Lawbytes 114: Why the Supreme Court’s legalization of Spamming should be overturned and what the NPC, DCIT and the NTC should do [Part 2] Copyright by Dr. Atty. Noel G. Ramiscal

In this Part, I state the reasons that I have advanced in my lectures for different stakeholders in the Philippines, why the Supreme Court’s February 11, 2014 decision legalizing spamming is erroneous and deleterious to the online, personal and even economic well being of the targeted victims of spammers.

There are different kinds of spams. Unsolicited commercial communications sent through emails are the original and popular manifestations of spam. Spams sent through instant messaging services are denominated “spims”. Spams that appear through text messaging or “push messaging” are also known as “smishes”.

In my April 11, 2016 MCLE lecture for UP IAJ, and my August 12, 2016 MCLE lecture for the Department of Foreign Affairs lawyers and foreign service officers, I gave the example of a lawyer who was suspended for spamming and eventually disbarred for other reasons in the U.S. Known as a “father” of spamming, Laurence Canter sent emails advertising his immigration practice to several thousands of individuals and Internet groups in 1994, when there was as yet no law prohibiting spamming. He was found guilty of violating legal ethical prohibitions on law advertising and misrepresentation since he was not a certified immigration law specialist. He received a one year suspension of his law license in Tennessee which he was made to serve concurrently with disbarment for his other infractions that included writing bouncing checks, neglecting cases and conversion of his clients’ funds.

Dr. Atty. Noel G. Ramiscal’s DFA MCLE LECTURE, August 12 2016

In my lectures for different Integrated Bar of the Philippines (IBP) Chapters last year and this year, and for the UP IAJ and ACLEx, on the topics of electronic evidence and in cybercrimes, I discuss how spams which contain seemingly innocent messages, can be the vehicles for malware and fraudulent e-scams. Scams can be the carriers of malicious codes or attachments that contain viruses, worms or Trojan horses.

Dr. Ramiscal at ACLEX MCLE lecture, July 22, 2016

Spam messages are sent in phishing scams. The U.S. Department of Justice defines phishing as the “creation and use of e-mails and Web sites–designed to look like e-mails and Web sites of well-known legitimate businesses, financial institutions, and government agencies–in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames or passwords.” In one type of phishing scam that I showed in my August 3, 2016 lecture for the Bank of Philippine Islands officers and employees, which involved a bank, the professional looking email emulated the bank’s correspondence style and logo and placed a link on a rogue bank site which, when clicked would ask the user to enter their bank password and other log-in details to steal the funds of the user. These spams used in spear phishing scams target specific groups of individuals whose email addresses have been collected or compromised and can be quite convincing.

The National Privacy Commission (NPC), the Department of Communication Information Technology and the National Telecommunications Commission (NTC) must seriously consider this matter.

From the perspective of the privacy advocate, spams are tangible manifestations of wrongful use of personal e-data, e.g., names, email addresses, and bank memberships that are harvested by search engines, crawlers, trawlers of ISPs, online social networks, and electronic databases, which are used and maintained by e-data aggregators, which sell these data, or by blackhats that steal these data to launch their attacks.

Spams are visible expression of manipulation of personal e-data since they are targeted to predefined unsuspecting recipients whose personal e-data had been processed, without their consent. Furthermore, spamming is proof that the personal information of a data subject had been breached without the data subject’s consent.

In the hands of botmasters, who have command of thousands of compromised computers called zombies, spams sent by zombie PCs can be the means of unleashing a distributed denial of service (DDoS) attacks on specific targets for the right price. When this happens, a targeted account or user would not be able to read or even access his/her emails, since the spams can be so voluminous as to clog the target’s email system. In this case, the right to read emails, even unsolicited ones, which the Supreme Court upheld to be a constitutional right, would be denied to the target, due, ironically, to the unsolicited spams!

