THIRD OF FOUR PARTS
Warning: This article contains depictions of child sexual abuse
It was the year 2010. National Bureau of Investigation (NBI) agent Bernard Dela Cruz remembered watching dozens of children move in and out of an internet cafe in Cebu City in central Philippines, wondering if they were the young boys and girls they needed to rescue.
The NBI had information that the children were being livestreamed naked to paying customers abroad. It’s one of the first cases of online sexual exploitation of children or OSEC that Dela Cruz handled as an agent, when it was still the “dark ages” for law enforcement on the internet. Because technology had limitations, they couldn’t locate the scene of the crime and had to rely on old methods of surveillance.
“The houses were shanties set up close to each other…. During that time, we haven’t been able to trace IP addresses. We relied on conventional ways of surveillance,” Dela Cruz told the Philippine Center for Investigative Journalism (PCIJ), referring to Internet Protocol (IP) addresses or numbers assigned to a device connected to the Internet.
After several days of tedious work, the NBI finally swooped in. Dela Cruz’s hunch was right. Inside the internet cafe, where many children spent hours playing computer games, was a private room where the unspeakable happened.
“The kids were naked. [The facilitator] was using shampoo to make it appear that that was his (fluids on the kids),” Dela Cruz said.
Abby, who was 10 at the time, was among the children who frequented the private room to perform for paying customers. She had been abused for about a year when the internet cafe was raided.
She remembered how she was offered P150 or $3 to do the show. Now 21, she told PCIJ she didn’t realize the psychological harm of what the traffickers did to her, and was only happy to slip money into the pockets of her grandparents who took care of her.
The man who facilitated the trafficking – Archie Abala – was known to the children and their families. He was convicted in 2013 for violating Republic Act 9208, or the Anti-Trafficking in Persons Act of 2003. He was meted an eight-year sentence and a fine of P50,000.
Dela Cruz said he believes Abala could have served more time had he been put on trial by prosecutors under the Anti-Child Pornography Law of 2009, a new law at the time that dealt more comprehensively with OSEC as a digital crime. The only provision in the old law that applied to the internet was a prohibition against online advertising of human trafficking.
IP address, filtering mechanisms
A decade later, the Philippines has become the global epicenter of online sexual exploitation of children despite the efforts of law enforcement.
The big reason: internet service providers are still largely unable to provide the IP addresses of computers used by perpetrators as they have yet to upgrade to better technology. Getting more information on the users of IP addresses is even more difficult as law enforcers need to secure court warrants and comply with data privacy rules.
In 2017, a study conducted by the Washington-based International Justice Mission (IJM) showed that 149 in every 10,000 IP addresses linked to child sexual exploitation originated from the Philippines.
It was three times higher than the rate of 43 in every 10,000 from three years earlier. “Internet-based CSE (child sexual exploitation), in general, and OSEC, specifically, appear to be rapidly growing crimes in the Philippines,” the IJM study concluded.
The situation worsened even with technological advancements that should allow law enforcement agents to easily track where livestreaming is conducted. Philippine law enforcement agencies also get tips from counterparts in other countries when they are able to arrest pedophiles preying on Filipino children.
Computer data and other evidence are sent to either the Philippine National Police or the NBI, which uses them to track down the OSEC facilitators.
“Even now, getting information from ISPs like IP addresses is difficult. But they give them if you file properly in court,” said Angela de Gracia, a lawyer at the Office of Cybercrime under the Department of Justice (DOJ).
The problem is most of the Philippines is still under the IPV4 system – an internet protocol that hosts thousands of users in one IP address. Even when foreign law enforcers provide the IP addresses of OSEC facilitators, it could be just one of a multitude of users hosted in one IP address for a certain area.
“What they (ISPs) keep telling us is that because of their technology that allows thousands of users in one IP address, they can’t certainly tell which of the users is the perpetrator,” he said.
The DOJ has been pushing the National Telecommunications Commission to require internet companies to use the IPV6 system, which can designate one IP address for every device.
Globe Telecom, one of the country’s biggest internet broadband providers, said it had yet to upgrade. “It's currently a work in progress as it requires a significant amount of investment and technical revisions, compatibility on our part,” Globe said in a statement sent to the PCIJ. (Editor's note: The attribution of the quote was corrected.)
