Friday, 4 May 2012

Foreign Hackers deface government websites

Foreign citizens deface websites based in the Philippines. How can you make them liable?

Cyber attacks on Philippine websites began on April 20, 2012, when the University of the Philippines website was defaced, allegedly by Chinese hackers. On the following day, two Chinese government websites were attacked, allegedly by Filipino hackers. On Monday, three Malacañang websites were attacked, and the attacks allegedly originated from IP addresses assigned to Chinese networks. The allegedly Chinese hackers defaced the websites to assert their country's claim over the Panatag (Scarborough) Shoal, located in Iba, Zambales, which is within the 200-nautical-mile exclusive economic zone of the Philippines.

A screenshot of the defaced website showed a map with Chinese script that highlighted islands in the South China Sea that are claimed by the Philippines and China. "We come from China! Huangyan Island is Ours," read the map's caption and text, which appeared on the Department of Budget and Management website along with a Chinese flag and characters. "Hacked! Owned by Chinese Hackers! How Come a Small Bitch Border Country are Overconfident? And Challenged to Our Chinese Super Hacker? Remember: Don't Trouble Chinese, Don't Play with Fire All Members From Silic Group Hacker Army F....k! Your Mother and All your F...g Families"

Chinese hackers plan to attack more Philippine government websites, according to their discussions on the Internet. An online forum of Chinese hackers belonging to the "Silic Group" tagged the Philippine Institute of Development Studies (PIDS) and Bulacan provincial government websites as next in their firing line. One forum user even posted usernames and passwords of Bulacan provincial government website administrators. A purported hacker from China claiming to be a member of the "Honker Union" also published on Facebook the alleged usernames and passwords of administrators of websites belonging to Radio Mindanao Network, the University of the Philippines College of Arts and Letters, and the People Management Association of the Philippines. An administrator of the Chinese hackers' forum also boasted about "first-hand" details about the attack that crippled the Department of Budget and Management (DBM) website.

Some of the threads on the "Silic Group" hackers' forum directly referred to the dispute between China and the Philippines over Scarborough Shoal. They indicated that their attacks are linked to the issue. One forum member referred to the Scarborough standoff as the "Huangyan Island incident." He said Chinese hackers should "punish the Philippines" and target Philippine websites, "especially its portal."

Malacañang said the websites of the Official Gazette, the PCDSPO, and the Presidential Museum and Library were targets of a denial-of-service attack. "Information gathered through our data analysis indicated that the attack originated from IP addresses assigned to Chinese networks."

