Jesus M. Disini, Jr., et al. vs. The Secretary of Justice, et al., G.R. No. 203335, February 11, 2014

Cyberlaw

FACTS:

These are consolidated petitions seeking to declare several provisions of R.A. No. 10175 (The Cybercrime Prevention Act of 2012), unconstitutional and void.

The cybercrime law aims to regulate access to and use of the cyberspace. Petitioners claim that the means adopted by the cybercrime law for regulating undesirable cyberspace activities violate certain of their constitutional rights.

ISSUE:

WHETHER OR NOT CERTAIN PROVISIONS OF THE CYBERCRIME PREVENTION ACT ARE CONSTITUTIONAL INSOFAR AS THEY REGARD CERTAIN ACTS AS CRIMES AND IMPOSE PENALTIES FOR THEIR COMMISSION AS WELL AS WOULD ENABLE GOVERNMENT TO TRACK DOWN AND PENALIZE VIOLATORS

RULING:

Section 4(a)(1) on Illegal Access is NOT unconstitutional.

 Petitioners contend that Section 4(a)(1) fails to meet the strict scrutiny standard required of laws that interfere with the fundamental rights of the people and should thus be struck down.

The Court has in a way found the strict scrutiny standard, an American constitutional construct, useful in determining the constitutionality of laws that tend to target a class of things or persons. According to this standard, a legislative classification that impermissibly interferes with the exercise of fundamental right or operates to the peculiar class disadvantage of a suspect class is presumed unconstitutional. The burden is on the government to prove that the classification is necessary to achieve a compelling state interest and that it is the least restrictive means to protect such interest. Later, the strict scrutiny standard was used to assess the validity of laws dealing with the regulation of speech, gender, or race as well as other fundamental rights, as expansion from its earlier applications to equal protection.

Strict Scrutiny Standard not applicable in Illegal Access provision.

The Court finds nothing in Section 4(a)(1) that calls for the application of the strict scrutiny standard since no fundamental freedom, like speech, is involved in punishing what is essentially a condemnable act – accessing the computer system of another without right. It is a universally condemned conduct.

Engagement of ethical hackers requires an agreement, therefore, insulating him from the coverage of Section 4(a)(1).

Petitioners fear that this section will jeopardize the work of ethical hackers, professionals who employ tools and techniques used by criminal hackers but would neither damage the target systems nor steal information. Ethical hackers evaluate the target system’s security and report back to the owners the vulnerabilities they found in it and give instructions for how these can be remedied. Ethical hackers are the equivalent of independent auditors who come into an organization to verify its bookkeeping records.

Besides, the client’s engagement of an ethical hacker requires an agreement between them as to the extent of the search, the methods to be used, and the systems to be tested. This is referred to as the “get out of jail free card.” Since the ethical hacker does his job with prior permission from the client, such permission would insulate him from the coverage of Section 4(a)(1).

Section 4(a)(3) on Data Interference is NOT unconstitutional.

Petitioners claim that Section 4(a)(3) suffers from overbreadth in that, while it seeks to discourage data interference, it intrudes into the area of protected speech and expression, creating a chilling and deterrent effect on these guaranteed freedoms.

Under the overbreadth doctrine, a proper governmental purpose, constitutionally subject to state regulation, may not be achieved by means that unnecessarily sweep its subject broadly, thereby invading the area of protected freedoms. But Section 4(a)(3) does not encroach on these freedoms at all. It simply punishes what essentially is a form of vandalism, the act of willfully destroying without right the things that belong to others, in this case their computer data, electronic document, or electronic data message. Such act has no connection to guaranteed freedoms. There is no freedom to destroy other people’s computer systems and private documents.

Petitioners fail to discharge the burden of proving that the provision is invalid under the Overbreadth Doctrine.

All penal laws, like the cybercrime law, have of course an inherent chilling effect, an in terrorem effect or the fear of possible prosecution that hangs on the heads of citizens who are minded to step beyond the boundaries of what is proper. But to prevent the State from legislating criminal laws because they instill such kind of fear is to render the state powerless in addressing and penalizing socially harmful conduct. Here, the chilling effect that results in paralysis is an illusion since Section 4(a)(3) clearly describes the evil that it seeks to punish and creates no tendency to intimidate the free exercise of one’s constitutional rights.

