How
Can Senate Bill No. 53, The Magna Carta for Philippine Internet
Freedom Be Improved?
The
intoduction of The Magna Carta for Philippine Internet Freedom
(MCPIF) as introduced by Senator Miriam Defensor Santiago or Senate
Bill No. 53 as expected to pass into law, the use of information and
communications technology (ICT) and of the Internet that are pivotal
to the changes and improvement in the lives of ordinary Filipinos
will now protect the rights and freedom of Filipinos, while defining
and penalizing cybercrimes.
With
due respect to the wisdom and authority of Senator Miriam Defensor
Santiago in crafting the bill, it is difficult to detect the
loopholes and necessary improvement of the bill. However, as I would
like to contribute or otherwise improve the bill in my little way of
thinking, some recommendations are identified for the purpose
mentioned.
First,
under Section 27, paragraph A of MCPIF provides that “hacking” is
unlawful. The provision states that “it shall be unlawful for any
unauthorized person to intentionally access or to provide a third
party with access to, or to hack or aid or abet a third party to hack
into data, networks, storage media where data is stored, equipment
through which networks are run or access or unauthorized act of
providing a third party with access to, or the hacking into, data,
networks, storage media where data is stored, equipment through which
networks are run or maintained, the physicl plant where the data or
network equipment is housed shall be presumed to be malicious”.
This
provision should have been qualified for the reason that not all
hacking can be concluded as unlawful. Hacking should be classified
depending of the intention of the hacker wherein one is lawful and
the other is the contrary . Where the intention of the hacker who is
an agent of the government is to determine the integrity of the
networks that national security shall not be compromised of being
susceptible to hacking cannot be presumed to be malicious. The
classification should be provided in order that the government should
not be handicapped in an action to be taken by the agent in this
particular situation or other similar situations.
For
the purpose of classification, hacking should either be “white
hacking” or “black hacking” wherein the former is lawful while
the latter is unlawful. Each classification should be given
definition but should significantly differs on the intention of the
hacker. White hacking being lawful wherein the government agents or
authorized representatives is authorized to do hacking for purposes
of protecting the national interest, the integrity of networks not
only government but also in private shall be assured.
Incidental
to the classification, the bill should authorized the government to
test the integrity of the network whether public or private of being
exposed to hacking or compromise the information or data. With the
autority to be given to the government, it will strengthen and
hardened the law for its implementation and in protecting the public
interest. The government can look into any private entity
other
than the government having a network as one of the requirements in
having one. With that requirement the public shall be aware of the
importance of the integrity of the network so as to ensure the
privacy of information or data, of being hacked.
Second,
Section 6 paragraph 2 of MCPIF which provides that no person shall
restrict or deny another person access to the Internet without an
Order issued by a court of competent jurisdiction, issued after
notice of hearing, showing probable cause that the person's access to
the Internet is a means for the commission of the crimes as
enumerated therein. While the intention of the bill is good to
restrict or deny access of person when this an Order issued by a
competent court, the control, identification of the person who has
been served by the Order that must be denied access to the Internet
is difficult to implement. Anybody can access to the Internet without
qualification and even assuming the person accessing the Internet is
the person who have committed a crime as specified in the bill and
once issued an Order thereby restricting him to access Internet, this
person can easily disguise by enrolling new account by using name not
his real name.
In
order to improve the implementation of this provision, there must be
a requirement for a valid identification of the person in the
Internet. That identification should be keyed-in by the person
accessing the Internet to be detected by the network on whether this
person is the one be restricted or be denied of the access. Without a
valid identification, such person attempted to access the Internet
cannot proceed the same.
On
the part of the network through the authorized personnel of such
network should have the list of restricted person that cannot be
viewed in public which automatically detect or matched the
identification of the person accessing the Internet. However, the
network through the autorized representative shall only include the
person in the list of restricted person to access Internet only upon
Order of the competent court to do so and delisted such person upon
order of the competent court also. There should be an immediate
coordinaion between the court and the network or authorized
representative. Any violation of the network of this requirement
shall subject to the grave offense with the appropriate penalty. The
network that violated the requirement should have in gross violation
of the law with the higher penalty considering the participation or
role of the network.
The
court issuing the Order restricting the person to access in the
Internet should have also the requirement for the coordiantion with
the network or authourized representative of the network. This should
cover on how the Order which contains the name of person restricted
be coordinated or transmitted to the network with utmost
confidentiality. Same with the network to exercise utmost deligence
for the confidentiality of the information. With the requirements
enumerated on the part of the person accessing the Internet, the
network and on the competent court issuing an Order, there shall a
proper implemtation of the abovementioned provision.
