Lawbytes 114: Why the Supreme Court’s legalization of Spamming should be overturned and what the NPC, DCIT and the NTC should do [Part 2] Copyright by Dr. Atty. Noel G. Ramiscal

In this Part, I state the reasons that I have advanced in my lectures for different stakeholders in the Philippines, why the Supreme Court’s February 11, 2014 decision legalizing spamming is erroneous and deleterious to the online, personal and even economic well being of the targeted victims of spammers.

There are different kinds of spams. Unsolicited commercial communications sent through emails are the original and popular manifestations of spam. Spams sent through instant messaging services are denominated “spims”. Spams that appear through text messaging or “push messaging” are also known as “smishes”.

In my April 11, 2016 MCLE lecture for UP IAJ, and my August 12, 2016 MCLE lecture for the Department of Foreign Affairs lawyers and foreign service officers, I gave the example of a lawyer who was suspended for spamming and eventually disbarred for other reasons in the U.S. Known as a “father” of spamming, Laurence Canter sent emails advertising his immigration practice to several thousands of individuals and Internet groups in 1994, when there was as yet no law prohibiting spamming. He was found guilty of violating legal ethical prohibitions on law advertising and misrepresentation since he was not a certified immigration law specialist. He received a one year suspension of his law license in Tennessee which he was made to serve concurrently with disbarment for his other infractions that included writing bouncing checks, neglecting cases and conversion of his clients’ funds.

Dr. Atty. Noel G. Ramiscal’s DFA MCLE LECTURE, August 12 2016

In my lectures for different Integrated Bar of the Philippines (IBP) Chapters last year and this year, and for the UP IAJ and ACLEx, on the topics of electronic evidence and in cybercrimes, I discuss how spams which contain seemingly innocent messages, can be the vehicles for malware and fraudulent e-scams. Scams can be the carriers of malicious codes or attachments that contain viruses, worms or Trojan horses.

Dr. Ramiscal at ACLEX MCLE lecture, July 22, 2016

Spam messages are sent in phishing scams. The U.S. Department of Justice defines phishing as the “creation and use of e-mails and Web sites–designed to look like e-mails and Web sites of well-known legitimate businesses, financial institutions, and government agencies–in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames or passwords.” In one type of phishing scam that I showed in my August 3, 2016 lecture for the Bank of Philippine Islands officers and employees, which involved a bank, the professional looking email emulated the bank’s correspondence style and logo and placed a link on a rogue bank site which, when clicked would ask the user to enter their bank password and other log-in details to steal the funds of the user. These spams used in spear phishing scams target specific groups of individuals whose email addresses have been collected or compromised and can be quite convincing.

The National Privacy Commission (NPC), the Department of Communication Information Technology and the National Telecommunications Commission (NTC) must seriously consider this matter.

From the perspective of the privacy advocate, spams are tangible manifestations of wrongful use of personal e-data, e.g., names, email addresses, and bank memberships that are harvested by search engines, crawlers, trawlers of ISPs, online social networks, and electronic databases, which are used and maintained by e-data aggregators, which sell these data, or by blackhats that steal these data to launch their attacks.

Spams are visible expression of manipulation of personal e-data since they are targeted to predefined unsuspecting recipients whose personal e-data had been processed, without their consent. Furthermore, spamming is proof that the personal information of a data subject had been breached without the data subject’s consent.

In the hands of botmasters, who have command of thousands of compromised computers called zombies, spams sent by zombie PCs can be the means of unleashing a distributed denial of service (DDoS) attacks on specific targets for the right price. When this happens, a targeted account or user would not be able to read or even access his/her emails, since the spams can be so voluminous as to clog the target’s email system. In this case, the right to read emails, even unsolicited ones, which the Supreme Court upheld to be a constitutional right, would be denied to the target, due, ironically, to the unsolicited spams!

