Review of Draft Nigerian Cybercrime Act
By Femi Oyesanya

Several months ago, the Nigerian President announced After many weeks of deliberations, the committee presented a Draft Cybercrime Act to the President, and the committee formed the Nigerian Cybercrime Working Group (NCWG) to accelerate the implementation of its cybercrime research efforts and to assist the Nigerian National Assembly in the quick passage of a Cybercrime Bill. An essential document that came out of the closed-door Presidential Committee on Cybercrime is the "Draft Nigerian Cybercrime Act". This paper provides an in-depth review of that document.

In summary, the Draft Nigerian Cybercrime Act provides the legal framework for the establishment of an independent Cybercrime Agency and for legislation on cybercrime and cyber-security. The Draft Act is divided into eight parts: A) PRELIMINARY; B) OFFENCES; C) PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE; D) ANCILLARY AND GENERAL PROVISIONS; E) CYBERCRIME & CYBERSECURITY AGENCY: ESTABLISHMENT OF THE CYBERCRIME AGENCY, ETC.; F) FUNCTIONS AND POWERS OF THE AGENCY; G) MANAGEMENT AND STAFF OF THE AGENCY; H) FINANCIAL PROVISIONS.

REVIEW OF THE STRUCTURE OF THE COMMITTEE
The Presidential Committee on Cybercrime consisted of group membership from the government and the private sector. The composition of the group included: the National Security Advisor, the Justice Minister, the Minister of Science and Technology, the Chairmen of the Senate and House of Representatives Committees on Science and Technology, the Inspector-General of Police, the State Security Service, the National Intelligence Agency, the Economic and Financial Crimes Commission, the Nigerian Communications Commission, the National Information Technology Development Agency, the Nigerian Computer Society, the Internet Services Providers Association of Nigeria, and the Nigerian Internet Group.[1]

The group was well represented, except for the omission of academia and the military. It is surprising that the Nigerian Government did not feel a need to include any Nigerian university or any branch of the Nigerian military.

This omission matters because, historically, most of the research underlying old and new cybercrime technology originated either in studies conducted by the military or in research efforts from the academic community. The Internet itself was largely a creation of the USA Department of Defense, and several digital security initiatives can be traced to academic institutions.

REVIEW OF CYBER-COMMITTEE ORGANIZATIONAL DYNAMICS

Once the Presidential Committee on Cybercrime began its deliberations, sources within the committee reported that inter-agency turf issues soon emerged. Rather than focusing In short, the committee lost focus. Rather than deliberating on the creation of a cybercrime model geared at attaining strategic synergetic efficiency, turf issues became dominant.

At a time when the Nigerian Government was announcing to the world key economic reform programs such as the National Economic Empowerment and Development Strategy (NEEDS), why did the Presidential Committee on Cybercrime not bother itself with evaluating economic efficiency models as they relate to the creation of an independent Cybercrime Agency? Why did it not consider issues such as duplication of resources? Already, the Nigerian government is investing millions into the creation of a Financial Intelligence Unit (FIU); would an organizational synergy of the FIU and Cybercrime not benefit Now, we have the Minister of Finance, Ngozi Okonjo-Iweala, at a recently concluded World Economic Forum saying she is The Presidential Committee on Cybercrime needs to research the various models underlying the creation of an independent Cybercrime Agency. The focus of that research should be efficiency and effectiveness. Questions such as duplication of resources should be addressed, and a feasibility study of all proposed Cybercrime organizational

REVIEW OF HARMONIZATION PRACTICE WITHIN THE COMMITTEE

A 419 email letter that originates from Nigeria and claims a victim elsewhere in the world might violate not only the territorial laws of Nigeria but also those of the territory of the victim. Digital evidence trails for such a case might be found on the electronic pathway through several international states when investigating a 419 crime. Thus, there is a clear indication from cybercrime experts around the world that harmonization of laws, and harmonization of law-enforcement practices, provides a clearer framework for any effective state-sponsored anti-cybercrime effort. In an article titled "Organized Crime and Cybercrime: Synergies, Trends and Responses", Phil Williams writes: "Harmonization is necessary for both substantive and procedural laws. All countries have to reappraise and revise rules of evidence, search and seizure, electronic eavesdropping, and the like to cover digitized information, modern computer and communication systems, and the global nature of the Internet. Greater coordination of procedural laws, therefore, would facilitate cooperation in investigations that cover multiple jurisdictions."[3] Harmonization
of global and local administrative procedural laws is an essential issue that the Committee on Cybercrime failed to factor into its deliberations. Specific examples of local administrative policy and procedural issues can be found in the following:

