The development of the Internet and the proliferation of computer technology has

created new opportunities for those who would engage in illegal activity.[1] The rise of
technology and online communication has not only produced a dramatic increase in the
incidence of criminal activity, it has also resulted in the emergence of what appear to be
some new varieties of criminal activity.[2] Both the increase in the incidence of criminal
activity and the possible emergence of new varieties of criminal activity pose challenges
for legal systems, as well as for law enforcement.

Source: Cybercrime Investigation and Prosecution: the Role of Penal and Procedural
Law By Susan W Brenner University of Dayton School of Law

This webinar will discuss the following:

1. Evolution of cyberlaws in the Philippines (10 mins.)
2. Salient points of the cybercrime and data privacy act (20 mins)
3. Notable cases involving schools, teachers and students (20 mins)
- Maria Ressa

1. Evolution of cyberlaws in the Philippines (10 mins.)

Background of the study

The “I LOVE YOU” Computer Virus

The “I LOVE YOU” Computer Virus The virus was received in e-mail inboxes in Hong
Kong on 4 May, 2000, with subject “I LOVE YOU” and an attachment “LOVE-LETTER-
FOR-YOU.TXT.vbs.”. It erases or blurs the graphics and data in the computer and gets
the contact addresses in the computer directory, and sends the same email to all
contacts listed in that directory. The replication went on and on, sweeping all computers
where the email was received and opened, from Hong Kong, to Europe, to the United
States, infecting and damaging computers and networks of small and big companies,
private and government institutions. The damage was about US$ 5.5 billion; some
reports say US$ 10 billion.

An international manhunt was conducted; the investigators traced the origin of the virus
to its creator, a programming student (Onel de Guzman) at the AMA Computer
University in Manila.

When arrested (11 May 2000), the suspect apologized to the public and said he had no
intention of causing such great harm. Government prosecutors filed cases against him,
but even at the first stage, the indictment was dismissed as

Effect of the “I LOVE YOU” Virus

The “I LOVE YOU” virus illustrated that a person armed with a computer could, from a
distant location, attack and/or disrupt computers and networks worldwide and cause
severe damage.
This whole episode points to the need for a domestic law to address a particular
criminal act, and international/ bilateral legal instruments to give “no-safe haven” to
cyber-criminals (or would-be cyber-terrorists).

The Security Illusion

Each year, consumers and business around the world put their faith in the computer
security software industry to protect them from the burgeoning threat of computer
malware. According to a study by the Gartner group, worldwide spending on security
software totaled nearly $20 billion in 2012 and is forecast to skyrocket to $94 billion
spent annually on cyber security by 2017.

Ask most individuals what to do about more viruses, and their very first answer would
be to use an antivirus product from a company like Symantex, MaAfee, or Trend Micro.
The response is instinctual from a public that has been trained well. While such tools
might have proven useful in the past, they are rapidly losing their efficacy, and the
statistics are deeply revealing. In December 2012, Researchers at Imperva, a data
security research firm in Redwood Shores, California, and students at the Technion-
Israel Institute of Technology decided to put the standard antivirus tools to the test.
They collected eighty-two new computer viruses and ran the malware against the
threat-detection engines of more than forty of the world’s largest antivirus companies,
including Microsoft, Symantec, MacAfee, and Kapersky Lab. The result: the initial threat
detection date was only 5%, meaning that 95% of the malware went completely
undetected.

The Malware Explosion

Now it’s not just about the “lulz” but for want of money, information, and power that
heckers ply their trade. In the early twenty-first century, as criminal figured out ways to
monetize their malicious software through identity theft and other techniques, the
number of new viruses began to soar. By 2015, the volume had been astonishing. In
2010, the German research institute AV-Test had assessed that there were forty-nine
million strains of computer malware in the wild. By 2011, the antivirus company McAfee
reported it was identifying two million new pieces of malware every month. In the
summer of 2013, the cyber-security firm Kaspersky Lab reported it identified and
isolated nearly 200,000 new malware samples every single day.

Future Crimes by Marc Goodman 2016 Edition

Criminals perpetually update their techniques to incorporate the very latest emerging
technologies into their modi operandi. The have evolved well beyond they days when
they were the first on the street carrying pagers and using five-pound cell phones to
send coded messages to one another. Today, they are building their own nationwide
encrypted cellular radio telecommunications systems, like those employed by the narco-
cartels of Mexico.
Organized crime groups have established themselves as early adopters of technology.
Criminals embraced the online world long before the police ever contemplated it, and
they have outpaced authorities ever since.

