Cybercrime Complaint for Illegal Access Under the Cybercrime Prevention Act of 2012

1) The legal foundation: what “Illegal Access” is under Philippine cybercrime law

The primary statute is Republic Act No. 10175, the Cybercrime Prevention Act of 2012, which criminalizes certain acts when committed through or against computer systems.

The offense: Illegal Access

Under Section 4(a)(1) of R.A. 10175, Illegal Access is essentially accessing the whole or any part of a computer system without right.

Key idea: The law targets the unauthorized entry itself—often described colloquially as “hacking,” though “hacking” can also refer to other cybercrime acts depending on what was done after access.

“Without right” (the pivot point)

“Without right” generally means without authority, permission, or legal justification. In practice, disputes often revolve around:

  • whether the complainant actually restricted access (passwords, role-based access, policies),
  • whether the respondent had legitimate credentials and scope (e.g., employee access but exceeded authorized scope),
  • whether there was consent (explicit or implied),
  • whether the system owner had the right to grant consent.

What counts as a “computer system”

This is typically broad and includes:

  • laptops/desktops/servers,
  • mobile phones and tablets,
  • cloud accounts and hosted environments,
  • email, social media, and business platforms,
  • internal company systems (ERP/HRIS/CRM),
  • databases and admin panels,
  • routers, network appliances, and sometimes IoT devices.

The practical test is whether it is a device or set of devices that performs automated processing of data and can be accessed (locally or remotely).

2) Elements of Illegal Access: what you must prove in a complaint

A cybercrime complaint is strongest when it is organized around the elements prosecutors look for.

Element A — There was “access”

You must show some form of entry into the system, such as:

  • successful login events,
  • admin panel access,
  • mailbox access,
  • file share access,
  • remote access sessions,
  • API access and token use,
  • database queries initiated by the user/session.

Access does not require permanent damage, copying, or alteration—those are separate offenses (data interference/system interference) that may be charged in addition to illegal access.

Element B — The target was a “computer system” (or a part of it)

Identify the system precisely:

  • the account (email address/username),
  • the platform (e.g., corporate Google Workspace, Microsoft 365, website admin panel),
  • the machine (hostname/device name, asset tag),
  • the server or cloud tenant,
  • the database or specific folder.

Element C — The access was “without right”

This is proven through:

  • ownership or control of the system by the complainant (or by the organization),
  • access control settings (passwords, MFA, IP restrictions, role permissions),
  • policies and user agreements,
  • termination notices (for ex-employees),
  • written revocation of permission,
  • proof the credentials used were stolen/guessed/phished, or otherwise not authorized.

Element D — Attribution to the respondent

The hardest part in many cases is linking a person to the access. Typical attribution evidence includes:

  • IP logs correlated with ISP subscriber info (usually requiring lawful process),
  • device fingerprints/session identifiers,
  • MFA prompts and approvals,
  • recovery email/phone changes,
  • internal CCTV/entry logs if access happened from a workplace,
  • admissions (chat messages, emails),
  • witness testimony (IT staff).

3) How Illegal Access differs from related cybercrime offenses (why this matters in drafting charges)

Illegal access is often only one part of the story. Depending on what happened after entry, other provisions may apply:

a) Illegal Interception

If communications were intercepted (sniffing, wiretapping-like capture, unauthorized reading of transmissions), a different subsection may apply.

b) Data Interference

If data was altered, deleted, deteriorated, or suppressed—charges can shift beyond mere access.

c) System Interference

If the attacker hindered the functioning of the system (DDoS, disabling services, locking admins out), that may be charged separately.

d) Misuse of Devices

If tools/passwords/access codes were possessed or distributed for committing cybercrime, this can be an additional charge.

e) Computer-related Identity Theft / Fraud / Forgery

If the unauthorized access was used to impersonate someone, steal credentials, transact, or defraud, prosecutors often consider these provisions, sometimes alongside offenses under other laws (and, in some cases, Revised Penal Code provisions depending on the fact pattern).

Why it matters: If your complaint alleges only “illegal access” but your evidence clearly shows data deletion, impersonation, or fraud, you may undersell the case. Conversely, overcharging without evidence can weaken credibility. A good complaint narrates the incident and matches each act to a specific offense.

