Lawbytes 213: The First Responders’ and Survivor’s Training in Electronic Evidence on Online Sexual Harassment and Violence in the UP Cebu System, Copyright by Dr. Atty. Noel G. Ramiscal

The University of the Philippines Cebu System (UPCS) reached out to me, through its Office of Anti-Sexual Harassment (OASH) Coordinator, the very dedicated and brilliant Atty. Archill Nina F. Capistrano, to deliver two training seminars for the First Responders to victims of sexual harassment and offenses under the Safe Spaces Act. This undertaking I learned, had been planned since last year by the OASH, the Gender and Development Office, and the Office of Student Affairs. The premise of their program is to capacitate anyone, be it a student, faculty, administrative employee or official of the UPCS, to adequately respond to the needs of any UPCS constituent who had been victimized by sexual harassment, in real or virtual time, who comes out to them, for help and assistance, or simply for comfort and understanding.

UP Cebu First Responders’ & Survivors’ ASH Training Poster April 22 2022

In the past seminars I have conducted for different government agencies, private corporations, as well as higher education institutions, the training was always geared for lawyers, HR practitioners and other professionals who might actually be dealing with issues related to sexual harassment in the workplace. The genius stroke in the UPCS program is its inclusivity, which is something that should be mandated across all workplaces and educational institutions all over the Philippines.

One of the training seminars I conducted for the UPCS was last April 22, 2022. In order to contribute something of true value to the UPCS program, I decided to, first, concentrate on electronic evidence collection, which is something that I know Gender and Development (GAD) or Anti-Sexual Harassment (ASH) seminars given by various training providers in the Philippines do NOT provide.

Second, I decided to include in my training seminar, the very essential aspect of addressing the electronic evidentiary interests and needs of the survivors. I have successfully won all the anti-sexual harassment cases I have filed for my clients who are the survivors, and I can honestly say that no training of this nature is given to survivors that I am aware of.

UP Cebu First Responders’ Anti-Sexual Harassment Training Slide

One of the very crucial things that should happen in order to have a successful survivor-first responder (FR) relationship is the building of trust. Survivors would only volunteer information to the FR, if they feel they can trust the FR, with their reputation and their lives. This can only happen if the FR is non-judgmental and can absolutely keep the sacrosanct duty of safeguarding the confidentiality of the information given to them by the survivor.

I emphasized at this point that, as I have found in my own experiences with my clients, the process of collecting, gathering and piecing the electronic evidence can be therapeutic and empowering for the survivors. It provides them with a way of taking control of the situation, taking back their self-respect in realizing that they were not responsible for the abuse they suffered, and directing the narrative against the offender.

Dr. Atty. Noel G. Ramiscal Title Slide Powerpoint UPCebu presentation

One important form that I have actually used in documenting online abuses is the Technology Log-in Abuse Form (TLAF), which can take the form of an Excel spreadsheet, or even a diary of the survivor. What is important is that no matter what form it takes, the documentation would include all the relevant details of the abuse/harassment/violence committed by the offender, like the technology used, the context and the content of the offending act, the date and time stamps, and other relevant metadata.

The amount of documentation would obviously depend on the type of the electronic evidence and the relevance of such evidence. I showed the participants different types of electronic evidence and some of the protocols of introducing and presenting these pieces of evidence in administrative disciplinary tribunals like the Committee on Decorum and Investigation (CODI), which must rule on these cases using the “substantial evidence” standard.

Dr. Atty. Noel G. Ramiscal UP Cebu FR Survivor Training ASH1st2022 Random Group Photo

I stressed several times that the survivor’s right to data privacy must be respected relative to the electronic data that are present in the electronic devices that may be subjected to examination by the CODI. The FR can help the survivor determine in the first instance, what maybe the types of electronic evidence that are possible for presentation, and the CODI members can inform the survivor, during the hearing that s/he must only present electronic data that are vital in helping the CODI decide the validity of his/her case. For instance, if the electronic evidence consisted mostly of text messages, the survivor must present not merely the content and screenshots of the most offending text message/s sent by the offender. The survivor must present the entire conversation between the offender and her/him, which might consist of several/many text messages. It is also important for the survivor to present the screenshots of these text messages with the date and time stamps. The number of the mobile device from where the messages originated, which can be attributed to the offender, can also be presented via a screenshot of the directory from the survivor’s mobile phone.