Congress’ Response In order to curb the threat posed by cybercrime, the Philippine
Congress enacted Republic Act (RA) 8792, otherwise known as the “Electronic
Commerce Act of 2000”. RA 8792 provides for the legal recognition and admissibility of
electronic data messages, documents and signatures. This was signed into law on 14
June 2000.

Penalizes limited online crime, such as hacking, introduction of viruses and copyright
violations of at least Php100,000 and a maximum commensurate to the damage
incurred, and imprisonment of six months to three years, among others.

Likewise, the Supreme Court drafted the Rules on Electronic Evidence, which took
effect on 1 August 2000, to emphasize the admissibility of evidence in electronic form,
subject to its authenticity and reliability.

While RA 8792 is already in place, it was found to have failed to address all forms of
cybercrime that are enumerated in the Budapest Convention on Cybercrime of 2001,
namely:

Cybercrime offenses

In order to cope with the daunting problem of cybercrime, the Department of Justice
(DOJ) created the Task Force on E-Government, Cyber-security and Cybercrime in
2007 to deal with cyber-security issues in relation to legislation and investigation.

The first Filipino to be convicted of cybercrime, particularly hacking, was JJ Maria Giner.
He was convicted in September 2005 by Manila MTC Branch 14 Judge Rosalyn Mislos-
Loja. Giner pleaded guilty to hacking the government portal “gov.ph” and other
government websites. He was sentenced to one to two years of imprisonment and fined
Php100,000. However, he immediately applied for probation, which was eventually
granted by the court. The conviction is now considered a landmark case, as he is the
first local hacker to be convicted under section 33a of the E-Commerce Law or Republic
Act 8792.

The Act has universal jurisdiction: its provisions apply to all Filipino nationals regardless
of the place of commission. Jurisdiction also lies when a punishable act is either
committed within the Philippines, whether the erring device is wholly or partly situated in
the Philippines, or whether damage was done to any natural or juridical person who at
the time of commission was within the Philippines. Regional Trial Courts shall have
jurisdiction over cases involving violations of the Act.

The Act also mandates the National Bureau of Investigation and the Philippine National

Police to organize a cybercrime unit, staffed by special investigators whose
responsibility will be to exclusively handle cases pertaining to violations of the Act,
under the supervision of the Department of Justice.

Aside from this, Section 6 effectively added another group when it provided that “all
crimes defined and penalized by the Revised Penal Code, as amended, and special
laws, if committed by, through and with the use of information and communications
technologies shall be covered by the relevant provisions of (the law)” and that “the
penalty to be imposed shall be one (1) degree higher than that provided for by the
Revised Penal Code, as amended, and special laws, as the case may be.”

Section 10 mandated the National Bureau of Investigation (NBI) and Philippine National
Police (PNP) to create special units within their respective organizations which are to be
manned by investigators trained and tasked to only handle cybercrime cases. Section
12 authorizes these law enforcement units, with due cause, to collect or record real-time
electronic traffic data which are transmitted through a computer system.

87% of Filipino internet users are identified as victims of crimes and malicious activities
committed online. (DOJ Primer, November 2012).

Sources:
COUNTRY REPORT ON CYBERCRIME: THE PHILIPPINES Gilbert C. Sosa, Chief,
Anti-Transnational Crime Division of Criminal Investigation and Detection Group,
Philippine National Police.

a. Offences against confidentiality, integrity and availability of computer data and

systems:

(1) Illegal Access. – The access to the whole or any part of a computer system without
right.

(2) Illegal Interception. – The interception made by technical means without right of any
non-public transmission of computer data to, from, or within a computer system
including electromagnetic emissions from a computer system carrying such computer
data.

(3) Data Interference. — The intentional or reckless alteration, damaging, deletion or

deterioration of computer data, electronic document, or electronic data message,
without right, including the introduction or transmission of viruses.

(4) System Interference. — The intentional alteration or reckless hindering or

interference with the functioning of a computer or computer network by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or
program, electronic document, or electronic data message, without right or authority,
including the introduction or transmission of viruses.

(5) Misuse of Devices.

