‘Efforts were made during the sixth National Assembly to pass a cyber-crime law. Before now six private member bills were introduced at both chambers of the National Assembly seeking to provide a legal framework to combat cyber-crime and other related offences. These include the Computer Security and Critical Information Infrastructure Protection Bill 2005; Cyber Security and Data Protection Agency Bill 2008; Electronic Fraud Prohibition Bill 2008; Nigeria Computer Security and Protection Agency Bill 2009; Computer Misuse Bill 2009 and the Economic and Financial Crimes Commission Act (Amendment) Bill 2010.’
Before the Cybersecurity bill of 2011 was proposed in Nigeria, there was no particular law that was in place to combat cybercrime. This does not mean that cybercriminals were at liberty to act as it pleased them but it was just that there was no particular law solely talking about cybercrimes.
Despite this limitation, there are laws in existence that provide for circumstance construed to include cybercrimes and serve some purpose no matter how limited. These laws include: Economic and Financial Crimes Commission (Establishment) Act , Nigerian Criminal Code Act and Advanced Fee Fraud and other Related Offences Act.
1. Criminal Code: The Nigerian Criminal Code can now be used to indict offences on cybercrimes. As we know that some cybercrimes need a form of false pretense before they can be executed for example impersonation and identity theft which is regarded as a cybercrime. False pretense and cheating which Sections 419 and 421 of the criminal code forbids respectively. Section 419 states that ‘any person who by any false pretense, and with the intent to defraud, obtains from any other person anything capable of being stolen or induces any other person deliver to any person anything capable of being stolen, is guilty of a felony and is liable to imprisonment for 3 years.’ Section 418 defines false pretense as any representation made by words, writing, or conduct of a matter of fact, either past or present, which representation is false in fact and which the person making it knows to be false or does not believe to be true . By this, identity thieves and impersonators, pretend to be whom they are not in order to swindle their unwary victims. We have seen from cases and reports in newspapers, where celebrities come out to say that they do not have certain social media accounts thus, it is obvious, that cybercriminals and fraudsters are behind such accounts. Also in Section 421, the code states that ‘any person who by means of any fraudulent trick or device obtains from any other person anything capable of being stolen, or to pay or deliver to any person any money or goods or any greater sum of money or greater quantity of goods than he would have paid or delivered but for such trick or device, is guilty of a misdemeanor and is liable to imprisonment for two years. This offence is also known as offence of cheating’ . A person who cheats another person through the internet or use of a computer can be tried under this section.
2. Nigerian Evidence Act 2011: Prior to the amendment of the Nigerian Evidence Act 2011, the definition of ‘Document’ did not encompass computer generated evidence and electronic evidence. In the words of Pats Acholonu, JCA he said ‘it must be clearly understood that our Evidence Act is now more than 50 years old and is completely out of touch with the realities of the present scientific and technological achievements” This statement was made identifying the absence electronic evidence in the former Evidence Act of 2004. Also in ESSO WEST AFRICA INC V. T. OYEGBOLA the court held that:
‘The law cannot be and is not ignorant of modern business methods and must not shut its eyes to the mysteries of the computer.’
The Nigerian Evidence Act 2011, today by virtue of Section 84 has made it possible for the acceptance of computer generated evidence
3. EFCC ACT: Economic and financial crimes are accepted as a set of crimes which are wide in scope. The EFCC has powers to investigate and arraign according to Section 6 of the EFCC Act. The law states that the commission shall be responsible for:
a. The enforcement and the due administration of the provisions of this Act;
b. The investigation of all financial crimes including advance fee fraud, money laundering, counterfeiting, illegal charge transfer, futures market fraud, fraudulent encashment of negotiable instruments, computer credit card fraud, contract scam etc.
c. The coordination and enforcement of all economic and financial crime laws and enforcement functions conferred on any other persons or authority.
It is in paragraph (b) of this section 6, that the interest of this paper is drawn to predominantly because we see that the EFCC act gives the commission the power to investigate advance fee fraud and computer credit card fraud amongst others and these two frauds are types of cybercrimes.
