Of Cybercrimes and Present Times

(First of Two Parts)

Call him “X. ” He put the spotlight on cybercrime, triggering the siren and searchlights, warning the rest of us that there are truly dangerous sorts online and on the loose. In May 2000, just months after clocks counted down to a millennium bug disaster that had fortunately fizzled, X sent his own bug, his virus, into the Internet. It was detected first in Hong Kong but by then it was already too late. X’s virus relentlessly spread to more than 20 countries, affecting more than 45 million users.

In Europe, the virus would infest and hobble as many as 70% of the computers in Germany, Sweden, and the Netherlands. It destroyed thousands of irreplaceable images in the archives of a Hamburg newspaper and crashed the email servers of a Paris cosmetics maker. And in Belgium, it disabled ATMs, leaving people cashless and stranded across the country. X’s creation invaded the United States, intruding into the systems of 80% of its federal agencies, infecting the computers of both NASA and the CIA, and forcing the shutdown of Congress’ email servers on Capitol Hill.

Stealing passwords, gaining illicit access, and destroying data in millisecond timescale, X’s virus replicated itself across the globe, causing billions of dollars in damage, in just two hours. Though the virus left a trail that was quickly traced to X’s country, it still did not bri ng the authorities swiftly enough to his doorstep.

In the nation of X, mayhem by computer was still so abstract that it could not easily warrant a search of his premises. When a judge was finally convinced to issue a search warrant, the authorities found evidence that it was indeed X who had created and unleashed the virus, but then they had to pause, again. The nation of X had no cybercrime laws, no law that described X’s actions as criminal, and the authorities first had to ponder what charges to bring against him. And so, even the theft and credit card fraud charges they eventually brought against X were subsequently dismissed as inapplicable. And X, the former Computer Science student Omel de

Guzman who is alleged to have created the Philippines’ infamous Love Bug virus, then skated absolutely free from prosecution.

The E-Commerce Law

De Guzman’s immunity rankled more when R.A. 8792—the E-Commerce Law—was signed into law just one month after the Love Bug outbreak. Under the law that came too late, de Guzman could have been charged with hacking—an offense punishable by imprisonment of six months to three years, and a fine equivalent to the billions of dollars in damage caused by the virus. It rankled even more abroad, among the Philippines’ allies, because only with the law would there have been grounds to extradite de Guzman, putting him on trial on foreign shores where the virus had done the most damage.

The E-Commerce Law was passed too late to catch the Love Bug culprit, but so soon after the incident that ironically, and for a while, it was depicted as the country’s main effort in cybercrime legislation. It was not. In the works long before the virus’ outbreak, the E-Commerce Law was already being considered before the turn of the century when Y2K forced everyone to take stock of just how pervasive computers have become. The law was intended to recognize and give legal efficacy to electronic documents and transactions. What were once considered mere digital facsimiles of hard-copy agreements and contracts now became binding documents in themselves. Digital material became property, their originators accorded rights of ownership. A first step really, the E-Commerce Law was just meant to open the doors to emerging new ways for doing business digitally. Hacking and piracy, the acts explicitly made punishable by the law, are described only in the section on penalties, under the law’s final provisions, and are clearly limited to those acts that threaten the law’s key principles of ownership and due authority over electronic data.

Convention on Cybercrime

But what of acts that not only threaten new ways for doing business digitally, what of acts borne of the usual harmful intent that can now be done in new ways online? What about fraud, forgery, and identity theft on the Internet? What about crimes against the innocent perpetrated on child pornography websites? What about stalking, harassment, or even murders triggered by the online publication of a hate list? And what of Internet schemes that can victimize any person with a credit card, anywhere in the world?

These could have been the questions that the Council of Europe asked when it proposed the Convention on Cybercrime in November 2001, officially putting the name “Cybercrime” to all harmful acts committed with the aid or through the means of cyberspace, a year after and in response to the Love Bug outbreak. The Convention on Cybercrime was proposed for the ratification of all nations with cybercrime legislation, soliciting international support for holding perpetrators accountable in all countries where they caused harm.

