Supreme Court Decision on the Cybercrime Act of 2012

This is a searchable text version of a Supreme Court press briefing, addressing the Court’s ruling on the Cybercrime Act of 2012, published 18 February 2014, and originally published by Philippine public news site Interaksyon.com.


Press Briefing – 18 February 2014

The Supreme Court En Banc, today, acted on the following matters, among others, on its Agenda:

  • G.R. NO. 203335 (Jose Jesus M. Disini Jr., et al., petitioners, v. The Secretary Of Justice, et al., respondents)
  • G.R. NO. 203329 (Louis Biraogo, petitioner, v. National Bureau of Investigation, et al., respondents)
  • G.R. NO. 203306 (Alab Ng Mamamahayag [ALAM], petitioner, v. The Office Of The President, et al., respondents)
  • G.R. NO. 203359 (Senator Teofisto Dl. Guingona III, petitioner, v. The Executive Secretary, et al., respondents)
  • G.R. NO. 203378 (Alexander Adonis, et al., petitioners, v. The Executive Secretary, et al., respondents)
  • G.R. NO. 203391 (Hon. Raymond V. Palatino, et al., petitioners, v. Hon. Paquito N. Ochoa Jr., et al., respondents)
  • G.R. NO. 203407 (Bagong Alyansang Makabayan Secretary General Renato M. Reyes Jr., et al., petitioners, v. Benigno Simeon C. Aquino III, et al., respondents)
  • G.R. NO. 203440 (Melecio S. Sta. Maria, et al., petitioners, v. Hon. Paquito Ochoa Jr., et al., respondents)
  • G.R. NO. 203453 (National Union of Journalists in the Philippines (NUJP), et al., petitioners, v. The Executive Secretary, et al., respondents)
  • G.R. NO. 203454 (Paul Cornelius T. Castillo, et al., petitioners, v. The Honorable Secretary of Justice, et al., respondents)
  • G.R. NO. 203469 (Anthony Ian M. Cruz, et al., petitioners, v. His Excellency Benigno S. Aquino III, et al., respondents)
  • G.R. NO. 203501 (Philippine Bar Association, Inc. (PBA), petitioner, v. His Excellency Benigno S. Aquino III, et al., respondents)
  • G.R. NO. 203509 (Bayan Muna Representative Nery Colmenares Jr., petitioner, v. The Executive Secretary, et al., respondents)
  • G.R. NO. 203515 (National Press Club of the Philippines, Inc., petitioner, v. Office of the President, et al., respondents)
  • G.R. NO. 203518 (Philippine Internet Freedom Alliance, et al., petitioners, v. The Executive Secretary, et al., respondents)

The Court PARTIALLY GRANTED the reliefs sought in the 15 consolidated petitions challenging the constitutionality of Republic Act No. 10175 (The Cybercrime Protection Act of 2012).

The Court, through Associate Justice Roberto A. Abad (Velasco and Perlas-Bernabe, JJ., no part), declared sections 4(c)(3),¹ 12² and 19³ of Republic Act No. 10175 (The Cybercrime Law) to be UNCONSTITUTIONAL. Section 4(c)(3) penalizes the posting of unsolicited commercial communications, section 12 authorizes the collection or recording of traffic data in real-time, while section 19 authorizes the Department of Justice to restrict or block access to suspected computer data.

The Court also ruled on the constitutionality of online libel when it further declared that section 4(c)(4), which penalizes online libel,⁴ is NOT UNCONSTITUTIONAL with respect to the original author of the post but UNCONSTITUTIONAL only where it penalizes those who simply receive the post or react to it.

It also declared that section 5,⁵ which penalizes anyone who aids or abets the commission of cybercrimes and anyone who attempts the commission of cybercrimes, is NOT UNCONSTITUTIONAL in relation to the commission of the following cyber-offenses: (a) Illegal Access under §4(a)(1); (b) Illegal Interception under §4(a)(2); (c) Data Interference under §4(a)(3); (d) System Interference under §4(a)(4); (e) Misuse of Devices under §4(a)(5); (f) Cyber squatting under §4(a)(6); (g) Computer-related fraud under §4(b)(1); (h) Computer-related identity theft under §4(b)(3); and (i) Cybersex under §4(c)(1), but UNCONSTITUTIONAL only in relation to the offenses punished by: [1] Child pornography under §4(c)(2); Unsolicited commercial communications under §4(c)(3); and online libel under §4(c)(4).