(i) The use, production, sale, procurement, importation, distribution, or otherwise making
available, without right, of:

(aa) A device, including a computer program, designed or adapted primarily for the
purpose of committing any of the offenses under this Act; or

(bb) A computer password, access code, or similar data by which the whole or any part
of a computer system is capable of being accessed with intent that it be used for the
purpose of committing any of the offenses under this Act.

(ii) The possession of an item referred to in paragraphs 5(i)(aa) or (bb) above with intent
to use said devices for the purpose of committing any of the offenses under this section.

(6) Cyber-squatting. – The acquisition of a domain name over the internet in bad faith to
profit, mislead, destroy reputation, and deprive others from registering the same, if such
a domain name is:

(i) Similar, identical, or confusingly similar to an existing trademark registered with the
appropriate government agency at the time of the domain name registration:

(ii) Identical or in any way similar with the name of a person other than the registrant, in
case of a personal name; and

(iii) Acquired without right or with intellectual property interests in it.

• Computer-related offences which include computer-related forgery and computer-

related fraud;

• Content-related offences such as child pornography;

• Offences related to infringement of copyright and related rights.

(b) Computer-related Offenses:

(1) Computer-related Forgery. —

(i) The input, alteration, or deletion of any computer data without right resulting in
inauthentic data with the intent that it be considered or acted upon for legal purposes as
if it were authentic, regardless whether or not the data is directly readable and
intelligible;
or

(ii) The act of knowingly using computer data which is the product of computer-related
forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest
design.
(2) Computer-related Fraud. — The unauthorized input, alteration, or deletion of
computer data or program or interference in the functioning of a computer system,
causing damage thereby with fraudulent intent: Provided, That if no damage has yet
been caused, the penalty imposable shall be one (1) degree lower.

(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another,
whether natural or juridical, without right: Provided, That if no damage has yet been
caused, the penalty imposable shall be one (1) degree lower.

(c) Content-related Offenses:

(1) Cybersex. — The willful engagement, maintenance, control, or operation, directly or

indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of
a computer system, for favor or consideration.

(2) Child Pornography. — The unlawful or prohibited acts defined and punishable by
Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a
computer system: Provided, That the penalty to be imposed shall be (1) one degree
higher than that provided for in Republic Act No. 9775.

(3) Unsolicited Commercial Communications. — The transmission of commercial

electronic communication with the use of computer system which seek to advertise, sell,
or offer for sale products and services are prohibited unless:

(i) There is prior affirmative consent from the recipient; or

(ii) The primary intent of the communication is for service and/or administrative
announcements from the sender to its existing users, subscribers or customers.

(4) Libel. — The unlawful or prohibited acts of libel as defined in Article 355 of the
Revised Penal Code, as amended, committed through a computer system or any other
similar means which may be devised in the future.

Libel is an offense under Section 355 of the Revised Penal Code of the Philippines, also
criminalizing them when committed using a computer system. 

SEC. 5. Other Offenses. — The following acts shall also constitute an offense:

(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully
abets or aids in the commission of any of the offenses enumerated in this Act shall be
held liable.

(b) Attempt in the Commission of Cybercrime. — Any person who willfully attempts to
commit any of the offenses enumerated in this Act shall be held liable.

2. Salient points of the cybercrime and data privacy act (20 mins)
Republic Act No. 10173, otherwise known as the Data Privacy Act is a law that seeks to
protect all forms of information, be it private, personal, or sensitive. It is meant to cover
both natural and juridical persons involved in the processing of personal information.

In other words, processing of personal information is any operation where personal

information is involved. Whenever your information is, among other things, collected,
modified, or used for some purpose, processing already takes place.

What is personal information?

Under Sec. 3(g) of the Data Privacy Act, “[p]ersonal information refers to any
information whether recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly ascertained by the entity
holding the information, or when put together with other information would directly and
certainly identify an individual.”

What is privileged information?

Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all
forms of data which under the Rules of Court and other pertinent laws constitute
privileged communication.” One such example would be any information given by a
client to his lawyer. Such information would fall under attorney-client privilege and
would, therefore, be considered privileged information.

The difference between personal information and sensitive personal information matter?

Yes. The law treats both kinds of personal information differently. Personal information
may be processed, provided that the requirements of the Data Privacy Act are complied
with. On the other hand, the processing of sensitive personal information is, in general,
prohibited. The Data Privacy Act provides the specific cases where processing of
sensitive personal information is allowed.

