Cybercrimes and Cybersecurity in the MCPIF

This is the prepared text from a democracy.net.ph forum on MCPIF: Downloadable presentation

The Magna Carta for Philippine Internet Freedom (#MCPIF) is complex, and yet has gained so much support locally, and internationally, most notably, the Electronic Frontier Foundation wrote a brief analysis of the MCPIF.

The MCPIF is complex, precisely because it deals with so many interrelated issues. We can not talk about Rights and Freedoms, without a firm discussion of Crimes, and security, and neither— do the governance and development aspects work too without the Rights framework. They all form an ecosystem. How can one reconcile Rights and Cybercrimes and Cybersecurity? Security and Rights— some argue are polar opposites. In the MCPIF, we drew a balance between those issues. In fact, it is that balancing act that in my humble opinion that matters.

The cybersecurity aspect is a bit more complicated. Complicated in the sense that normal people can’t even imagine the dangers we are all facing. How could you, when you don’t live and breathe this stuff?

Take this for example. This is a visualization of a Distributed Denial of Service attack on one of my servers.
You hear about hacking, and DDoS in the news or how Cyberwar happens. It all seems Hollywoodish. All seem so incredible. This is a 10-second, visualization of an attack on one of my servers. This is just the tip of the iceberg. Just one of very minor skirmish being waged on the Internet.

That’s not all. While the Internet is a beautiful place. And like the real world, it does have the seedier side to it. There is an underground economy where ATMs, Credit Cards are being traded. Places were drugs flow, Hacking tools are available.

BlackMarket

Black Market, Silk Road these are the names and places you only hear in whispers. They use the same legitimate tools many journalist rely on to converse privately with sources. To access Darknet you need to be far more savvy than the ordinary Internet user.

nation states are arming

That’s not all. There is the militarization of cyberspace. Nation-states are arming. They are developing defenses. They are writing offensive weapons. Malware that can control the battlefield in the real world. Cyberwar is going to be what the Air War and espionage is to current military doctrine.

non-state actors

The very nature of the Internet— the leveling of the playing field makes non-state actors— groups like Anonymous, or terror organizations or extremist groups can buy, steal or utilize capacity to make war or crime. In fact the biggest CyberWar to date was between two Corporations— CyberBunker, a webhost, and Spamhaus, an anti-spam business, which launched Denial of Service Attacks on each other.

LOIC screenshot

You see the tools of attack are fairly easy to acquire. This (above) is a screenshot of the Low Orbit Ion Cannon. It is a common tool tool used by hacktivists, and Anonymous. This one is so for dummies that others can remote control it using RSS to launch an attack. So you don’t really need to participate. Only your computer does. It is so easily acquired that to find it online, all you need is to Google it.

This is just one many ways to cause mayhem on the Internet.

The whole point why I wanted to show you this darker side of the Internet is to show you why we need legal frameworks to help prevent cybercrimes, enact cybersecurity, and cyberdefense.

How does the MCPIF fight cybercrime?

How do we fight Distributed Denial of Attacks? How do we fight malware? How do we fight trojan horses?

There are two ways we defined this under the MCPIF.

First, we defined this as direct network sabotage. This means that Denial of Service attacks is a crime. So yes, if you’re a member of anonymous, you are committing a crime when you launch a DDoS attack. A denial of service attack means you flood a target server with requests until legitimate requests can not be served.

Why did we do it this way?

There are two schools of thought about this. There are research papers on the web on this.

First, there is the hacktivist point of view. Meaning, DDoS is an act of protest. Second is this. If the Internet is an open network, then by degrading other people’s use of the Internet, you go against the very principle of the open network when you deny another person access. Picture three people having a conversation. Person A is yelling at Person B at yammering speed. Person C, can’t talk to Person B because Person B is being bombarded with Person A’s loud voice, so Person C’s right to be heard is blocked as well.

Why did we not recognize DDoS hacktivism? DDoS isn’t just used for protest. Sometimes there is that intent. There are other more nefarious uses. It is used to mask stealing data. It is used between corporate entities. And of course, DDoS goes aginst the principle of the open network. It would be the equivalent of giving an AK-47 to a thirteen year old.

