Rule on Cybercrime Warrants: Salient Provisions

Scope and Applicability.

This Rule sets forth the procedure for the application and grant of warrants and related orders involving
the preservation, disclosure, interception, search, seizure, and/or examination, as well as the custody, and
destruction of computer data, as provided under Republic Act No. (RA) 10175, otherwise known as the “Cybercrime
Prevention Act of 2012.”

Supplementary Nature.
This Rule supplements the existing Rules of Criminal Procedure, which provisions shall continue to govern the
preliminary investigation and all stages of prosecution of criminal actions involving violations of RA 10175, including
all crimes defined and penalized by the Revised Penal Code, as amended, and special laws, committed by, through,
and with the use of information and communications technologies.

Definitions.
Communication – refers to the transmission of information through information and communications technology (ICT)
media, including voice, video, and other forms of data;
Content data – refers to the content of the communication, the meaning or purported meaning of the communication,
or the message or information being conveyed by the communication, other than traffic data;
Cybercrime court – refers to any of the Regional Trial Courts which are designated as special cybercrime courts;
Forensic image – also known as a forensic copy, refers to an exact bit-by-bit copy of a data carrier, including slack,
unallocated space, and unused space;
Hash value – refers to the mathematical algorithm produced against digital information (a file, a physical disk or a
logical disk) thereby creating a “digital fingerprint” or “digital DNA” for that information;
Interception – refers to listening to, recording, monitoring or surveillance of the content of communications, including
procuring of the content data, either directly, through access and use of a computer system, or indirectly through the
use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring;
Off-site search – refers to the process whereby law enforcement authorities, by virtue of a warrant to search, seize,
and examine, are allowed to bring the computer device/s and/or parts of the computer system outside the place to be
searched in order to conduct the forensic examination of the computer data subject of the warrant;
On-site search – refers to the process whereby law enforcement authorities, by virtue of a warrant to search, seize,
and examine, obtains the computer data subject thereof for forensic examination, without the need of bringing the
related computer device/sand/or parts of the computer system outside the place to be searched;
Preservation – refers to the keeping of data that already exists in a stored form, protected from anything that would
cause its current quality or condition to change or deteriorate;
Service provider – refers to: (a) any public or private entity that provides users of its service the ability to
communicate by means of a computer system; and (b) any other entity that processes or stores computer data on
behalf of such communication service or users of such service;
The term service provider as used in this Rule is understood to include any service provider offering its services
within the territory of the Philippines, regardless of its principal place of business;
Subscriber’s information – refers to any information contained in the form of computer data or any other form that is
held by a service provider, relating to subscribers of its services, other than traffic or content data, and by which any
of the following can be established:
The type of communication service used, the technical provisions taken therewith, and the period of service;
The subscriber’s identity, postal or geographic address, telephone and other access number, any assigned network
address, billing and payment information that are available on the basis of the service agreement or arrangement; or
Any other available information on the site of the installation of communication equipment that is available on the
basis of the service agreement or arrangement; and
Traffic data – refers to any computer data other than the content of the communication, including, but not limited to,
the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.

Venue.
The criminal actions for violation of Section 4 (Cybercrime offenses) and/or Section 5 (Other offenses), Chapter II of
RA 10175 (Cybercrime Prevention Act of 2010), shall be filed before the designated cybercrime court:
Of the province or city where the offense where any of its elements is committed,
Or where any part of the computer system used is situated,
Or where any of the damage caused to a natural or juridical person took place: Provided, that the court where the
criminal action is first filed shall acquire jurisdiction to the exclusion of the other courts.
All other crimes defined and penalized by the Revised Penal Code, as amended, and other special laws, committed
by, through, and with the use of ICT, as provided under Section 6, Chapter II of RA 10175, shall be filed before
the regular or other specialized regional trial courts, as the case may be.

Where to file an Application for a Warrant.

Same as the venue of the action. See above.
Note: The cybercrime courts in Quezon City, the City of Manila, Makati City, Pasig City, Cebu City, Iloilo City, Davao
City and Cagayan De Oro City shall have the special authority to act on applications and issue warrants which shall
be enforceable nationwide and outside the Philippines.

Effective Period of Warrants.

Not exceeding 10 days from its issuance. May be extended for 10 days from the expiration of original period based
on justifiable reasons.

Preservation of Computer Data.

Pursuant to Section 13, Chapter IV of R A 10175, the integrity of traffic data and subscriber’s information shall be
kept, retained, and preserved by a service provider for a minimum period of six (6) months from the date of the
transaction. On the other hand, content data shall be preserved for six (6) months from the date of receipt of the
order from law enforcement authorities requiring its preservation.
Law enforcement authorities may order a one-time extension for another six (6) months.
See full text for definitions of Traffic Data, Subscriber’s Information, and Content Data.

Disclosure of Computer Data.

Pursuant to Section 14, Chapter IV of RA 10175, law enforcement authorities, upon securing a Warrant to Disclose
Computer Data (WDCD) under this Rule, shall issue an order requiring any person or service provider to disclose or
submit subscriber’s information, traffic data or relevant data in his/her or its possession or control within seventy-two
(72) hours from receipt of the order in relation to a valid complaint officially docketed and assigned for investigation
and the disclosure is necessary and relevant for the purpose of investigation.
ORIDEMO
Warrant to Disclose Computer Data (WDCD)
A WDCD is an order in writing issued in the name of the People of the Philippines, signed by a judge, upon
application of law enforcement authorities, authorizing the latter to issue an order to disclose and accordingly, require
any person or service provider to disclose or submit subscriber’s information, traffic data, or relevant data in his/her
or its possession or control.