A) Page 53 of the National IT Policy mandated the formation of local administrative laws:
1) Establishing a Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security.
2) Establishing a Data Protection Act (DPA) for safeguarding the privacy of national computerized records and electronic documents.[4]

Surprisingly, the Draft Nigerian Cybercrime Act did not reference either of the above bills. Amazingly, the agency that created the Nigerian IT Bill was NITDA, and a representative of NITDA is the Chairperson of the Presidential Committee on Cybercrime. Nigerians should note that NITDA is always present whenever there is a technological mess. For example, NITDA was at the center of the Nigerian top-level domain crisis.

B) Page 45 of the same Nigerian IT Policy lists among the objectives of NITDA to "Ensure the protection of individual and collective privacy, security, and confidentiality of information"[5], yet a section of the Draft Nigerian Cybercrime Act proposes that "all service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years", thereby raising key privacy infringement issues.

C) The architects of the National Economic Empowerment and Development Strategy (NEEDS) recognized that an effective economic reform program has to be supplemented with an effective anti-corruption program, yet the NEEDS matrix of measures, published on the Federal Ministry of Finance web site, fails to accommodate an effective cybercrime and cyber-security strategy. The primary focus of the NEEDS program seems to be transparency in the oil and gas sector and increased resources for the EFCC to combat money laundering.[6] Proponents of the NEEDS program should be cautioned that as long as Nigeria remains the 419 capital of the world, the foreign investment climate on which the success of NEEDS depends will never materialize.

Review of the Preliminary Section of the Draft Cybercrime Act

The
preliminary section of the Draft Cybercrime Act has two topics: A) the title of the Act, which it calls the "Nigerian Cybercrime and Cybersecurity Act 2004", and B) the Interpretation sub-section. The Interpretation section attempts to provide clear legal definitions for keywords used in the body of the Act.

One such definition is the term "Computer Contaminant", defined as "any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network".

The question this definition of Computer Contaminant raises is the combination of authorized access with malicious destruction of data and computing resources. For example, if a person is granted access to a computer resource and writes a program to knowingly destroy or alter data in a manner contrary to the intended use of the data, is that program a contaminant?

Another keyword under the Interpretation Section is "Computer Injury", defined as "any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access." The underlying issue this definition does not address is the computer injury that results from unauthorized disclosure of confidential information, theft of that information, and other forms of illegal use of data by an authorized or unauthorized person. The other issue with the Computer Injury term is the harmonization of the definition with local and intellectual property laws.

This section also defines "Computer Security" as including "software, program or computer device that: is intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system; and may display a warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access". Generally, computer security has three attributes: confidentiality, integrity, and availability. The above definition speaks only of confidentiality and secrecy; it does not take into account the other two attributes, so a control that protects data from tampering or keeps a system available would not, on this wording, count as computer security.

The Interpretation Section also defines "Computer Service" as including "any and all services provided by or through the facilities of any computer system which is capable of allowing the input, output, examination, or transfer, of computer data or computer programs from one computer to another." Again, the three phases of a computer operation are input, processing, and output. The definition of Computer Service somehow skipped the fact that data processing is an important component of computer service.

In defining "Electronic Message", the Interpretation Section states that an electronic message "includes electronic mail message, short mail messages and text messages sent to any electronic messaging system." This definition does not take into account other potential forms of electronic messaging. Should the definition also include electronic transmissions such as electronic fax and SMS transmitted via a computer system? Does VoIP qualify as an electronic message?

"Electronic Message Address" is defined as including "a destination commonly expressed as a string of characters, consisting of a unique user name or mailbox commonly referred to as the local part and a reference to an Internet domain name commonly referred to as the domain part, whether or not displayed to which an electronic mails message can be sent or delivered". Again, the definition of Electronic Message Address does not include other forms of electronic identifier that uniquely identify other types of electronic message, such as the identifiers for fax messages, SMS messages, and VoIP.