Besides, the overbreadth challenge places on petitioners the heavy burden of proving that under no set of circumstances will Section 4(a)(3) be valid. Petitioner has failed to discharge this burden.

No Equal Protection violation under Section 4(a)(6) on Cyber-squatting

Petitioners claim that Section 4(a)(6) or cyber-squatting violates the equal protection clause in that, not being narrowly tailored, it will cause a user using his real name to suffer the same fate as those who use aliases or take the name of another in satire, parody, or any other literary device. For example, supposing there exists a well-known billionaire-philanthropist named “Julio Gandolfo,” the law would punish for cyber-squatting both the person who registers such name because he claims it to be his pseudo-name and another who registers the name because it happens to be his real name. Petitioners claim that, considering the substantial distinction between the two, the law should recognize the difference.

But there is no real difference whether he uses “Julio Gandolfo” which happens to be his real name or use it as a pseudo-name for it is the evil purpose for which he uses the name that the law condemns. The law is reasonable in penalizing him for acquiring the domain name in bad faith to profit, mislead, destroy reputation, or deprive others who are not ill-motivated of the rightful opportunity of registering the same. The challenge to the constitutionality of Section 4(a)(6) on ground of denial of equal protection is baseless.

Section 4(b)(3) on Computer-related Identity Theft is NOT unconstitutional

Petitioners claim that Section 4(b)(3) violates the constitutional rights to due process and to privacy and correspondence, and transgresses the freedom of the press.

The right to privacy

The right to privacy, or the right to be let alone, was institutionalized in the 1987 Constitution as a facet of the right protected by the guarantee against unreasonable searches and seizures. But the Court acknowledged its existence as early as 1968 in Morfe v. Mutuc, it ruled that the right to privacy exists independently of its identification with liberty; it is in itself deserving of constitutional protection.

Zones of Privacy

Zones of privacy are recognized and protected in our laws. Within these zones, any form of intrusion is impermissible unless excused by law and in accordance with customary legal process. The meticulous regard we accord to these zones arises not only from our conviction that the right to privacy is a “constitutional right” and “the right most valued by civilized men,” but also from our adherence to the Universal Declaration of Human Rights which mandates that, “no one shall be subjected to arbitrary interference with his privacy” and “every has the right to the protection of the law against such interference or attacks.”

Two constitutional guarantees create these zones of privacy: (a) the right against unreasonable searches and seizures, which is the basis of the right to be let alone, and (b) the right to privacy of communication and correspondence. In assessing the challenge that the State has impermissibly intruded into these zones of privacy, a court must determine whether a person has exhibited a reasonable expectation of privacy and, if so, whether that expectation has been violated by unreasonable government intrusion.

No showing how the provision violates the right to privacy and correspondence as well as the right to due process of the law.

The usual identifying information regarding a person includes his name, his citizenship, his residence address, his contact number, his place and date of birth, the name of his spouse if any, his occupation, and similar data. The law punishes those who acquire or use such identifying information without right, implicitly to cause damage. Petitioners simply fail to show how government effort to curb computer-related identity theft violates the right to privacy and correspondence as well as the right to due process of the law.

Also, the charge of invalidity of this section based on the overbreadth doctrine will not hold water since the specific conducts proscribed do not intrude into guaranteed freedoms like speech. Clearly, what this section regulates are specific actions, the acquisition, use, misuse or deletion of personal identifying data of another. There is no fundamental right to acquire another’s personal data.

Section does not violate freedom of the press

Further, petitioners fear that Section 4(b)(3) violates the freedom of the press in that journalists would be hindered from accessing the unrestricted user account of a person in the news to secure information about him that could be published. But this is not the essence of identity theft that the law seeks to prohibit and punish. Evidently, the theft of identity information must be intended for an illegitimate purpose. Moreover, acquiring and disseminating information made public by the user himself cannot be regarded as a form of theft.