Dr. Atty. Ramiscal in one of his MCLE lectures for the IBP Leyte

The Philippine Supreme Court’s position on this matter is truly contrary to the position in other jurisdictions. For instance, the drafters of the Cybercrime Convention did not specifically nor expressly named spamming as a cybercrime. But they viewed it as a form of illegal interference that could fall under Article 5 of the Convention on “System Interference”. Spamming is considered a form of “computer sabotage” where the sending of data to a particular system in such a form, size or frequency is such that it has a significant detrimental effect on the ability of the owner or operator to use the system, or to communicate with other systems. U.S. courts have ruled that sending spam in quantities that place unreasonable burdens on e-mail networks constitutes a type of DDoS attack [See for example, CompuServe. Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015, 1022 (S.D. Ohio 1997); and White Buffalo Ventures, LLC v. Univ. of Texas at Austin, 420 F.3d 366, 377 (5th Cir. 2005).

The invalidated Section 4(c)(3) of Republic Act 10175 contained conditions against spamming which are tailored to prevent the sending of harmful malicious ads that can bring viruses, in which the addressee has no option to opt-out once they open the email. The Supreme Court should have analyzed those conditions first before concluding erroneously that all unsolicited ads are legitimate forms of expression.

From the foregoing, the blanket characterization by the SC that unsolicited spams are legitimate manifestations of the constitutional freedom of expression is legally indefensible, void of technical validity and lack jurisprudential support from other jurisdictions. Spams that harm computing systems by clogging access to email accounts, or used as the means to “phish” for personal information to the detriment of the recipient, or as the vehicles for computer viruses and malware are not, and should not be considered legitimate forms of constitutionally protected speech.

In what is probably the height of cruel irony, any spammer now can have a cause of action against Philippine entities that prohibit spamming, and any spammer that uses spam to commit DDos attacks, or phishing scams, or ID theft, can justify the legality of their actions and escape criminal liability because of the Philippine Supreme Court decision.

Dr. Atty. Noel G. Ramiscal with DFA Office of Legal Affairs, Exec. Dir. Atty. Leo Ausan Jr.

The newly constituted NPC and the DCIT, and the NTC, with the assistance of all concerned citizens should seek for a declaratory relief, or any other form of relevant relief, to overturn this invalid decision that could had, or could still wreak disastrous mischief and havoc on the personal information of millions of connected Philippine “data subjects”.

Dr. Atty. Noel G. Ramiscal at the DFA, August 12 2016 with Atty Arevalo and AttyFSO Donna F. Gatmaytan

As always, my deep heartfelt gratitude to all the MCLE providers, organizers, lawyers, universities, students, IT professionals, other professional organizations and stakeholders who have given me the opportunity and the platform to spread the gospel and my advocacies on Cyber Law to the different parts of the Philippines!

Some BPI employees who attended Dr. Ramiscal’s AUGUST 3 2016 lecture

Some BPI employees who attended Dr. Ramiscal’s AUGUST 3 2016 lecture

Special acknowledgment to: the BPI LEADr, BPI University, Attys. Lito Viniegra and Paul Ysmael, Esq. Dennis Soto, and Mr. Roberto Mercado and all the wonderful BPI officials and employees; the UP IAJ, Prof. Patricia Daway, Atty. Armand Arevalo, Ms. Mabel Perez, Ms. Evelyn Cuasto, Ms. Zen Antonio, and all the amazing staff; The ACLEx and its President, Mr. Roberto Borromeo, the gorgeous CEU School of Law Associate Dean, Atty.Ritalinda Jimeno, and Mr. Alex Canata; The IBP National, IBP Bulacan, IBP CALMANA, IBP Laguna, IBP Leyte, IBP Negros Oriental, IBP Lanao del Norte, IBP Batangas, IBP Misamis Oriental, IBP Nueva Vizcaya, IBP Nueva Ecija, IBP IBP Cavite, IBP PPLM, and all their splendid officers and helpful staff; The Globe Telecommunications officers and lawyers; The Department of Foreign Affairs lawyers and Foreign Service Officers, particularly their Executive Director for the Office of Legal Affairs, Atty. Leo Tito Ausan Jr., and my truly fabulous UST and UP schoolmate, Atty. Donna Celeste Feliciano Gatmaytan! Mabbalo! Dios ti Agnina! Daghang Salamat! Salamalaikum!