Dr. Atty. Ramiscal in one of his MCLE lectures for the IBP Leyte

The Philippine Supreme Court’s position on this matter is truly contrary to the position in other jurisdictions. For instance, the drafters of the Cybercrime Convention did not specifically nor expressly named spamming as a cybercrime. But they viewed it as a form of illegal interference that could fall under Article 5 of the Convention on “System Interference”. Spamming is considered a form of “computer sabotage” where the sending of data to a particular system in such a form, size or frequency is such that it has a significant detrimental effect on the ability of the owner or operator to use the system, or to communicate with other systems. U.S. courts have ruled that sending spam in quantities that place unreasonable burdens on e-mail networks constitutes a type of DDoS attack [See for example, CompuServe. Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015, 1022 (S.D. Ohio 1997); and White Buffalo Ventures, LLC v. Univ. of Texas at Austin, 420 F.3d 366, 377 (5th Cir. 2005).

The invalidated Section 4(c)(3) of Republic Act 10175 contained conditions against spamming which are tailored to prevent the sending of harmful malicious ads that can bring viruses, in which the addressee has no option to opt-out once they open the email. The Supreme Court should have analyzed those conditions first before concluding erroneously that all unsolicited ads are legitimate forms of expression.

From the foregoing, the blanket characterization by the SC that unsolicited spams are legitimate manifestations of the constitutional freedom of expression is legally indefensible, void of technical validity and lack jurisprudential support from other jurisdictions. Spams that harm computing systems by clogging access to email accounts, or used as the means to “phish” for personal information to the detriment of the recipient, or as the vehicles for computer viruses and malware are not, and should not be considered legitimate forms of constitutionally protected speech.

In what is probably the height of cruel irony, any spammer now can have a cause of action against Philippine entities that prohibit spamming, and any spammer that uses spam to commit DDos attacks, or phishing scams, or ID theft, can justify the legality of their actions and escape criminal liability because of the Philippine Supreme Court decision.

Dr. Atty. Noel G. Ramiscal with DFA Office of Legal Affairs, Exec. Dir. Atty. Leo Ausan Jr.

The newly constituted NPC and the DCIT, and the NTC, with the assistance of all concerned citizens should seek for a declaratory relief, or any other form of relevant relief, to overturn this invalid decision that could had, or could still wreak disastrous mischief and havoc on the personal information of millions of connected Philippine “data subjects”.

Dr. Atty. Noel G. Ramiscal at the DFA, August 12 2016 with Atty Arevalo and AttyFSO Donna F. Gatmaytan

As always, my deep heartfelt gratitude to all the MCLE providers, organizers, lawyers, universities, students, IT professionals, other professional organizations and stakeholders who have given me the opportunity and the platform to spread the gospel and my advocacies on Cyber Law to the different parts of the Philippines!

Some BPI employees who attended Dr. Ramiscal’s AUGUST 3 2016 lecture

Some BPI employees who attended Dr. Ramiscal’s AUGUST 3 2016 lecture

Special acknowledgment to: the BPI LEADr, BPI University, Attys. Lito Viniegra and Paul Ysmael, Esq. Dennis Soto, and Mr. Roberto Mercado and all the wonderful BPI officials and employees; the UP IAJ, Prof. Patricia Daway, Atty. Armand Arevalo, Ms. Mabel Perez, Ms. Evelyn Cuasto, Ms. Zen Antonio, and all the amazing staff; The ACLEx and its President, Mr. Roberto Borromeo, the gorgeous CEU School of Law Associate Dean, Atty.Ritalinda Jimeno, and Mr. Alex Canata; The IBP National, IBP Bulacan, IBP CALMANA, IBP Laguna, IBP Leyte, IBP Negros Oriental, IBP Lanao del Norte, IBP Batangas, IBP Misamis Oriental, IBP Nueva Vizcaya, IBP Nueva Ecija, IBP IBP Cavite, IBP PPLM, and all their splendid officers and helpful staff; The Globe Telecommunications officers and lawyers; The Department of Foreign Affairs lawyers and Foreign Service Officers, particularly their Executive Director for the Office of Legal Affairs, Atty. Leo Tito Ausan Jr., and my truly fabulous UST and UP schoolmate, Atty. Donna Celeste Feliciano Gatmaytan! Mabbalo! Dios ti Agnina! Daghang Salamat! Salamalaikum!

