Philippine Lawbytes 132: DIGITAL HASHING BY JUDGES, WHAT??? (Copyright by Dr. Atty. Noel G. Ramiscal)

In one of my Mandatory Continuing Legal Education (MCLE) lectures for the lawyers who are members of the Integrated Bar of the Philippines (IBP), Iloilo, last September 6, 2017, I discussed the fact that the Supreme Court actually established the cybercrime courts via a Memorandum Circular issued last November 2016. This circular operationalized the provision in the Philippine Cybercrime Prevention Act (R.A. 10175) which provided for the creation of cybercrime courts in the Philippines. The SC circular mandated that all the courts previously designated as commercial courts would serve as cybercrime courts as well.

Dr. Atty. Noel G. Ramiscal lecturing at IBP Iloilo September 5, 2017

In the 2016 draft DOJ Manual on the Investigation of Cybercrime and Related Cases (the “Draft Manual”), which had been sent to the SC for approval, but which is still pending there, the Draft Manual gave the judges power to issue search and seizure orders concerning electronic data “upon probable cause in connection with a specific offense to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the things to be seized” (Rule 3, Sec. 4).

Some lawyers who attended Dr. Ramiscal’s lecture at IBP Iloilo Chapter, September 6, 2017

The law enforcement authorities are mandated to “make an initial return to the judge who issued the warrant, together with the inventory of the items seized, including the hash values of the computer storage medium where the seized data are stored” (Rule 3, Sec. 4, c). There is no specific provision in the Draft Manual as to the definite time when the police must actually submit the initial inventory of the e-data seized to the court. What the Draft Manual does provide is for the allowance for the police to seek for a one time 30 day extension, in cases where the time allotted to conduct forensic examination and analysis is not sufficient, subject to the partial submission of those already completed and provide a justifiable reason for the request of such extension (Rule 3, Sec. 4, c). Within 48 hours after the expiration of the extension, the police is required to “make the full return of the warrant and deposit with the Court all computer data, including content and traffic data, examined” (Rule 3, Sec. 4, e).

Some lawyers who attended Dr. Ramiscal’s lecture at IBP Iloilo Chapter on September 6, 2017

What is most objectionable about this Rule, which I brought to the attention of the Iloilo IBP lawyers is this:

The Court shall ascertain that the hash values submitted during the initial return and the full return are the same and intact to ensure the integrity of evidence were preserved (Rule 3, Sec. 4, e).

When I read this, I could not believe what the Draft Manual is trying to or making the judge do, to the detriment of the rights of the accused and the interests of fair play and truth!

For those unfamiliar with the subject, a digital hash is defined by the Draft Manual itself as:

Hash value. – refers to the result produced by a mathematical algorithm that pertains to a digital information (a file, a physical disk or a logical disk), thereby creating a “digital fingerprint” or “digital DNA” for that information (Rule 1, Sec. 6, g).

How does one determine a “digital hash”?

Since the digital hash of a piece of an electronic data is mathematically obtained from the contents of such data through hashing algorithms, a cyber judge must be familiar and must know how to use hashing algorithms, like MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm), SHA256, and others to compute for the hash value of an e-data. These are facilitated through the use of software and different computer programs. The Manual does not specify which hashing algorithms will be used by the police.

WHY THE DRAFT MANUAL’S PROVISION IS OBJECTIONABLE:

Since the Draft Manual obligates the cyber judge to check the initial and final hash values per electronic data, it is not clear what the Draft Manual would exactly require of judges.

Cyber judges can just compare the initial and final hash values per electronic data submitted by the police that can be presented in paper or electronic format. For example, let us say that the e-data involved is the phrase “The text inside these quotes” which has a SHA-256 hash value of: 96b26f6cc52edd91cd52ac5baa1a802f4ff04daab07a308f0b2e897cc807e4bb. The cyber judge would just have to compare the initial and final returns submitted to him/her per character. I submit however that this is objectionable from the most basic sense of fairness and justice accorded to the accused by the Constitution and our procedural and substantive due process rules.

Preclusion of Raising Valid Legal Objections by the Defense Counsel

The judge, in giving his/her imprimatur to the hash values submitted by the police would actually preclude the defense counsel from objecting to the soundness of the hashing algorithm used, or even the integrity of the e-data hashed. It is still possible that two different pieces of e-data would have the same hash value, thereby producing what is known as a “collision”. This is because no hashing algorithm is fool proof from cryptanalytic attacks.

No Judicial Certitude that the Hash Values Pertained to Same E-Data

Since the judge would not be looking at the content of the e-data itself but only on the digital hash, the judge would not be able to ascertain if the same e-data was hashed in the initial and final returns submitted by the police. The defense counsel would also encounter a seemingly insurmountable barrier to showing that the hash values submitted by the police pertain to different e-data, because the judge already made the determination by implication that the initial and final hash values of the e-data submitted by the police pertain to the same e-data.

