cybercrime act 2015 - Lagos Chamber of Commerce & Industry

Dealing with the Challenge of Cybercrime in Nigeria under the new Cybercrime Act 2015
The Lagos Chamber of Commerce & Industry
2015 Seminar of the Financial Services Group
September 3, 2015
Lagos
Basil Udotai, Esq.,
Managing Partner, Technology Advisors LLP
ICT LAWYERS & CONSULTANTS
Summary of Presentation
• Nature of Technology (ICT)
• Does Technology (ICT) Challenge Law?
• Is Cybercrime a Challenge in Nigeria?
• Typical Cybercrime Framework – Legal & Institutional;
• Nigerian Cybercrime Act 2015 – the solution?
• Legislative History of the Act;
• General Review of the Law;
• Financial Services Sector under the Act – the “Danger of a
single story” – Chimamanda Adichie;
• First known case currently being tried under the Act;
• Conclusions
Nature of Technology (ICT)
• Global – reaches across multiple jurisdictions and legal
systems – issues with applicable law and jurisdiction – e.g. the
Law of Torts and the “Neighbor Principle” as basis for liability;
• Knowledge based – proprietary (Apple vs Samsung)
• Digital/Electronic – Traditionally law regulates tangibles;
• Fast Paced and Real Time – efficiency generation and
transaction completion (reversal challenges);
• Inherent Insecurity vs Interoperability;
• Mired by Legal Externalities - 3rd Party Technologies –
software, systems, solutions, etc; indeterminate
Intermediaries - PRIVITY vs TRUST;
Nature of Technology (ICT)
• Anonymity;
• Unlimited Scalability;
• Fiercely Competitive;
• Cheaper Communication;
• Constantly changing and evolving – “All computers to
communicate and all communication gadgets to compute!”
INTEL CEO, 2004, in Abuja. VOICE as APPLICATION!
• Operates in the physical: ATTRIBUTION vs ANONYMITY;
• Value-neutral – the Good, the Bad and the Ugly!!!;
• Shared System
Does Technology Challenge Law?
• Form: recognition of electronic materials; no denial of legal
effect on the basis of form only; ephemeral nature of
eEvidence - Data Retention & Preservation;
• Identity & Authentication: attribution of electronic activities,
undeniably, to identifiable individual actors (digital signatures
– e.g., PKI or Biometric technology)
• Liability: whether civil (cause of action) or criminal
(prohibition), specific laws must be enacted; enforceability of
electronic transactions and criminalization of electronic
illegalities; including privacy, data protection, IPRs, security,
etc
• See section 36(12) Nigerian Constitution: conduct prohibition
& legal sanction provisions
Does Technology Challenge Law?
• Authority: substantive legal authority to act and technical
capacity to investigate and prosecute – enabling the judiciary
to act – Courts only interpret LAWS!
• Legal Process: Evidential standards and Court rules and/or
procedures (civil and criminal) specifically amended;
Admissibility; Collection and Presentation of electronic
evidence in judicial proceedings;
• Jurisdiction: location of party and the effects doctrine
determines jurisdiction: whatever “substantially” affects
forum or interest therein, is within the forum’s jurisdiction,
irrespective of origin; nationality (Nigerian Cybercrime Act
2015)
Is Cybercrime a Challenge?
• Dumb question, right?
• “For years the Nigerian digital economy had carried
on with the absence of a legal and institutional
framework for cybercrime/cybersecurity;
maintaining a glaring legal and transactional gap as
well as deficiencies in our law enforcement and
national security systems – thereby causing a major
and debilitating “weak link” in our digital economy
value chain, with imponderable and unimaginable
consequences” – Basil Udotai, Esq., Technology
Times Outlook, Lagos – August 21, 2015
Is Cybercrime a Challenge?
Dr. Ibe Kachikwu
- Appointed August 4; Impersonated same day, NNPC reacted August 16
There is no operating system or technology that has not yet been
hacked! And some of the most protected and secured corporations
and government institutions have already been compromised!!!
