Mr. Paul Biteng has consistently maintained that he informed COMELEC by an email through its website regarding the vulnerabilities he found on the COMELEC website, specifically the Precinct Finder, through Structured Query Language (SQL) injections. Even in his interview with “Tech in the Province” last November 23, 2020, posted in YouTube, he was adamant that he gave that email, but the COMELEC never responded. He posited that it was because of that email, that he was the one arrested last 2016 for the COMELEAK hacks.
The surprising thing in this case was the revelation by Atty. Alcantara that the defense was not given access to the electronic evidence in the e-devices and Mr. Biteng’s Gmail account that the law enforcement agents seized.
The production and presentation of the email message was crucial to the cases and should have been done by the law enforcement agencies and the prosecution. The email message should not only have contained the actual content but all the metadata that is present in the Gmail account of Mr. Biteng that was seized by the NBI. All emails will contain in their metadata the originating IP address and the destination IP address. These are automatically generated in email systems. The examination of the IP addresses was crucial so as to establish if COMELEC lied about not getting the email warning of Mr. Biteng, or if Mr.Biteng was actually telling the truth.
Access to the e-data, particularly in the email account of Mr. Biteng was crucial to his defense, because it could prove exculpatory. Thus, the State’s refusal was legally unwarranted and actually defeated the right of the accused to present a proper defense. Access to e-data by the accused that is in the sole custody of the State, is a fundamental component of the accused’s constitutional right to Due Process.
There is also the fact that one of the e-devices that the police had in their custody, which definitely did not belong to Mr. Biteng, had an IP address that was confirmed by a DOST ASTI expert to have been assigned to the NBI. This alone is sufficient to raise doubts about the charges against Mr. Biteng, and actually give credence to the belief that Mr. Biteng was just a “fall guy”.
And most importantly, it must not be forgotten that the cybercrime cases charged against Mr. Biteng stem directly from the Data Privacy violations that the National Privacy Commission (NPC) adjudged the COMELEC, in particular, one of its former top officials, Juan Andres D. Bautista, to be guilty of, and has in fact, recommended his criminal prosecution to the DOJ.
The NPC decision on the COMELEC data breach underscored Mr. Bautista’s “lack of appreciation” of the principle that data protection is more than just implementation of security measures. The decision decried “(t)he lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos.” The NPC unequivocally stated that a “head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action”. Thus, the NPC concluded that the “wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence”.
The NPC decision cited Mr. Bautista as having “violated the provisions of Section 11, 20, 21 and 22 in relation to Section 26” of the same law. Section 26 of the Data Privacy Act, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine from P500,000 to P4,000,000. Section 36 accords additional penalties when the offender is a public officer, consisting in the disqualification from public office for a period equivalent to double the term of criminal penalty” [see In re: Investigation of the security incident involving COMELEC website and/or data processing system, NPC Case No. 16-001, 28 December 2016].
Given all these facts, it would be reasonable to ask why did the State expend valuable government resources including the Judiciary’s, prosecuting Mr. Biteng for three years, the person who is apparently the most innocent of all in this matter, who merely warned the COMELEC?
But the ultimate issue that needs clarification is, what has happened to the NPC recommendation that the disgraced and impeached (by the House of Representatives) Mr. Bautista be prosecuted for the alleged data privacy violations he committed against the personal identifying information of the Philippine electorate he allegedly failed to safeguard? There appears to be no current news about his prosecution or trial for what the NPC had characterized then as “the worst recorded breach on a government-held personal database in the world”.