The Court has defined intent to gain as an internal act which can be established through the overt acts of the offender, and it may be presumed from the furtive taking of useful property pertaining to another, unless special circumstances reveal a different intent on the part of the perpetrator. As such, the press, whether in quest of news reporting or social investigation, has nothing to fear since a special circumstance is present to negate intent to gain which is required by this Section.

Section 4(c)(1) on Cybersex does NOT violate freedom of expression

Petitioners claim that the section violates freedom of expression. They express fear that private communications of sexual character between husband and wife or consenting adults, which are not regarded as crimes under the penal code, would now be regarded as crimes when done “for favor” in cyberspace. In common usage, the term “favor” includes “gracious kindness,” “a special privilege or right granted or conceded,” or “a token of love (as a ribbon) usually worn conspicuously.” This meaning given to the term “favor” embraces socially tolerated trysts. The law as written would invite law enforcement agencies into the bedrooms of married couples or consenting individuals.

The understanding of those who drew up the cybercrime law is that the element of “engaging in a business” necessary to constitute the illegal cybersex. The Act actually seeks to punish cyber prostitution, white slave trade, and pornography for favor and consideration. This includes interactive prostitution and pornography, i.e., by webcam.

Section 4(c)(2) on Child Pornography committed through a computer system is NOT unconstitutional

The section merely expands the scope of the Anti-Child Pornography Act of 2009 (ACPA) to cover identical activities in cyberspace. In theory, nothing prevents the government from invoking the ACPA when prosecuting persons who commit child pornography using a computer system.

The law makes the penalty higher by one degree when the crime is committed in cyberspace. But no one can complain since the intensity or duration of penalty is a legislative prerogative and there is rational basis for such higher penalty. The potential for uncontrolled proliferation of a particular piece of child pornography when uploaded in the cyberspace is incalculable.

Section 4(c)(3) on Unsolicited Commercial Communications or SPAM is UNCONSTITUTIONAL for violating freedom of expression

The section penalizes the transmission of unsolicited commercial communications, also known as “spam.” The term “spam” surfaced in early internet chat rooms and interactive fantasy games. One who repeats the same sentence or comment was said to be making a “spam.” The term referred to a Monty Python’s Flying Circus scene in which actors would keep saying “Spam, Spam, Spam, and Spam” when reading options from a menu.

The Government, represented by the Solicitor General, points out that unsolicited commercial communications or spams are a nuisance that wastes the storage and network capacities of internet service providers, reduces the efficiency of commerce and technology, and interferes with the owner’s peaceful enjoyment of his property. Transmitting spams amounts to trespass to one’s privacy since the person sending out spams enters the recipient’s domain without prior permission. The OSG contends that commercial speech enjoys less protection in law.

But, firstly, the government presents no basis for holding that unsolicited electronic ads reduce the “efficiency of computers.” Secondly, people, before the arrival of the age of computers, have already been receiving such unsolicited ads by mail. These have never been outlawed as nuisance since people might have interest in such ads. What matters is that the recipient has the option of not opening or reading these mail ads. That is true with spams. Their recipient always have the option to delete or not to read them.

Commercial speech still entitled to protection

To prohibit the transmission of unsolicited ads would deny a person the right to read his emails, even unsolicited commercial ads addressed to him. Commercial speech is a separate category of speech which is not accorded the same level of protection as that given to other constitutionally  guaranteed forms of expression but is nonetheless entitled to protection. The State cannot rob him of this right without violating the constitutionally guaranteed freedom of expression. Unsolicited advertisements are legitimate forms of expression.

Section 4(c)(4) on Cyber-Libel insofar as it penalizes the author of the libelous statement or article is NOT unconstitutional

Petitioner lament that libel provisions of the penal code and, in effect, the libel provisions of the cybercrime law carry with them the requirement of “presumed malice” even when the latest jurisprudence already replaces it with the higher standard of “actual malice” as a basis for conviction. Petitioners argue that inferring “presumed malice” from the accused’s defamatory statement by virtue of Article 354 of the penal code infringes on his constitutionally guaranteed freedom of expression.

