Cybercrime Prevention Act of 2012

The Cybercrime Prevention Act of 2012

The ILOVEYOU Virus

  • The ILOVEYOU virus was a computer worm that infected over ten million Windows personal computers starting May 5, 2000.
  • It spread through an email with the subject line "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs."
  • Opening the attachment triggered a Visual Basic script that damaged the local machine by overwriting random files, including Office documents and images.
  • It replicated itself by sending copies to all contacts in the Windows Address Book used by Microsoft Outlook, enabling it to spread faster than any previous email worm.
  • The malware was created by Onel de Guzman, a 24-year-old computer science student at AMA Computer College in Manila, Philippines.
  • At the time, Philippine law did not criminalize malware creation, prompting the Philippine Congress to pass Republic Act No. 8792, or the Electronic Commerce Act of 2000, in July of that year to prevent similar incidents.
  • However, since the Philippine Constitution prohibits ex post facto laws, de Guzman was not prosecuted.
  • Nullum crimen nulla poena sine lege - no one can be punished for an act unless it was a crime according to law at the time of its commission.

The Cybercrime Prevention Act of 2012

  • Republic Act No. 10175, otherwise known as the Cybercrime Prevention Act of 2012, is the legal framework in the Philippines which addresses crimes committed against and through the computer system.
  • It focuses on the pre-emption, prevention, and prosecution of cybercrimes such as offenses against the privacy, confidentiality, integrity, and availability of computer data and systems, computer-related offenses, and content-related offenses.
  • It was approved by the late former president Benigno “Noynoy” Aquino III on September 12, 2012, and took effect on October 3, 2012.

Cybercrime Offenses

  • The following constitute cybercrime offenses:
    • Offenses against the confidentiality, integrity and availability of computer data and systems (Section 4(a))
    • Computer-related Offenses (Section 4(b))
    • Content-related Offenses (Section 4(c))
  • A prosecution under this Act shall be without prejudice to any liability for violation of any provision of the Revised Penal Code, as amended, or special laws (Section 7).
  • However, the offender cannot be prosecuted for cyber child pornography under R.A. 10175 and child pornography under R.A. 11930 or the Anti-Online Sexual Abuse or Exploitation of Children (OSAEC) and Anti-Child Sexual Abuse or Exploitation Materials (CSAEM) Act, or cyber libel under R.A. 10175 and libel under the Revised Penal Code, because such will offend the constitutional rule on double jeopardy. (Disini v. Secretary of Justice, G.R. No. 203335, February 11, 2014)

Offenses against the confidentiality, integrity and availability of computer data and systems

  • Computer data refers to any representation of facts, information, or concepts in a form suitable for processing in a computer system including a program suitable to cause a computer system to perform a function and includes electronic documents and/or electronic data messages whether stored in local computer systems or online. (Section 3(e)).
  • Computer system refers to any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automated processing of data. It covers any type of device with data processing capabilities including, but not limited to, computers and mobile phones. The device consisting of hardware and software may include input, output and storage components which may stand alone or be connected in a network or other similar devices. It also includes computer data storage devices or media. (Section 3(g))

Offenses against the confidentiality, integrity and availability of computer data and systems (con’t)

  • Illegal Access. — The access to the whole or any part of a computer system without right. (Section 4(a)(1)).
  • Ethical or “white” hackers are professionals who employ tools and techniques used by criminal hackers but would neither damage the target systems nor steal information. Since they do their jobs with prior permission from the client, such permission would insulate him from the coverage of the cybercrime law on illegal access. (Disini v. Secretary of Justice, G.R. No. 203335, February 11, 2014)
  • Illustration: Chiz was able to get hold of the Facebook password of Khent. Without Khent’s authority, Chiz accessed Khent’s personal message containing photos of Khent and Gran using dangerous drugs in Mambaling, and shared these photos on Facebook. Chiz is liable for the cybercrime of illegal access. (2018 Bar Exam)
  • One who hacks his neighbor’s internet access by cracking the Wi-Fi password is liable for the cybercrime of illegal access. (Judge Marlo Campanilla).