The act then provides a very wide meaning for the phrase ‘Economic and financial crimes’ in Section 48 stating it to include:
‘The non-violent criminal and illicit activity committed with the objectives of earning wealth illegally either individually or in a group or organized manner thereby violating existing legislation governing the economic activities of government and its administration and includes any form of fraud, narcotic drug trafficking, money laundering, embezzlement, bribery, looting and any form of corrupt practices, illegal arms dealing, smuggling, human trafficking and child labor, illegal oil bunkering and illegal mining, tax evasion, foreign exchange malpractices including counterfeiting of ceremony, theft of intellectual property and piracy, open market abuse, dumping of toxic waste and prohibited goods, etc.’
This description covers a few cybercrimes as evidently seen in Nigeria. For example the activities of ‘Yahoo boys’. To this extent, it constitutes a crime which EFCC Act can deal with.
Advance Fee Fraud and other Fraud Related Offences Act 2006, was the only law in Nigeria that majorly deals with few internet crime issues even though the act only covers the regulation of internet service providers and cybercafes, but does not deal with the broad spectrum of computer misuse and cybercrimes.
3.2 THE 2011 BILL
In 2011, the NSA proposed the first bill that majorly highlights issues of cybercrime. It was known as the Cybersecurity Bill, 2011.
Given the undesirable and often devastating impact of cybercrime on businesses around the world, and the worries raised by such activity in Nigeria, the calls for legal and, to some extent, political involvement in the fight against cybercrime have grown progressively. Although Nigerian security agencies, particularly the Economic and Financial Crimes Commission, have made efforts to tackle this disease, they have had little success, primarily because Nigeria just put a legislation that precisely targets cybercrime or improves Cybersecurity.
Despite the intensive efforts of some stakeholders to have Cybersecurity legislation passed by the National Assembly, there have been numerous hindrances over the years. The proposed Cybersecurity Bill 2011 was the product of several years of determination and urging, was intended to providing processes for the national Cybersecurity and for the prevention, detection, response and prosecution of cybercrimes and other related matters. Several versions of the bill sponsored by different stakeholders found their way into the legislative houses but not making it tough to achieve the desired level of advancement. This stimulated the Office of the National Security Adviser (hereinafter referred to as NSA) to take charge of harmonizing the various versions of the bill on Cybersecurity that have appeared since 2004 in order to present a bill to the National Assembly.
The bill of 2011, covered issues like unlawful access to a computer, unlawful interception of communications, unauthorized modification of computer program or data System interference, Misuse of devices, Computer related forgery, Computer related fraud. Child pornography and related offences, Identity theft and impersonation, Cybersquatting, Cyberterrorism, Racist and xenophobic offences, Records retention and protection of data.by service providers, Interception of electronic communications etc. The key aim of the act, as seen in section 1 (1) which is to
a. Provide an effective legal framework for the prohibition, punishment, detection, prosecution and punishment of cybercrimes in Nigeria; and
b. Enhance cyber security and the protection of computer systems and networks, electronic communications, data and computer programs in Nigeria.
We see that this bill spoke generally about prohibiting, punishing, detecting and prosecuting cybercrimes in Nigeria.
Secondly it then went on to say that the bill was to improve and defend computer systems and cybersecurity in Nigeria.
The sponsor of the bill Aisha Modibbo in her lead debate on the bill, cited the gruesome murder of Cynthia Osokogu who was lured to Lagos, raped, robbed and strangled by her ‘friend’ on a Facebook chat room as one of the ills of cybercrime which must be fixed.
According to her, the nonexistence of cybercrime laws portrayed Nigeria as ‘very porous nation’ for cybercrime.
The first defect of the 2011 bill is noticed in section 1(2) where the act further provides that the Act shall be enforced by law enforcement agencies in Nigeria to the extent of the agency’s statutory powers. This provision could amount to abuse by the law enforcement agencies. This is because paramilitary agencies are law enforcement agencies.