Third,
in paragraph 6 of Section 6 of MCPIF provides that no natural or
juridical person, offering Internet access or by whose nature there
is a reasonable expectation of Internet access, including but not
limited to any hotel, restaurant, school, religious group,
organization, or association, shall restrict to the Internet or any
other public communications network from within its private network,
or limit the content that may be accessed by its employees, students,
members, or guests, without a reasonable ground related to the
protection of the natural or juridical person from actual or legal
threats, the privacy of others who may be accessing the network, or
the privacy of information in the network as provided for in the
Republic Act No. 10173 otherwise known as the “Data Privacy Act of
2012”.
This
provision is vague for the reason that the person whether natural or
juridical offering Internet access cannot restrict Internet access
except only on the ground of actual or legal threats, the privacy of
others who may be accessing the network, or the privacy of
information in the network. There should be a limitations which
varies depending on the type of persons or establishments. If the
network is a private entity, being the owner can do whatever he wants
to his property. In case of Internet access, some can be restricted
depending of the access that they are offering or it may depends on
person who will access to Internet.
In
the case of school, access of students to porn sites shall be
restricted and it is the responsibility of school to look into.
Restriction implemented by the school shall be in violation of the
law if the provision in paragraph 6, Section 6 of MCPIF that no
person can restrict another person except only on the specified
instances. In
commercial
stablishments, banks and other establishments, not anytime an
employee can access Internet if that access is not necessary in his
assigned task. Allowing them to access Internet during office hours
which are not necessary to their job will cost the entity for the
time consumed. These are some examples that access to Internet should
have restriction.
No
restriction to be imposed on the person offering Internet access may
be detrimental to the public. There will no control to whoever
wanted to access in whatever he wanted, he can do so and is prone to
abused of anybody. While there is a law on Data Privacy, this law is
very exposed to be violated. A law passed should be in conjunction
with the existing laws and look into if it is being susceptible to
contradiction. The restriction should be imposed depending on the
person who will be accessing Interenet and the estblishment offering
Internet services. After all, the very intention of the law is for
the good of all.
Fourth,
Section 33, paragraph A.4 of MCPIF enumerated the exceptions to
interrnet libel, the following acts shall not constitue internet
libel:
a.
Expressions of protest against the government, or against foreign
governments;
b.
Expressions of dissatisfaction with the government, its agencies or
instrumentalities, or its officials
or
agents, or with those of foreign governments;
c.
Expressions of dissatisfaction with non-government organizations,
unions, associations, political
parties,
religious groups, and public figures;
d.
Expressions of dissatisfaction with the products or services of
commercial entities;
e.
Expressions of dissatisfaction with commercial entities, or their
officers or agents, as related to the
products
or services that the commercial entites provide;
f.
Expressions of a commercial entity that are designed to descredit the
products or services of a
competitor,
even if the competitor is explicitly identified;
g.
An expression made with the intention of remaining private between
persons able to access or view
the
expression, even if the expression is later released to the public;
and
h.
A fair and true report, made in good faith, without any comments or
remarks, of any judicial,
legislative
or other offical proceedings, or of any statement, report or speech
delivered in said
proceedings,
or of any other act performed by the public officers in the exercise
of their functions, or
of
any matter of public interest.
Based
on the enumeration of the exceptions to the internet libel as
provided in Section 33, paragraph A.4 of MCPIF, I would like to
proposed another exception to be included in the enumeration related
to item h of the same paragraph. A fair and true report, made in good
faith, without any comments or remarks of private entities should not
also be considered as internet libel. An specific example of this is
the association of banks wherein this association was formulated for
the main purpose of improving the control, security, operations and
exchanging information that are useful to the banks. This
information, however, should not be in violation the bank secrecy
law.
One
good example of this is the sharing of information, exclusively to
the member banks, pertaining to the credit investigation wherein the
credit standing of the particular client can be avail of. Before a
borrower can be granted a loan, there will a credit investigation
conducted by the bank in order to determine whether this particular
borrower has a good credit standing. A good credit standing is rated
to a particular borrower is when he do not have past due accounts or
unpaid accounts with other banks, no bouncing checks experience or
stafa case and no difficulties in terms of collections. If the
borrower has this kind of record as accessed by the bank and this
information is provided by the association, a bank may not grant a
loan because of an exposure to credit risk, granting a loan to that
borrower having a bad credit standing has a big possibility of
experiencing the same.
