Cyber crime law urgent, but stalled in Congress
By David Dizon
2007 Newsbreak Investigative Writing Fellow
The extent and sophistication that computer crime in the Philippines has taken in recent years require a cyber crime law that, in turn, has been stalled in the past two Congresses.
Eight years since the enactment of the e-commerce law, the Internet landscape has changed dramatically, and the current law may not be able address the threats posed by identity theft, data privacy, online fraud, and online child pornography.
Fred Torres, former president of the Information Systems Security Society of the Philippines, says the original House and Senate bills that formed the bases for Republic Act 8792 or the e-commerce law did not center on hacking and cracking, which were relatively unknown crimes at the time.
Now, a cyber crime law may be needed to achieve stronger convictions against suspects, for instance, in the 30 cases of online offenses that the justice department is tackling—like Web site defacements, blackmail, and online pornography.
State Prosecutors Geronimo Sy says only at least two Filipino hackers have been convicted of violating the e-commerce law since its passage in 2000.
Mainly for e-commerce
The passage of RA 8792 in June 2000 was largely prompted by the need to prosecute Onel de Guzman, the college student who released the ILOVEYOU virus a month before and infected millions of computers worldwide. The bug shut down the e-mail systems of large corporations and caused an estimated US$5.5 billion in damages.
However, the main achievement of the law was only to make electronic documents admissible as evidence in court cases. It sought to penalize limited online crime, such as hacking and copyright violations.
As such, De Guzman, who admitted that he might have inadvertently released the virus, was charged under an old law penalizing unauthorized access to credit cards and bank ATMs. He was eventually released in the absence of a law at the time governing his specific offense.
Palmer Mallari, an agent of the National Bureau of Investigation Anti-Fraud and Computer Crimes Division who worked on the De Guzman case, says foreign governments wanted to indict de Guzman abroad, but doing so would violate local laws.
Addressing the vagueness
Ryan Flores, team leader of TrendLabs Philippines incident response, says one deficiency in the e-commerce law is its vagueness.
“Something has to be done about the breadth of the law as well as its vagueness. We need to pinpoint more details on what a cyber crime is and put a little more technicality in the law. If it’s too vague, the hacker can just use that vagueness to his advantage. We need the law to be more technical,” he says.
A working draft of the consolidated cyber crime bill addresses this vagueness by identifying and penalizing computer crimes and computer facilitated crimes. The bill, dubbed the Cyber crime Prevention Act, consolidates at least four House bills introduced by at least 12 congressmen including Representatives Eric D. Singson, Edgar M. Chatto, Amado T. Espino, Jr., Nanette Castelo-Daza, Harlin Cast-Abayon, Simeon L. Kintanar, Catalino V. Figueroa, Mary Ann L. Susano, Generoso DC Tulagan, Hussin U. Amin, Eufrocino M. Codilla, Sr. and Rozzano Rufino B. Biazon.
Instead of just hacking, cracking and introduction of viruses, the proposed bill now defines several acts as computer crimes including illegal access, illegal interception, misuse of devices and unsolicited commercial communications.
It also imposes penalties on computer sabotage, which it defines as "input, alteration, erasure or suppression of computer or communication data or computer or communication programs, or interference with computer and communication system or network." Acts filed under computer sabotage include data interference, system interference, computer fraud and computer forgery.
Defacement, phishing, spam
Lawyer JJ Disini, who helped Congress draft the implementing rules and regulations of RA 8792, says illegal access could mean cracking or even the malicious use of thumb drives to view or access information on a computer illegally.
“Even before you download anything, the fact that you got access without right is already a crime as proposed in the bill. So if you’re an employee and your privileges have been revoked because you were terminated, if you still get access the network, the mere fact that you are on the network and accessing information is itself a crime,” he said.
Introduction of viruses and defacement of Web sites are also covered in the current bill as defined under data and system interference. The addition of a provision on computer related forgery, which addresses phishing Web sites, was also included in the bill as part of inputs by legislators and IT experts during a cyber crime workshop last October.
One provision included in the bill is the sending of unsolicited commercial communications or spam. This is particularly important for Filipino Internet users who are either on the receiving end of spam or are themselves unwitting spam senders after their computers are infected by bots.
According to the January-June 2007 Internet Threat Security Report of software firm Symantec, a total of 87 percent of e-mails in the Philippines is spam. Richard Velasco, senior technical consultant for Symantec, said the high volume of spam is the result of spam “zombies” or computers infected with malicious software that send out thousands of junk e-mail everyday.
Disini says this particular provision of the law could be useful once the Philippines becomes a signatory of the Council of Europe Cyber crime Convention of 2001. The treaty, which has been ratified by 22 countries including the United States, sets guidelines for laws and procedures for dealing with Internet crime.
