Cybercrime Laws in the Philippines
A Brief Retrospective View
The ILOVEYOU Worm
- In 2000, Onel De Guzman, a Filipino, created the ILOVEYOU worm.
- The worm spread via email with an attachment named "LOVE-LETTER-FORYOU.txt.vbs".
- Opening the attachment ran code that forwarded the email to all of the user's contacts.
- The worm affected email accounts globally, including those of U.S. officials.
- The FBI traced the worm back to the Philippines.
- Estimated damages caused by the worm reached $10 billion USD.
Legal Consequences and Legislative Response
- Upon arrest, Onel De Guzman was released because there were no existing laws to prosecute him for cybercrimes.
- Onel De Guzman’s actions revealed a significant threat and lack of legal provisions criminalizing cybercrimes, leaving internet users vulnerable.
- Legislators moved quickly to enact laws covering cybercrime.
Philippine E-commerce Act of 2000 (Republic Act 8792)
- R.A. 8792 recognizes the use of electronic commercial and non-commercial transactions and documents and defines penalties for unlawful use.
- It aimed to deter future actions similar to Onel De Guzman's by defining certain illegal activities concerning the use of various devices.
Important Provisions of R.A. 8792
- Ch. II. Sec 6. Legal Recognition of Data Messages: Information is not denied legal effect, validity, or enforceability solely because it is in the form of a data message.
- This provision grants text messages, emails, and similar electronic communications (such as unaltered screenshots) the same legal validity as physical messages.
- Ch. II. Sec 7. Legal Recognition of Electronic Documents: Electronic documents have the same legal effect, validity, and enforceability as any other document or legal writing.
- For evidentiary purposes, an electronic document is the functional equivalent of a written document under existing laws.
- This provision gives soft copies of documents the same legal validity as physical documents, provided their authenticity is verified.
- Ch. II. Sec 8. Legal Recognition of Electronic Signatures: An electronic signature on an electronic document is equivalent to a person's signature on a written document.
Prohibited Acts Under R.A. 8792
Hacking / Cracking
- Unauthorized access into a computer system/server or information and communication system.
- Any access to corrupt, alter, steal, or destroy data using a computer without the owner's knowledge and consent.
- Introduction of computer viruses resulting in corruption, destruction, alteration, theft, or loss of electronic data messages or documents.
- Prosecution requires proof of intent to corrupt, alter, steal, or destroy data.
Piracy
- Unauthorized copying, reproduction, storage, uploading, downloading, communication, or broadcasting of protected material through telecommunication networks such as the internet, infringing intellectual property rights.
- Violations against R.A. 7394: The Consumer Act Of The Philippines
- R.A. 7394 protects consumers against hazards to health and safety and against deceptive, unfair, and unconscionable sales acts and practices.
Penalties for Hacking/Cracking and Piracy (Under R.A. 8792)
- Minimum fine of Php 100,000.00, with a maximum fine commensurate to the damage incurred.
- Mandatory imprisonment of 6 months to 3 years.
Penalties for violations against R.A. 7394
- A fine of Php 20,000 to Php 2,000,000 and/or imprisonment of 3 to 6 years.
Guide Questions and Clarifications (R.A. 8792)
- Connecting to an open WiFi network without the owner's consent: Does not constitute a violation of RA 8792, as there is no clear intent to corrupt, alter, steal, or destroy.
Case Study: Reyes vs. Global Beer Below Zero
- Reyes was dismissed for lateness and absences; he claimed the dismissal was communicated via phone call and text messages.
- Global claimed Reyes stopped reporting for work voluntarily.
- Reyes submitted screenshots of text messages as evidence, including messages like “Tet will contact you plus turnover” and “Brother, I already had Gen fix your salary.”
- Validity of screenshots of text messages as evidence in court: Text messages, videos, and photos are admissible in court.
- The Supreme Court ruled Reyes’ dismissal as INVALID.
Cybercrime Prevention Act of 2012 (Republic Act 10175)
- Considered the most comprehensive cybercrime law in the Philippines.
- It is the cornerstone of cybercrime protection for citizens.
- R.A. 10175 aims to prevent and combat cybercrime by facilitating detection, investigation, and prosecution at both domestic and international levels, providing arrangements for fast and reliable international cooperation.