Petitioners would go further. They contend that the laws on libel should be stricken down as unconstitutional for otherwise good jurisprudence requiring “actual malice” could easily be overturned as the Court has done in Fermin v. People even where the offended parties happened to be public figures.

Elements of libel: (a) allegation of a discreditable act or condition concerning another; (b) publication of the charge; (c) identity of the person defamed; and (d) existence of malice.

There is “actual malice” or malice in fact when the offender makes the defamatory statement with knowledge that is false or with reckless disregard of whether it was false or not. The reckless disregard standard used here requires a high degree of awareness of probable falsity. There must be sufficient evidence to permit the conclusion that the accused in fact entertained serious doubts as to the truth of the statement he published. Gross or even extreme negligence is not sufficient to establish actual malice.

Prosecution bears the burden of proving actual malice in instances where such element is required to establish guilt. The defense of absence of actual malice, even when the statement turns out to be false, is available where the offended party is a public official or a public figure, as in the cases of Vasquez (a barangay official) and Borjal (the Executive Director, First National Conference on Land Transportation). Since the penal code and implicitly, the cybercrime law, mainly target libel against private persons, the Court recognizes that these laws imply a stricter standard of “malice” to convict the author of a defamatory statement where the offended party is a public figure. Society’s interest and the maintenance of good government demand a full discussion of public affairs.

Where the offended party is a private individual, the prosecution need not prove the presence of malice. The law explicitly presumes its existence (malice in law) from the defamatory character of the assailed statement. For his defense, the accused must show that he has a justifiable reason for the defamatory statement even if it was in fact true.

Cybercrime Prevention Act does not violate the Philippines’ obligations under the International Covenant of Civil and Political Rights (ICCPR)

General Comment 34 of ICCPR does not say that the truth of the defamatory statement should constitute an all-encompassing defense. As it happens, Article 361 recognizes truth as a defense but under the condition that the accused has been prompted in making the statement by good motives and for justifiable ends.

Proof of the truth of an imputation of an act or omission not constituting a crime shall not be admitted, unless the imputation shall have been made against government employees with respect to facts related to the discharge of their official duties.

In such cases if the defendant proves the truth of the imputation made by him, he shall be acquitted.

Section 5 on Aiding or Abetting the Commission of Cybercrime should be permitted to apply to Section 4(a)(1) on Illegal Access, Section 4(a)(2) on Illegal Interception, Section 4(a)(3) on Data Interference, Section 4(a)(4) on System Interference, Section 4(a)(5) on Misuse of Devices, Section 4(a)(6) on Cyber-Squatting, Section 4(b)(1) on Computer-related Forgery, Section 4(b)(2) on Computer-related Fraud, Section 4(b)(3) on Computer-related Identity Theft, and Section 4(c)(1) on Cybersex.  

Petitioners assail the constitutionality of Section 5 that renders criminally liable any person who willfully abets or aids in the commission or attempts to commit any of the offenses enumerate as cybercrimes. It suffers from overbreadth, creating a chilling and deterrent effect on protected expression.

Aiding and abetting certain cybercrimes must be distinguished between the actors

In the cyberworld, there are many actors: a) the blogger who originates the assailed statement; b) the blog service provider like Yahoo; c) the internet service provider like PLDT, Smart, Globe, or Sun; d) the internet café that may have provided the computer used for posting the blog; e) the person who makes a favorable comment on the blog; and f)the person who posts a link to the blog site.

The question is: are online postings such as “Liking” an openly defamatory statement, “Commenting” on it, or “Sharing” it with others, to be regarded as “aiding or abetting?” In libel in the physical world, if Nestor places on the office bulletin board a small poster that says, “Armand is a thief!,” he could certainly be charged with libel. If Roger, seeing the poster, writes on it, “I like this!,” that could not be libel since he did not author the poster. If Arthur, passing by and noticing the poster, writes on it, “Correct!,” would that be libel? No, for he merely expresses agreement with the statement on the poster. He still is not its author. Besides, it is not clear if aiding or abetting libel in the physical world is a crime.

