Dealing with the Challenge of Cybercrime in Nigeria under the

new Cybercrime Act 2015

The Lagos Chamber of Commerce & Industry2015 Seminar of the Financial Services Group

September 3, 2015Lagos

Basil Udotai, Esq.,Managing Partner, Technology Advisors LLP

ICT LAWYERS & CONSULTANTS

Summary of Presentation

• Nature of Technology (ICT)• Does Technology (ICT) Challenge Law?• Is Cybercrime a Challenge in Nigeria?• Typical Cybercrime Framework – Legal & Institutional;• Nigerian Cybercrime Act 2015 – the solution?• Legislative History of the Act;• General Review of the Law;• Financial Services Sector under the Act – the “Danger of a

single story” – Chimamanda Adichie;• First known case currently being tried under the Act;• Conclusions

Nature of Technology (ICT)• Global – reaches across multiple jurisdictions and legal

systems – issues with applicable law and jurisdiction – e.g. the Law of Torts and the “Neighbor Principle” as basis for liability;

• Knowledge based – proprietary (Apple vs Samsung) • Digital/Electronic – Traditionally law regulates tangibles;• Fast Paced and Real Time – efficiency generation and

transaction completion (reversal challenges); • Inherent Insecurity vs Interoperability; • Mired by Legal Externalities - 3rd Party Technologies –

software, systems, solutions, etc; indeterminate Intermediaries - PRIVITY vs TRUST;

Nature of Technology (ICT)

• Anonymity; • Unlimited Scalability;• Fiercely Competitive;• Cheaper Communication; • Constantly changing and evolving – “All computers to

communicate and all communication gadgets to compute!” INTEL CEO, 2004, in Abuja. VOICE as APPLICATION!

• Operates in the physical: ATTRIBUTION vs ANONYMITY; • Value-neutral – the Good, the Bad and the Ugly!!!; • Shared System

Does Technology Challenge Law?

• Form: recognition of electronic materials; no denial of legal effect on the basis of form only; ephemeral nature of eEvidence - Data Retention & Preservation;

• Identity & Authentication: attribution of electronic activities, undeniably, to identifiable individual actors (digital signatures – e.g., PKI or Biometric technology)

• Liability: whether civil (cause of action) or criminal (prohibition), specific laws must be enacted; enforceability of electronic transactions and criminalization of electronic illegalities; including privacy, data protection, IPRs, security, etc

• See section 36(12) Nigerian Constitution: conduct prohibition & legal sanction provisions

Does Technology Challenge Law?

• Authority: substantive legal authority to act and technical capacity to investigate and prosecute – enabling the judiciary to act – Courts only interpret LAWS!

• Legal Process: Evidential standards and Court rules and/or procedures (civil and criminal) specifically amended; Admissibility; Collection and Presentation of electronic evidence in judicial proceedings;

• Jurisdiction: location of party and the effects doctrine determines jurisdiction: whatever “substantially” affects forum or interest therein, is within the forum’s jurisdiction, irrespective of origin; nationality (Nigerian Cybercrime Act 2015)

Is Cybercrime a Challenge?

• Dumb question, right?• “For years the Nigerian digital economy had carried on

with the absence of a legal and institutional framework for cybercrime/cybersecurity; maintaining a glaring legal and transactional gap as well as deficiencies in our law enforcement and national security systems – thereby causing a major and debilitating “weak link” in our digital economy value chain, with imponderable and unimaginable consequences” – Basil Udotai, Esq., Technology Times Outlook, Lagos – August 21, 2015

Is Cybercrime a Challenge?Dr. Ibe Kachikwu

- Appointed August 4; Impersonated same day, NNPC reacted August 16

There is no operating system or technology that has not yet been hacked! And some of the most protected and secured corporations and governments institutions have already been compromised!!!

Typical Cybercrime Framework• Criminalization of actions – substantive provisions

(offences); • Creation of institution with statutory powers –

enforcement authority;• Creation of procedures for investigation – procedural

provisions;• Jurisdiction – in personam and subject matter jurisdiction;• International harmonization and relations – MLAT,

Extradition, Global Conventions and Protocols;

• A review of the Cybercrime Act 2015 indicates, as a matter of checklist, that the law has met the foregoing milestones commendably

The Cybercrime Act 2015 – the Solution?

