- Advertisement -
Home Events PROSECUTING CYBERCRIME IN NIGERIA - By: Olusegun Adeyemi, Partner, Kanyi Karibi-Whyte &...

PROSECUTING CYBERCRIME IN NIGERIA – By: Olusegun Adeyemi, Partner, Kanyi Karibi-Whyte & Hastrup

- Advertisement -

 

BACKGROUND
The Cybercrime Bill, 2013 will soon (hopefully) be enacted into law, having passed through the legislative processes and now awaits the President’s assent. The need to formulate a policy for Cybercrime in Nigeria dates back to the work of the National Cybercrime Working Group (NCWG) set up by the former President Obasanjo administration in 2004 with the mandate to identify a framework policy that will deal with Cybercrime and related issues. The output of the group was the National Cybercrime Initiative (NCI)which, according to the Coordinator of the NCWG at the time ‘was to identify and outline appropriate legal and institutional framework to deliver its objectives of securing computer systems and networks and protect critical infrastructure in Nigeria, The NCI is to be delivered through the following policy measures,
•    Introduce or upgrade substantive and procedural law that will criminalize unauthorized conduct involving the use of computers.
•    Institutional capacity building that will ensure law enforcement and related mandates authorised by statute in the offline environment are migrated to the online environment as well.
•    Public Private Partnership  to build consensus, agree on standards, rules and best practices for cyber security
•    Public Enlightenment and,
•    International Law Enforcement Cooperation (NCWG presentation at the 8th Nigerian Software Exhibition – NISE 2004 Muson Center, Onikan, Lagos. September 3, 2004.

The initial draft of the Cybercrime Bill, sponsored by the NCWG in 2004 was proposed to the National Assembly in 2004 and had as its objective to provide the legal framework for the establishment of an independent Cybercrime agency and introduce legislation concerning Cybercrime and Cyber-Security.
The Bill has since gone through several changes by successive administrations and now awaits this administration’s president’s assent under the revised name, Cybercrime Bill, 2013.

Cybercrime4

The objectives of the proposed law are to:
•    Provide an ‘effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria.
•     Ensure the protection of critical national information infrastructure; and
•    promote cyber security and the protection of computer systems and networks, electronic communications; data and computer programs, intellectual property and privacy rights’

Assuming the Law is enacted under the present administration (which ends in May 2015) It is hoped that the proposed institutional agencies that will support the administration of this law have fully considered the issues concerning computer related crime so that whatever strategy is deployed to manage those issues are workable and will send the right signal to the international community about Nigeria and Nigerians’ commitment to address Cybercrime issues through measures like this proposed law

According to the United Nations Office on Drugs and Crime (UNODC) comprehensive study on Cybercrime 2013, the functions of Cybercrime legislation include:
·    Setting clear standards of behaviour for the use of computer devices
·    Deterring perpetrators and protecting citizens
·    Enabling law enforcement investigations while protecting individual privacy
·    Providing fair and effective criminal justice procedures
·    Requiring minimum protection standards in areas such as data handling and retention
·    Enabling cooperation between countries in criminal matters involving cybercrime and electronic evidence

This paper will carry out an overview of the substantive law provisions in the Cybercrime Bill and assess the adequacy of those provisions relative to the key Cybercrime issues in Nigeria.

What is Cybercrime?
From a legal definition perspective, there appears to be no clear definition of what constitutes Cyber Crime. In most Cybercrime models what is actually criminalized are specific forms of conduct that either target the integrity of computer and communications systems or conventional crimes that utilize computer and communications technology to achieve their aims.

Cybercrime1

Cybercrime Bill, 2013: Substantive Law Provisions
As an introduction to the Cybercrime Bill, 2013 and, for the purpose of this paper, what is considered Cybercrime and the categorization used to distinguish between different types of activities that constitute this offence will be taken from the regulatory model that has been adopted as the primary international legal instrument and the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks in the area, and which has also influenced the Cybercrime Bill, the Council of Europe Convention on Cybercrime 2001 (The Convention)

The Cybercrime Bill which is modelled on the Convention, is divided into 8 parts and includes a schedule, covering provisions on substantive Law, Procedural and Mutual legal assistance. In this edition, we will focus mainly on Part III of the Bill titled OFFENCES AND PENALTIES

PART III – OFFENCES AND PENALTIES
A.:  Computer integrity offences under the Convention are described as ‘dangerous threats to and attacks against the security (i.e. the confidentiality, integrity and availability) of computer systems and data
In the Bill, Computer system is defined in the interpretation section (S42) as ‘any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data. Some of the Computer integrity offences criminalized in the Bill are:
•    Offences against Critical Information Infrastructure
One of the key drivers behind the new legislative initiative in the fight against Cybercrime is the recognition of societal dependence on computer and communication technologies. With the threat of terrorism on the agenda for most countries and the need to protect critical information infrastructure against terrorist attacks, many countries have adopted policies and measures aimed at protecting their country’s critical information infrastructure.