Molly Sauter wrote in her thesis on Distributed Denial of Service Attack actions and the study of civil disobedience on the Internet:

“Activist DDOS actions started as an exploration into the activist potential of the internet by activists experienced in “on the streets” activism. In its modern incarnation, activist DDOS is practiced mainly by fringe actors, who consider the online space a primary zone of interaction, socialization, and political action.”

We follow this same line of thinking by explicitly marking DDoS as a crime.

We didn’t limit what constitute network sabotage to just that. It includes “the physical destruction of devices, equipment, physical plant, or telecommunications cables including cable TV transmission lines and other transmission media, or through other means, except if the stoppage or degradation has been done in the normal course of work or business by a person authorized to stop, modify, or otherwise control network operations of the other person.”

We also defined indirect network sabotage. What does this mean? “it shall be unlawful for any person to install, infect, implant, or otherwise put in a device, equipment, network, or physical plant any means of performing stoppage, degradation, or modification of Internet or network operations, or data or information processing, such as but not limited to bots, or to interconnect, establish, or otherwise create a network of software, devices, equipment, or physical plants with the means of performing stoppage, degradation, or modification of Internet or network operations, or data or information processing, such as but not limited to botnets, except if the installation or interconnection has been done in the normal course of work or business by a person authorized to stop, modify, or otherwise control network operations or data or information processing of the network.”

So virus making, malware are illegal. Under the Rights section of the MCPIF, we reiterated a broad spectrum of rights. In fact, in some cases, we gave it a bit more like guaranteeing people’s rights to Jailbreak devices, or the equal protection of Network Neutrality. It doesn’t mean that while society should be open to jailbreaks, and and such, it doesn’t mean that crimes should be perpetuated on others. It is great to thinker, bad to do mayhem. This is the thinking of this section of the MCPIF.

Data privacy

Under the MCPIF, Data is sacrosanct. ISPs can’t look into your data.

Section 45, Violation of Data Privacy says:

“It shall be unlawful for any person to intentionally access data, networks, storage media where data is stored, equipment through which networks are run or maintained, the physical plant where the data or network equipment is housed, without authority granted by the Internet service provider, telecommunications entity, or other such person providing Internet or data services having possession or control of the data or network, or to intentionally access intellectual property published on the Internet or on other networks without the consent of the person having ownership, possession, or control of the intellectual property, or without legal grounds, even if access is performed without malice.”

In fact, the MCPIF goes further. Section 44 of the MCPIF punishes ISPs for failing to provide reasonable security for Data and networks:

“It shall be unlawful for any Internet service provider, telecommunications entity, or other such person providing Internet or data services to intentionally or unintentionally fail to provide appropriate levels of security for data, networks, storage media where data is stored, equipment through which networks are run or maintained, or the physical plant where the data or network equipment is housed.”

What if my friend shared something I shared only with her Facebook?
Communication is privileged under the MCPIF. The typical scenario is this. We talk to a group of our friends. We share within that community. It is a private conversation between friends. What happens when something from that conversation is spread outside the network?

Section 45 (d) of the MCPIF says:

“It shall be unlawful for any authorized person to intentionally disclose or cause the disclosure to a third party or to the public any private data being transmitted through the Internet or through public networks, or any data being transmitted through private networks, without legal grounds, even if the disclosure was done without malice.”

The same can be said if a husband wanted to share a private photo of his wife, but the wife does not want it public.

We didn’t stray from the Data Privacy act. We hold data to be sacrosanct. If I store email on my ISP’s servers, they aren’t legally able to access it. The data is mine. The service is their’s but the data is mine. So failure to provide levels of security is a penalty.

With regard to data security, we punish data, networks or storage of data. So if you suddenly guessed someone’s Facebook password, that’s a crime. To crack it— the modification of that hacked data is also a crime.

Phishing is also a crime. Fraud and Child pornography is a crime.

