Wednesday, May 7, 2014

How Can Senate Bill No. 53, The Magna Carta for Philippine Internet Freedom Be Improved?

The intoduction of The Magna Carta for Philippine Internet Freedom (MCPIF) as introduced by Senator Miriam Defensor Santiago or Senate Bill No. 53 as expected to pass into law, the use of information and communications technology (ICT) and of the Internet that are pivotal to the changes and improvement in the lives of ordinary Filipinos will now protect the rights and freedom of Filipinos, while defining and penalizing cybercrimes.

With due respect to the wisdom and authority of Senator Miriam Defensor Santiago in crafting the bill, it is difficult to detect the loopholes and necessary improvement of the bill. However, as I would like to contribute or otherwise improve the bill in my little way of thinking, some recommendations are identified for the purpose mentioned.

First, under Section 27, paragraph A of MCPIF provides that “hacking” is unlawful. The provision states that “it shall be unlawful for any unauthorized person to intentionally access or to provide a third party with access to, or to hack or aid or abet a third party to hack into data, networks, storage media where data is stored, equipment through which networks are run or access or unauthorized act of providing a third party with access to, or the hacking into, data, networks, storage media where data is stored, equipment through which networks are run or maintained, the physicl plant where the data or network equipment is housed shall be presumed to be malicious”.

This provision should have been qualified for the reason that not all hacking can be concluded as unlawful. Hacking should be classified depending of the intention of the hacker wherein one is lawful and the other is the contrary . Where the intention of the hacker who is an agent of the government is to determine the integrity of the networks that national security shall not be compromised of being susceptible to hacking cannot be presumed to be malicious. The classification should be provided in order that the government should not be handicapped in an action to be taken by the agent in this particular situation or other similar situations.

For the purpose of classification, hacking should either be “white hacking” or “black hacking” wherein the former is lawful while the latter is unlawful. Each classification should be given definition but should significantly differs on the intention of the hacker. White hacking being lawful wherein the government agents or authorized representatives is authorized to do hacking for purposes of protecting the national interest, the integrity of networks not only government but also in private shall be assured.

Incidental to the classification, the bill should authorized the government to test the integrity of the network whether public or private of being exposed to hacking or compromise the information or data. With the autority to be given to the government, it will strengthen and hardened the law for its implementation and in protecting the public interest. The government can look into any private entity

other than the government having a network as one of the requirements in having one. With that requirement the public shall be aware of the importance of the integrity of the network so as to ensure the privacy of information or data, of being hacked.

Second, Section 6 paragraph 2 of MCPIF which provides that no person shall restrict or deny another person access to the Internet without an Order issued by a court of competent jurisdiction, issued after notice of hearing, showing probable cause that the person's access to the Internet is a means for the commission of the crimes as enumerated therein. While the intention of the bill is good to restrict or deny access of person when this an Order issued by a competent court, the control, identification of the person who has been served by the Order that must be denied access to the Internet is difficult to implement. Anybody can access to the Internet without qualification and even assuming the person accessing the Internet is the person who have committed a crime as specified in the bill and once issued an Order thereby restricting him to access Internet, this person can easily disguise by enrolling new account by using name not his real name.

In order to improve the implementation of this provision, there must be a requirement for a valid identification of the person in the Internet. That identification should be keyed-in by the person accessing the Internet to be detected by the network on whether this person is the one be restricted or be denied of the access. Without a valid identification, such person attempted to access the Internet cannot proceed the same.

On the part of the network through the authorized personnel of such network should have the list of restricted person that cannot be viewed in public which automatically detect or matched the identification of the person accessing the Internet. However, the network through the autorized representative shall only include the person in the list of restricted person to access Internet only upon Order of the competent court to do so and delisted such person upon order of the competent court also. There should be an immediate coordinaion between the court and the network or authorized representative. Any violation of the network of this requirement shall subject to the grave offense with the appropriate penalty. The network that violated the requirement should have in gross violation of the law with the higher penalty considering the participation or role of the network.

The court issuing the Order restricting the person to access in the Internet should have also the requirement for the coordiantion with the network or authourized representative of the network. This should cover on how the Order which contains the name of person restricted be coordinated or transmitted to the network with utmost confidentiality. Same with the network to exercise utmost deligence for the confidentiality of the information. With the requirements enumerated on the part of the person accessing the Internet, the network and on the competent court issuing an Order, there shall a proper implemtation of the abovementioned provision.

