Agenda Item Two PROSECUTION OF CYBER CRIMES
THROUGH APPROPRIATE CYBER LEGISLATION
IN THE REPUBLIC OF THE PHILIPPINES
Severino H. Gana, Jr.
Assistant Chief State Prosecutor, Department of Justice. Republic of the Philippines
The Philippines welcomed the new millennium, unfortunately, still included among the ranks of the underdeveloped countries. Yet, behind this sad economic fact is the reality that the Philippines now promises to be a main source of information technology (IT) practitioners. Our country continues to witness the growing awareness, if not huge interest, of our youth in the dizzying developments in computer technology. Computer schools and colleges offering courses in computer science, programming and information management, have since multiplied, not only in the financial and business center that iss MetroManila, but in our provinces as well. Perhaps, as a reaction to our lackluster economy, crippled by the Asian financial crisis, where the only recourse for some is to work overseas, our youth look to computer courses as their key or promise to a well-paying programming job in the Western countries, especially in the United States.
Sadly, with the wonders and benefits that globalized information technology and computers in general have to offer the Philippines come also the omen and portent of a new breed of crime. A new category of felonies that threaten those very wonders and benefits. We are, of course, talking about Internet related and other high-technology crimes.
II. THE LOVE BUG VIRUS ORIGINATES IN THE PHILIPPINES
A prime example of that threat is a recent one. On May 5, 2000, two young Filipino computer programming students named Reonel Ramones and Onel de Guzman, became the target of a criminal investigation by our National Bureau of Investigation (NBI) agents. The NBI received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that they have received numerous calls from European computer users, complaining that a computer virus denominated as "ILOVEU" virus was sent to their computers through the said ISP. As events would later show, the "ILOVEU" virus was able to replicate itself in as many addresses as there are in a single computer's address menu to which it was originally sent The computer user enticed by the title "ILOVEU" and thinking it is a romantic e-mail message, would click on the message. He would then unknowingly unleash the same to other addresses found in his computer. By mathematical progression, the virus was able to contaminate not only Philippine computers, it jumped off to Asian users, and subsequently to the United States and Europe. Billions of dollars in Internet transactions were lost, innumerable corporate, banking and financial files were erased. It is believed that military and defense files worldwide were likewise affected. This is not to mention the inconvenience suffered by millions of computer users as a result of clogged and heavy traffic in the Internet.
A. THE NBI INVESTIGATES
After several days of surveillance and investigation of ISPs that the virus used, the NBI was able to trace a frequently appearing telephone number, which turned out to be that of Mr. Ramones' Manila apartment. His place was searched by the NBI and Mr. Ramones was consequently arrested and placed on inquest investigation before our Department of Justice (DOJ). Mr. De Guzman was likewise arrested in Manila. At that point, the NBI was at a loss as to what felony or crime to charge the two with in court. There were some agents who theorized that they may be charged with violation of our Republic Act No. 8484 or the Access Device Regulation Act, a law designed mainly to penalize credit card fraud. The reason supposedly being that both used, if not stole, pre-paid Internet cards which enabled him to use several ISPs. Another school of thought within the NBI opined that Messrs. Ramones and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines' Revised Penal Code, which was, it should be mentioned, enacted in 1 932. The problem, however, with malicious mischief, is that one of its elements, aside from damage to property, was intent to damage. In this case, Mr. De Guzman claimed during custodial investigation that he merely unwittingly released the virus.
To show his intent, the NBI investigated the AMA Computer College, the programming school in Manila where Mr. De Guzman dropped out on his senior year. There, it was found that not only was Mr. De Guzman quite familiar with computer viruses, he, in fact, proposed to create one, In his undergrad thesis, he proposed the commercialization of a Trojan virus, one that innocently enters another computer but would later steal passwords, addresses, and files therefrom, much like the Trojan horse of Greek mythology. He contended that through the Trojan virus, the user would be able to save on, if not totally make do without, prepaid Internet usage cards since passwords could be obtained by the virus. Needless to state, his thesis was rejected by school administrators for being "illegal." Thus, he was forced to drop out.
B. THE DOJ DISMISSES
Despite the worldwide media attention on the case, the DOJ first resolved to dismiss the charge against Mr. Ramones. The panel of DOJ prosecutors composed to determine probable cause against him saw at Mr. Ramones could not be indicted on either a violation of the Access Device Act or under the antiquated penal provisions on malicious mischief. It should be noted that in the Philippines, being a civil law jurisdiction, the legal doctrine "nullum crimen, nulla poena sine lege" is strictly adhered to. There is no crime where there is no law punishing it. It was resolved that our Access Device Regulation Act punishes the trafficking, control, custody or possession of credit card-making or altering equipment, without being in the business thereof. Since a prepaid Internet usage card is not an "access device" within the purview of the law, the law cannot be given a broader scope as to include computer hacking or uploading a computer virus. As to the charge of malicious mischief, the charge was likewise dismissed because only one local ISP was impleaded as a private complainant. The DOJ found that there was no tangible evidence that Mr. Ramones specifically intended to damage or injure that ISP's facilities. Mr. Ramones was thus released from custody. It is rumored that he is now employed with a British computer software firm. A few weeks later, Mr. De Guzman was likewise released on the same grounds.
III. THE PHILIPPlNE CONGRESS ENACTS THE E-COMMERCE LAW
Our law enforcement agencies' sad experience with Mr. Ramones and the "ILOVEU" virus, forced our government to realize that along with globalization and interdependence come new challenges, that of modern, white collar and non-traditional computer crimes. That realization albeit belated and knee-jerk, pushed our Congress, not only to reassess the applicability of our turn-of-the-century Revised Penal Code to high-tech crimes, but also to draft new laws specifically to address them. Only a few days after Mr. Ramones was released, our Congress enacted Republic Act No. 8792 or the Electronic Commerce Act in July 2000. At present, the Philippines is only the third Southeast Asian country to enact such a law, after Singapore and Thailand and it was even ahead of the United States' Millennium Commerce Act in doing so.
