Blog

Deepfakes, Troll Farms, and a Bill That Might Criminalize the Wrong People

Stylized illustration of a shield protecting a speech bubble, representing cybersecurity and press freedom

Cybersecurity and press freedom used to be separate conversations in the Philippines. A disinformation bill with heavy prison penalties made them the same one.


Three Filipino journalists were shot dead in 2025. The International Federation of Journalists counted them among 128 media workers killed worldwide that year (FMA / Human Rights Online Philippines). In the same stretch, the government exposed over 52 million credentials in a single quarter of data breaches, and reported phishing links nearly quadrupled (CYFIRMA; Learning News). Cybersecurity and press freedom used to sit in different chapters of the national conversation. In the Philippines right now, they are the same chapter.

The bill that split the disinformation debate

In May 2026, the House passed the Digital Media Anti-False Information Act on second reading. Its sponsors describe it as a tool to dismantle troll farms and coordinated disinformation networks ahead of elections. Human Rights Watch reads the same bill differently: vague definitions of "false information," penalties of six to twelve years in prison, and a provision targeting content coordinated with foreign actors broad enough to sweep up ordinary journalists reporting on legitimate diplomatic contact (Human Rights Watch).

That is the tension running through nearly every piece of Philippine digital policy this year. Everyone agrees troll farms are a real problem. Nobody agrees on how to write a law that stops them without giving the state a lever to decide what counts as truth.

DICT's separate proposal to require identity verification for all social media users sits in the same bind. Framed as an anti-abuse measure, it drew immediate pushback from digital rights and privacy advocates before DICT walked it back to a voluntary system (FMA Digital Rights Round-up, January 2026). The pattern repeats: a real harm, a broad proposed fix, a civil society pushback that softens it before it becomes law.

The threat landscape behind the policy debate

The policy fights are not happening in a vacuum. The Philippine National Police has publicly backed stronger laws specifically targeting AI-generated deepfakes and troll farm operations, calling them a national security risk rather than a nuisance (FMA, May 2026). Cybersecurity firm Whoscall's country lead has described the rise of "emotion-engineered fraud," AI-driven scams built specifically to exploit Filipino values like trust in family and community rather than generic phishing tricks.

CYFIRMA's 2025-2026 threat assessment for the Philippines describes something bigger than isolated breaches: automated, AI-driven campaigns targeting trust and identity at scale, compounded by Chinese state-linked cyber-espionage activity tied to South China Sea tensions (CYFIRMA). The Department of National Defense responded by formally launching an IT and cybersecurity governance circular at CYBERCON 2025, the first standardized framework of its kind for the department (FMA, December 2025).

Meanwhile, women public figures carry a disproportionate share of the harm. UN Women's 2026 data shows reports of online violence against women journalists doubling since 2020, and technology-facilitated abuse has become a documented tool for silencing Filipino women human rights defenders specifically (FMA, April 2026).

Disinformation as a business risk

A February 2026 BusinessWorld analysis put a number on public sentiment: 67% of Filipinos say they are concerned about misinformation online, the highest share recorded since the Reuters Institute began tracking the country in 2020, and above the global average of 58% (BusinessWorld). ManageEngine's chief IT security evangelist frames disinformation bluntly as a core business risk that belongs inside a company's cybersecurity strategy, not a separate PR function.

That framing matters for anyone doing digital advocacy work in the Philippines. A civil society organization defending press freedom and a bank defending its brand against fake product warnings are, increasingly, fighting the same infrastructure of coordinated inauthentic accounts.

Reading the threat before it hits the news cycle

Government advisories and FMA's monthly Digital Rights Round-up (fma.ph) remain the most reliable trackers of Philippine cyber policy, but they lag the public conversation by days or weeks. Reddit threads on r/Philippines often surface a scam pattern, a phishing wave, or a new troll farm tactic before it becomes a formal PNP advisory, because the people getting scammed post about it in real time. TikTok plays a parallel role for younger users: creators dissecting the "false information" bill in sixty-second explainers, or walking through how to spot an AI-cloned voice call, often reach a wider Gen Z audience than the Senate hearing they're summarizing. Anyone building digital literacy or advocacy content for a Filipino audience should treat those platforms as early-warning feeds, not distractions from the "real" policy work.

What advocacy groups are asking for

Strip away the technical language, and most digital rights advocates in the Philippines are asking for the same three things: narrow legal definitions that cannot be stretched to target journalists, independent oversight of any content-takedown power, and cybersecurity investment that protects citizens' data without expanding state surveillance of citizens' speech. The Cybersecurity Act, still pending, is the bill most industry groups want passed first, precisely because it targets infrastructure and breach response rather than speech (Learning News).

Whether the Philippines gets a disinformation law that survives that test, or one that becomes a tool against the people it claims to protect, is still an open question. It will not be settled by a press release. It will be settled in committee markup, line by line.

Further reading