Lawbytes 113 : Why the Bangko Sentral ng Pilipinas and Telcos are violating the Spamming Law in the Philippines [Part 1] Copyright by Dr. Atty. Noel G. Ramiscal

In my lecture tours since last year, I have been requested to dissect the many interesting and complex issues concerning different kinds of cybercrimes for different audiences. I always make it a point to discuss the interconnections between the Cybercrime Prevention Act (R.A. 10175) with the Data Privacy Law (R.A. 10173), both of which were passed in 2012. Since the National Privacy Commission (NPC) was operationalized by the past President only last March 8, 2016, and the Implementing Rules and Regulations for R.A. 10173 are still in the process of being formulated, almost after four years since this law was passed, I have apprised the audiences of the various complications these circumstances have wrought, in the light of several security and data breaches that government agencies and private businesses have suffered, with the personal identifying information of over forty million Philippine registered voters being hacked from the Commission on Elections (COMELEC) database prior to the May 2016 elections, and published on wehaveyourdata.com, a U.S. website, as a most recent reminder that personal data can be lost via official “nincompoopery” and brazen non-accountability.

But a most pressing matter that probably many people would not know about is the LEGALITY of spamming in the Philippines! Yes, Maria, Pedro, Juan, spamming is LEGAL in the Philippines. It was not always so.

R.A. 10175 actually criminalized “The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services” [Sec.4.c.(3), Chapter II]. The law however made exceptions when spamming is allowed, and these are when any of these conditions are present:
Sec.4.c.(3) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(i) There is prior affirmative consent from the recipient; or
(ii) The primary intent of the communication is for service and/or administrative announcements from the sender to its existing users, subscribers or customers; or
(iii) The following conditions are present:
(aa) The commercial electronic communication contains a simple, valid, and reliable way for the recipient to reject. receipt of further commercial electronic messages (opt-out) from the same source;
(bb) The commercial electronic communication does not purposely disguise the source of the electronic message; and
(cc) The commercial electronic communication does not purposely include misleading information in any part of the message in order to induce the recipients to read the message.
These conditions were placed in the law for the protection of both the recipients and the senders of unsolicited electronic communications.

However, in the February 11, 2014 decision of the Philippine Supreme Court in the consolidated cases of Biraogo v. NBI and PNP, G.R. No. 203299; ALAB NG MAMAMAHAYAG et al. v. Office of the President et al., G.R. No 203306; Adonis et al. v. Exec. Secretary et al., GR 203378; Disini et al v. DOJ Secretary et al., G.R. 203335; Senator Guingona III v. Executive Secretary et al, G.R. No. 203359; Bagong Alyansang Makabayan et al. v. Aquino III, GR 203407; Ateneo Human Rights Center v. Exec. Sec. et al, GR 203440; National. Union of Journalists, PPI, et al, v. Exec. Sec., GR NO. 203454; Castillo, Andres v. DOJ Sec. et al., GR No. 203454; Cruz et al, v. Aquino III, et al., GR 203469; Philippine Bar Association v. Pres. Aquino III, GR NO. 203501; Bayan Muna v. Exec. Sec., GR 203509; National Press Club v. Aquino III, GR 203515; and Philippine Internet Freedom Alliance v. Exec. Sec., et al, GR 203518, ruled that spamming is NOT illegal.

To get the full understanding of how the Supreme Court grasped the issues concerning spam, the relevant three paragraphs of its decision are quoted here:

The Government, represented by the Solicitor General, points out that unsolicited commercial communications or spams are a nuisance that wastes the storage and network capacities of internet service providers, reduces the efficiency of commerce and technology, and interferes with the owner’s peaceful enjoyment of his property. Transmitting spams amounts to trespass to one’s privacy since the person sending out spams enters the recipient’s domain without prior permission. The OSG contends that commercial speech enjoys less protection in law.
But, firstly, the government presents no basis for holding that unsolicited electronic ads reduce the “efficiency of computers.”

Secondly, people, before the arrival of the age of computers, have already been receiving such unsolicited ads by mail. These have never been outlawed as nuisance since people might have interest in such ads. What matters is that the recipient has the option of not opening or reading these mail ads. That is true with spams. Their recipients always have the option to delete or not to read them.