Section 13 of the Data Privacy Act enumerates the cases where sensitive personal
information and privileged information may be processed. These are the following:

(a) The data subject has given his or her consent, specific to the purpose prior to the
processing, or in the case of privileged information, all parties to the exchange have
given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations:
Provided, That such regulatory enactments guarantee the protection of the sensitive
personal information and the privileged information: Provided, further, That the consent
of the data subjects are not required by law or regulation permitting the processing of
the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express his or
her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of
public organizations and their associations: Provided, That such processing is only
confined and related to the bona fide members of these organizations or their
associations: Provided, further, That the sensitive personal information are not
transferred to third parties: Provided, finally, That consent of the data subject was
obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a
medical practitioner or a medical treatment institution, and an adequate level of
protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court proceedings,
or the establishment, exercise or defense of legal claims, or when provided to
government or public authority.

3. Notable cases involving schools, teachers and students (20 mins)

Can a student be disciplined by the school for an inappropriate article in the

school paper? Application by analogy.

MIRIAM COLLEGE FOUNDATION, INC., Petitioner, v. HON. COURT OF APPEALS,

JASPER BRIONES
G.R. No. 127930 December 15, 2000

"Obscene," "vulgar," "indecent," "gross," "sexually explicit," "injurious to young readers,"

and devoid of all moral values."1 This was now some members of the Miriam College
community allegedly described the contents of the September-October 1994 issue (Vol.
41, No. 14) of Miriam College's school paper (Chi-Rho), and magazine (Ang Magasing
Pampanitikan ng Chi-Rho). The articles in the Chi-Rho included:

. . . a story, clearly fiction, entitled 'Kaskas' written by one Gerald Garry Renacido . . .
Kaskas, written in Tagalog, treats of the experience of a group of young, male, combo
players who, one evening, after their performance went to see a bold show in a place
called "Flirtation". This was the way the author described the group's exposure during
that stage show:

"Sige, sa Flirtation tayo. Happy hour na halos . . . he! he! he! sambit ng kanilang
bokalistang kanina pa di maitago ang pagkahayok sa karneng babae na kanyang
pinananabikan nuong makalawa pa, susog naman ang tropa.
The members of the editorial board of the Miriam College Foundation’s school paper
were subjected to disciplinary sanction by the College Discipline Committee after letters
of complaint were filed before the Board following the publication of the school paper
that contains obscene, vulgar, and sexually explicit contents. 

Issue:

Whether Miriam College has the power to discipline and dismiss the students. 

Held:

YES. Section 5 (2), Article XIV of the Constitution guarantees all institutions of higher

learning academic freedom. This institutional academic freedom includes the right of the
school or college to decide for itself, its aims and objectives, and how best to attain
them free from outside coercion or interference save possibly when the overriding public
welfare calls for some restraint. 

The essential freedoms subsumed in the term “academic freedom” encompasses the
freedom to determine for itself on academic grounds: (1) Who may teach, (2) What may
be taught, (3) How it shall be taught, and (4) Who may be admitted to study. The right of
the school to discipline its students is at once apparent in the third freedom,  i. e., “how it
shall be taught.” A school certainly cannot function in an atmosphere of anarchy. 

Incidentally, the school not only has the right but the duty to develop discipline in its
students. The Constitution no less imposes such duty.

All educational institutions shall inculcate patriotism and nationalism, foster love
of humanity, respect for human rights, appreciation of the role of national heroes
in the historical development of the country, teach the rights and duties of
citizenship, strengthen ethical and spiritual values, develop moral character and
personal discipline, encourage critical and creative thinking, broaden scientific
and technological knowledge, and promote vocational efficiency.

The right of the students to free speech in school premises, however, is not absolute.
The right to free speech must always be applied in light of the special characteristics of
the school environment.53 Thus, while we upheld the right of the students to free
expression in these cases, we did not rule out disciplinary action by the school for
"conduct by the student, in class or out of it, which for any reason - whether it stems
from time, place, or type of behavior - which materially disrupts classwork or involves
substantial disorder or invasion of the rights of others."

Is school’s authority to discipline its students limited only within the school premises?
The school, its administrators and teachers have special parental authority and
responsibility over the minor child while under their supervision, instruction, or custody.

Authority and responsibility shall apply to all authorized activities whether inside or
outside the premises of the school.

