- Foreign Hackers deface government websites
- social media or internet tools essential in the acceptance of an applicant
Foreign citizens deface websites coming from the Philippines. How can you make them liable?
Cyber attacks on Philippine websites began on April 20, 2012 when the University of the Philippines website was defaced allegedly by Chinese hackers. On the following day, two Chinese government websites were attacked allegedly by Filipino hackers. On Monday, three Malacañang websites were attacked and hackers allegedly originated from IP addresses assigned to Chinese networks. The allegedly Chinese hackers defaced the websites to assert their country’s claim over the Panatag (Scarborough) Shoal located in Iba, Zambales which is under the 200 nautical miles exclusive economic zone of the Philippines.
A screenshot of the defaced website, http://www.up.edu.ph, showed a map with Chinese script that highlighted islands in the South China Sea that are claimed by the Philippines and China. “We come from China! Huangyan Island is Ours,” the map’s caption read and the text, which appeared on the Department of Budget and Management website, along with a Chinese flag and characters. “Hacked! Owned by Chinese Hackers! How Come a Small Bitch Border Country are Overconfident? And Challenged to Our Chinese Super Hacker? Remember: Don’t Trouble Chinese, Don’t Play with Fire All Members From Silic Group Hacker Army F….k! Your Mother and All your F…g Families”
Chinese hackers plan to attack more Philippine government websites, according to their discussions on the Internet. An online forum of Chinese hackers belonging to the “Silic Group” tagged the Philippine Institute of Development Studies (PIDS) and Bulacan provincial government websites that are next in their firing line. One forum user even posted usernames and passwords of Bulacan provincial government website administrators. A purported hacker from China claiming to be a member of the “Honker Union” also published on Facebook the alleged usernames and passwords of administrators of websites belonging to Radio Mindanao Network (http://www.rmn.ph), the University of the Philippines College of Arts and Letters (http://kal.upd.edu.ph), and the People Management Association of the Philippines (http://www.pmap.org.ph). An administrator of the Chinese hackers’ forum at bbs.blackbap.org also boasted about “first-hand” details about the attack that crippled the Department of Budget and Management (DBM) website. Some of the threads on the “Silic Group” hackers’ forum directly referred to the dispute between China and the Philippines over Scarborough shoal. They indicated that their attacks are linked to the issue. One forum member referred to the Scarborough standoff as “Huangyan Island incident.” He said Chinese hackers should “punish the Philippines” and target Philippine websites, “especially its portal.” Malacañang said websites of the Official Gazette, the PCDSPO, and the Presidential Museum and Library website were targets of a denial-of-service attack. “Information gathered through our data analysis indicated that the attack originated from IP addresses assigned to Chinese networks,”.
How can we make the said foreign citizens liable for hacking the websites. According to RA 8792 which is “An Act providing and use of electronic commercial and non-commercial transactions, penalties for unlawful use thereof, and other purposes” or what is known as the E-Commerce Law.
Under Section 33. Penalties – The following Acts, shall be penalized by fine and/or imprisonment, as follows:
(a) Hacking or cracking with refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents shall be punished by a minimum fine of One Hundred Thousand pesos (P 100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;
In the above provision, there is no problem if the foreign hackers defaced some government websites while staying in the Philippines because the Philippines has a jurisdiction over the it under the territoriality rule that penal laws of the country have force and effect only within its territory subject to certain exceptions brought about by treaties or international agreements. The Supreme Court also ruled in Rustan Ang v. CA, GR No.182835, April 29,2010 that the Rules on Electronic Evidence applies only to civil actions, quasi-judicial proceedings, and administrative proceedings. Therefore, it is not applicable to the case at bar. Last January 30, 2012, the Senate approved Senate Bill 2796 or the Cybercrime Prevention Act of 2012. Under SB 2796 it seeks to penalize acts of cybercrime such as hacking, spamming and internet child pornography.
Under Sec.4 Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable under this Act:
A. Offenses against the confidentiality, integrity and availability of computer data and systems:
- Illegal Access – The intentional access to the whole or any part of a computer system without right.
- Illegal Interception – The intentional interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data: Provided, however, That it shall not be unlawful for an officer, employee, or agent of a service provider, whose facilities are used in the transmission of communications, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity that is necessary to the rendition of his service or to the protection of the rights or property of the service provider, except that the latter shall not utilize service observing or random monitoring except for mechanical or service control quality checks;
- Data interference – the intentional or reckless alteration of computer data without right.
- System Interference – the intentional or reckless hindering without right of the functioning of a computer system by inputting, transmitting, deleting or altering computer data or program.
B. Computer-related Offenses:
- Computer-related Forgery – (a) the intentional input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible; (b) the act of knowingly using computer data which is the product of computer-related forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest design.
- Computer-related Fraud – the intentional and unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby, with the intent of procuring an economic benefit for oneself or for another person or for the perpetuation of a fraudulent or dishonest activity; Provided, that if no damage has yet been caused, the penalty imposable shall be one degree lower.