Pat on the Back: First ever statutory instrument criminalizing online actions,

prescribing punishment and creating legal procedures for investigation, prosecution and enforcement;

International Legal Cooperation – beating the “Dual Criminality” challenge;

Critical Information Infrastructure Protection (CIIP); Institutionalized CERT and a National Forensic Lab; Creation of Regulatory Mandate over Cybercrime & Cybersecurity

in the Attorney General of the Federation; Created a Stakeholder Community through the Advisory Council; Truly ground breaking with potential to greatly impact

jurisprudence and legal development; governance (eGovt); businesses and commercial activities; law enforcement and national security; foreign direct investment and economic growth, etc

So why are we not celebrating?

Challenges: Decentralized and Distributed Enforcement Framework; Issues with compliance; Possible Constitutional challenge (the NSA Act); Impact of the Cybersecurity Fund doubtful; Technology-specificity, a major flaw; Special provisions on the Financial Sector worrisome and

needless really; and tendency for focus shifting to the financial services sector very dangerous – compliance and potential conflicts with CBN’s regulatory authority;

Unnecessarily Transactional in certain areas – provisions on eSignature, protocols for internal banking transactions; etc not advisable in a criminal law

Legislative HistoryLong, tortuous and complicated Legislative History: • 2004/5 – Cybercrime Bill 2005 by the Nigerian Cybercrime Working Group (NCWG)• 2006 – 2008 – Computer Security Bill;• 2009 – 2010 – More than 10 different bills (including the Electronic Fraud

Protection Bill sponsored by Senator Ayo Arise of Ekiti)• 2011 – Harmonization of the various bills by the ONSA culminated in the

Cybersecurity Bill 2011; and• 2012 – 2015 Attorney General initiated process resulted in the Cybercrimes Act

2015;- The Former Attorney General and the last National Assembly could have done a

better job at this

NOTE:I was involved in the process up to 2011; provided only nonbinding and informal

advise between 2014 – 15

INTRODUCTIONSummary of the Act

Summary of the ActThe Cybercrime Act is made up of:• 59 Sections• 8 Parts; and • 2 Schedules;

1st Schedule lists the Cybercrime Advisory Council;

2nd Schedule lists businesses to be levied for the purpose of the Cybersecurity Fund under S.44(2)(a):• GSM service providers and all telecom companies• Internet service providers• Banks and other financial institutions• Insurance companies• Nigerian Stock Exchange

Summary of the Act

The Act is comprehensive in its coverage:• Critical Infrastructure Protection;• Computer related offences;• Content related offences;• Offences against integrity, functionality and confidentiality of

systems and networks;• Procedural provisions – investigation, prosecution and

general enforcement;• Jurisdiction and International Cooperation

Section-by-Section Review

Part I- Objects and Application• Section 1: Objectives• Section 2: ApplicationPart II-protection of critical National Information

Infrastructure• Section 3: Designation of certain computer

systems or networks as Critical National Information Infrastructure.

• Section 4: Audit and Inspection of Critical National Information Infrastructure.

Section-by-SectionPart III- offences & Penalties • Section 5: Offences against Critical National Information Infrastructure • Section 6: Unlawful Access to computers• Section 7: Registration of Cybercafé• Section 8: System Interference.• Section 9: Intercepting Electronic Messages, Emails Electronic Money Transfers.• Section 10: Tampering with Critical Infrastructure• Section 11: Willful Misdirection of Electronic Messages.• Section 12: Unlawful interceptions. • Section 13: Computer Related Forgery.• Section 14: Computer Related Fraud.• Section 15: Theft of Electronic Devices.• Section 16: Unauthorized modification of computer systems, network data and

System interference.• Section 17: Electronic Signatures.• Section 18: Cyber Terrorism.