Under the Manual of Regulations for Private Higher Education of 2008, every higher
education institution shall maintain discipline inside its campus as well as within the
immediate surroundings of the school premises. An institution shall also exercise
disciplinary authority over students outside its campus, and beyond school hours, term
or year in the following instances:

1. Where school policies or regulations were violated; and

2. Where the misconduct involves or affects a student’s status, or the good name
and reputation of the school.

In the case of Angeles v. Sison (G.R. No. L-45551, February 16, 1982), the Supreme
Court said that there are instances where the school may be called upon to exercise its
power over its student or students for acts committed outside the school and beyond the
school hours:

1. In cases of violation of school policies or regulations of school policies or

regulations occurring in connection with school-sponsored activity off-campus; or
2. In cases where the misconduct of the student involves his status as a student or
affects the good name or reputation of the school.

Balancing the freedom of speech of the students and the right of schools to discipline

There are two instances when freedom of speech and expression cannot be invoked:
1. When the expression substantially disrupts a school activity; or
2. When the expression materially interferes with a school policy on discipline.

What are the two constitutional guarantees that create zones of privacy for students?
a. The right against unreasonable searches and seizure; and
b. The right to privacy

What is the test in assessing whether there is an impermissible or unjustified intrusion

on these zones of privacy?

Whether a person has a “reasonable expectation of privacy”.

Are searches conducted against a student in school premises, legal?

The objective is to strike a balance between a student’s expectation of privacy and a

school official’s equally legitimate need to maintain a secure and orderly learning
environment.
 1. Was the search “justified in its inception”? A search is justified when there are
reasonable grounds for suspecting that the search would turn up evidence that
the student has violated or is violating either a law or school policy.

2. Was the search “reasonably related in scope to the circumstances which justified
the interference in the first place”? Whether a search of a student in a school is
legal depends simply on the reasonableness, under all circumstances, of the
search.

Questions:

Can a teacher confiscate a cellphone during classes?

When a teacher so confiscates, can he/she check the contents of the cellphone?

What is the policy of the Department of Education on use of cellphones in schools?

Department of Education Order No. 83 Series of 2003 prohibits elementary and

secondary students from using cellphones during class hours in all public elementary
and secondary schools.

Do lawful authorities have the right to use the text messages as tools to arrest and
prosecute individuals?

Cybercrime Prevention Act implies the need to secure a warrant in order to open the
contents of a cellphone.

Section 15. Search, Seizure and Examination of Computer Data. — Where a search

and seizure warrant is properly issued, the law enforcement authorities shall likewise
have the following powers and duties.

Law enforcement authorities may request for an extension of time to complete the
examination of the computer data storage medium and to make a return thereon but in
no case for a period longer than thirty (30) days from date of approval by the court.

Section 18. Exclusionary Rule. — Any evidence procured without a valid warrant or

beyond the authority of the same shall be inadmissible for any proceeding before any
court or tribunal.

Is there a reasonable expectation of privacy on a Facebook post?

RHONDA AVE S. VIVARES and SPS. MARGARITA and DAVID

SUZARA, Petitioners,
vs.
ST. THERESA'S COLLEGE, MYLENE RHEZA T. ESCUDERO, and JOHN DOES,
 Julia and Julienne, both minors, were graduating high school students at St. Theresa’s
College (STC), Cebu City. Sometime in January 2012, while changing into their
swimsuits for a beach party they were about to attend, Julia and Julienne, along with
several others, took digital pictures of themselves clad only in their undergarments.
These pictures were then uploaded by Angela on her Facebook profile.

At STC, Mylene Escudero, a computer teacher at STC’s high school department,

learned from her students that some seniors at STC posted pictures online, depicting
themselves from the waist up, dressed only in brassieres.  Escudero then asked her
students if they knew who the girls in the photos are. In turn, they readily identified Julia
and Julienne, among others.

Using STC’s computers, Escudero’s students logged in to their respective personal

Facebook accounts and showed her photos of the identified students, which include: (a)
Julia and Julienne drinking hard liquor and smoking cigarettes inside a bar; and (b) Julia
and Julienne along the streets of Cebu wearing articles of clothing that show virtually
the entirety of their black brassieres.

Investigation ensued. Then Julia, Julienne and other students involved were barred
from joining the commencement exercises.

