Internet Freedom

Debunking Errors in a Proposed Philippine Cybersecurity Framework

Myopia.

This is the inescapable conclusion one will have upon reading Francis Domingo’s opinion piece in the November 18, 2013 issue of Philippine Daily Inquirer, “Points to consider in securing Philippine cyberspace”. While Domingo raises a valid concern on the continual growth of the cybersecurity threat, his recommendations fail to address it. Worse, if followed, his recommendations may prove disastrous.

 

The Cybersecurity Threat Continuum 

“More people may decide to engage in cyber-attacks because of the low barriers to entry, anonymity and presence of others involved in similar activities.

“Performing various operations in cyberspace is not difficult because the resources and knowledge required to exploit and disrupt infrastructure are modest compared to the requirements of exploiting other domains of conflict such as land, sea, air and even space.

“Any individual with sufficient technical knowledge and has access to information communication technologies can execute cyber-attacks.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo points out correctly that cyberattacks will continue to grow in number, scope, and impact; he correctly points out that performing such attacks is less difficult than physical violence, and puts forward a valid observation that anonymity may be a factor in choosing to perpetrate crime or fraud, destruction and disruption, or enter into conflict via cyberattacks over conventional means.

The possibilities available, however, do not constitute a simple menu of choices. Cybersecurity threats are more accurately depicted in a continuum:

[Figure: cyber-threat continuum diagram]

From left to right, the diagram describes two parallel concepts: first, that of actors — from an individual, through loosely-affiliated groups, to large, structured organizations — and, second, that of level of skill — how the increasing availability of skills and/or skilled manpower can be used as resources to plan, execute, and follow-through on a cyberattack.

From bottom to top, the diagram describes the potential damage that can result, especially from a deliberate cyberattack. For instance, the potential damage that can be caused by a prankster will be less than that of a dupe, as the former may be restrained by conscience while the latter is subject to the will of another person or group, who may feel no such restraint. Likewise, it is understandable that organized groups with larger pools of manpower and skillsets, as well as the drive to gain such skills and employ them, will have higher scales of potential damage than amorphous groups or individuals. It is equally interesting that the individuals and groups moving up the potential damage scale can be classed together into fairly distinct sets of motivations for cybercrime and cyberattack, as shown by the right-hand scale.

The cybersecurity continuum is by no means theoretical. Domingo appears to be familiar with the modes of cyberattack that have been used both locally and abroad, as well as the suspected perpetrators. As such, it is strange that Domingo clings to the notion that cyberattacks have limited impact; perhaps we must first define what a cyberattack is.

 

What is a Cyberattack?

In his opinion piece, Domingo provided no clear definition of a cyberattack. This vagueness may be the source of the erroneous premises upon which his arguments are based.

A US National Research Council report defines cyberattacks as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”[2] Taking off from this definition, an article in the California Law Review, “The Law of Cyber-Attack,” proposes that a cyberattack “consists of any action taken to undermine the functions of a computer network for a political or national security purpose.”[3]

These definitions are so broad that they seem to conflate cyberattacks and cybercrime. In crafting the Magna Carta for Philippine Internet Freedom (#MCPIF) bill, the group Democracy.Net.PH and other contributors agreed to separate the definitions of cybercrime and cyberattack. The bill defines cyberattack as:

“[A]n attack by a hostile foreign nation-state or violent non-state actor on Philippine critical infrastructure or networks through or using the Internet or information and communications technology.”[4]

The bill also includes the following as a possible form of cyberattack:

“[A]n assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.”[5]

The definition proposed in the #MCPIF acknowledges the cybersecurity threat continuum. This definition will serve as our basis in clarifying the flaws in Domingo’s op-ed piece.

 

A Cyberattack’s Impact Can be Lethal

“[C]yber-attacks have a limited impact on nation-states because the attacks rely on an electromagnetic spectrum, require man-made technology to function, and do not involve lethal action and physical violence.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo cites the distributed denial-of-service (DDoS) attack against Estonia in 2007 and the Stuxnet worm, which was supposedly used to target Iran’s Natanz uranium enrichment facility and whose escape into the wild in 2010 led to its detection, as examples of cyberattacks. The modes exemplified by the Estonia attack[6] and Stuxnet[7] are similar to the Shamoon malware cyberattack on the state-owned oil firm Saudi Aramco[8], the DDoS attacks on US banks in 2012[9], the cyberattack on South Korean media and banking firms just this year[10], and so on.

It appears that Domingo’s position is that there has been no significant injury, loss of life, nor widespread physical damage to infrastructure. Ergo, damage is “limited.”

This is another shortsighted view.

While it is true that few, if any, have so far been physically hurt by cyberattacks, the impact is nonetheless significant. The “ILOVEYOU” virus outbreak in 2000, a brainchild of one Onel de Guzman[11], a student of AMA Computer College, affected at the time about 45 million computers worldwide[12] and caused an estimated $10 billion in damage[13]. The scale of damage caused by the ILOVEYOU worm, adjusted for inflation, is on a par with the scale of damage caused by Typhoon Yolanda.[14]

The perceived absence of injury to human beings does not render the damage from cyberattack limited; rather, it makes cyberattacks even more sinister. The disruption of networks that will result in the breakdown of services of government, power, communications, transport, finance, and other critical infrastructure can result in chaos in society. Instead of directly harming the populace, the attacker can create an environment where the populace will be motivated to destroy each other and themselves. Such damage mirrors that caused by enhanced radiation weapons, such as cobalt and neutron bombs, which are designed to kill but leave infrastructure and equipment relatively undamaged.[15]

Still eerily similar to atomic weapons of mass destruction, but to an even more sinister degree, is the ability of an attacker to design and control the degree of damage that is caused by the cyberattack. “Dial-a-yield” is the catchphrase often used to describe the capability to adjust a weapon to a desired scale of damage.

Domingo appears to make the error of failing to recognize that, with a cyberattack, the attacker not only can design the implementation but can practically specify the extent of damage from the narrowest of scopes up to unrestricted levels. Stuxnet was designed to go after a specific piece of equipment. Thus, the damage was limited only to the systems where the equipment was installed. If global positioning system (GPS) navigation were subjected to an unrestricted cyberattack, which is now considered to be a distinct possibility[16], airplane crashes, ship groundings, and fatal mistaken identity incidents could occur at scales more horrific than simultaneous occurrences of incidents analogous to 9/11, Exxon Valdez, Aeroflot Flight 8381/ СССР-26492, MV Doña Paz/ MT Vector, and Korean Airlines Flight 007 combined.

There is no logical reason to wait until such catastrophic incidents occur, until lives are lost due to the lethality programmed into a cyberweapon, before establishing a robust cybersecurity framework.

 

Cyberattacks Do NOT Require High Technology; Cybersecurity Must Not Be Merely Technology-Centric

“[C]yber-attacks will not be successful if the spectrum is controlled or access to critical networks is blocked by accountable government units.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo mentions Stuxnet as a cyberattack; however, he may not be aware that the attack vector of Stuxnet was through the physical connection of an infected USB flash drive to a computer connected to the target network.

This, in hacker parlance, was a “sneakernet” attack. This attack was made via the crudest method of compromising a system — accessing the physical layer. The legal control of the allocation of the usable frequencies within the electromagnetic spectrum (for there is no means at present that can control the electromagnetic spectrum, short of repealing the laws of physics) by no means can prevent a sneakernet attack, or many other modes of attack for that matter. Restricting access to critical networks willy-nilly cannot likewise prevent such an attack since, by using the physical layer as the means of compromising the system, the data link, network, transport, session, presentation, and application layers are effectively bypassed.

Clearly, it is erroneous for Domingo to have posited that cyberattacks are solely technology-dependent, and thus that cybersecurity should be technology-centric.

In ensuring cybersecurity, there are two other aspects that must be considered and implemented. A cybersecurity plan must be based on a holistic combination of physical security, behavioral security, and electronic security means, policies, and procedures; to focus on a single defense aspect or potential threat axis would be analogous to building an iron door for a bank vault whose walls are made of paper.

Domingo has fallen into the trap of seeing a few trees and missing the forest.

 

Cybersecurity is Not Merely a Convenient Buzzword

“Security strategies are not definitive.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Given that cybersecurity threats belong in a continuum, and that the actors, their motivations, the degrees of damage intended and programmed, and the level and breadth of skillsets are not one-dimensional – as he erroneously paints them to be – Domingo’s position of a one-size-fits-all approach to securing Philippine cyberspace is untenable.

