Rappler [Pasig, Manila, Philippines]
June 15, 2021
By Neil Jayson Servallos
Lack of cooperation from internet service providers, limits to technology, and data privacy rules have hamstrung law enforcers running after perpetrators of online child sex abuse.
AS PUBLISHED BY PHILIPPINE CENTER FOR INVESTIGATIVE JOURNALISM
(Third of 4 parts)
It was the year 2010. National Bureau of Investigation (NBI) agent Bernard Dela Cruz remembered watching dozens of children move in and out of an internet café in Cebu City in central Philippines, wondering if they were the young boys and girls they needed to rescue.
The NBI had information that the children were being livestreamed naked to paying customers abroad. It’s one of the first cases of online sexual exploitation of children or OSEC that Dela Cruz handled as an agent, when it was still the “dark ages” for law enforcement on the internet. Because technology had limitations, they couldn’t locate the scene of the crime and had to rely on old methods of surveillance.
“The houses were shanties set up close to each other…. During that time, we haven’t been able to trace IP addresses. We relied on conventional ways of surveillance,” Dela Cruz told the Philippine Center for Investigative Journalism (PCIJ), referring to Internet Protocol (IP) addresses or numbers assigned to a device connected to the internet.
After several days of tedious work, the NBI finally swooped in. Dela Cruz’s hunch was right. Inside the internet cafe, where many children spent hours playing computer games, was a private room where the unspeakable happened.
“The kids were naked. [The facilitator] was using shampoo to make it appear that that was his [fluids on the kids],” Dela Cruz said.
Abby, who was 10 at the time, was among the children who frequented the private room to perform for paying customers. She had been abused for about a year when the internet café was raided.
She remembered how she was offered P150 or $3 to do the show. Now 21, she told PCIJ she didn’t realize the psychological harm of what the traffickers did to her, and was only happy to slip money into the pockets of her grandparents who took care of her.
The man who facilitated the trafficking – Archie Abala – was known to the children and their families. He was convicted in 2013 for violating Republic Act No. 9208 or the Anti-Trafficking in Persons Act of 2003. He was meted an eight-year sentence and a fine of P50,000.
Dela Cruz said he believes Abala could have served more time had he been put on trial by prosecutors under the Anti-Child Pornography Law of 2009, a new law at the time that dealt more comprehensively with OSEC as a digital crime. The only provision in the old law that applied to the internet was a prohibition against online advertising of human trafficking.
IP address, filtering mechanisms
A decade later, the Philippines has become the global epicenter of online sexual exploitation of children despite the efforts of law enforcement.
The big obstacle: internet service providers that have yet to upgrade to better technology and are thus unable to provide the IP addresses of computers used by perpetrators. Getting more information on the users of IP addresses is even more difficult as law enforcers need to secure court warrants and comply with data privacy rules.
In 2017, a study conducted by the Washington-based International Justice Mission (IJM) showed that 149 in every 10,000 IP addresses linked to child sexual exploitation originated from the Philippines.
It was three times higher than the rate of 43 in every 10,000 from three years earlier. “Internet-based CSE (child sexual exploitation), in general, and OSEC, specifically, appear to be rapidly growing crimes in the Philippines,” the IJM study concluded.
The situation worsened even with technological advancements that should allow law enforcement agents to easily track where livestreaming is conducted. Philippine law enforcement agencies also get tips from counterparts in other countries when they are able to arrest pedophiles preying on Filipino children.
Computer data and other evidence are sent to either the Philippine National Police or the NBI, which use them to track down the OSEC facilitators.
“Even now, getting information like IP addresses from ISPs is difficult. But they give them if you file properly in court,” said Angela de Gracia, a lawyer at the Office of Cybercrime under the Department of Justice (DOJ).
The problem is most of the Philippines is still under the IPV4 system – an internet protocol that hosts thousands of users in one IP address. Even when foreign law enforcers provide the IP addresses of OSEC facilitators, it could be just one of a multitude of users hosted in one IP address for a certain area.
“What they (ISPs) keep telling us is that because of their technology that allows thousands of users in one IP address, they can’t certainly tell which of the users is the perpetrator,” she said.
The DOJ has been pushing the National Telecommunications Commission to require internet companies to use the IPV6 system, which can designate one IP address for every device.
Globe Telecom, one of the country’s biggest internet broadband providers, said it had yet to upgrade. “It’s currently a work in progress as it requires a significant amount of investment and technical revisions, compatibility on our part,” Globe said in a statement sent to the PCIJ.
Section 9 of the Anti-Child Pornography Act of 2009 requires internet companies to “install available technology, program or software to ensure that access to or transmittal of any form of child pornography will be blocked or filtered.”
Globe said it implemented a DNS (Domain Name System) filtering mechanism in 2017 to prevent subscribers from accessing such sites.
PLDT and its mobile unit Smart also said they had complied with the law’s mandate, even partnering with the Internet Watch Foundation to deal with thousands of weblinks said to be containing child abuse materials.
Law enforcement and nongovernment organizations (NGOs) said the ISPs’ efforts had not been enough to comply with the law, however. Effective technology has not been installed almost 12 years since the law’s passing, De Gracia said.
“We tried dialogues, peaceful talks [with ISPs]. We haven’t gotten their commitment,” lamented De Gracia.
The DOJ is trying another way to make ISPs commit to their duties under the law, she said.
Data Privacy Act
Requiring internet companies to adopt the IPV6 system would not necessarily make the job of law enforcement easier, however.
Globe cited restrictions under the Data Privacy Act of 2012, which may also hinder the company from divulging the information of internet users.
ISPs are wary of cases that could be filed against them under Section 9 of the law. It reads: “Nothing in this Section may be construed to require an ISP to engage in the monitoring of any user, subscriber or customer, or the content of any communication of any such person.”
