Monday, October 8, 2012

Questioning the lawfulness, reasonableness, and plausibility of enforcing and implementing the Cybercrime Prevention Act

With at least eleven petitions already filed with the Supreme Court against RA 10175, or the Cybercrime Prevention Act of 2012, there's no denying that it is one very questionable law, if not totally bad. With much ado about cyber libel and all its consequences that effectively curtail freedom of speech or of expression, arguably at least, I have a lot of questions on how this controversial law will be implemented.

Protesters against the Cybercrime Law [Source]

Although DOJ Secretary Leila De Lima promised that the Implementing Rules and Regulations (IRR) will "harmonize" the Cybercrime Law, the fact remains that there is still no IRR and none of us has any clue as to how RA 10175 will actually be implemented even if the law already officially took effect on Oct. 3, 2012, fifteen (15) days after it was first published in the Official Gazette. As such, I believe I cannot be faulted for raising some questions.

Isn't this wiretapping?
Section 12 of the Cybercrime Prevention Act provides law enforcement authorities with, well, authority to collect traffic data in real time. But with due cause, of course. The section makes it clear, however, that traffic data do not include content or identities, as these would require a court warrant.

Still, doesn't this all sound a little too much like wiretapping, which, by the way, is illegal in this country according to RA 4200?

Of course one may argue that realtime collection of traffic data is not wiretapping especially when there are no wires or cables to tap, as in the case of WiFi and other wireless internet technologies like LTE, HSPA, HSDPA, WiMax, 3G, GPRS, et al. (although even these technologies involve wires and cables at one or more points in their transmission).

More so, one could argue that RA 4200 was enacted in 1965, back when such technologies never existed and which was therefore envisioned to apply only to landlines. It also specifically referred to violations as secretly overhearing, intercepting, or recording of a private conversation or spoken word; and traffic data are hardly private conversations or spoken words. In like manner, this is why Sec. 4(c)(4) was included in the Cybercrime law because the old libel provision in the archaic Revised Penal Code could not be invoked for defamatory statements made in cyberspace. Ergo, RA 4200 needs to be revised or amended first before it can be invoked against Sec. 12 of the Cybercrime Prevention Act.

While the provision may look good when applied to hacking, cyber fraud, and cybersex, it paints an entirely different picture when applied to libel. And that's the problem because the section does not distinguish among these different punishable acts as enumerated in Chapter II. That said, although it may not technically be wiretapping, such realtime collection of traffic data still looks like a violation of one's right to privacy, and that is just downright scary.

Requirements for service providers
Moving on, the same Sec. 12 also provides that "service providers are required to cooperate and assist law enforcement authorities in the collection or recording of such information." And what are service providers? According to Sec. 3(n):

Service provider refers to:
(1) Any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and
(2) Any other entity that processes or stores computer data on behalf of such communication service or users of each service.

Based on that, my understanding is that service providers include ISPs and telcos like Smart, PLDT, Sun, Digitel, Globe, et al. because they "provide users with the ability to communicate by means of a computer system."


Similarly, it also includes Google, Facebook, Twitter, Instagram, Flickr, Tumblr, YouTube, Vimeo, et al. because they also allow users to communicate although they need ISPs and telcos to facilitate such communication. Moreover, hosting services, forums, and other sites are also covered by this provision, if I'm not mistaken.

If such service providers also employ third-party services for their respective data center operations, then I believe that such third-party service providers are also covered by this definition. It's a long list!

Jurisdiction gray areas on preservation of data
And what exactly does this law require of service providers as far as "cooperating with and assisting law enforcement authorities" is concerned? Sec. 13 requires service providers to preserve both integrity of traffic data and subscriber information and content data from six (6) months from the date of receipt of an order from law enforcement authorities.

Personally I think that apart from obtaining evidence of the crime committed, this is meant to be useful in ensnaring some cyber fraudster or cybersex offender, like in some entrapment operation or something. Problem is, it also applies to online libel, in which case questions on the reasonableness of such order on the part of service providers may arise.

Given the countless things that millions of social media users post online can potentially be subjects of online libel complaints, how can service providers cope with such data preservation orders when doing so entail server and database space, let alone people to manage such hardware and ensure compliance with law enforcement requirements? What if there are hundreds, or even thousands, of such orders? It can therefore be potentially cumbersome to them -- and not without financial impact -- on the service providers's business.

Facebook, Twitter, Google, and the like may not have a problem preserving such data since they don't really delete any of their subscribers's postings anyway. However, can the Philippine government really compel them to hand data over given that they're not at all based in the country? If they do not comply, what will the government do, block their sites? Try that and everyone will practically go berserk.

Moreover, what if the user chooses to delete a posting? Can the government hold these service providers liable for not preserving data that, as far as the user is concerned, are his and are only kept by Facebook or Twitter? So will the government fine them for a hundred grand and imprison them, as provided for in Sec. 20? But imprison who, Mark Zuckerberg, Larry Page, and Jack Dorsey? Bottom line, does the Philippine government even have jurisdiction over them?

And then there are web-hosting services based abroad. What to do with them?

As for telcos and ISPs, who are widely regarded as mere "dumb pipes" for internet-based services and applications, how does this law affect them? As far as I know, telcos do not really store content data as they merely enable internet services like Google and whatnot. Sure they keep subscriber information (at least with postpaid subscriptions) but telcos and ISPs simply facilitate internet connection and nothing more. So will the government now require them to invest heavily in expensive hardware just to house six months worth of data when they don't really serve any business purpose at all?

How plausible and reasonable is seizing a computer system?
Sec. 15 grants law enforcement authorities -- whoever they may be -- with some seriously awesome powers. For one, they can secure a computer system or storage medium. But that sounds easier said than done.

