Supreme Court Idol brings you the Cybercrime Law oral arguments last January 15 as you never saw in the traditional media. Only here: Benchslaps, doctrinal slips, Justices’ jokes and gravitas-laced lawyer answers like you never saw in law school recitation.
All this plus Rep Neri Colmenares’ trademark line: “I’m not very good at the Internet.”
Rodel Cruz had a spectacular run.
He gave a textbook-perfect presentation of why the government should not be able to block or restrict websites or other data with a mere “prima facie” finding by the Department of Justice. He reopened the Estrada v Sandiganbayan debate on the “facial challenge” began by Constitutional Law god UP Law Dean Pacifico Agabin in 2001, with peer deities Justice Vicente V. Mendoza and then Justice Reynato Puno on the bench. Cruz used precise technical jargon and the right case citations.
Cruz also came out of questioning largely unscathed, using the questions on exceptions to unreasonable search doctrine from Justices Roberto Abad and Diosdado Peralta to beautifully set up his own position. Cruz appeared to falter only before a barrage of questions from Justice Marvic Leonen, and only when he was being cut off while speaking or with analogies that were trickily phrased.
(For example, Leonen stumped him by asking whether moving packets of data should be treated like moving cars, a modern exception to the Constitution’s search warrant requirement. This is a trick question, however, because we deal with non-moving servers and cables, not moving packets of data.)
Could longtime UP cyberlaw professor Jose Jesus “JJ” Disini measure up?
If Supreme Court Idol were baseball, JJ hit a home run every time he went to bat.
Moment #29: Justices fail to ask difficult questions
Disini took a craftily different approach.
While Cruz gave a powerful, concise opening speech complete with the correct highly technical legal jargon and case citations, Disini appeared deceptively superficial, speaking in the simplest language and citing only one case.
Disini likely anticipated that he would need to convince the Justices on the nuances of technology, not advanced legal doctrine. Beginning with Senior Associate Justice Antonio Carpio’s analogy to a phone bill, Disini received exactly the questions he wanted: Analogies regarding technology in non-legal language.
However, Disini set up the arena so shrewdly that he completely steered the Justices away from heavy legal doctrine and lost his chance to rebut the Solicitor General’s likely arguments.
For example, no Justice asked Disini whether there is really no search when traffic data is collected under the Cybercrime Law. Disini invoked the right to privacy, and no Justice probed regarding the related right against unreasonable search, which contains the Constitution’s search warrant requirement.
Had a Justice convincingly shown that the data collection involved is not technically a “search” that requires a search warrant, Disini’s case would have disintegrated.
One wonders if the UP Law professors in the cast would still be smug were their own Constitutional Law professor, the legendary Justice Vicente V. Mendoza, still on the bench to show how a real interrogation is done.
WINNER: Legendary retired Justice and UP Law Professor V.V. Mendoza
Moment #30: Disini tells Carpio traffic data is more than a phone bill
Senior Justice Carpio’s previous questions were simple but brutal intellectual attacks against the Cybercrime Law. He set up the perfect straw man for Disini to pummel by asking: Does the law not merely say, “give me your phone bill, just blacken your name and your address?”
Disini attacked the lack of a search warrant requirement for the real-time collection of “traffic data” under Section 12 of the Cybercrime Law, which reads:
“Section 12. Real-Time Collection of Traffic Data. Iraw enforcement authorities, with due cause. shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system.
“Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities.
“All other data to be collected or seized or disclosed will require a court warrant.
“Service providers are required to cooperate and assist law enforcement authorities in the collection or recording of the above-stated information.”
In his opening speech, Disini framed his attack solely under the right to privacy. He argued that Section 12 cannot withstand the “strict scrutiny” mandated by the landmark decision Ople v. Torres (1997). He emphasized “traffic data” is defined very broadly as anything other than the content of messages and the identities of the parties involved.
Disini correctly answered Carpio that “traffic data” clearly goes beyond the basic data one expects to see in a phone bill.
For example, he outlined that a mobile phone bill contains the numbers of people one calls, call durations and the type of service (such as voice or data) involved. It does not, however, “specify the particular cell site from where the call originated,” showing rough location, or show other data, such as data on calls received or smartphone apps used.
He outlined that Internet traffic data is even more revealing, showing the websites one visits and length of time spent in each. Section 12 all but places a Big Brother beside a citizen as he uses the Internet, revealing interests and patterns that would normally be secret. Disini added that a person’s Internet behavior would likely be different if he believed he was being monitored.
Disini emphasized that the level of surveillance under the Cybercrime Law is from “a vantage point never before possible in human history.”