While reactionary, our E-Commerce Act is in the same breadth, revolutionary. Electronic data messages and electronic documents are now valid and enforceable and shall have the same legal effect as any other document or legal writing. It now recognizes the validity of electronic transactions, such as purchase and sales contracts over the Internet. It now gives evidentiary weight to electronic signatures, subject to certain standards of integrity and reliability. Computer files and data, subject to certain standards of integrity and reliability, even when not in print, is now considered original copy and may be presented as evidence in court, as long as it can be displayed. Now, there may be so many original and authentic documents as a litigant may be able to present in court and other government offices. The law also gives the Philippine government up to the year 2002 to start computerizing its records. By mandating all these, the E-Commerce Act has overhauled our Rules on Evidence and Criminal Procedure in ways that lawyers and law enforcers who lack computer awareness may not be able to soon absorb.
More importantly, our E-Commerce Act is also penal in nature. If Messrs. Ramones and de Guzman unleashed the "ILOVEU" virus today, they could be liable for "hacking" or "cracking". Of course, because of the Philippine Constitution's prohibition against ex post facto laws, the penal provisions of the E-Commerce Act cannot now be made to apply to them. Under the law, "hacking" or "cracking" refers to the unauthorized access into or interference in a computer system/server or information and communication system or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages and electronic documents. Hacking and cracking is punished with a mandatory imprisonment of six (6) months to three (3) years and a minimum fine of P 100,000.00 (around US $ 2,500.00) and a maximum commensurate to the damage incurred.
IV. EVOLVING PHILIPPINE CYBER LAWS
As if to completely raise our nation's guard against future "ILOVEU" viruses, and not even three (3) months after the passage of the E-Commerce Act, the Philippine House of Representatives is at present conducting studies on further enumerating various computer crimes not covered by the law. There are now calls within Congress to punish intentional unauthorized access of Philippine government computers and those of private financial and banking institutions. The higher penalty applies to intentional unauthorized access of national government computers. It is even proposed that exceeding authorized access be made a crime as well. Their definitions and elements remain fluid at present, since these are still proposed bills, however, we look forward to the punishment of computer sabotage, unauthorized access, and unauthorized interception of files and programs, as well as domain-squatting and "spamming". Cognizant of the effects of the Internet on intellectual property rights, distribution through the Internet of copyrighted audio and video works, such as that generated by Napster, is expected to be included in the subsequent laws. Because of the deluge of information over the Internet, which unfortunately, includes pornographic and racist sites, it is even proposed, despite our constitutional guarantee of freedom of speech and privacy, that introduction of immoral doctrines, obscene publications and exhibitions in cyberspace be likewise made a crime. In response to terrorist threats and rebel groups communicating over the Internet, the National Security Council (NSC), the Philippines' intelligence policy authority, is proposing before Congress that subject to certain limitations, "carnivore" programs or that which purposely read E-mail messages and trace certain addresses, be authorized by trial judges, much like search warrants, for intelligence gathering or crime prevention.
It remains to be seen whether our present measures to prevent and redress computer crimes will prove successful. Philippine case law on computer crimes does not exist and may prove to be slow. To illustrate, certain jurisdictional questions remain. Do Philippine courts have jurisdiction to apply our E-Commerce Law on individuals guilty of "hacking" and "cracking" of Philippine computers while outside Philippine shores? The global reach of computer crimes make dual or multiple criminality a likely scenario. Should "hacking" or "cracking" be included in the list of extraditable offenses? An inability to answer these questions raises the possibility that despite the presence of laws, but due to jurisdictional problems, computer criminals will continue to escape prosecution, not unlike our DOJ's dismissal of the Love Bug case. There are sectors within our legal community who offer alternatives, such as bringing certain types of electronic piracy and computer crimes within the jurisdiction of international legal institutions such as the International Criminal Court, being discussed in the United Nations. It is our considered opinion that computer crimes such as terrorism by means of computer or crimes involving computerized financial transactions, could be feasibly included as crimes warranting ICC's adjudication.
Our law enforcement agencies are by themselves still unfamiliar with the nature of these offenses and how best to enforce the law. Investigative procedures dealing with cybercrimes, which should be well within the ambit of our constitutional provisions on searches and seizures are sorely lacking. To be sure, new approaches to deal with these computer crimes must be found. It is hoped that meetings of prosecutors such as the one we are having now, will highlight not only the urgent problem of computer crimes and consequently, offer workable methods for prevention and prosecution.
- Republic Act No, 8792, "Electronic Commerce Act" 
- House of Representatives Bill No. I 1 25 1 , "An Act Providing Protection Against Computer Fraud, Abuses and Other Cyber-Related Fraudulent Activities"
- House of Representatives Bill No. 1 1252, "An Act Prohibiting and Penalizing Computer Fraud and Abuse, Providing For Good Samaritan Blocking and Screening of Offensive Material, and Other Purposes"
- House of Representatives Bill No. 1 1759, "An Act Defining Computer Crimes, Providing
Penalties Therefore and for Other Purposes."
- DOJ Resolution in I.S. No. 2000-9 1 8, "National Bureau of Investigation-Sky Internet vs. Reonel R. Ramones," June 26, 2000.
- DOJ Resolution in I.S. No. 2000-1242, "National Bureau of Investigation Sky Internet vs. Onel De Guzman," August 14, 2000,
- United Nations Manual on the Prevention and Control of Computer Related Crime