Cybercrime in the Era of Cloud Computing: Assessing the Data Retention, Lawful Interception and Privacy Provisions of the Nigerian Cybercrime Bill 2013.
Cloud computing has emerged as an enabler for business growth across the world. Organizations, public and private institutions and governments now leverage cloud services to provide streamlined business operations to their employees and customers.
To the extent that cloud services may be used for criminal activities or targeted by organized crime, public law enforcement authorities [LEA] will want and need to obtain access to data held in cloud services, either for crime prevention or in the course of investigations.
The Cybercrime Bill 2013 proposes to introduce a harmonized legal framework that will provide an effective and unified legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria.
Part of the Bill, titled ‘Duties of Service Providers’, imposes obligations on service providers to retain traffic data and subscriber information for Law Enforcement Authority access and provides some safeguards on data protection. There are also provisions for LEA interception of communications data, including a penalty for failure of service providers to cooperate with the provisions of the Bill.
The objective of this session is to assess the data retention and privacy provisions in the Bill and determine the adequacy of the safeguards as they affect our constitutional rights to respect for private life and the protection of personal data.
What is Cloud Computing?
Cloud computing can be defined in general terms as ‘distributed processing of data on remotely located computers accessed through the Internet’.
Services offered in cloud computing can be described under three categories: Infrastructure as a Service (IaaS), covering hardware, servers and processing power; Platform as a Service (PaaS), for developing, deploying and hosting software applications; and Software as a Service (SaaS).
Each of these forms of cloud service allows customers to be billed for the resources they use. A further distinction can be made between Public Cloud, Private Cloud and Hybrid Cloud.
Cloud Computing, Cybercrime Bill and Privacy
It is pertinent to state at this stage that cloud computing does not introduce new types of cybercrime; rather, it provides new avenues for cyber criminals to perpetrate their crimes. Our focus in this discussion therefore concerns issues arising from LEA access to data held in the cloud and the security and privacy safeguards introduced in the Bill.
According to a recent European Parliament study on fighting cybercrime and protecting privacy in the cloud, ‘the main concern arising from the growing reliance on cloud computing is less the possible increase in Cyber fraud or crime than the loss of control over individual identity and data’.
RECORDS RETENTION – SAFEGUARDS
Any data retained, processed or retrieved by the service provider shall be utilized only ‘for legitimate purposes as may be provided for under this Act, any other legislation, regulation or by an order of a court of competent jurisdiction’.
Anyone exercising any function ‘shall have due regard to the individual right to privacy under the Constitution of the Federal Republic of Nigeria, 1999 and shall take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement’.
‘Any person or entity who contravenes any of the provisions of this section commits an offence and is liable on conviction to imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both fine and imprisonment’.
Issues for Consideration
Human Rights and Privacy
The absence of judicial oversight in the retention, preservation and collection of traffic data by LEA is an issue that our lawmakers should consider. Traffic data can be used for multiple purposes that can infringe on our constitutional rights. Website cookies are an example of traffic data that can be used in an unconstitutional manner. These are small pieces of data that are stored on a user’s computer while the user is browsing the Internet, and record all the websites the user visits. By analyzing cookies, it is easy to identify and profile a person’s way of life, including their sexual orientation and their ethnic and religious affiliations. Giving LEA access to such data in the course of investigation without judicial oversight can jeopardize an individual’s constitutional rights to privacy and family life as guaranteed by the 1999 Constitution.
Lack of Proportionality: Any traffic data and subscriber information held by service providers can be handed over to LEA upon request under the provisions of the Bill.
Adequacy of safeguards: Most safeguards provided do not go far enough to ensure that Fundamental Human Rights remain guaranteed. Mere reference to protecting privacy rights in the constitution is hardly enough in the absence of Data protection legislation, as the Constitution is silent on how these rights are to be protected.
The Bill provides for the real-time collection or recording of traffic data and the interception of communication content, subject to judicial oversight with their own authorization procedures.
The Bill provides for search and seizure of any computer or electronic device and relevant material found therein.
Where there is ‘verifiable urgency’ or urgent need to prevent the commission of an offence, an authorized LEO may (while a search warrant is being sought) enter and search any premises or place and ‘use or cause to use a computer or any device to search any data contained in or available to any computer system or computer network’.
This provision is likely to be used against a suspect (stored computer data) rather than a cloud service provider. Where the data on the suspect’s computer or smartphone is located in a computer system outside of Nigeria (Google Drive, Dropbox), the admissibility of such information may be challenged if the jurisdiction in which that data resides requires more stringent production orders than our law provides. Lawful and voluntary consent may be required from the person with lawful authority to disclose the data.
Under current practice, however, cloud providers generally cater for the possibility of law enforcement disclosures of customer data in their standard terms. This will help to facilitate informal co-operation with LEAs while mitigating their legal risks.
Where cloud computing is involved, LEAs will face the challenge of differentiating between data in the course of transmission and stored (traffic) data.
Kanyi Karibi-Whyte & Hastrup
25b Wumego Crescent, off Christ Avenue,
Off Admiralty Road Lekki Scheme I, Lagos, Nig.