The Philippine Chamber of Telecom Operators sent a position paper to the DOJ, saying the Data Privacy Act of 2012, which requires strict privacy on personal information of customers, clashed with their duties under the Anti-Child Pornography Act. The PCTO is the lobby group of telecommunication entities and ISPs, including PLDT, Smart, and Globe.
In an opinion piece on OSEC published on Rappler, law professor Tony La Viña wrote that there was a need to rethink interpretations of the Data Privacy Act that have allowed it to protect criminals.
“[I]t must be noted that the Act shall not apply to information necessary for law enforcement and regulatory agencies to carry out their constitutionally and statutorily mandated functions,” he wrote.
De Gracia also noted that ISPs should not read the provisions of the Anti-Child Pornography Act and the Data Privacy Act as contrary to each other.
“The same paragraph (Section 9 of the Data Privacy Act) provides that the duty to notify does not constitute monitoring of contents and even provides protection to ISPs against civil liability for any notice given to law enforcement in good faith,” she explained. “Instead of reading it as contrary to each other, the aforesaid provision is more of complementary.”
Globe also argued that content monitoring falls in the hands of internet content hosts or electronic service providers (ESPs), as well as websites and platform moderators.
“Internet hosts are among the largest cloud providers. Majority of the child porn content is being hosted in these large cloud or media platforms, which are encrypted or hidden via VPN (virtual private networks). Thus, we cannot selectively block the illegal content unless we block the entire platform itself,” the company explained.
Globe said it was difficult to track down perpetrators on social media and encrypted messaging apps like WhatsApp, Messenger, Viber, Telegram, where they look for customers.
WhatsApp, Telegram, Viber, Messenger and other messaging platforms all say they do not allow the proliferation of child sex abuse imagery. WhatsApp says it has been using automated technology to scan group names, group descriptions, and possible suspicious activity. Facebook, meanwhile, says the Messenger app has employed artificial intelligence (AI) to detect content.
“I will have to understand that position (Section 9 of the Data Privacy Act) better because [for us], as telco operators, that’s very sophisticated and not doable,” said Angel Redoble, PLDT’s chief information security officer.
A priest’s campaign
Irish priest Shay Cullen, who founded the Olongapo-based child rights organization Preda Foundation, is one of the few advocates who have been challenging ISPs over their failures in protecting children.
Cullen has written opinion articles in newspapers and penned letters to ISP companies several times in the last 10 years, reminding them that they were capable of stopping these crimes but were more concerned about “losing subscribers.”
Preda’s campaign to hold ISPs responsible, he said, was met in 2020 with a “grudging, reluctant and miserable response.” He was told by the ISPs that they had blocked thousands of child pornography websites.
The 78-year-old priest admitted to having limited knowledge on technology, but this has not stopped him from reminding ISPs of their responsibilities under the law.
Cullen has written letters and phoned AI developers that could help detect the transmission of exploitative imagery, including Microsoft and the Zyalin Group, a tech company from his hometown of Dublin, Ireland.
“I believe that if they (ISPs) have a good heart and they are interested in protecting Filipino children from this horrific abuse, they would certainly do something about it,” Cullen told the PCIJ.
Cloud storage services like Google Drive, Dropbox, and Microsoft OneDrive have detection technologies that allow them to report online exchanges of child abuse materials.
But no technology has been developed by video call and social media platforms to detect livestream abuse, according to the Philippine Internet Crimes Against Children Center (PICACC).
Local and international law enforcement agents have decried the failure of ESPs to hatch aggressive steps to prevent the transmission of child sexual exploitation materials.
“Social media platforms are protecting their privacy. There might be good things about that, but the problem is this is being exploited by cybercriminals,” said Major Joseph Villaran of the Philippine National Police’s Anti-Cybercrime Group.
Lawyer Sheila Guico of the IJM Cebu Field Office said the timely detection of online exploitation would need the cooperation of ISPs and ESPs.
“I would say they would see a 180-degree turnaround and that would really mean a lot of survivors would be provided intervention,” she said.
In June, police rescued 14 children from at least three different households in an uphill farm village in Camarines Sur province. Police Lieutenant Colonel Lucrecio Rodrigueza Jr. said the barangay chairman had told them the scheme was rampant in his area.
Lieutenant Noeralyn Tamayo, police deputy of the PICACC, said there had been a “communal acceptance” of OSEC in impoverished places, where families find easy money from trafficking their children and luring their neighbors into the scheme.
“A neighbor would ask what they did to achieve [financial gain] and that’s where it begins,” Tamayo said.
Meanwhile, it’s the children who suffer the lasting impact of the abuse.
In 2017, social workers brought Abby back to her village in Cebu City to reintegrate her with her family. They found out that her family was incapable of taking her in, however, and the community was found unfit for a survivor of online sexual abuse.
“When you’ve been in this work for a long time, you’d see the red flags immediately. There were five young girls we saw going into a house we had been observing for days. We saw them going up the stairs,” Karen Navera, the social worker assigned to Abby, told the PCIJ.
“You’d know what was up, immediately. We thought to ourselves: ‘The community stayed as it was even after the raid where Abby was rescued.’”
She suspected that the families in that community continued to peddle their children to online predators.
The social workers brought Abby back to Manila.
At about the time Abby went back for a visit, Archie Abala – the neighbor who was convicted of trafficking children in the village a decade before – was released from prison. A discharge sheet from the Leyte Regional Prison showed that Abala was granted parole on July 31, 2017. He had since returned to the village, and was hired by the local government.
Voice of the Free, a nongovernment organization working against trafficking, said OSEC survivors should not be in the same community as their former abusers because it risked re-traumatizing the victims. – Rappler.com