Information Security and the Philippine Justice System

By: Teril Bilog

August 8, 2009

“This week the so-called "Love Bug" computer hacker - believed responsible for disabling millions of the world's computers
last May - walked free in the Philippines. Government prosecutors said they couldn't prosecute due to a lack of electronic
commerce legislation. The incident has raised questions about the inadequacy of cyber laws in developing countries. Grace
Cutler has more from Hong Kong.” (Cutler 2000)

“While the 2003 Optical Media Act served as a groundbreaking anti-piracy legislation in the region, it needs to catch up with
the times and identify the internet as a platform for sex video reproduction, an official said.
Rosendo Meneses, executive director of the Optical Media Board (OMB), said Thursday during the Senate hearing on the sex
video scandal of Dr. Hayden Kho and actress Katrina Halili, that the present law falls short in determining the link between
the proliferation of sexual videos online and in optical media such as digital video discs (DVDs) and video compact discs
(VCDs).” (Romero 2009)

“PHILIPPINES--The government is taking its time passing an anti-cybercrime law, which observers say, will safeguard the
country from becoming a haven for crimes such as phishing or identity theft, and child pornography and prostitution.”
(Pinaroc 2007)

“The extent and sophistication that computer crime in the Philippines has taken in recent years require a cyber crime law
that, in turn, has been stalled in the past two Congresses.” (Dizon 2008)
“MANILA, Philippines—Senator Alan Peter Cayetano has filed a resolution setting aside P100 million as an incentive to
anyone who can convincingly demonstrate the weakness of the automated poll system.
“Cayetano, at a press conference Friday, said that if any IT expert can establish that the system to be used in the 2010 polls
is not secure from fraud and tampering, “Comelec should cancel the contract, save the P11 billion and sue for damages the
contractor in the event of such successful hacking.”” (Ager and Lim Uba 2009).

“MANILA, Philippines - Senate President Juan Ponce Enrile is pushing for a bill that aims to penalize cyber criminals and
hackers, including pedophiles who use the Internet to lure victims.” (Mendez 2009)

“We do not yet have a law to penalize cyber-crime.” (Romero 2009).

The citations above hold testament to the growing need for stronger and more defined laws with regards to information security. To
date, Republic Act No. 8792, or the E-Commerce law, is but one of the few solids law on information security. Note that this law
“focuses more on electronic evidence and common online crimes such as hacking and copyright violations.” (Pinaroc 2007). There
are no laws explicitly for crimes such as child pornography and cybersex.

While information security problems may seem to pose as a small threat to the lay person, it may not be so ten years from now.
Note that digitization and automation are becoming a trend. It covers not only the domain of information dissemination (as in event
announcements, file sharing, and photo albums), but also in important functions such as online shopping, enrollment, flight booking,
and job hunting. Note that payment can be done without using physical money through the use of credit cards. Recent news even
states that ATM cards may soon be used to pay for MRT fares. Imagine what would happen if a person were to gain unlimited access
to all these stored information. Countless acts of injustice such as identity theft and information stealing may become more and
more prominent. In these modern times, information is worth more than gold.
Note the following scenarios:
1. Identity Theft
Job hunters nowadays are posting their profile and resume online in websites such as jobstreet.com. Details about where they
live, how to contact them, date of birth, where they went to school, curriculum vitae, as well as their hobbies are found in that
resume, which is available for public view. If the criminal needs more information and even photos and videos, he or she can
simply look up one of the person’s social networking site profile (Friendster, mySpace, Facebook, Multiply) should the victim
have one. A vast majority of people in this modern age is a member of at least one social networking site. The criminal may also
opt to look at the victim’s blog (Blogger, LiveJournal) if any for more intimate information (i.e. the victim’s life experiences).

2. Information Stealing
Imagine if one had insider information as to whether or not a particular stock will go up on a particular day. Doing stocks is
essentially gambling except that it contributes to society. Having insider info is like having shaved dice in a game of craps in a
casino. The criminal could amass a great sum of wealth and there could be no way of tracing it. He could also sell the
information to other interested parties and amass more wealth. In a simpler scenario, imagine if a student could get his hands
on everyone’s grades stored in his university’s computer. He could change everyone’s grades. He could change his 0.0 into a 4.0,
or worse, delete all the records entirely. He could even hold people’s grades for ransom, or ask bribes from people in exchange
for changing their grades.

3. 2010 Automated Elections

Perhaps one of the more important issues it the automation of the 2010 elections. This is an issue of national concern. The
success of automating the elections can either make or break (or disintegrate) the name of the Philippines. All eyes are on this
project. At present, the country is divided in two—whether to push through with automation or not. What if the votes were
compromised by some hacker or an event-triggered Trojan? What if the code for the machines itself is compromised? What if
the machines crash during the Election Day like when they were pilot tested? Will automation make cheating easier? Everyone
is panicking because of little knowledge on how systems can be compromised and confidence in the government to conduct a
trustworthy election. People do not realize that it could take even a skilled hacker how many years to crack a passcode. People
do not understand the auditing processes that the Smartmatic electoral systems must go through to ensure that they are not
compromised. People do not like the fact that nobody is accountable in case something goes wrong in the elections. Everybody
wants a better, speedier election, but everybody has doubts on the success of automating the elections because nobody is sure
that the ballots will be protected from saboteurs.

The vast majority of Filipinos that have little care for information security are only now starting to understand its value. The fact that
there are little laws on it, and the magnitude of crimes exploiting information proves that. With growing automation and digitization
comes more need for protection. The current generation of law makers does not have the necessary knowledge on the digital world
to pass the necessary bills. It is up to the new generation—the generation who grew up with technology—to pass these bills. The
new, tech savvy generation will pave the way to safeguard information within the next decade. The e-commerce act is hardly
enough, and the people are starting to realize this. The people are starting to understand this and if nothing is done, cases like the “I
Love You” Virus case will repeat itself over and over again—with nobody being prosecuted and nobody being accountable.
For the longest time, laws and amendments to the law were brought about by irreversible and grave circumstances to cope with
changing times. Something bad always has to happen before anybody acts. Prevention is better than cure. Although the Philippines
is a developing country and would not seem to require a lot of information security bylaws, implementing them in the future may be
more costly. Below are some of the measures that the proponent believes to be necessary for the Philippines to adapt to the risks of
the digital world:

1. A comprehensive framework for ensuring the effectiveness of information security controls over information resources that support
Federal operations and assets. (Centers for Medicare & Medicaid Services n.d.);
2. Enforce public awareness on information technology (basics) and information security—highlighting the risks involved and the
methods to protect one from them;
3. A strong, governing body (or bodies) dealing with information security. Have that governing body (or bodies) audit information
systems versus the set standards (yet to be set) for both public and private systems (should their systems be of national concern
like Smart and Globe telecommunications systems);
4. A set of standards endorsed and enforced by the government to protect data integrity
ex: encryption standards, proposed system architecture to enforce security, etc.;
5. Government-funded research on the development and implementation of information securing techniques for their own
systems;
6. Have a plan to safeguard assets (information) in case of emergencies;
7. Have laws to safeguard information also in private systems; and
8. Enlist the help of developed countries and local I.T. bodies (academe, NGO’s and I.T. firms) to further knowledge, awareness,
and development of securing information in the country.

In summa, the proponent believes that with the Philippines’ entry to the modern word (currently highlighted by the automation of
the elections), the country’s justice system will need to adapt. New laws need to be passed to protect information, and the youth
will spearhead this movement.