Definition of Cybercrime
- A crime committed with or through the use of information and communication technologies such as radio, television, cellular phone, computer, network, and other communication devices or applications.
Three Types of Cybercrimes
- Offenses against the confidentiality, integrity, and availability (CIA) of computer data and systems.
- Computer-related offenses.
- Content-related offenses.
- Note: Offenses related to infringements of copyright and related rights are not included in RA 10175, as a separate law addresses such offenses.
Jurisdiction of RA 10175
- Any violation committed by a Filipino national, regardless of the place of commission.
- Any element of the violation committed within the Philippines or with the use of any computer system partly or wholly situated in the country.
- When any damage is caused to a natural or juridical person who, at the time of the offense, was in the Philippines.
Offenses Against the CIA of Computer Data and Systems (Ch. II. Sec 4 (a))
1. Illegal Access
- Access to the whole or any part of a computer system without right.
- Without right means lacking consent from the owner of the computer system.
- Access includes instruction, communication with, storing/retrieving data from, or making use of any resources of a computer system or communication network.
- Exemptions: White Hat Hackers are exempt as long as they perform only assigned tasks.
- Connecting to an open WiFi Network (WiFi with no password) without the consent of the owner: This is illegal access under RA 10175 because it constitutes using resources without consent.
2. Illegal Interception
Interception made by technical means without right of any non-public transmission of computer data.
Interception includes listening to, recording, monitoring, or surveillance of the content of communications through electronic eavesdropping or tapping devices while the communication is occurring.
Example: Receiving emails from fake sources asking for login credentials to steal user information.
3. Data Interference
The intentional or reckless alteration, damaging, deletion, or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses.
- Scenario: Receiving a virus through a friend's flash drive, even if the friend had no intention of infecting the computer, is still considered recklessness and data interference.
4. System Interference
The intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data or programs, electronic documents, or electronic data messages, without right or authority, including the introduction or transmission of viruses.
- This is an extension of data interference, affecting the whole system.
- Cryptojacking or Cryptomining Malware: Software programs and malware components developed to take over a computer's resources and use them for cryptocurrency mining without a user's explicit permission.
- Downloading files from torrent sites can let such malware use the computer’s CPU to mine cryptocurrencies, causing the computer to heat up.
- Website defacing is also an example.
5. Misuse of Devices
- The use, production, sale, procurement, distribution, or otherwise making available, without right, of a device or computer password designed primarily for committing offenses under this act.
- The possession of such items is also prohibited.
- Example: Use of Skimming Devices / Keyloggers.
- Ivaylo Sashov Galapov was arrested for using ATM cards in succession and was charged with R.A. 8792 and R.A. 10175 violations.
6. Cyber-squatting
The acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, or deprive others from registering the same, if the domain name is:
- Similar or identical to an existing trademark.
- Identical with the name of a person other than the registrant.
- Acquired without right or with intellectual property interests in it.
Examples:
- MikeRoweSoft: Mike Rowe, a student, registered MikeRoweSoft.com. Microsoft asked him to stop using the website; he eventually gave the domain away and received an Xbox console.
- Android.co.in: Jing Ren bought the domain Android.co.in and put it on sale for $19,500. Google sued and won the case, with Ren ordered to hand over the domain.
Preventive Measures:
- Register all possible domain names, from the exact name to all possible mistakes and similarities.
Computer-Related Offenses (Ch. II. Sec 4 (b))
7. Computer-Related Forgery
- The input, alteration, or deletion of any computer data without right, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic.
- Example: Hacking into the iSLU portal to change grades.
8. Computer-Related Fraud
- The unauthorized input, alteration, or deletion of computer data or programs or interference in the functioning of a computer system, causing damage thereby with fraudulent intent.
- Difference from Forgery: Fraud involves damage with monetary value.
- Examples:
- Hacking into a bank’s database and changing account balances.
- Asking people to send prepaid load under false pretenses.
9. Computer-Related Identity Theft
- The intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another, whether natural or juridical, without right.
- Example: Fake profiles on social media using another person's pictures and personal details.
Content-Related Offenses (Ch. II. Sec 4 (c))
10. Cybersex
The willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.