Cybersecurity cannot be as casually relegated as Domingo proposes. The range of potential threats to the physical security of the Filipino citizen runs the gamut from petty crime, organized crime, and terrorism (domestic and otherwise) to unfriendly acts of foreign governments; it is well understood that the mandates to protect the life, liberty, and property of each Filipino that are given to the Philippine National Police, the National Bureau of Investigation, and the Armed Forces of the Philippines differ in level of threat and scope of action.

So, too, should be the cybersecurity mandate.

This is the approach taken by the drafters of the Magna Carta for Philippine Internet Freedom. The #MCPIF proposes that the Department of Justice (DOJ), the National Bureau of Investigation (NBI), and the Philippine National Police (PNP) shall be the competent law enforcement agencies to protect Filipino citizens from cybercrime, corollary to their mandates to protect Filipino citizens from non-ICT enabled or perpetrated crimes. Likewise, these law enforcement agencies, supported by other government offices—including the Department of Defense (DND) and the Armed Forces of the Philippines (AFP)—will be tasked with protecting the country from cyberterrorism and cyberespionage. This is no different from the current mandates given to the respective agencies of government to protect the country from terrorism and espionage.

As they are tasked with national defense and the protection of national critical infrastructure, it is therefore likewise logical that the DND and the AFP will be tasked with national cyberdefense and the protection of national critical ICT infrastructure.

It should be pointed out that while he is correct that the Information Systems Security Society of the Philippines (ISSSP), the Information Systems Audit and Control Association (ISACA), and the Philippine Computer Emergency Response Team (PH-CERT), as well as scholars and government experts, can be resources and have actually been providing technical expertise on cybersecurity, as have private companies like Symantec, McAfee, and IBM, Domingo is wrong in saying that they can be agents to implement Philippine cybersecurity action and policy. There is no logic in this thinking, as it is analogous to using security guards as frontline troops in internal security operations against the New People’s Army. Security planning, while it may be enriched by inputs from those with the appropriate competencies and skills, is best put together by those who can see the forest and not just the trees.

 

RA 10175 is NOT a Good Basis for a Philippine Cybersecurity Framework

 

“[P]eople must be made aware of the rationale and scope of Republic Act No. 10175 and other laws that protect Philippine cyberspace.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

There is some merit, however limited, in Domingo’s vague proposals on how to implement cybersecurity for the Philippines, in so far as developing a culture of cybersecurity through education and information campaigns, ensuring resilience of institutions, and the development of multidisciplinary, multistakeholder teams for plans, policies, and programs to promote national cybersecurity. Clear proposals have been presented by the drafters of the Magna Carta for Philippine Internet Freedom and constitute an integral part of the bill.

Unfortunately, Domingo goes astray in promoting Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, as a basis for promoting cybersecurity.

The oft-quoted maxim of Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety,” points out the fatal flaw in Domingo’s promotion of the Cybercrime Prevention Act. As the law – fortunately suspended in its application – promotes assaults on civil liberties such as the right to privacy, the right to due process of law, and the freedom of expression, it cannot be the basis for establishing cybersecurity for the Filipino people.

To be succinct: our rights online are our rights offline. Our cybersecurity thinking must be no different, therefore, from how we think of ensuring our physical security – holistic, properly-calibrated, competent, and rights-based.

To reduce it to vague buzzwords would be to endanger ourselves.

 

Endnotes: 

[1] Engr. Pierre Tito Galla, PECE, is one of the convenors of Democracy.Net.PH, an ICT and civil rights advocacy group that spearheaded the drafting of the Magna Carta for Philippine Internet Freedom. He is a practicing Professional Electronics Engineer with nearly a decade and a half in the information and communications technology sector, and is currently an executive in a Fortune 500 multinational whose networks span the globe.

[2] Hathaway, et al. “The Law of Cyber-Attack.” <http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf>.

[3] Ibid.

[4] Democracy.Net.PH. “Full text of the Magna Carta for Philippine Internet Freedom.” <http://democracy.net.ph/mcpif/full-text/>.

[5] Ibid.

[6] The Associated Press. “A look at Estonia’s cyber attack in 2007.” NBCNews.com. 8 July 2009. <http://www.nbcnews.com/id/31801246/#.Up3wE8RDtXg>.

[7] Kushner, D. “The Real Story of Stuxnet.” IEEE Spectrum. 26 February 2013. <http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet>.

[8] Perlroth, N. “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.” The New York Times. 23 October 2012. <http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?_r=0>.

[9] Ibid.

[10] Waterman, S. “Cyberattack hits South Korea’s banks, media.” The Washington Times. 20 March 2013. <http://www.washingtontimes.com/news/2013/mar/20/cyberattack-hits-s-koreas-banks-media-highlights-r/?page=all>.

[11] Cluley, G. “Memories of the Love Bug worm.” Naked Security. 4 May 2009. <http://nakedsecurity.sophos.com/2009/05/04/memories-love-bug-worm/>.

[12] Ward, M. “A decade on from the ILOVEYOU bug.” BBC News. 4 May 2010. <http://www.bbc.co.uk/news/10095957>.

[13] Landler, M. “A Filipino Linked to ‘Love Bug’ Talks About His License to Hack.” The New York Times. 21 October 2000. <http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html>.

[14] RSJ/ GMA News. “NDRRMC: Yolanda death toll continues to rise, now at 5,759; damage surpasses P35B.” GMA News Online. 5 December 2013. <http://www.gmanetwork.com/news/story/338384/news/nation/ndrrmc-yolanda-death-toll-continues-to-rise-now-at-5-759-damage-surpasses-p35b>.

[15] Snow, D. “Strategic Implications of Enhanced Radiation Weapons.” Air University Review. July-August 1979. <http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jul-aug/snow.html>.

[16] Neal, R. “GPS Terrorism: Hackers Could Exploit Location Technology to Hijack Ships, Airplanes.” International Business Times. 29 July 2013. <http://www.ibtimes.com/gps-terrorism-hackers-could-exploit-location-technology-hijack-ships-airplanes-1362937>.

Cybercrimes and Cybersecurity in the MCPIF

This is the prepared text from a democracy.net.ph forum on MCPIF: Downloadable presentation

The Magna Carta for Philippine Internet Freedom (#MCPIF) is complex, and yet it has gained so much support locally and internationally; most notably, the Electronic Frontier Foundation wrote a brief analysis of the MCPIF.

The MCPIF is complex, precisely because it deals with so many interrelated issues. We cannot talk about Rights and Freedoms without a firm discussion of Crimes and Security, and neither do the governance and development aspects work without the Rights framework. They all form an ecosystem. How can one reconcile Rights and Cybercrimes and Cybersecurity? Security and Rights, some argue, are polar opposites. In the MCPIF, we drew a balance between those issues. In fact, it is that balancing act that, in my humble opinion, matters.

The cybersecurity aspect is a bit more complicated. Complicated in the sense that normal people can’t even imagine the dangers we are all facing. How could you, when you don’t live and breathe this stuff?

Take this for example. This is a visualization of a Distributed Denial of Service attack on one of my servers.
You hear about hacking and DDoS in the news, or how Cyberwar happens. It all seems Hollywoodish. It all seems so incredible. This is a 10-second visualization of an attack on one of my servers. This is just the tip of the iceberg. Just one of the very minor skirmishes being waged on the Internet.

That’s not all. The Internet is a beautiful place. And like the real world, it does have a seedier side to it. There is an underground economy where ATMs and Credit Cards are being traded. Places where drugs flow and hacking tools are available.

[Image: Black Market]

Black Market, Silk Road: these are the names and places you only hear in whispers. They use the same legitimate tools many journalists rely on to converse privately with sources. To access the Darknet you need to be far more savvy than the ordinary Internet user.

[Image: nation-states are arming]

That’s not all. There is the militarization of cyberspace. Nation-states are arming. They are developing defenses. They are writing offensive weapons. Malware that can control the battlefield in the real world. Cyberwar is going to be what the Air War and espionage are to current military doctrine.

[Image: non-state actors]

The very nature of the Internet, the leveling of the playing field, means that non-state actors (groups like Anonymous, or terror organizations or extremist groups) can buy, steal or utilize capacity to make war or crime. In fact the biggest CyberWar to date was between two Corporations: CyberBunker, a webhost, and Spamhaus, an anti-spam business, which launched Denial of Service Attacks on each other.

