the system. She cites a report by the Global Anti-Scam Alliance, which estimates that the Philippines suffered losses of around P460 billion this year, showing the persistent prevalence of fraudulent activities. The centralized storage of personal information further heightens the risk of breaches, turning these repositories into prime targets for cyberattacks.

Mirandilla-Santos elaborates on the dangers of compromised subscriber data, emphasizing that it can be weaponized for identity theft, fraud, or even crimes involving “spoofed” mobile numbers—those that disguise their true identity on the recipient’s caller ID for malicious intentions. Compounding the existing challenges, the government lacks the necessary resources to safeguard the massive amounts of data collected and manage the fallout of a potential cyberattack.

Interconnected hidden dangers

The Philippines is not the only country to implement SIM card registration laws, and global experiences reveal their potential pitfalls. In Pakistan, black markets for unregistered SIM cards have emerged, accompanied by a rise in identity fraud. Mexico eventually repealed its mandate in 2012, citing its ineffectiveness. Meanwhile, Indonesia experienced a massive data leak involving 1.3 billion records from SIM card registrations before abandoning the policy after three years of implementation, acknowledging its inability to curb crime.

Scams continue to thrive even in more developed nations. In Singapore, cases of deepfake-driven identity fraud surged by 207 percent in 2024, with scammers impersonating government officials or bank representatives to steal personal information. Similarly, Dubai faced a high-profile incident where deepfake technology was used to mimic the voice of an Indian billionaire to request a large money transfer.

Other countries have faced problems such as SIM trading, cloning, spoofing, and theft of phones for their SIM cards. The European Commission also found that SIM card registration has not proven beneficial for criminal investigations across its member states. These challenges serve as a cautionary tale, urging the Philippines to adopt a more comprehensive and effective cybersecurity strategy.

Rethinking SIM registration

While the SIM Registration Act seeks to tackle mobile-based scams and enhance public security, its shortcomings have sparked concerns about its effectiveness and necessity. Regulatory measures alone cannot dismantle the complex ecosystem of cybercrimes, which demands a more holistic and comprehensive approach. 

Efforts from both the public and private sectors—such as BPI’s “Maging Listo, Wag Magpaloko” PSA campaigns, Smart’s #BeCyberSmart program, Maya’s #ScamPatrol, and government campaigns like Be Wais at Magduda—emphasize the importance of improving verification systems, promoting anti-scam education, and strengthening public-private partnerships. Only through these sustained, collective efforts can the country adapt to the evolving threats of cybercrime and build a safer digital ecosystem.

By Ibrahim Kahil

By Rachel Manlapig