Petitioners, who are the respective parents of the minors, filed a Petition for the
Issuance of a Writ of Habeas Data. RTC dismissed the petition for habeas data on the
following grounds:

1. Petitioners failed to prove the existence of an actual or threatened violation of the

minors’ right to privacy, one of the preconditions for the issuance of the writ of habeas
data.
2. The photos, having been uploaded on Facebook without restrictions as to who
may view them, lost their privacy in some way.
3. STC gathered the photographs through legal means and for a legal purpose, that
is, the implementation of the school’s policies and rules on discipline.

ISSUE:

Whether or not there was indeed an actual or threatened violation of the right to privacy
in the life, liberty, or security of the minors involved in this case. (Is there a right to
informational privacy in online social network activities of its users?)

HELD:

Right to informational privacy

 Right to informational privacy is the right of individuals to control information
about themselves. Several commentators regarding privacy and social networking
sites, however, all agree that given the millions of OSN users, “in this Social Networking
environment, privacy is no longer grounded in reasonable expectations, but rather in
some theoretical protocol better known as wishful thinking.” So the underlying question
now is: Up to what extent is the right to privacy protected in OSNs?

Facebook Privacy Tools

To address concerns about privacy, but without defeating its purpose, Facebook was
armed with different privacy tools designed to regulate the accessibility of a user’s
profile as well as information uploaded by the user. In H v. W, the South Gauteng High
Court recognized this ability of the users to “customize their privacy settings,” but did so
with this caveat: “Facebook states in its policies that, although it makes every effort to
protect a user’s information, these privacy settings are not foolproof.”

For instance, a Facebook user can regulate the visibility and accessibility of digital
images (photos), posted on his or her personal bulletin or “wall,” except for the user’s
profile picture and ID, by selecting his or her desired privacy setting:

1. Public – the default setting; every Facebook user can view the photo;
2. Friends of Friends – only the user’s Facebook friends and their friends can view
the photo;
3. Friends – only the user’s Facebook friends can view the photo;
4. Custom – the photo is made visible only to particular friends and/or networks of
the Facebook user; and
5. Only Me – the digital image can be viewed only by the user.

The foregoing are privacy tools, available to Facebook users, designed to set up
barriers to broaden or limit the visibility of his or her specific profile content, statuses,
and photos, among others, from another user’s point of view. In other words, Facebook
extends its users an avenue to make the availability of their Facebook activities
reflect their choice as to “when and to what extent to disclose facts about
themselves – and to put others in the position of receiving such confidences.”

LONE ISSUE:

NONE. The Supreme Court held that STC did not violate petitioners’ daughters’ right to
privacy as the subject digital photos were viewable either by the minors’ Facebook
friends, or by the public at large.

Without any evidence to corroborate the minors’ statement that the images were visible
only to the five of them, and without their challenging Escudero’s claim that the other
students were able to view the photos, their statements are, at best, self-serving, thus
deserving scant consideration.

It is well to note that not one of petitioners disputed Escudero’s sworn account that her
students, who are the minors’ Facebook “friends,” showed her the photos using their
own Facebook accounts. This only goes to show that no special means to be able to
view the allegedly private posts were ever resorted to by Escudero’s students, and that
it is reasonable to assume, therefore, that the photos were, in reality, viewable either by
(1) their Facebook friends, or (2) by the public at large.

Considering that the default setting for Facebook posts is “Public,” it can be surmised
that the photographs in question were viewable to everyone on Facebook, absent any
proof that petitioners’ children positively limited the disclosure of the photograph. If such
were the case, they cannot invoke the protection attached to the right to informational
privacy.

No privacy invasion by STC; fault lies with the friends of minors

Respondent STC can hardly be taken to task for the perceived privacy invasion since it
was the minors’ Facebook friends who showed the pictures to Tigol. Respondents were
mere recipients of what were posted. They did not resort to any unlawful means of
gathering the information as it was voluntarily given to them by persons who had
legitimate access to the said posts. Clearly, the fault, if any, lies with the friends of the
minors. Curiously enough, however, neither the minors nor their parents imputed any
violation of privacy against the students who showed the images to Escudero.

Different scenario of setting is set on “Me Only” or “Custom”

Had it been proved that the access to the pictures posted were limited to the original
uploader, through the “Me Only” privacy setting, or that the user’s contact list has been
screened to limit access to a select few, through the “Custom” setting, the result may
have been different, for in such instances, the intention to limit access to the particular
post, instead of being broadcasted to the public at large or all the user’s friends en
masse, becomes more manifest and palpable.