In one of my Mandatory Continuing Legal Education (MCLE) lectures for the lawyers who are members of the Integrated Bar of the Philippines (IBP), Iloilo, last September 6, 2017, I discussed the fact that the Supreme Court actually established the cybercrime courts via a Memorandum Circular issued last November 2016. This circular operationalized the provision in the Philippine Cybercrime Prevention Act (R.A. 10175) which provided for the creation of cybercrime courts in the Philippines. The SC circular mandated that all the courts previously designated as commercial courts would serve as cybercrime courts as well.
In the 2016 draft DOJ Manual on the Investigation of Cybercrime and Related Cases (the “Draft Manual”), which had been sent to the SC for approval, but which is still pending there, the Draft Manual gave the judges power to issue search and seizure orders concerning electronic data “upon probable cause in connection with a specific offense to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the things to be seized” (Rule 3, Sec. 4).
The law enforcement authorities are mandated to “make an initial return to the judge who issued the warrant, together with the inventory of the items seized, including the hash values of the computer storage medium where the seized data are stored” (Rule 3, Sec. 4, c). There is no specific provision in the Draft Manual as to the definite time when the police must actually submit the initial inventory of the e-data seized to the court. What the Draft Manual does provide is for the allowance for the police to seek for a one time 30 day extension, in cases where the time allotted to conduct forensic examination and analysis is not sufficient, subject to the partial submission of those already completed and provide a justifiable reason for the request of such extension (Rule 3, Sec. 4, c). Within 48 hours after the expiration of the extension, the police is required to “make the full return of the warrant and deposit with the Court all computer data, including content and traffic data, examined” (Rule 3, Sec. 4, e).
What is most objectionable about this Rule, which I brought to the attention of the Iloilo IBP lawyers is this:
The Court shall ascertain that the hash values submitted during the initial return and the full return are the same and intact to ensure the integrity of evidence were preserved (Rule 3, Sec. 4, e).
When I read this, I could not believe what the Draft Manual is trying to or making the judge do, to the detriment of the rights of the accused and the interests of fair play and truth!
For those unfamiliar with the subject, a digital hash is defined by the Draft Manual itself as:
Hash value. – refers to the result produced by a mathematical algorithm that pertains to a digital information (a file, a physical disk or a logical disk), thereby creating a “digital fingerprint” or “digital DNA” for that information (Rule 1, Sec. 6, g).
How does one determine a “digital hash”?
Since the digital hash of a piece of an electronic data is mathematically obtained from the contents of such data through hashing algorithms, a cyber judge must be familiar and must know how to use hashing algorithms, like MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm), SHA256, and others to compute for the hash value of an e-data. These are facilitated through the use of software and different computer programs. The Manual does not specify which hashing algorithms will be used by the police.
WHY THE DRAFT MANUAL’S PROVISION IS OBJECTIONABLE:
Since the Draft Manual obligates the cyber judge to check the initial and final hash values per electronic data, it is not clear what the Draft Manual would exactly require of judges.
Cyber judges can just compare the initial and final hash values per electronic data submitted by the police that can be presented in paper or electronic format. For example, let us say that the e-data involved is the phrase “The text inside these quotes” which has a SHA-256 hash value of: 96b26f6cc52edd91cd52ac5baa1a802f4ff04daab07a308f0b2e897cc807e4bb. The cyber judge would just have to compare the initial and final returns submitted to him/her per character. I submit however that this is objectionable from the most basic sense of fairness and justice accorded to the accused by the Constitution and our procedural and substantive due process rules.
Preclusion of Raising Valid Legal Objections by the Defense Counsel
The judge, in giving his/her imprimatur to the hash values submitted by the police would actually preclude the defense counsel from objecting to the soundness of the hashing algorithm used, or even the integrity of the e-data hashed. It is still possible that two different pieces of e-data would have the same hash value, thereby producing what is known as a “collision”. This is because no hashing algorithm is fool proof from cryptanalytic attacks.
No Judicial Certitude that the Hash Values Pertained to Same E-Data
Since the judge would not be looking at the content of the e-data itself but only on the digital hash, the judge would not be able to ascertain if the same e-data was hashed in the initial and final returns submitted by the police. The defense counsel would also encounter a seemingly insurmountable barrier to showing that the hash values submitted by the police pertain to different e-data, because the judge already made the determination by implication that the initial and final hash values of the e-data submitted by the police pertain to the same e-data.
The Toll On the Judge’s Time and Court Resources
The only alternative to this case is if the cyber judge (to assure him/herself that these characters are the actual hash values of one and the same specific e-data) would know how to run, and must actually run the SHA-256 algorithm on the e-data itself to compute for the hash value of the e-data and compare the result or checksum with the initial and final hash values in the returns of the police.
If this alternative is the one required by the Draft Manual, then it presents technical and logistical feasibility issues which can cause undue delays in the arraignment of people who were already arrested and clogging of court dockets in cybercrime courts.
The Draft Manual erroneously limited the digital hashing to the storage medium of the e-data. For those in the know, “every piece of evidence found on the disk image must be hashed. In an investigation, everything you have done must be able to be replicated by another person, and this is done via hashing. If you find a zipped file containing photos on the suspect’s disk image, the zipped file and each of the photos must be individually hashed. Think of it this way: anything you look at and anything you present as evidence must be hashed. Otherwise, there is no way for the court to verify that you did not alter the evidence in some unknown way” (WinHex Tutorial).
This alternative asks too much of the cybercrime judge’s time and abilities and court resources, including computational resources. The Judge must be trained to know how to run the different types of hashing algorithms depending on the hashing methods used by the police.
The judge will also be required to hash each piece of e-data submitted by the police to compare with their initial and final returns. This might be workable if the e-data is quite small or few. But what if the relevant e-data consists of several terabytes of e-data found on different e-devices, and those sourced from the cloud? The judge might spend too much time on these matters to the detriment of active cybercrime cases in his/her sala.
Finally, this alternative would actually make the cyber judge pre-judge or predetermine several matters about each specific e-data that he/she hashed, which may include the content and source of the e-data, and the integrity of the e-data. These again, can constitute insurmountable barriers to the defense in presenting evidence that contradict these matters.
The Judge is Transformed from an Independent Arbiter of Truth to the Prosecution’s Tool
Ultimately, in whatever scenario this plays out, the requirement that the cyber judge must “ascertain that the hash values submitted during the initial return and the full return are the same and intact to ensure the integrity of evidence were preserved” makes the judge nothing but a mere tool for the prosecution.
The Draft Manual automatically co-opts the judge to do the work of the prosecution to the great disservice of procedural and substantive due process and the rights of the accused.