- If two individuals, even if partners in life, consent to record any sexual act they are doing, it does not constitute cybersex because the act is not done for “any favor or consideration.”
11. Child Pornography
The unlawful or prohibited acts defined and punishable by Republic Act No. 9775 (Anti-Child Pornography Act of 2009) committed through a computer system.
- Includes any representation, whether visual or audio, of a child engaged or involved in real or simulated explicit sexual activities.
- Possession with intent to sell: 20 years and 1 day to 40 years imprisonment AND fine of Php 750,000.00 to Php 1 million
- Willful access: 6 years and 1 day to 8 years imprisonment AND fine of Php 200,000.00 to Php 300,000.00
- Possession: 3 months and 1 day to 4 months AND fine of Php 50,000.00 to Php 100,000.00
- “Hentai” clips do not violate this law unless they contain a character explicitly identified as a minor.
12. Online Libel
Libel is the public and malicious imputation of a crime, real or imaginary, or any act, omission, condition, status, or circumstance tending to cause the dishonor, discredit, or contempt of a natural or juridical person, or to blacken the memory of one who is dead.
Elements of Libel:
- Allegation of a discreditable act or condition concerning another.
- Publication of the charge.
- Identity of the person defamed.
- Existence of malice.
There is "actual malice" or malice in fact when the offender makes the defamatory statement with the knowledge that it is false or with reckless disregard of whether it was false or not.
Example Post: “Hey Maria David! You are a flirt! Everyone knows you will go with just anyone! Every night you are at the park, together with your mother! How much is our rate now? 500 hundred, three hours? Huh? Prostitute! Prostitute! You and your mother are prostitutes!”
- The person who posted it is liable for libel because all elements are present.
- Liking or reacting to the post does not constitute libel.
- Sharing the post does not constitute libel because the statements were not made by the sharer.
- Commenting “Yes, indeed!” does not constitute libel.
- Commenting “Yes, indeed! You and your mother really are prostitutes!!” constitutes libel because it states an allegation toward Maria David.
13. Unsolicited Commercial Communication
The transmission of commercial electronic communication seeking to advertise or sell products and services.
- The Supreme Court ruled on February 11, 2014, that spamming is NOT illegal and struck down this provision of RA 10175 as unconstitutional.
The Concept of PRIVACY
Privacy Under the Civil Code (Republic Act 386)
This is the right of an individual to be free from unwarranted publicity or interference by the public in matters not necessarily of public concern.
- The State recognizes the right of the people to be secure in their houses and the right to privacy cannot be denied. There is an expectation of privacy without consent.
Privacy in the Civil Code Art. 26
- Every person shall respect the dignity, personality, privacy, and peace of mind of his neighbors and other persons.
Prohibited Acts Under the Civil Code
- Prying into the privacy of another's residence.
- Meddling with or disturbing the private life or family relations of another.
- Intriguing to cause another to be alienated from his friends.
- Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.
Hing vs. Choachuy (2013)
- An individual cannot install surveillance cameras on his own property facing the property of another.
- A man’s house is his castle, where his right to privacy cannot be denied. It includes any act of intrusion into, peeping, or peering inquisitively into the residence of another without consent.
- The installation of surveillance cameras should not cover places where there is a reasonable expectation of privacy unless consent is obtained.
Expectation of Privacy in the Workplace/School
- Employees in the workplace have less or no expectation of privacy.
- Students have less or no expectation of privacy within school grounds.
Recording Audio and Wiretapping
- The installation of a CCTV camera with audio cannot be considered tapping a wire or cable.
Zulueta vs. C.A. (1996)
Cecilia, the wife of Dr. Alfredo, forcibly opened drawers and cabinets in her husband's clinic and took 157 documents, including private correspondence and financial records.
These items were used as evidence in a legal separation case.
- The court ruled that the right to privacy of Dr. Alfredo Martin was violated.
Admissibility of Evidence in Legal Separation Case
- The documents and papers were inadmissible as evidence.
- The court stated that “the intimacies between husband and wife do not justify any one of them in breaking the drawers and cabinets of the other and in ransacking them for any telltale evidence of marital infidelity.”
