Nigerian Cyber Crime and Privacy Legislation, Time for Review

August 9th, 2010

F. Franklin Akinsuyi (LL.B, BL, MSc, LLM) MBCS[1]

Nigeria has been in the throes of implementing technology law and computer crime legislation for the best part of half a decade. Within this period, there have been two Bills drafted in an attempt to bring our laws up to date and in line with our counterparts in other parts of the globe.

It is to be noted, however, that while these attempts acknowledge the need for such legislation, there remain a number of gaps between what the Bills propose and what is required for the laws to adequately tackle the growing risks, threats and vulnerabilities that governments, organisations and individuals face when computer crime is legislated for.

This article provides insight into current global computer crime and privacy legislation, a critique of the Draft Nigerian Bills, followed by a recommendation for review based on the implementation of a cybercrime legislation framework for Nigeria.

Global Computer Crime and Privacy Legislation

This section provides an introduction to a number of pieces of legislation that have been enacted to cater for computer crime and privacy. The format is to identify each piece of global cybercrime legislation and highlight its key sections before rounding up with the punishments it provides for and examples of breaches that have gone before the relevant authorities. It is to be noted that most of these laws have come into being due to the rise of criminal activity over the internet, identity theft and the need to protect personal information; they are a reaction to new computer crime trends. They have also recognised the need for organisations that are provided with personal information in exchange for services to become responsible for safeguarding that information, with resultant penalties for breach. There has also been a need to react to technological advances which have made previous legislation redundant in its capacity to deal with the issues.

Cybercrime Convention (EU 2004)

A good starting point on what makes up good Global Computer Crime legislation is the European Cybercrime Convention[2]. This is a Treaty entered into force on 1st July 2004 with an additional Protocol for the criminalisation of racist and xenophobic material through computer systems coming into force on 1st March 2006. It has been adopted by member states of the European Union along with the United States and South Africa[3], to address computer related crime by harmonising national laws.

The Computer Crime Convention defines a number of offences which members can include in their national laws. Examples of such computer related offences include but are not limited to the following:

  • Offences against the confidentiality, integrity and availability of computer data and systems[4]
  • Illegal access[5]
  • Illegal interception[6]
  • Data interference[7]
  • System interference[8]
  • Misuse of devices[9]
  • Computer-related offences[10]
  • Computer-related forgery[11]
  • Computer-related fraud[12]
  • Content-related offences[13]
  • Offences related to child pornography[14]
  • Offences related to infringements of copyright and related rights[15]
  • Offences related to infringements of copyright and related rights[16]
  • Computer-related offences[17]
  • Attempt and aiding or abetting[18]
  • Corporate liability[19]
  • Expedited preservation of stored computer data[20]
  • Expedited preservation and partial disclosure of traffic data[21]

A key feature of the Treaty is identifying that Legal persons can be held liable for a computer crime related criminal offence established in accordance with the convention. Such criminal activity may be committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person. This takes into account industrial espionage and other corporate illegal activity.

It is to be noted that South Africa is the only African country that has signed up to the Treaty.

Computer Misuse Act (UK 1990)

The UK Computer Misuse Act of 1990 was enacted to secure computer material against unauthorised access or modification, and for connected purposes. Prior to 1990, there were no laws in the UK relating to computer misuse. The Act identifies three main computer misuse offences:

  • Unauthorised access to computer material.
  • Unauthorised access with intent to commit or facilitate commission of further offences.
  • Unauthorised modification of computer material.

Unauthorised access offences are typically punished upon conviction with up to 6 months imprisonment and/or a maximum fine of £5000.

The other two offences are taken more seriously with jail terms of up to 5 years and unlimited fines.

Data Protection Directive (EU 1995)

The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. The directive was implemented in 1995 by the European Commission. It requires anyone who handles personal information to comply with a number of important principles. It also gives individuals rights over their personal information. In the age of the Internet and the abuses that may be derived, Europeans’ guardedness of secret government files has translated into a distrust of corporate databases. Governments in Europe have taken decisive steps to protect personal information from abuse.

Anyone who processes personal information must comply with the following eight data protection principles:

Personal information must be:

  • Processed fairly and lawfully
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Not transferred to countries without adequate protection.

It is important to note that Data Protection affords redress against breaches to these principles and as such more organisations are taking heed that they could be liable to penalties in the event of such contraventions. Indeed in the UK, the limit of such fines has been raised from £5000 to £500,000.

In the UK, Mobile Phone Company Orange was criticised for not keeping its customers’ personal information secure[22].

It was investigated after the ICO received a complaint about the way Orange processed personal information.

New staff shared user names and passwords when accessing the company IT system, which meant that information could be accessed by unauthorised members of staff.

Orange was ordered to sign an undertaking to comply with the rules of the Data Protection Act.

Several banks were also criticised for dumping customers’ personal information in bins outside their premises.

The institutions were HBOS, Alliance & Leicester, Royal Bank of Scotland, Scarborough Building Society, Clydesdale Bank, NatWest, United National Bank, Barclays Bank, Co-operative Bank, HFC Bank and Nationwide building society.

The probe followed evidence from the BBC’s Watchdog programme which found information including details of a bank transfer for £500,000 outside a Nottingham branch of the Royal Bank of Scotland.

They promised to comply with the Data Protection Act following the investigation and can be prosecuted if they fail.

Security Breach Legislation (US 2002)

In the United States, security breach notification laws have been enacted in most states since 2002. These laws were enacted in response to the escalating number of breaches to personally identifiable information located in consumer databases.

The first of such laws, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. This law requires state agencies, businesses or people who conduct business in California that own or license computerised data which includes personal information to disclose in specified ways, any breach of the security of such data, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorised person.

It is to be noted that the law permits delayed notification if a law enforcement agency determines that it would impede a criminal investigation. It also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.

In general, most state laws follow the basic principles of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.

It is to be noted that the 2009 Health Information Technology for Economic and Health Act also requires covered entities to notify affected individuals and the Secretary for Health and Human Services following a breach of unsecured protected health information[23].

Europe is in the process of passing security breach notification laws. In Nigeria, it would be wise for us to include the notification requirement in the new cybercrime bill, given that we have already suffered such issues with the recent ATM incidents and will be requiring mobile phone users to provide personal information when registering for SIM cards.

Personal Data Privacy and Security Act US (2005 updated 2009)

This legislation was enacted after security breaches at ChoicePoint (see penalty below) and LexisNexis.

The Act provides criminal penalties for identity theft involving electronic personal data by increasing penalties for computer fraud when such fraud involves personal data. It also adds fraud involving unauthorised access to personal information as a predicate offence. The Act also makes it a crime to intentionally or wilfully conceal a security breach involving personal data.

The Act also:

  • Gives individuals access to, and the opportunity to correct, any personal information held by data brokers;
  • Requires entities that maintain personal data to establish internal policies that protect such data and vet third-parties they hire to process that data;
  • Requires entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data;
  • Limits the buying, selling or displaying of a social security number without consent from the individual whose number it is, prohibits companies from requiring individuals to use social security numbers as their account numbers, places limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and bars government agencies from posting public records that contain Social Security numbers on the Internet;
  • Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers, and imposes penalties on government contractors that fail to meet data privacy and security requirements.

Consumer data broker ChoicePoint, Inc., which in 2005 acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026[24].

Identity Theft Act US 1998

Following testimony by the Federal Trade Commission in front of the US Senate, federal officials deemed it necessary to address growing concerns over identity theft scams.

The Identity Theft Act was passed in the United States to offer identity theft protection for individuals and businesses that can or have been victims to identity thieves. Fully entitled The Identity Theft and Assumption Deterrence Act, it was passed by the US Congress and signed into law by President Bill Clinton in 1998. An amendment to the law was enacted in 2003.

The law came into being due to the exponential rate at which consumers’ personal information was being exploited in the United States following the advent of the Internet and the rise of large consumer databases. It was also fuelled by increased access to computers, which now housed detailed information about individuals and their financial records.

The Identity Theft Act identifies crimes involving loans, mortgages, credit cards and lines of credit that can be prosecuted. It also includes additional crimes for which people can be prosecuted should they be caught. US Code Title 18 was amended to include any fraud committed using identification documents or personal information. It also made it illegal to knowingly transfer this information to other people without authorisation, regardless of intent.

The identity thief needs to have the intention of defrauding a person, business or government agency within the country. Criminals can be charged if they commit identity theft either through the mail, across state lines or internationally.

The Identity Theft Act allows for punishments of 5, 15, 20 or 30 years depending on the crime. It also calls for fines determined by certain factors such as the extent of financial disparity caused.

In extreme cases, there is also a statute that defines certain incidents as “Aggravated Identity Theft” which allows for consecutive sentences to be enforced upon criminals[25].

Privacy of Electronic Communications Directive (EU 2002)

This Directive repeals the Telecommunications Data Protection Directive (97/66/EC) and lays certain obligations on telecommunications companies and service providers. One of the new developments of this Directive is that it extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones.

It is to be noted that the Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services[26] in public communications networks[27] in the Community.

A brief introduction to the salient points shows how the Directive aims to ensure fundamental human rights and freedoms, particularly the right to privacy, for subscribers of electronic communications:

  • Security Measures

The Directive provides that communication service providers should adopt adequate security measures, both from a technical and an organisational point of view, that are commensurate with the risks that can accrue. With the spate of recent high profile security breaches that have occurred, it is paramount that telecommunications providers implement adequate logical and physical security measures to ensure data under their control is safe from unauthorised access, which may lead to loss of privacy. The Directive goes further to provide that users should be made aware of risks that are beyond the control of the service provider[28].

  • Confidentiality of Communications

In its attempt to maintain the privacy of personal information, the Directive requires service providers to ensure the confidentiality of communications. This, the Directive states, can be attained by making sure that communication over public telecommunications lines is free from interception and tapping, save in the instance of lawful interception[29]. The article also provides that where communication networks are used in the processing of data, the data subject shall be informed why this is being carried out. The data subject has a right to refuse such processing[30].

  • Caller and Called Line Identification

It is to be noted that an individual’s telephone number is personal data within the meaning given to it by data protection legislation. In order to protect this, the Directive further provides privacy rules in relation to caller and connected line identification. Here the Directive states that subscribers must be given the possibility of withholding the identification of their telephone numbers when making a call, along with being able to reject incoming calls where the caller has refused to show their number[31].

  • Location Data Restrictions

Where the repealed telecommunications privacy directive only related to calls in circuit switched connections, such as is found in traditional voice telephony, the new Directive covers all kinds of traffic data generated by users of mobile communication devices.

Location data is a valuable tool that can be used in the mobile phone sector to identify the location of an individual[32]. Its use can be illustrated by the Danielle Jones case in the UK: in the hunt for the missing child it was identified that calls purportedly from the girl’s phone to her uncle (later convicted of her murder) were in fact being made by her uncle from one location[33].

  • Emergency and Nuisance Calls

An exception to the privacy of caller line and location data is provided for in article 10 where the elimination of calling line identification and location data is sanctioned to trace nuisance calls and in relation to location data for it to be revealed on a temporary basis only to emergency services.

  • SPAM

Unsolicited mail (also known as Spam) has become a major problem; it causes loss of work productivity and is also an invasion of privacy.

The Directive, in recognising the harmful effects of Spam, provides that there shall be no automated communication using electronic mail or faxes for the purpose of direct marketing without the consent of the data owner[34]. The purpose of the Directive in relation to SPAM is to make sure that EU member states strengthen data protection measures in relation to SPAM. The EU legislation supports the opt-in[35] rather than the opt-out[36] approach.

  • National Security

There are certain situations that may lead to events that make safeguarding privacy of communications a secondary issue. Such situations are where national security is at risk and where criminal investigations are being carried out. Where these are determined to be taking place, law enforcement agencies may on having obtained permission by appropriate bodies breach the data subjects’ right to privacy of communications in their investigations of such events. It is to be noted that the legislation also allows for data to be retained for limited periods of time during the investigation of such situations[37].

Digital Millennium Copyright Act (US 1998)

The Digital Millennium Copyright Act was signed into law on October 28, 1998. It amended the United States Copyright Act, Title 17 of the U.S. Code, to provide, in part, certain limitations on the liability of online service providers (OSPs) for copyright infringement.

The DMCA is divided into five titles:

  • Title I, the “WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998,” implements the WIPO treaties.
  • Title II, the “Online Copyright Infringement Liability Limitation Act,” creates limitations on the liability of online service providers for copyright infringement when engaging in certain types of activities.
  • Title III, the “Computer Maintenance Competition Assurance Act,” creates an exemption for making a copy of a computer program by activating a computer for purposes of maintenance or repair.
  • Title IV contains six miscellaneous provisions, relating to the functions of the Copyright Office, distance education, the exceptions in the Copyright Act for libraries and for making ephemeral recordings, “webcasting” of sound recordings on the Internet, and the applicability of collective bargaining agreement obligations in the case of transfers of rights in motion pictures.
  • Title V, the “Vessel Hull Design Protection Act,” creates a new form of protection for the design of vessel hulls.

Amongst the DMCA’s salient points are the following:

  • Makes it a crime to circumvent anti-piracy measures built into most commercial software.
  • Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
  • Permits the cracking of copyright protection devices to conduct encryption research, assess product interoperability, and test computer security systems.
  • Provides exemptions from anti-circumvention provisions for non-profit libraries, archives, and educational institutions under certain circumstances.
  • In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.
  • Service providers, however, are expected to remove material from users’ web sites that appears to constitute copyright infringement.
  • Limits liability of non-profit institutions of higher education — when they serve as online service providers and under certain circumstances — for copyright infringement by faculty members or graduate students.
  • Requires that “webcasters” pay licensing fees to record companies.
  • Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while “maintaining an appropriate balance between the rights of copyright owners and the needs of users.”[38]

Subsection 512(c) of the Copyright Act provides limitations on service provider liability for storage, at the direction of a user, of copyrighted material residing on a system or network controlled or operated by or for the service provider, if, among other things, the service provider has designated an agent to receive notifications of claimed infringement by providing contact information to the Copyright Office and by posting such information on the service provider’s website in a location accessible to the public. The provision of information to the Copyright Office about the service provider’s designated agent is a condition for reliance on the limitations on liability for service providers.

As can be seen, a number of laws have been enacted within the last ten years aimed at countering the growing menace of computer related crime. In the same measure there has been a similar surge in privacy laws aimed at getting government and corporate bodies that use our personal information to implement appropriate technical and procedural measures to safeguard it. The laws identified here are by no means the only legislation dealing with cybercrime and privacy; rather, they have been identified by the author to provide a backdrop from which Nigerian law makers can garner suggestions for bringing our laws up to date.

Nigerian Cybercrime Bills Reviewed:

This section of the article analyses the two Draft Bills with a view to highlighting the impact they will have on governments, corporate organisations and individuals. It also emphasises areas which, in the author’s opinion, require review and amendment. It rounds up with a suggestion for a total revamp of the Drafts and the adoption of a new cybercrime framework.

As stated at the beginning of this article, two cybercrime Bills have been drafted. A critical analysis of the draft Bills highlights the disparity between them and the global legislation already discussed.

The first draft of the Bill, titled “Computer Security and Critical Infrastructure Protection Bill” 2005, raises a number of issues. Before delving into these gaps let us look at some key words and their implications.

The words “Critical Infrastructure” are very significant and bring about a number of issues for debate. The first being, how do we determine infrastructure to be critical?

There are a number of questions to ask and points to be raised before infrastructure or systems are deemed critical.

One such issue relates to the type of data held by the infrastructure or system. We need to determine what type of data it holds and the potential impact of any change or security breach.

The effect of the Bill will mean that prior to any system being defined as critical, risk assessments on a wide range of issues, including exposure to Terrorism, Business Continuity, and Unauthorised Access will need to be undertaken to determine the impact levels against information Confidentiality, Integrity and Availability. If these have not been undertaken and defined then it will be unwise to label any infrastructure or system as being critical.

Another question we need to ask is, are critical infrastructure the only environments the law will apply to when it is passed? Are we indeed stating that computer crime legislation is not to be applied to other areas, i.e. home users and non-critical infrastructure? It would be appropriate for the Bill to cover all environments that could be impacted by computer crime and privacy issues.

The definition of Critical Infrastructure should be outlined in the Interpretation section to avoid confusion.

In the author’s opinion, while the title of the Bill is wide the sections do not go deep enough to encompass the issues that a Computer Security Bill or a Critical Infrastructure Bill should include.

A comparative analysis between the first draft of the Bill and European and US computer crime and data protection legislation identifies a number of gaps. Notable among these are the following:

  • No definition of what constitutes personal data;
  • No identification of the right to privacy;
  • No definition of what constitutes the data subject’s rights;
  • No appointment of a regulatory body to redress breach (i.e. a Data Protection Commissioner);
  • No identification of the fact that organisations can also breach data protection rules;
  • No provision for circumstances where the personal data needs to be utilised without the consent of the data subject;
  • No provision, definition, or mandatory requirement of technical measures to mitigate data protection breaches.
  • There is also a lack of security breach requirements.

A critical analysis of the second draft, titled “Cybersecurity and Information Protection Agency Bill” 2008, shows that while it is much better in its ambit, it still has a number of gaps and illustrates the challenges Nigeria faces when it comes to understanding and implementing adequate and sufficient computer crime and privacy legislation. There are a number of sections within this Bill that will need to be amended, removed or added to before it can be deemed an appropriate and up to date law to deal with computer crime related activity as it applies in the 21st century.

Second Draft Overview

The new Bill is made up of 37 Sections; the following highlights the themes of its sections.

  • The first 6 sections of the Bill provide for the establishment of a cyber security and information protection agency, along with staffing requirements.
  • Sections 7-23 see the introduction of new computer related offences and associated punishments on conviction. These include but are not limited to unlawful access to computers, unauthorised disclosure of passwords, fraudulent email and spamming, computer fraud and data forgery, system interference, misuse of devices, impersonation and fraudulent access.
  • Sections 24 and 25 introduce critical information infrastructure, audit and offences.
  • Section 27 looks at civil liability.
  • Sections 28-30 identify jurisdiction, powers of court, and authorised officer search and arrest.
  • Sections 31 and 32 make way for electronic evidence and tampering with computer evidence.
  • Sections 33-36 introduce the Agency’s powers of prosecution, forfeiture of assets and payment of compensation.
  • Section 37 rounds up with definitions.

Sections for Review

There are a number of issues that need to be raised in relation to this Bill; I shall now look at sections for review and amendment along with their impact.

Section 9

Section 9 relates to Unsolicited Commercial e-mail (UCE), Unsolicited Bulk e-mail (UBE) or fraudulent email messages and spamming. Fraudulent email Spamming has for a long time been the scourge of Nigeria’s reputation. This section is a welcome development in attempting to reverse Nigeria’s somewhat tarnished Internet image. There will need to be collaboration between appropriate authorities to let all countries and bodies know that we have introduced this as a way of combating the issue. The inclusion of this section will have the impact of showing that we have an understanding of the problem and could go a long way in reversing the tainted image.

Subsection 3 states that persons who do not have commercial or transactional relations with receipts should not send spamming commercial messages.

This subsection may need to be amended to include wording to the effect that spammers should include in their message headings warnings/notices that the message sent is spam. This will be in line with other legislations on the issue.

It should be mentioned here that not all spam messages are illegal. Indeed, while many messages can be deemed to be a waste of people’s time and are basically advance fee fraud, some of them actually provide informational and commercial benefit. As such what the Bill should provide is wording to the effect that anyone sending spam should let recipients know that the message is spam. This will allow recipients a choice of whether to read or delete it when it arrives in the mailbox. Users can then configure their emails so that spam messages automatically get sent to their deleted email folders.

The subsection should then state that persons who do not warn that they are sending spam messages will be liable to the penalties for non-compliance.

A few words will need to be changed and defined for instance, the word receipts should be recipient and the word “He” should be changed to “They” to include both male and females.

Section 11

Section 11 introduces the system interference offence; this recognises the fact that an authorised person can commit an offence if they exceed their authorised duties. This has the potential to impact anyone who in their course of work configures information technology or telecommunications systems.

The introduction of this section will have an impact on the way organisations, staff and third parties develop operational and disciplinary policies and procedures. It will indeed lead to organisations defining and developing roles and duties matrices, along with putting appropriate change control policies in place. This will include Human Resources designing induction packs for new starters so that they are aware of their obligations. It will also lead to organisations having to retrain staff on the issues, so that they are aware of the disciplinary aftermath of any unauthorised actions.

It will also impact companies that specialise in conducting security penetration and vulnerability testing, and will call on them to ensure systems they are testing for loopholes and vulnerabilities have a defined scope when conducting their tests, otherwise they could be sued under the provisions of this section in the event that networks and systems outside of the scope are affected by their tests.

The section will undoubtedly lead to organisations including warnings to their staff that they can be prosecuted under this law in the event that they in any way act maliciously towards the organisation in the operation of their duties. This is especially necessary given the fact that a majority of system interference cases are caused or initiated by insiders or third parties that have confidential knowledge about an organisation’s environment.

Section 15

Section 15(1) relates to data retention. There are several concerns with this subsection that need to be discussed.

Firstly, Nigeria does not have data protection legislation. One of the principles of data protection is that personal data should not be kept for longer than is necessary, which brings into question the absence of data protection requirements within the draft Bill. Bearing in mind that the Bill provides for the establishment of an Information Protection Agency, one would have expected the requirements for how personal information is to be handled, from a legal perspective, to be spelt out.

It is therefore recommended that a section be introduced within the Bill requiring organisations to adhere to data protection principles, followed by a section that sets out those principles and the penalties for non-compliance.

A note on data protection: this is one of the key pieces of legislation Nigeria will need to enact if it really wants to be a player in the extremely lucrative outsourcing space. A lot has been written and discussed about making Africa an outsourcing outpost, with great debate about the technologies and infrastructure that must be in place before that can happen. Without the appropriate legislative framework, however, we will not get to first base. It is the author's very strong suggestion that we include provisions for data protection in our legislation before discussing the types of technology, data centres and other infrastructure required for us to partake in outsourcing. As an example, one of the principles of European data protection law (the Data Protection Directive, and the UK Data Protection Act that implements it) is that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Bearing in mind that processing of personal data constitutes a large segment of outsourcing, this makes a clear-cut case for Nigeria to implement the legislation first, before trying to identify what technologies are required.

Another point to note is that the Bill does not provide guidelines stipulating how long the various types of data may be retained.

The impact of the data retention section is that, unless retention periods for each data type are fixed, ISPs and other organisations will need to ensure they have adequate backup and data storage facilities, together with policies and procedures for keeping information. This will without a doubt raise privacy, security and cost issues.

In relation to costs, the key question is who will bear the burden: government, or the organisations required to retain the data? ISPs will therefore need to look at how this piece of legislation will affect their operations from a cost perspective.

An immediate impact of the retention issues will be on the SIM card registration directive. For example, when a subscriber is no longer a customer of a telecommunications service provider, how long will their registration data be kept by that provider? Under data protection principles, the information should not be kept for longer than necessary once the customer relationship ends, subject to any retention period that the law itself prescribes. Has this been considered for the retention of SIM card personal details?
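The gap discussed above (no fixed retention periods, and no rule for what happens when a subscriber leaves) is easier to reason about once a retention schedule is written down as data and applied uniformly. The following is an added example, not from the article or from any provider: a schedule keyed by record category, where each category states both a maximum age and the event the clock runs from (creation, or closure of the account), plus a legal-hold flag so that records requested by law enforcement are not purged by the routine job. The categories, periods and sample records are constructed assumptions; real periods would be set by the law or regulator, not chosen by the operator.

```python
"""Retention schedule applied to a telecoms provider's records.

Added example, not part of the original article. Categories, periods and
sample records are constructed for illustration.
"""
from datetime import date, timedelta

# category -> (maximum age in days, event the retention clock starts from)
# "created":        measured from when the record was made
# "account_closed": measured from when the subscriber left; kept while active
RETENTION_SCHEDULE = {
    "sim_registration":  (365, "account_closed"),  # assumed: one year after the subscriber leaves
    "call_records":      (180, "created"),         # assumed: six months from creation
    "marketing_consent": (0,   "account_closed"),  # assumed: delete as soon as the subscriber leaves
}


def retention_action(record, today, schedule=RETENTION_SCHEDULE):
    """Decide what to do with one record: 'keep', 'purge' or 'review'.

    - a record under legal hold is always kept (e.g. a law-enforcement request)
    - a category with no schedule is flagged for review rather than kept forever
    - 'account_closed' categories are kept while the subscriber is still a customer
    """
    if record.get("legal_hold"):
        return "keep"
    entry = schedule.get(record["category"])
    if entry is None:
        return "review"
    max_days, trigger = entry
    start = record.get(trigger)
    if start is None:          # clock has not started (e.g. account still open)
        return "keep"
    expiry = start + timedelta(days=max_days)
    return "purge" if today >= expiry else "keep"


def apply_schedule(records, today, schedule=RETENTION_SCHEDULE):
    """Map record id -> action for a batch of records."""
    return {r["id"]: retention_action(r, today, schedule) for r in records}


# Constructed sample records (dates chosen around the article's publication date).
SAMPLE_RECORDS = [
    {"id": "sim-1", "category": "sim_registration", "created": date(2008, 3, 2),
     "account_closed": date(2009, 6, 1)},                      # closed > 1 year ago
    {"id": "sim-2", "category": "sim_registration", "created": date(2009, 9, 9),
     "account_closed": None},                                  # still a customer
    {"id": "cdr-1", "category": "call_records", "created": date(2010, 5, 1),
     "account_closed": None},                                  # 100 days old
    {"id": "cdr-2", "category": "call_records", "created": date(2010, 1, 1),
     "account_closed": None},                                  # > 180 days old
    {"id": "cdr-3", "category": "call_records", "created": date(2010, 1, 1),
     "account_closed": None, "legal_hold": True},              # requested by law enforcement
    {"id": "mkt-1", "category": "marketing_consent", "created": date(2009, 1, 1),
     "account_closed": date(2010, 8, 1)},                      # subscriber left last week
    {"id": "log-1", "category": "web_proxy_log", "created": date(2010, 7, 1),
     "account_closed": None},                                  # no schedule defined
]

TODAY = date(2010, 8, 9)


def run_sample(today=TODAY):
    """Apply the schedule to the constructed batch."""
    return apply_schedule(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for rec_id, action in run_sample().items():
        print(f"{rec_id:6} {action}")
```

Two points the code makes that the prose does not: a category missing from the schedule is surfaced as `review` rather than silently retained, which is how undefined retention periods get found; and the legal-hold branch is checked first, so a law-enforcement request under section 15 cannot be defeated by the routine purge.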

Subsection (4), which states that ISP data retrieved for law enforcement agencies shall not be used without the consent of the individual to whom the data applies, is problematic.

The wording of this subsection will need to be rephrased. As drafted, it can be read to mean that if a suspect under investigation by law enforcement agencies does not consent to their data being accessed, then that data cannot be used.

Section 18

Section 18 introduces obligations on service providers to assist law enforcement agencies in identifying offenders. Since many breaches are internal, there should also be an obligation on all organisations to develop, implement and enforce industry-standard policies, processes and procedures for handling computer-related breaches.

Section 24

One of the most controversial and potentially dangerous sections in this Bill, and one which should raise national security concerns, is section 24. This section stipulates that information about critical infrastructure will be published in a gazette.

This will definitely need to be reworded. In a time of state-sponsored hacking, terrorism and cybercrime, the last thing we need to be doing is publishing information about our critical infrastructure in gazettes for public consumption. From my experience as a government risk assessor accrediting government systems, I can state that we need to adopt a “need to know” policy for government systems, whereby only persons who have been appropriately vetted have access to such information.

Placing critical infrastructure information in a gazette is not a smart idea. Rather, it shows a lack of understanding of the risks, threats and vulnerabilities that may accrue to critical systems. If this is the only recommendation that gets reviewed and amended from this Bill, then for national security reasons alone it will have been worthwhile.

Section 24(2)(b) mentions procedural rules and requirements for securing the integrity and authenticity of data or information. This should be amended to include the confidentiality and availability of information as well.

Confidentiality, integrity and availability are the cornerstone principles of information security, and each must be assessed when carrying out impact assessments to decide what would be affected by a breach and so classify systems for criticality.

There also needs to be an obligation on organisations that suffer a security breach involving personal information to disclose such breaches. This will allow the persons affected to take the necessary action to prevent further loss and negative impact on them.

Development of The Nigerian Cybercrime Framework

Above are a number of points that can be raised about gaps in the adequacy of Nigeria's computer crime Bills.

While review and amendment may make the Bills more meaningful, I believe we need to take the proverbial bull by the horns and develop a set of laws that will form our Cybercrime Framework and replace the current Bills.

This may be difficult given the tedious nature of passing legislation in Nigeria. It is nevertheless recommended that the legislative and Senate committees tasked with combating crime bring this issue to the forefront of their initiatives, with a view to enacting the framework within a twelve-month period. The best minds on the issue, from a legal and technical point of view and from practical experience, should be consulted and involved in the process. This is necessary so that we produce appropriate sections and wording, and anticipate the technologies on the horizon, so that the laws that constitute the framework are not obsolete and ineffective by the time they are passed.

This framework should comprise the following:

  • Computer Misuse
  • Data Protection
  • Data Retention
  • Electronic Commerce
  • Information Security
  • Lawful Interception

Impact of the legislation

Nigerian lawyers are undoubtedly losing out on lucrative cases due to the lack of legislation on cybercrime. A number of opportunities to challenge financial institutions for negligence in the implementation of online banking and the roll-out of ATM cards, which have led to customers losing money, have not been taken, either through a lack of understanding of the issues or because lawyers and judges are not adequately trained in information technology related matters.

With the advent of this legislation will come the need for universities, schools of higher learning and academic institutions to devise specific courses that allow the next generation of judges and lawyers to become skilled in what is a challenging but lucrative area.

It is the author's opinion that technology law needs to be on the curriculum of all Nigerian law faculties. As a minimum, the following modules should be mandatory, to enable law students to grasp the basics when dealing with laws relating to technology:

New Technology Law Syllabus:

  • Computer Misuse
  • Data Protection
  • Data Retention
  • Electronic Commerce
  • Information Security
  • Information Technology
  • Internet
  • IT Contract Negotiations
  • Lawful Interception
  • Telecommunications

Current judges and lawyers will also need to become familiar with these issues through cross-training, in order to get up to speed with the intricacies of computer crime so that they can take on cases and pronounce judgements.

Benefits of implementing this Framework:

The implementation of these laws will allow us to tackle computer-related criminal activity in a more structured manner. The laws will set out defined guidelines as to what constitutes unacceptable behaviour when using computers, with defined penalties for breach.

The implementation of these laws will also put us in a position to accede to the Council of Europe Convention on Cybercrime. This will give us a major boost from a reputational perspective. Many of us are also aware that Nigerian IP addresses have been blocked by credit card companies; putting these laws in place can go a long way towards showing that we have the basic apparatus for dealing with credit card fraudsters once they are apprehended. This can be used as a tool in negotiations to remove such IP blocks, so that honest, non-fraudulent Nigerians can partake in the billion-dollar e-commerce trade from their homes.

From an economic perspective, one of the aims of the 2020 vision is for Nigeria to be recognised as a growth economy with growth patterns similar to the BRIC countries (Brazil, Russia, India and China). Much has been said about the impact technology will have in accelerating this aim. It must be mentioned, however, that the current legal framework will need to be overhauled to meet the changes and challenges that technology will bring, and for that purpose our technology-related laws must be revamped if we are to meet the 2020 vision aims.

We have seen the impact of telecommunications and the interest it has received from foreign telecommunications companies and investors. The development and implementation of these laws can produce the same response from technology companies and investors. The offshoot of this is job opportunities for Nigerians and the development of new services and technology-related products for the benefit of all.

With the development of these laws, we will be seen as a nation that does not solely depend on oil, but rather as one that wants to embrace and diversify into the new areas of technology. It will enable us to showcase our move into technology governance from a sound legal base thus providing us a positive image.

Conclusion

It is imperative that we get this legislation right, as a host of other African countries are looking to implement similar legislative frameworks. We need to lead by example as the self-styled Giant of Africa.

Nigeria cannot afford to be in anything but first place as the potential rewards from an outsourcing perspective are there for the taking to the country that is chosen to spearhead the African outsourcing renaissance.

It should be noted that it is the absence of appropriate computer crime and privacy legislation rather than the lack of technology that prevents us partaking in this area.

We should also note that we are not alone in trying to implement these types of laws and are by no means in a unique position in Africa. Indeed, many African nations are in the development stages of rolling out their technology laws. We are in an arms race; it is my forecast that the country that develops the most cohesive set of laws in this area will be spotlighted for outsourcing opportunities. Ladies and gentlemen, the time has come for us to be counted; we urgently need to implement these laws to rejuvenate our economic chances for the future, with the possibility of becoming true powerbrokers in this area.

Copyright 2010


[1] F. Franklin Akinsuyi is Founder and Course Director at DataLaws a UK based Information Technology Law Consultancy. Franklin can be contacted by email at fakinsuyi@datalaws.com

[2] For more information see http://conventions.coe.int/Treaty/EN/Treaties/html/185.htm

[3] For full List of signatories see www.coe.int

[4] Title One

[5] Article 2

[6] Article 3

[7] Article 4

[8] Article 5

[9] Article 6

[10] Title Two

[11] Article 7

[12] Article 8

[13] Title Three

[14] Article 9

[15] Title 4

[16] Article 10

[17] Title 5

[18] Article 11

[19] Article 12

[20] Article 16

[21] Article 17

[22] See http://news.bbc.co.uk/1/hi/uk/6287504.stm

[23] See http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

[24] http://www.ftc.gov/opa/2006/01/choicepoint.shtm

[25] http://www.wisegeek.com/what-is-the-identity-theft-act.htm

[26] According to European law, “electronic communications service” means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but excluding services providing, or exercising editorial control over, content transmitted using electronic communications networks and services. Article 2(c), Directive 2002/21/EC.

[27] According to European law, “public communications network” means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. Article 2(d), Directive 2002/21/EC.

[28] Article 4 (1&2) Directive on Privacy and Electronic Communications

[29] Article 5 (1)

[30] Article 5 (2)

[31] Article 8

[32] See “Location Data is as sensitive as content data”, Alberto Escudero Pascual, Royal Institute of Technology, 22nd November 2001, available at www.it.kth.se/~aep/publications/EU-forum/20011127/EU-forum-locationdata.pdf

[33] See bbc.news.co.uk/2/low/technology/2593653.stm

[34] Article 13 Directive on Privacy and Electronic Communications

[35] In an opt-in regime, the consumer must affirmatively give permission to be sent information about new products or sales, or to share the consumer’s information with other companies in a business relationship with the company where that consumer has an opt-in agreement. Generally, a consumer must click on web site boxes or send an e- mail request to the company, or its affiliates in order to authorise consumer e-mail.

[36] In an opt-out regime, the privacy policy will indicate that the consumer is presumed to want information about sales or new products which will be sent unless the consumer “opts out” of receiving such.

[37] Article 15 (2) Directive on Privacy and Electronic Communications

[38] http://www.gseis.ucla.edu/iclp/dmca1.htm


4 Responses to “Nigerian Cyber Crime and Privacy Legislation, Time for Review”

  1. I says:

    I love what you guys are always doing.

  2. Akinbolusere Olufisayo says:

    I am doing a review on privacy and data protection in Nigeria and a comparison with other nations of the world. I would like to call your attention to the draft of the National Information Technology Policies (http://www.commtech.gov.ng/downloads/National_ICT_Policy_DRAFT_090112.pdf). I haven't gone through each page, but from the preview of the task given to the committee, nothing was said about data protection. This would be a huge oversight and should be addressed before signing it.

  3. Dick says:

    Hi! Do you know if they make any plugins to safeguard against hackers? I'm kind of paranoid about losing everything I've worked hard on. Any suggestions?