The Toll On the Judge’s Time and Court Resources

The only alternative to this case is if the cyber judge (to assure him/herself that these characters are the actual hash values of one and the same specific e-data) would know how to run, and must actually run the SHA-256 algorithm on the e-data itself to compute for the hash value of the e-data and compare the result or checksum with the initial and final hash values in the returns of the police.

If this alternative is the one required by the Draft Manual, then it presents technical and logistical feasibility issues which can cause undue delays in the arraignment of people who were already arrested and clogging of court dockets in cybercrime courts.

The Draft Manual erroneously limited the digital hashing to the storage medium of the e-data. For those in the know, “every piece of evidence found on the disk image must be hashed. In an investigation, everything you have done must be able to be replicated by another person, and this is done via hashing. If you find a zipped file containing photos on the suspect’s disk image, the zipped file and each of the photos must be individually hashed. Think of it this way: anything you look at and anything you present as evidence must be hashed. Otherwise, there is no way for the court to verify that you did not alter the evidence in some unknown way” (WinHex Tutorial).

This alternative asks too much of the cybercrime judge’s time and abilities and court resources, including computational resources. The Judge must be trained to know how to run the different types of hashing algorithms depending on the hashing methods used by the police.

The judge will also be required to hash each piece of e-data submitted by the police to compare with their initial and final returns. This might be workable if the e-data is quite small or few. But what if the relevant e-data consists of several terabytes of e-data found on different e-devices, and those sourced from the cloud? The judge might spend too much time on these matters to the detriment of active cybercrime cases in his/her sala.

Finally, this alternative would actually make the cyber judge pre-judge or predetermine several matters about each specific e-data that he/she hashed, which may include the content and source of the e-data, and the integrity of the e-data. These again, can constitute insurmountable barriers to the defense in presenting evidence that contradict these matters.

Dr. Atty. Noel G. Ramiscal having dinner with IBP Iloilo Officers & staff, SC MCLE Monitors, & Congressman Neri Colmenares on September 5, 2017

The Judge is Transformed from an Independent Arbiter of Truth to the Prosecution’s Tool

Ultimately, in whatever scenario this plays out, the requirement that the cyber judge must “ascertain that the hash values submitted during the initial return and the full return are the same and intact to ensure the integrity of evidence were preserved” makes the judge nothing but a mere tool for the prosecution.

The Draft Manual automatically co-opts the judge to do the work of the prosecution to the great disservice of procedural and substantive due process and the rights of the accused.

PHILIPPINE LAWBYTES 131: WARNING: The DICT, CHED, NTC, NBI, BSP, PhilHealth, DOH, IPOPhl and the Supreme Court websites are not secure! (Copyright by Dr. Atty. Noel G. Ramiscal)

In line with my ongoing exposes of different websites of government agencies and government owned and controlled corporations (GOCCs), it bears noting that the requirement of securing, including encrypting websites that may store and collect personal e-data from visitors, and from members can be traced back (though dubiously) in this provision under the Philippine Data Privacy Law, passed in 2012:

Requirement Relating to Access by Agency Personnel to Sensitive Personal Information.

(3) Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission [Sec. 3]

On my lectures on cryptology which I had delivered to many fora since 2012, I had pounced on the inadequacy of this law which limited the purpose of encrypting e-data for “off-site access”.

The National Privacy Commission issued the Implementing Rules and Regulations (IRR) of this law over four years after its passage. The IRR stated:

NPC shall…issue guidelines on security measures for…encryption [Sec.9,a.1, Rule III]
Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission [Sec. 31, b.b.3, Rule VII]

Personal Information Controllers (PICs) are required to protect data by providing “Technical Security measures such as data encryption, during storage and while in transit” [Sec. 28., d, Rule VI]

The IRR improved on the law by requiring encryption of e-data by PICs not on the basis of off-site access, but during the e-data’s storage and while such e-data is in transit, which would cover e-data stored in online repositories like websites that are accessed by users from all over the Internet.

In its Memorandum Circular issued last October 16, 2016, the NPC provided:

SECTION 8. Encryption of Personal Data. All personal data that are digitally processed must be encrypted, whether at rest or in transit. For this purpose, the Commission recommends Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate encryption standard.

In my book “Cryptology: The Law and Science of Electronic Secrets and Codes”

Cryptology Book of Dr. Atty. Noel G. Ramiscal

I expound on the different types of cryptographic technologies and why and how technologically savvy people and entities do not limit their cryptographic measures to one type, due to the needs of different types of e-data. This should be obvious to those who are familiar with encryption technologies.