4) Penalties, attempt, and participation (how liability expands)

Penalty framework

R.A. 10175 contains a penalty structure by category of offense. Illegal access falls under the cyber-offenses in Section 4(a). Penalties commonly include imprisonment (often in the prision mayor range) and/or a substantial fine, depending on the precise classification and any accompanying offenses.

Because penalty interpretation can be charge-specific and fact-sensitive (especially when multiple offenses are alleged), complaints should focus on facts and evidence; the prosecutor applies the appropriate penalty provisions when drafting the Information.

Attempt and aiding/abetting

Even if the intruder did not succeed (e.g., repeated password attempts, failed MFA, blocked access), attempt can still be chargeable under R.A. 10175’s provisions on punishable participation.

Also, people who did not personally log in can still be liable if they:

  • supplied credentials,
  • instructed another person,
  • paid for the intrusion,
  • provided tools or infrastructure,
  • knowingly benefited from the intrusion.

Corporate/juridical persons

If the act was done through or for a corporation (and it’s supported by evidence), R.A. 10175 contemplates liability mechanisms for juridical entities, usually implemented through fines and accountability of responsible officers.

5) Jurisdiction and venue: where you can file (and why cyber cases are flexible)

Cybercrime is uniquely “borderless,” so Philippine rules recognize multiple connection points.

In general, Philippine authorities can act where any essential element of the crime occurred, which in cyber cases can include:

  • where the offender was located when accessing,
  • where the victim or affected system is located,
  • where the data or service provider infrastructure is located (in some situations),
  • where the damage or effect was felt.

Practically, complainants often file where:

  • they reside or principally do business,
  • the system owner/IT office is located,
  • the respondent is located (if known),
  • the local prosecutor’s office has practical access to law enforcement cyber units.

Cybercrime cases are commonly tried in designated cybercrime courts (a matter handled institutionally by the judiciary), but from the complainant’s standpoint, the immediate concern is getting the complaint into the preliminary investigation pipeline.

6) Who you complain to: the usual entry points

A cybercrime complaint is typically built as a criminal complaint-affidavit and lodged for investigation and prosecution support.

Common institutions involved include:

  • Philippine National Police (particularly its cybercrime units),
  • PNP Anti-Cybercrime Group,
  • National Bureau of Investigation (cybercrime-capable divisions),
  • Department of Justice (policy/prosecution oversight; offices involved in cybercrime coordination),
  • Cybercrime Investigation and Coordinating Center (coordination and policy role; not typically your first stop for filing evidence-heavy complaints, but relevant in ecosystem terms).

Core pathway: For prosecution, complaints typically move through the Office of the City/Provincial Prosecutor for preliminary investigation when the penalty threshold requires it (as many cyber offenses do).

7) The anatomy of a strong cybercrime complaint for illegal access

A. The Complaint-Affidavit (what it should contain)

A good complaint-affidavit is chronological, specific, and evidence-led:

  1. Parties
  • Complainant’s name, address, contact details
  • Respondent’s name and address (or “John/Jane Doe” if unknown)
  • Relationship (ex-employee, acquaintance, competitor, stranger, etc.)
  1. The system/account
  • What was accessed (email, server, admin panel, device)
  • Who owns/controls it (you personally or your company)
  • How access is normally restricted (password, MFA, admin permissions)
  1. Discovery timeline
  • When you noticed something wrong
  • What alerts/logs you saw
  • Any user-reported anomalies
  1. Specific unauthorized access facts
  • Date/time stamps (with time zone if available)
  • IP addresses and geolocation flags (if shown by the platform)
  • Devices/browsers shown in security logs
  • Failed login attempts and lockouts
  • Password reset events
  • MFA prompt history
  • “New device signed in” notifications
  • Changes to recovery email/phone/security settings
  • Creation of forwarding rules, filters, new admin users (if applicable)
  1. Why it was “without right”
  • You never gave permission
  • Any permission was revoked (and when/how)
  • The respondent had no role requiring access
  • The access bypassed controls (stolen credentials, phishing, guessing)
  1. Attribution facts

  • Why you believe it was the respondent:

