By Tomiwa Ilori
The world is fast collapsing into a smaller structure. This collapse has shrunk our time, physical space and geographic setting into clicks of the computer. The human life is being continuously influenced by defining technological inventions. The computer has been revered as one of man’s greatest achievements at outliving himself and generations; the computer has helped us conquer most of man’s impending dangerous courses. However, the human nature is given to excesses of itself. These excesses occur in any given setting where man is the primal being. The Internet has not known a better fate of these excesses. There have been manipulations of information, cyber-thefts, cyber-laundering, spamming, hacking and several other human excesses on the Internet. This has caused governments to look inwards on how to combat new challenges brought about by new technological innovations. In trying to solve these issues by state actors, more issues are created like abuse of digital rights, wanton disregard for Internet freedom, mismanagement of private information, government surveillance and censorship. Nigeria has known its fair share of these anomalies on its cyberspace and has since then recognized the need to combat them.
One of Nigeria’s first attempts to criminalize Cybercrimes was in 1995. The draft legislation of the Electronic Crimes, Telecommunications and Postal Offences Decree of 1995 defined Cybercrime as “…engaging in computer fraud or does anything to fake payments, whether or not the payment is credited to the account of an operator or the account of the subscriber, is guilty of an offence.” This was the precursor to several legislations that were to shape contemporary activities on the Internet in Nigeria. Due to the advent of globalization and the fast movement of the world towards digitization, Nigeria saw the need to quickly embrace Information and Communications Technology as one of the means of survival in the 21st Century. This survival could however not be achieved due to the infiltration of the cyberspace with unscrupulous elements who have mastered the use of the Internet but to the decimation of Nigeria’s socio-economic and external image in the comity of nations. As a result of rapid digitization and cyber-activities, by early 21st century, nations’ external relations are being largely determined by the control of their cyberspace. Nigeria did not do well in this regard as perpetration of crimes on the cyberspace has so much eaten deep into what was left of our collective worth as a nation. Poverty and unemployment rates were used as excuse for cybercrimes. Young minds started deploying their raw gifts of perception to grow the country’s negative external image by committing Internet frauds and engaging in identity thefts. At this point in time, Nigeria was virtually helpless in tackling this scourge as political distraction took centre stage of her attention. So the country continued to bleed internally and externally thereby causing a haemorrhage of worth, integrity and positive external relations.
Nigeria recorded a fair attention to its cybercrime environment upon her transition to democracy in May, 1999. This helped the government reposition its core mandates and battling cybercrimes became one of these objectives. This saw to drafting and review of draft legislations which includes but not limited to the Computer Security and Infrastructure Bill of 2005, Electronic Provisions Bill of 2008, Cyber-security Bill of 2011, Criminal Code Amendment for Offences Relating to Computer Misuse and Cybercrimes of 2011, Electronic Transfer of Funds Crime Bill of 2001. Most of these Bills were either dropped due to lack of government sincerity of purpose or due to the inability of the Nigerian government to stay committed to the socio-legal growth of its citizens. These Bills showed that the government made attempts but did not follow-through with these attempts to have them materialize to effectively combat cybercrimes in Nigeria.
In July 2011, a Bill which is known today to be the Cybercrimes (Prohibition, Prevention, ETC) Act was introduced to the Nigerian parliament by the then Executive arm of government. The Bill was finally passed into law on the 23rd of October, 2014. This marked the beginning of an era which defined all cyber activities in Nigeria.
In this vein, that a Cybercrimes legislation was put in place did not mean the challenges on the Nigerian Internet space has been solved, it meant that more issues have now been created which needed the circumspect vigilance of every watchful citizen and advocates of human rights and Internet Freedom in Nigeria.
In modern jurisdictions dedicated to actual improvement of its citizens’ socio-economic wellbeing, legislations that deal with the peculiar dynamics of human developments like Information and Communications Technology need to pass important criteria to be adjudged fair in its regulations. Some of these criteria include but not limited to protecting and preserving human rights and values in the society; facilitation of synergy between public and private institutions; creating an environment where integrity can be vouched for; to pre-empt future dimensions in the ICT sector; helping to explore within means of honesty and enduring social values, the socio-economic aspect of the ICT sector and ensuring cyber-security. The Cybercrimes Act 2015 which will be hereinafter referred to as the Act will be analysed based on these touchstones.
ANALYSIS OF THE CYBERCRIMES ACT OF 2015
The explanatory memorandum of the Act is exhaustive of its intent, suggesting the deterrence theory of punishment. The nature of the legislation is punitive and this is sourced from the grown menace of cybercrimes in Nigeria. The core objectives of the Act are to also ensure cyber-security and protection of critical information infrastructure in Nigeria. The Act is divided into fifty-nine sections with eight parts with each part dealing with Objectives and Application; Protection of Critical Information Infrastructure; Offences and Penalties; Duties of Financial Institutions; Administration and Enforcement; Arrest, Search, Seizure and Prosecution; Jurisdiction and International Cooperation; Miscellaneous respectively.