Moment #31: Disini argues citizens expect data to be private
Senior Justice Carpio let Disini establish the breadth of Section 12’s term “traffic data,” then asked the seemingly rhetorical question, what is illegal about collecting all this data?
“What is legally wrong with that?” Carpio asked. “Do they have the right to ask you for your phone bill without a court order? Okay, they cannot seize that from you without a search warrant. They cannot get it from you without violating your right to privacy.”
Carpio slyly preempted the Solicitor General’s likely argument that obtaining traffic data is not a “search” that requires a warrant under the right against unreasonable search, but akin to observing what appear in plain view.
Disini continued without missing a beat.
“In the case of real time collection of traffic data, you are unaware.” Not only is the term traffic data broad, there is no requirement to inform a subject that he is under surveillance unless a warrant for “content data” is obtained. Disini stressed there is no obligation to examine data for a limited period only, to use the data for the purpose claimed by a law enforcer or to destroy data if it will not be used as evidence in prosecution.
Disini then opined that there is a reasonable expectation of privacy to the data in the Philippines. He argued, “The Solicitor General claims that, citing US jurisprudence, there is no reasonable expectation to privacy with respect to traffic data. I believe the case cited is not applicable in this jurisdiction.”
The Justices declined to delve into doctrine, however, and no one grilled Disini on the case he mentioned.
Disini, in contrast to Colmenares’ inflexible stances, readily conceded that the State has the power to examine traffic and content data. What he is arguing is the need for “judicial intervention and supervision of the State’s ability to engage in these types of surveillance.” Various kinds of data, he stressed, reveal many things a citizen has the right to expect will be private.
He presented himself perfectly as a reasonable and objective law professor, not an advocate pushing his argument to the hilt.
Moment #32: Disini argues traffic data reveals identities and patterns
Disini stressed that traffic data is broadly defined as everything but messages’ content and the parties’ identities. However, the broad information can be used by law enforcers to discover parties’ identities.
Carpio asked whether one can easily find out who the owner of a phone number is once one has the number.
Disini readily agreed. One can search for the number on the Internet or enter the number into an Internet service and see if the owner comes up as a user of that service. (He gave the example of Cheetah.com, where persons register their numbers to get promotions.) One can even call the number.
In a later reply to Chief Justice Maria Lourdes Sereno, Disini highlighted that traffic data will precisely be used to determine the identity of an unknown Internet user. The Solicitor General used the example of a hacker, Disini said, and traffic data will be used to attempt to tie an identity to a hacker’s IP address from his Internet connection.
Carpio and Disini then discussed how traffic data can establish patterns, especially with people’s identities determined. Law enforcers, for example, can determine who a person talks to most often and for the longest times in a period.
Disini explained to Sereno that under the US Patriot Act, law enforcers also conduct surveillance on target associates and relatives. There is an off chance, for example, that the target might use someone else’s phone. Under Section 12, it is up to law enforcement agencies to determine the scope of surveillance.
In his opening speech, Disini also argued that real time traffic data collection can now be automated and is relatively cheap. Law enforcers have thus never had the combination of wide discretion and technology that Section 12 presents.
Moment #33: Disini tells Sereno that ‘due cause’ is undefined
Chief Justice Sereno asks the obvious but crucial question: Does anyone know what “due cause” means, which is Section 12’s requirement to collect traffic data without a search warrant.
Disini argued that he could not find a “stable meaning” for the phrase “due cause” in existing laws and Supreme Court decisions. “Without a stable standard,” he argued, “the law enforcement agency will engage in real time collection of traffic data based on their belief of the reasonableness of the collection.”
The standard’s exacerbated the danger of evading judicial scrutiny. First, the lack of a warrant requirement for traffic data means neither the target nor any judge is notified of the surveillance. Second, even if data collection is discovered, it is too easy for a citizen to stop pursuing the case if collection is stopped or data collected is destroyed.
Moment #34: Disini argues government collection of content hard to stop
Disini raised in his opening that Section 12 covers even private networks which do not have the technical capability to compile traffic data. Operators of such networks, even the Supreme Court’s, would have to cooperate or face obstruction of justice charges.
Disini thus argued that the government would have to develop systems for collecting data from such networks. A law enforcer’s conscience would be the only barrier between the collection of traffic data, which does not require a warrant, and the collection of content data, which does. Disini argued for a single standard for all data collection, a judicial warrant.
Chief Justice Sereno returned to the point and asked if there is any assurance that a law enforcer with no warrant will collect only traffic data.