Prostitution online

With regard to prostitution. It is illegal to use devices, the internet for “the purpose of enabling the exchange of money or consideration for services of a sexual or lascivious nature, or facilitating the performance of such services”. We made it so it wouldn’t be an overreach. We specified, “Provided, the services shall be performed by one or more unwilling third-party adults under threat or duress.”

More crimes
Cybersquatting is illegal.

Piracy under the MCPIF is unlawful for any person to publish, reproduce, with intent to profit— emphasis on intent to profit on the Internet or through technology code, software or content he doesn’t have ownership over.
Which means, sharing is Okay, but once you sell it— no longer.
With regard to copyright infringement. This has happened to a lot of my friends. If someone steals a photo that you took, and uses it— say for another blog, a television program, and you put in the Creative Commons logo on your content, and they didn’t mention it— that’s a crime.

We made infringement of copyleft also a crime. We did this since we made copyright automatic, and dependent on the licensing that the author of the content wishes.

Copyright infringement
This has happened to a lot of my friends. If someone steals a photo that you took, and uses it— say for another blog, a television program, and you put in the Creative Commons logo on your content, and they didn’t mention it— that’s a crime.

We made infringement of copyleft also a crime. We did this since we made copyright automatic, and dependent on the licensing that the author of the content wishes.

Internet Libel
Internet libel is a very hot issue.

President Benigno S. Aquino is on record about his thoughts on Online libel:

“I do not agree that the provision on online libel should be removed. Whatever the format is, if it is libelous, then there should be some form of redress available to the victims.”

In my humble opinion, the spirit of his comment is correct. Libel per se isn’t a bad thing. There should be a mechanism for redress of grievances.

What the Cybercrime Law did was to be an overreach.

Am proud to say, we fixed this in the MCPIF. We can have a form of Internet libel, without being draconian.

Section 52 of the MCPIF states:

“Internet libel is a public and malicious expression tending to cause the dishonor, discredit, or contempt of a natural or juridical person, or to blacken the memory of one who is dead, made on the Internet or on public networks.”

We made sure that Malice is required.

We made certain that “Positive identification of the subject as an essential element of internet libel.“

We wrote down that Truth is a defense.

exceptions to Internet libel

We wrote down exceptions to Internet libel precisely because to prevent abuse. We wanted to protect Free Speech and Free Expression online.

What about below the belt attacks? Especially when targeting a government official? If under libel, there are exceptions, how does one protect a government official when the attacks are below the belt?

Enter the Hate Speech provision of the MCPIF.

hate speech

The MCPIF protects government officials for example, when a post calls for commission of illegal acts on a person, or a class of persons. It requires, “an immediate lawless danger to the public or to the person who is the object of the expression”. We think this is a balancing act when expression and free speech go beyond.

Cybersecurity
I showed you earlier how servers are attacked. How easy it is for someone to conduct a DDoS. So how do we solve all those attacks? How do we prepare for the future?

At the beginning of our presentation we talked about the complex, and changing world that we live in today. It is difficult for ordinary people to grasp the details. But the world is changing and nation-states, and none-state actors. We need to upgrade the Armed Forces of the Philippines, the Philippine National Police and the National Bureau of Investigation to meet this clear and present danger.

On a national-policy level, we need a definition of what constitutes terror. What constitutes an attack. What constitutes an attack from whom— a nation-state, a non-state actor? We need a definition of what constitutes War, what constitutes crime. And we need a framework that gives the government a reference point to plan for our national defense, prepare for war; protect our national infrastructure from attack, and aid allies on the battlefield should that need ever arise.

And so we crafted this portion of the MCPIF to look towards the future. We need the ability to have a coordinated defense of civil, government and military networks. We need a clear hierarchy of command. We need a Military that plan, that develop tools, that imagines new tactics and new strategy for a digital battlefield.

We need a coordinated defense. We need to give the President the ability to determine the nature of an attack and ways to respond to that attack. While the AFP is tasked with protecting critical infrastructure, civilian authority is supreme over the military. Hence, the Secretary of Defense is the principal adviser of the President on Cybersecurity issues.