    • motive,
    • opportunity,
    • technical indicators,
    • admissions,
    • correlating evidence (e.g., access times matching the respondent’s known presence/usage)
  1. Damage/effects (even if not required)
  • Business disruption
  • Exposure risk
  • Loss of confidentiality
  • Remediation cost
  • Emotional distress (if personal account)
  • Secondary harms (fraud attempts, impersonation, reputational issues)
  1. Reliefs/requests
  • Request for investigation and prosecution for Illegal Access under Sec. 4(a)(1), R.A. 10175
  • Request for identification of offender if unknown
  • Request for lawful preservation of relevant logs and data

B. Supporting affidavits (often overlooked but powerful)

  • IT Administrator Affidavit: explains logs, access controls, security architecture, how to interpret entries.
  • Custodian of Records Affidavit: for company-owned systems.
  • Witness Affidavits: those who received suspicious emails/messages, observed unusual behavior.

8) Evidence: what usually convinces prosecutors in illegal access cases

1) Platform security logs

Examples:

  • Google/Microsoft sign-in logs
  • Facebook/Instagram login activity (for account takeover cases)
  • Website server logs (nginx/apache)
  • VPN logs
  • Firewall/router logs
  • Endpoint detection logs (EDR)

Best practice: Export logs in native format and also generate a human-readable summary.

2) Screenshots—useful but not enough alone

Screenshots help, but cyber cases often fail when the only evidence is screenshots without:

  • underlying logs,
  • verification by an IT custodian,
  • timestamps and context.

3) Email headers and message metadata

If the intruder sent emails from your account, preserve:

  • full headers,
  • message IDs,
  • forwarding rules,
  • recovery change confirmations.

4) Device evidence (when available)

If the access involved a device you possess:

  • preserve the device,
  • stop “cleaning” it,
  • document chain of custody.

5) Authentication and integrity (electronic evidence)

Philippine practice relies heavily on:

  • proper identification of the electronic document,
  • proof of integrity,
  • reliable extraction methods,
  • testimony of the person who generated/extracted the record or who can explain system reliability.

This is where IT affidavits matter.

9) Preservation, lawful process, and the “you can’t just subpoena it yourself” reality

Many key records are held by service providers (email platforms, social media, ISPs). In the Philippines, obtaining subscriber info and non-public logs generally requires lawful process—typically through law enforcement coordination and court-authorized mechanisms.

Preservation

Early in the case, you want logs preserved before they rotate out. Your complaint should include:

  • exact account identifiers,
  • exact time ranges,
  • request that investigators seek preservation orders as appropriate.

Court-issued cyber warrants and court orders

Philippine cyber investigations often use specialized court processes for:

  • search and seizure of computer devices/data,
  • disclosure of traffic data and other stored data,
  • preservation and examination of computer data.

From a complainant perspective, the key is: provide enough specificity so investigators can seek the proper court authorization.

10) The procedural path: from complaint to court

Step 1 — Prepare and file the complaint-affidavit

You file your complaint (with annexes) with the appropriate prosecutor’s office and/or through law enforcement cybercrime units who can assist with evidence handling.

Step 2 — Preliminary investigation

If the offense carries a penalty that requires preliminary investigation, the process usually includes:

  • respondent is sent a subpoena and given time to submit a counter-affidavit,
  • complainant may reply,
  • clarificatory hearing may be set (or resolved on submissions),
  • prosecutor issues a resolution: dismiss or find probable cause.

Step 3 — Filing of Information in court

If probable cause is found, the case is filed in court, and the case proceeds through arraignment, pre-trial, trial, and judgment.

Step 4 — Parallel civil action (optional, fact-dependent)

Criminal cases can carry civil liability. Separate civil actions may also be considered depending on the harms (breach of contract, tort, damages), but strategy depends on facts and counsel assessment.

11) Common pitfalls that lead to dismissals (and how to avoid them)

  1. Vague system description
  • “My account was hacked” without identifying the platform, account ID, and access logs.
  1. No proof of unauthorized access
  • Suspicion without security logs, notifications, or IT attestations.
  1. Attribution is speculative
  • Naming a respondent without technical or circumstantial linkage.
  1. Evidence integrity issues
  • Edited screenshots, missing originals, inconsistent timestamps.
  1. Delayed reporting
  • Logs expire; service provider retention windows pass.
  1. Overinclusive allegations
  • Claiming multiple crimes without evidence for each element.