Disini reiterated that there are no such assurances in the Cybercrime Law and real time collections of traffic data may turn into content investigations. Disini recalled the example where the US Federal Bureau of Investigation engaged in real time collection of traffic data to determine the source of anonymous threatening e-mails received by a lady in Florida. When an account belonging to US Central Intelligence Agency Director David Petraeus was found to be involved, the FBI agents investigated the content, fearing his account was compromised. The investigation uncovered a draft folder in the e-mail account where Petraeus and a paramour exchanged intimate messages (these were left in the draft folder that both accessed but were not sent to avoid an obvious e-mail trail), and the affair’s discovery led to Petraeus’s resignation.
Sereno then asked if, assuming the government builds its own systems to gather data, there is a way of monitoring whether only traffic data is being gathered.
Disini reiterated that this is not reflected in the law’s wording. However, he stated, it might be possible depending on how such systems are built.
Moment #35: Abad asks big question: No privacy for envelope in mail?
Justice Abad asked the most important question of the day, although it was easily missed.
He asked Disini to confirm his understanding that data travels around the Internet in packets, enclosed in a wrapper with a header and a footer. The information in the wrapper tells a computer what data is contained and how to fit the packet with others.
(The oral arguments shed interesting light on how older Justices perceive the technology involved and relate technology we now take for granted with jurisprudence on older technologies. Rodel Cruz, for example, ran into some technical difficulties in his attempt to explain to a Justice that there are now beneficial computer viruses.)
Abad then asked Disini if traffic data is not analogous to the address information on the envelope sent to the post office. While a law enforcer is not given access to the content, he can readily check the name and address written on the envelope, and Abad argued that there is “no right to privacy in what you write outside the envelope.”
This was crucial because Abad was really asking Disini a simplified version of the Solicitor General’s comment, based on an article by Harvard Professor Orin Kerr. (Justice Leonen earlier asked Cruz about the article even though it was in a portion of the Solicitor General’s comments to be covered by Disini. Leonen did not ask Disini to comment on Kerr’s article, however.)
Disini likely wanted to be asked the question the way Abad phrased it and debunked the analogy. He argued that there is a reasonable expectation that the post office will use the non-private information on the envelope solely to deliver the letter, and that it will not collect data on who a person has been writing to and on what dates.
Abad pressed Disini, asking if traffic data is not something a sender voluntarily discloses and thus has no reasonable expectation of privacy over.
Disini argued that there must be a reasonable expectation of privacy in data one transmits. If Abad’s argument is accepted, it would mean no one would have any expectation of privacy over data transmitted to someone else.
Justice Leonen later picked up the point and Disini reiterated: “Yes, there is a reasonable expectation of privacy. The standard is a subjective one. E-mail messaging, your Honor, is notorious. I tell people that it is the equivalent of a postcard, and they are surprised. Why? Because as far as they are concerned, they understand e-mails to be secure and not subject to the prying eyes of administrators. And so precisely your Honor, there is a subjective belief, possibly an erroneous one, that there is a reasonable expectation of privacy.”
Moment #36: Abad asks whether the law is valid due to national security
Justice Abad then asked about national security. He asked if it is not legitimate for government to monitor traffic data, for example, to filter appearances of the word bomb in messages to detect potential terrorists.
Disini reiterated his position that such might be legitimate if authorized by court order. He noted that under the Anti-Terrorism Act, law enforcers may apply to the Court of Appeals for authorization to conduct surveillance on suspected terrorists and are required to surrender data collected under seal to the court.
Disini summed up, “If the Cybercrime Prevention Act would impose similar safeguards, I believe it would pass constitutional muster.”
Disini then reiterated that the scale of data collection contemplated could not be compared to the real world. For example, should the government want to conduct similarly extensive surveillance on Disini without his knowledge, they would need to assign multiple officers and vehicles, possibly supported by helicopters. In comparison, if the government builds systems to collect traffic data on persons, the incremental cost to add memory to such a system is very low.
In his opening, Disini emphasized that the right to privacy has been recognized as fundamental and mandates strict scrutiny in reviewing alleged violations of privacy. To pass this scrutiny, the government must demonstrate a compelling interest and use means narrowly drawn to address the problem.
Disini argued that the Solicitor General implicitly conceded that Section 12 could not pass this scrutiny, as his comment encouraged Congress to enact more robust procedural safeguards; at a minimum, to enact warrant requirements.
Disini ended his opening by reminding us to “believe that privacy is a vital ingredient to liberty. Without privacy, we are not free.”
The inexorable march of technology, he ended, threatens privacy and liberty. “To permit these rights to be trampled upon in the name of fighting cybercrime is offensive to democracy itself.”
He reiterated the danger as that of a government that can “engage in unparalleled surveillance of hundreds if not thousands of citizens simultaneously.”
Moment #37: Disini tells Reyes implementing rules will not fix the law
Justice Bienvenido Reyes, in his first question of the day, asked Disini whether the apparent lack of safeguards can be cured in implementing rules and regulations.
