Internet Service Providers: Can they be held liable for cybercrimes?


One of the current challenges in cybercrime prevention legislation includes the determination of liability of Internet Service Providers (ISPs) in offenses including cyber trafficking, copyright infringement, and the like. Undeniably, ISPs play a significant role as intermediaries in providing means for relaying information to internet users through their systems.

While the Cybercrime Prevention Act of 2012 outlines the responsibilities of ISPs with respect to the conduct of cybercrimes, certain provisions of the Act also exempt them from liabilities. As ISPs are not mere passive actors in the industry, our government should be more progressive in rethinking these exemptions granted to these platforms.

ISPs defined

ISPs provide access to the World Wide Web and allow subscribers or users to generate, store, and publish content. The “Electronic Commerce Act of 2000” defines a “Service Provider” either as a provider of “on-line services or network access or the operator of facilities therefore, including entities offering the transmission, routing, or providing of connections for online communications, digital or otherwise, between or among points specified by a user, of electronic documents of the user’s choosing;” or a provider of “the necessary technical means by which electronic documents of an originator may be stored and made accessible to designated or undesignated third party.” [1] These descriptions seem broad enough to include web hosting sites for blogs such as WordPress, user-generated content websites like YouTube, or social networking sites such as Facebook.

Aside from this general definition, special laws also provide their own definition of service providers. The Cybercrime Prevention Act of 2012 for instance, defines a service provider as “1) Any public or private entity that provides to users of its service the ability to communicate by means of a computer system; and 2) Any other entity that processes or stores computer data on behalf of such communication service or users of such service.” [2]

With regard to giving liability to pornographic hubs, the Anti-Child Pornography Act of 2003 provides that ISPs refers to “a person who, or entity that, supplies or proposes to supply, an internet carriage service to the public.” [3]

The slight variances in these definitions are inconsequential. Generally, the e-Commerce Act should govern. With regard to specific offenses, however, authorities must look into the more precise provisions of special laws such as the Cybercrime Prevention Act and the Anti-Child Pornography Act, depending on the circumstances of each case.

With these definitions, various questions arise. Suppose one sets up a network of computers at home or in the office using a wireless router, can he/she be considered a service provider? Suppose that data are stored on account of using such network, does that make the creator of the network liable as a service provider? A basic reading of these descriptions seems to give us an affirmative answer.

Responsibilities of ISPs

The Cybercrime Prevention Act outlines the basic responsibilities of ISPs. First, they are required to preserve computer data within the mandatory retention period of six months, which may be extended once for another six months pursuant to an order by a law enforcement authority. [4] Second, they need to disclose or submit subscriber’s information, traffic data or relevant data in his/its possession or control within 72 hours, pursuant to a court-issued warrant in relation to a valid complaint officially docketed and assigned for investigation and provided that such disclosure is necessary and relevant for the purpose of investigation. [5] Third, search warrants for relevant computer data could also be enforced against ISPs. [6]

Upon the expiration of the relevant periods provided for above, service providers and law enforcement authorities must immediately and completely destroy the computer data subject of a preservation and examination. [7]

Failure to comply with any of the above duties or specific orders of law enforcement authorities subjects service providers to penalties of either imprisonment of prision correctional in its maximum period or a fine of Php100,000.00, or both, for every noncompliance. [8]

Exemptions from Liability

Even with these liabilities provided by law, ISPs are not left without recourse. Section 30 of the Electronic Commerce Act exempts ISPs from any civil or criminal liability if it merely provides access with respect to the electronic data message or electronic document.

This exemption is further qualified by circumstances providing that the ISP: (i) must not have actual knowledge of the unlawful nature or infringing activity in relation to the material, (ii) does not receive a financial benefit directly attributable to the infringing activity, and (iii) does not directly commit any infringement or any other unlawful act nor induce another party to commit. The exemption applies provided that there exists no contrary obligation imposed on the service provider under a contract, licensing or other regulatory regime established under written law. Neither should there be a contrary obligation imposed under any written law or by a court order.

This is also substantially reproduced in Section 20 of the Implementing Rules and Regulations of the Cybercrime Prevention Act.

Difficulty in prosecuting ISPs

The provisions exempting ISPs from liability have made it difficult to prosecute them for unlawful activities committed through web sites they host. It is quite easy to set up as a defense their lack of knowledge and/or participation in the unlawful activities, especially since it is equally problematic to gather sufficient evidence to support such allegations.

As a result, it seems that there is little to no measure of accountability with respect to ISPs. In fact, under this law, the very definition of ISPs states that they have “no authority to modify or alter the content of the electronic data message or electronic document received or to make any entry therein on behalf of the originator, addressee, or any third party unless specifically authorized to do so.”

