Review of Draft Nigerian Cybercrime Act By Femi Oyesanya
Several months ago, the Nigerian President announced the formation of a Cybercrime committee. The 15-member committee consisted of representatives from both the Government and the private sector, and was tasked with designing solutions for Nigerian Internet-based fraud and Cybercrime.

After many weeks of deliberations, the committee presented a Draft Cybercrime Act to the President, and the committee formed the Nigerian Cybercrime Working Group (NCWG) to accelerate the implementation of its Cybercrime research efforts and to assist the Nigerian National Assembly in the quick passage of a Cybercrime Bill.
An essential document that came out of the closed-door Presidential Committee on Cybercrime is the “Draft Nigerian Cybercrime Act”. This paper provides an in-depth review of that document.

In summary, the Draft Nigerian Cybercrime Act provides the legal framework for the establishment of an Independent Cybercrime Agency and for the legislation concerning Cybercrime and Cyber-Security. Basically, the Draft Nigerian Cybercrime Act was divided into eight sections, namely: A) PRELIMINARY, B) OFFENSES, C) PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE, D) ANCILLARY AND GENERAL PROVISIONS, E) CYBERCRIME & CYBERSECURITY AGENCY: ESTABLISHMENT OF THE CYBERCRIME AGENCY, ETC., F) FUNCTIONS AND POWERS OF THE AGENCY, G) MANAGEMENT AND STAFF OF THE AGENCY, H) FINANCIAL PROVISIONS.

REVIEW OF THE STRUCTURE OF THE COMMITTEE
The Presidential Committee on Cybercrime consisted of members from the government and the private sector. The composition of the group included: the National Security Advisor, the Justice Minister, the Minister of Science and Technology, the Chairmen of the Senate and House of Representatives Committee on Science and Technology, the Inspector-General of Police, the State Security Service, the National Intelligence Agency, the Economic and Financial Crimes Commission, the Nigerian Communications Commission, the National Information Technology Development Agency, the Nigerian Computer Society, the Internet Services Providers Association of Nigeria, and the Nigerian Internet Group. [1]
The composition of the group was well represented, except for the omission of a group from academia and the Military. It was rather surprising that the Nigerian Government did not feel a need to include any Nigerian University or any branch of the Nigerian Military.

REVIEW OF CYBER-COMMITTEE ORGANIZATIONAL DYNAMICS

Once the Presidential Committee on Cybercrime began its deliberations, sources within the committee reported that inter-agency turf issues soon emerged. Rather than focusing

In short, the committee lost focus. Rather than deliberating on the creation of a Cybercrime model geared at attaining strategic synergetic efficiency, turf issues became dominant.

At a time when the Nigerian Government was announcing to the world key economic reform programs
Now we have the Minister of Finance, Ngozi Okonjo-Iweala, at a recently concluded World Economic Forum saying she is angry at 419 email and the negative impact it has on Nigeria [2]. Whilst any patriotic Nigerian should be disturbed about the international 419 image, Ngozi Okonjo-Iweala owes Nigerians a national duty to ensure that the Presidential Committee on Cybercrime does not burden Nigerians with the creation of an Independent Cybercrime Commission that is not based on a feasible economic impact analysis.
The Presidential Committee on Cybercrime needs to research the various models underlying the creation of an Independent Cybercrime Agency. The focus of the research should be on efficiency and effectiveness. Questions such as duplication of resources should be addressed, and a feasibility study of all proposed Cybercrime organizational design concepts should be transparently conducted.
REVIEW OF HARMONIZATION PRACTICE WITHIN THE COMMITTEE

A 419 email letter that originates from Nigeria and claims a victim elsewhere in the world might not only violate the territorial laws of Nigeria, but also those of the territory of the victim. Digital evidence trails for such a case might be found on the electronic pathways of several international States when investigating a 419 crime. Thus, there is a clear indication from Cybercrime experts around the world that, to be effective, the harmonization of laws and the harmonization of law enforcement practices provide a clearer framework for any effective State-sponsored anti-Cybercrime effort.
In an article by Phil Williams titled “Organized Crime and Cybercrime: Synergies, Trends and Responses”, he writes: “Harmonization is necessary for both substantive and procedural laws. All countries have to reappraise and revise rules of evidence, search and seizure, electronic eavesdropping, and the like to cover digitized information, modern computer and communication systems, and the global nature of the Internet. Greater coordination of procedural laws, therefore, would facilitate cooperation in investigations that cover multiple jurisdictions” [3].
Harmonization of global and local administrative procedural laws is an essential issue that the Committee on Cybercrime failed to factor into its deliberations. Specific examples of local administrative policy and procedural issues can be found in the following:

A) Page 53 of the National IT Policy mandated the formation of local administrative laws:
1) Establishing a Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security.
2) Establishing a Data Protection Act (DPA) for safeguarding the privacy of national computerized records and electronic documents. [4]
Surprisingly, the Draft Nigerian Cybercrime Act did not reference either of the above bills. Amazingly, the agency that created the Nigerian IT Bill was NITDA, and a representative of NITDA is the Chairperson of the Presidential Committee on Cybercrime. Nigerians must note that NITDA is always present whenever there is a technology mess. For example, NITDA was at the center of the Nigerian Top Level Domain crisis.
B) Page 45 of the same Nigerian IT Policy ascribes one of the objectives of NITDA as to “Ensure the protection of individual and collective privacy, security, and confidentiality of information” [5], yet a section in the Draft Nigerian Cybercrime Act proposed that “all service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”, thereby raising key privacy infringement issues.

C) Architects of the National Economic Empowerment and Development Strategy (NEEDS) recognized that an effective economic reform program has to be supplemented with an effective anti-corruption program, yet the NEEDS matrix of measures, published on the Federal Ministry of Finance web site, failed to accommodate an effective Cybercrime and Cyber-Security strategy. The primary focus of the NEEDS program seems to be on issues related to transparency in the Oil and Gas sector and on providing increased resources for the EFCC to combat money laundering activities [6]. Proponents of the NEEDS program should be cautioned that as long as Nigeria remains the 419 Capital of the World, the foreign investment climate that would guide the success of NEEDS will never materialize.
Review of the Preliminary Section of the Draft Cybercrime Act

The preliminary section of the Draft Cybercrime Act has two topics: A) the title of the Act, which it calls the “Nigerian Cybercrime and Cybersecurity Act 2004”, and B) the Interpretation sub-section. The Interpretation section attempts to provide clear legal definitions for keywords used in the body of the Act. One such definition is the term “Computer Contaminant”, which was defined as “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network”.
The question this definition of Computer Contaminant raises is the issue of authorized access and malicious destruction of data and computing resources. For example, if a person was granted security access to a computer resource and writes a program to knowingly destroy or alter data in a manner contrary to the intended use of the data, is that program a contaminant?

Another keyword under the Interpretation Section is “Computer Injury”. The section defines Computer Injury as “any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access.”

The underlying issue that this definition does not seem to address is Computer Injury that could result as a consequence of unauthorized disclosure of confidential information, theft of that information, and other forms of illegal use of data by an authorized or unauthorized person. The other issue that comes to mind with the Computer Injury term is the harmonization of the definition with local and intellectual property laws.

This section also defines “Computer Security” as including: “software, program or computer device that: is intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system; and may display a warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access”.

Generally, Computer Security has three attributes: confidentiality, integrity, and availability. The above definition addresses only confidentiality and secrecy and does not take the other two key attributes, integrity and availability, into account.
The Interpretation Section also tries to define “Computer Service” as including “any and all services provided by or through the facilities of any computer system which is capable of allowing the input, output, examination, or transfer, of computer data or computer programs from one computer to another.” This definition somehow skips the fact that data processing is a key component of a Computer Service. In defining “Electronic Message”, the Interpretation Section states that an Electronic Message “includes electronic mail message, short mail messages and text messages sent to any electronic messaging system.” This definition does not take into account other potential forms of electronic messaging systems. Should the definition also include electronic transmissions such as electronic fax and SMS transmitted via a computer system? Does VOIP qualify as an electronic message?