The Court also ruled that section 7,⁶ on prosecution under the Revised Penal Code as well as RA 10175, is UNCONSTITUTIONAL as far as it authorizes the prosecution of an offender under both section 4(c)(4) (online libel) and Article 353⁷ of the Revised Penal Code (libel), and also where it pertains to section 4(c)(2)⁸ (child pornography) for being in violation of the prohibition against double jeopardy.⁹

 


Footnotes

1 SEC. 4. Cybercrime Offenses. – The following acts constitute the offense of cybercrime punishable under this Act:

xxx

(c) Content-related Offenses:

xxx

(3) Unsolicited Commercial Communications. – The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services are prohibited unless:

(i) There is prior affirmative consent from the recipient; or

(ii) The primary intent of the communication is for service and/or administrative announcements from the sender to its existing users, subscribers or customers; or

(iii) The following conditions are present:

(aa) The commercial electronic communication contains a simple, valid, and reliable way for the recipient to reject receipt of further commercial electronic messages (opt-out) from the same source;

(bb) The commercial electronic communication does not purposely disguise the source of the electronic message; and

(cc) The commercial electronic communication does not purposely include misleading information in any part of the message in order to induce the recipients to read the message.

2 SEC. 12. Real-Time Collection of Traffic Data. – Law enforcement authorities, with due cause, shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system.

Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities.

All other data to be collected or seized or disclosed will require a court warrant.

Service providers are required to cooperate and assist law enforcement authorities in the collection or recording of the above-stated information.

The court warrant required under this section shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce and the showing: (1) that there are reasonable grounds to believe that any of the crimes enumerated hereinabove has been committed, or is being committed, or is about to be committed: (2) that there are reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are no other means readily available for obtaining such evidence.

3 SEC. 19. Restricting or Blocking Access to Computer Data. – When a computer data is prima facie found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block access to such computer data.

4 SEC. 4. Cybercrime Offenses. – The following acts constitute the offense of cybercrime punishable under this Act:

(4) Libel. – The unlawful or prohibited acts of libel as defined in Article 353 of the Revised Penal Code, as amended, committed through a computer system or any other similar means which may be devised in the future.

5 SEC. 5. Other Offenses. – The following acts shall also constitute an offense:

(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids in the commission of any of the offenses enumerated in this Act shall be held liable.

(b) Attempt in the Commission of Cybercrime. – Any person who willfully attempts to commit any of the offenses enumerated in this Act shall be held liable.

6 SECTION 7. Liability Under Other Laws. – A prosecution under this Act shall be without prejudice to any liability for violation of any provision of the Revised Penal Code, as amended, or special laws.

7 ARTICLE 353. Definition of Libel. – A libel is a public and malicious imputation of a crime, or of a vice or defect, real or imaginary, or any act, omission, condition, status, or circumstance tending to cause the dishonor, discredit, or contempt of a natural or juridical person, or to blacken the memory of one who is dead.

8 Child Pornography. – The unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system: Provided, That the penalty to be imposed shall be (1) one degree higher than that provided for in Republic Act No. 9775.

9 On this matter, the Court noted that online libel is admittedly not a new crime but one already punished under Art. 353; section 4(c)(4) merely establishes the use of a computer as another “means of publication.” For this reason, charging the offender under both laws would be a violation of the guarantee against double jeopardy under Article III, section 21 of the 1987 Constitution.

Bad Law Rears Its Ugly Head – Incidents

Tracking uses and abuses of RA 10175

Saturday, 20 October 2012 – An Aparri Regional Trial Court Judge, Hon. Conrado Tabaco, issued an arrest warrant for Esperlita Garcia, President of the Gonzaga Alliance for Environmental Protection and Preservation, despite the Supreme Court temporary restraining order issued sometime 9 October 2012. This warrant was issued on the basis of a libel complaint by Gonzaga Mayor Carlito Pentecostes Jr., over a Facebook posting that has subsequently been deleted from the FB account. Ms. Garcia was subsequently released on PhP 10,000 bail after being detained overnight Thursday, 18 October 2012.

