Lesson Objectives
At the end of this lesson, learners should be able to explain why cybercrime jurisdiction can extend beyond one physical location, understand the basic role of lawful investigative procedures, and identify responsible steps after an incident.
Why Location Is Complicated in Cybercrime
In a physical offense, the place where the act happened may be easy to identify. A cybercrime may involve a victim in one city, an offender in another country, a bank account in a third location, and a platform whose records are stored elsewhere.
Jurisdiction means the legal authority of a court or government to hear, investigate, or act on a matter.
Under RA 10175, Philippine jurisdiction may arise in several situations, including when the offense is committed by a Filipino national regardless of the place of commission, when an element of the offense occurs within the Philippines, when a computer system involved is situated wholly or partly in the Philippines, or when damage is caused to a person in the Philippines, subject to the law’s conditions.
This broad framework reflects the borderless nature of digital conduct, but international cases may still require cooperation with foreign governments, platforms, service providers, and financial institutions.
Preservation of Computer Data
Preservation means keeping existing data from being deleted, altered, or lost while lawful processes are undertaken.
Preservation is different from immediately handing all data to investigators. A provider may be required to retain specified data so that it remains available while the proper legal authority for disclosure is obtained.
RA 10175 and its implementing rules contain procedures involving preservation, disclosure, search, seizure, examination, custody, and destruction of computer data. These powers are subject to legal requirements, including court authority where required.
The Supreme Court also invalidated some of the original law’s investigative provisions. In particular, the Court declared unconstitutional the original broad real-time collection authority under Section 12 and the DOJ restriction-or-blocking power under Section 19.
This illustrates that cybercrime investigation remains subject to constitutional rights, privacy, due process, and judicial oversight.
Search, Seizure, and Examination of Digital Devices
A phone or laptop may contain highly personal information unrelated to the suspected offense. Lawful search and examination therefore require proper legal authority and procedural safeguards.
Search means looking for specified evidence.
Seizure means taking lawful custody of an item or data.
Examination involves inspecting the device or information to locate, recover, interpret, or analyze relevant evidence.
Possession of a device does not automatically authorize unrestricted examination of everything stored inside it. Investigators must act within the authority granted by law, a warrant, consent, or another recognized legal basis.
Chain of Custody
Chain of custody is the documented history showing who collected, handled, transferred, stored, examined, and presented an item of evidence.
For digital evidence, chain of custody helps demonstrate that the device or file presented later is connected to the original item and was protected against unauthorized alteration.
A chain-of-custody record may include the date and time of collection, description of the item, identifying details, names of handlers, transfer records, storage location, and actions performed during examination.
It does not automatically prove that the content is true. Rather, it supports the reliability of the handling process.
Screenshots and Original Evidence
Screenshots are useful because they capture what appeared on a screen at a particular moment. They may preserve usernames, posts, messages, dates, and visible transaction details.
However, screenshots have limitations. They may be cropped, edited, detached from the full conversation, or missing technical information. A screenshot may show what an account displayed but may not establish who controlled the account.
Whenever possible, users should preserve:
- the original device;
- the complete conversation;
- account links or profile addresses;
- original files and attachments;
- transaction records;
- dates and times;
- email headers;
- and official platform or financial records.
An email header is technical information attached to an email that may describe its route, sending servers, timestamps, and related details. It is different from the visible subject and message body.
Responsible Initial Response
After discovering a possible cybercrime incident, a person should first reduce further harm. This may involve stopping contact with the suspicious account, avoiding additional payments, changing compromised passwords through a secure device, and notifying affected banks, platforms, employers, or institutions.
Relevant information should be preserved rather than immediately deleted. The victim should record what happened while the details are fresh.
The victim should not retaliate by attempting to access the offender’s account, installing tracking software, threatening the suspect, or publishing unverified accusations. Such actions may destroy evidence, alert the offender, create additional legal problems, or expose innocent persons.
Reporting Channels
The proper reporting destination depends on the incident. A banking or digital-wallet fraud should be reported immediately to the financial provider so that available protective measures can be considered. A compromised workplace account should be reported to the organization’s information-technology or security team. Platform abuse should be reported through official platform mechanisms.
Serious incidents may also require reporting to law-enforcement or other competent government authorities. When a child may be at risk, child-protection and law-enforcement channels should be contacted promptly.
Delay can matter because online accounts may disappear, transactions may continue, and service providers may retain records only for limited periods.
Professional and Practical Relevance
Organizations should develop an incident response plan. This is a written procedure explaining what employees should do when a cyber incident occurs.
A useful plan identifies:
- who must be contacted;
- how accounts should be secured;
- how evidence should be preserved;
- who may communicate with clients or the public;
- when legal counsel or law enforcement should be involved;
- and how normal operations will be restored.
Planning before an incident reduces panic and prevents well-intentioned employees from deleting evidence or making unauthorized public statements.
Key Takeaways
- Cybercrime jurisdiction may involve several locations and countries.
- Preservation keeps data from being lost while lawful procedures are pursued.
- Searches and examinations of digital devices remain subject to legal authority and constitutional safeguards.
- Chain of custody documents the handling of evidence.
- Screenshots are useful but should not automatically replace original records.
- Victims should secure accounts, preserve information, report promptly, and avoid retaliation.