Offenses against the confidentiality, integrity and availability of computer data and systems (con’t)

  • Illegal Interception. — The interception made by technical means without right of any non- public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data. (Section 4(a)(2))
  • Computer hacking constitutes either illegal access or illegal interception. (Judge Marlo Campanilla)
  • Intercepting the wireless cellphone communication through the use of computer systems between parties without a right constitutes the cybercrime of illegal interception. (Judge Marlo Campanilla).
  • Data Interference. — The intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses. (Section 4(a)(3))
  • This is considered cyber vandalism. (Judge Marlo Campanilla)

Offenses against the confidentiality, integrity and availability of computer data and systems (con’t)

  • System Interference. — The intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses. (Section 4(a)(4))
  • The transmission of a computer virus that interferes with computer data or system constitutes the cybercrime of system interference. (Judge Campanilla).
  • Misuse of Devices. - The use, production, sale, procurement, importation, distribution, or otherwise making available, without right, of:
    • A device, including a computer program, designed or adapted primarily for the purpose of committing any of the offenses under this Act; or
    • A computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offenses under this Act. (Section 4(a)(5)

Offenses against the confidentiality, integrity and availability of computer data and systems (con’t)

  • Cyber-squatting. — The acquisition of a domain name over the internet, in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name is:
    • Similar, identical, or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration;
    • Identical or in any way similar with the name of a person other than the registrant, in case of a personal name; and
    • Acquired without right or with intellectual property interests in it. (Section 4(a)(5))
  • Cybersquatting is the act of registering an unregistered internet domain name in bad faith to profit, mislead, destroy reputation, and deprive a person to whom the domain name belongs from registering the same.
  • Jan, a businessman and computer scientist, claimed to have devised an innovative business model where he would compile a list of celebrities and acquire numerous domain names in the internet using the names of these celebrities for the purpose of selling these registered names to said personalities and entities in the future. Jan is liable for cybersquatting. (2019 Bar Exam)

Computer-related Offenses

  • Computer-related Forgery. -
    • The input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible; or
    • The act of knowingly using computer data which is the product of computer-related forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest design. (Section 4(b)(1))
  • Computer-related Fraud. — The unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent. (Section 4(b)(2)).
  • Computer-related Identity Theft. — The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right.
  • Using the name of another person and his pictures in opening a Facebook account without authority constitutes the cybercrime of computer-related identity theft. (Judge Campanilla)

Content-related Offenses

  • The cybercrimes of Cybersex and Child Pornography have been repealed by R.A. 11930 or the Anti-Online Sexual Abuse or Exploitation of Children (OSAEC) and Anti-Child Sexual Abuse or Exploitation Materials (CSAEM) Act.
  • Unsolicited Commercial Communications. — committed by any person who shall transmit commercial electronic communication with the use of a computer system which seeks to advertise, sell, or offer for sale products and services. This is known as spam. (Section 4(c)(3))
  • In Disini v. Executive Secretary, this provision was declared unconstitutional. It was held that to prohibit the transmission of unsolicited ads would deny a person the right to read his emails, even unsolicited commercial ads addressed to him. The State cannot rob him of this right without violating the constitutionally guaranteed freedom of expression. Unsolicited advertisements, or spam emails, are legitimate forms of expression.

Content-related Offenses (con’t)

  • Libel. — The unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system or any other similar means which may be devised in the future. (Section 4(c)(4)).
  • Other Offenses. — also committed by any person who shall willfully abet or aid in the commission of any of the cybercrime offenses or any person who willfully attempts to commit any of the cybercrime offenses (Section 5).
  • The provision on aiding or abetting cybercrime in relation to cyberlibel was declared unconstitutional in Disini v Executive Secretary. The terms “aiding or abetting” constitute broad sweep that generates a chilling effect on those who express themselves through cyberspace posts, comments, and other messages. Hence, this provision is a nullity since it encroaches upon freedom of speech on grounds of overbreadth or vagueness of the statute.
  • Illustration: A vlogger who originally posted a libelous message in social media is liable for cybercrime. However, netizens who merely reacted to the defamatory message by clicking the Like, Comment, or Share buttons are not liable for aiding or abetting cybercrime.