In defining "Recipient", the section declares that the term "when used with respect to an electronic message means an authorized user of the electronic mail address to which a message was sent or delivered; if a recipient of an electronic mail message has one or more electronic mail addresses in addition to the address to which the message was sent or delivered, the recipient shall be treated as a separate recipient with respect to each such address". This definition of recipient seems to give a many-to-many relationship to the Internet identity of a person. The true Internet identity of a recipient is one-to-many. I have many email addresses; am I a different recipient for each address? "Separate recipient" seems to suggest a many-to-many Internet identity relationship.

Review of Offenses Section of the Draft Cybercrime Act

This
section of the Draft Nigerian Cybercrime Act is the criminal law part of the Act. The section covers a very extensive set of criminal activities, listed as follows:
1. Unauthorized access to computer, electronic or ancillary devices
2. Access with intent to commit an offence
3. Unauthorized modification of the contents of any computer
4. Illegal communication using electronic messages
5. Illegal interception
6. Data interference
7. System interference
8. Misuse of devices
9. Denial of service
10. Email bombing
11. Computer trespass
12. Computer vandalism
13. Computer identity theft and impersonation
14. Attempt, conspiracy and abetment
15. Duties of service providers
16. Records retention by service provider
17. Cybersquatting
18. Computer contamination
19. Cyberterrorism
20. Intellectual property
21. Soliciting a minor with a computer for unlawful sexual purposes
22. Computer offences against minors
23. Other sexual offences

Professor
Susan Brenner of the University of Dayton School of Law has published a web site titled "Model State Computer Crime Code".[7] The site provides a model for various computer crime laws that serves as a template for countries wishing to implement cybercrime laws. One sees a lot of word-for-word similarity between the Draft Nigerian Cybercrime Act and the work of Professor Brenner. For example, the email bombing section of the Nigerian Cybercrime Act was essentially copied from the web site. The issue here is not plagiarism, as inquiries to Professor Brenner confirm that she does not mind duplication of her work. Nevertheless, she should be credited in the body of the Draft Nigerian Cybercrime Act.

The system interference provision in the Offences section declares: "Any person who unlawfully produces, sells, designs, adapts for use, distributes, or offers for sale, procures for use, possesses any devices, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts relating to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item to contravene this Act, commits an offence and liable upon conviction to a fine not less than =N=1 million or imprisonment for a term not less than 3 years or to both such fine and imprisonment".

This provision fails to note that computer security professionals conducting security assessments sometimes need to design or use products capable of system penetration. As quoted, the only qualifier on the devices limb is the undefined word "unlawfully"; the explicit requirement of intent to contravene the Act attaches to the password and access-code limb. Under this provision a penetration-testing tool becomes an instrument of system interference, and some computer forensic tools will be classed the same way. Anti-virus research, which sometimes requires writing viruses and sometimes the disassembly of virus software, will also be illegal in Nigeria. This particular provision will also hinder the Cybercrime Agency in performing its own functions.

The
Email Bombing section declares that "Any person who uses a computer, computer network, computerized communications system, or the Internet to purposefully: a) send or induce others to send, massive amounts of electronic mail to a single system or person with the intent to interfere with the operating ability of recipient's computer system; or b) send an unreasonably large file attached to electronic mail or multiple copies of identical messages to the recipient with intent of stopping or slowing the recipient's ability to retrieve mail; or c) subscribe the intended recipient without authorization to multiple Internet mailing lists resulting in the recipient receiving unwanted electronic mails: commits the offence of email bombing under this Act and liable upon conviction to a fine of not less than =N=500,000 or imprisonment to a term not less than 2 years or both such fine and imprisonment".

The email bombing provision fails to accommodate the fact that legitimate email marketing, or a legitimately large attachment, may produce the same effect on a single system as a mail bomb. What separates legitimate bulk mail from an email bomb should be clarified in this section.

The
criminal law section on "Records Retention by Service Provider" states that "All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years".