The Philippines has not been able to ratify the International Convention on Cybercrime, the nation from where the Love Bug sprung has not been able to support the international effort that arose in response to the infamous virus, because the country did not have cybercrime legislation that matched the scope advocated by the convention. Not until last year when R.A. 10175, the Cybercrime Prevention Act, was signed into law on September 12, 2012.

cybercrime law 2 (1) — Will the libel clause on the Anti-Cybercrime Law shut up netizens? Photo by John Ray Ramos.

The Anti-Cybercrime Law

But even now, near the middle of 2013, the Cybercrime Prevention Act is still not enforced. Criticized widely, on high and even from abroad for arguable infringements on civil liberties, the Cybercrime Prevention Act of 2012—better known as the Anti-Cybercrime Law—has been restrained, indefinitely. Even before the law was to take effect on October 3, fifteen days after completion of its publication on September 18, the Supreme Court had already received several petitions questioning the constitutionality of the Anti-Cybercrime Law. But on October 2, on the eve of implementation, it deferred its decision on the matter since the absence of some justices prevented the Court from sitting en banc. Then on October 9, just a week after the deferment, with the law hardly making it to the government agencies tasked with formulating its implementing rules and regulations, the Supreme Court convened and issued a temporary restraining order, a TRO, on its implementation. The TRO was to remain in effect for 120 days until February 6, 2013. After hearing oral arguments from the petitioners on January 15, then from the Solicitor General on January 22, the Supreme Court convened on February 5, the day before the TRO would have been lifted, and ordered its continuing effect until further notice from the Court.

Libel as Cybercrime

Objections to the law’s constitutionality have been mainly aimed at its clause on libel, a clause inserted in the eleventh hour of deliberations and which now seems orphaned with no lawmaker readily admitting to its ownership. Included as the very last item under content-related offenses, which in turn is the very last category under the law’s section describing punishable cybercrimes, the controversial clause in the Anti-Cybercrime Law merely refers to the prevailing definition of libel while extending it to include acts “committed through a computer system or any other similar means which may be devised in the future.”

The clause looks innocuous enough, seemingly disproportionate to the uproar that it has caused. But even if it had not been inserted, even if no Anti-Cybercrime Law had ever gone on the books, the country’s continued criminalization of libel in itself has already been, and will continue to be, a cause for heated debate. A bone of contention between pundits both in and outside the Philippines, the definition of libel in the Revised Penal Code has even been criticized by the United Nations as contrary to the International Covenant on Civil and Political Rights, and is not consistent for a nation that respects its citizens’ freedom of expression.

Perplexingly, the Anti-Cybercrime Law could have been applied to libel even without the inserted clause. Just four short paragraphs down from the libel clause is a whole section that serves as a catch-all, making the Anti-Cybercrime Law applicable to all crimes defined in the Revised Penal Code—libel included—if any of these are committed “through and with the use of information and communications technologies.” Examine the language of this catch-all section and you’d even find it more encompassing yet shorter than the libel clause’s pedestrian wording of “prohibited acts … committed through a computer system or any other similar means which may be devised in the future.” The catch-all seems to have been written by someone familiar with the underlying technologies that can be employed for cybercrime, while the libel clause’s phrasing looks myopic in comparison, describing only the appliances in which these technologies are packaged. In essence, the reversal of opinions, withdrawal of support, and the petitions to the Supreme Court questioning its constitutionality, all show that the Anti-Cybercrime Law was weakened by a redundant clause which highlighted its reference to the prevailing and controversial definition of libel as a crime. The clause, looking like a simple afterthought, had instead turned into a lightning rod, spotlighting a link to the one provision in the Revised Penal Code that could quickly galvanize the detractors of the Anti-Cybercrime Law. Of all things, one could even liken the clause’s effect to that of a virus—surreptitiously inserted, impervious to deletion, and seemingly harmless, but all the while simply waiting for the inevitable activation of its malware payload.

(To be continued)