Section-by-SectionOffences & Penalties

• Section 19: Exceptions to Financial Institutions Posting and authorized options.• Section 20: Fraudulent issuance of E- Instructions.• Section 21: Reporting of Cyber Threats.• Section 22: Identity theft and impersonation.• Section 23: Child pornography and related offences.• Section 24: Cyberstalking.• Section 25: Cybersquatting.• Section 26: Racist and xenophobic offences.• Section 27: Attempt, conspiracy, aiding and abetting.• Section 28: Importation and fabrication of E-Tools.• Section 29: Breach of Confidence by Service Providers• Section 30: Manipulation of ATM/POS Terminals.• Section 31: Employees Responsibility• Section 32: Phishing, Spamming, Spreading of Computer Virus.• Section 33: Electronic cards related fraud.• Section 34: Dealing in Card of Another.• Section 35: Purchase or Sale of Card of Another• Section 36: Use of Fraudulent Device or Attached E-mails and Websites.

Section-by-SectionOffences & Penalties/Administration

Part IV- Duties of Financial Institutions• Section 37: Duties of Financial Institutions

Duties of Service Providers• Section 38: Records retention and protection of data.• Section 39: Interception of electronic communications• Section 40: Failure of service provider to perform certain duties.

Part V- Administration and Enforcement• Section 41: Co-ordination and enforcement.• Section 42: Establishment of the Cybercrime Advisory Council• Section 43: Functions and powers of the Council• Section 44: Establishment of National Cyber Security Fund

Section-by-SectionPart VI- Arrest, Search, Seizure and Prosecution• Section 45: Power of arrest, search and seizure.• Section 46: Obstruction and refusal to release information• Section 47: Prosecution of offences• Section 48: Order of forfeiture of assets.• Section 49: Order for payment of compensation or restitution.

Part VII- Jurisdiction and International Co-operation• Section 50: Jurisdiction• Section 51: Extradition.• Section 52: Request for mutual assistance• Section 53: Evidence pursuant to a request.• Section 54: Form of request from a foreign state.• Section 55: Expedited Preservation of computer data• Section 56: Designation of contact point.

Part VIII- Miscellaneous • Section 57: Regulations.• Section 58: Interpretation.• Section 59: Citation

Enforcement Framework• Is there a conspiracy to ensure Nigeria doesn’t enforce cybercrime?

You may feel that way if you look at the enforcement framework designed for this Law. But I think it was an error, which should be corrected:

• Decentralized and Distributed Enforcement Framework: NSA to coordinate enforcement by all LEA and Security Agencies (“relevant law enforcement agencies”);

- Cybercrime investigation, prosecution and enforcement – separated?

- Traditional approach in our Criminal Justice System;- Usually based on CONFERED Authority;- Unprecedented departure from the norm, and very unlikely to

work;- Threat of chaotic compliance

Possible Constitutional ChallengeThe NSA Act

• CONSTITUTION OF THE FEDERAL REPUBLIC OF NIGERIA• • Section 315• • 315. (1) Subject to the provisions of this Constitution, an existing law shall have effect with such modifications as

may be necessary to bring it into conformity with the provisions of this Constitution and shall be deemed to be -• (a) an Act of the National Assembly to the extent that it is a law with respect to any matter on which the National

Assembly is empowered by this Constitution to make laws; and• (b) a Law made by a House of Assembly to the extent that it is a law with respect to any matter on which a House

of Assembly is empowered by this Constitution to make laws.• (2) The appropriate authority may at any time by order make such modifications in the text of any existing law as

the appropriate authority considers necessary or expedient to bring that law into conformity with the provisions of this Constitution.

