Digital privacy vs public security
THE #WarOnDrugs has reached a crescendo now that President Duterte has issued Proclamation No. 55 declaring a state of national emergency on account of lawless violence.
According to open-source reports, elements of the illegal drug trade have stepped up their battle against the government by establishing a partnership with terrorists and kidnap-for-ransom organizations in their efforts to distract or discourage law enforcers from doing their jobs. The bombing of a Davao City night market on Sept. 2 is a heinous sample of their criminal synergy.
Criminals today have the advantage
The #WarOnDrugs is not easy. The numbers are not in favor of our government. The 2015 Annual Report of the Philippine National Police revealed a volume of 201,010 for index crime, and 474,803 for nonindex crime, for a total of 675,813 reported crimes to the police alone.
Index crimes include reports of crime against persons like murder, physical injury and rape, as well as crimes against property, such as robbery, theft, car theft and even cattle rustling. Nonindex crimes include illegal drug use, cybercrime, physical injury and damage to property.
With regards to drug-related cases, conviction rates of criminal cases over the past five years have been poor, according to Justice Secretary Vitaliano Aguirre II. In 2015, there were 43,462 cases but only 782 convictions for a
2-percent success rate.
What is not widely publicized is that when a serious crime has been committed, every law enforcer knows that he has 48 hours to have solid leads, suspects or arrests by that time. Otherwise, the chances of solving the crime drop by half.
To add to the challenge, there are now some 101 million Filipinos. Combining all law enforcement and military personnel and all those from other government agencies, there are only about 400,000 of them.
In contrast, according to the Dangerous Drugs Board, there are roughly 1.7 million Filipinos engaged in illicit drug use. That’s 425 percent more than the number of our law enforcers and peace officers.
Rethink crime fighting
The time has come for our country to rethink the state’s crime-fighting processes and the tools required to support it. Our government needs to step back and see the big picture, to think unconventionally against enterprising criminals.
Criminals have come to be as progressive as commercial businesses in adopting technology to improve their capabilities, to be more effective and efficient in the conduct of their crimes.
For example, criminals have used the internet to conduct surveillance operations against their targets to plan out their crimes, as well as assess the net worth of victims and drug users if they are profitable targets or not.
Wikimapia or Google Maps can give criminals the ability to assess escape routes or vulnerabilities of bank branches or homes of kidnap victims, while Facebook or Instagram or Twitter can yield great information about the lifestyle patterns, family and friends, or the financial capacity of the victims. Waze can even give them the fastest escape route from the crime scene.
Most important for the criminals, however, is for technology’s ability to enable them to conspire invisibly with their members. Criminals have exploited technology to plan, communicate and commit a crime in the virtual world, meeting each other without the risk of physical presence and even share their profits, all online.
Technology: secret weapon of the state
Fortunately, technology can work for the law enforcers, too. The 101 million Filipinos have 110 million mobile devices.
Find the phone, find the criminal.
Nothing is more personal to the criminal than his or her mobile phone. The mobile phone knows more about each individual, about his secret lives more than he would care to admit, or more than what his friends or families know. A mobile phone tracks one’s activity, location, his relationship with friends or family or victims, his favorite food, political affiliation, likes or dislikes, his fears or fantasies, gender or sexual preferences, health, spending habits, travels, comments to friends and families that reveal his sentiments and social influence, his cars and home, or his fortunes and misfortunes, and can collect them all as big data.
Analyzing big data involves a process called psychometrics, enabling the measurement of mental traits, abilities and processes of the person.
Finding the phone to find the criminal means that there needs to be a continuous observation of a criminal in a place, the person or group that he or she interacts with, or any ongoing activity in order for the law enforcer to gather information about the criminal and the crime. Finding the phone means online surveillance and intelligence gathering.
Vigilance for data privacy rights
The concept of using high-tech tools for online surveillance is scary for everybody and reasonably so. Edward Snowden expressed this in Reddit succinctly: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different [from] saying you don’t care about free speech because you have nothing to say.”
Online surveillance is not a new idea or initiative, however.
Section 12 of the Cybercrime Prevention Act of 2012 provides for real-time collection of traffic data. “Law enforcement authorities, with due cause, shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system. Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities.”
In February 2014, however, the Supreme Court struck down this provision for being unconstitutional. The court explained that online surveillance was not evil by itself, but rather, the law was unclear on what “due cause” meant and that may lead to the state abusing this power, and using it as a tool for general warrantless search against anybody and everybody.