The penalties are: under SEC. 7 — Any person found guilty of any of the punishable acts enumerated in Sections 4A and 4B of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two Hundred Thousand Pesos (PhP200,000.00) up to a maximum amount commensurate to the damage incurred or both.
Under SEC.15 the Regional Trial Court (RTC) shall have jurisdiction over any violation of the provisions of the Act including any violation committed by a Filipino national regardless of the place of commission. Jurisdiction shall lie if any of the elements was committed within the Philippines or committed with the use of any computer system wholly or partly situated in the country, or when by such commission any damage is caused to a natural or juridical person who, at the time the offense was committed, was in the Philippines. In addition to that, the Act also provides in Chapter VI – international cooperation which is applicable at the case at bar because it involves foreign citizens. Under Sec. 16 it states that “All relevant international instruments on international cooperation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense shall be given full force and effect.
SB 2796 mentions also on Sec. 17 Applicability of the Convention on Cybercrime. — The provisions of Chapter III of the Convention on Cybercrime shall be directly applicable in the implementation of this Act as it relates to international cooperation taking into account the procedural laws obtaining in the jurisdiction.
The Convention on Cybercrime (Budapest Convention on Cybercrime) or just the Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and Lawful interception. “The Convention includes a list of crimes that each signatory state must transpose into their own law. It requires the criminalization of such activities as hacking (including the production, sale, or distribution of hacking tools) and offenses relating to child pornography, and expands criminal liability for intellectual property violations. Philippines is one of the non-member states that have signed but not yet ratified the convention.
It sets out in the third principal part of the Convention mechanisms by which Parties to the convention will assist each other in investigating cybercrimes and other crimes involving electronic evidence. The Convention provides that Parties “shall co-operate with each other . . . to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.” However, this cooperation shall occur “through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws.” This suggests that cooperation may be limited or delayed if required by law or other arrangements. The specific cooperation measures are described below.
First, Parties must regard the substantive offenses set forth in the Convention as extraditable offenses, as long as the offense is punishable in both states by deprivation of liberty for a maximum period of at least one year, “or by a more severe penalty. However, “[e]xtradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition.” If a Party refuses to extradite a person solely on the basis of his nationality, “or because the requested Party deems that it has jurisdiction over the offense,” the requested Party must refer the case (if requested by the Party seeking extradition) to its own competent authorities “for the purpose of prosecution.” Such authorities “shall take their decision and conduct their investigations and proceedings in the same manner as for any other offense of a comparable nature.” But there is no requirement that the person actually be prosecuted. Rather, the Requested party must simply “report the final outcome to the requesting Party in due course.”
Second, Parties must “afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.” Parties must “accept and respond to” requests made by “expedited means of communication, including fax or email, to the extent that such means provide appropriate levels of security and authentication,” but may require “formal confirmation to follow.” However, Parties may refuse cooperation on any ground provided for under its domestic law “or by applicable mutual assistance treaties,” except that a Party shall not exercise its right to refuse assistance in the case of cyber crimes “solely on the ground that the request concerns an offense which it considers a fiscal offense.”
Another of mutual assistance provisions applies when two Parties do not have an existing mutual legal assistance treaty or some other formal arrangement between them (or when the Parties agree to apply the Convention provision in lieu of their existing arrangement). The Convention requires each Party to “designate a central authority” responsible for sending, answering, or executing requests for mutual assistance. The COE Secretary General shall keep an updated register of these central authorities. Parties agree to execute requests “in accordance with the procedures specified by the requesting Party, except where incompatible with the law of the requested Party.”
Finally, “[a] Party shall designate a point of contact available on a twenty-four hour, seven-day-a week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.” These 24/7 points-of-contact are responsible for “facilitating” or “directly carrying out” the necessary assistance, including by providing technical advice, preserving data, collecting data, providing legal information, and locating suspects. Each Party must ensure that the 24/7 points-of-contact are “trained and equipped” to fulfill these requirements and “facilitate the operation of the network.” The 24/7 network was modeled on a similar network created by the G8 group of nations in 1997 and subsequently expanded to include 20 nations by 2001.
In the above provision, China and the Philippines should designate each a central authority and each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the names and addresses of the authorities designated and the Secretary General of the Council of Europe shall set up and keep updated a register of central authorities designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times. However, the Convention does not have any enforcement mechanism, per se, to ensure that Parties comply with their obligations under the Convention. Instead, the Convention provides that “[t]he European Committee on Crime Problems (CDPC) shall be kept informed regarding the interpretation and application of the Convention.” It also contains a dispute resolution provision, which states that Parties who disagree “as to the interpretation or application of th[e] Convention…shall seek a settlement of the dispute through negotiation or any other peaceful means of their choice, including submission of the dispute to the CDPC, to an arbitral tribunal whose decisions shall be binding upon the Parties, or to the International Court of Justice, as agreed upon by the Parties concerned.” Nevertheless, if one party refuses to submit to such arbitration, the other Party has no real recourse under the Convention as to that dispute.