Reasonable Expectation of Privacy
- When a person believes that one could undress in privacy without being concerned that an image of him or her is being taken.
- When a reasonable person would believe that one's private area would not be visible regardless of whether the person is in a public or private place.
- A person has a reasonable expectation of privacy inside a fitting room.
Photo and Video Voyeurism Act of 2009 (Republic Act 9995)
Punishable Acts
- Unconsented taking of a photo or video of a person engaged in a sexual act or capturing an image of the private area of a person under circumstances with a reasonable expectation of privacy.
- Copying or reproduction of such photo or video recording of the sexual act.
- Selling or distribution of such photo or video recording.
- Publication or broadcasting, whether in print or broadcast media, or the showing of such sexual act or any similar activity through VCD/DVD, the internet, cellular phones, and other similar means or devices without the written consent of the persons featured.
Definition of Private Area
- “Private area of a person” includes naked or the undergarment-clad genitals, pubic area, buttocks, or the female breast.
Non-Commercial Copying or Reproduction
- The mere copying or reproduction of said material will make one liable under the law regardless of the reason or whether one profits or not from such act.
- In fact, the mere showing of the material on one’s cellphone would violate the law.
Consent for Reproduction, Distribution, and Broadcasting
- Even if the person in the photo knew and consented to the video recording or taking of the photo, it doesn't mean the person gave written consent to its reproduction, distribution, and broadcasting.
Scope
- RA 9995 does not cover peeping toms who do not take photo or video recordings but may still be subjected to other civil or criminal cases.
- It only covers situations where there was capturing, photographing, recording, or copying of sexual acts or private parts.
Penalty
- 3 years to 7 years imprisonment AND a fine of Php 100,000.00 to Php 500,000.00
Data Privacy Act (Republic Act 10173)
Objectives
- Describe personal information, sensitive personal information, personal information controller, personal information processor, consent, and breach.
- Recognize the data privacy rights of a data subject.
Key Aspects
- Protects the privacy of individuals while ensuring the free flow of information to promote innovation and growth.
- Regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of personal data.
- Ensures that the Philippines complies with international standards set for data protection.
Important Definitions
- Personal Information Controller (PIC): The individual, corporation, or body who decides what to do with the data.
- Personal Information Processor (PIP): One who processes data for a Personal Information Controller but does not process information for the PIP’s own purpose.
- Consent: Where the data subject agrees to the collection and processing of his personal data. The agreement must inform:
- Purpose, nature, and extent of processing.
- Period of consent/instruction.
- Rights as a data subject.
- Breach: A security incident that:
- Leads to the unlawful or unauthorized processing of personal, sensitive, or privileged information.
- Compromises the availability, integrity, or confidentiality of personal data.
Personal Information vs. Sensitive Personal Information
- Personal Information: Any information or opinion about a particular individual that can be used in identifying a person.
- Examples: name, address, phone number, date of birth, email address.
- Sensitive Personal Information: A type of personal information that may be used to harm or discriminate against other people when mishandled.
- Examples: race or ethnic origin, political opinions, religious affiliations, criminal record, biometric information, medical records, and government-issued IDs.
Core Principles of RA 10173
- Transparency
- Legitimate Purpose
- Proportionality
Processing Personal Information
- The processing of personal information shall be allowed and shall adhere to the following:
- Principles of transparency.
- Legitimate purpose.
- Proportionality.
Principle of Transparency
- The data subject must know:
- The kind of personal data collected.
- How the personal data will be collected.
- Why personal data will be collected.
- The data processing policies of the PIC must be known to the data subject.
- The information to be provided to the data subject must be in clear and plain language.
Legitimate Purpose Principle
- Data collected must always be collected only for the specific, explicit, and legitimate purposes of the PIC.
- Data that is not compatible with the purpose for which the data was collected shall not be processed.
Principle of Proportionality
- The processing of personal data should be limited to such processing as is adequate, relevant, and not excessive in relation to the purpose of the data processing.
- Efforts should be made to limit the processed data to the minimum necessary.
Processing Sensitive Personal Information
- The data subject has given his or her consent.
- The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
- The processing is necessary for compliance with a legal obligation to which the personal information controller is subject.
- The processing is necessary to protect vitally important interests of the data subject, including life and health.
