Commentary: The IRR of RA 10175

In stark contrast to the passage of its parent Statute, the recent issuance of the Cybercrime Protection Act’s (RA 10175) Implementing Rules and Regulations came about with little to no hostility and controversy involved. The three government agencies charged with crafting its watered-down provisions—the DILG, DOJ, and DOST—met for a symbolic launch last August 12, joined by a sizeable media contingent that practically limited their coverage to the holding of the event. Some found it only necessary to emphasize how long it took for the Rules to actually materialize.

To date, no public outcry has been reported. Instead, it was the arrest of a local fashion blogger[1] charged with violating the law’s controversial online libel provision that actually managed to share the spotlight, after coinciding with the IRR signing.

This is both disconcerting and problematic.

A cursory reading of the Rules reveals a slew of issues that need to be properly addressed. These issues require immediate public scrutiny given their immense impact on the implementation of the law. Apparently, an unbowed and overzealous government, unfazed by the flak and dressing down it received as proponent and defender of the flawed legislation, remains keen on pushing its agenda, with little regard for the country’s laws and legal processes.

This blog series seeks to kick start this analytical process:

Real-Time Collection of Computer Data

As enacted by Congress, RA 1075 featured the following provision:

“SEC. 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause, shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system.

Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities.

All other data to be collected or seized or disclosed will require a court warrant.

Service providers are required to cooperate and assist law enforcement authorities in the collection or recording of the above-stated information.

The court warrant required under this section shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce and the showing: (1) that there are reasonable grounds to believe that any of the crimes enumerated hereinabove has been committed, or is being committed, or is about to be committed: (2) that there are reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are no other means readily available for obtaining such evidence.”

Before the Supreme Court, human rights advocates, members of the media, lawyers and other interested parties assailed the provision for “tending to curtail civil liberties or provide opportunities for official abuse.” They emphasized that “data showing where digital messages come from, what kind they are and where they are destined need not be incriminating to their senders or recipients before they are to be protected.” They invoked the people’s right to individual privacy and to protection from government intrusion insofar as the messages they send one another are concerned.

In the end, the Court agreed. In its Disini v. Secretary of Justice decision last year, it noted, inter alia, that:

“The authority that Section 12 gives law enforcement agencies is too sweeping and lacks restraint. While it says that traffic data collection should not disclose identities or content data, such restraint is but an illusion. Admittedly, nothing can prevent law enforcement agencies holding these data in their hands from looking into the identity of their sender or receiver and what the data contains. This will unnecessarily expose the citizenry to leaked information or, worse, to extortion from certain bad elements in these agencies.”

The Court then resolved to strike down the entire provision for its patent violation of the 1987 Constitution:

“WHEREFORE, the Court DECLARES:

1. VOID for being UNCONSTITUTIONAL:

a. xx
b. Section 12 that authorizes the collection or recording of traffic data in real-time; and
c. xx” (underscoring supplied)

Fully aware of the advances in surveillance technology now available to government as well as private entities, the Supreme Court went so far as to claim as its duty the task of ensuring “that laws seeking to take advantage of these technologies be written with specificity and definiteness as to ensure respect for the rights that the Constitution guarantees.”

Enter the IRR of RA 10175.

Introduction of a New Provision

One of the key provisions of the Rules (presumably) is Section 13, which reads:

“Collection of Computer Data. Law enforcement authorities, upon the issuance of a court warrant, shall be authorized to collect or record by technical or electronic means, and the service providers are required to collect or record by technical or electronic means and/or to cooperate and assist in the collection or recording of computer data that are associated with specified communications transmitted by means of a computer system.

The court warrant under this section shall be issued or granted upon written application, after examination under oath or affirmation of the application and the witnesses he may produce, and the showing that: (1) there are reasonable grounds to believe that any of the crimes enumerated hereinabove has been committed, is being committed or is about to be committed; (2) there are reasonable grounds to believe that the evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of any such crimes; and (3) there are no other means readily available for obtaining such evidence.”

To the uninitiated, it looks eerily the same as Section 12 of the Statute it purports to implement. The very same provision the Supreme Court struck down in its entirety, noting it to be “void for being unconstitutional”.

As any person remotely familiar with law would know, that cannot possibly be the case here. Once a court (the Supreme Court, no less) has declared a provision void and proceeds to strike it down, agencies tasked to implement it are duty-bound to observe such ruling and must restrict themselves to what remains of the legislation it belongs to.

A closer examination of the Rules, however, reveals that Section 13 quite in fact represents an entirely new provision. One that critics of the law could not have challenged back in 2012, and the Supreme Court could not have later passed upon, because it was never there to begin with.

First, note that the late Section 12 of RA 10175 referred to traffic data. Section 3(p) of the law defines the term (also known as non-content data) as “any computer data other than the content of communication including, but not limited to, the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”.

Section 13 of the IRR pertains to computer data—a different term that is defined by both the Statute and the IRR as “any representation of facts, information, or concepts in a form suitable for processing in a computer system including a program suitable to cause a computer system to perform a function and includes electronic documents and/or electronic data messages whether stored in local computer systems or online”.[2]

The implication of this difference is huge. The very definition of computer data—the subject of the IRR provision—is broad enough to include both traffic data and content data. Content data is defined in the Rules as “the communication content of the communication, the meaning or purport of the communication, or the message or information being conveyed by the communication, other than traffic data.”[3] And should there remain any doubt on this matter, one needs only to look at the Budapest Convention on Cybercrime—the international instrument from which the drafters appear to have lifted many of the new provisions of the IRR—for guidance. In that treaty, the “Real-time collection of traffic data” (Article 20) and “Interception of content data” (Article 21) are both classified under the title heading “Title 5 – Real-time collection of computer data.”