Warning: Possibly (?) Libelous Content


 

AN OPEN LETTER TO OUR SENATORS
15th CONGRESS OF THE PHILIPPINES

Welcome to the 21st Century, Senators. Time to wake up. Are you awake yet? Please wake up, I, citizen, have a request to make of you. The past two weeks seem evidence that most of you were not.

I am referring to that odd reply by Senator Escudero to questions from media, concerning how changes were made to the law after the period for amendments. I dismiss the claimed possibilities of incompetence, neglect, or unmindfulness leading to inclusion of onerous provisions in RA 10175.  That backhanded, awkward attempt at humility (“we made mistakes”) leaves me to conclude that what occurred was plain and simple misuse or abuse of power, depending perhaps only on whether you miscalculated whether the President would either veto or sign RA 10175 into law. I don’t know; the legislative process is inscrutable to me.

What bothers me is the completely hamfisted, clumsy way in which the prerogatives of the Senate were mislaid, in order to apply arguably bad law to the domain of electronic communication. Surely, you must realize that, these days, the Internet is a powerful medium by which the electorate share and form our opinions on many issues, including political issues. It is an outstandingly new property of this medium that we are no longer subject to just a one-way flow of information downward from the centers of power, through the filter of the news media. It allows horizontal transfer as well, as much of news and information between strangers, as of greetings and letters among friends. Use of the Internet is very very important to us.  With our history, and the 21st of September so temporally close to the day of signing, we could not possibly have missed those insertions.  Senator Guingona didn’t miss them; how could the rest of you have?

Now, I make no mistake of assuming that all this communication only builds communities, or even mostly contains useful matter with great civic import. A lot of it is, indeed, drivel: Irrelevant to uses other than to satisfy the message senders’ private goals. And some of this communication, we have all seen, is intended for pernicious ends. I think Stuxnet and spam.

And yet: a good deal of what we citizens exchange between us will pertain to issues of the day, and indeed reflect much disappointment, anger, or even rage at the failings of government, or of specific persons in government. Or else placid complacency when things run well; when things promised by politicians turn out well. Thus it will continue to prove itself of great utility to an electorate that wants to participate responsibly, and effectively, in a democratic society.

This should come as no surprise: The sheer ease with which this technology eliminates barriers of distance, time, and greatly extends the scope of connections between persons, make it qualitatively different from traditional print and broadcast media. Government can make much better use of it than it does now. We regular citizens already try to, and do: Sharing news, links to opinions and articles, and, yes, even kvetching and cursing in the most colorful ways imaginable about incompetence, waste, and corruption.  It is thus, in part, functioning well enough as a venting mechanism to bleed off unspent energy, as more citizens become less complacent about our shared problems.

You would have been well advised to tread lightly within this domain, and helped pave the way instead for the entire government to adjust slowly to the reality (and possibilities for transparency, and citizen participation) that it presents.

But the Senate did not comport itself as though you were all well advised. Indeed, it is difficult to comprehend that you could have possibly been well advised without a working CICT to provide policy guidance. Instead, you have collectively caused to be signed into law a very dangerous document, whose impact in cyberspace and in real civil society will be felt by generations, long after your time in office has gone. For most of us, this came as a big surprise. To my mind, it only makes matters worse that Mr Sotto and others continue to avoid one of several issues with RA 10175, which is that it extends bad law (concerning libel, detailed in Article 355 of the Revised Penal Code) to speech in the domain of cyberspace as well. Hell, Mr Sotto owns up to making that insertion.

The man, Mr Tito Sotto, is not only devious, having contrived to violate parliamentary process*; he is also apparently unfit to speak as a Senator, being unable to see that extending “cybercrime” to include libel makes bad law (per United Nations Human Rights Council statement) encompass speech in cyberspace as well.  Perhaps this just indicates a difference of opinion against those held by Senators Honasan and Escudero.  Still, two wrongs do not make a right; it only broadens the scope of the defect.  He appears, quite possibly, to be making statements purely out of bravado. Most certainly, he did not, and does not speak on my behalf, nor on behalf of many, many others who have legitimate uses for the Internet yet quite rightly fear the repercussions of this law on our civic freedoms.