How can we make the said foreign citizens liable for hacking the websites? Consider RA 8792, “An Act providing for the recognition and use of electronic commercial and non-commercial transactions, penalties for unlawful use thereof, and other purposes,” known as the E-Commerce Law.
Under Section 33. Penalties - The following Acts, shall be penalized by fine and/or imprisonment, as follows:
(a) Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents shall be punished by a minimum fine of One Hundred Thousand pesos (P 100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;
Under the above provision, there is no problem if the foreign hackers defaced government websites while staying in the Philippines, because the Philippines has jurisdiction over it under the territoriality rule: the penal laws of the country have force and effect only within its territory, subject to certain exceptions brought about by treaties or international agreements. The Supreme Court also ruled in Rustan Ang v. CA, GR No. 182835, April 29, 2010, that the Rules on Electronic Evidence apply only to civil actions, quasi-judicial proceedings, and administrative proceedings. Therefore, they are not applicable to the case at bar.
On January 30, 2012, the Senate approved Senate Bill 2796, or the Cybercrime Prevention Act of 2012. SB 2796 seeks to penalize acts of cybercrime such as hacking, spamming and internet child pornography.
Under Sec. 4 Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable under this Act:
A. Offenses against the confidentiality, integrity and availability of computer data and systems:
1. Illegal Access – The intentional access to the whole or any part of a computer system without right.
2. Illegal Interception – The intentional interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data: Provided, however, That it shall not be unlawful for an officer, employee, or agent of a service provider, whose facilities are used in the transmission of communications, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity that is necessary to the rendition of his service or to the protection of the rights or property of the service provider, except that the latter shall not utilize service observing or random monitoring except for mechanical or service control quality checks;
3. Data interference – the intentional or reckless alteration of computer data without right.
4. System Interference – the intentional or reckless hindering without right of the functioning of a computer system by inputting, transmitting, deleting or altering computer data or program.
B. Computer-related Offenses:
1. Computer-related Forgery – (a) the intentional input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible; (b) the act of knowingly using computer data which is the product of computer-related forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest design.
2. Computer-related Fraud – the intentional and unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby, with the intent of procuring an economic benefit for oneself or for another person or for the perpetuation of a fraudulent or dishonest activity; Provided, that if no damage has yet been caused, the penalty imposable shall be one degree lower.
The penalties are provided under SEC. 7 — Any person found guilty of any of the punishable acts enumerated in Sections 4A and 4B of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two Hundred Thousand Pesos (PhP200,000.00) up to a maximum amount commensurate to the damage incurred or both.
Under SEC. 15, the Regional Trial Court (RTC) shall have jurisdiction over any violation of the provisions of the Act, including any violation committed by a Filipino national regardless of the place of commission. Jurisdiction shall lie if any of the elements was committed within the Philippines or committed with the use of any computer system wholly or partly situated in the country, or when by such commission any damage is caused to a natural or juridical person who, at the time the offense was committed, was in the Philippines. In addition, the Act provides for international cooperation in Chapter VI, which is applicable to the case at bar because it involves foreign citizens. Sec. 16 states that “All relevant international instruments on international cooperation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense shall be given full force and effect.”
SB 2796 also provides in Sec. 17, Applicability of the Convention on Cybercrime. — The provisions of Chapter III of the Convention on Cybercrime shall be directly applicable in the implementation of this Act as it relates to international cooperation taking into account the procedural laws obtaining in the jurisdiction.
The Convention on Cybercrime (Budapest Convention on Cybercrime), or just the Budapest Convention, is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and lawful interception. "The Convention includes a list of crimes that each signatory state must transpose into their own law. It requires the criminalization of such activities as hacking (including the production, sale, or distribution of hacking tools) and offenses relating to child pornography, and expands criminal liability for intellectual property violations." The Philippines is one of the non-member states that have signed but not yet ratified the convention.
The third principal part of the Convention sets out mechanisms by which Parties to the convention will assist each other in investigating cybercrimes and other crimes involving electronic evidence. The Convention provides that Parties “shall co-operate with each other . . . to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.” However, this cooperation shall occur “through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws.” This suggests that cooperation may be limited or delayed if required by law or other arrangements. The specific cooperation measures are described below.
First, Parties must regard the substantive offenses set forth in the Convention as extraditable offenses, as long as the offense is punishable in both states by deprivation of liberty for a maximum period of at least one year, “or by a more severe penalty.” However, “[e]xtradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition.” If a Party refuses to extradite a person solely on the basis of his nationality, “or because the requested Party deems that it has jurisdiction over the offense,” the requested Party must refer the case (if requested by the Party seeking extradition) to its own competent authorities “for the purpose of prosecution.” Such authorities “shall take their decision and conduct their investigations and proceedings in the same manner as for any other offense of a comparable nature.” But there is no requirement that the person actually be prosecuted. Rather, the requested Party must simply “report the final outcome to the requesting Party in due course.”
Second, Parties must “afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.” Parties must “accept and respond to” requests made by “expedited means of communication, including fax or email, to the extent that such means provide appropriate levels of security and authentication,” but may require “formal confirmation to follow.” However, a Party may refuse cooperation on any ground provided for under its domestic law “or by applicable mutual assistance treaties,” except that a Party shall not exercise its right to refuse assistance in the case of cyber crimes “solely on the ground that the request concerns an offense which it considers a fiscal offense.”
Another of the mutual assistance provisions applies when two Parties do not have an existing mutual legal assistance treaty or some other formal arrangement between them (or when the Parties agree to apply the Convention provision in lieu of their existing arrangement). The Convention requires each Party to “designate a central authority” responsible for sending, answering, or executing requests for mutual assistance. The COE Secretary General shall keep an updated register of these central authorities. Parties agree to execute requests “in accordance with the procedures specified by the requesting Party, except where incompatible with the law of the requested Party.”

Finally, “[a] Party shall designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.” These 24/7 points-of-contact are responsible for “facilitating” or “directly carrying out” the necessary assistance, including by providing technical advice, preserving data, collecting data, providing legal information, and locating suspects. Each Party must ensure that the 24/7 points-of-contact are “trained and equipped” to fulfill these requirements and “facilitate the operation of the network.” The 24/7 network was modeled on a similar network created by the G8 group of nations in 1997 and subsequently expanded to include 20 nations by 2001.
Under the above provision, China and the Philippines should each designate a central authority, and each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the names and addresses of the authorities designated. The Secretary General of the Council of Europe shall set up and keep updated a register of central authorities designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times. However, the Convention does not have any enforcement mechanism, per se, to ensure that Parties comply with their obligations under the Convention. Instead, the Convention provides that “[t]he European Committee on Crime Problems (CDPC) shall be kept informed regarding the interpretation and application of the Convention.” It also contains a dispute resolution provision, which states that Parties who disagree “as to the interpretation or application of th[e] Convention...shall seek a settlement of the dispute through negotiation or any other peaceful means of their choice, including submission of the dispute to the CDPC, to an arbitral tribunal whose decisions shall be binding upon the Parties, or to the International Court of Justice, as agreed upon by the Parties concerned.” Nevertheless, if one party refuses to submit to such arbitration, the other Party has no real recourse under the Convention as to that dispute.

I therefore conclude that RA 8792, or the E-Commerce Law, is not applicable to the case at bar because its provisions do not state that it can be applied to foreign citizens who defaced Philippine websites from outside the Philippines, although it does penalize hacking or cracking. Foreign citizens who defaced the government websites can be made liable only through Senate Bill 2796, or the Cybercrime Prevention Act of 2012, in relation to the Convention on Cybercrime, which will help settle the dispute between the Philippines and China over the hacking of each other's websites by peaceful means.


DISCLAIMER:  The views and opinions expressed in this blog are those of the author and not intended to provide legal advice.