In this case however, the NPC’s Circular recommended the AES 256 encryption as the standard encryption apparently for all types of e-data. While the wisdom and feasibility of this recommendation by NPC is debatable, insofar as personal information controllers like government agencies are concerned, this is the LAW or standard by which their data encryption measures will be measured by.

Due to this, I have decided to evaluate some of the more crucial websites of government agencies and GOCCs that impact on the economic, educational and social welfare of millions of Filipinos and test them in accordance with the NPC standard using the two most popular browsers: Mozilla Firefox and Google Chrome. I utilized the same methods I expounded on in my GSIS and Pag-Ibig exposes.

Since the NPC is the vanguard of e-data protection, it is no wonder that its website epitomizes to some extent the encryption standard it set. Google Chrome found its website secure:

NPC Secure Website Google Chrome picture taken by Dr. Atty. Noel G Ramiscal, October 16, 2017

Mozilla Firefox found its website secure and the contents fully encrypted:

NPC Secure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

NPC Secure Encrypted Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The Department of Information Communication and Technology

The greatest disappointment is the Department of Information Communication and Technology (DICT) website which both browsers found insecure! Google Chrome:

DICT Insecure Website Google Chrome picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

DICT Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

DICT Unencrypted Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The DICT is supposed to be the leader in setting standards for cybersecurity, which should include the security of its website and its contents. Its “Philippine National Public Key Infrastructure Time-Stamping Authority – Time-Stamp Policy / Practice Statement (PNPKI TSA-TSP/PS)” recommended “sha256WithRSAEncryption” for digital Signatures. It should know the encryption standards required for securing its website. This is indeed gravely scandalous and must be rectified.

The Commission on Higher Education

I chose to look at the Commission on Higher Education (CHED) because it has a partnership with DICT and the CHED website houses a lot of important e-data on the stakeholders of higher education. But its website did not pass the test.

Google Chrome:

CHED Insecure Website Google Chrome picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

CHED Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

CHED Unencrypted Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The National Telecommunications Commission

Another crucial agency is the National Telecommunications Commission (NTC) which is at the forefront of technological developments. But it too did not follow the NPC standards for its website!

Google Chrome:

NTC Insecure Website Google Chrome picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

NTC Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

NTC Mozilla unencrypted website picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The National Bureau of Investigation

The National Bureau of Investigation’s website has been deemed to be insecure and unencrypted by both browsers which is quite disconcerting because the NBI is the agency that spearheads the investigation of cybercrimes!

Google Chrome:

NBI Insecure Website Google Chrome picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

NBI Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

NBI Mozilla unencrypted website picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The Bangko Sentral ng Pilipinas

The Bangko Sentral ng Pilipinas (BSP) with all of its pronouncements and requirements on security and encryption on banks and other financial institutions has apparently not heeded these when it came to its website which is deemed insecure by both browsers!

Google Chrome:

BSP Insecure Website Google Chrome picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

BSP Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

BSP Unencrypted Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

PhilHealth

The PhilHealth website which houses a lot of important sensitive e-data that pertains to its members has been found to be insecure by both browsers. Mozilla Firefox found that it is partially encrypted as well.

Google Chrome:

PHILHEALTH GOOGLE CHROME Insecure Website picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

PHILHEALTH MOZILLA Insecure Website picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

PHILHEALTH MOZILLA Partially Unencrypted Website picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The Department of Health

The Department of Health (DOH) website is quite crucial because it imparts a lot of important information to the Philippine populace pertaining to health and medical issues, including crises and warnings, that should not be placed in danger of being altered or modified in any way. But the two browsers found its website insecure.

Google Chrome:

DOH GOOGLE CHROME Insecure Website picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

DOH Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

DOH Unencrypted Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Intellectual Property Office of the Philippines

I chose to look at the Intellectual Property Office of the Philippines (IPOPHIL) website due to the important e-data it houses that impact on the intellectual property of millions of Philippine stakeholders. But its website has also been deemed as insecure.

Google Chrome:

IPOPHIL Insecure Website Google Chrome picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

IPOPHIL Insecure Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

IPOPHIL Unencrypted Website Mozilla picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

The Supreme Court of the Philippines

Finally, the Supreme Court of the Philippines website is a repository of vital information pertaining to cases and documents that impact on the rights and liberties of Philippine citizens, and a list of all admitted lawyers to the Philippine Bar. However, its website evidently suffers from insecurity as found by both browsers.

Google Chrome:

SC Insecure Website GOOGLE CHROME picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

Mozilla Firefox:

SC Insecure site Mozilla Firefox picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

SC Unencrypted site Mozilla Firefox picture taken by Dr. Atty. Noel G. Ramiscal, Oct. 16, 2017

How can the hundreds of thousands of personal information controllers in the Philippines be expected to comply with the data privacy and security requirements of R.A. 10173 if some government agencies and GOCCs like those above could not even get the e-data security requirements right of data subjects?