(Never mind for now that we, the public, have heard not a single word from, say, someone from the Senate Ethics Committee, but at least one of his peers, censuring Mr Tito Sotto, for such blatant dishonesty, denying his act of demonstrated plagiarism, even after undeniable proof was found. Not a word of remonstration, to at least assure the public that that august body, as we Filipinos do, value integrity and the ability to enunciate his own views as a leader should. That man’s continuing presence there is a stain on the Senate institution, not least as he has subsequently shown himself to be truly an enemy of our nation’s democratic ideals. And so, not having acted the part, he will receive neither honorific nor title of Senator from me here; neither do I address him in my entreaty below, as I do not have confidence in his capabilities, notwithstanding his popularity by which he gained that position of honor.)

I, citizen, ask you to please, please

  • take immediate steps to act on proposals by Senator Escudero (SBN-2162), Senator Honasan (SBN-3244), and Senator Guingona to decriminalize libel, and to remove onerous provisions of R.A. 10175; and
  • facilitate, by means at your disposal as Senators, the speedy formation of an advisory council (to function in the stead of members of a Commission on Information and Communications Technology) to draw up a technical analysis of the requirements for implementing the remaining parts of R.A. 10175 in a coherent manner.

Yours sincerely,

Antonio Victor Andrada Hilario

 

* I understand from listening to lawyers speaking at online fora dissecting RA 10175, that there is that period for amendments.

P.S. It would go a long way toward rehabilitating Senator Mr Sotto were other members of Senate to prevail upon him to actively, visibly take part in remedying the very defects that he introduced, and that he apologize for committing that breach of process, don’t you think?

P.P.S. Not being a lawyer, I think the only element missing from my jibes at Mr Sotto that they constitute libel is the element of malice – although I must admit to hoping his political career ends permanently after this term, and that this open letter convinces many that he should not ever find his way back to political office.

 

Thoughts following reading Clay Shirky’s Cognitive Surplus: Creativity and Generosity In A Connected Age (2010) (ISBN 978-1-59420-253-7), in a bid to make sense of recent events (i.e. find conceptual glue to piece together my very, very fragmented notions of how things came to this point).

Social Media, and Mass Media: Or, I, being blind, must blind you

Update: On Monday, 21 May 2018, the Senate voted Mr Vicente Sotto III to the Senate presidency.   This former head of the Dangerous Drugs Board (2008) has been in the House since 1994, and is serving the second of two, allowed consecutive terms as Senator – the fourth of his political career.  A report of his accomplishments in office is reported elsewhere.  He enters this term under the administration of Rodrigo Duterte, where the Senate will have to confront the unconstitutional removal of Chief Justice Ma. Lourdes Sereno from office, and the prospect of a Constitutional crisis.


A bit thick in the skull, the Senator Mr. Tito Sotto had this to say to critics recently:

“If mainstream media are prevented by law from cursing and engaging in character assassination, why should those in the social media and in the Internet be exempted from such accountability,” said Sotto, who had proposed the extension of the Act’s coverage to include libel.

(From Philippine Daily Inquirer Online, Sotto: What’s wrong with online libel?)

I find this thought to be compelling: Philippine libel law is out of sync with how civil liberties have come to be interpreted in the past century, of which more was recently written by Atty Harry Roque, here. The main weakness in Philippine libel law is simply that truth is not a defense against a charge of libel. The key concept is that of defamatory speech, such as, for example, that contained in the statement “Mr. Tito Sotto is a demonstrated plagiarist.” It is a statement that is harmful to the reputation of the subject of the sentence. Libel law in this 21st century Philippines is intended to deter this kind of speech, and make it possible to sue the issuer (for example, me) for damages claims. Such a statement forms (and is indeed, intended to form) an opinion in the mind of my reader in such a way as to seriously diminish the possibility of his being elected back into office at some future time. I assert, thus, that my country needs no stinkin’ punyeta plagiarists in the House of Congress.