Disini said such would be an undue delegation of legislative power. Such a crucial portion of the law, he in effect argued, can only be provided by Congress itself.
Disini elaborated that in addition to a general requirement to have a warrant, Congress might allow an expedited process for emergencies to allow data to be collected subject to later disclosure by court order.
Justice Leonen opined in response that the government needs to be equipped for modern technological contexts, as approval in the Court of Appeals will not move as quickly as packets of data. He noted that hackers, for example, actively try to conceal their identities unlike ordinary citizens. They will never introduce themselves, “Hey, I’m Anonymous Philippines.”
Disini responded that the burden on government remains the same.
Moment #38: Disini distinguishes limits on government and companies
Justice Leonen then asked: “Amazon collects private information routinely, is that not correct?”
Disini responded, with the consent of its users.
Justice Leonen pressed: “Are the users really aware of the algorithms used by Amazon” to reveal their preferred books and products?
Disini submitted that if Leonen meant cookie information, then perhaps not.
Leonen then asked if people know that Google collects information on its users.
Disini conceded no, especially if they are signed in.
Leonen then summed up, is it not all right for private entities to collect such information and engage in things such as spam, commercial activities and perhaps even “commercial speech?”
(The choice of term “commercial speech” is curious because it is a special free speech term that had no relevance to Disini’s presentation. I wonder where he wanted to go with the term.)
Disini correctly clarified that he was not saying it was all right. He merely emphasized that the Constitution regulates government collection of data, not that of private entities.
Leonen then argued, the “State should come in to regulate these kinds of activities.”
Disini’s riposte was perfect: “Indeed it does, your Honor, under RA 10173, the Data Privacy Act.”
Disini did even better. He added that if the Solicitor General recognized that certain statutes such as the law on the secrecy of bank deposits can create a zone of privacy, he proposed that that the Data Privacy Act create a similar zone for personal data.
Moment #39: Disini and Leonen debate the proper balance
Justice Leonen then went into policy and proposed that the term “traffic data” represented Congress’ choice of balance between the needs of law enforcers and Internet users. Trying to be more specific, he argued, might make the law obsolete soon after it is signed, given changing technology.
Leonen asked, “In other words, isn’t due cause enough? Then allow the courts, the regulators the flexibility to find the balance?”
Disini replied: “Given it is a standard that is not known, it is insufficient to protect the right to privacy, your Honor. Citizens have a right to expect that their activities are not monitored by the State. Section 12 provides no protection at all, your Honor. The only requirement is that a law enforcement officer is satisfied that there is due cause. It may be subject to judicial review later, but perhaps your Honor, by the time the first case is filed, thousands of people would have been affected.”
Leonen deviously laid a law professor’s trap for Disini with a perfectly reasonable sounding argument regarding balance.
Disini spotted the flaw in the trap. Given the lack of a warrant requirement, courts will not necessarily have the opportunity to review collection of traffic data. Theoretically, law enforcers could use traffic data to lead them to other evidence, and the traffic data might never need to be presented to judges.
Moment #40: Disini argues effects of striking down Section 12
Justice Leonen then asked how vulnerable are Internet users in the Philippines to all various evils such as hacking, phishing, malware. Disini cited studies by companies such as Symantec evidencing the risk is substantial.
Leonen thus asked what the impact of striking down the portion of Section 12 allowing the collection of traffic data would be, given these risks.
Disini responded that law enforcers may still seek judicial authorization to collect data.
BONUS: Leonen discusses UP Law professors’ potential stalking
Justice Leonen argued that the government needed enhanced tools to keep up with the times, particularly hackers who actively try to conceal their online identities compared to ordinary citizens.
He outlined to Disini that to obtain information on persons decades ago, one would try to talk to that person’s acquaintances. Now, he said, one could rely on Google, Wikipedia, Facebook and Twitter to form a good profile of a person.
Leonen then asked Disini to confirm that such methods were also used by law professors.
Before Disini could answer, Leonen added: “You have the right to remain silent.” – Rappler.com
(Check out JJ Disini’s Cybercrime Law seminar at www.disini.ph/legalforum)
Oscar Franklin Tan (facebook.com/OscarFranklinTan, Twitter @oscarfbtan) teaches Constitutional Law in the University of the East. His article, “The Complete Philippine Right to Privacy (82(4) Phil. L.J. 78, 131 (2008))” outlines the breadth of Philippine “public figure” doctrine. He spoke at his Harvard Law School graduation, chaired the Philippine Law Journal, and holds the University of the Philippines record for legal writing awards won (including one for Internet libel and another for Internet jurisdiction.)