We go back to the whole concept of DDoS attack. We were very specific for example on what DDoS is, so we can determine what a DDoS by a nation-state is, and how it pertains differently from a DDoS attack by anonymous. So that’s where the structure comes in. We wanted a framework so the AFP can build capability to fight in Cyberspace. We wanted to build-in the capability for the AFP to come up with defenses, tactics, strategies, to fight, spy, and win against our enemies, and to aid our allies in times of war.

Imagine a cyberspace battlefield fought by soldiers, powered by LOIC-type tools. Push button “hacking”. Or a visualization of the Internet as a battlefield? Who else is going to develop this but governments? The US is building an app so simple, that it is as simple as an Angry Birds game but meant for soldiers with no hacking experience.

We talked about specificity about Cybercrimes, CyberWar and CyberDefense because we wanted to reiterate a no-first-strike policy. Which means we’re building a cybersecurity force only for defense. You know like that piece of paper called the Constitution says, and all our other commitments. We don’t want people to be trigger happy. We will plan for war, but we won’t initiate it. It frees up the AFP to draw up plans, to train, to conduct exercises, to build weapons, to develop tactics and strategies like any good soldier does…but we won’t do it just to go to war.

We defined the chain of command. The Defense Secretary is the principal adviser to the President “in the protection and conduct of the national cybersecurity, and the conduct of cyberdefense and the protection of national government information and communications technology infrastructure”. It goes back to whole “civilian authority is supreme over the military” bit.

We also gave the President authority of cyberdefense for LGUs when national safety so requires but with a prescription of no more than 90 days.

So how did we do this? Well, we’re not changing things. We’re merely amending existing legislation.

We’re not creating additional agencies, we’re using existing infrastructure and adding capabilities. Like the PAF as first line defense. The PNP tasked with counter-terrorism, because it is a policy function, not a military one. The NBI “is responsible for plans, policies programs, measures, and mechanisms to detect, identify, and prevent transnational cyberterrorist attacks on Philippine government information and communications technology infrastructure, as well as publicly- and privately-owned information and communications technology infrastructure within Philippine jurisdiction.” By strengthening the mandate of these organizations, they can begin the process of building their own capabilities.

While it is sad that cyberspace has been militerized, it can not be helped. We live in a very complicated world. You’ve seen the news that every other week or so there is a cyber attack. Militants deface websites. Crackers deface websites. Anonymous attacks as an act of protest. We come from the school that thinks otherwise. That it disrupts people more than it acts as a tool to convince the powers that be of a point. How does one deal with non-state actors? How does one deal with an attack by a nation-state? We need those definitions to secure our national sovereignty.

The battlefield is changing. Our country needs the necessary infrastructure to fight on the Internet. We need frames of reference so this will not be abused. We need tools, plans, and chains of command for the government to protect us. Again, all this stems from the Constitution, and the bill of rights. Freedom and Responsibility first, before control and repression.

Coordinated Defense
Simply put, the MCPIF creates the necessary framework for our Military, law enforcement and government to protect us from Cybercrimes and Cyberattacks. There is a hierarchy in place. A system in place to execute a defense. The MCPIF makes it possible for the AFP to enter a more modern era. It gives them the framework to develop strategy, and tactics. So we can go after the bad guys. So the President can have the information to act or not to act given a specific circumstance. So the DOJ can go after real cybercriminals. And our country to coordinate with our friends in the international community.

How does this all compare to the issue of Cybercrime?
There are related provisions. Like the one on sabotage is similar to Systems Infrastructure provision in the Cybercrime Prevention Act of 2012. We also talk about cyberprositition, and internet libel. We talk about protection for human traficking. We also talk about protecting children. We brought amended the human terrorist act so law enforcement can go after terrorist funds.

What makes the MCPIF better?

We started from the concept of rights. We were specific when we had to be, and ambiguous only when we have to. The definition of prostitution for one thing is very specific and not over broad. We recognize the President’s point of view with regard to Libel. There has to be a mechanism for a redress of grievances, but we made certain that Internet Libel doesn’t break Freedom of Speech or Freedom of Expression. We made sure that satire, and sarcasm especially targeted at government to be protected because We the People also need to vent our grievances.