Typical Cybercrime Framework
• Criminalization of actions – substantive provisions
(offences);
• Creation of institution with statutory powers – enforcement
authority;
• Creation of procedures for investigation – procedural
provisions;
• Jurisdiction – in personam and subject matter jurisdiction;
• International harmonization and relations – MLAT,
Extradition, Global Conventions and Protocols;
• A review of the Cybercrime Act 2015 indicates, as a matter
of checklist, that the law has met the foregoing milestones
commendably
The Cybercrime Act 2015 – the Solution?
Pat on the Back:
• First ever statutory instrument criminalizing online actions,
prescribing punishment and creating legal procedures for
investigation, prosecution and enforcement;
• International Legal Cooperation – beating the “Dual Criminality”
challenge;
• Critical Information Infrastructure Protection (CIIP);
• Institutionalized CERT and a National Forensic Lab;
• Creation of Regulatory Mandate over Cybercrime & Cybersecurity in
the Attorney General of the Federation;
• Created a Stakeholder Community through the Advisory Council;
• Truly ground breaking with potential to greatly impact
jurisprudence and legal development; governance (eGovt);
businesses and commercial activities; law enforcement and national
security; foreign direct investment and economic growth, etc
So why are we not celebrating?
Challenges:
• Decentralized and Distributed Enforcement Framework;
• Issues with compliance;
• Possible Constitutional challenge (the NSA Act);
• Impact of the Cybersecurity Fund doubtful;
• Technology-specificity, a major flaw;
• Special provisions on the Financial Sector worrisome and
needless really; and tendency for focus shifting to the
financial services sector very dangerous – compliance and
potential conflicts with CBN’s regulatory authority;
• Unnecessarily Transactional in certain areas – provisions on
eSignature, protocols for internal banking transactions; etc
not advisable in a criminal law
Legislative History
Long, tortuous and complicated Legislative History:
• 2004/5 – Cybercrime Bill 2005 by the Nigerian Cybercrime Working Group (NCWG)
• 2006 – 2008 – Computer Security Bill;
• 2009 – 2010 – More than 10 different bills (including the Electronic Fraud
Protection Bill sponsored by Senator Ayo Arise of Ekiti)
• 2011 – Harmonization of the various bills by the ONSA culminated in the
Cybersecurity Bill 2011; and
• 2012 – 2015 Attorney General initiated process resulted in the Cybercrimes Act
2015;
- The Former Attorney General and the last National Assembly could have done a
better job at this
NOTE:
I was involved in the process up to 2011; provided only nonbinding and informal
advice between 2014 – 15
INTRODUCTION
Summary of the Act
The Cybercrime Act is made up of:
• 59 Sections
• 8 Parts; and
• 2 Schedules;
1st Schedule lists the Cybercrime Advisory Council;
2nd Schedule lists businesses to be levied for the purpose of the
Cybersecurity Fund under S.44(2)(a):
• GSM service providers and all telecom companies
• Internet service providers
• Banks and other financial institutions
• Insurance companies
• Nigerian Stock Exchange
Summary of the Act
The Act is comprehensive in its coverage:
• Critical Infrastructure Protection;
• Computer related offences;
• Content related offences;
• Offences against integrity, functionality and confidentiality of
systems and networks;
• Procedural provisions – investigation, prosecution and general
enforcement;
• Jurisdiction and International Cooperation
Section-by-Section Review
Part I- Objects and Application
• Section 1: Objectives
• Section 2: Application
Part II- Protection of Critical National Information
Infrastructure
• Section 3: Designation of certain computer
systems or networks as Critical National
Information Infrastructure.
• Section 4: Audit and Inspection of Critical
National Information Infrastructure.
Section-by-Section
Part III- Offences & Penalties
• Section 5: Offences against Critical National Information Infrastructure
• Section 6: Unlawful Access to computers
• Section 7: Registration of Cybercafé
• Section 8: System Interference.
• Section 9: Intercepting Electronic Messages, Emails, Electronic Money Transfers.
• Section 10: Tampering with Critical Infrastructure
• Section 11: Willful Misdirection of Electronic Messages.
• Section 12: Unlawful interceptions.
• Section 13: Computer Related Forgery.
• Section 14: Computer Related Fraud.
• Section 15: Theft of Electronic Devices.
• Section 16: Unauthorized modification of computer systems, network data and
System interference.
• Section 17: Electronic Signatures.
• Section 18: Cyber Terrorism.