I therefore conclude that RA 8792 or the e-commerce law, is not applicable at the case at bar because it does not mention in its provision that it can be applied to foreign citizens who defaced Philippine websites outside the Philippines although it mentions that hacking or cracking is penalized under the said law. Foreign Citizens who defaced the government websites can be liable only through SB Senate Bill 2796 or the Cybercrime Prevention Act of 2012 in relation with the Convention on Cybercrime which will aid to settle the dispute between the Philippines and China regarding hacking of websites of each other in a peaceful method.
>strong>Should social media and internet tools essential in the acceptance of an applicant? Can companies and/or institutions use Internet search tools and access to social media accounts in determining the most suitable candidate?
- Some of these well-known social media and internet tools are the Facebook, Twitter and LinkedIn.
- LinkedIn targets professionals and allows members to create a profile that describes their professional background and facilitates connection and communication with other professionals.
- Facebook targets students and adults allowing members to create a profile that primarily focuses on more personal matters such as family and hobbies. Members use Facebook to talk with friends and share personal information about their lives.
- Twitter is a more recent addition to the social networking phenomenon. Twitter asks users “What are you doing?”, and users answer with a brief message. Twitter members can post links to articles, pictures, videos or other information about themselves or topics of interest.
These Social media and internet tools are not essential in the acceptance of an applicant and companies and/or institutions in determining the most suitable candidate because of the disadvantages in the so-called “social-media background checks” because the use of social media background checks for job applicants has become controversial and can present legal risks. Employers face numerous landmines and pitfalls that can include privacy, discrimination, and accuracy issues.
When an applicant creates a profile he/she may enter very little information or a lot of information about himself/herself and their professional qualifications on the profile. In the information page from Facebook, the questions look like a direct list of questions that during the hiring process should be avoided. Some of these are the following: gender, birthday, family members, relationship status, sexual orientation and religious views are all available profile fields.
Also on Facebook, comments posted to one’s wall can easily contain comments that would disclose information about marital status, disabilities, religious views, etc. Another possible trouble spot relates to using information associated with friends and contacts. These sites allow the job seeker to set tight privacy settings on his/her profile, limiting information that visitors can see. However, it is difficult to control what friends are posting. Friends may post pictures of the job seeker or messages and comments containing content that could be less than favorable in a potential employer’s eyes. If a friend tag a picture to the applicant wherein they were drinking hard liquor and friends of the applicant would comment negatively about the applicant whether it is true or not then the employer would probably not hire the applicant because of the pictures and the comments in the Facebook wall of the applicant. The applicant at that moment cannot defend himself or herself to the employer because you do not know when the employer or his/her staff would look into the profile of the applicant. There could also be a possibility that discrimination could happen regarding the marital status of an applicant. If the employer finds out that the applicant is a single parent because of looking the pictures of the applicant in the Facebook there could also be a possibility that the employer or his/her staff would not hire someone who is a single parent because of avoiding RA. 8972 “An act providing for benefits and privileges to solo parents and their children, appropriating funds therefor and for other purposes” also known as the “Solo Parents’ Welfare Act of 2000” which would only give additional benefits to the applicant so employer would rather chose someone who is not a solo parent even though an applicant is highly qualified for the position. How about an employer who would see in the profile picture of the applicant in these social media who is handicapped will the employer continue to see the profile of the applicant? This is the problem with the social media and internet tools in the acceptance of the applicant there could be a discrimination in the employment process violating the Equal Protection Clause that all persons or things similarly situated must be treated alike both to the rights conferred and the liabilities imposed. It does not demand absolute equality among residents; it merely requires that all persons shall be treated alike, under like circumstances and conditions both as to privileges conferred and liabilities enforced.
In a blog titled ‘Protecting Your Passwords and Your Privacy’ posted on the Facebook and Privacy page on Friday, March 23, 2012, Erin Egan, the Menlo Park, California-based company’s Chief Privacy Officer, responded to recent news reports of employers “seeking to gain inappropriate access” to the Facebook profiles of job applicants and employees. She also said that Facebook would “take action to protect the privacy and security” of users and consider “initiating legal action” where appropriate Protecting Your Passwords and Your Privacy’ . Erin Egan stated that-
“As a user, you shouldn’t be forced to share your private information and communications just to get a job. And as the friend of a user, you shouldn’t have to worry that your private information or communications will be revealed to someone you don’t know and didn’t intend to share with just because that user is looking for a job. That’s why we’ve made it a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password. “
In the above statement it would show that even in social media and internet tools a person has still right to privacy and if an employer would violate it the Writ of Habeas Data would apply wherein-
Section 1. Habeas Data. – The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.
- Association of Small Landowners in the Philippines Inc. vs. Secretary of Agrarian Reform, GR 78741, 14 July 1989; Ichong vs. Hernandez, 11 Phil.1155
- 2 Cooley, Constitutional Limitations, 824-825
- Social Networks and Employment Law: Are you putting your Organization at Risk? @ PeopleClick.com