But suppose Nestor posts the blog, “Armand is a thief!” on a social networking site. Would a reader and his Friends or Followers, availing themselves of the “Like,” “Comment,” and “Share” reactions, be guilty of aiding or abetting libel? And, in the complex world of cyberspace expressions of thoughts, when will one be liable for aiding or abetting cybercrimes? Where is the venue of the crime?

Except for the original author of the assailed statement, the rest (those who pressed Like, Comment and Share) are essentially knee-jerk sentiments of readers who may think little or haphazardly of their response to the original posting. Will they be liable for aiding or abetting? And, considering the inherent impossibility of joining hundreds of thousands of responding “Friends” or “Followers” in the criminal charge to be filed in court, who will make a choice as to who should go to jail for the outbreak of the challenged posting?

Section 5 of the cybercrime law that punishes “aiding or abetting” cyber-libel, unsolicited commercial communications and child pornography is a nullity for being UNCONSTITUTIONAL

Cyberlibel often goes hand in hand with cyberbullying that oppresses the victim, his relatives, and friends, evoking from mild to disastrous reactions. Still, a governmental purpose, which seeks to regulate the use of this cyberspace communication technology to protect a person’s reputation and peace of mind, cannot adopt means that will unnecessarily and broadly sweep, invading the area of protected freedoms.

If such means are adopted, self-inhibition borne of fear of what sinister predicaments await internet users will suppress otherwise robust discussion of public issues. Democracy will be threatened and with it, all liberties. Penal laws should provide reasonably clear guidelines for law enforcement officials and triers of facts to prevent arbitrary and discriminatory enforcement. The terms “aiding or abetting” constitute broad sweep that generates chilling effect on those who express themselves through cyberspace posts, comments, and other messages. Hence, Section 5 of the cybercrime law that punishes “aiding or abetting” libel on the cyberspace is a nullity.

When void-for-vagueness doctrine is acceptable

When a penal statute encroaches upon the freedom of speech, a facial challenge grounded on the void-for-vagueness doctrine is acceptable. Generally, the overbreadth and vagueness doctrine is inapplicable in ‘facial” challenges to penal statutes not involving free speech. In an “as applied” challenge, the petitioner who claims a violation of his constitutional right must assert his own right, not that of third persons. This rule is also known as the prohibition against third-party standing.

But this rule admits of exceptions. A petitioner may for instance mount a “facial” challenge to the constitutionality of a statute even if he claims no violation of his own right under the assailed statute where it involves free speech on the grounds of overbreadth or vagueness of the statute.

The rationale for this exception is to counter the “chilling effect” on protected speech that comes from statutes violating free speech. A person who does not know whether his speech constitutes a crime under an overbroad or vague law may simply restrain himself from speaking in order to avoid being charged of a crime. The overbroad or vague law thus chills him into silence.

Section 5 with respect to Section 4(c)(4) is unconstitutional. Its vagueness raises apprehension on the part of internet users because of its obvious chilling effect on the freedom of expression, especially since the crime of aiding or abetting ensnares all the actors in the cyberspace front in a fuzzy way. What is more, as the petitioners point out, formal crimes such as libel are not punishable unless consummated. In the absence of legislation tracing the interaction of netizens and their level of responsibility such as in other countries, Section 5, in relation to Section 4(c)(4) on Libel, Section 4(c)(3) on Unsolicited Commercial Communications, and Section 4(c)(2) on Child Pornography, cannot stand scrutiny.

Section 6, which imposes a higher penalty on crimes penalized under the Revised Penal Code if committed through information and communication technologies, is NOT unconstitutional.

Section 6 merely makes commission of existing crimes through the internet a qualifying circumstance. As the Solicitor General points out, there exists a substantial distinction between crimes committed through the use of information and communications technology and similar crimes committed using other means. In using the technology in question, the offender often evades identification and is able to reach far more victims or cause greater harm. The distinction, therefore, creates a basis for higher penalties for cybercrimes.

Section 7, which allows prosecution both under the Cybercrime Law and the Revised Penal Code, is UNCONSTITUTIONAL insofar as cyber-libel and cyber child pornography is concerned.

