a summary of the state of cyber security laws in the philippines


Upload: maan-espinosa

Post on 30-Aug-2014


Page 1: A Summary of the State of Cyber Security Laws in the Philippines

A Summary of the State of Cyber Security Laws in the Philippines

Submitted by Maria Ana E. Espinosa

Computer Security Laws Benchmark Legislation

The Council of Europe’s Convention on Cybercrime serves as the benchmark legislation for the analysis on the Philippines, since it is widely recognized as an international norm on the criminalisation of computer-related conduct and has been signed by different European countries as well as the US, Canada, Japan and South Africa.

Title 1 criminalizes unauthorized access to and illicit tampering with systems, programs or data. The crimes are divided into illegal access, illegal interception, data interference, system interference and misuse of device offences. Title 2 focuses on computer-facilitated commission of fraud and forgery, while Title 5 declares the ancillary liability of those assisting the crimes mentioned in Titles 1 and 2.

The Philippines has, so far, implementing laws that are only weakly or moderately aligned with the Convention. The existing laws merely focus on the unauthorized access of computers or data. The Philippines still relies on the general law (such as the Revised Penal Code) to prohibit acts that are mentioned in the Convention. However, the Philippines currently has pending comprehensive security legislation, known as the Cybercrime Prevention Act of 2005 or House Bill 3777, which identically reproduces the offenses in the Convention’s Titles 1, 2 and 5.

Philippine Legislative Status

Area: Computer Security Laws

Topic: Title 1 – Core Offenses (illegal access, illegal interception, data interference, system interference, misuse of devices)
Legislation: Electronic Commerce Act; Anti-Wire Tapping Act
Pending: Cybercrime Prevention Act of 2007; Anti-Computer Fraud and Abuses Act of 2007

Topic: Title 2 – Computer-related Offenses (computer-related forgery, computer-related fraud)
Legislation: Revised Penal Code
Pending: Cybercrime Prevention Act of 2007; Anti-Computer Fraud and Abuses Act of 2007

Topic: Title 5 – Ancillary Liability (attempt, aiding, abetting, corporate liability)
Pending: Cybercrime Prevention Act of 2007

Area: Privacy Laws

Topic: Data Protection
Legislation: Constitutional right of privacy. No comprehensive data protection regulation; however, the Department of Trade and Industry has promulgated an administrative order that contains voluntary guidelines for the protection of personal data held by private sector organisations.

Topic: Surveillance
Legislation: Anti-Wire Tapping Act

Topic: Sensitive Information
Legislation: Secrecy of Bank Deposits Act

Area: Spam Laws

Topic: Anti-spam Regulation
Legislation: No general legislation, but see implementing rules on sending spam messages by SMS and MMS under the Telecommunications Policy Act
Pending: Cybercrime Prevention Act of 2007

Area: Online Child Safety Laws

Topic: General Child Pornography Offenses
Legislation: No general child pornography regulation, but use of children in production of pornography is prohibited under the Special Protection of Children Against Abuse, Exploitation and Discrimination

Topic: Title 3 – Computer-facilitated Child Pornography Offenses
Pending: Cybercrime Prevention Act of 2007; Internet Indecency Act

Bill Number: SBN. 2796 (3rd Reading Version); HB. 3376 (Introduced by Buhay Party List)

Policy, Rationale, Purpose and Aim

The bills recognize the importance to the nation’s overall social and economic growth of the information and communication industry

To provide a Comprehensive Policy Framework that regulates cyber-crimes bred by advances in Cyber Crime Technologies that hinder the development of cybercrime technologies

Define Cyber Crimes, identify punishable acts and corresponding punishments, define procedures for investigation and prosecution, clarify jurisdictions and determine responsible local and national agencies and their responsibilities.

Definition of Terms

Computer - an electronic, magnetic, optical, electrochemical, or other data processing or communications device, or grouping of such devices, capable of performing logical, arithmetic, routing, or storage functions and which includes any storage facility or equipment or communications facility or equipment directly related to or operating in conjunction with such device. It covers any type of computer device including devices with data processing capabilities like mobile phones and also computer networks;

Computer - refers to any device or apparatus which by electronic or electro-magnetic impulse, or by other means, is capable of receiving, recording, transmitting, storing, processing, retrieving, or producing information, data, figures, symbols or other modes of expression according to mathematical and logical rules of performing any one or more of these functions, including its associated devices and peripherals;

Cyber-Crimes – refers to any offense committed by using a computer or computer or communications network

Acts Punishable

SBN 2796:

Cybercrime Offenses - offenses against the confidentiality, integrity and availability of computer data and systems (related to Computer Crimes in the House bill):

A. Illegal Access – access to computers and communication networks without authority.

B. Illegal Interception – interception without right of any non-public transmission of computer or communication data, except:
1) It is the agent's, employee's or officer's duty (in transmission, employment, quality control) to intercept
2) No expectation of privacy.