Section 5 of the Bill introduces the offence punishable upon conviction of not less than 15 years for any person who commits an offence against the country’s critical national information infrastructure (Section 5:1-2). Where death occurs as a result of the offence, the penalty is death S5 (2).

Part II (Section 3) of the Bill vests power in the president on the recommendation of the National Security Adviser, to designate certain computer systems or networks as critical national information infrastructure. The President may inter alia make orders on the minimum standards, guidelines, rules or procedure in respect of the protection and preservation of, and the general management of critical national infrastructure. This includes the power to issue presidential orders with respect to access to, transfer and control of data in any critical information infrastructure.
Critical national information infrastructure is defined in Section 42 of the Bill to include ‘assets, systems and networks, whether physical or virtual, so vital to the security , defense or international relations of Nigeria; the provisions of service directly related to communications infrastructure, banking and financial services, public utilities, public transportation or public key infrastructure or the protection of public safety including systems related to essential emergency services such as police, civil defense and medical services.’ It is expected that critical Banking applications, Air traffic control systems, telephone and communications systems and cloud services platforms will be categorized under this definition   •  Unlawful access to     a computer (Section 6)

This section (Similar to the UK Computer misuse Act 1990) introduces three elements of criminal liability namely, unauthorized access to computer per se, unauthorised modification and unauthorised access with intent to commit a further offence
Section 6(1) makes it an offence for any person who ‘without authority or in excess of authority’ intentionally accesses in whole or in part, a computer system or network or

Where it is established that the unlawful access was committed with the intent to steal confidential data, or obtain computer data, the punishment shall be no less than three years in jail or Seven Million Naira fine or both (6.2)

Where the offence involves the use of any device ‘to avoid detection, or otherwise prevent identification with the act or omission’, the minimum tariff upon conviction shall be imprisonment for a term of not less than three years or seven million Naira fine or both (Section 6.3)

An issue that can arise from the application of Section 6 in terms of enforcement will be how to determine excess of authority where an accused works in an organization that is the victim of the unauthorized access. It is advisable for most business organizations and indeed governmental departments to define limits of staff access to Computer program or data in either their contracts of employment or some other code of conduct policy. Whilst criminal prohibition of unauthorized access is able to give additional protection to the system and the data, it should be understood that the most effective means of preventing unauthorized access is, of course, the introduction and development of effective security measures.

Cybercrime

Section 7 Unlawful interception of communications
According to the explanatory note to the Convention, this provision aims to protect the right of privacy of data communication. The right to privacy of correspondence is enshrined in Section 37 of 1999 Constitution.

In protecting privacy of correspondence the section provides ‘Any person, who intentionally and without authorization or in excess of authority, intercepts by technical means, transmissions of non-­public computer data, content data or traffic data, including electromagnetic emissions or signals from a computer, computer system or network carrying or emitting signals, to or from a computer, computer system or connected system or network; commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5,000,000.00 or to both fine and imprisonment’.

The provisions in this section can apply to the illegal use of key loggers and wireless interception tools that intercept communications between ‘non-public’ computers. In the explanatory report to the Convention, the term ‘non-public’ qualifies the nature of the transmission (communication) process and not the nature of the data transmitted. The data communicated may be publicly available information, but the parties wish to communicate confidentially. Examples of activities that will fall under this offence include interception of pay per view services or correspondence between employees of an organization intercepted by a third party

Cyber Crime

Section 8 Unauthorized modification of computer data
The unauthorized modification of Computer Data ‘directly or indirectly’ with intent to cause modification of data or where the person ‘engages in damaging, deletion, deteriorating, alteration, restriction or suppression of data within computer systems or networks, including data transfer from a computer system…. without authority or in excess of authority’ on the computer is criminalized. Minimum tariff on conviction is three years imprisonment of 7 Million Naira fine or both.

Data Modification takes place where;
(i) program or data held in a computer is altered or erased;
(ii) program or data is added to or removed from any program or data held in the computer or network; or
(iii) an act occurs which impairs the normal operation of any computer, computer system or network concerned

Section 9 System Interference
‘Any person who without authority or in excess of authority, intentionally does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference in the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5,000,000.00 or to both fine and imprisonment’

In this section, the intentional hindering of the lawful use of computer systems including telecommunications facilities by using or influencing computer data where it is done intentionally and without right, is criminalized.  Activities that will fall into this section include Denial of Service attacks (DOS) and Spamming. The trigger for criminal liability for this offence is the intent to ‘seriously hinder’ the functioning of a computer system.