There should be no question that if the published material on print, said to be libelous, is again posted online or vice versa, that identical material cannot be the subject of two separate libels. The two offenses, one a violation of Article 353 of the Revised Penal Code and the other a violation of Section 4(c)(4) of R.A. 10175 involve essentially the same elements and are in fact one and the same offense. Indeed, the OSG itself claims that online libel under Section 4(c)(4) is not a new crime but is one already punished under Article 353. Section 4(c)(4) merely establishes the computer system as another means of publication. Charging the offender under both laws would be a blatant violation of the proscription against double jeopardy.

The same is true with child pornography committed online. Section 4(c)(2) merely expands the ACPA’s scope so as to include identical activities in cyberspace. As previously discussed, ACPA’s definition of child pornography in fact already covers the use of “electronic, mechanical, digital, optical, magnetic or any other means.” Thus, charging the offender under both Section 4(c)(2) and ACPA would likewise be tantamount to a violation of the constitutional prohibition against double jeopardy.

Section 8 which imposes penalties for cybercrimes is NOT unconstitutional

The matter of fixing penalties for the commission of crimes is as a rule a legislative prerogative. Here the legislature prescribed a measure of severe penalties for what it regards as deleterious cybercrimes. They appear appropriate to the evil sought to be punished. The power to determine penalties for offenses is not diluted or improperly wielded simply because at some prior time the act or omission was but an element of another offense or might just have been connected with another crime. Judges and magistrates can only interpret and apply them and have no authority to modify or revise their range as determined by the legislative department.

Section 12, authorizing law enforcement to collect real-time traffic data, is TOO SWEEPING AND LACKS RESTRAINT

Petitioners assail the grant to law enforcement agencies of the power to collect or record traffic data in real time as tending to curtail civil liberties or provide opportunities for official abuse. They claim that data showing where digital messages come from, what kind they are, and where they are destined need not be incriminating to their senders or recipients before they are to be protected. Petitioners invoke the right of every individual to privacy and to be protected from government snooping into messages or information that they send to one another.

The first question is whether or not Section 12 has a proper governmental purpose since a law may require the disclosure of matters normally considered private but then only upon showing that such requirement has a rational relation to the purpose of the law, that there is compelling State interest behind the law, and that the provision itself is narrowly drawn. In assessing regulations affecting privacy rights, courts should balance the legitimate concerns of the State against constitutional guarantees.

Undoubtedly, the State has a compelling interest in enacting the cybercrime law for there is a need to put order to the tremendous activities in cyberspace for public good. To do this, it is within the realm of reason that the government should be able to monitor traffic data to enhance its ability to combat all sorts of cybercrimes.

Chapter IV of the cybercrime law, of which the collection or recording of traffic data is part, aims to provide the law enforcement authorities with the power they need for spotting, preventing, and investigating crimes committed in cyberspace. Crime-fighting is a state business.

Those who commit the crimes of accessing a computer system without right, transmitting viruses, lasciviously exhibiting sexual organs or sexual activity for favor or consideration, and producing child pornography could easily evade detection and prosecution by simply moving the physical location of their computers or laptops from day to day. In this digital age, the wicked can commit cybercrimes from virtually anywhere: from internet cafes, from kindred places that provide free internet services, and from unregistered mobile internet connectors. Criminals using cellphones under pre-paid arrangements and with unregistered SIM cards do not have listed addresses and can neither be located nor identified. There are many ways the cyber criminals can quickly erase their tracks. Those who peddle child pornography could use relays of computers to mislead law enforcement authorities regarding their places of operations. Evidently, it is only real-time traffic data collection or recording and a subsequent recourse to court-issued search and seizure warrant that can succeed in ferreting them out.

Two categories of right to privacy

In Whalen v. Roe, the United States Supreme Court classified privacy in two categories: decisional privacy and informational privacy. Decisional privacy involves the right to independence in making certain important decisions, while informational privacy refers to the interest in avoiding disclosure of personal matters. It is the latter right – the right to informational privacy – that those who oppose government collection or recording of traffic data in real-time seek to protect.