While technically your PC, iMac, laptop or tablet are computer systems in their own right, others, especially those that enable applications and other services over the internet, can have a far more complex ecosystem than what you're using at home.

Suppose there's a locally-based social networking site ala-Facebook with millions upon millions of users. That service would require several servers and databases, no doubt, and which could be in several different locations, not to mention the many terminals to facilitate access and control over them. One or more may be application servers while others will basically house terabytes of data. One server may be dedicated specifically for a particular feature of that site, like chat, and which may also have its own dedicated database or more. Some features like sharing content may need to go through another engine or server before it can lookup one or more databases for content to be shared. And this being a very popular site, there are hundreds more services connecting to it via one or more APIs. Content shared may also be from other sites or services. And I haven't even said anything about redundancies and backup sites yet. I mean, it can get really complicated.

A sample relatively simple computer system diagram [Source]

And they really have to secure all that? Can they?

Well, the same section also grants whoever these law enforcement authorities are (Told you they have awesome powers!) the power to order any person who has knowledge about how the whole system functions to provide them with with necessary information so they can carry on with the search, seizure and examination.

Uhm, that's also easier said than done. There may not even be one person who knows it all, which means a lot of the service provider's employees may be required. Needless to say, that means time and therefore, money, on the service provider's part. And how many potential cases are we expecting here? They might even need a whole team just to assist these authorities!

Still, an entire computer system?

More right to privacy issues
Assuming the government can indeed successfully seize an entire computer system (sounds so Martial Law), isn't the right to privacy of those users not the subject of a complaint compromised somehow? They did seize an entire ecosystem after all.

How can users of whatever service be assured that their data, especially sensitive information, are not compromised by such searches and seizures? Are they really able to isolate only those data that are the subject of the warrant from everything else? Can we be so sure that nothing else has been viewed, let alone copied? I mean, seizure sounds really absolute, which bothers me even more.

Copying and seizure of data
Of course all this seizure provision is basically meant to produce evidence that will be admissible in court. As such, they need to copy data, which the same Sec. 15 also authorizes. Further, Sec. 16 provides that this has to be deposited with the court in a sealed package.

I assume it's the government that shoulders the cost of whatever storage medium they have sealed there. However, how would they ensure the readability of its contents? Aha!

Data can come in several formats, and may need specific applications and even operating systems to read them. Assuming what was copied is highly-specialized data, are service providers still bound to shoulder whatever cost it may entail to make it readable to an outside party, much more during court proceedings? Software licenses and installations may be required here. They couldn't be pirated versions, right?

Okay, assuming the highly-specialized data can be converted to another format, something more suitable to law enforcement authorities, how is one assured that the integrity and completeness of data have not been compromised? That could mean a lot of work to do from developing a script up to testing its functional worthiness. Ah, more hassle on the part of service providers.

Sec. 15 also grants the still-unspecified authorities "to render inaccessible or remove those computer data in the accessed computer or computer and communications network." Likewise, Sec. 16 provides that "the law enforcement authority shall also certify that no duplicates or copies of the whole or any part thereof have been made."

So apart from copying, they can also remove data. It may sound simple but there can be some repercussions. For one, assume that the data pertains to the suspect accessing specific sites or applications, all of which have their corresponding data charges. And you remove that data -- totally. Now someone comes complaining of billing charges or something and the service provider has nothing to substantiate the charges billed because they were removed by law enforcement. Wouldn't that be a little unfair to the service provider?

Now if it were subscriber information that were removed, wouldn't that mean that that person or entity is no longer a subscriber to whatever service he was supposed to be subscribed to in the first place? Is that fair? Or is that even right?

The "take-down clause"
Sec. 19, inserted into the bill by Sen. Pia Cayetano, proved to be very controversial. Nicknamed the "take-down clause," it grants the DOJ the power to restrict or block access to computer data. In other words, the DOJ can block access to websites, or take them down as others put it.

According to blogger Raissa Robles, Cayetano was only referring to cyber offenses like cybersex, which, of course, would make Sec. 19 look very reasonable.

Unfortunately, because Sen. Tito Sotto subsequently inserted the libel rider, the take-down clause now applies to libel as well, effectively denying anyone accused his right to due process. Whether what that person posted was indeed libelous or not doesn't matter anymore because access has already been restricted. As with libel, it's like saying he is guilty unless proven otherwise.

But can the DOJ really order the take-down of an entire site or the blocking of a whole account if it's just one particular post that is the subject of a libel complaint? Is that even fair at all when such accusation may not hold water in court in the end?

In hindsight
In light of all this, I couldn't help but wonder whether our lawmakers actually read what they're supposedly voting for or against as far as legislation is concerned. Their carelessness astounds me. And we all know how the insertion of the libel clause was overlooked and which has now become law. I wonder whether they have thoroughly evaluated and re-evaluated each and every provision.

One by one, senators and congressmen are resorting to damage control over the libel rider. Fine. But have they really given a hard look at how all this is going to be implemented? Have they considered all possible scenarios and consequences? Or worse, do they even understand the very subject of this legislation?

I don't think so.


  1. This is a very delicate thing...and it has a lot of points in which it really destroys what freedom of speech is all kinda global as my country we are having similar issues...with a very similar law...I don´t like where this is all heading, too bad, too bad.

    The Black Label

    1. too bad indeed. good thing we got a TRO in the meantime.

  2. Totally agree with you!
    great post!

  3. Hello, I found your blog from a friend and I went to visit! I loved your post and I am going to stay on top of all the news!

    I hope my blog:

    If you want to follow me I'll be very happy! ♥ hugs..

    Instangram @pathyamorinha


Related Posts Plugin for WordPress, Blogger...
Related Posts Plugin for WordPress, Blogger...