Section 3 of the legislation vests the apportioning and designation of certain computer systems and networks as critical national information infrastructure in the President of the Federal Republic of Nigeria on the recommendation of the National Security Adviser to the President. Subsection (2) of the Act also vests the powers of prescribing minimum standards operational in handling critical national information infrastructure in the President. Section 4 also delegates these functional powers of the President to the Office of the National Security Adviser as it may require. Considering the age-long constitutional debate of the overwhelming powers granted to the Executive in Presidential systems of government, there is an agreeable apprehension of likely abuse of powers. Concentrating the control of the critical national information infrastructure in the Executive without a corresponding check of other arms of government in reviewing its actions poses a threat of tyranny. There should be a considerable divestment of powers in the Executive to other arms of government to allow for balance in making policies especially as it concerns enforcing legislations on cybercrimes in Nigeria.
Section 6 of the Act criminalises the unlawful access to a computer which houses critical information infrastructure that are vital to National Security. Again, as typical of jurisdictions with queries of sincerity of purpose, the weight of “National Security” is thrown around in legislations to shroud the actual essence of government activities.
The government has failed as usual, to define what constitutes National security to be able to sponge governments’ nefarious activities. Subsection (3) and (4) of the Act also begs the fact of an “intent to commit an offence” and “lawful authority” in relation to an ethical hacker of an organisation other than that of the Nigerian government.
Section 8 of the Act does not explain exhaustively what happens in the event of a launch of malware against computer information and in the course of protecting that computer information, the malware is neutralized and causes alteration of malware source. This section of the Act is open-ended enough to cause unforeseen interpretations.
It is pertinent to query the purport of Section 9 of the Act with respect to encrypted e-mails, when money or any valuable is contained. Does the fact that the interception is carried out by a Nigerian government agency makes the interception lawful or the government is included in the “unlawful interception” should any be carried out by the government? Also, Section 11 of the Act fails to define “authorisation”. What qualifies as “non-public transmissions of public data?” Who and what defines “non-public transmissions of public data?” This is one of the extended challenges the powers vested in the Executive in Section 3 of the Act.
However, Section 13, 14 and 15 of the Act registers a good note for an effective prosecution of Nigerian cybercrimes activities. They resonate directly with the procedural principles of Section 84 of the Nigerian Evidence Act of 2011 for proving electronic evidence in Nigerian courts which had until recently caused a roadblock in proving electronic-related crimes in Nigeria. Also, it is commendable that Section 16 (3) and 32 (3) of the Act are futuristic in approach, even though there has not been any reported case of Nigerian virus content against computer information, it already criminalises the act should it occur at any point in Nigeria.
The effect of Section 17 of the Act on the socio-economic prospects of the Nigerian ICT sector is also of concern. Even though it supports electronic contracts which are fast replacing the traditional execution of contracts, which is of crucial importance in supporting e-commerce in Nigeria, subsection (2) of the Section sets the pace of digitization in Nigeria backwards. The exception of testamentary documents and court processes attests to this. With a global environment fast embracing paperless transactions, this section should be reviewed.
The culpability of financial institutions in Section 19, 20 and 37 of the Act is a welcome development given the incessant ripping of innocent Nigerians of their hard-earned monies through spurious charges in the name of rendering “seamless services” to them. The Act proactively superintends over the docility of the Nigerian Apex bank, the Central Bank of Nigeria in helping to sanitize its own jurisdiction. Also, this section is a sword for any litigant in Nigeria whose identity has been stolen due to the negligence of any financial institution especially during the era of proliferation of private data like the Bank Verification Exercise.
Section 21 of the Act poses a dilemma. What happens when the threat to a computer system or network is launched by a government agency? Should the victim still report such attack to the National Computer Emergency Response Team Coordination Team? Also, why must such non-reportage of threat be criminalised in subsection (3) of the Act? Does that not paint a picture of being a fowl before a jury of Jackals?