Informational privacy and its two aspects

Informational privacy has two aspects: the right not to have private information disclosed, and the right to live freely without surveillance and intrusion. In determining whether or not a matter is entitled to the right to privacy, this Court has laid down a two-fold test. The first is a subjective test, where one claiming the right must have an actual or legitimate expectation of privacy over a certain matter. The second is an objective test, where his or her expectation of privacy must be one society is prepared to accept as objectively reasonable.

Without reasonable expectation of privacy, the right to it would have no basis in fact

Computer data – messages of all kinds – travel across the internet in packets and in a way that may be likened to parcels of letters or things that are sent through the posts. When data is sent from any one source, the content is broken up into packets and around each of these packets is a wrapper or header. This header contains the traffic data: information that tells computers where the packet originated, what kind of data is in the packet (SMS, voice call, video, internet chat messages, email, online browsing data, etc.), where the packet is going, and how the packet fits together with other packets. The difference is that traffic data sent through the internet at times across the ocean do not disclose the actual names and addresses (residential or office) of the sender and the recipient, only their coded internet protocol (IP) addresses. The packets travel from one computer system to another where their contents are pieced back together.

Section 12 does not permit law enforcement authorities to look into the contents of the messages and uncover the identities of the sender and the recipient.

ICT users must know that they cannot communicate or exchange data with one another over cyberspace except through some service providers to whom they must submit certain traffic data that are needed for a successful cyberspace communication. The conveyance of this data takes them out of the private sphere, making the expectation of privacy in regard to them an expectation that society is not prepared to recognize as reasonable.

“Due Cause” under Section 12 has no precedent in law or jurisprudence

Section 12 empowers law enforcement authorities, “with due cause,” to collect or record by technical or electronic means traffic data in real-time. But the cybercrime law, dealing with a novel situation, fails to hint at the meaning it intends for the phrase “due cause.” Section 12 does not even bother to relate the collection of data to the probable commission of a particular crime. It just says, “with due cause,” thus justifying a general gathering of data. It is akin to the use of a general search warrant that the Constitution prohibits.

The authority that Section 12 gives law enforcement agencies is too sweeping and lacks restraint. While it says that traffic data collection should not disclose identities or content data, such restraint is but an illusion. Admittedly, nothing can prevent law enforcement agencies holding these data in their hands from looking into the identity of their sender or receiver and what the data contains. This will unnecessarily expose the citizenry to leaked information or, worse, to extortion from certain bad elements in these agencies.

Section 12, of course, limits the collection of traffic data to those “associated with specified communications.” But this supposed limitation is no limitation at all since, evidently, it is the law enforcement agencies that would specify the target communications. The power is virtually limitless, enabling law enforcement authorities to engage in “fishing expedition,” choosing whatever specified communication they want. This evidently threatens the right of individuals to privacy.

This Court is mindful that advances in technology allow the government and kindred institutions to monitor individuals and place them under surveillance in ways that have previously been impractical or even impossible. “All the forces of technological age x x x operate to narrow the area of privacy and facilitate intrusions into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and totalitarian society.” The Court must ensure that laws seeking to take advantage of these technologies be written with specificity and definiteness as to ensure respect for the rights that the Constitution guarantees.

Section 13 on preservation of computer data and Section 17 on destruction of computer data do not constitute undue deprivation of right to property

The contents of materials sent or received through the internet belong to their authors or recipients and are to be considered private communications. The data that service providers preserve on orders of law enforcement authorities are not made inaccessible to users by reason of the issuance of such orders. The process of preserving data will not unduly hamper the normal transmission or use of the same.

It is unclear that the user has demandable right to require the service provider to have that copy of the data saved indefinitely for him in its storage system. If he wanted them preserved, he should have saved them in his computer when he generated the data or received it. He could also request the service provider for a copy before it is deleted.

Section 14 on disclosure of computer data does not violate privacy of communications and correspondence

The process envisioned in Section 14 is being likened to the issuance of subpoena. Executive agencies have the power to issue subpoena as an adjunct of their investigatory powers. Besides, what Section 14 envisions is merely the enforcement of a duly issued court warrant, a function usually lodged in the hands of law enforcers to enable them to carry out their executive functions. The prescribed procedure for disclosure would not constitute an unlawful search or seizure nor would it violate the privacy of communications and correspondence. Disclosure can be made only after judicial intervention.