In other words, Section 13 of the IRR actually provides a “legal” basis for the government to conduct real-time electronic surveillance or the collection of computer data that relate to the communications of private individuals.

Unfortunately, this tendency to extend the scope of existing law does not end there.

Unlawful Expansion of the Exceptions to the Anti-Wiretapping Law

Except for certain specific provisions of RA 9372 (Human Security Act), there remains only one law to date that purports to regulate the communications surveillance activities of law enforcement authorities, and that would be antiquated RA 4200 (Anti-Wiretapping Law), which was enacted way back in 1965.

According to RA 4200, even with a court-issued warrant, communications surveillance is only permitted for very specific crimes expressly identified in the law, namely: “crimes of treason, espionage, provoking war and disloyalty in case of war, piracy, mutiny in the high seas, rebellion, conspiracy and proposal to commit rebellion, inciting to rebellion, sedition, conspiracy to commit sedition, inciting to sedition, kidnapping as defined by the Revised Penal Code, and violations of Commonwealth Act No. 616, punishing espionage and other offenses against national security.”

In the last decade, RA 9372 went on to broaden the scope of the exceptions to RA 4200 by declaring that communications by “judicially declared and outlawed terrorist organization, association, or group of persons or of any person charged with or suspected of the crime of terrorism or conspiracy to commit terrorism” may likewise be subjected to government surveillance, provided that a written order from the Court of Appeals is first secured.[4]

With Section 13 of the IRR, the exceptions to RA 4200 have multiplied exponentially by sanctioning communications surveillance in all cases where some form of cybercrime (i.e., those enumerated in RA 10175, and all crimes in the Revised Penal Code and other penal laws committed using a computer system) is involved.

Suffice to say, if this was really the intention of Congress when it crafted RA 10175, it could very well do a double take on this matter by legislating a quick follow-up revision of RA 10175. This time, it ought to be one that could withstand judicial scrutiny when invoked.

In inserting Section 13, the drafters of the IRR essentially usurped the power of Congress by putting back a provision already deemed removed by the Supreme Court, “curing” it of its initial defect by adding the court warrant as an element, and thereafter proceeding to broaden its scope by now allowing the collection of both traffic data and content data.

And yet still, the drafters of the IRR were not satisfied.

Private Entities as Co-Principals in Surveillance Activities

As per the language of Section 13, private parties are now obliged to be active participants in “sanctioned” surveillance activities by law enforcement authorities. Recall that once law enforcement authorities are able to secure a warrant, the Rules state that service providers are now “required to collect or record by technical or electronic means… computer data that are associated with specified communications transmitted by means of a computer system.”

In keeping with the IRR’s expansion theme, its authors now demand that private persons like telecommunications companies and Internet service providers not only cooperate and assist law enforcement in their surveillance missions, but also act as “deputized” law enforcement agents by carrying out the collection and recording themselves.

To make certain there is no confusion in this regard, Section 30 of the IRR affirms in no uncertain terms the imposition of this new obligation:

“Section 30. Duties of a Service Provider. The following are the duties of a service provider:

xx
1. Collect or record by technical or electronic means, and/or cooperate and assist law enforcement or competent authorities in the collection or recording of computer data that are associated with specified communications transmitted by means of a computer system, in relation to Section 13 hereof;
xx”

Not even the late Section 12 of RA 10175 was this brazen and ambitious.

Self-imposed Obligation to Foreign States

A separate but related issue regarding the collection of computer data is the obligation the Philippine government seems to have burdened itself with by way of Section 25 of the IRR, which reads:

“Section 25. International Cooperation…

The DOJ shall cooperate and render assistance to other contracting parties, as well as request assistance from foreign states, for purposes of detection, investigation and prosecution of offenses referred to in the Act and in the collection of evidence in electronic form in relation thereto. The principles contained in Presidential Decree No. 1069 and other pertinent laws, as well as existing extradition and mutual legal assistance treaties, shall apply. In this regard, the central authority shall:

1. Provide assistance to a requesting State in the real-time collection of traffic data associated with specified communications in the country transmitted by means of a computer system, with respect to criminal offenses defined in the Act for which real-time collection of traffic data would be available, subject to the provisions of Section 13 hereof;

2. Provide assistance to a requesting State in the real-time collection, recording or interception of content data of specified communications transmitted by means of a computer system, subject to the provision of Section 13 hereof;

xx”

The foregoing text clearly establishes a duty on the part of the Philippine government to act favorably on requests from foreign states to conduct communications surveillance involving both traffic and content data (read: compute data).

Given the palpable influence of the Budapest Convention on Cybercrime on the language of the IRR and the latter’s explicit reference to “other contracting parties”, one can only assume that this duty proceeds from the language of this particular treaty. The problem is: the Philippines is not a member-party to the Convention. The country has neither signed nor ratified the said treaty. It has been invited to accede, yes. But it has yet to act on such invitation.

The IRR indicates otherwise. Absent any proof thereof, however, it exposes itself anew as having committed yet another unwarranted intrusion into the realm properly vested by the Constitution upon the President and/or Congress. Section 25 is only the tip of the proverbial iceberg.

(to be continued)

[1] http://www.philstar.com/headlines/2015/08/12/1487269/fashion-pulis-arrested-over-deniece-cornejos-libel-charge
[2] Sec. 3(e), RA 10175 and Sec 3(j), IRR.
[3] Sec. 3(m), IRR
[4] Sec. 7, RA 9372. NOTE: RA 10173 (Data Privacy Act of 2012) supposedly amends the specific provision on communications surveillance under RA 9372, but does not indicate how exactly it does so.