[Image: LOIC screenshot]

You see, the tools of attack are fairly easy to acquire. This (above) is a screenshot of the Low Orbit Ion Cannon. It is a common tool used by hacktivists, and Anonymous. This one is so “for dummies” that others can remote-control it using RSS to launch an attack. So you don’t really need to participate. Only your computer does. It is so easily acquired that to find it online, all you need is to Google it.

This is just one of many ways to cause mayhem on the Internet.

The whole point why I wanted to show you this darker side of the Internet is to show you why we need legal frameworks to help prevent cybercrimes, enact cybersecurity, and cyberdefense.

How does the MCPIF fight cybercrime?

How do we fight Distributed Denial of Service attacks? How do we fight malware? How do we fight trojan horses?

There are two ways we defined this under the MCPIF.

First, we defined this as direct network sabotage. This means that a Denial of Service attack is a crime. So yes, if you’re a member of Anonymous, you are committing a crime when you launch a DDoS attack. A denial of service attack means you flood a target server with requests until legitimate requests cannot be served.

Why did we do it this way?

There are two schools of thought about this. There are research papers on the web on this.

First, there is the hacktivist point of view. Meaning, DDoS is an act of protest. Second is this. If the Internet is an open network, then by degrading other people’s use of the Internet, you go against the very principle of the open network when you deny another person access. Picture three people having a conversation. Person A is yelling at Person B at yammering speed. Person C can’t talk to Person B because Person B is being bombarded with Person A’s loud voice, so Person C’s right to be heard is blocked as well.

Why did we not recognize DDoS hacktivism? DDoS isn’t just used for protest. Sometimes there is that intent. There are other more nefarious uses. It is used to mask stealing data. It is used between corporate entities. And of course, DDoS goes against the principle of the open network. It would be the equivalent of giving an AK-47 to a thirteen-year-old.

Molly Sauter wrote in her thesis on Distributed Denial of Service Attack actions and the study of civil disobedience on the Internet:

“Activist DDOS actions started as an exploration into the activist potential of the internet by activists experienced in “on the streets” activism. In its modern incarnation, activist DDOS is practiced mainly by fringe actors, who consider the online space a primary zone of interaction, socialization, and political action.”

We follow this same line of thinking by explicitly marking DDoS as a crime.

We didn’t limit what constitutes network sabotage to just that. It includes “the physical destruction of devices, equipment, physical plant, or telecommunications cables including cable TV transmission lines and other transmission media, or through other means, except if the stoppage or degradation has been done in the normal course of work or business by a person authorized to stop, modify, or otherwise control network operations of the other person.”

We also defined indirect network sabotage. What does this mean? “it shall be unlawful for any person to install, infect, implant, or otherwise put in a device, equipment, network, or physical plant any means of performing stoppage, degradation, or modification of Internet or network operations, or data or information processing, such as but not limited to bots, or to interconnect, establish, or otherwise create a network of software, devices, equipment, or physical plants with the means of performing stoppage, degradation, or modification of Internet or network operations, or data or information processing, such as but not limited to botnets, except if the installation or interconnection has been done in the normal course of work or business by a person authorized to stop, modify, or otherwise control network operations or data or information processing of the network.”

So virus making and malware are illegal. Under the Rights section of the MCPIF, we reiterated a broad spectrum of rights. In fact, in some cases, we gave it a bit more, like guaranteeing people’s rights to jailbreak devices, or the equal protection of Network Neutrality. While society should be open to jailbreaks and such, it doesn’t mean that crimes should be perpetrated on others. It is great to tinker, bad to do mayhem. This is the thinking of this section of the MCPIF.

Data privacy

Under the MCPIF, Data is sacrosanct. ISPs can’t look into your data.

Section 45, Violation of Data Privacy says:

“It shall be unlawful for any person to intentionally access data, networks, storage media where data is stored, equipment through which networks are run or maintained, the physical plant where the data or network equipment is housed, without authority granted by the Internet service provider, telecommunications entity, or other such person providing Internet or data services having possession or control of the data or network, or to intentionally access intellectual property published on the Internet or on other networks without the consent of the person having ownership, possession, or control of the intellectual property, or without legal grounds, even if access is performed without malice.”

In fact, the MCPIF goes further. Section 44 of the MCPIF punishes ISPs for failing to provide reasonable security for Data and networks:

“It shall be unlawful for any Internet service provider, telecommunications entity, or other such person providing Internet or data services to intentionally or unintentionally fail to provide appropriate levels of security for data, networks, storage media where data is stored, equipment through which networks are run or maintained, or the physical plant where the data or network equipment is housed.”

What if my friend shared something I shared only with her on Facebook?
Communication is privileged under the MCPIF. The typical scenario is this. We talk to a group of our friends. We share within that community. It is a private conversation between friends. What happens when something from that conversation is spread outside the network?

Section 45 (d) of the MCPIF says:

“It shall be unlawful for any authorized person to intentionally disclose or cause the disclosure to a third party or to the public any private data being transmitted through the Internet or through public networks, or any data being transmitted through private networks, without legal grounds, even if the disclosure was done without malice.”

The same can be said if a husband wanted to share a private photo of his wife, but the wife does not want it public.

We didn’t stray from the Data Privacy Act. We hold data to be sacrosanct. If I store email on my ISP’s servers, they aren’t legally able to access it. The data is mine. The service is theirs but the data is mine. So failure to provide levels of security carries a penalty.

With regard to data security, we punish unauthorized access to data, networks or storage of data. So if you suddenly guessed someone’s Facebook password, that’s a crime. Cracking it, or modifying that hacked data, is also a crime.

Phishing is also a crime. Fraud and child pornography are crimes.

Prostitution online

With regard to prostitution, it is illegal to use devices or the Internet for “the purpose of enabling the exchange of money or consideration for services of a sexual or lascivious nature, or facilitating the performance of such services”. We made it so it wouldn’t be an overreach. We specified, “Provided, the services shall be performed by one or more unwilling third-party adults under threat or duress.”

More crimes
Cybersquatting is illegal.

Piracy: under the MCPIF it is unlawful for any person to publish or reproduce, with intent to profit (emphasis on intent to profit), on the Internet or through technology, code, software or content he doesn’t have ownership over.
Which means sharing is okay, but once you sell it, no longer.
With regard to copyright infringement: this has happened to a lot of my friends. If someone steals a photo that you took, and uses it— say for another blog, a television program, and you put in the Creative Commons logo on your content, and they didn’t mention it— that’s a crime.

We made infringement of copyleft also a crime. We did this since we made copyright automatic, and dependent on the licensing that the author of the content wishes.

Internet Libel
Internet libel is a very hot issue.

President Benigno S. Aquino is on record about his thoughts on Online libel:

“I do not agree that the provision on online libel should be removed. Whatever the format is, if it is libelous, then there should be some form of redress available to the victims.”

In my humble opinion, the spirit of his comment is correct. Libel per se isn’t a bad thing. There should be a mechanism for redress of grievances.

What the Cybercrime Law did was an overreach.

I am proud to say, we fixed this in the MCPIF. We can have a form of Internet libel, without being draconian.

Section 52 of the MCPIF states:

“Internet libel is a public and malicious expression tending to cause the dishonor, discredit, or contempt of a natural or juridical person, or to blacken the memory of one who is dead, made on the Internet or on public networks.”

We made sure that Malice is required.

We made certain of the “Positive identification of the subject as an essential element of internet libel.”

We wrote down that Truth is a defense.

[Image: exceptions to Internet libel]

We wrote down exceptions to Internet libel precisely to prevent abuse. We wanted to protect Free Speech and Free Expression online.

What about below-the-belt attacks? Especially when targeting a government official? If under libel, there are exceptions, how does one protect a government official when the attacks are below the belt?

Enter the Hate Speech provision of the MCPIF.

[Image: hate speech]

The MCPIF protects government officials for example, when a post calls for commission of illegal acts on a person, or a class of persons. It requires, “an immediate lawless danger to the public or to the person who is the object of the expression”. We think this is a balancing act when expression and free speech go beyond.

Cybersecurity
I showed you earlier how servers are attacked. How easy it is for someone to conduct a DDoS. So how do we solve all those attacks? How do we prepare for the future?

At the beginning of our presentation we talked about the complex and changing world that we live in today. It is difficult for ordinary people to grasp the details. But the world is changing and nation-states, and non-state actors. We need to upgrade the Armed Forces of the Philippines, the Philippine National Police and the National Bureau of Investigation to meet this clear and present danger.

