Chapter 1 Cybercrime Law
Chapter 1 Cybercrime Law
Chapter 1 Cybercrime Law
KAGAWARAN NG KATARUNGAN
Department of Justice
Manila
By
Geronimo L. Sy
Assistant Secretary
Head, Office of Cybercrime
Department of Justice
Introduction
Any discussion of cybercrime in the Philippines starts with reference to the "I Love
You" virus unleashed globally in 2000. It placed the country on the global cyber-map and
pushed Congress to pass the first 'cybercrime' law, Republic Act No. 8792 or the Electronic
Commerce (E-Commerce) Act of 2000.
Hence, the concept of cybercrime which has long been recognized as a scourge in other
parts of the world formally became a crime in the country.
Not long after, the Department of Justice (DOJ) and the primary law enforcement
agencies, the National Bureau of Investigation (NBI) and the Philippine National Police
(PNP) Criminal Investigation and Detection Group (CIDG) - established the first cybercrime
1
forensic laboratories in 2001 - one for each agency given the need to build capacity and to
spur development of cyber investigations.
The Supreme Court, on the other hand, recognized the emerging crime set and
issued the Rules on Electronic Evidence on 17 July 2001. This was initially applicable only
to all civil actions and proceedings, as well as quasijudicial and administrative cases. The
Rules were subsequently amended on 24 September 2002 to include criminal cases. l
With the budding cybercrime fighting capability, two convictions stemmed out of the
several cases investigated by the DOJ under the ECommerce law.
The first conviction arose in September 2005 when the respondent, an employee of a
leading university in the south, pleaded guilty to hacking the governmental portal
"gov.ph" and other government websites in Criminal Case No. 419672-CR filed before
Branch 14 of the Metropolitan Trial Court of Manila. He was sentenced to serve one to
two years of imprisonment and to pay a fine of Php100,OOO.OO.
The second conviction was obtained in May 2006 against a 22-year old former call center
agent who broke into the computer system of a credit card company and a client of his
multi-national employer in the firm in the Philippines, thereby gaining access to a
database maintained by a sister firm in the United States. Using an internal IP address, he
proceeded to purchase goods online using various credit cards. He was sentenced by the
Quezon City Metropolitan Court to serve a minimum imprisonment term of one to two
years plus a fine of Php100,000.00, as provided under Section 33 of the E-Commerce
Law.2
Meanwhile, in 2008, the DOJ created the Task Force on E-Government, Cyber-security and
Cybercrime to address cyber-security issues and to pursue an e-government agenda. 3 The
Task Force assessed the state of cybercrime legislation not only in the country but also in
the global arena. It was to train law enforcers and prosecutors in dealing with cybercrime
and to create e-courts to handle high-tech cases such as hacking and other crimes
committed using internet technology.
The Task Force began collaborating with the Council of Europe (COE), the organization
which drafted and pushed for the adoption of the first
The Convention is divided into three principal parts. The first part identifies the
substantive cybercrime offenses which each ratifying State is obliged to adopt in its
domestic law. The second part deals with investigative procedures that States must
implement. Lastly, the third part relates to mechanisms that will enhance international
cooperation.
To monitor the compliance of parties and update observers to the said Convention, the
COE conducts a regular conference known as the Octopus
Conference which is preceded by the plenary meeting of the Cybercrime Convention
Committee (T-CY). 3
The author was invited in the annual conference held in Strasbourg, France as an
observer, panel speaker, and moderator in 2007 and subsequently, thereafter.
On 31 August 2007, the DOJ through the office of former Undersecretary Ernesto L.
Pineda expressed the request of the Government of the Philippines to be invited for
accession to the Budapest Convention. In a letter dated 15 June 2011, the COE Secretary
General Thorbjorn Jagland formally invited the
Philippines to accede to the Budapest Convention. 4
http://conventions.coe.int/Treaty/Commun/print/ChercheSig.asp?NT=185&CM=1&DF=&
CL= ENG
3 http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime
4 Council of Europe Sec. Gen. Thorbjorn Jagland Letter dated 15 June 2011
5 Republic Act No. 10175
3
While it was RA 8792 which first penalized "cybercrimes," RA 8484 (Access Device
Regulation Act of 1998) and RA 4200 (Anti-wiretapping Law) had earlier recognized acts
done using information and communication technology (ICT). More recently, but prior to
the effectivity of the CPA, RA 10173 or the Data Privacy Act of 2012 was enacted to
protect the fundamental human right of privacy and of communication while ensuring
free flow of information to promote innovation and growth.