It is likewise expected to “retain the electronic document in accordance with the specific request or as necessary for the purpose of performing the services it was engaged to perform.” This means that without any specific authorization from the content-creator, an ISP can simply argue lack of control over the content uploaded into their web sites.

In effect it results to situations where ISPs have no duty to notify or take remedial measures against subscribers who upload unlawful or infringing content online. This creates a problem because, although ISPs do not control the content appearing on their sites, they still host the web sites that in turn host the content that end up being visible to site visitors.

‘Secondary liability’ in the Intellectual Property Code

This scenario is somehow addressed by the recently introduced amendments to the Intellectual Property Code brought by Republic Act No. 10372. The amended Section 216 of the Code postulates the concept of secondary liability, which makes more parties liable even if they are not direct participants in the infringing activity.

Under the amended provision, an infringement may also take place when a person “benefits from the infringing activity of another person” and if this person “has been given notice of the infringing activity, and has the right and ability to control the activities of the other person.” It also arises when a person, “with knowledge of the infringing activity, induces, causes, or materially contributes to the infringing activity of the other.”

The legal effect of these amendments is that ISPs may now be subjected to liability even if they do not directly participate in the infringing activity, so long as it may be proven that the ISPs derive some form of benefit from it.

Moreover, secondary liability is also imposed when ISPs induce, cause, or materially contribute to the infringing activity. Under this provision, an ISP notified of the infringing activities such as illegal downloading, on websites they host may be liable for infringement, especially if they continue to benefit from such activities, for instance through monetized traffic. While there is no clear authority, the Cybercrime Prevention Act contains what may be construed as a catch-all provision that allows service providers to be held intermediately liable for aiding and abetting any of the offenses so enumerated in the law. [9]

When liability attaches

While it seemed to offer a solution, these amendments also pose the question on when exactly secondary liability attaches. When users upload material online, it is highly unlikely that ISPs are able to immediately detect whether there is infringing activity or not. Under the provision, it seems that liability only attaches once the ISP gets notified of the presence of infringing activity on hosted websites. There is danger of imputing automatic liability on the ISPs, since they will not be able to shield themselves from criminal liability despite lack of initial participation in the unlawful act. The amendment is silent as to whether it allows ISPs sufficient time to remedy the situation by taking down the infringing material from the website.

In contrast, the Digital Millennium Copyright Act passed in the United States exempts ISPs from liability for infringement if, after notification, it responds expeditiously to remove or disable access to the infringing material. [10] This implies that they are given a reasonable time to avoid being subject to criminal prosecution. This seems to be a fairer way of interpreting ISP liability in light of the dynamics actually governing the relationship between ISPs and its subscribers.

Progressive legislation: ISPs not mere passive actors

As can be gleaned above, the present state of our law still leaves much to be desired. Much of our legislation still skew in favor of granting exemptions to ISPs. They are generally perceived to be passive actors in the industry as there are mere conduits of material or information provided by their users.

In reality, ISPs also host content and allow users to store material online. Through this service, users consequently are also able to publish material that can be seen by other users who traffic their websites. In addition to these, ISPs also cache content – which means that they make temporary copies of each material created and/or uploaded online which allow users who regularly access the page to do so at a faster pace since there is already a “memory” of the content that has been loaded before.

Given these circumstances, we can see that there is a certain level of control that allows ISPs to oversee activities within their facilities. The same is true, especially, if the terms of service existing between the parties allow the service provider to regulate and delete content uploaded or shared by the subscriber or user. In this instance, there is little room to credit the defense of lack of knowledge. Assuming that there is no control, the fact that ISPs are able to benefit from site traffic raises a myriad of questions regarding the genuine passivity of their roles as merely providing access.

Legislators may also have to rethink granting too much exemptions to ISPs, given that they are not duty-bound to take proactive measures against unlawful activities being conducted on websites they host. Future legislation should impose stricter obligations on ISPs to monitor content and/or to remove unlawful or infringing material within their systems.


Read more about the Technology and Telecommunications practice at Disini & Disini Law Office

Read more about the Data Privacy practice at Disini & Disini Law Office

[1] Section 5, paragraph j, Republic Act No. 8792 or the “Electronic Commerce Act of 2000.”

[2] Section 3, Republic Act No. 10175 or the “The Cybercrime Prevention Act of 2012.”

[3] Section 3, paragraph g, Republic Act No. 9775 or the “Anti-Child Pornography Act of 2003.”

[4] Section 13, Republic Act No. 10175 or “The Cybercrime Prevention Act of 2012.”

[5] Section 14, ibid.

[6] Section 15, ibid.

[7] Section 17, ibid.

[9] Section 19, ibid.

[8] Section 20, ibid.

[9] Section 5(a), ibid.

[10] Section 512 (c)(1), Digital Millennium Copyright Act.

Image Courtesy of jeffwilcox via Source / CC BY from

Post a Comment