Constitutional: Cybercrime offense of illegal access under Section 4(a) (1) of R.A. 10175

R.A. 10175 or the Philippine Cybercrime Prevention Act of 2012 penalizes the cybercrime offense of illegal dismissal under Section 4 (a) (1).

In the various petitions filed before the Supreme Court, Petitioners sought to invalidate this provision primarily on the ground that it did not meet the strict scrutiny standard and such would jeopardize the safety of ethical hackers.

This provision penalizing the cybercrime offense of illegal dismissal is reflected in Section 19 of R.A. 10175, which is faithfully reproduced herein:

Section 4. Cybercrime Offenses. – The following acts constitute the offense of cybercrime punishable under this Act:

(a) Offenses against the confidentiality, integrity and availability of computer data and systems:

(1) Illegal Access. – The access to the whole or any part of a computer system without right.

Based on the above-cited provision, the Cybercrime Offense of Illegal Dismissal is “the access to the whole or any part of a computer system without right.” A plain reading of would readily show that a simple access of another’s computer system (e.g. mobile phone, laptop, tablet) without any permission or consent would constitute illegal dismissal.

R.A. 10175 provides for a definition of access. Access refers to “the instruction, communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.”[1] Conversely, illegal access is access as defined but without any right or authority.

Without right, which is a common theme or defense for most Cybercrime Offenses, is given a definition. Without right refers to “either: (i) conduct undertaken without or in excess of authority; or (ii) conduct not covered by established legal defenses, excuses, court orders, justifications, or relevant principles under the law.”[2]

Section 4 (a) (1) on Illegal Access has been declared constitutional and valid.

Constitutional: Section 4 (a) (1) of R.A. 10175

Petitioners sought to invalidate Section 4 (a) (1) on the ground that the provision did not meet the strict scrutiny standard which is required on laws that would interfere with the people’s fundamental rights. Further, Petitioners argued that ethical hackers may face criminal liabilities under the Cybercrime Offense of Illegal Access. Ethical hackers “employ tools and techniques used by criminal hackers but would neither damage the target systems nor steal information.” They are like independent auditors as ethical hackers main role is to “evaluate the target system’s security and report back to the owners the vulnerabilities they found in it and give instructions for how these can be remedied.”

The Supreme Court declared Section 4 (a) (1) of R.A. 10175 constitutional.

As observed by the Supreme Court, the strict scrutiny standard is an American constitutional construct that is used in determining the constitutionality of a law that has a tendency to target a class of things or persons. Based on the strict scrutiny standards, “a legislative classification that impermissibly interferes with the exercise of fundamental right or operates to the peculiar class disadvantage of a suspect class is presumed unconstitutional.” The burden shifts to the Government to establish that such classification is necessary in order to meet a “compelling State interest.” Further, such law is “the least restrictive means” to protect such interest. As an expansion from its use in equal protection, the strict scrutiny standard was eventually used to assess laws regulating speech, gender, race, and other fundamental rights.

The high tribunal did not find any necessity for the application of the strict scrutiny standard as there is no fundamental freedom involved. Essentially, illegal access of another computer without right is a “condemnable act”. The Decision reads further that illegal access is “a universally condemned act”.

As for ethical hackers, they are cannot be made liable for Illegal Access as a client’s engagement is covered by an agreement which specifies the scope and extent of the search, methodologies, and systems subject of testing. This referred to as a “get out of jail free card.” With such permission, the ethical hacker would be insulated from the coverage of Section 4 (a) (1).

Commentary

The Decision characterizes illegal access as “a universally condemned act”. Does this mean that a person who uses his friend’s mobile phone without consent in order to send an SMS to the former’s dying grandmother in the hospital one such act? Does this mean that an adult child’s use of his parent’s laptop without consent to make a thesis paper one such act? Does this mean that an employee’s use of the company desktop without consent to complete a report one such act?

The principle of without right being common to most Cybercrime Offense happens to be the best defense against a prosecution for a violation. If the offender had consent, then he/she had the right to access the computer system resulting in non-illegal access.

As for the strict scrutiny standards, it is submitted that this could have been evaluated under the doctrine of overbreadth. The legal provision is so broad that it could apply to any and all use of information and communication technology without consent. The implications are immense and far reaching that it could infringe fundamental rights. The elements of the Cybercrime Offense of Illegal Dismissal are very straightforward: that there is an offender who uses another’s computer system, and that such use is without right. This could apply to mobile phones, tablets, laptops, servers, and any information and communication technology.

On the other hand, the case for ethical hackers highly presupposes that there is a written agreement between the client and the ethical hacker. Without such written contract, it is possible that the ethical hacker may face prosecution by an unsatisfied or, worse, an angry client. Based on experience and observations, written agreements are not the norm in doing business in the Philippines. Most transactions are created via gentleman’s agreement with a simple firm shake of the hands. They are, in effect, verbal agreements with no written proof of the contract. Given these conditions, it is likely that there may be some ethical hackers who might find him/herself under prosecution for the Cybercrime of Illegal Access and he/she does not have strong defense due to the absence of a written contract.

While this provision may have good intentions to prevent illegal access of computer systems, this could have been narrowly drawn in order to avoid casting a wide net. For instance, the Cybercrime Offense could have been qualified to apply only to computer systems which have passwords or does not have a guest account. These circumstances indicates the owner’s intent not to allow anyone to use the computer system. Otherwise, any person who picks up a computer failing to get permission and then start browsing the Internet may be held liable for Illegal Access under R.A. 10175.

 

References:

[1] R.A. 10175. Sec. 3 (a).

[2] Ibid. Sec. 3 (h).