Review of Draft Nigerian Cybercrime Act
By
Femi Oyesanya
Several months ago, the Nigerian President announced
After many weeks of deliberations, the committee presented a Draft Cybercrime Act to the President and formed the Nigerian Cybercrime Working Group (NCWG) to accelerate its Cybercrime research efforts and to assist the Nigerian National Assembly in the quick passage of a Cybercrime Bill.
An essential document that came out of the closed door Presidential Committee on Cybercrime, is the “Draft Nigerian Cybercrime Act”. This paper provides an in-depth review of that document.
In summary, the Draft Nigerian Cybercrime Act provides the legal framework for the establishment of an independent Cybercrime Agency and for legislation on Cybercrime and Cyber-Security. The Draft Nigerian Cybercrime Act is divided into eight sections, namely: A) PRELIMINARY, B) OFFENSES, C) PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE, D) ANCILLARY AND GENERAL PROVISIONS, E) CYBERCRIME & CYBERSECURITY AGENCY: ESTABLISHMENT OF THE CYBERCRIME AGENCY, ETC., F) FUNCTIONS AND POWERS OF THE AGENCY, G) MANAGEMENT AND STAFF OF THE AGENCY, H) FINANCIAL PROVISIONS.
The Presidential Committee on Cybercrime consisted of members from the government and the private sector. The composition of the group included: the National Security Advisor, the Justice Minister, the Minister of Science and Technology, the Chairmen of the Senate and House of Representatives Committees on Science and Technology, the Inspector-General of Police, the State Security Service, the National Intelligence Agency, the Economic and Financial Crimes Commission, the Nigerian Communications Commission, the National Information Technology Development Agency, the Nigerian Computer Society, the Internet Services Providers Association of Nigeria, and the Nigerian Internet Group.[1]
The composition of the group was well represented, except for the omission of academia and the military. It is surprising that the Nigerian Government did not see a need to include any Nigerian university or any branch of the Nigerian military. This omission matters because, historically, most of the research underlying old and new Cybercrime technology originated either in studies conducted by the military or in research efforts from the academic community. The Internet itself was largely a creation of the US Department of Defense, and several digital security initiatives can be traced to academic institutions.
REVIEW OF CYBERCRIME COMMITTEE ORGANIZATIONAL DYNAMICS
Once the Presidential Committee on Cybercrime began its deliberations, sources within the committee reported that inter-agency turf issues soon emerged. Rather than focusing
In short, the committee lost focus. Rather than deliberating on the creation of a Cybercrime model geared at attaining strategic synergy and efficiency, turf issues became dominant. At a time when the Nigerian Government was announcing to the world key economic reform programs such as the National Economic Empowerment and Development Strategy (NEEDS), why did the Presidential Committee on Cybercrime not bother to evaluate economic efficiency models as they relate to the creation of an independent Cybercrime Agency? Why did it not consider issues such as duplication of resources? The Nigerian government is already investing millions into the creation of a Financial Intelligence Unit (FIU); would an organizational synergy of the FIU and Cybercrime not benefit
Now, we have the Minister of Finance, Ngozi Okonjo-Iweala, at a recently concluded World Economic Forum saying she is
The Presidential Committee on Cybercrime needs to research the various models underlying the creation of an independent Cybercrime Agency. The focus of the research should be on efficiency and effectiveness. Questions such as duplication of resources should be addressed, and a feasibility study of all proposed Cybercrime organizational
REVIEW OF HARMONIZATION PRACTICE WITHIN THE COMMITTEE
A 419 email letter that originates from Nigeria and targets a victim elsewhere in the world may violate not only the territorial laws of Nigeria but also those of the victim's jurisdiction. Digital evidence trails for such a case may be found along the electronic pathway through several states when a 419 crime is investigated. Thus, Cybercrime experts around the world clearly indicate that harmonization of laws, and harmonization of law enforcement practices, provides a clearer framework for any effective state-sponsored anti-Cybercrime effort.
In an article by Phil Williams titled: “Organized Crime and Cybercrime: Synergies, trends and responses”, he writes, “Harmonization is necessary for both substantive and procedural laws. All countries have to reappraise and revise rules of evidence, search and seizure, electronic eavesdropping, and the like to cover digitized information, modern computer and communication systems, and the global nature of the Internet. Greater coordination of procedural laws, therefore, would facilitate cooperation in investigations that cover multiple jurisdictions”[3]
Harmonization of global and local administrative procedural laws is an essential issue that the Committee on Cybercrime failed to factor into its deliberations.
Specific examples of local administrative policy and procedural issues can be found in the following:
A) Page 53 of the National IT Policy mandated the formation of local administrative laws:
1) Establishing a Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security.
2) Establishing a Data Protection Act (DPA) for safeguarding the privacy of national computerized records and electronic documents.[4]
Surprisingly, the Draft Nigerian Cybercrime Act does not reference either of the above bills. Remarkably, the agency that created the Nigerian IT Policy was NITDA, and a representative of NITDA is the Chairperson of the Presidential Committee on Cybercrime. Nigerians must note that NITDA is always present whenever there is a technology policy mess. For example, NITDA was at the center of the Nigerian top-level domain crisis.
B) Page 45 of the same Nigerian IT Policy ascribes to NITDA the objective to “Ensure the protection of individual and collective privacy, security, and confidentiality of information”[5], yet a section in the Draft Nigerian Cybercrime Act proposes that “all service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”, thereby raising key privacy infringement issues.
C) The architects of the National Economic Empowerment and Development Strategy (NEEDS) recognized that an effective economic reform program must be supplemented with an effective anti-corruption program, yet the NEEDS matrix of measures, published on the Federal Ministry of Finance web site, fails to accommodate an effective Cybercrime and Cyber-Security strategy. The primary focus of the NEEDS program seems to be on transparency in the oil and gas sector and on providing increased resources for the EFCC to combat money laundering[6]. Proponents of the NEEDS program should be cautioned that as long as Nigeria remains the 419 capital of the world, the foreign investment climate on which the success of NEEDS depends will not materialize.
Review of the Preliminary Section of the Draft Cybercrime Act
The preliminary section of the Draft Cybercrime Act has two topics: A) the title of the Act, which it calls the “Nigerian Cybercrime and Cybersecurity Act 2004”, and B) the Interpretation sub-section. The Interpretation section attempts to provide clear legal definitions for keywords used in the body of the Act. One such definition is “Computer Contaminant”, defined as “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network”.
The question this definition of Computer Contaminant raises is that of authorized access combined with malicious destruction of data and computing resources. For example, if a person was granted access to a computer resource and writes a program that knowingly destroys or alters data in a manner contrary to the intended use of that data, is that program a contaminant? The definition hinges on the intent or permission of the owner of the information, not on whether the author of the instructions had access, so the case of an authorized user acting against the owner's intent is left unclear.
Another keyword, under the Interpretation Section is the word “Computer Injury”. The section defines Computer Injury as “any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access.”
The underlying issue this definition does not address is injury that results from unauthorized disclosure of confidential information, theft of that information, and other forms of illegal use of data by an authorized or unauthorized person: the definition covers alteration, deletion, damage and destruction, but not breaches of confidentiality. The other issue that comes to mind with the Computer Injury term is the harmonization of the definition with local intellectual property laws.
This section, also defines, “Computer Security”, as including: “software, program or computer device that: is intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system; and may display a warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access”
Generally, computer security has three attributes: confidentiality, integrity, and availability. The above definition speaks only to confidentiality and secrecy, and does not take into account the other two key attributes.
The Interpretation Section also tries to define “Computer Service” as including “ any and all services provided by or through the facilities of any computer system which is capable of allowing the input, output, examination, or transfer, of computer data or computer programs from one computer to another.”
Again, the three phases of a computer operation are input,
somehow, skipped the fact that data processing is an important component of Computer Service.
In defining “Electronic Message”, the Interpretation Section states that an electronic message “includes electronic mail message, short mail messages and text messages sent to any electronic messaging system.”
This definition does not take into account other potential forms of electronic messaging systems. Should the definition also include electronic transmissions such as electronic fax and SMS transmitted via a computer system? Does VOIP qualify as an electronic message?
“Electronic Message Address” was defined as including “a destination commonly expressed as a string of characters, consisting of a unique user name or mailbox commonly referred to as the local part and a reference to an Internet domain name commonly referred to as the domain part, whether or not displayed, to which an electronic mail message can be sent or delivered”.
Again, the definition of Electronic Message Address did not include other forms of electronic identifiers that can uniquely identify other types of electronic message. These may include unique identifiers for FAX messages, SMS messages, and VOIP.
In defining the word, “Recipient”, the section declares that “ when used with respect to an electronic message means an authorized user of the electronic mail address to which a message was sent or delivered if a recipient of an electronic mail message has one or more electronic mail addresses in addition to the address to which the message was sent or delivered, the recipient shall be treated as a separate recipient with respect to each such address”.
This definition of the recipient seems to give a many-to-many relationship to the Internet identity of a person. The true Internet identity of a recipient is one-to-many: I have many email addresses, so am I a different recipient for each address? “Separate recipient” seems to suggest a many-to-many Internet identity relationship.
Review of Offenses Section of the Draft Cybercrime Act
This section of the Draft Nigerian Cybercrime Act is the criminal law part of the Act. The section covers a very extensive set of criminal activities, listed as follows:
1. Unauthorized access to computer, electronic or ancillary devices.
2. Access with intent to commit an offence.
3. Unauthorized modification of the contents of any computer.
4. Illegal communication using electronic messages
5. Illegal interception
6. Data interference
7. System interference
8. Misuse of devices
9. Denial of service
10. Email bombing
11. Computer trespass
12. Computer vandalism
13. Computer identity theft and impersonation
14. Attempt, conspiracy and abetment
15. Duties of Service Providers
16. Records Retention by Service Provider
17. Cybersquatting
18. Computer contamination
19. Cyberterrorism
20. Intellectual Property
21. Soliciting a Minor with a Computer for Unlawful Sexual Purposes
22. Computer Offences against Minors.
23. Other sexual offences
Professor Susan Brenner of the University of Dayton School of Law has published a web site titled “Model State Computer Crime Code”[7]. The site provides model computer crime laws that serve as a template for countries wishing to implement Cybercrime laws. One sees many word-for-word similarities between the Draft Nigerian Cybercrime Act and the work of Professor Susan Brenner. For example, the Email Bombing section of the Nigerian Cybercrime Act was essentially copied from the web site. The issue here is not plagiarism, as inquiries to Professor Susan Brenner confirm that she does not mind duplication of her work. Nevertheless, she should be credited in the body of the Draft Nigerian Cybercrime Act.
The System Interference provision in the Offenses section declares: “Any person who unlawfully produces, sells, designs, adapts for use, distributes, or offers for sale, procures for use, possesses any devices, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts relating to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item to contravene this Act, commits an offence and liable upon conviction to a fine not less than =N=1 million or imprisonment for a term not less than 3 years or to both such fine and imprisonment”
This section fails to recognize that computer security professionals conducting security assessments sometimes need to design or use products capable of system penetration. Under this provision, a penetration-testing tool becomes an instrument of System Interference, and some computer forensic tools would likewise be termed System Interference tools. Anti-virus research, which sometimes requires writing test viruses and sometimes the disassembly of virus software, would also become illegal in Nigeria. Note that, as quoted, the first limb of the provision (producing, possessing or distributing a device “designed primarily to overcome security measures”) is qualified only by the word “unlawfully”; the intent qualifier reads as attaching to the password and access-code limb, and the text provides no explicit exemption for authorized testing, forensics or research. This particular provision would also hinder the Cybercrime Agency in performing its own functions.
The Email Bombing section declares that “Any person who uses a computer, computer network, computerized communications system, or the Internet to purposefully:
a) send or induce others to send, massive amounts of electronic mail to a single system or person with the intent to interfere with the operating ability of recipient's computer system; or
b) send an unreasonably large file attached to electronic Mail or multiple copies of identical messages to the recipient with intent of stopping or slowing the Recipient's ability to retrieve mail; or
c) subscribe the intended recipient without authorization to multiple Internet mailing lists resulting in the recipient receiving unwanted electronic mails:
Commits the offence of email bombing under this Act and liable upon conviction to a fine of not less than =N=500,000 or imprisonment to a term not less than 2 years or both such fine and imprisonment”
The Email Bombing provision fails to acknowledge that legitimate bulk email, such as email marketing or mailing-list traffic, may produce the same effect on a single system as a mail bomb; only the sender's intent distinguishes the two, and intent is not visible in the traffic itself. What counts as legitimate bulk email, and how it is distinguished from email bombing, should be clarified in this section.
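The point above can be shown concretely. The following is an added example, not code from the original review or from the draft Act: a sliding-window detector that operationalizes limbs (a) and (b) of the quoted provision over a constructed mail-server log. The log format, the sender and recipient names, and the thresholds (10-minute window, 50 messages per sender-recipient pair, 25 MB per message) are all assumptions chosen for the example; the Act itself gives no numbers. A mailing list with the same volume profile as the attacker trips the same rule, which is exactly why the provision needs a definition of legitimate bulk mail.

```python
"""Added example: volume-based mail-bomb detection over a constructed log.
Shows that a legitimate mailing list and a mail bomber are indistinguishable
by traffic volume alone."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    ts: int            # seconds since epoch (constructed values)
    sender: str
    recipient: str
    size_bytes: int


def parse_log(text: str) -> list[MailEvent]:
    """Parse the constructed 'ts,sender,recipient,size_bytes' format used here.
    This is not a real MTA log format; it is an assumption for the example."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, recipient, size = (f.strip() for f in line.split(","))
        events.append(MailEvent(int(ts), sender, recipient, int(size)))
    return events


# Thresholds are assumptions for this example; the draft Act specifies none.
WINDOW_SECONDS = 600            # 10-minute sliding window
MAX_MSGS_PER_PAIR = 50          # "massive amounts" to a single person, limb (a)
MAX_MESSAGE_BYTES = 25_000_000  # "unreasonably large file", limb (b)


def detect_mail_bombs(events, window=WINDOW_SECONDS,
                      max_msgs=MAX_MSGS_PER_PAIR, max_bytes=MAX_MESSAGE_BYTES):
    """Return findings as (rule, sender, recipient, detail) tuples.

    'volume'   : more than max_msgs messages from one sender to one recipient
                 inside a sliding window of `window` seconds (limb a)
    'oversize' : a single message larger than max_bytes (limb b)
    """
    recent = defaultdict(deque)   # (sender, recipient) -> timestamps in window
    flagged = set()
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        pair = (ev.sender, ev.recipient)
        if ev.size_bytes > max_bytes:
            findings.append(("oversize", ev.sender, ev.recipient, ev.size_bytes))
        q = recent[pair]
        q.append(ev.ts)
        while ev.ts - q[0] > window:     # drop timestamps outside the window
            q.popleft()
        if len(q) > max_msgs and pair not in flagged:
            flagged.add(pair)
            findings.append(("volume", ev.sender, ev.recipient, len(q)))
    return findings


def sample_log() -> str:
    """Constructed log: a mail bomber, a mailing list with the same volume
    profile, one oversize attachment, and a normal correspondent."""
    lines = ["# ts,sender,recipient,size_bytes"]
    t0 = 1_100_000_000
    # 60 messages in 5 minutes from one attacker to one victim
    lines += [f"{t0 + i * 5},bomber@example.net,victim@example.org,2048"
              for i in range(60)]
    # 60 notifications in 5 minutes from a mailing list to one subscriber
    lines += [f"{t0 + i * 5},announce@list.example.com,subscriber@example.org,4096"
              for i in range(60)]
    # one 40 MB attachment
    lines.append(f"{t0 + 100},colleague@example.com,victim@example.org,40000000")
    # a normal correspondent: three messages in three minutes
    lines += [f"{t0 + i * 60},friend@example.com,victim@example.org,1500"
              for i in range(3)]
    return "\n".join(lines)


def run_example():
    """Run the detector over the constructed log and return its findings."""
    return detect_mail_bombs(parse_log(sample_log()))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Both `bomber@example.net` and `announce@list.example.com` produce a `volume` finding at the 51st message, and the detector has no way to tell them apart; a statute that criminalizes the effect has to say what separates the list from the bomb.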
The criminal law section on “Records Retention by Service Provider” states that “All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”
Some years ago the European Union struggled to define data retention policies for its Internet service providers. Important issues in that debate were privacy concerns and the feasibility of maintaining huge record sets for a long period. That the EU did not implement a data retention law is not the primary issue here; the issue is personal data privacy and a clear definition of “transactional records”. The data attributes subject to retention need to be clearly defined. All ISP records can be classified as transactional; retaining all of them may intrude on privacy and may not be feasible. Rather than all transactional records, communication logs and customer information records should be retained. Conceptually, this provision could result in Nigerian ISPs keeping confidential government information that is routed through their networks. The data retention provision, as proposed by the Presidential Committee on Cybercrime, can therefore become a national security issue. What would stop political parties from colluding with ISPs and gaining access to the confidential transactional records of political opponents?
REVIEW OF PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE
Essentially, this section is divided into: Critical information and communication infrastructure; Access to critical information and communication infrastructure; Audit and inspection of critical information and communication infrastructure; and Offenses against critical information and communication infrastructure.
Here again, we see harmonization deficiencies in the Cyber-Security section of the Draft Cybercrime Act; in particular, it fails to harmonize with the Nigerian IT Policy, which prescribes “Establishing Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security”. A program to protect national information technology assets should have information assurance as its focus. National information technology assets should be identified, and a diligent process for the certification and accreditation of these assets implemented. In addition, an essential principle of national information assurance is uniformity of standards. The importance of uniform national standards is not emphasized in this section. Standards such as ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation, ought to be interpreted and adopted as a national standard.
REVIEW OF GENERAL PROVISIONS SECTION
The General Provisions section is divided into:
A) Jurisdiction, etc.
B) Powers of search and arrest
C) Obstruction
D) Tampering with computer evidence
E) Prosecution
F) Forfeiture
G) Power to compound offence
H) Order for payment of compensation
I) Conviction for alternative offence
A sub-section in this part of the Draft Nigerian Cybercrime Act, titled “Powers of Search and Arrest”, is very troubling. The section in question gives the Cybercrime Agency the power to: “have access to any information code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this Act”.
The implication is serious privacy issues. The power to compel the release of encryption keys or decryption capability to a government agency, with no mention of a court order, annuls the individual's right to privacy. Encryption keys and algorithms are instruments for protecting free communication in a free and democratic society. In cases where a crime has been committed and encryption issues arise, encryption keys can instead be kept with a third-party key escrow and released only under judicial supervision.
REVIEW OF CYBERCRIME AGENCY: ESTABLISHMENT OF THE CYBERCRIME AGENCY
As stated in the introductory part of this paper, the creation of a new Cybercrime agency may not be warranted. The Committee on Cybercrime did not conduct a feasibility study on why the creation of a new agency was justified. In addition, the Federal Ministry of Finance should be consulted to assist in preparing a cost-benefit analysis that compares creating a new agency against a cross-organizational model.
REVIEW OF FUNCTIONS AND POWERS OF THE AGENCY
The agency should not have arbitrary power to access the informational assets of citizens in order to determine whether a crime has been committed. It should be required to obtain a court order.
In outlining the criteria for the managerial leadership of the Cybercrime Agency, the Draft Nigerian Cybercrime Act states that “there shall be for the Agency a Director-General who shall be a) appointed by the President; b) the chief executive and accounting officer of the Agency; c) responsible for the day-to-day administration of the affairs of the Agency; d) a person with cognate experience in Information and Communications Technology and Law with requisite international exposure in matters connected to Cybercrime”
The international exposure prerequisite eliminates Nigerians who might be qualified but lack international experience. It also eliminates qualified Nigerians who do not have the dual professional background in both Law and Information Technology.
Conclusion
As is, the Draft Nigerian Cybercrime Act is not ready to become Law.
[1] See http://efccnigeria.org/links/nl2003120401dailychampion.html
[2] See http://computercops.biz/article4726.html
[4] See http://www.nitda.org/docs/policy/ngitpolicy.pdf, page 53
[5] See http://www.nitda.org/docs/policy/ngitpolicy.pdf, page 45
[6] See http://www.fmf.gov.ng/economic_reform_fighting_corruption.htm