Section 10 Misuse of Devices
This section establishes multiple independent offences relating to the intentional commission of specific illegal acts regarding certain devices (e.g. Hacking tools). The offences include
Section 10.1 The unlawful production, sale, procurement for use, import, distribution or otherwise making available of:

a.. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the Computer integrity offences established in accordance with sections 6-9; of the Cybercrime Bill

b. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences established above or

c. the possession of an item referred to in paragraphs (a) or (b) above, with intent that it be used for the purpose of committing any of the Computer integrity offences established above, is criminalized and liability on conviction is for a term of imprisonment of not less than three years or a fine of not less than N7, 000,000.00 or to both imprisonment and fine.

10.2    In possession of any of the devices described in 10.1 above with intent to commit any of the Computer integrity offences established above

10.3 knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer or network for any unlawful purpose or gain

10.4    Where substantial loss occurs as a result of the offences established in section 10.1, liability upon conviction is for a term of imprisonment of not less than 5 years or fine of 10 Million Naira or both.,

10.5 Using any automated means or device with intent to commit an offence or software to retrieve, collect and store password, access code or any means of gaining access to any program, data or database held in any computer

B.    Computer Related Offences
Following Convention model, these types of crime are committed using computers as the instrument of crime rather than the target of criminal activities. Activities criminalized under this category in the Convention include Forgery, Fraud (including identity fraud)

Cybercrime Bill: Section 11 Forgery & Section 12- Computer related Fraud

These sections criminalize the activity in which ‘Any person who knowingly accesses any computer or network and inputs, alters, deletes or suppresses any data resulting in inauthentic data with the intention that such inauthentic data will be considered or acted upon as if it were authentic or genuine, regardless of whether or not such data is directly readable or intelligible, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7,000,000.00 or to both fine and imprisonment’.

As with Computer related fraud, Computer related forgery aims to criminalize any undue manipulation of data in the course of data processing with the intention to effect an illegal transfer of property. The minimum tariff on  conviction for this offence is imprisonment for a term of not less than three years or to a fine of not less than N7,000,000.00 or to both fine and imprisonment’
Section 13 – Identity Theft and Impersonation

Identity theft occurs when someone unlawfully obtains another’s personal information and uses it to commit theft or fraud. Identity theft can involve credit/debit card fraud, Internet fraud, or mail theft, among other crimes. As an alternative charge to fraud, identity theft is something that is currently out of scope of our criminal laws in Nigeria and provides difficulties of interpretation under current Laws. The lacuna arising from our Constitutional guarantee on Privacy underscores the need to have a regulatory framework on data protection

Section 13 provides; ‘any person who….
(a) Knowingly obtains or possesses another person’s or entity’s information with intent to deceive or defraud, or
(b) Fraudulently impersonates another entity or person, living or dead, with intent to –
(I) Gain advantage for himself or another person;
(ii) Obtain any property or an interest in any property;;
(iii) Cause disadvantage to the entity or person being impersonated or another person; or
(iv) Avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice,
commits an offence and liable on conviction to imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both fine and imprisonment.
Other Computer related offences provided in the Bill include cyber stalking, cyber squatting and cyber terrorism
C.    Content Related Offences

Cybercrime2

Child Pornography
The distribution of pornography using information systems, particularly the Internet, is one of the most prevalent forms of content-related computer crimes, as well as attracting a high public profile in most jurisdictions.

Article 9 of the convention focuses on child pornography issues and directs signatories to the Convention to adopt protective measures for ‘children, including their protection against sexual exploitation, by modernizing criminal law provisions to more effectively circumscribe the use of computer systems in the commission of sexual offences against children’ The convention also defines child pornography to include material that visually depicts ‘a person appearing to be a minor engaged in sexually explicit conduct’

By comparison, Section 14 (1) of the Cybercrime Bill makes it an offence for any person who intentionally uses any computer or network system in or for-­
(a) producing child pornography for the purpose of its distribution;;
(b) offering or making available child pornography;
© distributing or transmitting child pornography;
(d) procuring child pornography for oneself or for another person;
(e) possessing child pornography in a computer system or on a computer-­data storage medium;
Is guilty of an offence under this section, in the case of paragraphs (a-c) to imprisonment for a term of ten years or a fine of not less than N20, 000,000.00 or to both fine and imprisonment, and, (ii) in the case of paragraphs (d) and (e) of this subsection, to imprisonment for a term of not less than five years or a fine of not less than N10, 000,000.00 or to both fine and imprisonment.