Even though the act says that it’s to the agency’s statutory power, it is still a risky part.
In this act, the minimum sentence for any Cybersecurity offence is a jail term of 2 years of a fine of 5,000,000 or both. This shows the level of interest the lawmakers put into this bill thus at least scaring cybercriminals off.
We will look at a few provisions of this bill from here onwards.
This bill is quite self-explanatory.
It has been divided into 6 chapters.
I. General Objectives
II. Offences and Penalties
III. Critical Information Infrastructure Protection
IV. Search, arrest and Prosecution
V. International Cooperation
We see that from theses chapters, the bill made attempts to touch various aspects. We see that in section 2, the act deals with Unlawful access to a computer. Here, subsection 1 talks about anybody intentionally assessing without authority, or in excess authority (i.e. acting ‘ultra vires’) either in whole or in part a computer system or network commits an offence. Thus merely using a computer without necessary authority is a crime. In subsection 2, it says that if a person gains access in the same mode as in subsection 1, in order to gain access to any program or data or confidential information or industrial secret, such a person is liable to conviction for a crime.
Subsection 3 of this section, further says that any individual who thereby uses any device what’s so ever to avoid discovery or tries to distance him from the act that has been committed, is also liable.
We see that form this section 2, any way any person tries to gain access to any form computer without authority, is guilty.
In section 3, this bill talks about unlawful interception of communication. It says anyone who intentionally and without authorization intercepts by technical means, transmissions of non-public computer data, content data or traffic data, including electromagnetic emissions or signals from a computer, computer system or network; commits an offence. Any slight unlawful interception of communications is an offence.
Section 6, says any person who misuses, adapts, imports, manipulates, distributes offers for sale any computer device or computer program designed to commit offences in section 2,3,4 or 5 of the act. Or any person who does such for a computer password or access code or similar data which is capable of committing an offence under the act. This section also talks about any device designed to overcome security measures in any computer for the purpose of committing an offence under this act. Also, any person who knowledgeably discloses any passwords or access code or any means of gaining access to any program or data held in any computer for any unlawful purpose or gain commits an offence. In subsection 4 of this act, it says that if offence under subsection (1) of this section results to substantial loss or damage to the victim, the offender shall be liable to imprisonment or a fine of nothing less than 10,000,000.
Section 7 of the act then talks about forgery committed by a computer. Any form of fraud originating from a computer is liable to a fine of 7,000,000 or 3 years.
Section 9 then talks about child pornography and related offences. It says that any person intentionally uses any computer or network system for production of child pornography for the purpose of its circulation or offering or making available child pornography, or transmitting child pornography or acquiring child pornography for oneself or for another person.
This section places a huge sentence on offenders under this section. Subsection (2) then goes ahead to tell what can be regarded as pornographic materials in respect to the section. It then further states the age for a minor or child as regards to this section. Such age is any person below the age of 16.
Section 10 then talks about identity theft and impersonation using a computer or a computer system or network. As we know that impersonation and identity theft is one of the most common forms of cybercrime in Nigeria
Section 12 talks about cyberterrorism. It says that any person who accesses any computer or computer system or network for the purpose of terrorism commits an offence and is liable to a jail term of nothing less than 25 years or a fine or 25,000,000 or both
Section 14 says that service providers are a service provider shall keep all traffic data and subscriber information as may be set by the agency for the time being responsible for the rule of communication services in Nigeria. It goes further to say that service providers shall at the request of a law enforcement agency; through its authorized officer release any information that has been preserved as seen in subsection (2) (b) of this section and the service provider shall have to comply. The section then says that any data gotten by the law enforcement agency shall not be utilized except for genuine purposes as prescribed under this act or in other relevant legislature. It further says that any one exercising the responsibility of the law enforcement agency, must take due care to respect the provision of the constitution of the Federal Republic of Nigeria 1999 and shall take suitable measure in respect of the confidentiality of the data taken.