The Convention is aimed at providing for swifter prosecutions of cyber crime as well as better cooperation between law enforcement agencies, as investigations often cross borders. It also requires countries to have a law enforcement contact available at all hours to assist in a digital investigation.
“If we become part of the EC cyber crime treaty, we can extradite these defendants who are US-based. A lot of the big spammers are outside the country. At least one guy has been convicted in the US so it’s not impossible to prosecute these spammers because they’re known,” Disini said.
Torres says the cyber crime treaty could also help law enforcers in pursuing other computer criminals outside the country who wreak havoc on local computers and networks.
Cyber sex, online child porn
Another provision in the bill, which was suggested during the cyber crime workshop last year, includes computer facilitated crime or use of a computer to commit crimes as defined by the Revised Penal Code, the Intellectual Property Code, the Consumer Act and other relevant laws.
This provision also covers all offenses related to cyber sex including production of child ponorgraphy for the purpose of distribution, offering or making available child pornography through a computer or computer network; distribution of child pornography, possession, prostitution or solicitation of any form of cyber sex, operation of internet café or any type of establishment which engages in cyber sex and promotion and advertisement of any form of cyber sex.
Disini says the bill makes a clear distinction between pornography in general and child pornography. He says that while adult pornography, particularly in the United States, is protected as free speech, “there is no form of child pornography that is permissible.”
“Child pornography by definition is exploitative. Possession of child pornography should be criminal behavior. The mere fact that you have possession of child pornography means you are feeding the demand for this type of content,” he said.
He said this includes online forums that do not host the images but still link to sites that promote child pornography.
Under the proposed bill, those found guilty of computer crimes or computer sabotage could be fined P100,000 up to a maximum amount commensurate to the damage incurred plus a jail sentence of six to 12 years. Those found guilty of computer facilitated crimes could be fined P200,000 to P800,000 and a mandatory imprisonment of six to 12 years provided that the maximum penalty, as provided for by law, is imposed.
Conspiracy to commit cyber crime and aiding or abetting in the commission of cyber crime is also included in the proposed bill.
Still needs work
The bill also proposes the creation of a computer emergency response council that will formulate and implement a plan of action to combat cyber crime. The council will be headed by the chairman of the Commission on Information and Communications Technology with the director of the NBI as vice-chairman. Other members include the chiefs of the CIDG, Philippine National Police, National Prosecution Service, National Computer Center, Philippine Center for Transnational Crime and NBI anti-fraud and computer crimes division. It also allots seats for three IT security experts from the private sector, which will be appointed by the President.
Even before the passage of the bill, Malacañang may be taking the threat of cyber crime seriously. It has proposed the setting up of a one-stop shop that would handle all Internet threats in the country. Undersecretary Virtus Gil, head of the Presidential Situation Room, says the proposed Cybersecurity Monitoring Center will be manned 24 hours a day, seven days a week, and will be under the Office of the President.
“Each sector has its own threat in cyberspace and each sector has its own emergency response team. But when it comes to cyber security, you cannot just police your own. You have to look at the big picture. That is why there is a national coordinator. We have to know everything,” Gil says.
Disini acknowledges, however, that the cyber crime bill still needs work before it is passed into law.“Yes, we need a new cyber crime law. However, there is no criminal liability for attempted cracking or hacking in the present form of the bill," he said.
He says the bill should not become a stand-alone law but should be included as part of the Revised Penal Code.
"My main beef is that it’s a stand alone law once it’s passed. The danger is that it becomes an independent piece of criminal legislation and the Supreme Court can consider it as mala prohibita. This means that if you commit an act intentionally or unintentionally, it will be considered a violation. If the statute says the introduction of viruses is a crime, if you accidentally introduce a virus via e-mail, since intent is unimportant, theoretically you have violated the law. I disagree with that."
Catanduanes Rep. Joseph Santiago, chairman of the House committee on information and communications technology, says his efforts to pass a cyber crime bill in the 13th Congress were sidelined. He says at least five different versions of the cyber crime bill are pending before his committee since the start of the 14th Congress.
He says one problem being faced by his committee in pushing for a cyber crime law is that only a limited sector of society is focusing on it.
“These are quite polar crimes that don’t usually make the news, but it’s a monster in the making. Media, for example, focuses too much on the cyber sex dens, but there’s more than that. Imagine what would happen if someone creates a virus that wreaks havoc on the stock exchange or on the banking industry? There has to be a bill that works on securing these systems,” he says.
“Of course, we have security measures in place, but if someone breaks these measures, where’s the law that penalizes the perpetrators? We have to prevent another Onel de Guzman from happening.”
This special report was produced under the 2007 Newsbreak Investigative Reporting Fellowship Program, a component of the Media, Democracy and Development Program of the United Nations Democracy Fund.
» RP computer hackers turning into syndicates (Second of three parts)
» Password thieves prey on Pinoy Internet users (First of three parts)