Perhaps, the most notorious aspect of the Cybercrimes Act of 2015 is its Section 24. The section is significant because of the role it plays on the regulation of the social media in Nigeria. Contemporary history is replete with examples of repressive legislations not standing the test of the masses’ collective might. In not too distant future, this history will happen on the cancerous nature of this section with regards to human rights and Internet freedom in Nigeria. Even though the commendable provision of Section 45 (1) (b) of the 1999 Constitution of the Federal Republic of Nigeria (as amended) is very much agreed with, Nigerians have become more vigilant of where this section of the Act encroaches on rights of their fellow citizens online. The Supreme Court, through one of its most revered jurists, Justice Kayode Esho in Ransome Kuti v. Attorney General of the Federation (1985) LPELR – SC.123/1984 stated that “Fundamental right is a right which stands above the ordinary laws of the land and which in fact is antecedent to the political society itself. It is a primary condition to a civilised existence…” Not only does the Section 24 of this Act reeks of state regulation and management of the social media, it also seeks to erode the principles of freedom of expression online in Nigeria. The hashtag revolution is gradually phasing out protests with placards. It is best advised that this section is removed in its entirety.
That Section 25 of the Act finally criminalises cybersquatting in the Nigerian cyberspace has offered hope to the body corporates who suffer economic loses from the menace. Also, as an addition, Section 29 and 34 also criminalises the negligent handling of personal data of citizens by service providers in Nigeria. It has been argued that the crime of cybersquatting is being aided by the sales of devices with citizens’ data used by these services providers to third party vendors who in turn use this information to harass innocent Nigerians.
Section 28 of the Act amplifies sections 4 and 17 of the National Office for Technological Acquisition and Promotion Act Cap. N62 LFN 2004. Both legislations should be revised to have one take care of this head.
With the advent of malwares in the cyberspace, the Nigerian cyberspace has also over the years been affected by phishing and spamming activities. The Section 32 (1) (2) of the Act satisfactorily penalises the act to properly achieve its deterrence motive. Section 33 of the Act also tackles an aspect of the socio-economic scourge of Yahoo-Yahoo in Nigeria which involves credit card frauds.
Section 38 (2) (3) and (4) of the Act could be said to pass the digital rights test of having recourse to the provisions of Section 37 of the 1999 Constitution of the Federal Republic of Nigeria (as amended) in the use of personal data between government agencies and service providers. However, a more transparent process must be put in place such that these rights will not just be perceived to be protected but will manifestly be seen protected by these agencies.
Section 39 and 40 of the Act however crushes the optimism in Section 38. The Section fails to qualify what will pass as a reasonable suspicion. This has again left the interpretation of that portion of the law to loose imaginations. Whatever has to deal with the privacy of the Nigerian citizen ought not to be left to conjectures but definitive terms for proper referencing.
Section 50 of the Act vests the Federal High Courts with jurisdiction to try matters pertaining to the Act. This is most likely to pose judicial impediments as the effective prosecution of matters in the Act requires a firm command of the principles of laws that govern the cyberspace by Federal High Court Judges and which there is little or no training of Judges in this area. Subsection (4) also registers one of the most remarkable landmarks of the Cybercrimes Act as it provided that no Stay of Proceeding must be granted on any criminal matter with respect to the Act. Section 56 of the Act deals with designated contact points between foreign countries with Nigeria which sees to exchange of important information as it concerns the enforcement of the Act. This offers the Act as a global commodity of reference when it comes to fairness electronic dealings in Nigeria. However, like Sections 43 and 44 of the Act in relation of the constitution and functions of the Cybercrimes Advisory Council, there is doubt as to whether the contact point has been established.
Conclusively, the Cybercrimes (Prohibition, Prevention, ETC) Act is adjudged to be a fair demonstration of combating cybercrimes in Nigeria, however, the Act failed to address important issues raised above. One of these issues is whether the Act passes digital rights and preservation of online freedom test, it does not. Typical of most governments in developing and developed societies, there is the paranoia of wanting to limit human expression and interaction and this is evinced in Section 24 of the Act. Also, there is the relationship between the private and public sector and if this was utilized for the common good of Nigerians in the cyberspace. The synergy between these two players raises doubts as it involves bypassing the Nigerian citizen and liaising with each other behind his back. This does not easily translate to the sincerity of the explanatory memorandum of the Act.
The Act has not been able to effectively tackle this issue. In an environment where integrity is the currency like the cyberspace, the Nigerian cybercrimes Act has been able to show with ample evidence its readiness to restore confidence in the Nigerian cyberspace. The punitive nature of the Act has helped to show a low tolerance of cybercrime activities by the government. The Act may be said to have achieved a fair result in this regard. Also, the Act has been able to show its dedication to sanitization of ICT sector in Nigeria to help boost its prospects in e-commerce but leaves much to be desired in the areas of implementation and enforcement of the provisions of the Act. Most importantly, with new provisions proscribing nefarious cyber-activities to ensure cyber-security in Nigeria, it shows to an extent Nigeria’s readiness for digitization in the global cyber-society where technological innovations are fast becoming the best means of achieving positive might.
Tomiwa Ilori is the Program Assistant at Paradigm Initiative Nigeria (ICT Policy) and a Lawyer called to the Nigerian Bar. E-mail: [email protected]