This paper thus traces the history and development of the CPA — one of the country's
most critical and highly debated legislative measures. Through the years, netizens have
been victims of numerous cybercrimes committed by criminals with impunity. The CPA's
eventual passage into law and the recent 50-page decision67 of the Supreme Court
confirming its constitutionality, save for some provisions, finally opens a new period for
law enforcement in cyberspace.
Numerous public sector consultations were held. In January 2004, the first local
Cybercrime Conference was organized by Atty. Gigo A. Alampay with representatives from
the Department of Justice of both the US and Canada.
These activities were held cognizant of the limited scope of the cybercrime provisions in
the E-Commerce Act.
Meanwhile, during the interim years of 2006 and 2007, the prototype Cybercrime
Prevention Act was substantially crafted and was later finalized after the first
International Cybercrime Conference on 25-26 October 2007, conducted by the DOJ in
partnership with the COE. During the first quarter of 2008, legislative strategy on
information and communication was created by the government focused mainly in
adopting a three-tiered approach in crafting related laws to underline the primacy of
three virtual subjects, namely: data privacy, cybercrime, and cybersecurity.
11 Senate Bill No. 151, "An act Penalizing the Use of Computers to Commit, Facilitate,
or Conceal the Commission of a Crime."
12 Senate Bill No. 199, "An Act to Punish Transmission of Indecent Material by
Computer to Minors."
(c) use of a computer or computer network to conceal, obliterate, or hide the
identity of persons guilty of committing a crime or an offense; and
(d) use of a computer or computer network to conceal or hide commission of a
crime or an offense and the evidence thereof.
She also proposed the enactment of the "E-mail User Protection Act" which seeks to
protect consumers and service providers from the misuse of computer facilities by others
sending unsolicited commercial electronic mail over such facilities.
Finally, on 17 September 2004, Senator Ramon B. Magsaysay, Jr. proposed the enactment
of the "Anti-Computer Fraud and Abuse Act of 2004." It defines computer fraud and the
offenses covered by the term "computerrelated fraudulent activities" and covers such
acts as computer fraud, computer forgery, damage to computer data or computer
programs, computer sabotage, unauthorized access and unauthorized interception. It
imposes both a fine and a penalty of imprisonment for violators. It also accords authority
5
to the National Security Council to conduct investigations on computer related crimes vis-
å-vis its effects on national security.
Within the same month, Senator Loren Legarda introduced Senate Bill No. 1377, "The
Anti-Computer Fraud and Abuses Act of 2007." The proposed law seeks to penalize
several defined crimes or offenses such as computer fraud, computer forgery, damage to
computer data or computer programs, computer sabotage, unauthorized access, and
unauthorized interception. The bill likewise prescribes a higher penalty - imprisonment of
not more than 20 years and a fine not more than Php100,000.00.
Senator Miriam Defensor-Santiago, on the other hand, introduced four separate bills on
computer and internet usage, namely:
By the middle of 2008, Senator Mar Roxas introduced Senate Bill No. 2412, the "Computer
Abuse Act of 2008." The bill was patterned after the United States Computer Fraud and
6
Abuse Act13 as well as Title 18, Section 3933 of the Pennsylvania Consolidated Statues
(Crimes Code). It outlaws:
The successive introduction of bills aimed at criminalizing detrimental acts with the use of
a computer or through the use of the internet
13 18 US code 1030
resulted in the first draft of a Senate bill dubbed as a Cybercrime Prevention Act.
Introduced by Senator Juan Ponce Enrile on 21 April 2009, Senate Bill No. 3177 entitled
the "Cybercrime Prevention Act of 2009" was divided into seven chapters. 8 Chapter 1
defines significant terms such as computer system, computer data, computer program,
database, service provider, traffic data, among others. Chapter 2 enumerates acts
punishable under the proposed law which were categorized into (a) offenses against the
confidentiality, integrity and availability of computer data and systems, such as illegal
access, illegal interception, data interference, and system interference; (b) computer-
related offenses such as computer-related forgery and computer-related fraud; (c)
content-related offenses such as cybersex, child pornography, and unsolicited commercial
communications. Chapter 3 prescribes the penalties imposable for each violation. The
same chapter introduces corporate liability, that is, the imposition of a fine amounting to
a maximum of if the crime is committed on behalf of or for the
benefit of a juridical person, by a natural person who has a leading position within said
juridical person.