On a national-policy level, we need a definition of what constitutes terror. What constitutes an attack. What constitutes an attack from whom— a nation-state, a non-state actor? We need a definition of what constitutes War, what constitutes crime. And we need a framework that gives the government a reference point to plan for our national defense, prepare for war; protect our national infrastructure from attack, and aid allies on the battlefield should that need ever arise.

And so we crafted this portion of the MCPIF to look towards the future. We need the ability to have a coordinated defense of civil, government and military networks. We need a clear hierarchy of command. We need a military that plans, that develops tools, that imagines new tactics and new strategy for a digital battlefield.

We need a coordinated defense. We need to give the President the ability to determine the nature of an attack and ways to respond to that attack. While the AFP is tasked with protecting critical infrastructure, civilian authority is supreme over the military. Hence, the Secretary of Defense is the principal adviser of the President on Cybersecurity issues.

We go back to the whole concept of a DDoS attack. We were very specific, for example, on what a DDoS is, so we can determine what a DDoS by a nation-state is, and how it differs from a DDoS attack by Anonymous. So that’s where the structure comes in. We wanted a framework so the AFP can build the capability to fight in cyberspace. We wanted to build in the capability for the AFP to come up with defenses, tactics, and strategies to fight, spy, and win against our enemies, and to aid our allies in times of war.

Imagine a cyberspace battlefield fought by soldiers, powered by LOIC-type tools. Push button “hacking”. Or a visualization of the Internet as a battlefield? Who else is going to develop this but governments? The US is building an app so simple, that it is as simple as an Angry Birds game but meant for soldiers with no hacking experience.

We talked about specificity about Cybercrimes, CyberWar and CyberDefense because we wanted to reiterate a no-first-strike policy. Which means we’re building a cybersecurity force only for defense. You know like that piece of paper called the Constitution says, and all our other commitments. We don’t want people to be trigger happy. We will plan for war, but we won’t initiate it. It frees up the AFP to draw up plans, to train, to conduct exercises, to build weapons, to develop tactics and strategies like any good soldier does…but we won’t do it just to go to war.

We defined the chain of command. The Defense Secretary is the principal adviser to the President “in the protection and conduct of the national cybersecurity, and the conduct of cyberdefense and the protection of national government information and communications technology infrastructure”. It goes back to the whole “civilian authority is supreme over the military” bit.

We also gave the President authority of cyberdefense for LGUs when national safety so requires but with a prescription of no more than 90 days.

So how did we do this? Well, we’re not changing things. We’re merely amending existing legislation.

We’re not creating additional agencies, we’re using existing infrastructure and adding capabilities. Like the PAF as first line defense. The PNP tasked with counter-terrorism, because it is a policy function, not a military one. The NBI “is responsible for plans, policies programs, measures, and mechanisms to detect, identify, and prevent transnational cyberterrorist attacks on Philippine government information and communications technology infrastructure, as well as publicly- and privately-owned information and communications technology infrastructure within Philippine jurisdiction.” By strengthening the mandate of these organizations, they can begin the process of building their own capabilities.

While it is sad that cyberspace has been militarized, it cannot be helped. We live in a very complicated world. You’ve seen the news that every other week or so there is a cyber attack. Militants deface websites. Crackers deface websites. Anonymous attacks as an act of protest. We come from the school that thinks otherwise. That it disrupts people more than it acts as a tool to convince the powers that be of a point. How does one deal with non-state actors? How does one deal with an attack by a nation-state? We need those definitions to secure our national sovereignty.

The battlefield is changing. Our country needs the necessary infrastructure to fight on the Internet. We need frames of reference so this will not be abused. We need tools, plans, and chains of command for the government to protect us. Again, all this stems from the Constitution, and the bill of rights. Freedom and Responsibility first, before control and repression.

Coordinated Defense
Simply put, the MCPIF creates the necessary framework for our military, law enforcement and government to protect us from cybercrimes and cyberattacks. There is a hierarchy in place. A system in place to execute a defense. The MCPIF makes it possible for the AFP to enter a more modern era. It gives them the framework to develop strategy and tactics. So we can go after the bad guys. So the President can have the information to act or not to act given a specific circumstance. So the DOJ can go after real cybercriminals. And so our country can coordinate with our friends in the international community.

How does this all compare to the issue of Cybercrime?
There are related provisions. The one on sabotage, for instance, is similar to the Systems Infrastructure provision in the Cybercrime Prevention Act of 2012. We also talk about cyberprostitution and internet libel. We talk about protection against human trafficking. We also talk about protecting children. We amended the human terrorist act so law enforcement can go after terrorist funds.

What makes the MCPIF better?

We started from the concept of rights. We were specific when we had to be, and ambiguous only when we had to be. The definition of prostitution, for one thing, is very specific and not overbroad. We recognize the President’s point of view with regard to libel. There has to be a mechanism for a redress of grievances, but we made certain that Internet Libel doesn’t break Freedom of Speech or Freedom of Expression. We made sure that satire and sarcasm, especially when targeted at government, are protected, because We the People also need to vent our grievances.

Specific when it needs to be, ambiguous only when we had to be
The MCPIF is more specific because we need specificity. We had to be careful not to be overbroad. We needed to take real-world terms, definitions that every expert in the field understands, and apply them in the law. We needed to specify that something is a DDoS attack, because there are many users. What if it was a nation-state? What if it is just Anonymous protesting against something the President did? Are those two things of the same level? One is about warfare. One is about hacktivism. Do we prosecute both with equal tenacity? It’s the difference between sending tanks against people protesting at Mendiola, and sending ships to attack the Chinese Navy.

We also had to be very specific with CyberWar. Who sets fire and when, because while war isn’t in our best interest and is against the Constitution, we also have to be realistic and build this capability. So unauthorized attack is a crime.

We also establish clear protection on the data. You have to get a court order to, say, seize or access someone’s data. Facebook can’t just give you a peek into someone’s personal data or activity. You can’t do a PRISM without a court order, for example.

Freedom and Responsibility
Earlier, my colleague, Atty. Acero spoke of the Rights that the MCPIF covers. Let me borrow the words of Joe America who left a message on ProPinoy about The Magna Carta for Philippine Internet Freedom. He got it right when he said that this bill is about Freedom and Responsibility over Fear and Control.

Recap
So let’s recap.

We talked about Cybercrimes covered by the MCPIF.

We talked about network sabotage and what DDoS is. We talked about how Data Privacy protects the common Filipino.

We talked about the nature of prostitution online. Fraud, Child Pornography. We talked about Hate Speech, and Internet Libel.

We talked about CyberDefense and CyberWar. Why we need a coordinated cyberdefense in light of the threats existing.

We talked about how we’re upgrading the capabilities of the AFP, and the law enforcement for cyberdefenses. So they can plan, defend, develop tactics and strategies.

Conclusion
The MCPIF balances rights with security and defense. We think that this is the right way to go. Freedom and responsibility over Fear and Control is the path to follow, and we need this holistic approach to it.

Why the DOJ’s Cybercrime initiative is a failed project

The Philippine Department of Justice wants to revive the Cybercrime Law. The head of the Department of Justice’s Cybercrime office, Geronimo Sy said that they are dropping the online libel provisions of the bill.  According to Sy, the Department of Justice was never pushing for the Online Libel provisions of the bill. Justice Secretary Leila de Lima endorses the new measure.

GMA 7 quoted the Justice Secretary saying: “We will be proposing certain improvements of the Cyber Prevention Act, but of course we need to wait for the action of the Supreme Court (SC) in the pending petition. (But) whatever happens with that petition in the SC, we are contemplating introducing or proposing to Congress certain enhancements.”

Not only about Online Libel
Of course, that was never the heart of the problem. The Online Libel provisions were, in fact, one of many problems with Republic Act 10175, or the Cybercrime Prevention Act of 2012. There are fifteen petitions before the Supreme Court asking the high court to declare the law unconstitutional. The petitioners raised a total of 29 issues against the Cybercrime Prevention Act of 2012, and Online Libel is just one of those 29. The issues are as follows, as per the Supreme Court’s website:

 

Each entry gives, in order: Provision; Description; Petitioner’s Argument; Sol Gen’s Argument.

I.

Provision: Sec. 4(a)(1)

Description: Makes access to the whole or part of a computer system without right a cybercrime.