Section 9 of the Anti-Child Pornography Act of 2009 requires internet companies to “install available technology, program or software to ensure that access to or transmittal of any form of child pornography will be blocked or filtered.”
Globe said it implemented a DNS (Domain Name System) filtering mechanism in 2017 to prevent subscribers from accessing such sites.
PLDT and its mobile unit Smart also said they have complied with the law’s mandate, even partnering with the Internet Watch Foundation to deal with thousands of weblinks said to be containing child abuse materials.
Law enforcement and nongovernment organizations (NGOs) said the ISPs’ efforts had not been enough to comply with the law, however. Effective technology has not been installed almost 12 years since the law’s passing, De Gracia said.
“We tried dialogues, peaceful talks (with ISPs). We haven’t gotten their commitment,” lamented De Gracia.
The DOJ is trying another way to make ISPs commit to their duties under the law, she said.
Data Privacy Act
Requiring Internet companies to adopt the IPV6 system would not necessarily make the job of law enforcement easier, however.
Globe cited restrictions under the Data Privacy Act of 2012, which may also hinder the company from divulging the information of internet users.
ISPs are wary of cases that could be filed against them under Section 9 of the law. It reads: “nothing in this Section may be construed to require an ISP to engage in the monitoring of any user, subscriber or customer, or the content of any communication of any such person.”
The Philippine Chamber of Telecom Operators sent a position paper to the DOJ saying the Data Privacy Act of 2012, which requires strict privacy on personal information of customers, clashed with their duties under the Anti-Child Pornography Act. The PCTO is the lobby group of telecommunication entities and ISPs, including PLDT, Smart, and Globe.
In an opinion piece on OSEC published on Rappler, law professor Tony La Viña wrote that there was a need to rethink interpretations of the Data Privacy Act that have allowed it to protect criminals.
“[I]t must be noted that the Act shall not apply to information necessary for law enforcement and regulatory agencies to carry out their constitutionally and statutorily mandated functions,” he wrote.
De Gracia also noted that ISPs should not read the provisions of the Anti-Child Pornography Act and the Data Privacy Act as contrary to each other.
“The same paragraph (Section 9 of the Data Privacy Act) provides that the duty to notify does not constitute monitoring of contents and even provides protection to ISPs against civil liability for any notice given to law enforcement in good faith,” she explained. “Instead of reading it as contrary to each other, the aforesaid provision is more of complementary.”
Globe also argued that content monitoring falls in the hands of internet content hosts or electronic service providers (ESPs), as well as websites and platform moderators.
“Internet hosts are among the largest cloud providers. Majority of the child porn content is being hosted in these large cloud or media platforms, which are encrypted or hidden via VPN (virtual private networks). Thus, we cannot selectively block the illegal content unless we block the entire platform itself,” the company explained.
Globe said it was difficult to track down perpetrators on social media and encrypted messaging apps like WhatsApp, Messenger, Viber, Telegram, where they look for customers.
WhatsApp, Telegram, Viber, Messenger and other messaging platforms all say they do not allow the proliferation of child sex abuse imagery. WhatsApp said it has been using automated technology to scan group names, group descriptions and possible suspicious activity. Facebook, meanwhile, said the Messenger app has employed an artificial intelligence (AI) to detect content.
"I will have to understand better that position (Section 9 of the Data Privacy Act) because from the perspective of where we are coming from as a telco operator, that's very sophisticated," said Angel Redoble, PLDT’s chief information security officer. "But I don't think that’s doable because (1) we are not inspecting every photo and every video that is being accessed by our subscribers; (2) that is in violation of our privacy laws; (3) we are just a pass-through -- we are a telco. If you are familiar with the seven OSI layers -- application, session, transport, network, IP -- we do not operate on the layer seven, six and five. We only operate on the network layer, which is the IP and that is why we are only able to provide information about IPs, IP headers."
A priest’s campaign
Irish priest Shay Cullen, who founded the Olongapo-based child rights organization Preda Foundation, is one of the few advocates who have been challenging ISPs over their failures in protecting children.
Cullen has written opinion articles in newspapers and penned letters to ISP companies several times in the last 10 years, reminding them that they were capable of stopping these crimes but were more concerned about “losing subscribers.”