Chapter 4, on the other hand, gives law-enforcement authorities power to collect and
preserve computer data. Chapter 5 defines the jurisdiction of the Regional Trial Courts
and empowers them to hear and decide cases involving violations of the proposed law if
committed within the territory of the Philippines or by a Filipino national regardless of the
place of commission. Chapters 6 and 7 contain provisions on international cooperation
8 The author was tasked by Senator Enrile to submit a single, comprehensive draft.
7
and final provisions such as appropriations, implementing rules and regulations, among
others.
Less than a month later, Senator Antonio Trillanes IV came up with his own version of the
CPA and introduced Senate Bill No. 3213 on 6 May 2009. The proposed bill contained
almost similar provisions as the earlier version except that Senate Bill No. 3213 sought the
creation of a Computer Emergency Response Council under the control and supervision of
the Office of the President. It is primarily tasked to formulate and implement a national
plan of action to address and combat cybercrime. It is envisioned to be composed of the
Chairman of the Commission on Information and Communications Technology (CICT) as
Chairman; the Director of NBI as Vice-Chairman, and other officials of the government as
members including the Directorate- General of PNP, the Chief of the National Prosecution
Service, the Head of the National Computer Center (NCC), the head of the Philippine
Center for Transnational Crime (PCTC), three representatives from the private sector,
among others.
These two versions of the CPA were later merged forming Senate Bill No. 3553 which was
prepared jointly by the Committees on Science and Technology, Constitutional
Amendments, Revision of Codes and Laws, Justice and Human Rights, and Finance. Senate
Bill No. 3553 maintained most of the provisions contained in Senator Enrile's version of
the CPA such as the categorization of the punishable acts and the law enforcement
authorities' power to collect and preserve computer data. It incorporated Senator
Trillanes' proposal to create a body tasked to formulate and implement the national cyber
security plan, however, this time, it was referred to as the Cybercrime Investigation and
Coordinating Center composed of a smaller number of people, namely: (a) the Chairman
of the Commission on Information and Communications Technology as the Chairman with
(b) the Director of the NBI as Vice- Chairman, (c) the Chief of the PNP, (d) the Chief of the
National Prosecution Service and (e) the Head of the National Computer Center as
members. More importantly, Senate Bill No. 3553 proposed the creation of the Office of
Cybercrime (OOC) in the Department of Justice, which would be responsible for extending
immediate assistance in the investigation and prosecution of criminal offenses related to
computer systems and data, and ensure that the provisions of the proposed law are duly
complied with.
In the meantime, House Bill No. 6794, which is the counterpart bill of Senate Bill No. 3553
in the House of Representatives, was approved on third reading on 18 January 2010. This
was transmitted to and received by the Senate on 20 January 2010. 15
The CPA of 2009 was not enacted into law at this stage.
Senate Bill No. 2796, on the other hand, was principally sponsored by Senator Edgardo J.
Angara. The bill was jointly submitted by the Committees on Science and Technology;
9 House Bill Nos. 85, 167, 364, 383, 511, 1444, 2279, 3376, 4031, and 4162
8
Constitutional Amendments; Revisions of Codes and Laws; Education, Arts and Culture;
Justice and Human Rights; Trade and Commerce; Public Information and Mass Media; and
Finance on 3 May 2011. Except for the third paragraph of Section 7, Chapter Ill which cites
Republic Act 9775 or the Anti-Child Pornography Act of 2009, Senate Bill No. 2796
contained provisions identical to Senate Bill No. 3553 or the earlier proposed CPA of 2009.
Both Senator Angara and Representative Tinga co-chaired the Bicameral Conference
Committee where House Bill No. 5808 and Senate Bill No. 2796 were discussed. The
Bicameral Conference Committee decided to generally adopt the Senate version of the bill
to be used as the working draft with
15http://www.congress.gov.ph/legis/search/hist_show.php?congress=
insertions coming from the House version, including the title of the proposed Act. 10 A new
Section not found in both versions was likewise inserted. 11
Before the approval and the official recording of the Cybercrime Prevention Act, the DOJ
conducted several seminars with the active participation of prosecutors nationwide. A
Technical Working Group (TWG) on Cybercrime and Cybersecurity consisting of
representatives from national government agencies, including those engaged in law
enforcement like the PNP and the NBI, as well as private companies and the academia.
These stakeholders came together to address issues relating to cybersecurity and
cybercrime in the Philippines.