Petitioner’s Argument:

Failure to meet strict scrutiny standards (PIFA, et al. Petition)

Sol Gen’s Argument:

“The application of strict scrutiny is not called for because Section 4(a)(1) regulates hacking, a socially harmful conduct; it does not regulate, prevent or punish speech.”

“Considering that illegal access is globally recognized as an offense against the confidentiality, integrity and availability of computer data and systems, the Philippines has no reason not to include the same”

II.

Provision: Sec. 4(a)(3)

Description: Makes the intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document or electronic data message without right including the introduction or transmission of viruses, a cybercrime.

Petitioner’s Argument:

Violation of freedom of expression guarantee (Reyes, et al. Petition)

Sol Gen’s Argument:

“Section 4(a)(3) penalizes conduct, not speech.”
Section 4(a)(3) regulates data interference because it is socially harmful conduct. It does not regulate, prevent or punish speech.

“The protected legal interest here is the integrity and proper functioning of or use of stored computer data or computer programs.”

III.

Provision: Sec. 4(a)(6)

Description: Makes the acquisition of a domain name over the internet in bad faith, for profit, to mislead or destroy reputation and deprive others from registering the name a cybercrime.

Petitioner’s Argument:

Violation of equal protection clause (PIFA, et al. Petition)

Sol Gen’s Argument:

“The difficulty in tracing the real perpetrators of cybercrimes or persons using aliases cannot be a deterrent to the passage and implementation of the law. The cybercrime law was enacted precisely to allow law enforcement authorities to go after the perpetrators of cybercrime whether they be known or hidden under the veil of pseudonyms. Besides, a person who commits a crime using his actual name is as guilty as a person who commits a crime using an alias.

“Cybersquatting is the oldest and best-known form of nuisance in cyber space. Cybersquatters will generally either offer to sell the name back to the trademark owner for an extortionate price, or make money from internet traffic accidentally landing on their page. The practice is a nuisance for the growing number of companies that do business over the internet and are loath to lose valuable traffic to rogue websites.”

“In our jurisdiction, Article 694 of the Civil Code defines a nuisance as ‘any act, omission, establishment, condition of property, or anything else which shocks, defies, or disregards decency or morality,’ the remedies of which are a prosecution under the Revised Penal Code or any local ordinance, a civil action, or abatement without judicial proceedings.”

IV.

Provision: Sec. 4(b)(3)

Description: Makes the intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another without right a cybercrime.

Petitioner’s Argument:

Violation of due process clause (Reyes, et al. Petition)

Violation of right to privacy of communication and correspondence guarantee (Reyes, et al. Petition)

Violation of the freedom of the press guarantee (Reyes, et al. Petition)

Sol Gen’s Argument:

“Section 4(b)(3) is intended to protect one’s right to privacy and to protect one’s right to property. The offender’s rights to privacy and protected speech are irrelevant in computer-related offenses.”

“Petitioner Reyes’ fear focus on the words ‘acquisition’ ‘transfer’ and ‘possession’ in relation to journalists’ fundamental work of reporting information is unfounded.”

“Petitioners Reyes’ fear can be easily soothed when the principle noscitur a sociis is applied. By noscitur a sociis, the correct construction of a word or phrase susceptible of various meanings may be made clear and specific by considering the company of words in which it is found or with which it is associated.

“the words ‘intentional acquisition,’ ‘transfer,’ and ‘possession,’ must be associated with the term ‘identity theft’ and must be understood to mean any such acts done with the intention of appropriating another’s identity for acquisitorial use.”

V.

Provision: Sec. 4(c)(1)

Description: Makes the willful engagement, maintenance, control, or operation, directly or indirectly of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration a cybercrime.

Petitioner’s Argument:

Violation of freedom of expression clause (Guingona, et al. Petition)

Sol Gen’s Argument:

“Congress, in enacting Section 4(c)(1), seeks to punish cyber prostitution, white slave trade and pornography for favour and consideration. This includes interactive prostitution and pornography, i.e., by webcam.

“The risks to publishers of publishing ‘nude materials’ in the internet or to film producers of creating ‘artistic works’ is no different or greater than the ‘risks’ presently confronting them under Article 201 of the Revised Penal Code. Since 1932, Article 201 punishes ‘obscene publications and exhibitions and indecent shows.’ To date, Article 201 has not been declared unconstitutional.”

VI.

Provision: Sec. 4(c)(3)

Description: Makes the transmission of commercial electronic communication with the use of computer systems seeking to advertise, sell or offer for sale products and services a cybercrime.

Petitioner’s Argument:

Violation of due process clause (ALAM, et al. Petition)

Violation of equal protection clause (PIFA, et al. Petition)

Sol Gen’s Argument:

“Unsolicited Commercial Communications or ‘SPAM’ is outlawed because worldwide, SPAM messages waste the storage and network capacities of Internet Service Providers (ISPs), and are simply offensive to the unwilling recipient.”

“Flooding the internet with useless and nuisance and bulk emails burden the internet networks and reduce the efficiency of commerce and technology. They also result to tremendous losses in revenue if left unpunished.”

“Spam can, in principle, properly be considered a type of trespass-since it is a means by which the spammer uninvitedly use another’s property. Spam can also be considered a nuisance because of its substantial interference with the peaceful enjoyment of a property, which causes considerable amount of damage consisting of clogged disc spaces, network congestion, financial loss and loss of productivity.”

“Spamming is at most commercial speech not worthy of constitutional protection. It is intrusive to the privacy of the internet users and unlawfully appropriates the storage and network of ISPs without compensation and for profit. The government has an interest in the free, efficient flow of information, commercial technology in the Internet.”

VII.

Provision: Sec. 4(c)(4)

Description: Makes libel as defined under Art. 355 of the Revised Penal Code when committed through a computer system or any other similar means a cybercrime.

Petitioner’s Argument:

Violation of due process clause (Biraogo Petition; Guingona Petition; Adonis, et al. Petition; Palatino et al. Petition; Reyes, et al. Petition; Sta. Maria et al. Petition; Castillo, et al. Petition; Cruz, et al. Petition; PBA, et al. Petition; NPCP et al. Petition;

Violation of equal protection clause (Guingona Petition; Sta. Maria, et al. Petition; Castillo et al. Petition; NPCP, et al. Petition)

Abridgment of freedom of speech, expression and press guarantees (Biraogo Petition; Disini, et al. Petition; Adonis, et al. Petition;

Sol Gen’s Argument:

“Online libel is not a new crime. Online libel is a crime punishable under the Articles 353, in relation to Article 355 of the Revised Penal Code. Section 4(c)(4) just made express an avenue already covered by the term ‘similar means’ under Article 355, to keep up with the times. This would immediately negate the oft-used defense that libel committed through the use of the internet is not punishable. That said, the relevant provisions of the Revised Penal Code on libel and jurisprudence on the subject gives ascertainable standards and well-defined parameters which would enable an accused to determine the nature of his violation.”

“The computer system is just another means of publication”

“Libel committed through a computer system can therefore be defined as a public and malicious imputation of a crime, or of a vice or defect, real or imaginary, or any act, omission, condition, status, or circumstance tending to cause the dishonor, discredit, or contempt of a natural or juridical person, or to blacken the memory of one who is dead, committed through a computer system or any other similar means which may be devised in the future.
“Libel is not constitutionally protected speech.”

“even without Section 4(c)(4), a public malicious imputation of a crime, or of a vice or defect, real or imaginary, or any act, omission, condition, status, or circumstance tending to cause the dishonor, discredit, or contempt of a natural or juridical person, or to blacken the memory of one who is dead, made with the use of the computer system already constitutes libel.

“online libel was already a crime punished under Articles 353 to 362 of the Revised Penal Code, and to date, has never been declared unconstitutional on the ground of abridging the right to free speech, freedom of expression and of the press.

“it must be emphasized that cyber libel was not given a higher penalty under Section 4(c)(4). Notably, R.A. No. 10175 did not provide for a distinct penalty for Section 4(c)(4). The ‘one degree higher penalty’ was imposed under Section 6 for all the crimes under the Revised Penal Code and special penal laws committed with the use of ICT.”

Petitioner’s Argument (Sec. 4(c)(4), continued):

Violation of the rule on double jeopardy (NPCP, et al. Petition)

Sol Gen’s Argument: (none listed)

Petitioner’s Argument:

Being a bill of attainder (NUJP, et. al. Petition)

Sol Gen’s Argument: (none listed)

Petitioner’s Argument:

Being an ex post facto law (PIFA et al. Petition)

Sol Gen’s Argument:

“libel committed by using computer system is punishable under Articles 353-362 of the Revised Penal Code. Section 4(c)(4) merely made expressed another venue for the commission of libel. Said addition does not make said provision ex post facto. Libelous statements made through computer systems prior to the enactment of R.A. No. 10175 are already considered punishable under the Revised Penal Code.”