I can be sued and fined for saying this under existing libel law. And there, as my oldtime favorite columnist Conrad de Quiros puts it, there is the rub.

Certain laws that do apply to the domain of print and broadcast media, it can be argued, should be applied to neither the mass media, nor to social media.

Mr Sotto’s argument is, in essence, a defense that, “two wrongs make a right.”  Creating bad law governing the conduct of electronically-mediated free speech between citizens, to match an equally bad law that aims to defend against defamation (itself of dubious value), only makes bad law apply equally to two separate spheres of public discourse.

What’s wrong with preventing cursing and engaging in character assassination in any channel of public discourse?  Only one “little” thing:  Defamatory speech is still speech, with defamation only being defamation in the eye (or the ear) of the beholder; no law can abridge that, or so I take it from the Bill of Rights, Article III, in that little old document we call our Constitution:

Section 4. No law shall be passed abridging the freedom of speech, of expression, or of the press, or the right of the people peaceably to assemble and petition the government for redress of grievances.

Libel laws that enforce prior restraint of our Section 4 right, are, arguably, not the way to counter the possibility of sustaining actual economic harm, arising from damage to one’s reputation. Libel law, even if it is law, is still bad law. 

Now, come to think of it, it’s actually politicos who manage to establish favors to be traded for future or present economic gain, that are actually harmed by damage to their reputations, eh? With such persons, that kind of character (or lack thereof) deserves to be exposed, fully, the better to excise those persons from the body of government as one would a pus-filled cyst.

By way of thanks

It’s September 21st – the anniversary of Martial Law here in the Philippines – and I thank our legislators for these two bitter gifts this year:

  • An unrepentant plagiarist Mr Tito Sotto to deck our Senate halls – and not a peep from the Senate Ethics committee;
  • Extending “libel” to speech uttered in cyberspace – I don’t give a damn about celebrities, it’s the fucking politicians who stand to gain from using bad law (enacted September 12, 2012) to cover their tracks, and deter citizens from aggressive coverage of their actions.

No, it’s not more fun in the Philippines. Democracy here is always under tension, just as it is everywhere else, and the thought of that does not freaking mollify me, thanks.

* * *

I’ll trouble you with another thought: “The truth shall set you free” should really read, in this post-R.A. 10175 Philippines, as: “Truth is no defense against jail time” (highlight mine):

“the UNHRC declared that Philippine libel law under the RPC contravenes freedom of expression on two counts: one, it is a disproportionate means by which to achieve its avowed goal of protecting the privacy of private persons; and two, because there is an alternative in the form of civil libel, or the payment of damages. The UNHRC also took the view that our libel in the Philippines, because it does not recognize truth as a defense, is additionally defective on this ground.”

See the full article at rappler.com: Cybercrime Law: See you in court, P’Noy

Not being a lawyer myself, this came as news to me. Anybody else surprised? You or I, or our journalists, for that matter, face harassment online now as well (apart from threats mounted through other, sometimes brutal avenues – as through physical violence), and this, with the full force of law and State power to enforce that threat. Good, solid journalism done in the public interest is not enough to protect citizens from having this held over their heads.

We really must thank our legislators for giving this tool over to grafters, as well as the likes of Mr. Tito Sotto, and petty artistas and socialites, who now have a means to intimidate online news outfits, bloggers, and regular citizens with the full force of defective law.

Such a fitting gift to the Filipino citizen, to commemorate the anniversary of Martial Law with, it’s actually fucking brilliant. Damned good timing, as if they were really racing to beat the deadline.

_________

“There must be some way out of here, said the Joker to the Thief.”

Fencing the Frontier (3)

It is done: President Aquino signed a version of the Cybercrime Prevention Act into law Wednesday, 12 September 2012. And guess what? It has provisions regarding online libel (Chapter 2, Section 4(c), Content-Related Offenses, item 4).

The plagiarist Senator Mr. Tito Sotto comes to mind.