Section-by-Section
Offences & Penalties
• Section 19: Exceptions to Financial Institutions Posting and authorized options.
• Section 20: Fraudulent issuance of E- Instructions.
• Section 21: Reporting of Cyber Threats.
• Section 22: Identity theft and impersonation.
• Section 23: Child pornography and related offences.
• Section 24: Cyberstalking.
• Section 25: Cybersquatting.
• Section 26: Racist and xenophobic offences.
• Section 27: Attempt, conspiracy, aiding and abetting.
• Section 28: Importation and fabrication of E-Tools.
• Section 29: Breach of Confidence by Service Providers
• Section 30: Manipulation of ATM/POS Terminals.
• Section 31: Employees Responsibility
• Section 32: Phishing, Spamming, Spreading of Computer Virus.
• Section 33: Electronic cards related fraud.
• Section 34: Dealing in Card of Another.
• Section 35: Purchase or Sale of Card of Another
• Section 36: Use of Fraudulent Device or Attached E-mails and Websites.
Section-by-Section
Offences & Penalties/Administration
Part IV- Duties of Financial Institutions
• Section 37: Duties of Financial Institutions
Duties of Service Providers
• Section 38: Records retention and protection of data.
• Section 39: Interception of electronic communications
• Section 40: Failure of service provider to perform certain duties.
Part V- Administration and Enforcement
• Section 41: Co-ordination and enforcement.
• Section 42: Establishment of the Cybercrime Advisory Council
• Section 43: Functions and powers of the Council
• Section 44: Establishment of National Cyber Security Fund
Section-by-Section
Part VI- Arrest, Search, Seizure and Prosecution
• Section 45: Power of arrest, search and seizure.
• Section 46: Obstruction and refusal to release information
• Section 47: Prosecution of offences
• Section 48: Order of forfeiture of assets.
• Section 49: Order for payment of compensation or restitution.
Part VII- Jurisdiction and International Co-operation
• Section 50: Jurisdiction
• Section 51: Extradition.
• Section 52: Request for mutual assistance
• Section 53: Evidence pursuant to a request.
• Section 54: Form of request from a foreign state.
• Section 55: Expedited Preservation of computer data
• Section 56: Designation of contact point.
Part VIII- Miscellaneous
• Section 57: Regulations.
• Section 58: Interpretation.
• Section 59: Citation
Enforcement Framework
• Is there a conspiracy to ensure Nigeria doesn’t enforce cybercrime?
You may feel that way if you look at the enforcement framework
designed for this Law. But I think it was an error, which should be
corrected:
• Decentralized and Distributed Enforcement Framework: NSA to
coordinate enforcement by all LEA and Security Agencies (“relevant
law enforcement agencies”);
- Cybercrime investigation, prosecution and enforcement –
separated?
- Traditional approach in our Criminal Justice System;
- Usually based on CONFERRED Authority;
- Unprecedented departure from the norm, and very unlikely to
work;
- Threat of chaotic compliance
Possible Constitutional Challenge
The NSA Act
CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA
Section 315
315. (1) Subject to the provisions of this Constitution, an existing law shall have effect with such modifications as
may be necessary to bring it into conformity with the provisions of this Constitution and shall be deemed to be
(a) an Act of the National Assembly to the extent that it is a law with respect to any matter on which the National
Assembly is empowered by this Constitution to make laws; and
(b) a Law made by a House of Assembly to the extent that it is a law with respect to any matter on which a House
of Assembly is empowered by this Constitution to make laws.
(2) The appropriate authority may at any time by order make such modifications in the text of any existing law as
the appropriate authority considers necessary or expedient to bring that law into conformity with the provisions
of this Constitution.
(3) Nothing in this Constitution shall be construed as affecting the power of a court of law or any tribunal
established by law to declare invalid any provision of an existing law on the ground of inconsistency with the
provision of any other law, that is to say
(a) any other existing law;
(b) a Law of a House of Assembly;
(c) an Act of the National Assembly; or
(d) any provision of this Constitution.