12) Defenses and contested issues respondents commonly raise

  1. Authority/consent
  • “I was allowed access,” “shared password,” “I was an admin,” “I was tasked to do it.”
  1. Scope of authorization
  • Even if authorized generally, did they exceed permitted scope? This can be nuanced.
  1. Identity and access by third parties
  • “My device was stolen,” “someone else used my Wi-Fi,” “account was compromised,” “I was framed.”
  1. Unreliable logs or lack of custody
  • Challenge how logs were generated, stored, and presented.
  1. No “access” occurred
  • Attempted access only; or the logs show failed attempts rather than entry (though attempt may still be relevant under the law’s participation provisions).

13) Drafting guide: what to attach as annexes

Typical annex pack:

  • Annex A: Screenshot of security alert (“new login,” “password changed,” “MFA prompt”)
  • Annex B: Exported sign-in/activity log (CSV/PDF/system report)
  • Annex C: Proof of account ownership (billing, admin console ownership, registration emails)
  • Annex D: Affidavit of IT admin / custodian of records
  • Annex E: Copies of suspicious emails/messages with full headers (if applicable)
  • Annex F: Timeline table (date/time/event/evidence reference) — optional but helpful
  • Annex G: Demand letter / revocation notice (if respondent is known and previously had access)
  • Annex H: Proof of damages (incident response costs, business disruption notes)

14) Special scenarios in Philippine practice

A. Insider access (employee/ex-employee)

Cases often hinge on:

  • when employment ended,
  • whether credentials were disabled,
  • what role permissions were,
  • written policies on authorized access and monitoring.

B. Shared passwords and family/relationship accounts

If credentials were voluntarily shared, “without right” becomes contested. Prosecutors look at:

  • whether permission was revoked,
  • whether access exceeded the agreed purpose,
  • whether there were clear account ownership boundaries.

C. Cloud/SaaS systems

Logs are usually strong, but preservation and lawful disclosure become crucial.

D. Unknown offender (“John Doe”)

You can file against an unknown person if:

  • you show illegal access occurred,
  • you provide leads for attribution (IP addresses, timestamps, platform case IDs),
  • you request investigative steps.

15) Practical checklist before filing

  • Freeze your narrative timeline (write down dates/times/events)
  • Export security logs immediately
  • Preserve original notifications and emails (including headers)
  • Change passwords and enable MFA (do not destroy evidence—document what you changed and when)
  • Identify all possible access points (email, recovery email, phone number, SIM, authenticator app)
  • Get an IT affidavit if the system is corporate/technical
  • Prepare a clean annex index and label each attachment
  • Use precise statutory citation: Sec. 4(a)(1), R.A. 10175
  • Avoid speculation; state what you know, what logs show, and why it indicates unauthorized access

16) Short complaint template (structure you can adapt)

COMPLAINT-AFFIDAVIT I, [Name], of legal age, Filipino, and residing at [Address], after being duly sworn, state:

  1. I am the owner/authorized representative of [Account/System], specifically [identify system/account].
  2. On [date/time], I discovered unauthorized access to [system/account] as shown by [describe logs/alerts].
  3. The access originated from [IP/device/location indicator], at [timestamps], and involved [events: login, password reset, recovery change, forwarding rule, etc.].
  4. I did not authorize any person, including [Respondent/John Doe], to access the system at those times, and such access was without right.
  5. I believe [Respondent] is responsible because [state concrete technical/circumstantial reasons].
  6. The unauthorized access caused [effects/damages].
  7. I am executing this affidavit to file a criminal complaint for Illegal Access under Sec. 4(a)(1), R.A. 10175, and for such other offenses as the evidence may warrant.

Attached are true copies of supporting documents marked as Annexes “A” to “__”.

IN WITNESS WHEREOF, I have hereunto set my hand this __ day of __ in Philippines.

[Signature] [Name]

SUBSCRIBED AND SWORN before me…

17) Bottom line

A Philippine cybercrime complaint for Illegal Access succeeds when it does three things clearly:

  1. Shows the access event with reliable logs and timestamps,
  2. Establishes lack of authority (“without right”), and
  3. Links the event to the respondent through technical indicators and corroborating circumstances—supported by affidavits that make electronic evidence understandable and credible.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login