Some years ago the European Union struggled to define data retention policies for its Internet service providers. Important issues in that debate were privacy concerns and the feasibility of maintaining huge record sets for a long period. That the EU did not implement a data retention law is not the primary issue here; the issues are personal data privacy and a clear definition of "transactional records". The data attributes subject to retention need to be clearly defined: read broadly, every record an ISP holds can be classified as transactional, which might intrude on privacy and might not be feasible. Rather than all transactional records, communication logs (which party communicated with which, and when) and customer information records should be retained, not the content carried. Conceptually, this provision could require Nigerian ISPs to keep confidential government information that is routed through their networks, so the data retention provision suggested by the Presidential Committee on Cybercrime could become a national security issue. What would stop political parties from colluding with ISPs and gaining access to the confidential transactional records of political opponents?

REVIEW
OF PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE

Essentially, this section is divided into: critical information and communication infrastructure; access to critical information and communication infrastructure; audit and inspection of critical information and communication infrastructure; and offences against critical information and communication infrastructure.

Here again we see harmonization deficiencies in the cyber-security section of the Draft Cybercrime Act. In particular, it fails to harmonize with the Nigerian IT Policy, which prescribes "Establishing Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security". A program to protect national information technology assets should have information assurance as its focus. National information technology assets should be identified, and a diligent process for the certification and accreditation of those assets implemented. In addition, an essential principle of national information assurance is uniformity of standards. The importance of uniform national standards was not emphasized in this section. Standards such as ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation, ought to be interpreted and adopted as a national standard.

REVIEW OF GENERAL PROVISIONS SECTION

The
General Provisions section is divided into: A) Jurisdiction, etc.; B) Powers of search and arrest; C) Obstruction; D) Tampering with computer evidence; E) Prosecution; F) Forfeiture; G) Power to compound offence; H) Order for payment of compensation; I) Conviction for alternative offence.

A sub-section of the Draft Nigerian Cybercrime Act titled "Powers of Search and Arrest" is very troubling. The section in question gives the Cybercrime Agency the power to "have access to any information code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this Act".

The implication is a serious privacy issue. The power to require the release of encryption keys, or of the means to decrypt, to a government agency annuls the individual's right to privacy. Note that, as quoted, the power is not confined to the offence under investigation but extends to "any other offence which has been disclosed" during the search, and that nothing in the quoted text conditions it on a court order. Encryption keys and algorithms can be instruments of protecting free communication in a free and democratic society.
In cases where crimes have been committed and encryption issues arise, encryption keys or algorithms can instead be kept in third-party encryption escrow.

REVIEW
OF CYBERCRIME AGENCY: ESTABLISHMENT OF THE CYBERCRIME AGENCY

As stated in the introductory parts of this paper, the creation of a new Cybercrime Agency may not be warranted. The Committee on Cybercrime did not conduct a feasibility study to show why the creation of a new agency was justified. In addition, the Federal Ministry of Finance should be consulted to assist in a cost-benefit analysis comparing the creation of a new agency with a cross-organizational model.

REVIEW OF FUNCTIONS AND POWERS OF THE AGENCY

The agency should not have the power to access the information assets of citizens arbitrarily in order to determine whether a crime has been committed. It should be required to obtain a court order.

REVIEW OF MANAGEMENT AND STAFF OF THE AGENCY

In outlining the criteria for the managerial leadership of the Cybercrime Agency, the Draft Nigerian Cybercrime Act states that "there shall be for the Agency a Director-General who shall be a) appointed by the President; b) the chief executive and accounting officer of the Agency; c) responsible for the day-to-day administration of the affairs of the Agency; d) a person with cognate experience in Information and Communications Technology and Law with requisite international exposure in matters connected to Cybercrime". The international exposure prerequisite eliminates Nigerians who might be qualified but do not have international experience. It also eliminates qualified Nigerians who lack the dual professional background in law and information technology.

Conclusion

As it stands, the Draft Nigerian Cybercrime Act is not ready to become law.

[1] http://efccnigeria.org/links/nl2003120401dailychampion.html
[2] http://computercops.biz/article4726.html
[4] http://www.nitda.org/docs/policy/ngitpolicy.pdf, page 53
[5] http://www.nitda.org/docs/policy/ngitpolicy.pdf, page 45
[6] http://www.fmf.gov.ng/economic_reform_fighting_corruption.htm