Preda’s campaign to hold ISPs responsible, he said, was met in 2020 with a “grudging, reluctant and miserable response.” He was told by the ISPs that they had blocked thousands of child pornography websites.
The 78-year-old priest admitted to having limited knowledge on technology but this has not stopped him from reminding ISPs of their responsibilities under the law.
Cullen had written letters and phoned AI developers that could help detect the transmission of exploitative imagery, including Microsoft and the Zyalin Group, a tech company from his hometown of Dublin, Ireland.
“I believe that if they (ISPs) have a good heart and they are interested in protecting Filipino children from this horrific abuse, they would certainly do something about it,” Cullen told the PCIJ.
Cloud storage services like Google Drive, Dropbox and Microsoft OneDrive have detection technologies that allow them to report online exchanges of child abuse materials.
But no technology has been developed by video call and social media platforms to detect livestream abuse, according to the Philippine Internet Crimes Against Children Center (PICACC).
Local and international law enforcement agents have decried the failure of ESPs to hatch aggressive steps to prevent the transmission of child sexual exploitation materials.
“Social media platforms are protecting their privacy. There might be good things about that, but the problem is this is being exploited by cybercriminals,” said Maj. Joseph Villaran of the Philippine National Police’s Anti-Cybercrime Group.
Lawyer Sheila Guico of the IJM Cebu Field Office said the timely detection of online exploitation would need the cooperation of ISPs and ESPs.
“I would say they would see a 180-degree turnaround and that would really mean a lot of survivors would be provided intervention,” she said.
Just this month, police rescued 14 children from at least three different households in an uphill farm village in Camarines Sur province in northern Philippines. Police Lt. Col. Lucrecio Rodrigueza Jr. said the barangay (village) chairman had told them the scheme was rampant in his area.
Lt. Noeralyn Tamayo, police deputy of the PICACC, said there had been a “communal acceptance” of OSEC in impoverished places, where families find easy money from trafficking their children and luring their neighbors into the scheme. (READ: The Filipino mothers selling their children for online sexual abuse)
“A neighbor would ask what they did to achieve [financial gain] and that’s where it begins,” Tamayo said.
Meanwhile, it’s the children who suffer the lasting impact of the abuse.
In 2017, social workers brought Abby back to her village in Cebu City to reintegrate her with her family. They found out that her family was incapable of taking her in, however, and the community was found unfit for a survivor of online sexual abuse.
“When you’ve been in this work for a long time, you’d see the red flags immediately. There were five young girls we saw going into a house we have been observing for days. We saw them going up the stairs,” Karen Navera, Abby’s social worker, told the PCIJ.
“You’d know what was up, immediately. We thought to ourselves: ‘The community stayed as it was even after the raid where Abby was rescued.’”
She suspected that the families in that community continued to peddle their children to online predators.
The social workers brought Abby back to Manila.
At about the time Abby went back for a visit, Archie Abala – the neighbor who was convicted of trafficking children in the village a decade ago – was released from prison. A discharge sheet from the Leyte Regional Prison showed that Abala was granted parole on July 31, 2017. He had since returned to the village, and was hired by the local government.
Voice of the Free, a nongovernment organization working against trafficking, said OSEC survivors should not be in the same community as their former abusers because it risked re-traumatizing the victims. END
PCIJ included Redoble's quote in full for a better understanding of PLDT-Smart's position.
Update: PLDT-Smart said in a letter that it has "made significant progress in the deployment of IPV6." These are developments that supposedly took place after the author's interview with company representatives in February 2021. The author asked for this information during the interview but the company did not provide them. PLDT-Smart also said that it is ahead of global statistics in IPV6 migration/adoption. According to Akamai data, the Philippines ranks 52nd out of more than 200 countries in IPV6 adoption. The same data indicates that only 11% of the country has migrated.
*Neil Jayson Servallos, an M.A. Journalism student at the UST Graduate School, originally wrote this story for one of his reporting classes. It was expanded into a series with the editorial guidance of the PCIJ.
*Illustration by Alexandra Paredes
*This story is supported by the Judith Neilson Institute’s Asian Stories project, in collaboration with ABS-CBN News, the South China Morning Post, The Korea Times and Tempo in Indonesia.