LAWBYTE 100: THE RIGHT AGAINST SELF-INCRIMINATION IN THE MIDST OF CYBER INNOVATIONS, Copyright by DR. ATTY. NOEL G. RAMISCAL

The dizzying pace of technological developments, particularly in software and machines that could capture or be embedded with sensors that can record and analyze human information, or data that could be collected from human subjects without any apparent intrusion or awareness of their subjects, is an enormous legal challenge for privacy and human rights activists, as well as for lawyers who have to contend with various sources of electronic data and their presentation in judicial or quasi-judicial bodies. Dr. Atty. Noel G. Ramiscal brought this to the fore in his several Mandatory Continuing Legal Education (MCLE) lectures for different chapters of the Integrated Bar of the Philippines which included the Parañaque, Pasay, Las Piñas and Muntinlupa, the Nueva Vizcaya and the Iloilo chapters.

IBP PPLM VP Atty. Paul Alcudia introducing Dr. Atty. Noel G. Ramiscal, September 4, 2015

In the cyberage, the electronic data privacy right and the right against self-incrimination of a human being are two different rights that are interrelated due to the fact that they arise from a human source. The Philippines has a Data Privacy law (R.A. 10173) that was passed in 2012, but for more than three years now, this law has not been implemented through any Implementing Rules and Regulation. The National Privacy Commission the law created lies inutile under the Office of the Philippine President. Even if the law appropriated money for its establishment, it has yet to be operationalized. This has had a deleterious effect on industries that rely on data processing and data management, including the BPOs. What is more, there is no guidance coming from the Executive, Legislative and Judicial branches of the government as to the proper appreciation and handling of sensitive personal information that includes health information and other pieces of information, that are processed in multifarious electronic devices, which in the wrong hands could lead to the damage and injury of the person affected.

Dr. Atty. Noel G. Ramiscal’s MCLE Lectures for IBP PPLM

An instance of a potential evidentiary question would arise in considering whether or not certain pieces of data generated by, or culled from human beings, are testimonial in nature, and thus could be subject to objections based on the right against self-incrimination.

Consider pattern locks in mobile phones and other devices that rely on certain hand movements known only to the users, which are tied to algorithms that these devices recognize, which result in their operation. Could these be in the same category as passwords or decryption keys, which in several U.S. cases have been determined to be “products of the mind”, and thus give the arrested person the right to object to their production?

Many e-devices like tablets and PCs are equipped with facial recognition software. They are opened by the user exposing his/her face to the device. It could be argued that a person subject to an arrest warrant, and whose e-devices are subject to a search warrant cannot deny the police his/her face to open the e-devices which could expose his/her criminal activity, the argument being the face is not a testimonial piece of evidence. Like a thumbprint, it is a mere biometric lock that reveals nothing by way of a “testimony” or evidence that is not already known by the police.

However, what about technologies that scan not merely the face, but the data about the regions of the face’s temperature, eye blinks, heart rates, body movements, to spot deceptive or suspicious behaviour (most of which are beyond the observation capacity of the police), and based on these, provide law enforcement agents with cause to arrest a person? These “pre-crime” technologies are now utilized in airports and even in employment situations.

Some of the IBP PPLM lawyers who attended Dr. Ramiscal’s lectures, September 4, 2015

But probably the most exciting and horrifying technological developments (depending on how one looks at it) center on machines that could actually read and print the thoughts of a person’s mind. This might not be a far- fetched possibility given the advances made on functional magnetic resonance imaging technologies.

As of now, these interesting issues have not been resolved, nor even apparently discussed in the Philippine setting. It is thus the mission of Dr. Ramiscal in his lectures to bring these issues to the attention of the lawyers, who may in the future be able to help resolve the evidentiary and Constitutional rights quagmires these technologies bring. Dr. Ramiscal would like to thank the IBP National, and the IBP PPLM, IBP Nueva Vizcaya and IBP Iloilo and UP IAJ for this opportunity given to him. Especial thanks to Atty. Paul Alcudia, the noble and kind IBP PPLM VP, and one time classmate of Dr. Ramiscal in UP Law, and to all the beautiful and supportive lawyers of IBP PPLM!