“Electronic Message Address” was defined as including “a destination commonly expressed as a string of characters, consisting of a unique user name or mailbox commonly referred to as the local part and a reference to an Internet domain name commonly referred to as the domain part, whether or not displayed to which an electronic mail message can be sent or delivered”.

Again, the definition of Electronic Message Address did not include other forms of electronic identifiers that can uniquely identify other types of electronic message. These may include unique identifiers for fax messages, SMS messages, and VOIP.

In defining the word “Recipient”, the section declares that “when used with respect to an electronic message means an authorized user of the electronic mail address to which a message was sent or delivered if a recipient of an electronic mail message has one or more electronic mail addresses in addition to the address to which the message was sent or delivered, the recipient shall be treated as a separate recipient with respect to each such address”.

This definition of the recipient seems to give a many-to-many relationship to the Internet identity of a person. The true Internet identity of a recipient is one-to-many. I have many email addresses; am I a different recipient for each address? “Separate recipient” seems to suggest a many-to-many Internet identity relationship.
Review of the Offenses Section of the Draft Cybercrime Act

This section of the Draft Nigerian Cybercrime Act is the Criminal Law part of the Act. The section covers a very extensive set of criminal activities, listed as follows:
1. Unauthorized access to computer, electronic or ancillary devices
2. Access with intent to commit an offence
3. Unauthorized modification of the contents of any computer
4. Illegal communication using electronic messages
5. Illegal interception
6. Data interference
7. System interference
8. Misuse of devices
9. Denial of service
10. Email bombing
11. Computer trespass
12. Computer vandalism
13. Computer identity theft and impersonation
14. Attempt, conspiracy and abetment
15. Duties of Service Providers
16. Records Retention by Service Provider
17. Cybersquatting
18. Computer contamination
19. Cyberterrorism
20. Intellectual Property
21. Soliciting a Minor with a Computer for Unlawful Sexual Purposes
22. Computer Offences against Minors
23. Other sexual offences

Professor Susan Brenner of the University of Dayton School of Law has published an Internet web site titled “Model State Computer Crime Code” [7]. The site provides a model for various Computer Crime Laws that serves as a template for countries wishing to implement Cybercrime laws. One sees a lot of word-for-word similarities between the Draft Nigerian Cybercrime Act and the work of Professor Susan Brenner. For example, the Email Bombing section of the Nigerian Cybercrime Act was essentially copied from the web site. The issue here is not plagiarism, as inquiries to Professor Susan Brenner confirm that she does not mind duplication of her work. Nevertheless, she should be credited in the body of the Draft Nigerian Cybercrime Act.

The System Interference law in the Offenses section declares: “Any person who unlawfully produces, sells, designs, adapts for use, distributes, or offers for sale, procures for use, possesses any devices, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts relating to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item to contravene this Act, commits an offence and liable upon conviction to a fine not less than =N=1 million or imprisonment for a term not less than 3 years or to both such fine and imprisonment”.

This section fails to note that computer security professionals conducting security assessments sometimes have a need to design or use products with the capacity for system penetration. According to this law, a computer penetration testing tool becomes System Interference. Also, some computer forensic tools would be termed System Interference tools. The virus software re-engineering process, which sometimes requires writing viruses and sometimes the disassembly of virus software, would also be illegal in Nigeria. This particular law would also hinder the Cybercrime Agency in performing its functions.
The Email Bombing section declares that “Any person who uses a computer, computer network, computerized communications system, or the Internet to purposefully: a) send or induce others to send, massive amounts of electronic mail to a single system or person with the intent to interfere with the operating ability of recipient's computer system; or b) send an unreasonably large file attached to electronic mail or multiple copies of identical messages to the c) subscribe the intended recipient without authorization to multiple Internet mailing lists resulting in the recipient d) receiving unwanted electronic mails: Commits the offence of email bombing under this Act and liable upon conviction to a fine of not less than =N=500,000 or imprisonment to a term not less than 2 years or both such fine and imprisonment”.

The Email Bombing law fails to accommodate the fact that legitimate email marketing may produce the same effect as a mail bomb on a single system. The treatment of such legitimate email should be clarified in this section.
The Criminal Law section on “Records Retention by Service Provider” states that “All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”.

