Criminal Mind and Legal Thought: Escape from Grey
The 21st century, as we know, has progressed dramatically in the advancement of technology. Before, we only had phones that could only send and receive text messages. That was not the only limitation, though: storing short messaging system (SMS) texts was also limited in the 90’s. Even if you could save messages, you couldn’t save all the messages you wanted. The only threat that might come up was a scam, which would still require your own actions after being tricked by another user. Later, different companies came up with different types of phones with special features, from gaming to photography, to playing and creating music, to internet browsing. The most advanced are smartphones that can operate under water and are dust proof, freeze proof and shock proof. But this, as far as we are concerned, covers only their external aspects and basic functions. It’s almost endless! It gets even more complicated and advanced when it comes to navigation and security: these phones may pinpoint your exact location using global positioning satellites (GPS), Wi-Fi connections and built-in navigation systems in the form of applications or widgets. The advancement of technology does not mean stronger security systems, though; computer experts whose aim is to prejudice the owners of such gadgets will always find ways to hack and take advantage of you in whatever form. The past 25 years, at least, have given us examples of what black hat hackers can do to the prejudice of your system, your belongings, the government and, worse, the whole world. To see a clearer picture, let us not mistake all hackers as bad per se. White hat hackers can do such things too, but not to one’s prejudice. One group, for example, takes down the webpages of some private corporations and even some governments. The group, collectively known as Anonymous,[i] has done so in the call for humanitarian causes, to wit, causes for education and calls for higher wages for workers.
They are also known as hacktivists, a term coined from the words hacker and activist. Since they work in a decentralized state, the group has hacked on the international stage, from the United States to Egypt and various other countries.
The general rule when the internet was introduced was not to give any real information about yourself. Why? Because of the fraudulent acts of persons who use the internet as a medium for consummating a crime, more or less. The problem now is how these actions can be sanctioned given a vague atmosphere. This is where laws are created, so that we can determine whether the actions of these users fall into the category of a crime or not. As such, the Philippine Congress has created Republic Act 10173, also known as the Data Privacy Act of 2012. The law, however, has only just been created; what is lacking are actual cases that may result in jurisprudence. The idea now is for us to come up, theoretically speaking, with cases that may lead to the improvement (more or less) of the said law. There are no actual cases yet, and if cases do arise, it would take years for the Supreme Court to come up with jurisprudence. Hence, the simulation in theory of cases that could possibly come up in practice comes into play.
To further illustrate, I’ve structured my framework on Hegel’s so-called Triadic Structure,[ii] though not absolutely. Some people might have heard of the words thesis, antithesis and synthesis in this concept. To wit, the thesis in this case will be the law introduced (the Data Privacy Act), and our antithesis will be the cases that we’ve come up with in simulation, which in essence would negate some parts of the thesis, so that we will have to come up with our synthesis, improving flaws that might arise in the future.
Law and Critique
The 1987 Constitution, particularly the Bill of Rights, states:
The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.[iii]
These rights are very important to an individual and may be further elaborated through the words of Justice Cruz in one case:
“One of the most precious rights of the citizen in a free society is the right to be left alone in the privacy of his own house. That right has ancient roots, dating back through the mists of history to the mighty English kings in their fortresses of power. Even then, the lowly subject had his own castle where he was monarch of all he surveyed. This was his humble cottage from which he could bar his sovereign lord and all the forces of the Crown.
That right has endured through the ages albeit only in a few libertarian regimes. Their number, regrettably, continues to dwindle against the onslaughts of authoritarianism. We are among the fortunate few, able again to enjoy this right after the ordeal of the past despotism. We must cherish and protect it all the more now because it is like a prodigal son returning.”[iv]
To introduce the law: Republic Act 10173, also known as the Data Privacy Act of 2012, protects your personal information in information and communications systems. In other words, in regulating personal information, the law draws the line on whether your personal information has been violated, whether inside or outside of the country. Here are some grey areas that have been simulated through careful analysis of the law, which may lead to obscure, if not doubtful, conclusions when making decisions on the theoretically simulated cases and the questions at hand. The Data Privacy Act provides the following:
Sec. 3 (b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.[v]
First case: it should be understood that registering, filling in personal information, or merely signing up to create an online account should be equated with consent itself, and not just mere consent, because there is an added overt act in the course of the process. Regarding consent, we may further consider, from the view of legal concept, that to create an account, the terms and conditions of the website used must be complied with and agreed to. Admittedly, most of us, in our haste, would just click through the terms and conditions laid down, only to utilize the services provided.
What if disclosing your personal information to the members was part of the terms and conditions? Surely, the company acquired your consent, not just in the thought of agreeing but also in the overt act of clicking the button. Third persons may now harness information from you with easier access and without fault.
Sec. 3 (i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.[vi]
Second case: there is a great possibility that the person holding this position may, more or less, be kicked out of the current job. What about it? The person’s knowledge of the systems is great and may be used to attack them in different ways. Prior to leaving the office, he may install spyware that directs information to his accounts even when he no longer has a grasp of the systems in the future, or he could simply adjust the security systems to leave them vulnerable to the public. In line with this, the same law states:
Sec. 20. Security of Personal Information.