Third, in paragraph 6 of Section 6 of MCPIF provides that no natural or juridical person, offering Internet access or by whose nature there is a reasonable expectation of Internet access, including but not limited to any hotel, restaurant, school, religious group, organization, or association, shall restrict to the Internet or any other public communications network from within its private network, or limit the content that may be accessed by its employees, students, members, or guests, without a reasonable ground related to the protection of the natural or juridical person from actual or legal threats, the privacy of others who may be accessing the network, or the privacy of information in the network as provided for in the Republic Act No. 10173 otherwise known as the “Data Privacy Act of 2012”.

This provision is vague for the reason that the person whether natural or juridical offering Internet access cannot restrict Internet access except only on the ground of actual or legal threats, the privacy of others who may be accessing the network, or the privacy of information in the network. There should be a limitations which varies depending on the type of persons or establishments. If the network is a private entity, being the owner can do whatever he wants to his property. In case of Internet access, some can be restricted depending of the access that they are offering or it may depends on person who will access to Internet.

In the case of school, access of students to porn sites shall be restricted and it is the responsibility of school to look into. Restriction implemented by the school shall be in violation of the law if the provision in paragraph 6, Section 6 of MCPIF that no person can restrict another person except only on the specified instances. In

commercial stablishments, banks and other establishments, not anytime an employee can access Internet if that access is not necessary in his assigned task. Allowing them to access Internet during office hours which are not necessary to their job will cost the entity for the time consumed. These are some examples that access to Internet should have restriction.

No restriction to be imposed on the person offering Internet access may be detrimental to the public. There will no control to whoever wanted to access in whatever he wanted, he can do so and is prone to abused of anybody. While there is a law on Data Privacy, this law is very exposed to be violated. A law passed should be in conjunction with the existing laws and look into if it is being susceptible to contradiction. The restriction should be imposed depending on the person who will be accessing Interenet and the estblishment offering Internet services. After all, the very intention of the law is for the good of all.

Fourth, Section 33, paragraph A.4 of MCPIF enumerated the exceptions to interrnet libel, the following acts shall not constitue internet libel:
a. Expressions of protest against the government, or against foreign governments;
b. Expressions of dissatisfaction with the government, its agencies or instrumentalities, or its officials
or agents, or with those of foreign governments;
c. Expressions of dissatisfaction with non-government organizations, unions, associations, political
parties, religious groups, and public figures;
d. Expressions of dissatisfaction with the products or services of commercial entities;
e. Expressions of dissatisfaction with commercial entities, or their officers or agents, as related to the
products or services that the commercial entites provide;
f. Expressions of a commercial entity that are designed to descredit the products or services of a
competitor, even if the competitor is explicitly identified;
g. An expression made with the intention of remaining private between persons able to access or view
the expression, even if the expression is later released to the public; and
h. A fair and true report, made in good faith, without any comments or remarks, of any judicial,
legislative or other offical proceedings, or of any statement, report or speech delivered in said
proceedings, or of any other act performed by the public officers in the exercise of their functions, or
of any matter of public interest.

Based on the enumeration of the exceptions to the internet libel as provided in Section 33, paragraph A.4 of MCPIF, I would like to proposed another exception to be included in the enumeration related to item h of the same paragraph. A fair and true report, made in good faith, without any comments or remarks of private entities should not also be considered as internet libel. An specific example of this is the association of banks wherein this association was formulated for the main purpose of improving the control, security, operations and exchanging information that are useful to the banks. This information, however, should not be in violation the bank secrecy law.
One good example of this is the sharing of information, exclusively to the member banks, pertaining to the credit investigation wherein the credit standing of the particular client can be avail of. Before a borrower can be granted a loan, there will a credit investigation conducted by the bank in order to determine whether this particular borrower has a good credit standing. A good credit standing is rated to a particular borrower is when he do not have past due accounts or unpaid accounts with other banks, no bouncing checks experience or stafa case and no difficulties in terms of collections. If the borrower has this kind of record as accessed by the bank and this information is provided by the association, a bank may not grant a loan because of an exposure to credit risk, granting a loan to that borrower having a bad credit standing has a big possibility of experiencing the same.