One of the aims of the NIG was to consolidate and concretize the government's efforts on
cybersecurity and successfully implement measures to fight cybercrime. The Cybercrime
seminars entitled "Investigating Cybercrime: A Global Training Program for Prosecutors"
were held on separate dates in various cities in the country, viz. 19-20 September 2011 in
Manila; 20-21 October 2011 in Cebu City; 26-27 January 2012 in Davao City; 22-23
February 2012 in Tuguegarao City; 19-22 April 2012 in Laoag City; 22-25 May 2012 in
Legazpi City, and 19-20 July 2012 in Iloilo City. Comments were considered and the draft
cybercrime bill was continuously revised and endorsed to both houses of Congress.
10
An Act Defining Cybercrime, Providing For The Prevention, Investigation, Suppression And
The Imposition Of Penalties Therefor And For Other Purposes
11 Sec. 6 — All crimes defined and penalized by the Revised Penal Code, as amended, and
special laws, if committed by, through and with the use of information and communications
technologies shall be covered by the relevant provisions of this Act. Provided, That the
penalty to be imposed shall be one degree higher than that provided for by the revised
Penal Code and special laws.
9
After the CPA of 2012 was signed into law, the DOJ in partnership with the Department of
Science and Technology Information and Communications Technology Office (DOST-ICTO)
hosted a multi-sectoral forum on 9 October 2012 to ensure proper dissemination of
information about the new law. Key provisions of the CPA were presented and inputs and
insights for the law's implementing rules and regulations were solicited. 12 Unfortunately,
it was on that same day when the Supreme Court issued a temporary restraining order
suspending the application of the legislative measure in view of numerous petitions filed
by concerned groups, mostly from the media, academe and legal community, assailing the
CPA's constitutionality. 13
The original 120-day temporary restraining order issued on 9 October 2012 was extended
on 5 February 2013 pending hearing and adjudication of the issues. 21
Given the close cooperation with the COE, the DOJ organized on 23-24 May 2013 the
Regional Workshop on the protection of children against online sexual violence in
Southeast Asia to enhance law enforcement cooperation and criminal law benchmarks of
the Budapest and Lanzarote Conventions.
The COE Convention on the Protection of Children against sexual exploitation and sexual
abuse, or the Lanzarote Convention, aims to prevent and combat sexual exploitation and
sexual abuse of children; protect the rights of child victims of this kind of exploitation and
abuse; and promote national and international co-operation against these misdeeds
against children. 22
The conference was attended by Ministries of Justice and other institutions responsible
for law drafting, prosecution service, and law enforcement in child protection, or
cybercrime units of the participating countries in Southeast Asia. It seeks to promote the
implementation of the criminal law benchmarks of the Budapest and Lanzarote
Conventions as a basis for enhanced law enforcement cooperation to protect children
against sexual violence.
The DOJ, through the author, presented its efforts to come up with a second version of a
cybercrime law amending the CPA of 2012, as a response to the clamor of netizens on
cybercrimes, both domestic and international, taking into account the constitutional and
statutory rights guaranteed under the present Charter. The second version of the law
sought to set aside cybersquatting as an offense as well as content-related offenses of
cybersex, childpornography, and libel. It deleted the imposition of penalty one degree
higher for crimes penalized by the Revised Penal Code and special laws if committed with
the use of information and communication technology; the provision on liabilities under
other laws; the provision on restricting or blocking access to computer data; and the
G.R. No. 203391, Bagong Alyansang Makabayan Secretary General Renato M. Reyes, Jr., et
al. v. Benigno Simeon C. Aquino Ill, etc., et al., G.R. No. 203407, Sta. Maria, et al. v. Ochoa,
etc., et al., G.R. No. 203440, National Union of Journalists of the Philippines (NUJP), et al.
v. Executive Secretary, G.R. No. 203453, Cruz, et al. v. Aquino Ill, etc., et al., G.R.No.
203469, Philippine Bar Association, Inc. v. Aquino Iii, etc. et al., G.R. No. 203501, Bayan
Muna Representative Neri J. Col men ares v. The Executive Secretary Paquito Ochoa, Jr.,
G.R. No. 203509, National Press Club of the Philippines, Inc., et al.v. Office of the
President, etc., et al., G.R. No. 203515, Philippine Internet Freedom Alliance, etc., et al. v.
The Executive Secretary, et al., G.R. No. 203518. 21 Id
22
Council of Europe Treaty Series — No. 201
(d) Sixteenth Congress (2013-2016)
Similar efforts to address controversial provisions of the CPA were made by legislators
such as the amendments proposed by Senators Ferdinand R. Marcos, Jr., Francis G.