(a) The personal information controller must implement reasonable and appropriate organizational, physical, and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.[vii]
With the cases mentioned above, since personal information controllers are liable when personal information has been lost from their custody, who in this case might be liable? The former, through accessing information from within the office upon leaving? Or the latter, who has just assumed authority over this personal information? There might be a possibility of two (2) decisions, but determining solely who is liable leaves us in doubt as to which of the two (2). Clearly the former would not fall under Sec. 31 of the said law, for he is no longer an employee; it states that:
Sec. 31. Malicious Disclosure – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her.[viii]
Sec. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:
(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;[ix]
Third grey area formulated: this requires the elements of time and extraterritoriality, regardless of the concepts of the English and French rule. Since the said law only applies when the personal information acquired involves a Philippine citizen or a resident, what if a person is undergoing the process of citizenship, and that person’s personal information was acquired and had already been disclosed to the public prior to becoming a Philippine citizen? To sum up the facts, lastly, the information was acquired in the place where the person actually came from. So, for the Courts to tap into jurisdiction, there must be at least a limited scope and application of retroactivity in this case. Clearly, the person whose personal information was acquired falls under this section; should the person be tried, this would give way to an ex post facto law or a Bill of Attainder.
Sec. 13. Sensitive Personal Information and Privileged Information – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured;[x]
Fourth case in mind: an individual suffering from seizures has a roommate who happens to become a Medical Doctor. Since the Doctor has such pity for his roommate, who experiences near death experiences (NDE) every month, he decided to access his roommate’s personal information. After in-depth research, they found out that the only cure that effectively reduces the seizures is Medical Marijuana, specifically what is called Charlotte’s Web. The Doctor showed this to his roommate, which led the roommate, desperate to cure himself, to purchase the said cure. Will the doctor be held to have violated such information? If not, will he be charged with a crime? Will he be violating the Hippocratic oath against himself? Will he be held as an accomplice in the purchase of Medical Marijuana?
Sec. 16 (7) The period for which the information will be stored[xi]
There was one question that is still not clearly answered. In a segment from National Geographic in the year 2013, a very few had the opportunity not just to ask a question out of mere curiosity but also to actually be in the video, which was played during commercial breaks back then. The most important question, which is still stuck in my mind, is “What is the lifespan of an information or an electronic data?” Information Technology experts may not yet have concluded on this, but data deleted from your computer to your Recycle Bin is not actually gone; what’s more shocking is that even when hard drives are reformatted, there’s still a possibility that your information may reappear.[xii] In line with this, how sure are citizens who have given their information to these information processors that their information is actually out of the system? This is also good news for people who have accidentally deleted some files; it is actually proof that deleted files may be recovered from the Recycle Bin.
Outside the Law
With further analysis, the grey areas theoretically created are still not enough, but we have come to identify some points where the law has flaws. Considering that coming up with these took little time, an in-depth analysis of this law would surely lead us to more questions about it. Another problem is that not all laymen are into computers; where some are, it is only with regard to basic utility. Also, bridging the gap between law and information technology would need a helping hand from Information Technology experts, lawyers, or both. Since the golden age of Social Networking has arrived, Congress should also tap into this sphere to acquire more jurisdiction. This scope has only introduced us to the Law within Philippine jurisdiction. The realms of private information and social networking are slowly integrating, to the point of equating the two without distinction. This is not the only case: society is evolving fast, but technology with greater speed. Congress must carefully craft, not necessarily another law, but a redefinition of the law to cope with the factors mentioned. Information can now travel halfway around the Earth in the span of an hour through Social Networking. Another problem may arise in this medium. Say, for example, you share from your profile account: your virtual friends have the capacity to harness this information and actually spread it to third persons, and your consent was actually consummated the moment you posted it. Hence, third persons have obtained your consent, with your common friend becoming the medium. One important thing is that once you’ve posted your personal information, it does not only travel from computer to computer; each copy shared and received actually has its own lifespan. Once the information has been acquired and saved, it has in effect replicated itself, so your act of deleting the original, which came from you, has no effect.
Once you are done reading this, you will have realized how much information from different Social Networks has been published and/or has traveled. You might also find that, upon reading this, you start restricting some information on your profile accounts. One last situation brings up a question, since younger generations are much more active than we are in Social Networking, hacking and the like. This has come to mind: what if a violation were committed by a child, and the effects were really prejudicial not only to an individual but to the economy of a whole regional bloc, or it manipulated the radio- and information-controlled military of superpowers? It may sound insane, but this has actually been done by high profile black hat hackers. If one person can do this, there is greater power when it is done by an organization. This should be taken into account. As we’ve mentioned earlier, hacking, as Anonymous does it, is not always evil. Informing further on fraud should also be considered, as that is what white hat hackers do; where there is no way to negate a norm other than taking down the site, this should be justified as a form of protest or strike, say against big corporations oppressing their workers.
[i] We Are Legion – Story of the Hacktivists (2012), by Brian Knappenberger
[ii] Hegel for Beginners (1996), by Lloyd Spencer and Andrzej Krauze
[iii] Art. III Bill of Rights, 1987 Constitution of the Philippines
[iv] Josefino Roan v Honorable Romulo T. Gonzales, Presiding Judge, Regional Trial Court of Marinduque; Branch XXXVIII; The Provincial Fiscal of Marinduque; The Provincial Commander. PC-INP, Marinduque (G. R. No. 71410)
[v] Data Privacy Act (R. A. 10173)
[xii] Hard Drives Dumped; Your Information Isn’t (2003), Larry Magid