Warrant to Intercept Computer Data (WICD)

Interception, as defined under Section 3 (m), Chapter I of RA 10175, may be carried out only by virtue of a court
issued warrant, duly applied for by law enforcement authorities.
A WICD is an order in writing issued in the name of the People of the Philippines, signed by a judge, upon application
of law enforcement authorities, authorizing the latter to carry out any or all of the following activities: (a) listening to,
(b) recording, (c) monitoring, or (d) surveillance of the content of communications, including procuring of the content
of computer data, either directly, through access and use of a computer system or indirectly, through the use of
electronic eavesdropping or tapping devices, at the same time that the communication is occurring.
Remedy of a Person whose Communications or Computer Data have been Intercepted
Within ten (10) days from notice, the person whose communications or computer data have been intercepted may
challenge, by motion, the legality of the interception before the issuing court.
Warrant to Search, Seize and Examine Computer Data (WSSECD).
A Warrant to Search, Seize and Examine Computer Data (WSSECD) is an order in writing issued in the name of the
People of the Philippines, signed by a judge, upon application of law enforcement authorities, authorizing the latter to
search the particular place for items to be seized and/or examined.
Off-site and On-site Principle; Return of Items Seized Off-site.
Law enforcement authorities shall, if the circumstances so allow, endeavor to first make a forensic image of the
computer data on-site as well as limit their search to the place specified in the warrant.
Otherwise, an off-site search may be conducted, provided that a forensic image is, nevertheless, made, and that the
reasons for the said search are stated in the initial return.
Remedy of a person whose Computer Devices or Computer System have been Searched and Seized Off-site
A person whose computer devices or computer system have been searched and seized off-site may, upon motion,
seek the return of the said items from the court issuing the WSSECD: Provided, that a forensic image of the
computer data subject of the WSSECD has already been made.
The court may grant the motion upon its determination that no lawful ground exists to otherwise withhold the return of
such items to him.

Warrant to Examine Computer Data (WECD).

Upon acquiring possession of a computer device or computer system via a lawful warrantless arrest, or by any other
lawful method, law enforcement authorities shall first apply for a warrant before searching the said computer device
or computer system for the purpose of obtaining for forensic examination the computer data contained therein. The
warrant therefor shall be denominated as a Warrant to Examine Computer Data (WECD).

Deposit and Custody of Seized Computer Data.

Upon the filing of the return for a WDCD or WICD, or the final return for a WSSECD or WECD, all computer data
subject thereof shall be simultaneously deposited in a sealed package with the same court that issued the warrant.
It shall be accompanied by a complete and verified inventory of all the other items seized in relation thereto, and by
the affidavit of the duly authorized law enforcement officer.

Access to and Use of Computer Data.

The package containing the computer data so deposited under Section 7.1 of this Rule shall not be opened, or the
recordings replayed, or its contents revealed, or, in any manner, used as evidence, except upon motion duly granted
by the court.
The motion for the purpose shall state:
The relevance of the computer data sought to be opened, replayed, revealed, or used as evidence; and
The names of the persons who will be allowed to have access thereto, if the motion is granted.
The motion shall further include proof of service of copies sent to the person or persons whose computer data is the
subject of the motion. The said person or persons shall be given ten (10) days from receipt of notice thereof to file a
comment, after which the court shall rule on the motion, unless it finds it necessary to conduct a clarificatory hearing
for the purpose

Duty of Service Providers and Law Enforcement Authorities to Destroy.

Pursuant to Section 17 of RA 10175, upon expiration of the periods as provided in Sections 13 and 15 of the said
law, service providers and law enforcement authorities, as the case may be, shall immediately and completely
destroy the computer data subject of preservation and examination.

Destruction and Return of Computer Data in the Custody of the Court.

Upon motion and due hearing, the court may, for justifiable reasons, order the complete or partial destruction, or the
return to its lawful owner or possessor, of the computer data or any of the related items turned over to its custody.
Likewise, the court may, and upon written notice to all the parties concerned, order the complete or partial
destruction, or return to its lawful owner or possessor, of the computer data or any of the related items turned over to
its custody if no preliminary investigation or case involving these items has been instituted after thirty-one (31) days
from their deposit, or if preliminary investigation has been so instituted within this period, upon finality of the
prosecutor’s resolution finding lack of probable cause. In its sound discretion, the court may conduct a clarificatory
hearing to further determine if there is no reasonable opposition to the items’ destruction or return.
If the court finds the destruction or return of disclosed computer data or subscriber’s information subject of a WDCD
to be justified under this Section, it shall first issue an order directing the law enforcement authorities to turn- over the
retained copy thereof as described in paragraph 3 of Section 4.5 of this Rule. Upon its turn-over, the retained copy
shall be simultaneously destroyed or returned to its lawful owner or possessor together with the computer data or
subscriber’s information that was originally turned over to the issuing court.

Destruction of Computer Data; How Made.

The destruction of computer data and related items, if so allowed under Section 8.2 of this Rule, shall be made in the
presence of the Branch Clerk-of-Court, or in his/her absence, in the presence of any other person duly designated by
the court to witness the same.
The accused or the person/s from whom such items were seized, or his/her representative or counsel, as well as the
law enforcement officer allowed access to such items as indicated in the inventory, or his/her duly authorized
representative, may also be allowed to witness the said activity; Provided, that they appear during the scheduled date
of destruction upon written notice to them by the Branch Clerk-of-Court at least three (3) days prior to the
aforementioned date.
Within twenty-four (24) hours from the destruction of the computer data, the Branch Clerk-of-Court or the witness
duly designated by the court shall issue a sworn certification as to the fact of destruction and file the said certificate
with the same court.
The storage device, or other items turned over to the court’s custody, shall be destroyed by shredding, drilling of four
holes through the device, prying the platters apart, or other means in accordance with international standards that will
sufficiently make it inoperable.