Specific when it needs to be, ambiguous only when we had to be
We started from the concept of rights. We were specific when we had to be, and ambiguous only when we have to. The definition of prostitution for one thing is very specific and not over broad. We recognize the President’s point of view with regard to Libel. There has to be a mechanism for a redress of grievances, but we made certain that Internet Libel doesn’t break Freedom of Speech or Freedom of Expression. We made sure that satire, and sarcasm especially targeted at government to be protected because We the People also need to vent our grievances.

The MCPIF is more specific because we need specificity. We had to be careful not to be overbroad. We needed to take real world terms— definitions that every expert in the field understands and apply it into the law. We needed to specify that something is a DDoS attack, because there are many users. What if it was a nation state? What if it is just anonymous protesting against something the President did? Are those two things of the same level? One is about warfare. One is about hactivism. Do we prosecute both with equal tenacity? It’s the difference between sending tanks against people protesting at Mendiola, and sending ships to attack the Chinese Navy.

We also had to be very specific with CyberWar. Who sets fire and when, because while war isn’t to our best interest and against the Constitution, we also have be realistic to build this capability. So unauthorized attack is a crime.

We also establish clear protection on the data. You have to get a court order say to seize or access someone’s data. Facebook can’t just give you a peak into someone’s personal data or activity. You can’t do a prism without a court order for example.

Freedom and Responsibility
Earlier, my colleague, Atty. Acero spoke of the Rights that the MCPIF covers. Let me borrow the words of Joe America who left a message on ProPinoy about The Magna Carta for Philippine Internet Freedom. He got it right when he said that this bill is about Freedom and Responsibility over Fear and Control.

Recap
So let’s recap.

We talked about Cybercrimes covered by the MCPIF.

We talked about network sabotage and what DDoS is. We talked about how Data Privacy protects the common Filipino.

We talked about what the nature of what prostitution is, online. Fraud, Child Pornography. We talked about Hate Speech, and Internet Libel.

We talked about CyberDefense and CyberWar. Why we need a coordinated cyberdefense in light of the threats existing.

We talked about how we’re upgrading the capabilities of the AFP, and the law enforcement for cyberdefenses. So they can plan, defend, develop tactics and strategies.

Conclusion
The MCPIF balances the rights with security and defense. We think that this is the right way to go. Freedom and responsibility over Fear and Control is the path to follow, and we ned this holistic approach to it.

Cocoy Dayao

Cocoy is the Chief Technology Officer of Lab Rats Technica, a Digital Consulting company that specialises in DevOps, iOS, and Web Apps, E-Commerce sites, Cybersecurity and Social Media consulting. He is a technology enthusiast, political junkie and social observer who enjoys a good cup of coffee, comic books, and tweets as @cocoy on twitter.

Cocoy is also the Managing Director and Editor-in-Chief of the ProPinoy Project.

Cocoy considers himself to be Liberal.

  • Thank you for this “common man” explanation of the legal and technology issues in the MCPIF. Although the proposed legislation is lengthy and intricate, it is also elegant in making sure basic rights of expression are not sacrificed to the gods of authority and control. I particularly appreciate the way libel is handled, as I “work” in an arena of considerable opinion, some sharp, but always with good intent. Like, man, if I rip at Senator Binay for HER approach on this matter, the real aim is the opposite of malice. It is to advocate for a healthy, vibrant, expressive Philippines. Whether or not it hurts her personal feelings is largely irrelevant. She controls that by the acts she promotes and the wisdom she expresses. Or doesn’t.

    Thanks also to the wizards who crafted this legislation, and to Senator Santiago for putting it on the table. If the other senators are sharp, they will recognize they have the perfect solution to that ugly toad of legislation they passed now being embarrassingly held up by the Supreme Court.

    • cocoy

      Hi Joe. based on my reading, the libel provision is going to face very stiff opposition.