
Computer Ethics - Computer and Internet Crime 2016

This document provides an introduction to computer and internet crime. It discusses how the first recorded cybercrime took place in 1820 involving sabotage of a new textile loom. It defines computer crimes as crimes involving computers or networks, with computers used to enable traditional crimes or being the direct target. Various types of computer crimes are outlined such as those targeting computers, facilitated by computers, and classifications like crimes against persons, property, or government. Specific crimes discussed include hacking, viruses, fraud, and corporate espionage.

Uploaded by

xavierjohanis

INTRODUCTION TO COMPUTER AND INTERNET CRIME
Atty. Ramon Antonio A. Ruperto

Ethics and Criminal Law

When faced with a difficult ethical decision, reference to the law is often a good starting point.
In making an ethical decision, one of the principal guidelines is to determine whether there is a law that is applicable.
More specifically, one should ask whether or not the contemplated act is a crime.

The First Cybercrime

It is said that the first recorded cyber crime took place in the year 1820.
Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology.

What is a computer crime?

refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target.
any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them.
also referred to as cyber crime

What is a computer crime?

As of now, there is absolutely NO comprehensive law on cybercrime anywhere in the world.
There is NO exhaustive and uniform definition about cybercrime.
However, any activity involving a computer which basically offends human sensibilities can also be included in its ambit.

Other terms

Computer-related crime - any illegal behavior committed by means of, or in relation to, a computer system or network; however, strictly speaking, this is not cybercrime.
Netcrime - refers to criminal exploitation of the Internet

COMPUTER CRIME

Crimes that target computers directly
Crimes facilitated by computer networks or devices, the primary target of which is independent of the computer network or device

Crimes that primarily target computer networks or devices:

Computer viruses
Denial-of-service (DoS) attacks
Malware

Crimes that use computer networks or devices to advance other ends:

Cyberstalking / cyberbullying
Internet fraud and identity theft
Information warfare
Phishing scams

Other ways of classifying Cybercrimes:

According to the victim/offended person:
1. Cybercrimes against persons
2. Cybercrimes against property
3. Cybercrimes against the government

Cybercrimes against persons

include crimes like transmission of child pornography, harassment of anyone with the use of a computer such as e-mail, and cyberstalking, and trafficking, distribution, posting, and dissemination of obscene material including pornography, indecent exposure, and child pornography

Cybercrimes against property

include unauthorized computer trespassing through cyberspace (intrusion), computer vandalism, transmission of harmful programs, and unauthorized possession of computerized information

Cybercrimes against government

include cyberterrorism, cyberwarfare
generally speaking, these crimes may also refer to those against persons, but this time directed against the government (as a juridical person)

Other ways of classifying Cybercrimes:

As categorized by the United Nations:
1. unauthorized access
2. damage to computer data or programs
3. sabotage to hinder the functioning of a computer system or network
4. unauthorized interception of data to, from and within a system or network
5. computer espionage

Other ways of classifying Cybercrimes:

According to the role of the computer (as categorized by the US Department of Justice):
1. The computer as a target - attacking the computers of others (spreading viruses is an example)
2. The computer as a weapon - using a computer to commit "traditional crime" that we see in the physical world (such as fraud or illegal gambling)
3. The computer as an accessory - using a computer to store illegal or stolen information

Cybercrimes

There is no exhaustive list of all cybercrimes
New kinds of cybercrimes arise, and it is difficult to anticipate all the possible kinds of cybercrimes
Some specific acts may fall under several kinds of categories or areas

AREAS OF COMPUTER CRIME

Unauthorized access (Hacking)
Theft: goods, information or money
Theft of computer time
Computer fraud
Computer espionage
Identity theft
Forgery and piracy
Harassment and sexually related material

1. UNAUTHORIZED ACCESS

Unauthorized access to computer material (hacking/intrusions)
Unauthorized access with intent to commit further offenses (such as blackmail)
Unauthorized modification of computer material (for example, distributing viruses)

Hacking / Intrusions

Modern-day vandalism or graffiti
Unauthorized access to computer systems or networks
Ranges from the mere defacing of websites for personal notoriety, the challenge, or a political message, to interfering or controlling the computer system or network of another
It is unanimously agreed that any and every system in the world can be hacked

Intrusions - in a general sense, aside from hacking (the illegal entry into a secure database or network), these may also refer to the introduction of various forms of malicious software, which can be malware, worms, viruses, trojan horses, fake anti-virus software, and many other covert programs,

Virus / Worm attacks


Viruses - programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it.
Worms - programs which make functional copies of themselves and do this repeatedly until they eat up all the available space on a computer's memory.

Trojans - programs in which malicious or harmful code is disguised inside some apparently harmless programming or data (perhaps an image or sound file, or email attachment). The victim is tricked into executing the program code by opening the file or attachment, initiating a malicious sequence of events.

COST IMPACT OF WORMS

Name        Year released   Worldwide economic impact
Storm       2007            > $10 billion (est)
ILOVEYOU    2000            $8.75 - 10 billion
Code Red    2001            $2.62 billion
SirCam      2001            $1.15 billion
Melissa     1999            $1.10 billion

Cyber Attacks / DoS Attacks

Denial of Service (DoS) - involves flooding a computer resource with more requests than it can handle. This causes the resource (e.g. a web server) to crash, thereby denying authorized users the service offered by the resource.
Distributed Denial of Service (DDoS) - the perpetrators are many and are geographically widespread. It is very difficult to control such attacks. The attack is initiated by sending excessive demands to the victim's computer(s), exceeding the limit that the victim's servers can support and making the servers crash.

Cyber Attacks / DoS Attacks

In February 2000, these kinds of attacks were able to bring Yahoo, eBay, Amazon, CNN and other popular websites to a halt

Spam

Unsolicited sending of bulk email for commercial purposes
To send the same message indiscriminately to (large numbers of recipients) on the Internet

E-mail bombing

Email bombing refers to sending a large number of emails to the victim, resulting in the victim's email account (in case of an individual) or mail servers (in case of a company or an email service provider) crashing

2. THEFT OF GOODS, INFORMATION OR MONEY

Diverting goods to the wrong destination
Unauthorized tapping into data transmission lines or databases
Using someone else's credit card
Transferring payments to bogus bank accounts

Salami attacks

Used for the commission of financial crimes by altering raw data just before it is processed by a computer and making the alteration so insignificant that in a single case it would go completely unnoticed (e.g. a bank employee inserts a program into the bank's servers that deducts a small amount of money (such as 25 centavos a month) from the account of every customer. No account holder will probably notice this unauthorized debit, but the bank employee will make a sizable amount of money every month).

"Collect-the-roundoff" - In this scam, a programmer modifies arithmetic routines, such as interest computations. Typically, the calculations are carried out to several decimal places beyond the customary two or three kept for financial records.
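
An auditor's view of the two slides above, as an added example that is not part of the original lecture: recompute each interest posting at full precision and compare it with the ledger, since honest rounding leaves no systematic difference while a tampered routine leaves a small, one-sided shortfall on many accounts. The rate, the round-half-even policy, the account ids and balances, and the assumption that the tampered routine drops the sub-cent fraction are all constructed for illustration.

```python
"""Reconciliation audit for rounding-based skimming (constructed example)."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0025")  # assumed rate, not taken from the slides

# Constructed sample balances; account ids are hypothetical.
BALANCES = [
    ("A1", Decimal("10234.57")),
    ("A2", Decimal("880.10")),
    ("A3", Decimal("15999.99")),
    ("A4", Decimal("4321.00")),
    ("A5", Decimal("7777.77")),
    ("A6", Decimal("2503.60")),
]


def post_interest(balances, rate, rounding):
    """Build ledger rows (account, balance, posted_interest).

    `rounding` stands in for whatever the interest routine actually does,
    so the same helper produces both a clean and a tampered ledger.
    """
    return [
        (acct, bal, (bal * rate).quantize(CENT, rounding=rounding))
        for acct, bal in balances
    ]


def audit_ledger(ledger, rate, policy=ROUND_HALF_EVEN):
    """Recompute every posting and report where the ledger disagrees.

    Returns a dict with:
      mismatches - rows whose posted amount differs from the policy amount
      net_drift  - total amount customers are short (negative if overpaid)
      one_sided  - True when every mismatch shorts the customer, the
                   signature of a skim rather than random error
    """
    mismatches = []
    net_drift = Decimal("0.00")
    for acct, balance, posted in ledger:
        exact = balance * rate                      # full precision
        expected = exact.quantize(CENT, rounding=policy)
        drift = expected - posted
        if drift != 0:
            mismatches.append({
                "account": acct,
                "exact": exact,
                "expected": expected,
                "posted": posted,
                "drift": drift,
            })
            net_drift += drift
    one_sided = bool(mismatches) and all(m["drift"] > 0 for m in mismatches)
    return {
        "mismatches": mismatches,
        "net_drift": net_drift,
        "one_sided": one_sided,
    }


if __name__ == "__main__":
    clean = post_interest(BALANCES, MONTHLY_RATE, ROUND_HALF_EVEN)
    tampered = post_interest(BALANCES, MONTHLY_RATE, ROUND_DOWN)
    for name, ledger in (("clean", clean), ("tampered", tampered)):
        report = audit_ledger(ledger, MONTHLY_RATE)
        print(name, "drift:", report["net_drift"],
              "one-sided:", report["one_sided"],
              "accounts:", [m["account"] for m in report["mismatches"]])
```

The per-account drift is a single centavo, which is why the check has to be run across the whole ledger and compared against unexplained credits elsewhere rather than left to individual account holders to notice.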

3. THEFT OF COMPUTER TIME

Involves the use of an employer's computer resources for personal work
Considered a grey area
Example: Using Facebook during office hours

4. COMPUTER FRAUD

May include pre-Internet scams such as pyramid schemes, chain letters, sales of counterfeit goods, and phony business investment opportunities
Any fraudulent act with the use of computers

Computer Fraud

any dishonest misrepresentation of fact intended to let another do or refrain from doing something which causes loss
may include credit fraud. Certain computer viruses can log keystrokes on your keyboard and send them to hackers, who can then take your personal details, credit card number and home address. This information will be used by the hacker for his own means

Phishing

a kind of scam, especially practiced through e-mail, in which a cyber criminal sends a message that appears to be from the receiver's bank or business, or a government agency, such as the BIR
often they use these organizations' logos and design the message to appear the same as legitimate e-mail from the company. Once they have the recipient's trust, they then ask for money, bank account numbers, and other personal information

5. CORPORATE ESPIONAGE

Theft of corporate assets or trade secrets from computer systems of corporations which contain a great deal of information such as product development plans, customer contact lists, product specifications, manufacturing process knowledge, and strategic plans.

6. IDENTITY THEFT

Not just theft of credit card numbers, but also social security numbers, bank account details, addresses and any other personal data that a person might use to verify their identity

7. FORGERY AND PIRACY

Using desktop publishing software, high resolution scanners and laser printers to assist forgery, whether it be money, checks, passports, visas, birth certificates, identity cards, and degrees
Software piracy - distribution of illegal software and other intellectual products

Piracy / Online theft

act of copying copyrighted material. The personal computer and the Internet both offer new mediums for committing such crime
includes file-sharing or distributing songs, movies, video games, and so on for free
Online Theft - any type of 'piracy' that involves the use of the Internet to market or distribute creative works protected by copyright

Copying in the workplace, counterfeiting and various forms of illegal distribution of software cost the Asia Pacific region US$11.6 billion in 2006

8. HARASSMENT AND SEXUALLY RELATED MATERIAL

Computer-assisted sexual crimes, from distribution of child pornography, to electronic forms of sexual harassment and cyberstalking (use of e-mail and other electronic media to harass or threaten a person repeatedly)

Obscene or offensive content

The content of websites and other electronic communications may be distasteful, obscene or offensive for a variety of reasons

Cyber harassment / bullying

Directing of obscenities and derogatory comments at specific individuals, focusing for example on gender, race, religion, nationality, sexual orientation. This often occurs in chat rooms, through newsgroups, and by sending hate e-mail to interested parties
May also refer to cyber bullying, cyber stalking, harassment by computer, online predation, and internet libel

Cyberterrorism

is distinguished from other acts of commercial crime or incidents of hacking by its severity
intimidation or coercion of a government or organization to advance political or social objectives by launching computer-based attacks against computers, networks, and the information stored on them
an act of terrorism committed through the use of cyberspace or computer resources.

Cyberterrorism

any act of cybercrime designed to cause terror. Like conventional terrorism, e-terrorism is classified as such if the result of such cybercrime is to cause enough harm to generate fear
Terrorism - Any person who commits the following acts: Piracy and Mutiny, Rebellion or Insurrection, Coup d'Etat, Murder, Kidnapping, Crimes Involving Destruction, Arson, Hijacking, Illegal Possession of Firearms, thereby sowing and creating a condition of widespread and extraordinary fear and panic among the populace, in order to coerce the government to give in to an unlawful demand (Section 3, Republic Act No. 9372)

Cyberterrorism

The medium of cyberspace is being used by individuals and groups to threaten international governments as well as to terrorize the citizens of a country. This crime manifests itself into terrorism when an individual cracks into a government or military maintained website
In 2010, during the months leading to the May automated elections, five government websites (DOH, DOLE, DSWD, NDCC, and TESDA) were hacked. There were widespread concerns that the automated election counting machines could also be hacked.

Cyber warfare

May be an effective form of warfare in the future
In August 2008, Russia allegedly conducted cyber attacks, this time in a coordinated and synchronized campaign against the country of Georgia

Other cybercrimes

Cybersquatting
Typosquatting
Copyright/Trademark infringement
Internet plagiarism
Internet libel/defamation
Bandwidth theft

Cybercrime in the Philippines

There have been 667 instances of government website defacements between 2003-2008
87% of Filipinos have fallen victim to a variety of attacks, which include malware (virus and Trojan horse) invasion, online or phishing scams
73% do not expect cybercriminals to be brought to justice

Cybercrime in the Philippines

34% say it is acceptable to download music and movies without paying for them
22% think that using an unsecured WiFi access point is legal.

Cybercrime in the Philippines

As of 2005, the number of cybercrimes recorded was only 30
CIDG has recorded 72 computer-related crimes last year (2010) and 56 during the first half of this year
Effendy Ibrahim, head of Symantec Asia's Internet Safety Advocate and Consumer Business division, describes the growing cybercrime problem in the Philippines as a silent epidemic

Characteristics of Philippine Criminal Law

1. General Application - Philippine criminal laws are binding on all persons who live or sojourn in the Philippines, regardless of nationality, religion, etc.
2. Territorial - our criminal law undertakes to punish crimes committed only within the Philippine territory
3. Prospective - a criminal law cannot make an act punishable when it was not punishable when committed

VBS_LOVELETTER

better known as the Love Bug or the ILOVEYOU virus
Released in 2000, it caused major disruptions in email systems worldwide with costs escalating to an estimated $10 billion in revenue loss.
The source came from a Filipino IT dropout, Onel de Guzman, who created it as part of his thesis proposal with focus specifically on stealing passwords. Obviously, the thesis proposal was rejected, but the virus still found its way to the internet.
This incident marked the Philippines' infamous introduction onto the world stage of cyber crime.

Philippine Laws on Cybercrimes and other related acts

E-Commerce Act of 2000 (RA No. 8792)

Punishable acts:

1. Hacking or cracking - unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document

Hacker

Enjoys learning details of computer systems and how to stretch their capabilities
Programs enthusiastically rather than just theorizing about it
Malicious inquisitive meddler who tries to discover information by poking around

THE COMPUTER HACKER

Vandalism (Defacement)
Public interest
Reveal wrongdoing
Financial gain
As a protest
The challenge (fun)

Type of perpetrator - Typical motives

Hacker - Test limits of system and/or gain publicity
Cracker - Cause problems, steal data, and corrupt systems
Malicious insider - Gain financially and/or disrupt company's information systems
Industrial spy - Capture trade secrets and gain competitive advantage
Cybercriminal - Gain financially
Hacktivist - Promote political ideology
Cyberterrorist - Destroy infrastructure components of institutions

Hacker Ethics
(established by the early hackers)

Access to computers should be unlimited and total
All information should be free
Mistrust authority
Hackers should be judged by their hacking, not bogus criteria such as academic excellence, age, race or position
You can create art and beauty on a computer

Hackers as public watchdogs

Reveal information the public has a right to know, and expose the truth
In a sense, continues a tradition of investigative journalism
Example: Chaos Computer Club released more information to the public about the Chernobyl disaster than the government itself.
In this sense, it could be argued that hackers can be intelligent and critical checks against governments who withhold information or abuse their power

Hackers as security consultants

Breaching of systems can provide more effective security in the future, so that, presumably, less well-intentioned hackers are prevented from causing real harm
In the US, convicted hackers are regularly approached by security and intelligence agencies with offers to join them in return for reduction of their sentences
Others have established their own computer security firms

In May 2006, a Filipino call center agent was found guilty of hacking into the company he worked for and stealing credit card details. He was able to make online purchases worth more than $2,000 through illegal means. He served a 2-year prison sentence and had to pay over $5,000 in fines.

E-Commerce Act of 2000


(RA No. 8792)

Punishable acts:

2. Piracy - unauthorized copying, reproduction, dissemination, distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public, or broadcasting of protected material, electronic signature or copyrighted works including legally protected sound recordings or phonograms or information material on protected works, through the use of telecommunication networks, such as, but not limited to, the internet, in a manner that infringes intellectual property rights

Anti-Camcording Act of 2010


(Republic Act No. 10088)

prohibits and penalizes unauthorized use, possession, and control, with the intent or attempt to use audiovisual recording devices to transmit or make a copy of any performance in an exhibition facility of cinematographic film or other audiovisual work.
camcording activities declared for private or domestic purposes are now also punishable by law

Exhibition facilities are now mandated to conspicuously display notices and signages at their premises including, but not limited to, ticket-selling areas and theatre entrances to warn their patrons of the consequences of illegal camcording activities.
The Law also allows authorized persons, even without warrant and payment of admission fee or any charge, to enter and search any exhibition facility, seize any audiovisual recording device, and detain any person should they have reasonable ground to believe that a violation under this Act has been or is being committed.

Anti-Child Pornography Act of 2009


(Republic Act No. 9775)

This law defines child pornography as any representation, be it visual, audio or written, or combination thereof, by electronic, mechanical, digital, optical, magnetic or other means, of a child engaged in real or simulated explicit sexual activities.
Any person who produces, distributes, publishes and commits other related acts would be subject to penalties. Violators may include internet service providers and internet content hosts.

Anti Child Pornography Act of 2009


Republic Act No. 9775

Section 4. Unlawful or Prohibited Acts.
(a) To hire, employ, use, persuade, induce or coerce a child to perform in the creation or production of any form of child pornography;
(b) To produce, direct, manufacture or create any form of child pornography;
(c) To publish offer, transmit, sell, distribute, broadcast, advertise, promote, export or import any form of child pornography;
(d) To possess any form of child pornography with the intent to sell, distribute, publish, or broadcast: Provided, That possession of three (3) or more articles of child pornography of the same form shall be prima facie evidence of the intent to sell, distribute, publish or broadcast;

Anti Child Pornography Act of 2009


Republic Act No. 9775
(e) To knowingly, willfully and intentionally
provide a venue for the commission of prohibited
acts as, but not limited to, dens, private rooms,
cubicles, cinemas, houses or in establishments
purporting to be a legitimate business;
(f) For film distributors, theaters and
telecommunication companies, by themselves or
in cooperation with other entities, to distribute
any form of child pornography;
(g) For a parent, legal guardian or person having
custody or control of a child to knowingly permit
the child to engage, participate or assist in any
form of child pornography;

Anti Child Pornography Act of 2009


Republic Act No. 9775
(h) To engage in the luring or grooming of a
child;
(i) To engage in pandering of any form of child
pornography;
(j) To willfully access any form of child
pornography;
(k) To conspire to commit any of the prohibited
acts stated in this section. Conspiracy to commit
any form of child pornography shall be committed
when two (2) or more persons come to an
agreement concerning the commission of any of
the said prohibited acts and decide to commit it;
and
(l) To possess any form of child pornography.

Anti Child Pornography Act of 2009


Republic Act No. 9775

Internet content host - refers to a person who hosts or who proposes to host internet content in the Philippines.
Section 11. Duties of an Internet Content Host. An internet content host shall:
(a) Not host any form of child pornography on its
internet address;
(b) Within seven (7) days, report the presence of
any form of child pornography, as well as the
particulars of the person maintaining, hosting,
distributing or in any manner contributing to such
internet address, to the proper authorities; and
(c) Preserve such evidence for purposes of
investigation and prosecution by relevant
authorities.

Anti Child Pornography Act of 2009


Republic Act No. 9775

An internet content host shall, upon the request of proper authorities, furnish the particulars of users who gained or attempted to gain access to an internet address that contains any form of child pornography.
An internet content host who shall knowingly, willfully and intentionally violate this provision shall be subject to the penalty provided under Section 15(j) of this Act: Provided, That the failure of the internet content host to remove any form of child pornography within forty-eight (48) hours from receiving the notice that any form of child pornography is hitting its server shall be conclusive evidence of willful and intentional violation thereof.
Section 12. Authority to Regulate Internet Café or Kiosk. The local government unit (LGU) of the city or municipality where an internet café or kiosk is located shall have the authority to monitor and regulate the establishment and operation of the same or similar establishments in order to prevent violation of the provisions of this Act.

Cybercrime Prevention Act of 2012

ORIGIN:
Senate Bill No. 2796: "AN ACT DEFINING CYBERCRIME, PROVIDING FOR PREVENTION, INVESTIGATION AND IMPOSITION OF PENALTIES THEREFOR AND FOR OTHER PURPOSES"
Consolidation of SBNos. 14, 52, 134, 275, 665, 828, 983, 1081, 1475, 1963, 2214, 2451, 2534, 2674, and 2721, Taking Into Consideration SRNos. 75, 164 and 254

Republic Act No. 10175*


(Cybercrime Prevention Act of 2012)

Signed into law September 12, 2012. Took effect October 3, 2012.
Petitioners questioned the constitutionality of the law before the Supreme Court
On October 9, the Supreme Court issued a TRO, effective for 120 days, against its implementation/enforcement. Before expiry of the period, the SC extended the same indefinitely
On February 18, 2014, the Supreme Court promulgated its Decision

Republic Act No. 10175*


(Cybercrime Prevention Act of 2012)

Computer - refers to an electronic, magnetic, optical, electrochemical, or other data processing or communications device, or grouping of such devices, capable of performing logical, arithmetic, routing, or storage functions and which includes any storage facility or equipment or communications facility or equipment directly related to or operating in conjunction with such device. It covers any type of computer device including devices with data processing capabilities like mobile phones, smart phones, computer networks and other devices connected to the internet.

Offenses against the confidentiality, integrity and availability of computer data and systems
1. Illegal access - intentional access to the whole or any part of a computer system without right (HACKING)
2. Illegal interception - intentional interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data
3. Data interference - intentional or reckless alteration of computer data without right

Without right - refers to either:
(i) conduct undertaken without or in excess of authority;
(ii) conduct not covered by established legal defenses, excuses, court orders, justifications, or relevant principles under the law.

Offenses against the confidentiality, integrity and availability of computer data and systems

4. System interference - intentional or reckless hindering without right of the functioning of a computer system by inputting, transmitting, deleting or altering computer data or program.

i.e. introduction of viruses, trojan horses, worms, malicious software, DoS attack,

Offenses against the confidentiality, integrity and availability of computer data and systems
5. Misuse of device - use, production, sale, procurement,
importation, distribution, or otherwise making available,
without right, of:
(a) a device, including a computer program, designed
or adapted primarily for the purpose of committing any of
the offenses under this Act; or
(b) a computer password, access code, or similar data
by which the whole or any part of a computer system is
capable of being accessed with intent that it be used for
the purpose of committing any of the offenses under this
Act.
- possession of an item referred to with intent to use said
devices for the purpose of committing any of herein
offenses

Misuse of Device

Device - refers to a cracking device or tools for hacking
Penalizes the creation, possession, acquisition of any computer program designed to crack or disrupt systems illegally

Offenses against the confidentiality, integrity and availability of computer data and systems

6. Cyber-squatting. The acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name is:
(i) Similar, identical, or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration:
(ii) Identical or in any way similar with the name of a person other than the registrant, in case of a personal name; and
(iii) Acquired without right or with intellectual property interests in it.

Computer-related Offenses
1. Computer-related Forgery
(i) The input, alteration, or deletion of any computer data
without right resulting in inauthentic data with the intent
that it be considered or acted upon for legal purposes as if
it were authentic, regardless whether or not the data is
directly readable and intelligible; or
(ii) The act of knowingly using computer data which is the
product of computer-related forgery as defined herein, for
the purpose of perpetuating a fraudulent or dishonest
design.
2. Computer-related Fraud - The unauthorized input,
alteration, or deletion of computer data or program or
interference in the functioning of a computer system,
causing damage thereby with fraudulent intent:

Computer-related Offenses
3. Computer-related Identity Theft - The
intentional acquisition, use, misuse,
transfer, possession, alteration or deletion
of identifying information belonging to
another, whether natural or juridical,
without right: Provided, That if no
damage has yet been caused, the penalty
imposable shall be one (1) degree lower.

Content-related Offenses

(1) Cybersex. The willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.
(2) Child Pornography. The unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system: Provided, That the penalty to be imposed shall be (1) one degree higher than that provided for in Republic Act No. 9775.

Content-related Offenses

(3) Unsolicited Commercial Communications. The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services are prohibited

EXCEPTIONS:
(i) There is prior affirmative consent from
the recipient; or
(ii) The primary intent of the
communication is for service and/or
administrative announcements from the
sender to its existing users, subscribers or
customers;

(iii) The following conditions are present:
(aa) The commercial electronic communication
contains a simple, valid, and reliable way for the
recipient to reject receipt of further commercial
electronic messages (opt-out) from the same
source;
(bb) The commercial electronic communication
does not purposely disguise the source of the
electronic message; and
(cc) The commercial electronic communication
does not purposely include misleading information in
any part of the message in order to induce the
recipients to read the message.

This provision (on making unsolicited
commercial communications a crime)
was declared unconstitutional by the
Supreme Court:
Unsolicited advertisements are
legitimate forms of expression.

The Government, represented by the Solicitor
General, points out that unsolicited commercial
communications or spams are a nuisance that
wastes the storage and network capacities of
internet service providers, reduces the efficiency
of commerce and technology, and interferes with
the owner's peaceful enjoyment of his property.
Transmitting spams amounts to trespass to one's
privacy since the person sending out spams
enters the recipient's domain without prior
permission. The OSG contends that commercial
speech enjoys less protection in law.

But, firstly, the government presents no basis
for holding that unsolicited electronic ads reduce
the "efficiency of computers." Secondly, people,
before the arrival of the age of computers, have
already been receiving such unsolicited ads by
mail. These have never been outlawed as
nuisance since people might have interest in such
ads. What matters is that the recipient has the
option of not opening or reading these mail ads.
That is true with spams. Their recipients always
have the option to delete or not to read them.

To prohibit the transmission of unsolicited ads
would deny a person the right to read his emails,
even unsolicited commercial ads addressed to
him. Commercial speech is a separate category of
speech which is not accorded the same level of
protection as that given to other constitutionally
guaranteed forms of expression but is
nonetheless entitled to protection. The State
cannot rob him of this right without violating the
constitutionally guaranteed freedom of
expression. Unsolicited advertisements are
legitimate forms of expression.

III. Content-related Offenses


4. Libel. The unlawful or prohibited acts
of libel as defined in Article 355 of the
Revised Penal Code, as amended,
committed through a computer system
or any other similar means which may
be devised in the future.

SC upheld the validity of this
provision.
Indeed, cyberlibel is actually not a
new crime since Article 353, in
relation to Article 355 of the penal
code, already punishes it. In effect,
Section 4(c)(4) above merely affirms
that online defamation constitutes
similar means for committing libel.

Aiding or Abetting

Sec. 5. Other Offenses. The
following acts shall also constitute an
offense:
(a) Aiding or Abetting in the
Commission of Cybercrime. Any
person who willfully abets or aids in
the commission of any of the
offenses enumerated in this Act shall
be held liable.

Are online postings such as "Liking"
an openly defamatory statement,
"Commenting" on it, or "Sharing" it
with others, to be regarded as
"aiding or abetting"?

In libel in the physical world, if Nestor
places on the office bulletin board a small
poster that says, "Armand is a thief!", he
could certainly be charged with libel. If
Roger, seeing the poster, writes on it, "I
like this!", that could not be libel since he
did not author the poster. If Arthur,
passing by and noticing the poster, writes
on it, "Correct!", would that be libel? No,
for he merely expresses agreement with
the statement on the poster. He still is not
its author.

But suppose Nestor posts the blog,
"Armand is a thief!" on a social networking
site. Would a reader and his "Friends" or
"Followers", availing themselves of any of
the "Like", "Comment", and "Share"
reactions, be guilty of aiding or abetting
libel? And, in the complex world of
cyberspace expressions of thoughts, when
will one be liable for aiding or abetting
cybercrimes? Where is the venue of the
crime?

Except for the original author of the assailed
statement, the rest (those who pressed "Like",
"Comment" and "Share") are essentially knee-jerk
sentiments of readers who may think little or
haphazardly of their response to the original
posting. Will they be liable for aiding or abetting?
And, considering the inherent impossibility of
joining hundreds or thousands of responding
"Friends" or "Followers" in the criminal charge to
be filed in court, who will make a choice as to
who should go to jail for the outbreak of the
challenged posting?

The old parameters for enforcing the
traditional form of libel would be a square
peg in a round hole when applied to
cyberspace libel. Unless the legislature
crafts a cyber libel law that takes into
account its unique circumstances and
culture, such law will tend to create a
chilling effect on the millions that use this
new medium of communication in violation
of their constitutionally-guaranteed right
to freedom of expression.

The terms "aiding or abetting"
constitute broad sweep that
generates chilling effect on those
who express themselves through
cyberspace posts, comments, and
other messages. Hence, Section 5 of
the cybercrime law that punishes
"aiding or abetting" libel on the
cyberspace is a nullity.

In regard to the crime that targets
child pornography, when Google
procures, stores, and indexes child
pornography and facilitates the
completion of transactions involving
the dissemination of child
pornography, does this make
Google and its users aiders and
abettors in the commission of child
pornography crimes?

When a person replies to a Tweet
containing child pornography, he
effectively republishes it whether
wittingly or unwittingly. Does this
make him a willing accomplice to the
distribution of child pornography?
The legislature needs to address this
clearly to relieve users of annoying
fear of possible criminal prosecution.

ISSUES/PROBLEM AREAS
Not all forms of cybercrimes are covered
under our existing laws, including the
Cybercrime Prevention Act of 2012.

There will always be new types of
cybercrimes.
The human mind is ingenious enough to
devise new ways for perpetuating crime,
especially when newer technologies are
developed.

ISSUES/PROBLEM AREAS

People can file criminal cases under
provisions currently existing in our
laws.
Alternatively, victims can file for civil
damages instead.

IT SECURITY
INCIDENTS
A Major Concern

The security of information
technology used in business is of
utmost importance. Confidential
business data and private customer
and employee information must be
safeguarded, and systems must be
protected against malicious acts of
theft or disruption.

Ethical decisions regarding IT security:

If their firm is a victim of a computer
crime, should they pursue prosecution of
the criminals at all costs, maintain a low
profile to avoid the negative publicity,
inform the affected customers, or take
some other action?
How much effort and money should be
spent to safeguard against computer
crime?

Ethical decisions regarding IT security:

If their firm produces software with
defects that allow hackers to attack
customer data and computers, what
actions should they take?
What should be done if recommended
computer security safeguards make life
more difficult for customers and
employees, resulting in lost sales and
increased costs?

Most Common Security Incidents


TYPE OF SECURITY INCIDENT      2007    2008
Virus                          52%     50%
Insider Abuse                  59%     44%
Laptop theft                   50%     42%
Unauthorized Access            25%     29%
Denial of Service              25%     21%
Instant Messaging Abuse        25%     21%
Bots                           21%     20%

Implementing Trustworthy
Computing

Trustworthy computing - method of
computing that delivers secure,
private, and reliable computing
experiences based on sound business
practices
Businesses and organizations are
now demanding this

Risk Assessment

Process of assessing security-related
risks to an organization's computers
and networks from both internal and
external threats.

Security risk assessment process


1. Identify the set of IT assets about
which the organization is most
concerned. Priority is typically given
to those assets that support the
organization's mission and the
meeting of its primary business
goals.
2. Identify the loss events or the risks
or threats that could occur

Security risk assessment process


3. Assess the frequency of events or the
likelihood of each potential threat; some
threats, such as insider fraud, are more
likely to occur than others.
4. Determine the impact of each threat
occurring. Would the threat have a minor
impact on the organization, or could it
keep the organization from carrying out
its mission for a lengthy period of time?

Security risk assessment process


5. Determine how each threat can be
mitigated so that it becomes much
less likely to occur or if it does
occur, has less of an impact on the
organization.
6. Assess the feasibility of
implementing the mitigation options

Security risk assessment process


7. Perform a cost-benefit analysis to ensure
that your efforts will be cost effective.
8. Make the decision on whether or not to
implement a particular countermeasure.
If you decide against implementing a
particular countermeasure, you need to
reassess if the threat is truly serious,
and if so, identify a less costly
countermeasure.
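
The eight steps above, carried through as a calculation. This is an added example, not part of the original slides; the assets, threats, yearly rates, losses and countermeasure costs are constructed values, and treating risk as events per year times loss per event is an assumption made here.

```python
# Added example: all assets, threats, rates and costs are constructed values.
from dataclasses import dataclass, field

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0   # step 5: multiplies events per year
    impact_factor: float = 1.0       # step 5: multiplies loss per event
    feasible: bool = True            # step 6

@dataclass
class Threat:
    asset: str                       # step 1
    event: str                       # step 2
    events_per_year: float           # step 3
    loss_per_event: float            # step 4
    options: list = field(default_factory=list)

    def expected_loss(self, cm=None):
        rate, loss = self.events_per_year, self.loss_per_event
        if cm is not None:
            rate, loss = rate * cm.likelihood_factor, loss * cm.impact_factor
        return rate * loss

def decide(threat):
    """Steps 7-8: return (countermeasure name or None, yearly net benefit)."""
    baseline, best, best_net = threat.expected_loss(), None, 0.0
    for cm in threat.options:
        if not cm.feasible:
            continue                 # step 6 ruled this option out
        net = baseline - threat.expected_loss(cm) - cm.annual_cost
        if net > best_net:           # only adopt options that pay for themselves
            best, best_net = cm.name, net
    return best, round(best_net, 2)

def rank(threats):
    """Order threats by expected yearly loss, largest first."""
    ordered = sorted(threats, key=lambda t: t.expected_loss(), reverse=True)
    return [(t.event, round(t.expected_loss())) for t in ordered]

THREATS = [
    Threat("customer database", "insider fraud", 0.5, 200_000, [
        Countermeasure("audit-control software", 15_000, likelihood_factor=0.4),
        Countermeasure("replace whole system", 10_000, 0.1, feasible=False)]),
    Threat("sales laptops", "laptop theft", 2, 8_000, [
        Countermeasure("disk encryption", 3_000, impact_factor=0.25)]),
    Threat("public web site", "denial of service", 0.1, 20_000, [
        Countermeasure("traffic-filtering service", 30_000, impact_factor=0.1)]),
]
```

A result of (None, 0.0) is the step 8 case where no listed countermeasure is worth its cost, so the threat is reassessed or a less costly countermeasure is sought.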

Establishing A Security Policy

Educating Employees and Workers

Prevention

Installing a Corporate firewall
Intrusion Prevention systems
Installing Antivirus software
Implementing safeguards against
attacks by malicious insiders
Conducting periodic IT Security Audit

AUGMENTING COMPUTER SECURITY: Passwords, Anti-virus software, Audit-control software, Encryption, Biometrics, Access control software, Firewalls

Passwords

One of the simplest and most widely used
computer security measures
Inherent weakness: can be too obvious or
easy to guess
Rigorously enforced password policies
need to be adhered to (at least 8
characters, alphanumeric)
Changed on a regular basis
Monitor logins (including unsuccessful
ones)
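
A sketch of the two checks listed above: the password policy and the monitoring of logins. This is an added example, not part of the original slides; the log format, the short list of obvious passwords and the threshold of three failures are assumptions, and "alphanumeric" is read here as containing both letters and digits.

```python
# Added example: log format, word list and threshold are constructed assumptions.
import re
from collections import defaultdict

OBVIOUS = {"password", "12345678", "qwerty123", "letmein1"}  # sample list only

def password_violations(password, username=""):
    """Return the policy rules from the slide that this password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("not alphanumeric (needs letters and digits)")
    lowered = password.lower()
    if lowered in OBVIOUS or (username and username.lower() in lowered):
        problems.append("too obvious or easy to guess")
    return problems

LINE = re.compile(r"^(\S+) LOGIN (OK|FAIL) user=(\S+) src=(\S+)$")

def review_logins(lines, threshold=3):
    """Flag runs of failed logins, and a success that follows such a run."""
    streak = defaultdict(int)        # consecutive failures per user
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                 # ignore lines in another format
        ts, result, user, _src = m.groups()
        if result == "FAIL":
            streak[user] += 1
            if streak[user] == threshold:
                alerts.append((ts, user, "repeated failed logins"))
        else:
            if streak[user] >= threshold:
                alerts.append((ts, user, "success after repeated failures"))
            streak[user] = 0
    return alerts

SAMPLE_LOG = """\
2016-03-01T09:00:01 LOGIN FAIL user=alice src=10.0.0.5
2016-03-01T09:00:04 LOGIN FAIL user=alice src=10.0.0.5
2016-03-01T09:00:06 LOGIN OK user=bob src=10.0.0.9
2016-03-01T09:00:09 LOGIN FAIL user=alice src=10.0.0.5
2016-03-01T09:00:15 LOGIN OK user=alice src=10.0.0.5
2016-03-01T09:01:00 LOGIN FAIL user=bob src=10.0.0.9
2016-03-01T09:01:05 LOGIN OK user=bob src=10.0.0.9
""".splitlines()
```

The second alert type is the reason unsuccessful logins are worth keeping: a success right after a run of failures is the entry to review first.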

Encryption

Useful to secure information in transit between
the sender and receiver
Encryption - conversion of data into a form
(called a cipher) that cannot be easily understood
by unauthorized receivers
Decryption - process of converting encrypted
data back into its original form, so it can be
understood
Ciphers include substitution of letters for
numbers, scrambling, rotation of letters
More complex ciphers are based on sophisticated
computer algorithms

Access control software

Assigns access rights and privileges
in a computer network to different
users
Restricts users to only those files
they are authorized to use
Limitation: it does not protect
against frauds committed by
employees while going about their
legitimate tasks

Firewalls

Consists of hardware and/or software that
is designed to insulate an organization's
internal network from the wider Internet,
by putting a boundary around it (firewall)
Not only does it serve to protect against
hacking from outside, but also to restrict
access to the Internet from inside a
network (such as blocking access to
certain websites)

Biometrics

Process of digitizing biological
characteristics
Work by sampling unique biological
features, such as voice, the pattern
of blood vessels in the retina, or
fingerprints.
This is converted into mathematical
code and stored as a biometric
template

Audit control software

Used to closely monitor the use of a
computer
Enables auditors to trace and identify
any operator who gains access to a
system, and the exact time that the
access occurred

Anti-virus software

Works by searching the computer's
hard drive and storage media for
virus patterns and signatures, and
matching them against its own
database of virus definitions
Limitation: new viruses are
appearing all the time
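
Signature matching and its limitation, as an added example that is not part of the original slides. The definition names, byte patterns and file contents are constructed and harmless, and using SHA-256 for whole-file definitions is an assumption made here.

```python
# Added example: names, patterns and file contents are constructed and harmless.
import hashlib

class Scanner:
    def __init__(self):
        self.patterns = {}   # definition name -> byte pattern
        self.hashes = {}     # SHA-256 hex digest -> definition name

    def add_pattern(self, name, pattern):
        self.patterns[name] = pattern

    def add_file_hash(self, name, content):
        self.hashes[hashlib.sha256(content).hexdigest()] = name

    def scan(self, data):
        """Return the sorted names of all definitions that match this file."""
        hits = set()
        known = self.hashes.get(hashlib.sha256(data).hexdigest())
        if known:
            hits.add(known)
        hits.update(n for n, p in self.patterns.items() if p in data)
        return sorted(hits)

    def scan_media(self, files):
        """Scan a {path: bytes} mapping and keep only the files with matches."""
        results = {path: self.scan(data) for path, data in files.items()}
        return {path: hits for path, hits in results.items() if hits}

FILES = {
    "C:/docs/report.txt": b"quarterly figures, nothing unusual",
    "C:/tmp/setup.bin": b"\x00\x01header" + b"DEMO-ALPHA-MARKER" + b"trailer",
    "E:/usb/copy.bin": b"constructed known-bad sample file",
    "E:/usb/new.bin": b"\x00\x01header" + b"DEMO-OMEGA-MARKER",
}

def build_scanner():
    """A scanner loaded with two constructed definitions."""
    s = Scanner()
    s.add_pattern("Demo.Alpha", b"DEMO-ALPHA-MARKER")
    s.add_file_hash("Demo.Gamma", b"constructed known-bad sample file")
    return s
```

E:/usb/new.bin has no definition yet, so scan() reports nothing for it until a matching pattern is added with add_pattern(); that gap is why the definitions database has to be kept up to date.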

Detection

Intrusion Detection System -
software and/or hardware that
monitors system and network
resources and activities, and notifies
network security personnel when it
identifies possible intrusions

Response

Prepare for the worst - in a security
incident, the primary goal must be to
regain control and limit damage, not to
attempt to monitor or catch an intruder.
Incident notification
Protection of Evidence and Activity logs
Incident containment
Eradication
Incident Follow-up