The sharing of information between bank members help the banks of being warned and decides whenever they gathered information on the client they are dealing with. If a particular bank has this kind of client should report to the association so that other member banks may be warned. All other banks will do the same to protect the bank industry, to protect the money of the public.

The information provided of a particular client may tend to cause dishonor and discredit his personality. It will be shown to the members banks that this person incurring big amount of loans that not been paid, issuing a bouncing checks or maybe a pending stafa case and the like. However, this information are for the good of the member banks and to continue improve and sustain integrity of the banking system. Banking system is one of the drivers in our economy that the government and legislators should look into concerning public interest.

This sharing of information, though might be an imputation of a wrong on an individual, shall be included as an exception to internet libel. This control mechanism being implemented by the banks for the purpose of protecting the money of the public, integrity and economy of the nation which the government may have the same agenda. It is just right for the government specifically the legislators, to support but not to restrict the actions made by the private sector.

Fifth, another observation that should be improved is on on Chapter VIII covering the penalties from Sections 35 to 40. This chapter should cover all the penalty provisions of the bill. In the reading of the bill, penalty provisions were found in, other than Cahpter VIII, Section 34 (C.1), Section 33 and Section 32. It will easier to the practitioners or any interested individuals to know the law.

Sixth, in the repealing clause of bill should specifically identifies those provisions, laws to be repealed. The repeal of Republic Act No. 10175 otherwise known as “Cybercrime Prevention Act of 2012” should be specically stated in the repealing clause. As provided in the statutory construction that a repealing clause which do not specifically identifies the law or provisions of the law has no effect of repeal.

Seventh, the Department of Justice (DOJ), National Bureau of Investigation (NBI) and Philippine National Plice (PNP) are the competent law enforcement agencies wherein each agency shall create an office or division specifically for cybercrimes. On the other hand, jurisdiction shall be with the Cybercrime courts that shall be created. Personnel to filled-up the positions on both created offices or divisions of the enforcement agencies and for the created cybercrime courts should have expertise on cybercrimes. The requirement of expertise of personnel is a must in order to implement the law. There is a need of education or continuing education, training and seminar to be at par with the requirements. In addition to the technical know how of the personnel, there should be an adequate infrastructures for the implementation of the law. An upgrade to the equipments of the enforcement agencies is necessary cope with the requirements.

Once the requirement of personnel has been fully complemented, there should be a reasonable salaries, wages and benefits to be given to this personnel for the continous implementation of the law. This is because of their technical expertise that they have in information and communications technology (ICT). With this expertise they have are very attractive to the foreign countries. Same situation in PAGASA employees who goes abroad because of the very attarctive salaries and wages the foreign country offers. Giving them a wages, salaries and benefits which is not reasonable will expose the public the possibility of not serving the purpose of the law.
Lastly, Section 44 which provides the Extra-territorial application of the MCPIF subject to the existing treaty of which the Philippines is a State Party. If there will an extra-territorial application of the MCPIF, foreign country should be a party to the law so that the same can bind such other country or territory. It is not dabatable that we have an existing treaty of which the Phillipines is a signatory, however, that is only applicable to the particular agreement that the Philippines have signed. It is possible that some provision of the treaty have been provided in MCPIF, but not all provisions of the MCPIF were already covered by the treaties in which the Philippines is a signatory, otherwise, there is already an existing law.

If indeed MCPIF have an extra-territorial application to the foreign country subject to the provision of the existing treaty in the Philippines and other countries are State party, it is difficult to implement the law because the existing law of that foreign country might be different from MCPIF in so far as cybercrimes. One of the question is who will be the enforcement agency will handle in that foreign country. Is it the personnel of the designated enforcement agencies of the Philippines or the enforcement agencies of such foreign country. If it is the Filipino personnel, how can they copy up with the advancement of the ICT in that country for example in United States. If it is the enforcement agencies of that foreign country, are they going to implement the MCPIF which is different from their own law and when the law of the Philippines be implemented and when theirs.

As a sample scenario wherein a MCPIF was violated resulting damages to the Philippines which was committed in a foreign country by citizen of that country. On the single crime committed is also a crime in that foreign country. Who will prosecute the accused? These are some complication on the extra-territorial apllication of the law.

In order to implement the effectively, this law should not have extra-territorial application.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home