The law has been thus interpreted to be enforceable only if there is a warrant issued “with specifity and definiteness” so that our law enforcers would not be given unlimited surveillance powers. The only thing waiting now is for a criminal investigation case to test this law. That will not be too far off from today.
The Supreme Court decision is consistent with the provisions of the Data Privacy Act of 2012, which declares that “it is the policy of the state to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
“The state recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector [is] secured and protected.”
The Data Privacy Act applies to everyone, protecting “individual personal information in information and communications systems in the government and the private sector.”
At its core, this law prescribes appropriate jail time and fines for any violation against any person’s personal information, that “refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”
Sensitive personal info
It goes even further by defining sensitive personal information and then prescribing even harsher penalties. Sensitive personal information includes anything:
About an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations
About an individual’s health, education, genetic or sexual life of a person, or any proceedings for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, health records, licenses or its denials, suspension or revocation and tax returns
Specifically established by an executive order or an act of Congress to be kept classified.
However, recognizing that no human right is absolute, this law also states that it does not apply to any private or sensitive information that is “necessary in order to carry out the functions of public authority which include the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.”
Update antiwiretap law
Additionally, it is also interesting to monitor developments in today’s 17th Congress, specifically the five bills that have been separately filed by Senators Gregorio Honasan, Ping Lacson, Grace Poe and Sonny Angara. These seek to update Republic Act No. 4200, or the Anti-Wiretapping Law of 1965.
Their proposals are unified in using the force-multiplying power of technology to go after the criminals in drug-related cases and those charged with plunder, kidnapping, money-laundering, robbery, piracy, rebellion, treason, espionage, provoking war and sedition.
Privacy vs security and Equilibrium-Adjustment Theory
Obviously, zipping along the fine line between privacy and security will be challenging across an undefined and foggy cyberterrain.
To help the Philippines along, a navigational aid like the Theory of Equilibrium-Adjustment may be used by our government decision-makers. Back in 2011, professor Orin Kerr from George Washington University Law School proposed that a government balance the application of laws with the protection of human rights. This means that a government shall tighten or relax the law’s protections in response to changing technology and social acceptance.
When new technologies expand law enforcement’s capabilities, the law does (and should) respond by placing new controls on the government; when new technologies give criminals the advantage, the law does (and should) respond by loosening the government’s restraints.
Negative legal right
To complement the Theory of Equilibrium-Adjustment, the paradigm that the Data Privacy Act is just one of the regulators of our human right to privacy, must also be embraced. When one begins to realize that the law is a negative legal right (i.e. it explicitly says what we should not do with respect to the rights of another person), then one would also follow the realization that there are other previously unrecognized factors affecting our privacy rights and interests.
These structural constraints include economic and physical and technological barriers, and are associated with costs that act as nonlegal regulations. These factors are expressed by professor Harry Surden of Stanford Law School in his essay “Structural Rights in Privacy.”
Combining both legal ideas above in the context of Section 12 of the Cybercrime Prevention Act and that of the Data Privacy Act, a new guidance can be generated: If a proposed law enforcer’s online system for real-time collection of traffic data makes it too cheap (in terms of financial cost, social acceptance, technology and logical controls) for our government to collect investigation data, that otherwise would have been physically impossible or too expensive to do so, then the use of that high-tech system violates our expectations of privacy. Otherwise, it is all acceptable.
Defining and enforcing the privacy interests of the Philippines is not a one-time activity, but is a very dynamic and contentious process. To paraphrase, our country’s privacy interests is not a destination, but a journey.
Security vs security
Referring to the landmark February 2014 decision of the Supreme Court, one will realize that we are not looking at the question of privacy versus security after all. Rather, it’s actually a question of security versus security.
The question of security against criminals, or security against law enforcement abuse, maybe easier to answer. When law enforcers are empowered with “due cause” to collect or record by technical or electronic means traffic data in real-time, do you trust them that they have just reason or motive to do so?
That they will conduct their online surveillance with faithful adherence to a lawful procedure all the time? Are you hopeful that the operational risks against the abuse of the online surveillance system have proper countermeasures? Do you have confidence that the countermeasures against abuse are sufficient and correct all the time?
Until the answer is “yes” to all these questions, only then can the question of security versus security can be reliably answered.
(Drexx D. Laggui, principal consultant of Laggui & Associates Inc., conducts vulnerability assessment, internet preparation testing and computer forensics.)