(4) In this section, the following expressions have the meanings assigned to them, respectively
(a) "appropriate authority" means
(i) the President, in relation to the provisions of any law of the Federation,
(ii) the Governor of a State, in relation to the provisions of any existing law deemed to be a Law made by the
House of Assembly of that State, or
(iii) any person appointed by any law to revise or rewrite the laws of the Federation or of a State;
Constitution and the NSA Act
(b) "existing law" means any law and includes any rule of law or any enactment or
instrument whatsoever which is in force immediately before the date when this
section comes into force or which having been passed or made before that date
comes into force after that date; and
(c) "modification" includes addition, alteration, omission or repeal.
(5) Nothing in this Constitution shall invalidate the following enactments, that is to
say
(a) the National Youth Service Corps Decree 1993;
(b) the Public Complaints Commission Act;
(c) the National Security Agencies Act;
(d) the Land Use Act,
and the provisions of those enactments shall continue to apply and have full effect
in accordance with their tenor and to the like extent as any other provisions
forming part of this Constitution and shall not be altered or repealed except in
accordance with the provisions of section 9 (2) of this Constitution.
(6) Without prejudice to subsection (5) of this section, the enactments mentioned
in the said subsection shall hereafter continue to have effect as Federal
enactments and as if they related to matters included in the Exclusive Legislative
List set out in Part I of the Second Schedule to this Constitution.
Cybersecurity Fund
MAY NOT DELIVER:
- By Section 44 (a) levy of 0.005 of all electronic
transactions by the businesses specified in the
second schedule to this Act:
• GSM service providers and all telecom companies
• Internet service providers
• Banks and other financial institutions
• Insurance companies
• Nigerian Stock Exchange
With a trillion or so worth of transactions, someone
put the amount likely to accrue to the fund
at N600m
Financial Services Sector
• Technology laws are supposed to be technology neutral, not
technology specific;
• Cybercrime laws are supposed to be generic in provisions, not
particular;
• All provisions specific to technologies and particular to
processes in the Financial Sector can be excised from the Act,
without any impact on the substance of the law;
• Leaving those provisions intact is guaranteed to cause severe
harm to the sector – especially banks and payment services
providers;
• Challenges regulatory integrity of the CBN and the CBN Act;
• Criminalizes internal procedures of the banking system;
• Creates a chilling effect on investments in creative and
innovative solutions in the sector, etc
First Known Case under the Act
• The Blogger vs Fidelity Bank MD – Malicious Publication
• A Federal High Court in Lagos on August 26, 2015 ordered the
remand of a blogger, Seun Oloketuyi, in prison over alleged
malicious publication against the Managing Director and Chief
Executive Officer of Fidelity Bank Plc, Nnamdi Okonkwo.
Okonkwo had petitioned the police, and after investigation,
Oloketuyi was charged to court. According to the charge with
reference number FHC/L/346C/15, Oloketuyi in count one was
accused of intentionally sending message and other matters
by means of computer system or network against Okonkwo,
which he knew to be false, for the purpose of causing him
annoyance, insult and ill-will.
State vs Seun Oloketuyi
• The offence was said to be contrary to and punishable under
Section 24 (1) (b) of the Cybercrime (Prohibition Prevention
Etc) Act, 2015 which provides that
• “b) he knows to be false, for the purpose of causing
annoyance, inconvenience, danger, obstruction, insult, injury,
criminal intimidation, enmity, hatred, ill will or needless
anxiety to another or causes such a message to be sent:
commits an offence under this Act and shall be liable on
conviction to a fine of not more than N7,000,000.00 or
imprisonment for a term of not more than 3 years or to both
such fine and imprisonment.”
• http://www.thisdaylive.com/articles/blogger-remanded-overmalicious-publication-against-fidelity-bank-md/218491/
CONCLUSION
“The Cybercrime Act, though long in coming and beset with
major challenging components, may be applied to effectively
tackle cybercrime and cybersecurity issues in the country.
However, the chances of this happening naturally are slim to
zero. Thus, deliberate efforts must be made by the key players
- ONSA and the OAGF, working with stakeholders, to
strategically position this law to take us to this highly desirable
end” – Basil Udotai, Esq.
Those efforts must aim, amongst others, in the short run, to:
create a single enforcement authority; prevent the
enforcement of technology specific and industry particular
provisions (financial sector mostly); while proposing a
comprehensive amendment in collaboration with the National
Assembly.
THANK YOU
CONTACT:
basil@ta.com.ng
08033066004