The
sharing of information between bank members help the banks of being
warned and decides whenever they gathered information on the client
they are dealing with. If a particular bank has this kind of client
should report to the association so that other member banks may be
warned. All other banks will do the same to protect the bank
industry, to protect the money of the public.
The
information provided of a particular client may tend to cause
dishonor and discredit his personality. It will be shown to the
members banks that this person incurring big amount of loans that not
been paid, issuing a bouncing checks or maybe a pending stafa case
and the like. However, this information are for the good of the
member banks and to continue improve and sustain integrity of the
banking system. Banking system is one of the drivers in our economy
that the government and legislators should look into concerning
public interest.
This
sharing of information, though might be an imputation of a wrong on
an individual, shall be included as an exception to internet libel.
This control mechanism being implemented by the banks for the purpose
of protecting the money of the public, integrity and economy of the
nation which the government may have the same agenda. It is just
right for the government specifically the legislators, to support but
not to restrict the actions made by the private sector.
Fifth,
another observation that should be improved is on on Chapter VIII
covering the penalties from Sections 35 to 40. This chapter should
cover all the penalty provisions of the bill. In the reading of the
bill, penalty provisions were found in, other than Cahpter VIII,
Section 34 (C.1), Section 33 and Section 32. It will easier to the
practitioners or any interested individuals to know the law.
Sixth,
in the repealing clause of bill should specifically identifies those
provisions, laws to be repealed. The repeal of Republic Act No. 10175
otherwise known as “Cybercrime Prevention Act of 2012” should be
specically stated in the repealing clause. As provided in the
statutory construction that a repealing clause which do not
specifically identifies the law or provisions of the law has no
effect of repeal.
Seventh,
the Department of Justice (DOJ), National Bureau of Investigation
(NBI) and Philippine National Plice (PNP) are the competent law
enforcement agencies wherein each agency shall create an office or
division specifically for cybercrimes. On the other hand,
jurisdiction shall be with the Cybercrime courts that shall be
created. Personnel to filled-up the positions on both created offices
or divisions of the enforcement agencies and for the created
cybercrime courts should have expertise on cybercrimes. The
requirement of expertise of personnel is a must in order to implement
the law. There is a need of education or continuing education,
training and seminar to be at par with the requirements. In addition
to the technical know how of the personnel, there should be an
adequate infrastructures for the implementation of the law. An
upgrade to the equipments of the enforcement agencies is necessary
cope with the requirements.
Once
the requirement of personnel has been fully complemented, there
should be a reasonable salaries, wages and benefits to be given to
this personnel for the continous implementation of the law. This is
because of their technical expertise that they have in information
and communications technology (ICT). With this expertise they have
are very attractive to the foreign countries. Same situation in
PAGASA employees who goes abroad because of the very attarctive
salaries and wages the foreign country offers. Giving them a wages,
salaries and benefits which is not reasonable will expose the public
the possibility of not serving the purpose of the law.
Lastly,
Section 44 which provides the Extra-territorial application of the
MCPIF subject to the existing treaty of which the Philippines is a
State Party. If there will an extra-territorial application of the
MCPIF, foreign country should be a party to the law so that the same
can bind such other country or territory. It is not dabatable that we
have an existing treaty of which the Phillipines is a signatory,
however, that is only applicable to the particular agreement that the
Philippines have signed. It is possible that some provision of the
treaty have been provided in MCPIF, but not all provisions of the
MCPIF were already covered by the treaties in which the Philippines
is a signatory, otherwise, there is already an existing law.
If
indeed MCPIF have an extra-territorial application to the foreign
country subject to the provision of the existing treaty in the
Philippines and other countries are State party, it is difficult to
implement the law because the existing law of that foreign country
might be different from MCPIF in so far as cybercrimes. One of the
question is who will be the enforcement agency will handle in that
foreign country. Is it the personnel of the designated enforcement
agencies of the Philippines or the enforcement agencies of such
foreign country. If it is the Filipino personnel, how can they copy
up with the advancement of the ICT in that country for example in
United States. If it is the enforcement agencies of that foreign
country, are they going to implement the MCPIF which is different
from their own law and when the law of the Philippines be implemented
and when theirs.
As
a sample scenario wherein a MCPIF was violated resulting damages to
the Philippines which was committed in a foreign country by citizen
of that country. On the single crime committed is also a crime in
that foreign country. Who will prosecute the accused? These are some
complication on the extra-territorial apllication of the law.
In
order to implement the effectively, this law should not have
extra-territorial application.