A Study on Juan "spyder" de la Cruz' Case
By Franklin I. Cueto

     A computer virus released last May 4, 2000, first appeared as an "ILOVEYOU" e-mail greeting, and spread by e-mail messages, infected Asian and European computers while Americans were still sleeping. Dispersion of the virus in the United States shoot up when the workday began. It eventually crippled computer systems around the world, and according to one estimate, the virus could cause up to $10 billion in damages.

     The hacker who identified himself as "spyder" was allegedly a Filipino because embedded in the message are the words "Manila, Philippines" and the phrase "I hate to go to School ". Initially , bank em-ployee Rommel Ramores was detained by the National Bureau of Investigation as a primary suspect, but was later on released for insufficiency of evidence. Subsequently, Onel de Guzman was presented, who neither confirmed nor denied that he created the virus. De Guzman is a student of AMA Computer College who did not graduate because his password-thesis proposal was rejected as it provide means to commit cyber theft. Several other suspects were also included in the investigation, inlcuding Michael Buen, a graduate of AMA, and a key member of Grammersoft, an organization of young computer programmers and students from AMA Computer College who create and sell software to small businesses and write thesis for students.

What is exactly a "love bug"?

     The virus, technically known as a worm, is software written to spread itself automatically through e-mail or chat rooms. It can destroy or hide certain graphics, music and other files. It may also steal certain passwords and send them to an e-mail account believed to be based in the Philippines. As the virus replicates, it can also clog computer networks, causing delay and shutdowns.1

     Of the tens of thousand of known computer virus, security experts say this is the fastest to spread, partly because it does not limit its targets. David Perry at Trend Micro Inc., an anti-virus software maker, also notes "brilliant social engineering" on the part of the virus writer. Instinctively, people would open an e-mail that says "I Love You".

Access Device Regulation Act

     The virus emerged on May 4, 2000, Thursday, but a search warrant was not obtained by the National Bureau of Investigation until Monday, May 8, 2000. Apparently, investigators could not get a judge to issue a search warrant over the weekend because they could not find a Philippine law which had been violated. The NBI eventually found the 1998 Access Device Regulation Act, and so a raid was finally conducted on the strength of a search warrant issued by Manila Trial Court Executive Judge Rebecca Salvador.

     R.A. 8484, otherwise known as the Access Device Regulation Act, was passed primarily to protect consumers from scams involving devices used to obtain money, goods or services, such as credit cards or personal identification numbers. The law bans the use of access devices, including credit cards and automated teller machine cards, for fraudulent purposes. Conviction under the law carries a maximum imprisonment of 20 years and a minimum fine of P 10,000.00. Doubts as to the applicability of the said Act were put in issue, as Chief State Prosecutor Jovencito Zuno admitted that R.A. 8484 is not related to computer hacking as the law pertains to credit card fraud. According to Senator Ramon Magsaysay Jr., chief sponsor of the proposed law on electronic commerce, the NBI was wrong to use the access device law because "they may be violating citizen's civil rights".

     Although the virus was designed to shutdown computers by clogging the e-mail system, the virus also had a second purpose: when activated by a user, it attempted to fetch another program from a Website in the Philippines that would sniff through the user's computer for internet access passwords and e-mail those passwords back to an address here. Officials believe the author of the virus simply wanted to gather passwords in the Philippines, although they do not yet know whether the author wanted to sell those passwords or put them to personal use.2 In effect, the author would be charged with using stolen passwords to connect to two Manila internet service providers, and not with actually unleashing the virus, which is not specifically prohibited by Philippine law. Under Section 9 of R. A. 8484, t h e act of disclosing any information imprinted on the access device, such as, but not limited to, the account number or name or address of the device holder, without the latter's authority or permission; or obtaining money or anything of value through the use of an access device, with intent to defraud or with intent to gain and fleeing constitutes access device fraud. According to the NBI, with stolen user names and passwords, the author of the virus could have gained access to a multitude of computers, making this law applicable.

     However, the Department of Justice issued an opinion on May 19, 2000, categorically stating that Republic Act 8484, otherwise known as the Access Device Regulation Act of 1998, could not be used against the suspects. The DOJ opinion said that computer hacking was different from credit card fraud, contradicting the NBI's position that the illegal use of Internet accounts to access the web was covered by RA 8484.

RP-US Extradition Treaty

     There are suggestions that the suspected author of the love bug be extradited to the United States, which has very tough laws against computer fraud.3 The United States and the Philippines do have an extradition treaty which allows a suspect to be prosecuted in both countries. Its applicability, however, is questionable.