The CODI has no lawful right to demand from the survivor the examination of the entire electronic data in the survivor’s mobile phone. This would exceed the relevancy requirement, and it could also allow the offender access or knowledge to information that s/he might use later on to further harass or wreak damage to the survivor.

One of my recommendations is that aside from a lawyer, an I.T. person should be part of the CODI when electronic evidence is material to the investigation. This I.T. person must be knowledgeable about the technical standards and protocols for collecting electronic data so that s/he can advice the CODI on essential matters like when can an electronic data be considered to have been altered, tampered with or spoliated.

Dr. Atty. Noel G. Ramiscal Certificate of Appreciation from UPCebu April 22 2022

Kudos, and utmost gratitude to Dr. Clement C. Camposano, the OIC Chancellor for the UPCS, Dr. Patricia Anne G. Nazareno, the Vice Chancellor for Academic Affairs of the UPCS (who both declared my lecture “cutting edge” in their signed Certificate of Appreciation), and Atty. Capistrano for giving me this opportunity to share an important part of my advocacies. Thank you to Mr.  Michael Andrew Galorio, and the TLRC, who took care of the technical requirements for the seminar. Of course, a great shout-out to all the students of Atty. Capistrano, all the other students from UPCS, their respective tribes, the faculty members from some colleges and members of the public who viewed the event via Zoom and FaceBook Livestream. It has been my privilege to share these with all of you. God Bless Us!

Philippine Lawbytes 212: Data Security and Privacy Breaches, Malicious State Actors and Cyber Warfare, Copyright by Dr. Atty. Noel G. Ramiscal

Last March 25, 2022, I had the great privilege to open the Mandatory Continuing Legal Education (MCLE) seminars of the University of Cebu Law School (UCLS) for the 7^th Compliance period, with my lecture on “Protecting Personal and Financial Data from Theft, Privacy and Security Breaches” for the 108 lawyers/attendees via Zoom. This was quite especial because the UCLS is celebrating its 20^th Anniversary this year.

Dr. Atty. Noel G. Ramiscal University of Cebu MCLE lecture March 25, 2022

For this undertaking, I had to apprise every one of the very real cyber threatscape looming over the Philippines. In 2020, more than 7,000 Philippine companies encountered ransomware attacks, and that web threats in the Philippines increased more than 59 percent to some 44.4 million detections in 2020, compared to the year before, according to a Kaspersky report. From January to June of 2021, cyberattacks on Philippine government agencies and the private sector numbered to 5,608,320 (STATISTA, https://www.statista.com/statistics/1268283/philippines-amount-of-cyberattacks/). In the first quarter of 2022, cyberattacks have been revealed against Smartmatic-TIM last January 2022 and the Senate actually conducted a hearing last March 17, 2022. Converge also notified the NPC, last March 10, 2022 of a data privacy breach on its GoFiber app that affected its customers.

The Introductory Slide of Dr. Atty. Noel G. Ramiscal’s University of Cebu MCLE Lecture Powerpoint Presentation

To counter such attacks, I discussed the importance of putting security first in our daily transactions and work ethic. It is unfortunate that the Philippines, like other countries, appear to prioritize data privacy over data security, in terms of its legal framework and the way these two concepts are operationalized and implemented. While data privacy is considered a legal issue, data security is viewed mainly as a technical and business issue. But the reality is, data privacy cannot be achieved without first establishing data security, not the other way around. So it is very important, to have the right kind of people at the helm of an organization’s I.T. infrastructure and operations, implementing and enforcing proper security measures, like encryption, strong passwords, multi-factor authentication, proper backing up of copies of e-data, backing up the back-ups of those e-data copies, applying early and regularly, security patches, and most importantly, educating all the officials and employees about their observance and responsibility for doing the reasonable cyberhygiene practices that can prevent data breaches, particularly at this time, when many people work from home, outside the relative secure confines of the organization’s network system.