Petitioner’s Argument:

Violation of the International Covenant on Civil and Political Rights (Adonis, et al. Petition; Reyes, et al. Petition)

Sol Gen’s Argument:

“Libel is unprotected speech. It remains to be a crime in many nations.”

“The text of the ICCPR does not mandate the decriminalization of libel. In fact, ICCPR recognizes that the freedom carries with it special duties and responsibilities and may be subject to certain restrictions as are provided by law and as are necessary for the respect of the rights or reputations of others”

VIII.

Provision: Sec. 5

Description: Declares the aiding or abetting in the commission of Cybercrime and the attempt in its commission as a cybercrime offense.

Petitioner’s Argument:

Violation of due process clause (Reyes, et al. Petition; Sta. Maria, et al. Petition; Cruz, et al. Petition; PBA, et al. Petition; NPCP, et al. Petition)

Violation of equal protection clause (NPCP, et al. Petition)

Violation of freedom of expression clause (NUJP, et al. Petition)

Violation of rule on double jeopardy (NPCP, et al. Petition)

Being a bill of attainder (NUJP, et al. Petition)

Sol Gen’s Argument:

“A criminal statute does not become void just because of its reference to general terms, or in this case, of its use of the terms ‘aid’ or ‘abet,’ and ‘attempt.’ There is no constitutional or statutory duty on the part of the lawmakers to define every word in a law, as long as the intent can be gathered from the entire act.”

“The test in determining the ambiguity of a statute is whether the words convey a sufficiently definite warning with respect to the proscribed conduct based on common understanding and practice. The words of a statute are interpreted in their plain and ordinary meaning. There is no need for absolute precision in order to appreciate the words of the statute. A reasonable degree of certainty and flexibility, with clearly delineated limitations, is acceptable.”

“a person who is guilty of aiding and abetting is simply considered an accomplice. Section 5, when read together with Section 8, last paragraph of R.A. No. 10175, shows that a person guilty of aiding and abetting is penalized as an accomplice.”

The laws on libel and as now contained in Section 4(c)(4) “do not operate as ‘prior restraints’ to speech. These libel acts provide for ‘subsequent punishment.’ Thus, petitioners are free to exercise their right to speak out. If what they express is libelous, then they risk subsequent punishment.

IX.

Provision: Sec. 6

Description: Imposes a penalty one degree higher for crimes penalized by the Revised Penal Code and special laws, if committed with the use of information and communication technology.

Petitioner’s Argument:

Violation of due process clause (Guingona, et al. Petition; NUJP, et al. Petition; Cruz, et al. Petition; NPCP, et al. Petition)

Violation of equal protection clause (Guingona, et al. Petition; Adonis, et al. Petition; Sta. Maria, et al. Petition; Cruz, PBA et al. Petition; NPCP, et al. Petition)

Violation of freedom of expression clause (NUJP, et al. Petition; Cruz, et al. Petition; NPCP, et al. Petition)

Violation of rule on double jeopardy (Disini et al. Petition; Reyes, et al. Petition; Sta. Maria, et al. Petition; NPCP, et al. Petition)

Being a bill of attainder (NUJP, et al. Petition)

Being incompatible with Art. 19, par. 3 of the International Covenant on Civil and Political Rights on freedom of expression (PIFA, et al. Petition)

Sol Gen’s Argument:

“The presumption is that the language used in a statute, which has a technical or well known legal meaning, is used in that sense by legislation.”

“thus the first sentence of Section 6 is clear, delimited in scope and is valid.”

“Double jeopardy is inherently a ‘procedural defense’ or a shield that forbids a defendant from being subjected to the possibility of being penalized twice, or being tried again on the same (or similar) charge following a legitimate acquittal or conviction. It is not a constitutional prohibition against laws that may present possible prosecution for an offense penalized under other laws or statutes. Hence, the mere possibility of prosecution for two separate offenses by itself would not render either law unconstitutional.

The Supreme Court “has subscribed to the conclusiveness of an enrolled bill. It has consistently refused to invalidate a law or provision of law, on the ground that the bill from which it originated contained no such provision, and was merely inserted by the Bicameral Conference Committee of both houses.

“The guaranty of the equal protection of the laws is not violated by a legislation based on a reasonable classification. The equal protection clause, therefore, does not preclude classification of individuals who may be accorded different treatment under the law as long as the classification is reasonable and not arbitrary.”

The classification rests on substantial distinction because of the “scope of reach,” “accessibility,” and “effect.”

“Thus, due to this nature of the internet, any person with minimal equipment and once online can have the opportunity to create worldwide chaos or intrude into the privacy of others without much obstacle.”

The principal purpose of the law is “to maintain minimum standards of decency, morality and civility in human society. The qualifying circumstance of use of ICT was included in Section 6 as means to deter the increasing commission of cyber offenses.

“the increase in penalties under Section 6 of R.A. No. 10175 is, therefore justified and consistent with the policy of the law.”

The Act is not a bill of attainder, “Section 6 does not seek to punish a status or a group but the action, i.e, using ICT to commit crimes.”

“Section 6 does not punish internet users without the benefit of a trial. It merely makes the use of ICT a qualifying circumstance for all crimes and offenses. All elements including the use of ICT, must be established by proof beyond reasonable doubt.”

X.

Provision: Sec. 7

Description: Provides that prosecution under this law is without prejudice to any liability for violation of the Revised Penal Code or special laws.

Petitioner’s Argument:

Violation of due process clause (NUJP, et al. Petition; Cruz, et al. Petition)

Violation of equal protection clause (Disini et al. Petition; Sta. Maria, et al. Petition; NUJP, et al. Petition)

Violation of freedom of expression clause (NUJP, et al. Petition; Cruz, et al. Petition)

Violation of rule on double jeopardy (Disini et al. Petition; Guingona, et al. Petition; Adonis, et al. Petition; Reyes, et al. Petition; Sta. Maria, et al. Petition; NUJP, et al. Petition; PBA, et al. Petition)

Sol Gen’s Argument:

The Supreme Court said that “when two different laws defines two crimes, prior jeopardy as to one does not bar prosecution of the other although both offenses arise from the same fact, if each crime, involve some important act which is not essential element of the other, the protection against double jeopardy is only for the same offense.”

XI.

Provision: Penal Provisions

Petitioner’s Argument:

Unconstitutional (Biraogo, et al. Petition)

Sol Gen’s Argument:

“it is within the power of the legislature to determine what acts or omissions other than those set out in the Revised Penal Code or other existing statutes are to be condemned as separate, individual crimes and what penalties should be attached thereto. This legislative power is not diluted or improperly wielded simply because at some prior time the act or omission was but an element or ingredient of another offense, or might usually have been connected with another crime.

XII.

Provision: Sec. 12

Description: Authorizes law enforcement authorities, by technical means, after finding due cause, to collect or record traffic data in real-time, associated with specified communication transmitted by means of a computer system.

Petitioner’s Argument:

Violation of due process clause (Castillo, et al. Petition)

Violation of freedom of expression clause (Biraogo, et al. Petition; Castillo, et al. Petition)

Violation of rule on searches and seizures (Reyes, et al. Petition; Castillo et al. Petition, Cruz, et al. Petition; PBA, et al Petition)

Allows warrantless electronic surveillance (NUJP et al. Petition)

Violation of right to privacy (Reyes, et al. Petition; NUJP et al. Petition; Castillo et al. Petition, Cruz, et al. Petition; PBA, et al Petition)

Sol Gen’s Argument:

The collection of traffic data will not result in any search or seizure of petitioner’s persons and/or property.

The right to privacy does not extend to traffic data.

Traffic data is non-content data that consists of the origin, destination, route, time, and date of the communication.

The rationale for the collection of traffic data is analogous to the one used and recognized in a valid warrantless search of a moving vehicle and to that under exigent circumstances… under existing technology, it is quite impossible to describe the place, things and persons to be searched because what is originally posted or made available online or stored in local computer systems may be changed, removed, or passed on to another instantaneously.

Real-time collection of traffic data is akin to the collection of information derived from visual surveillance of an open physical space and does not intrude into “private” space.

There is no necessity to secure a warrant where there is no invasion of personal space.