To prohibit the transmission of unsolicited ads would deny a person the right to read his emails, even unsolicited commercial ads addressed to him. Commercial speech is a separate category of speech which is not accorded the same level of protection as that given to other constitutionally guaranteed forms of expression but is nonetheless entitled to protection. The State cannot rob him of this right without violating the constitutionally guaranteed freedom of expression. Unsolicited advertisements are legitimate forms of expression (italics supplied, citations omitted).

This ruling as of now had not been overturned. According to the Philippine Civil Code, the decisions of the Supreme Court form part of the law of the land. Even if this decision is riddled with technical and legal errors, it is the law as far as spamming is concerned.

Dr.Atty.Noel G. Ramiscal at his lecture for the BPI LEADr and BPI University, August 3, 2016

An interesting development that I discovered in my research on, and advocacies against cybercrime, since 2015 was the Bangko Sentral ng Pilipinas (BSP) Circular issued by the BSP Deputy Governor, Nestor Espenilla Jr., last March 25, 2015, which was Memorandum Circular No. -M2015-017. It had the title “Prohibition against push messages or commonly known as unsolicited text messages”.
Banks and their subsidiaries were reminded by this BSP Circular of Sec. 4 of R.A. 10175 or the Cybercrime Prevention Act concerning the criminalization of spamming or sending unsolicited commercial messages as well as several National Telecommunications Commission’s (NTC) pronouncements including Memorandum Circular No. 03-03-2005 A, dated July 3, 2006, as amended by NTC MC No. 04-07-2009 dated July 7, 2009 on this subject. The BSP Circular even stated that the NTC circulars “protects and promotes the interest of the subscribers/end-users of public telecommunications entities (PTEs) by prohibiting content and/or information providers (CP) from sending and/or initiating push messages. A subscriber who wants to avail the services of the CPs and/or PTEs may send his written consent through correspondence, text message, internet or other similar means of communication to the PTE.”

Finally, the Circular stated that the Banks “shall remain responsible for all the violations of the aforementioned regulations and law committed by their outsourced agency/personnel”.
I apprised the lawyers and employees of the Bank of Philippine Islands in my August 3, 2016 lecture for them sponsored by the BPI LEADr and the BPI University, as well as the lawyers and foreign service officers of the Department of Foreign Affairs, last August 12, 2016 and the lawyers who attended my lecture for the UP IAJ last August 15, 2016, of this matter.

It seems apocryphal, even downright scandalous, that the BSP which has over 200 lawyers in its employ could miss the February 11, 2014 decision of the Supreme Court legalizing spamming, or the “push messages” which it viewed as “criminal” citing the same provision of R.A. 10175 which the Supreme Court struck down as illegal. In the decretal portion of the Supreme Court’s decision, the court even stated:

WHEREFORE, the Court DECLARES:

1.VOID for being UNCONSTITUTIONAL:

a. Section 4(c)(3) of Republic Act 10175 that penalizes posting of unsolicited commercial communications.

Dr. Atty. Noel G. Ramiscal”s MCLE Lecture for Globe Telecom last April 6, 2016

The BSP apparently is not alone in thinking that spamming is still illegal. In my lecture for the lawyers of the Globe Telecommunications last April 6, 2016 at their Tower in Bonifacio Global City, I apprised the lawyers that Globe Telecom’s privacy policy and fair use policy which prohibit spamming do not comport with the Supreme Court’s ruling. One of the lawyers cited the NTC Circulars which prohibit spamming. But these are not in point because they were issued way back in 2006 and 2009. Smart’s Corporate Website Terms and Conditions states: You further understand and agree that sending unsolicited e-mail advertisements to the Web site or any user of the Web site or through voice computer systems is expressly prohibited by these Terms and Conditions. Any such unauthorized use of our computer systems is a violation of these Terms and Conditions and applicable “anti-spam” laws.

Adding to the confusion is the monumental oversight by the NTC in not coming up with a clear guideline [after February 11, 2014 and up to now] that will construe and implement the Supreme Court decision for the telecommunication companies.

This is a very important issue that affects not merely the telecommunication companies, but all Philippine net denizens, whose personal identifying information could have been compromised due to some vicious spamming attacks. More on Part 2 of this series.