On a lighter note, my previous gripes about data privacy were misplaced: I should have sought out the text for the Senate Bill No. 2965 and House Bill No. 4115. A first glance tells me I’ll need to read the texts; we’ll find out more in the next few days. You can download SBN 2965 from the [still domain-name-free] Senate Legislative Servers, here.*

Load these pages up, and read with me. I’ll be putting up comments here over the next few days:

I have a feeling I’ll want some coffee or beer with friends to talk about this.

 

* What the fuck, amateurs? What’s with the use of an IP address instead of a name (http://202.57.33.10/plis/data/1218710275!.pdf) like the rest of the decent Internet does? Why don’t you have a subdomain for this content server? Sure, you’re on the fucking web, but if you don’t have a domain name: (1) you don’t intend to be found by search engines (2) You intend for people to jump through fucking hoops, your own damned lousy search engine, to find the texts detailing our laws. Fix that! Or hire me to fix it for you, dammit.

Fencing the Frontier (II)

After getting over my irritation (and mild embarrassment) that the Senate legislative content server doesn’t even have a proper domain name – and that their cybercrime bill 2796 comes in so close on the heels of the United States’ abortive SOPA and PIPA legislative disasters – my next gut response was “okay, just what have our legislators got up to now?”

I’ve been a consumer of Internet content for over a decade, and a programmer and Web developer for almost a decade; and SB 2796 troubles me in a number of ways. I’ll walk through these sections of the bill that bother me.

Cybercrimes against things

SB 2796 is not about your right to use electronic communication with, say, reasonable expectations of privacy. The Declaration of Policy (Section 2) emphasizes protection of computer systems

from all forms of misuse, abuse, and illegal access by making punishable under the law such conduct or conducts.

It is, straightforwardly, about the State adopting “sufficient powers to effectively prevent and combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels.”

I dislike the imprecision in their definition of the terms in Section 3. Take one mild example, its definition of a “service provider”:

  • any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and
  • any other entity that processes or stores computer data on behalf of such communication service or users of such service.

Now, am I a service provider, if I operate a weblog where my readers are allowed to post comments, and converse among themselves? How about when I establish a chat service for my friends on my rented web server – are both I and my ISP “service providers”?  I was hoping to set up a site that’s a kind of mashup between Mathoverflow and Wolfram Alpha – will that make me a “service provider?” These questions are relevant to reading Chapter II, “Punishable acts”, where it is lawful for a service provider to intercept, use, or otherwise disclose the content of activity on the service.

There’s a few more bits in Section 3 about electronic interception, subscriber information (basically any information related to a service user’s location, service details, and billing history), and “traffic data or non-content data” (network traffic data), and that all-important modifier phrase, “without right,” that are germane to the discussion of punishable acts, which I’ll spell out in detail later.

It is Section 4 that defines three categories of “cybercrime” offenses: Those that detrimentally affect confidentiality of data and reliability of computer systems; computer-assisted fraud, and forgery; and content-related offenses.

We Ownses Your Datas

The first category includes two specific offenses: Illegal intercept, and misuse of devices, both of which are of interest to users and, crucially, system administrators.  Illegal interception is

The intentional interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data: Provided, however, That it shall not be unlawful for an officer, employee, or agent of a service provider, whose facilities are used in the transmission of communications, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity that is necessary to the rendition of his service or to the protection of the rights or property of the service provider, except that the latter shall not utilize service observing or random monitoring except for mechanical or service control quality checks. [Emphasis mine].

It is striking that nothing is said about restrictions about how that data may be handled or used. There is no provision for how certain kinds of system data should or should not be handled.  Shouldn’t there be something explicitly said about what is broadly prohibited to be done with system users’ data? Shouldn’t information about third parties be protected (i.e. by encrypting it) while it is in the possession of the service provider?

I’ll give you an example: as a computer system administrator I may make a USB flash drive copy of a database table containing my subscribers’ transactions on my site, and transfer it to a different, (perhaps offline) system inside my company as part of my daily routines. Then I can take the flash drive home, can’t I? Nothing wrong there. What if that database table contains our customers’ credit card billing data – and I lose the flash drive? No problem! It’s a sad loss, but completely legal for my company to be operating without data integrity safeguards. Or, I could pass it on to a senior manager, who’ll be converting those tables into mail lists of our highest-spending site users, which we can sell on to e-marketing firms. All completely legal, as this is done as part of my duties as an employee.