• (3) Nothing in this Constitution shall be construed as affecting the power of a court of law or any tribunal established by law to declare invalid any provision of an existing law on the ground of inconsistency with the provision of any other law, that is to say-

• (a) any other existing law;• (b) a Law of a House of Assembly;• (c) an Act of the National Assembly; or• (d) any provision of this Constitution.• (4) In this section, the following expressions have the meanings assigned to them, respectively -• (a) "appropriate authority" means -• (i) the President, in relation to the provisions of any law of the Federation,• (ii) the Governor of a State, in relation to the provisions of any existing law deemed to be a Law made by the House

of Assembly of that State, or• (iii) any person appointed by any law to revise or rewrite the laws of the Federation or of a State;

Constitution and the NSA Act• (b) "existing law" means any law and includes any rule of law or any enactment or

instrument whatsoever which is in force immediately before the date when this section comes into force or which having been passed or made before that date comes into force after that date; and

• (c) "modification" includes addition, alteration, omission or repeal.• (5) Nothing in this Constitution shall invalidate the following enactments, that is to

say -• (a) the National Youth Service Corps Decree 1993;• (b) the Public Complaints Commission Act;• (c) the National Security Agencies Act;• (d) the Land Use Act,

and the provisions of those enactments shall continue to apply and have full effect in accordance with their tenor and to the like extent as any other provisions forming part of this Constitution and shall not be altered or repealed except in accordance with the provisions of section 9 (2) of this Constitution.(6) Without prejudice to subsection (5) of this section, the enactments mentioned in the said subsection shall hereafter continue to have effect as Federal enactments and as if they related to matters included in the Exclusive Legislative List set out in Part I of the Second Schedule to this Constitution.

Cybersecurity Fund

MAY NOT DELIVER:- By Section 44 (a) levy of 0.005 of all electronic

transactions by the businesses specified in the second schedule to this Act:• GSM service providers and all telecom companies• Internet service providers• Banks and other financial institutions• Insurance companies• Nigerian Stock Exchange

With a trillion or so worth of transactions, someone put the number that is likely to result to the fund at N600m

Financial Services Sector• Technology laws are supposed to be technology neutral, not technology

specific;• Cybercrime laws are supposed to be generic in provisions, not

particular;• All provisions specific to technologies and particular to processes in the

Financial Sector can be excised from the Act, without any impact on the substance of the law;

• Leaving those provisions intact is guaranteed to cause severe harm to the sector – especially banks and payment services providers;

• Challenges regulatory integrity of the CBN and the CBN Act;• Criminalizes internal procedures of the banking system;• Create chilling effect on investments in creative and innovative

solutions in the sector, etc

First Known Case under the Act

• The Blogger vs Fidelity Bank MD – Malicious Publication• A Federal High Court in Lagos on August 26, 2015 ordered the

remand of a blogger, Seun Oloketuyi, in prison over alleged malicious publication against the Managing Director and Chief Executive Officer of Fidelity Bank Plc, Nnamdi Okonkwo. Okonkwo had petitioned the police, and after investigation, Oloketuyi was charged to court. According to the charge with reference number FHC/L/346C/15, Oloketuyi in count one was accused of intentionally sending message and other matters by means of computer system or network against Okonkwo, which he knew to be false, for the purpose of causing him annoyance, insult and ill-will.

State vs Seun Oloketuyi

• The offence was said to be contrary to and punishable under Section 24 (1) (b) of the Cybercrime (Prohibition Prevention Etc) Act, 2015 which provides that

• “b) he knows to be false, for the purpose of causing annoyance, inconvenience danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, ill will or needless anxiety to another or causes such a message to be sent: commits an offence under this Act and shall be liable on conviction to a fine of not more than N7, 000,000.00 or imprisonment for a term of not more than 3 years or to both such fine and imprisonment.”

• http://www.thisdaylive.com/articles/blogger-remanded-over-malicious-publication-against-fidelity-bank-md/218491/

CONCLUSION“The Cybercrime Act though long in coming and beset with major challenging components, may be applied to effective tackle cybercrime and cybersecurity issues in the country. However, the chances of this happening naturally is slim to zero. Thus, deliberate efforts must be made by the key players - ONSA and the OAGF, working with stakeholders, to strategically position this law to take us to this highly desirable end” – Basil Udotai, Esq.,

Those efforts must aim, amongst others, in seeking to – in the short run: create a single enforcement authority; prevent the enforcement of technology specific and industry particular provisions (financial sector mostly); while proposing a comprehensive amendment in collaboration with the National Assembly.

THANK YOU

CONTACT:basil@ta.com.ng08033066004