Cybercrime3

It is interesting to note that whilst there is no definition of ‘Child Pornography’ in the interpretation section of the Bill, the words ‘sexually explicit conduct’ also does not appear  anywhere in Section 14 of the Bill, however, sexually explicit conduct in the interpretation section  is defined to include ‘at least the following real or simulated acts-­
(a) sexual intercourse, including genital-­genital, oral-­genital, anal-­genital or oral-­anal, between children, or between an adult and a child, of the same or opposite sex;;
(b) bestiality;;
(c) masturbation;
(d) sadistic or masochistic abuse in a sexual context;; or
(e) lascivious exhibition of the genitals or the pubic area of a child. It is not relevant whether the conduct depicted is real or simulated’

The omission of the definition of Child Pornography in the Bill and the absence of the words ‘sexually explicit conduct’ anywhere in section 14 may be an oversight on the  part of the framers of the Bill and will almost certainly constitute and should be reviewed.

D.    Copyright and Related Offences

The last category of activities the convention directs its signatories to harmonize into local laws is Offences related to infringements of copyright and related rights.
Property rights (like Copyright) infringements are arguably the most committed offence on the internet. Most jurisdictions have updated Copyright infringement laws by criminalizing the infringement of Copyright and related offences when done ‘intentionally’ and ‘without right’ on a commercial level. Under Nigeria’s Copyright Law (Copyright Act CAP 68, Laws of the Federation of Nigeria 1990 (As amended by Copyright (Amended) Decree No 42 of 1999), Copyright is infringed if it is done without the license or authorization of the Copyright owner. Criminal liability is attached if the infringement is done on a commercial scale.

Although the Bill is silent on this issue, it may be possible to bring prosecution under Section 10 (Misuse of Devices).  Section 10 (1)(C) provides; ‘Any person who unlawfully produces, supplies, adapts, manipulates or procures for use, imports, exports, distributes, offers for sale or otherwise makes available…. any device designed primarily to overcome security measures in any computer, computer system or network with the intent that the devices be utilized for the purpose of violating any provision of this Act’. This provision is somewhat similar to EU Directive 2001/29/EC on the harmonization of certain aspects of copyright and related rights in the information society calling on members to criminalize the manufacture, sale or related acts, of devices and services designed to circumvent ‘effective technological measures. A ‘technological measure’ is defined “any technology, device or component which is designed, in the normal course of its operation, to protect a copyright work other than a computer program.

It would have been ideal to harmonize the existing Copyright legislation into the Cybercrime Bill since the Convention offers a model law on Cybercrime that encapsulates most of the issues associated with computer and communications technology and provides good reference point for our law makers.

E.    Racist and xenophobic Offences

In 2003, an additional protocol to the Cybercrime Convention opened up for signature of participating members, that criminalized acts of a racist and xenophobic nature committed through Computer systems.
Article 2 of the Protocol defines “racist and xenophobic material” as ‘any written material, any image or any other representation of ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or group of individuals, based on race, colour, descent or national or ethnic origin, as well as religion if used as a pretext for any of these factors’.

Section 18(2) of the Cybercrime Bill was lifted verbatim from the Protocol. Section 18(1a-d) Makes it an offence for any person to distribute or otherwise make available, threaten persons or a group of persons, insult publicly, through a Computer system or network, distribute or otherwise make available through a computer system to the public, material which denies, approves or justifies acts constituting genocide or crimes against humanity. Minimum tariff upon conviction is imprisonment for a term of not less than five years or to a fine of not less than N10, 000,000.00 or to both fine and imprisonment.

It is possible that this provision was inserted to meet the requirement for Mutual Legal Assistance. An important factor which can affect mutual legal assistance is the degree to which a jurisdiction has updated its legislation to take account of Cybercrime. Where one jurisdiction’s laws criminalize Cybercrime and another’s does not, mutual legal assistance may not be possible.

Conclusion
The Cybercrime Bill, 2013 provides a good model for the prosecution of Cybercrime and Cyber security in Nigeria. The substantive Law provisions are adequate deterrent to perpetrators of Cybercrime. The challenges that may arise from the application of the law will depend mainly on the proposed institutional agencies that will support the administration of the law and whether they have fully considered the issues concerning computer related crime.

By:
Olusegun Adeyemi
Partner,
Kanyi Karibi-Whyte & Hastrup
Barristers|Solicitors|Notaries Public
25b Wumego Crescent, off Christ Avenue,
Off Admiralty Road,
Lekki Scheme I, Lagos, Nig.
Mail:segun.adeyemi@kkh.com.ng

-Advertisement-

New mag

Newswire Law and Events Magazine is Out. It's a collector's item. Get one - or two,or more - for yourself and loved ones.

Do you want to be heard, your events covered, your articles published, or need to advertise your products and services on our Blog and Magazine, reach out to us at Newswire Law and Events, you will be glad you did. For more details about our services, please call: 08039218044, 09070309355. Email: newswiremagazine@yahoo.co.uk

- Advertisement -
Avatar
- Advertisement -

Stay Connected

16,985FansLike
2,458FollowersFollow
61,453SubscribersSubscribe

Must Read

- Advertisement -

Related News

- Advertisement -

LEAVE A REPLY

Please enter your comment!
Please enter your name here