     The critical element in determining whether an offense is subject to extradition is: it is both punishable under Philippine and US laws. If the act in question is considered a crime only in the US but not in the Philippines, or vice versa, then the offender cannot be extradited. Extradition is defined as "the surrender by one state to another of an individual convicted or accused of having committed a crime within the jurisdiction of the demanding State for trial and punishment." It rest on the principle that a fugitive from justice should be returned to the country he fled from to answer the criminal charges against him, or, if he has been found guilty already, serve the punishment meted on him.4 In the case of the love virus author, the suspect cannot be extradited because the offense was committed in the Philippines and no laws were broken here.

Current Statutes of Other Countries

     According to a list compiled by Stein Schjolberg, a Norwegian judge active in cyber jurisprudence, thirty-seven countries now have statutes dealing with "unauthorized access" to computers and computer systems.5 Unfortunately, the laws are not uniform and there are no international treaties governing cybercrime. It is indispensable that the international community formulate a uniform law since the internet transcends national borders. Incidentally, there is now a model law drafted by the United Nations Convention in International Trade Law or UNCITRAL, from which was patterned the proposed law on electronic commerce now pending in Philippine congress.

     The applicable criminal law in US Federal law is the Computer Fraud and Abuse Act. The law imposes a $250,000 fine or a five year prison term, or both, for each offense. An offense does not merely refer to the start-up of sending the virus, but that would be for each computer that was interfered with.6 The law essentially criminalizes anyone who gains unauthorized access to computer systems. Civil actions may be initiated under state laws governing theft, violation of privacy and even stalking. It was reported that internet legislation is pending in some 17 states.

     The German government wants to make spreading computer viruses a crime. Berlin is working with its European Union partners to enact such legislation. The 41-nation council of Europe, working with the United States, Canada, Japan and South Africa, is drafting a treaty to standardize cybercrime laws. The European treaty would require countries to pass laws against hacking, computer fraud and online child pornography, and set penalties, preserve evidence and cooperate in international investigations. It must be emphasized that such a measure would o n l y be effective if instituted on a global scale.

     Several other countries, including India,Thailand and Singapore, are independently considering laws against computer crimes and electronic commerce. Singapore has Electronic Transactions Act.

Malicious Mischief

     According to the NBI, the author of the virus could be charged with Malicious Mischief, under Article 327 of the Revised Penal Code. Malicious Mischief is the willful damaging of another's property for the sake of causing damage due to hate, revenge or other evil motive.7

     When primary suspect Onel de Guzman was interviewed by the media, he neither confirmed nor denied that he created the virus. De Guzman did acknowledged he might have accidentally released the virus. The word "accidentally" is very crucial in determining Onel's criminal liability because under the Revised Penal Code, to be guilty of malicious mischief, the offender should DELIBERATELY caused damage to the property of another. It follows that, in the very nature of things, malicious mischief cannot be committed through negligence, since culpa and malice are essentially incompatible.8 Obviously, Onel had been advised by his lawyer on this aspect because it has been anticipated that the said offense will be charged against him. Nonetheless, if there is no malice in causing the damage, Onel is still liable civilly under Article 2176 of the New Civil Code. The said provision states that "whoever by act or omission causes damage to another, there being fault or negligence, is obliged to pay for the damage done. Such fault or negligence, if there is no pre-existing contractual relation between the parties is called a quasi-delict."

"Bug" the Congress

     Senate President Franklin Drillon urged the House leadership to expedite the passage of the Electronic Commerce Act prescribing heavier fines and penalties for hacking and cracking of computer systems in the country. Under Section 29 of Senate Bill No. 1902, hacking or cracking which refers to unauthorized access into or interference in a computer system/server by or through the use of a computer or a computer system in the computer or in another computer, without the knowledge and consent of the owner of the computer or system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of data messages shall be punished by a minimum fine of One hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years.

     It is unfortunate that the Philippines was subjected to global embarrassment by the disclosure that although the virus seems to have been launched here, there is little that can be done about it. It is such a shame!

     Trivia: This is not the first time the Philippines landed on the international virus map. More than a decade ago, the C-Brain virus from Cebu, which infected the now-obsolete DOS platform from Microsoft, became one of the most common viruses in the PC world. In 1992, Jonathan Gumba became notorious for spreading the Possessed! Virus.9


* LLB. 2000, Article Editor, UB Law Journal
1 "Whats the love bug and what does it do" Philippine Daily Inquirer, May 6, 2000
2 "Computer virus suspect released" Manila Bulletin, May 10, 2000
3 Washington Post Foreign Service, May 9, 2000
4 "President can veto extradition", Philippine Daily Inquirer, July 1999, Raul Palabrica
5 Findlaw legal news
6 George Clark, CNN.com, May 9, 2000
7 The Revised Penal code, by Luis Reyes, p.753
8 Quizon vs. Justice of the Peace, et. al, 97 Phil.342
9 Philippine Daily Inquirer, Leo Magno, May 8, 2000