- The processing is necessary to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority.
- The processing is necessary for the legitimate interests pursued by the personal information controller, except where such interests are overridden by fundamental rights and freedoms of the data subject.
Rights of the Data Subject
- Right to be informed.
- Right to object.
- Right to access.
- Right to rectification.
- Right to erasure or blocking.
- Right to damages.
- Right to data portability.
- Right to file a complaint.
1. Right to be Informed
- This is the right to be informed that your personal data shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
- The disclosure must be made before the entry of the data into the processing system or at the next practical opportunity.
2. Right to Object
- The right to object to the processing of personal data, including processing for direct marketing, automated processing, or profiling.
- This includes the right to be given an opportunity to withhold consent to the processing in case of any changes or amendments to the information supplied or declared.
- There are several exceptions where you cannot invoke your right to object:
- Personal data is needed pursuant to a subpoena issued by a court.
- Processing is necessary for or related to a contract or service to which the data subject is a party.
- Information is being processed as a result of a legal obligation.
3. Right to Access
- The right to find out whether a PIC holds any personal data about you.
- The right to reasonable access to personal data that were processed, sources of personal data, names and addresses of recipients, manner/method of processing, information on automated process, date when personal data was last accessed and modified, designation, name or identity, and address of the PIC.
4. Right to Rectification
- This involves the right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately.
- It also includes access to new and retracted information, and simultaneous receipt thereof.
- Recipients previously given erroneous data must be informed of inaccuracy and rectification upon reasonable request of the data subject.
5. Right to Erasure or Blocking
- This is the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal information from the personal information controller’s filing system.
- The right to erase or block can be invoked in the following circumstances:
- There are data which are incomplete, outdated, false, or unlawfully obtained.
- The data was used for unauthorized purposes.
- The data is no longer necessary for purposes of collection.
- The processing of data was found to be unlawful.
- The PIC or PIP violated the rights of the data subject.
6. Right to Damages
- This is the right to be indemnified (receive compensation) for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.
7. Right to Data Portability
- The right to obtain a copy of data undergoing processing in an electronic or structured format that is commonly used and allows for further use by the data subject.
- Takes into account the right to have control over personal data being processed based on consent, contract, for commercial purposes, or through automated means.
8. Right to File a Complaint
- In circumstances wherein the PIC or the PIP has breached the privacy of the data subject, a complaint may be filed through complaints@privacy.gov.ph
- National Privacy Commission - Government agency responsible for implementing R.A. 10173.
Questions and Cases
A teacher/professor cannot search the contents of a student’s cellular phone without justification under a law or regulation; doing so may be considered unauthorized processing of data.
- However, there are exceptions:
- If it was done with the student’s consent (except if the student is a minor).
- If it is required by the student’s life and health, or by a national emergency.
Implied (indirect) form of consent: Not valid under the Data Privacy Act since consent must be freely given, specific, and informed with an indication of will.
Handwritten signatures: Not considered sensitive personal information, but may be personal information when used to identify an individual.
Usernames, passwords, IP and MAC addresses, location cookies and birthday (month and day only): Considered personal information only when combined with other pieces of information that may allow an individual to be distinguished from others.
Prohibited Acts: R.A. 10173
Unauthorized processing of personal information and sensitive personal information: Processing (sensitive) personal information without the consent of the data subject or without being authorized under the Data Privacy Act or any other law.
Accessing personal information and sensitive personal information due to negligence: Providing access to (sensitive) personal information due to negligence or without authorization under the Data Privacy Act or any existing law.
Improper disposal of (sensitive) personal information: Negligently disposing of, discarding, or abandoning the (sensitive) personal information of an individual in an area accessible to the public, or placing it in a container for trash collection.
Processing of personal information and sensitive personal information for unauthorized purposes: Processing personal information for purposes not authorized by the data subject or not otherwise authorized by the Data Privacy Act or under existing laws.
Unauthorized access or intentional breach: Knowingly and unlawfully violating data confidentiality and security data systems where personal and sensitive personal information is stored.
Malicious disclosure: Disclosing to a third party unwarranted or false information with malice or in bad faith relative to any (sensitive) personal information obtained by such PIC or PIP.