C. Misuse of Devices – use, production, sale, procurement, importation, distribution or otherwise making available of:
1) Devices/software whose primary purpose is committing an offense,
2) Computer or network password
Possession of such items is also punishable except if used for product testing (i.e. security software) or academic purposes

D. Data Interference – computer sabotage with no apparent aim (under Computer Sabotage in the House bill)
1. System Interference – aimed to hinder the function of the computer or network
2. Cyber-squatting – the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name is:
o Similar, identical, or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration;
o Identical or in any way similar with the name of a person other than the registrant, in case of a personal name; and
o Acquired without right or with intellectual property interests in it. – maybe related to RPC intellectual property laws under the House bill

Computer Related Offenses – related to Computer Sabotage in the House bill

A. Computer Related Forgery
o input, alteration or deletion without right creating inauthentic computer data and acting upon for legal purposes as if it were authentic
o use of such inauthentic data knowing it was a product of forgery

B. Computer Related Fraud – intentional and unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby, with the intent of procuring an economic benefit for oneself or for another person or for the perpetuation of a fraudulent or dishonest activity

Content Related Offense – related to Computer Facilitated Crimes in the House bill

A. Cyber Sex – operation, directly/indirectly, of exhibition of sexual organs/activity or acts of lasciviousness with use of computers

B. Child pornography - without prejudice to “anti trafficking” and “Child Protection

C. Unsolicited Commercial Communications – transmission of electronic messages that advertise illegal products. Except: 1) Consent from recipient present 2) Recipient can reject message (opt-out), message is not disguised, no misleading info that lead recipient to read – seen under Computer Crimes in the House bill

D. Libel – as defined by RPC, with use of computers

Other Offenses

A. Aiding and abetting the commission of cyber crimes

B. Attempting the commission of cyber crimes

HB 3376:

Computer Crimes – acts that target the computers, communication networks and systems and the data they process.

A. Illegal Access – access to computers and communication networks without authority.

B. Illegal Interception – interception without right of any non-public transmission of computer or communication data, except:
1. It is the agent's, employee's or officer's duty (in transmission, employment, quality control) to intercept
2. No expectation of privacy.

C. Misuse of Devices – use, production, sale, procurement, importation, distribution or otherwise making available of:
1) Devices/software whose primary purpose is committing an offense,
2) Computer or network password
Possession of such items is also punishable except if used for product testing (i.e. security software) or academic purposes

Unsolicited Commercial Communications – transmission of electronic messages that advertise illegal products. Exceptions are: 1) Consent from recipient present 2) Recipient can reject message (opt-out), message is not disguised, no misleading info that lead recipient to read

Computer Sabotage – input, alteration, erasure or suppression of computer and communication network data to hinder the function of the computer or network. Includes transmission of virus.

A. Data Interference – computer sabotage with no apparent aim

B. System Interference – aimed to hinder the function of the computer or network

C. Computer Fraud – aimed to commit fraud

D. Computer Forgery – acts constitute forgery

Computer Facilitated Crime – computer or communication network is used as a tool in committing a crime

A. Cybersex – without prejudice to “anti trafficking” and “Child Protection act”
o Producing child pornography for distribution in a computer or network
o Offering or making such child pornography available through a computer or computer network
o Distribution and transmitting child pornography through computer networks
o Possession of child pornography in computer medium
o Solicitation of and prostitution of cybersex
o Operation of cyber café which engages in cybersex
o Promotion/ads of cyber sex

B. RPC intellectual property laws through computer / computer networks including wiretapping laws

Note: It is red if it is not punished in the other bill

Penalties

SBN 2796:

o Offenses against the confidentiality, integrity and availability of computer data and systems, and Computer Related Offenses – prision mayor or fine of 200,000 to damage incurred or both
o Cyber-squatting – prision mayor or fine of not more than 500,000
o Offenses against the confidentiality, integrity and availability of computer data and systems done against critical infrastructure – reclusion temporal or a fine of 500,000 to damage incurred or both
o Cyber Sex – prision mayor or 200,000 to 1,000,000 or both
o Child pornography – punishment in Child pornography act
o Unsolicited Commercial Communication – arresto mayor 50,000 - 250,00 or both
o Aiding, abetting and attempting – 1 degree lower or 100,000-500,000 or both
o If act punishable is done due to lack of supervision of a person, such person shall be fined not less than double the fine imposable – 5,000,000