Because traffic data is non-content information, the Constitution does not require that it may be collected only upon the prior authority of a judicial warrant.

No privacy can be expected from information revealed to or made available to a third party.

XIII.

Provision: Sec. 13

Description: Preserves data.

Petitioner’s Argument:

Violation of due process clause (Palatino, et al. Petition)

Violation of right to privacy (PIFA, et al. Petition)

Sol Gen’s Argument:

Sec. 13 is directed to a service provider and not to individual users.

Requirement under the first sentence of Sec. 13 is a mere amendment to the franchise of telephone companies.

Sec. 13 only calls for the preservation of traffic data and subscriber information… The subscriber’s use and disposition of the preserved data are not being restricted.

XIV.

Provision: Sec. 14

Description: Empowers law enforcement authorities, upon securing a search warrant, to issue an order requiring any person or service provider to disclose or submit traffic data within his possession or control.

Petitioner’s Argument:

Undue delegation of judicial powers to PNP and NBI (NUJP et al. Petition)

Sol Gen’s Argument:

The order referred to in Sec. 14 is to be issued upon securing a court warrant.

There is no need to conduct the search and seizure themselves; law enforcement agencies will just require or order the data custodian to produce the relevant data. It’s done pursuant to a court-issued warrant.

The power to issue subpoena is inherent in the power to investigate and may thus be exercised by the law enforcement authorities.

Having subpoena powers does not necessarily clothe law enforcement agencies with judicial power.

XV.

Provision: Sec. 15

Description: Defines the powers and duties of law enforcement authorities in the implementation of the search and seizure warrant.

Petitioner’s Argument:

Undue delegation of judicial powers to PNP (NUJP et al. Petition)

Being an unlawful search and seizure (Palatino, et al. Petition)

Sol Gen’s Argument:

Search and seizure is a plainly law enforcement function.

This Honorable Court already recognized the authority of law enforcement agencies to seize, retain, and destroy computer hardware and software containing pornographic materials in violation of Art 201 of the Revised Penal Code.

XVI.

Sec. 17

Authorizes service providers and law enforcement authorities, upon expiration of the periods under Sec. 13 and 15 to immediately and completely destroy the computer data subject of a preservation and examination.

Violation of due process clause (Reyes, et al. Petition; Palatino, et al. Petition)

Sec. 17 merely provides for a process of clearing up the telcos’ systems to avoid overloading their storage capacity.

The clean up protects individuals from unnecessary delay in the investigation and prosecution of a cybercrime.

XVII.

Sec. 19

Authorizes Department of Justice to issue an order to restrict or block access to computer data found prima facie to be in violation of RA 10175

Violation of due process clause (Disini, et al. Petition; Guingona, et al. Petition; Sta. Maria, et al. Petition; NUJP, et al. Petition; Castillo, et al. Petition; Cruz, et al. Petition; NPCP, et al. Petition)

Being an unlawful search and seizure (Guingona, et al. Petition; Castillo, et al. Petition; Cruz, et al. Petition; NPCP, et al. Petition)

Violation of right to privacy of communication (Sta. Maria, et al. Petition; Castillo, et al. Petition; NPCP, et al. Petition)

Violation of freedom of expression clause (Sta. Maria, et al. Petition; Cruz, et al. Petition)

Violation of rule on double jeopardy (Sta. Maria, et al. Petition)

Undue delegation of legislative authority (Disini, et al. Petition)

Being a grant of unbridled power to the Sec. of Justice to act as a “judge, jury and executioner” of all cyber crime related complaints (Disini, et al. Petition; Reyes, et al. Petition)

Undue delegation of judicial function (Adonis, et al. Petition; NUJP, et al. Petition)

Sec. 10 is an impermissible final restraint on the freedoms of speech and expression.

Sec. 19 seeks to restrain access to, circulation and dissemination of computer data prima facie found to be violative of the provisions of RA 10175. It covers not just conduct but broadly and dangerously sweeps speech.

DOJ’s findings are unprotected speech and expression.

It does not provide for constitutionally mandated procedural safeguards that would justify final restraint.

XVIII.

Sec. 20

Penalizes any person who fails to comply with the order from law enforcement authorities.

Violation of right to privacy of communication and correspondence (Biraogo, et al. Petition)

Violation of freedom of expression clause (Biraogo, et al. Petition)

Being a bill of attainder (NUJP, et al. Petition)

Sec. 20, by its reference to PD No. 1829, clearly sets the definitive elements that will constitute non-compliance.

A person must still be prosecuted for obstruction of justice and thereafter, proven to have knowingly or willfully defied the orders of law enforcement authorities before he will be penalized for non-compliance.

XIX.

Sec. 24

Gives the CICC the power to formulate a national cyber security plan

Undue delegation of legislative power (NUJP, et al. Petition)

Powers of the CICC with respect to enactment of relevant laws, issuances, measures, and policies are merely recommendatory.

A perusal of Sec. 2 of RA 10175 readily reveals that the policy of the State deals with the “interest of law and order,” “public interest,” and “justice and equity,” which are sufficient standards.


How to fix the cybercrime law

The underlying rationale for the Cybercrime Law isn’t of course evil. In fact, we should have one. The problem of course stems from the draconian implementation, and the misreading of what the Internet is, what the opportunities that it provides not just for individuals but for the economy of a nation, and the myriad dangers online that the government needs to be able to protect or defend from.

Any law that seeks to address these fundamental dangers must be grounded first in protecting civil rights.

This age we are living now is on the corner of the 20th and 21st centuries. We have a nation on the cusp of change, but in many ways remain decades behind. Still, we are faced with increasing threats not just individually on Cyberspace like Identity Theft, like malware, but on a national level, as the nation recently experienced with our brushoff with Taiwan.

The dangers are many. The dangers are myriad. And we are not prepared to meet it head on.

Perhaps, the problem is as many Philippine problems are— rooted in incapacity. Incapacity to build for the future. Whether or not the Philippines is ready, the threats are there. There is no stopping it.

Amy Davidson of the New Yorker recently wrote a review of Star Trek into Darkness, asking if the movie was a drone allegory. She wrote, “The dialogue contains several reminders that, confronted by danger, we must not forget “who we are”—one comes in a speech that Kirk gives at the very end. One fears that what he means is not that he should remember that he is an officer in a society governed by laws—and for good reason—but that he is James Tiberius Kirk. The only real conclusion in the movie is that Kirk should trust his instincts, and carry on meaning well and standing up for his friends. President Obama is due to give a big speech on Thursday about counterterrorism, drones, detainees, and everything he’s trying to do in that space. For a President who has been accused of being Spock-like, his approach to national security and the law has been far too Kirk-like: driven by a belief that his good will alone, his character, compensates for legal limbos like Guantánamo and discredits the anger, here and abroad, about drones. He remembers who he is, and thinks that that should be enough. He’s wrong; what we need to remember is what America is, and ought to be.”

In many ways, I think this mirrors our own brush with Cybercrime Law. I think it boils down to the question: who we are as a nation. Who we are as a society, and as a people. I’d like to ask Secretary de Lima, President Aquino, and Members of Congress this: who do you want the nation to be decades down the road.

Daan Matuwid is built on the premise that without corruption, our nation can be better. So it asks the nation to pay the right taxes. It takes on the fight to oust Renato Corona as Chief Justice. The President is adamant to get his predecessor to answer for her alleged crimes against the nation. The argument is right. How can we as a nation become better if these crimes go unanswered?

In the same respect, what kind of a nation are we building with laws like the Cybercrime Prevention Act? What does it say about us as a people? What does it say about where our leaders are taking us?

So what we need is legislation that looks towards the future. Democracy.net.ph says we need a holistic approach to cybercrime legislation. We need to look at it from the perspective of Civil Rights, Governance, Development and Security. Which is why the group is proposing the Magna Carta for Philippine Internet Freedom. In fact, it was filed before the Senate during the 15th Congress, and the group is working hard to get it filed before the 16th Congress when it opens and perhaps get it passed.

So legislation must take account of people’s rights. It needs to be grounded on that. The Constitution of course guarantees the bill of rights. It is more than that. We need to legislate that the Internet be viewed as a place where truth and beauty are created. Where culture thrives.

Legislation on the Internet also needs to address the “problem” of the Philippines with respect to building capacity. So there should be an economic component. The Internet you see is viewed in similar terms to a railway, a highway, a farm to market road, electricity, and ports. It boosts productivity. So the government needs this. Raise the economy through the use of ICT, and not just because there are BPOs, but because ordinary companies are more productive when decks are sent faster. When Employees can communicate through Voice Over IPs or at the very least, reliable telephony.