Escudero, Pia S. Cayetano, and Alan Peter S. Cayetano to delete Sections 4(c)2, 4(c)4, 6, 7,
12 and 19 as well as to revisit Section 21 of the Act. 14 On the other hand, Senators Miriam
Defensor-Santiago and Paolo Benigno "Bam" A. Aquino IV aim to establish a Magna Carta
for Philippine Internet Freedom. 24
Pending the approval of these bills, the Supreme Court confirmed the constitutionality of
the CPA on 18 February 2014. In its 50-page decision, the Supreme Court declared valid
and constitutional the following provisions, namely:
see Senate Bill Nos. 11, 126, 154, 248, and 249, 16th Congress.
14 24
The Supreme Court likewise declared as constitutional Section 4(c)4, which penalizes
online libel with respect to the original author of the post but declared unconstitutional
with respect to others who simply receive the post and react to it; and Section 5, which
penalizes aiding or abetting and attempt in the commission of cybercrimes only in relation
to Section 4(a)1 on Illegal Access, Section 4(a)2 on Illegal Interception, Section 4(a)3 on
Data Interference, Section 4(a)4 on System Interference, Section 4(a)5 on Misuse of
Devices, Section 4(a)6 on Cyber-squatting, Section 4(b)1 on Computerrelated Forgery,
Section 4(b)2 on Computer-related Fraud, Section 4(b)3 on Computer-related Identity
Theft, and Section 4(c)1 on Cybersex, but void with respect to Sections 4(c)2 on Child
Pornography, 4(c)3 on Unsolicited Commercial Communications, and 4(c)4 on Online
Libel.
On the other hand, Sections 4(c)3 which penalizes posting of unsolicited commercial
communications, Section 12 which authorizes the collection or recording of traffic data in
real-time, and Section 19 which authorizes the DOJ to restrict or block access to suspected
Computer Data were however declared void for being violative of the Constitution.
Similarly, the Supreme Court declared that charging an offender for online libel under
both Section 4(c)4 of the CPA and Article 353 of the Revised Penal Code, or for child
pornography committed online under both Section 4(c)2 of the CPA and the Anti-Child
Pornography Act of 2009 violates the Constitutional proscription against double jeopardy.
Conclusion
The development, passage, and enactment of cybercrime legislation in the Philippines
have been long and tedious. The technical issues coupled with the strong resolve of
12
several groups of people, especially bloggers and internet users, to safeguard their
freedom of speech and expression has resulted in public debates and court litigation.
13
Indeed, the State, as parens patriae, has the obligation to protect the Filipino people
against cyberbullies but it must strike the balance between penalizing what are
considered as cybercrimes and respecting the people's fundamental rights. With the final
resolution on the validity and constitutionality of the CPA, coupled with the active
enforcement of its provisions and related laws by the OOC, NBI, and PNP, the security of
the public in cyberspace is now greatly assured.
The implementing rules and regulations (IRR) of the CPA were drafted by the DOJ jointly
with the Information and Communications TechnologyOffice of the Department of
Science and Technology (ICTO-DOST), and the Department of Interior and Local
Government (DILG) pursuant to Section 28 of the CPA, with the cooperation of the NBI
and PNP. Consultations with members of the academe, government and private sectors
were also conducted. The IRR, which is intended to be straightforward and
comprehensive, seeks to harmonize provisions of the CPA with other laws such as the
Access Devices Regulation Act of 1998, E-Commerce Act of 2000, AntiChild Pornography
Act of 2009, and Anti-Photo and Voyeurism Act of 2009, as well as fill in the gaps in law
enforcement procedures on cybercrimes.
The consultation process consists of practical, technical and legal review and application
of the CPA, engaging various public and private sectors. In particular, the TWG convened
to draft the IRR on 10, 17, 26 March; 20, 26 August; and 05 September 2014. Also,
stakeholders from business, academe and non-governmental organizations were
consulted on 08 April 2014; national government agencies and organizations in the legal
profession on 15 April 2014; media, ICT groups and internet service providers (ISPs) on 29
April and 16 May 2014.
On 12 August 2015, the IRR of the Cybercrime Prevention Act of 2012 was finally signed
at a ceremony held in Manila attended by a spectrum of stakeholders. The IRR were duly
filed with the University of the Philippines Law Center on 21 September 2015 and
published in two newspapers of general circulation on 24 September 2015. It took effect
fifteen (15) days after - on 09 October 2015.