Section 15 on search, seizure and examination of computer data does not supersede existing search and seizure rules

On its face, Section 15 merely enumerates the duties of law enforcement authorities that would ensure the proper collection, preservation, and use of computer system or data that have been seized by virtue of a court warrant. The exercise of these duties does not pose any threat on the rights of the person from whom they were taken. Section 15 does not appear to supersede existing search and seizure rules but merely supplements them.

Section 19 on restricting or blocking access to computer data is UNCONSTITUTIONAL

Computer data may refer to entire programs or lines of code, including malware, as well as files that contain texts, images, audio, or video recordings. Without having to go into a lengthy discussion of property rights in the digital space, it is indisputable that computer data, produced or created by their writers or authors may constitute personal property. Consequently, they are protected from unreasonable searches and seizures, whether while stored in their personal computers or in the service provider’s systems.

Section 2, Article III of the 1987 Constitution provides that the right to be secure in one’s papers and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable. Further, it states that no search warrant shall issue except upon probable cause to be determined personally by the judge. Here, the Government, in effect, seizes and places the computer data under its control and disposition without a warrant. The Department of Justice order cannot substitute for judicial search warrant.

The content of the computer data can also constitute speech. In such a case, Section 19 operates as a restriction on the freedom of expression over cyberspace. Certainly not all forms of speech are protected. Legislature may, within constitutional bounds, declare certain kinds of expression as illegal. But for an executive officer to seize content alleged to be unprotected without any judicial warrant, it is not enough for him to be of the opinion that such content violates some law, for to do so would make him judge, jury, and executioner all rolled into one.

Not only does Section 19 preclude any judicial intervention, but it also disregards jurisprudential guidelines established to determine the validity of restrictions on speech. Restraints on free speech are generally evaluated on one of or a combination of three tests: the dangerous tendency doctrine, the balancing of interest test, and the clear and present danger rule. Section 19, however, merely requires that the data to be blocked be found prima facie in violation of any provision of the cybercrime law. Taking Section 6 into consideration, this can actually be made to apply in relation to any penal provision. It does not take into consideration any of the three tests mentioned above.

Section 20, punishing non-compliance with any order issued by law enforcement agencies under Chapter IV, is NOT unconstitutional

Petitioners challenge Section 20, alleging that it is a bill of attainder. The argument is that mere failure to comply constitutes a legislative finding of guilt, without regard to situations where non-compliance would be reasonable or valid.

But since the non-compliance would be punished as a violation of P.D. 1829, Section 20 necessarily incorporates elements of the offense which are defined therein. Thus, there must still be judicial determination of guilt, during which, defense and justifications for non-compliance may be raised. Thus, Section 20 is valid insofar as it applies to the provisions of Chapter IV which are not struck by the Court.

Sections 24 and 26, which provides the creation and powers of the Cybercrime Investigation and Coordination Center, are VALID

Petitioners mainly contend that Congress invalidly delegated its power when it gave the Cybercrime Investigation and Coordinating Center (CICC) the power to formulate a national cybersecurity plan without any sufficient standards or parameters for it to follow.

In order to determine whether there is undue delegation of legislative power, the Court has adopted two tests: the completeness test and the sufficient standard test. Under the first test, the law must be complete in all its terms and conditions when it leaves the legislature such that when it reaches the delegate, the only thing he will have to do is to enforce it. The second test mandates adequate guidelines or limitations in the law to determine the boundaries of the delegate’s authority and prevent the delegation from running riot.

Here, the cybercrime law is complete in itself when it directed the CICC to formulate and implement a national cybersecurity plan. Also, contrary to the position of the petitioners, the law gave sufficient standards for the CICC to follow when it provided a definition of cybersecurity.

Further, the formulation of the cybersecurity plan is consistent with the policy of the law to “prevent and combat such [cyber] offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels, and by providing arrangements for fast and reliable international cooperation.” This policy is clearly adopted in the interest of law and order, which has been considered as sufficient standard.

Leave a Comment

Your email address will not be published. Required fields are marked *