(Update, 25 September, 2012: The Data Privacy Act of 2012, specifically Section 11 (General Data Privacy Principles) up to Section 16 (Rights of the Data Subject) address this issue, and specify the scope of responsibility of so-called “personal information processors.”  More on this in later posts.)

There are simply no good business or economic reasons to say that improving the security around citizens’ data is infeasible, too costly, or too complicated. We largely have the software and semiconductor industries to thank for this. While data encryption, for example, is still compute-intensive, it is no longer as costly as it used to be only a few years ago. What I mean by this is that there are programming practices and techniques for, say, writing Web site business logic, or for designing complex desktop programs, that can improve privacy and security using encryption techniques which, only a few years ago, would have required faster processors or more memory. Well, guess what? Today, we have those faster processors and more memory.

Methodology for computing systems design has evolved to both meet time-to-market pressures and attain software quality goals. There are programming and system administration practices which can be put in place to foil casual data theft by system operators and employees, and can be reasonably mandated by a cybercrime law to be a service provider’s obligation to exercise. Societies’ know-how has evolved to the point where we can reasonably enforce responsibilities of third parties that handle citizen data, that they do so with sufficient safeguards to privacy and freedom from unwanted use of that data.

As it stands now, the definition of “illegal access” provides implicit, blanket license to “service providers” to do practically anything they want with the information that enters their domain – which may not be the same as what the owner or subject of that data might want.

 

Possession of ‘ping’ a punishable offense?

This innocuous-sounding definition, “Misuse of devices”, Section 4A(5), is as useless as it is apparently poorly thought out, as it ignores the “dual use” capability of most computing equipment and software. We need only point out two phenomena to demonstrate why: commodity software (including open source software), and malware.

The main point about software being a commodity (free or paid for) is simply that software is ubiquitous, and the crucial thing about commodity operating systems is that there is a whole bucket of tools in each of them – be it Windows, OS X, or Linux – that can be used to find out things about other networks or computers, usually by interacting with them in some way. These tools can be used to analyze, for example, an Internet site target to find out whether it’s visible on the ’Net, learn what software the site is running, learn its vulnerabilities, and so on – and thence, defend, or attack it. Many software tools used by IT professionals can be used both ways: as diagnostic tools, for instance, or for illegal intercept. The picture processing tool Photoshop, a favorite of web designers and graphic artists the world over, can also be used for digital image forgery.

Worse, there are inevitable defects, particularly in new software, that make them prone to being used to attack the machine on which they are used. This is why the newest software isn’t always the best thing to have running on your computer, and why Windows XP is still a better choice for privacy and security conscious computer users (at least if you have no choice) – it’s simply been through a lot more “consumer testing” and has more bug fixes than the newest iteration of that Microsoft operating system.

Which brings us to software that’s been written for purposes that a computer owner does not intend – malware. Anybody who’s been bitten by malware knows the signs: odd behavior from the trusty desktop; increased traffic and reduced Internet access speed; possibly even lost or corrupted files. It is very likely that many more computer users have been afflicted by these pieces of rogue software, which may have been passed on to them by a coworker’s USB stick or, more commonly, by downloading it from the Internet, and aren’t aware that their computer has been compromised.

It would be more useful to specify creation and dissemination of malware as a punishable act. Otherwise mere possession of a computer containing ping, telnet, nmap, wireshark, dig, or tcping, let alone socat (a general-purpose network socket tool) puts the holder at risk of falling foul of the law. The committee that drafted this Bill needed to go get a clue, perhaps starting with watching a TED Talk or two, and getting a grip on this simple idea: Electronic communication devices and software are “dual use” tools. If government intends to be up to the task of prosecuting misuse of these tools, they would do well to specify who and what needs protecting, perhaps more than specifying a broad class of dual-use technology. They could have done better by identifying, generically, breaches of information systems that put life, property, and rights at risk, rather than the tools with which these risks may be created.