How to Protect Your Identity from AI Deepfakes under the Cybercrime Prevention Act

Introduction: Deepfakes as an identity and reputation threat

AI deepfakes can copy your face, voice, and mannerisms to create convincing fake videos or audio. In the Philippines, these materials are often used for fraud (for example, “boss” voice-clone scams), harassment, reputational attacks, and identity misuse in online transactions.

The legal response is not limited to one statute. Still, the Cybercrime Prevention Act of 2012 (Republic Act No. 10175, September 12, 2012) is frequently the most direct criminal-law tool because it covers computer-related identity theft and can elevate penalties when traditional offenses are committed through information and communications technology (ICT).

What the law means by “identity” misuse in cybercrime cases

Deepfakes usually involve one or more of these acts: (a) acquiring or using personal identifying information without permission, (b) creating deceptive content to make others act (send money, reveal OTPs, click links), or (c) publishing false material that harms a person’s name or safety.

Republic Act No. 10175 recognizes computer-related identity theft as a cybercrime offense: the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another without right. This directly covers many deepfake-enabled identity attacks where a person’s name, face, voice, or other identifiers are exploited.

Why the Cybercrime Prevention Act (RA 10175) is often the primary defense

RA 10175 is commonly the first statute considered because it addresses both (1) cyber-specific crimes (including identity theft), and (2) cyber-enabled crimes, where an offense under the Revised Penal Code or a special law is committed through ICT and becomes punishable with a higher penalty under the law’s penalty provision for cyber-related offenses.

When a deepfake is used to deceive others for money, obtain confidential information, or damage reputation, prosecutors and complainants typically evaluate RA 10175 alongside other penal provisions depending on the facts.

Common deepfake scenarios and the most relevant legal hooks

1) Voice-clone scams and “boss instructions” to transfer money

Scenario: An employee receives an urgent voice note that sounds like the CEO ordering an immediate bank transfer. The voice is AI-generated. The money is sent to a mule account.

Possible legal directions include computer-related fraud and identity theft under RA 10175, plus other fraud provisions depending on the method used and the evidence available. RA 10175 is often central because the deception is executed through ICT.

2) Deepfake sexual content used for extortion or harassment

Scenario: A person’s face is inserted into explicit material and then sent to family members with threats demanding payment.

Depending on the evidence, legal directions may include cyber-related offenses and related crimes that involve unlawful creation, possession, distribution, or coercion, with RA 10175 used to capture the ICT component and support cybercrime warrants for preserving and obtaining data.

3) Fake “news” videos that damage reputation

Scenario: A fabricated video shows someone “admitting” to a crime or immoral act, posted publicly on social media and widely shared.

The law treats online speech differently in terms of reach and impact. The Supreme Court has recognized that internet media has a distinct culture and scale, and has discussed constitutional limits in regulating online speech. It sustained the validity of cyberlibel as an offense under RA 10175 while striking down certain related provisions for their chilling effect. This matters because deepfakes are frequently disseminated in ways that implicate online speech rules.

Governing legal authorities in the Philippines

Cybercrime Prevention Act of 2012 (RA 10175, September 12, 2012)

RA 10175 defines punishable cybercrime acts and provides mechanisms for investigation and evidence gathering. For deepfakes, the most frequently relevant provisions are those on computer-related identity theft, computer-related fraud, and the concept of cyber-enabled offenses where penalties may increase when the crime is committed through ICT.

RA 10175 also defines related acts such as cyber-squatting, which may become relevant when scammers register domain names similar to a victim’s name or brand to support a deepfake scam.

Rules on Cybercrime Warrants (A.M. No. 17-11-3-SC, 2018)

Deepfake incidents move quickly: posts go viral, accounts get deleted, and platforms rotate logs. The Rules on Cybercrime Warrants provide procedures for courts to issue warrants and orders related to preservation, disclosure, search, seizure, and examination of computer data in cybercrime investigations.

For victims, these tools matter as much as the penal provisions because deepfake cases are often won or lost on whether electronic evidence is preserved early and collected through proper legal channels.

Supreme Court guidance on online speech and cybercrime

Philippine jurisprudence has repeatedly emphasized that online platforms change how speech spreads and how harm occurs. In discussing cyberspace and the constitutionality of regulating online speech, the Supreme Court has noted differences between internet media and print, sustained the constitutionality of cyberlibel, and rejected certain provisions that could chill speech too broadly.

In later cases involving online conduct, the Court has also discussed user responsibility regarding privacy tools and online settings, underscoring that internet users must exercise care in protecting their online privacy where tools are available.

Related government issuances affecting cybercrime case handling

From a prosecution and monitoring standpoint, the Department of Justice has issued guidelines affecting reporting and tracking of cybercrime and cyber-related cases. DOJ Department Circular No. 008 (2019) prescribes inventory and reporting requirements to the DOJ Office of Cybercrime, emphasizing proper identification of the specific cybercrime or cyber-related offense charged and the case status.

What you must prove in identity-related cybercrime complaints involving deepfakes

Deepfake incidents vary, but most successful complaints rely on clear proof in three areas: (1) identity misuse, (2) deception or wrongful intent, and (3) traceable digital evidence linking the suspect to the creation, upload, or use of the deepfake.

Elements that often matter for computer-related identity theft

For computer-related identity theft under RA 10175, the prosecution commonly focuses on showing: (a) the presence of identifying information belonging to another, (b) intentional acquisition, use, misuse, or transfer of that information, and (c) lack of right or authority.

In deepfake contexts, “identifying information” can include the victim’s name, voice, face, likeness, social media identifiers, and other data that enables others to believe the content is genuinely the victim.

When fraud and reputational harm become the center of the case

If the deepfake is used to cause others to send money, reveal credentials, or take harmful steps, investigators and prosecutors often prioritize fraud-type offenses (including computer-related fraud under RA 10175). If the deepfake is published to destroy reputation or provoke harassment, cyberlibel and related theories may be evaluated depending on content, dissemination, and available evidence.

Evidence: what to preserve immediately (before accounts disappear)

Victims should treat early evidence capture as urgent. Online content can be deleted, hidden, or made private within minutes. What matters is not only screenshots, but also metadata and platform records that can connect a deepfake to an uploader and devices.

Minimum evidence checklist

  • Direct copies of the deepfake files (download the video/audio when possible).
  • Screenshots showing the post URL, username/handle, timestamps, and comments.
  • Screen recordings showing the content being played and the account page.
  • Conversation logs if the deepfake was sent via chat (including message headers if available).
  • Witness statements from recipients who were deceived or threatened.

These items support later court applications under the Rules on Cybercrime Warrants and help investigators target the correct accounts, numbers, and devices.
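
An added example, not part of the original article: one way to show later that the captured copies listed above were not altered is to record a SHA-256 hash for each file in a manifest at capture time and re-check it before handing the files over. The hashing step, the evidence-kind names, and the manifest layout are assumptions of this example, not requirements stated in the Rules on Cybercrime Warrants.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Evidence kinds mirror the checklist above; the names are this example's own.
KINDS = {"deepfake_file", "screenshot", "screen_recording", "chat_log", "witness_statement"}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large video files are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def record_item(path, kind, post_url=None, handle=None):
    if kind not in KINDS:
        raise ValueError(f"unknown evidence kind: {kind}")
    p = Path(path)
    return {
        "file": p.name,
        "kind": kind,
        "sha256": sha256_file(p),
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "post_url": post_url,   # URL of the post the copy was taken from
        "handle": handle,       # username/handle shown on the account page
    }

def write_manifest(items, manifest_path):
    Path(manifest_path).write_text(json.dumps(items, indent=2), encoding="utf-8")

def verify_manifest(manifest_path, evidence_dir):
    """Return the files that are missing or no longer match their recorded hash."""
    items = json.loads(Path(manifest_path).read_text(encoding="utf-8"))
    changed = []
    for item in items:
        p = Path(evidence_dir) / item["file"]
        if not p.is_file() or sha256_file(p) != item["sha256"]:
            changed.append(item["file"])
    return changed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed sample, not real evidence
        clip = Path(d, "voice_note.ogg")
        clip.write_bytes(b"constructed sample audio bytes")
        write_manifest([record_item(clip, "deepfake_file", handle="@example")], Path(d, "m.json"))
        print(verify_manifest(Path(d, "m.json"), d))
```

Keep the manifest together with a read-only copy of the files, and work only on duplicates when reviewing the material.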

How cybercrime warrants help in deepfake cases

The Rules on Cybercrime Warrants (A.M. No. 17-11-3-SC, 2018) allow law enforcement, through court processes, to compel preservation and disclosure of computer data and to search and examine devices and stored data where justified.

What victims should understand about preservation and disclosure

In many deepfake cases, identifying the perpetrator requires platform-side data (account registration details, IP logs, device identifiers) and telco or service provider records. The cybercrime warrant system exists to obtain these through judicial authorization, rather than informal requests that may fail or violate due process.

Bank and financial account information: limits and what can be obtained

Deepfake scams often end in bank transfers or e-wallet transactions. The Supreme Court has addressed how cybercrime investigations intersect with bank secrecy and subscriber information disclosure, recognizing that basic identifying information may be disclosed under a valid court-issued warrant to disclose computer data (WDCD) in the context of cybercrime investigations, without treating RA 10175 as a repeal of bank secrecy protections.

This distinction matters in tracing money mules and fraud networks while preserving statutory confidentiality of deposits.

Preventive measures to reduce deepfake risk

Criminal remedies help after harm occurs. Prevention lowers exposure and strengthens later claims by showing careful account security practices.

Account, device, and identity controls

  • Harden account security: enable multi-factor authentication, update recovery emails/phone numbers, and use unique passwords.
  • Limit voice and face samples: consider reducing public access to long videos with clear voice and face angles if you are high-risk (executives, public figures, finance personnel).
  • Set internal verification protocols: for businesses, require call-backs on known numbers, dual approvals for transfers, and “no voice-note approvals” for high-value transactions.
  • Use privacy tools on social media and review changes in privacy settings regularly; the Supreme Court has noted the importance of user diligence in using available privacy controls.

Reputation defense and incident response steps

Deepfakes thrive on delay. A disciplined response can reduce spread and preserve evidence for prosecution.

  1. Preserve evidence before reporting/removing content.
  2. Report to the platform using impersonation/deceptive media reporting channels.
  3. Notify affected contacts that the media is fake, especially those likely to be targeted for scams.
  4. File a police report with cybercrime units and prepare for complaint-affidavit drafting.
  5. Coordinate for cybercrime warrants where identification of the uploader requires platform logs and related records.

Summary table: Deepfake risk and legal responses under Philippine cybercrime tools

| Deepfake scenario | Typical harm | Often relevant legal direction | Evidence that matters most |
| --- | --- | --- | --- |
| Voice-clone “urgent transfer” | Financial loss | RA 10175 computer-related fraud; identity theft; cyber-enabled offenses | Chat/audio file, transfer records, recipient account details, device/platform logs |
| Deepfake impersonation of a person online | Identity misuse, deception | RA 10175 computer-related identity theft | Account profile capture, URLs, timestamps, metadata, platform registration/log data |
| Fabricated “confession” video posted publicly | Reputational damage, harassment | Cyberlibel evaluation under RA 10175; related offenses depending on content | Original post, shares, comments, account identifiers, preservation of copies |
| Deepfake explicit content + extortion | Emotional distress, coercion | Cyber-related offenses; warrant tools for preservation and identification | Threat messages, payment demands, files, identities of recipients, platform logs |

Final observations

AI deepfakes are a modern form of identity abuse, but Philippine law already supplies strong tools to respond. The Cybercrime Prevention Act of 2012 (RA 10175) provides direct criminal hooks for identity theft and fraud and supports evidence-gathering through court-supervised cybercrime warrant processes under A.M. No. 17-11-3-SC (2018).

For victims and counsel, the most important steps are rapid evidence preservation, early coordination for cybercrime warrants where platform data is needed, and consistent security and verification protocols that reduce exposure to impersonation and deception.

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.