The threats to security are profound. We are faced with nation-states building Cyber Armies. We are faced with non-state actors like Anonymous conducting denial of service attacks. It is a reverse Kiram and these hacktivists think that DDoS is a reasonable form of civil disturbance online.

There are many more things that need to be thought of. There should be a wide debate on the issue. There should be a demystifying of the issues. How can governments who don’t live and breathe the internet attempt to write legislation for it?

Understanding the Internet

In 1996 a Time Magazine article came out. Philip Elmer-Dewitt wrote about the First Nation of Cyberspace and in it he said, “The Internet imposes no restrictions. Anybody can start a discussion on any topic and say anything. There have been sporadic attempts by local network managers to crack down on the raunchier discussion groups, but as Internet pioneer John Gilmore puts it, “The Net interprets censorship as damage and routes around it.””

Journalist Ellyne Phneah points out, “Governments need to know what problems the cybersecurity legislation is meant to address, or they will face public backlash over the possible intrusions to their personal rights.”

Therein lies the crux of the issue.

Kabataan Partylist files their vision of Internet Freedom

Kabataan Partylist representative Raymond Palatino files their vision of Internet Freedom in the Philippine House of Representatives. It is a first step in the ongoing debate of Internet Freedom, Cybercrime, and the very state of Internet Freedom in the Philippines.

Not surprisingly, the vision that Kabataan Partylist is highlighting is one narrowed to the relationship of the user to local Internet Service Providers. This isn’t surprising, given the present state of the Internet in the Philippines, and the push of Kabataan Partylist and similar organizations for “better internet”. So, this isn’t surprising, given the Kabataan Partylist’s ideology. This is the polar opposite of the Philippine Cybercrime Prevention Act.

So how does this vision of the Kabataan Partylist begin?

It starts off with a definition of what they believe Internet is. “Internet,” Kabataan Partylist writes, “refers collectively to the myriad of computers and telecommunications facilities, including equipment, and operating software which comprise the interconnected worldwide network of networks that employ the transmission control protocol or internet protocol, or any predecessor or successor protocols to such protocol to communicate information of all kinds by wire, radio, or other electronic media.”

It seems to suffer from an identity crisis, encompassing even the data stored on “electronic media” like hard drives, flash drives, usb flash drives, and broadcast, which refer to “wire”, and “radio”. Attempting to be clever, but muddling the issue of what the Internet is.

I asked this once of Senator Ed Angara on twitter, why his definitions in the Cybercrime law were far from the dictionary definitions. What I meant to say, far from the definitions that normal people— society in general say it is. And I got something like the definition in law is different, because it is. Why don’t lawmakers stick to the definitions that Industry experts have come to agree on already? Why diverge? Why muddle?

In Kabataan Partylist’s defense, they do mention TCP/IP or the Transmission Control Protocol/Internet Protocol that drives the Internet, which is more than what other similar initiatives like the Cybercrime Prevention Act say it is, which coincidentally mentions the Internet only twice, and has not defined what it means. Another example, under the 14th Congress, Senator Trillanes filed Senate Bill 2145: “The Telecommunications Convergence Act of the Philippines,” and it reached committee level.

The Kabataan Partylist goes on to define what Internet Access is. They mean how users connect to the internet through a “computer with a modem”, and using “common methods of Internet access such as dial-up, landline, T-lines, WiFi, satellite, cell phones, and similar technologies”.

Truth be told I remembered this entry from @franky on Facebook. I am uncertain if the post is public, but he was referring to Commission on Election resolution on online advertising by politicians, and he wrote: “Another example of not understanding how the internet works.”

Exactly.

Haven’t you noticed that more, and more people are connecting to the Internet using Post-PC devices? Smartphones and tablets, and to limit “Internet access” to “computer with a modem”, and to differentiate “cellphones” from computers is a very limited understanding of what this is all about. I fear that this bill, should it become law will be obsolete even before it has an opportunity to work.

The Kabataan Partylist vision of Internet Freedom can be summed up as an “Internet Service Contract Act”.

The Universal Access to the Internet and Rights of Internet Users provisions, for instance, make one wonder if we’re not reading an “Internet Service Contract Act”, and not really one on Internet Freedom. The Kabataan Partylist vision, for example, is silent on rooting and jailbreaking.

Leonardo da Vinci, Edison, Henry Ford, and Woz have one thing in common. They all had to scratch an itch. They all tinkered, and at the heart of the hacker ethos that’s what it is. Hackers aren’t the lawless individuals media often portrays them to be. Hackers are curiosity unbridled that you go and set out to explore— to tinker— to ask, “what if?”

What has this got to do with the Internet, and the whole notion of Internet Freedom? At the core of what the Internet is— is this hacker philosophy. Putting all these pieces together makes the Internet work, and at the heart of that is that tinkering— developer mentality. Without it, this whole Internet, this whole “rebellion”, and “democratization” of information, technology and basically just about everything will not have come to be real. The Kabataan Partylist version of Internet Freedom is silent on this. I think it is fundamentally important that rooting, and jailbreaking are fundamental rights that ought to be recognized just as network neutrality— that data be seen equally be recognized because this spurs innovation.

The Kabataan Partylist bill is the Cybercrime Prevention Act all over again— but in this case, the polar opposite. Where the Philippine Cybercrime Prevention Act stands is the government and law enforcement vision of the Internet. Which, naturally, means they want the maximum ability to do their jobs. Take down clauses, cybersex ideology, and in my opinion— “draconian powers” are natural byproducts of being in the other side of the fence.

The latest Distributed Denial of Service attacks, defacement of websites are just some of the things that make people seethe. It isn’t helping the cause to achieve Internet Freedom in the Philippines. In fact, it is doing quite the opposite. It is making it harder to get people who don’t know to understand what this is all about. When a gun is pointed to your head, or when the voices are screaming, the natural reaction is to scream back. Let me tell you that government isn’t too pleased with attacks. People rarely listen when all they can see are guns, and screaming. So that’s the other good thing about the Kabataan Partylist coming out with their idea of what Internet Freedom is. So a real debate can happen. We can see people’s ideas and not ruckus. This is what an informed democracy is about. The people talk, and hash out our differences like adults. We could all use a little emotional quotient, as much as we have an intelligent quotient.

We all want Internet in the Philippines to be blazing fast. How many times have we heard ourselves say that downloads are too slow? You know, just to get that deck that’s urgently needed? Let’s not even talk about how much video on the Internet buffers or how productivity is affected because of slow internet. The Internet is more than that. How to achieve faster downloads requires more than the rights to get online, or to have faster speeds. That’s the effect. That’s the endgame, how to get there means something else. It is, in my humble opinion important to get the fundamentals correctly.

It is an interesting first step that Kabataan Partylist has in fact written their view of what the Internet is. In fact, it is a laudable first step. It is a sign that there is at least some attempt in Congress to think about this. What saddens me is that this is the Cybercrime Prevention Act all over again. It is a shallow piece that looks at it from one point of view, just like the Government thinks about it in their point of view. Like the Cybercrime Prevention Act, it does fall short of what actually needs to be done. The Kabataan Partylist mean well— I mean how can you not mean well, if you only want good Internet for all? The Cybercrime Prevention Act also means well. It meant to go after the bad guys that in the government’s and the law enforcement point of view, they can’t. I like to think that none of these approaches are malicious, nor foolhardy. In my humble opinion, both views represent the poles of what ordinary people think of the Internet. I hope that experts in the field can come up and advise all these people of what should be done. What limits and powers there ought to be. This is still a laudable first step in the process of understanding, and a welcome part of the ongoing debate. At least, they are trying. I hope that everyone can come together— all spectrum— to have real governance. There is much to bridge in the gap of intelligence, and understanding, and I hope that people and groups can come out and teach.

It is my belief that the Magna Carta for Philippine Internet Freedom that Senator Santiago filed represents the end goal of these two distinct points of view. It balances some of the rights— and adds more to the rights that the Kabataan Partylist want, at the same time, the MCPIF addresses the need of government to have some teeth. What’s more, it is my humble opinion that the MCPIF goes beyond both measures as it seeks to balance rights, governance, development and security.

(Disclosure: the author is a founding member of Democracy.Net.PH, and he helped draft the Magna Carta for Philippine Internet Freedom with fellow members).