It is very important, for organizations, including law firms to be up to date on data security practices. I explicated on why, for example, virtual private networks (VPNs) are considered on the way out, and why the concept and implementation of “Zero Trust Network Access” (ZTNA) should take its place, with the primary objective of properly containing data security threats. For the very first time, I discussed and distinguished between two types of ethical hacking that are not tackled in data security MCLE lectures for lawyers: penetration testing and red teaming. I delved in detail as to what the qualifications these ethical hackers should have, the methodologies they should know, the content of their evaluation report, and the obligations they must comply with, in respect to the organization that hired them to test the network infrastructure and applications this organization utilizes.

The resplendant and brilliant Atty. Josh Carol Ventura giving the Introductory Remarks for the UC MCLE 7th Compliance Period March 25, 2022

One very crucial point that I made is the fact that Philippine law firms of whatever size are attractive targets of hackers for the very rich trove of information they have about their clients. Hackers have used social engineering tactics like phishing and spear phishing to make lawyers, their employees and clients download malware, or click on links to scammy sites that make them reveal important personal information. One of the tips I gave the attendees is to never reveal in their websites or social media accounts the names of their clients, particularly those who are quite prominent, or those in the I.T. industry, or discuss the cases they are handling which involve the sovereignty and claims of the Philippine government.

Aside from rogue employees who would betray their employers’ secrets in the caverns of the dark web, an unfortunate reality that we all must deal with is the presence of malicious state actors that engage in cyberattacks for espionage, IP rights theft, money heists, and lately, ransomware. A cautionary tale I presented was the NanHaiShu malware, a Remote Access Trojan (RAT) that was spread as a file attachment in spear phishing email messages that targeted the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm which was involved in a dispute centering on the West Philippine Sea. enSilo, which investigated the malware, named the Chinese cyber espionage group called the Advanced Persistent Threat (APT) group 10 as responsible for the attacks.

In my February 11, 2022 MCLE lecture for the Legal Management Council of the Philippines, I dissected, as one of the case studies I presented, the Bangladesh Bank heist, and presented never before seen evidence (certainly not in an MCLE lecture) as to the real hackers behind the heist which siphoned of US$81 million from the bank, through various conduits that included the Jupiter branch in Makati, of the RCBC. The heist had been attributed to the Lazarus group, affiliated with North Korea.

In the ongoing war by Russia against Ukraine, the Russian government of course had resorted to its army of hackers, as part of its military campaign. The Microsoft Threat Intelligence Center (MSTIC) reported this year that it detected a malware installed on devices belonging to “multiple government, non-profit, and information technology organizations” in Ukraine. The software, named DEV-0586, and attributed to Russia, was designed to look like ransomware, but it does not have any recovery feature. The MSTIC reported that the malware was programmed to execute when the targeted device was powered down. It was reported that the malware would overwrite the master boot record (MBR) and all the files with certain extensions from a predetermined list, which would delete all data contained in the targeted files.  Even if one paid the ransom, one would not be able to retrieve any data. So its destructive purpose is laid bare. Due to the fact that this type of malware cannot be contained within the boundaries of Ukraine, it is therefore imperative that all of us must be extra careful in opening emails and attachments from unknown sources.   

Prior to the new normal, I had given several MCLE lectures for the UCLS, and special lectures for their students, as well as students from other law schools in Cebu. One thing that struck me with UCLS is, its commitment to excellence and it has an academic culture that values integrity and top notch research. It is therefore an honor to be part of the endeavors of UCLS in bringing relevant and current matters of interest to the Cebu legal community, so thank you to Atty. Stephen Yu for inviting me. It was also such a pleasure to see and hear the resplendent and brilliant Atty. Josh Carol Ventura give the introductory remarks. The vivacious Atty. Lorenil Archival moderated the whole event.

A random photo from Dr. Atty. Ramiscal’s UCMCLE lecture with wonderful comment from a UCMCLE participant, March 25, 2022

To all the MCLE attendees, thank you for giving me a truly gracious and warm reception and for your wonderful comments about my lecture! And to UCLS, Congratulations on your 20^th Anniversary and many, many, more decades of Excellence to Come! God Bless Us Always In All Ways!