HB 3376:

o Illegal Access, Illegal Interception, Misuse of Devices and all types of computer sabotage – prision mayor + fine of 100,000 to damage incurred
o Unsolicited Commercial Communication – prision correccional or 100,000-600,000 or both
o All types of computer facilitated crimes – prision mayor + 200,000 – 800,000
o Maximum penalty if: 1) confidential information is communicated 2) non-public computer of government agency was accessed

National Cyber Security Efforts
by Undersecretary Virtus V. Gil, National Cyber Security Coordinator
AFP Summit on Enhancing Cyber Security, National Cyber Defense Capability Development Conference
Dusit Thani Manila, March 10-11, 2010

Status of RP Internet:

o The number of internet users increases by an average of 200,000 to 300,000 per year
o Use of public PCs is more common than the use of private PCs
o Public PCs are more prone to attackers, since their use is hard to track and guarantees anonymity
o There is continuous expansion of the online game market, which is prone to cheating, identity theft and item trading
o The cybercrime issue started in 2000 with the ‘LOVEBUG’ virus, which was created by a Filipino; from the FBI’s data it caused $12 Billion worth of worldwide damage
o NBI has handled 30 cybercrimes so far
o PNP monitored 446 defacements of government websites since 2003
o There are 700 incidents per day of cybercrimes involving private individuals

Cyber-Terrorism Activities

o There are eight different ways in which contemporary terrorists are presently using the Internet, ranging from psychological warfare; publicity and propaganda; to highly instrumental usage such as networking; sharing of information; fundraising; recruitment; data mining; planning and coordination of actions.
o Local rebels are targeting cellular sites. There were 19 attacks in 2006 and 9 attacks in 2007, which caused telecommunication companies 3M pesos of damage
o Operation Bojinka
  o Arab dialect meaning, explosion
  o A planned large-scale attack on airliner in 1995 and precursor of the September 11, 2001 attacks
  o Plotters of Bojinka used the Philippines as a launching pad for terrorist acts by supporting Abu Sayyaf
  o Computer forensics played a big role in decrypting the messages and thwarting a deadly terrorist attack

Assessment Organization for RP Cyber Defense

Computer Emergency Response Team (PHCERT)
o Providing assistance or response to local cyber security
o Operation is email-based and phone-based
o Has strong coordination with different government agencies through the conduct of technical trainings
o Operations are faced with financial difficulty and human resources scarcity

National Bureau of Investigation – Anti Fraud and Cyber Crime Division
o Created in February 1997
o Needs to be empowered by law in order to be organizationally and financially effective

Philippine National Police – Government Computer Security Incident Response Team
o Aims to suppress, detect and investigate computer network intrusions and other related internet or computer crimes
o Uses digital analysis, log file analysis, forensic media analysis, etc.
o Issues are lack of specific legislation, lack of management support, overlapping roles of IT government bodies, lack of proper training of law enforcers, public awareness, etc.

Other Organizations
o ISSSP (Information Systems Security Specialists of the Philippines) - involved in the effort of creating awareness and raising the level of information security practice and security management in the Philippines.
o PH-CISSP (Philippine Certified Information Systems Security Professionals) - certifies Filipinos with security professional work experience.
o ISACA (Information Systems Audit and Control Association) - sponsors local educational seminars and workshops, engages in IT research projects, conducts regular meetings, and helps to further promote and elevate the visibility of the IS audit, control and the security professional.

Cyber Security Legal Regime

RA 8792 (Philippine E-Commerce Law) - not particular about emergency readiness, but it does set the legal framework for recognition of electronic documents and transactions.

Central Bank Circulars – dictate banks and financial institutions as regards the:
o Financial systems stability and service levels
o Connectivity security and redundancy requirements
o Presence of disaster recovery site and systems

Pending Laws
o HB 1246 Anti-Cyber Crime Act of 2001
o HB 2251 Convergence Policy Act of the Philippines of 2004
o SB 428 The Anti-Telecommunications Fraud Act of 2004
o SB 2073 Data Protection Act of 2005
o HB 3777 Cyber-crime Prevention Act of 2005

Role of Cyber Security Coordinator

Coordinating domestic and foreign cyber-terrorism countermeasures

Spearhead enhancement of public-private sector partnership to protect critical national infrastructures

Cyber Security Roadmap
o Establish Cyber Security Coordination Office
o Establish emergency readiness system
o Operate emergency readiness system

Proposal to Public-Private Partnership

Identifying and creating a single point of contact for purposes of simplifying the information exchange among organizations.

Fostering collaborative effort of strengthening capabilities of developing a home-grown incident response team and conducting collaborative research activities to monitor and detect cyber-terrorism activities

Continuing the effort of strengthening the mutual trust among the private and public entities.