Some years ago the European Union struggled to define data retention policies for its Internet Service Providers. Important issues in the debate were privacy concerns and the feasibility of maintaining huge record sets for a period. The fact that the EU did not implement a data retention law is not the primary issue here; the issues are personal data privacy and the clear definition of transactional records. The data attributes associated with data retention need to be clearly defined. All ISP records can be classified as transactional; retaining all of them might intrude on privacy and might not be feasible. Rather than all transactional records, communication logs and customer information records should be retained. Conceptually, this law could allow Nigerian ISPs to keep confidential government information that is routed through their networks. The data retention law, as suggested by the Presidential Committee on Cybercrime, can potentially become a national security issue. What would stop political parties from colluding with ISPs and gaining access to the confidential transactional records of political opponents?
REVIEW OF PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE

Essentially, this section is divided into: Critical information and communication infrastructure; Access to critical information and communication infrastructure; Audit and inspection of critical information and communication infrastructure; and Offenses against critical information and communication infrastructure. Here again, we see harmonization deficiencies in the Cyber-Security section of the Draft Cybercrime Act; in particular, it fails to harmonize with the Nigerian IT Policy, which prescribes “Establishing Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security”. A program to protect national information technology assets should have information assurance as its focus. National information technology assets should be identified, and a diligent process for the certification and accreditation of these assets implemented.

Also, an essential principle in national information assurance is the uniformity of standards. The importance of uniform national standards was not emphasized in this section. Standards such as ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation, ought to be interpreted and adopted as a national standard.
REVIEW OF GENERAL PROVISIONS SECTION

The General Provisions section is divided into: A) Jurisdiction, etc.; B) Powers of search and arrest; C) Obstruction; D) Tampering with computer evidence; E) Prosecution; F) Forfeiture; G) Power to compound offence; H) Order for payment of compensation; I) Conviction for alternative offence.

A sub-section in this part of the Draft Nigerian Cybercrime Act, titled “Powers of Search and Arrest”, is very troubling. The section in question gives the Cybercrime Agency the power to: “have access to any information code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this Act”.
The implication here is a set of serious privacy issues. The power to require the release of encryption information to a government agency annuls all rights of the individual to privacy. Encryption keys or algorithms might be instruments for protecting free communication in a free and democratic society. In cases where crimes have been committed and encryption issues arise, encryption keys or algorithms can be kept in third-party encryption escrow.

REVIEW OF CYBERCRIME AGENCY: ESTABLISHMENT OF THE CYBERCRIME AGENCY

As stated earlier in the introductory parts of this paper, the creation of a new Cybercrime agency may not be warranted. The Committee on Cybercrime did not conduct a feasibility study on why the creation of a new agency was justified. In addition, the Federal Ministry of Finance should be consulted to assist in a cost-benefit analysis that compares creating a new agency against a cross-organizational model.

REVIEW OF FUNCTIONS AND POWERS OF THE AGENCY

The agency should not be allowed to arbitrarily access the informational assets of citizens to determine whether a crime has been committed. It should be required to obtain the order of a court.

REVIEW OF MANAGEMENT AND STAFF OF THE AGENCY

In outlining the criteria for the managerial leadership of the Cybercrime Agency, the Draft Nigerian Cybercrime Act states that “there shall be for the Agency a Director-General who shall be a) appointed by the President; b) the chief executive and accounting officer of the Agency; c) responsible for the day-to-day administration of the affairs of the Agency; d) a person with cognate experience in Information and Communications Technology and Law with requisite international exposure in matters connected to Cybercrime”.

The international exposure prerequisite eliminates Nigerians who might be qualified but do not have international experience. It also eliminates qualified Nigerians who do not have the professional duality of a Law and Information Technology background.

Conclusion

As is, the Draft Nigerian Cybercrime Act is not ready to become law.

[1] See http://efccnigeria.org/links/nl2003120401dailychampion.html
[2] See http://computercops.biz/article4726.html
[4] See http://www.nitda.org/docs/policy/ngitpolicy.pdf, page 53
[5] See http://www.nitda.org/docs/policy/ngitpolicy.pdf, page 45
[6] See http://www.fmf.gov.ng/economic_reform_fighting_corruption.htm