Section 18 then talks about corporate liability. In this section, the act says that any body corporate that commits an offence under this act shall be liable on conviction to a fine of nothing less than 10,000,000. This means that any ‘big’ company that commits an offence under this act, just pays nothing less than 10 million naira even if the offence they committed has fetched them probably triple the amount.
In chapter three of this act, we see that it talks about the protection of critical information structure.
In section 19, it states the grounds for the classifications of certain computer systems, networks and information infrastructure to vital national security or the economic and social welfare of its citizens as constituting critical information infrastructure. It then say that before anything is considered as critical information, it must be by order published in the federal gazette by the president which could be on recommendation of the NSA.
Section 20 then says that the presidential order on what is classified as critical information may require audit from time to time. I personally feel that the word ‘may’ is suggestive in this context as NSA may choose not to approve the audit.
Section 21 then shows that if any person commits any offence under this act to any critical information as designated in section 19, such a person will be liable to 25 years or a fine of 25,000,000 or both. It then further says it causes serious bodily injury, the conviction shall be nothing less than 30 years or a fine of nothing less than 50,000,000 or both.
It then extends and says that if it causes death, the offender is liable to life imprisonment. This is the only part of the act where life imprisonment is mentioned. I personally feel this should not be so because even where cyber terrorism was mentioned, the punishment was not life imprisonment. What if lives were loss in the act, so the value of lives lost through Cyberterrorism would be valued at nothing less than 25,000,000 which goes to the government not even to the families of the victims?
Section 22 is an important part of this act because it confers the jurisdiction to determine cases from this act on the Federal High Court or High Court of a State or the Federal Capital Territory. It then goes on to tell that it is when the offence is committed either wholly or partly within the territory of Nigeria or the act of the offender is committed wholly outside Nigeria constitutes a plot to commit an offence under the Act within Nigeria; and an act in continuance of the plot was committed within Nigeria, either directly by the offender or at his prompting; or the act of the offender committed solely or partly within Nigeria constitutes an attempt, solicitation or conspiracy to commit an offence in another jurisdiction under the laws of both Nigeria and such other jurisdiction. Furthermore it then says that the action would be deemed to have been committed in Nigeria if the offence or any of its elements substantially affects a person or interest in Nigeria.
In section 29, it says that offences under the act, shall be extraditable offences under the extradition act, CAP E25 Laws of the Federation 2004.
In summary, this bill even though does not fully tackle all issues of cybercrime in Nigeria, would have been a good starting point.
A particular issue that keeps baffling me, is the fact that this bill that has bust been summarized, was never passed. It was just a draft. No National Assembly records show the passage of this bill. Both in the upper legislative chamber or in the lower legislative chamber.
Assuming this bill was passed in 2011 it would have been a great avenue to start the heavy combating of cybercrime in Nigeria even though it did not completely address all issues on cybercrime Rome was not built in a day.
3.3 A REVIEW OF THE CYBERCRIME BILL 2014
I believe the 2013 act is actually a 2014 act. We will never know where the whole misconstruction and misunderstanding of the reason why it was popularly called the cybercrime bill 2013.
According to the website of the national assembly which as we know comprises of the Senate and the House of Representatives, the cybercrime bill is regarded as a 2014 bill and in section 43 of the Cybercrime Bill, 2014. It says ‘This Act may be cited as the Cybercrime Bill, 2014.’
This bill is the end product of what was started on the 28th of June 2011 after senator Gbenga Kaka of Ogun, state suggested that a bill be passed as regards to cybercrime operations in Nigeria.
With this Act in operation a huge step in combating the threat of cybercrime in Nigeria has started.
Unlike in the draft of the 2011 Cybersecurity bill, the arrangement and chapterization of this bill is different even though they share quite similar provisions. This bill is divided into 8 parts consisting of 43 sections and a schedule.
Here are the parts of the cybercrime bill 2014:
I. OBJECT AND APPLICATION
II. PROTECTION OF CRITICAL NATIONAL INFORMATION INFRASTRUCTIJRE
III. OFFENCES AND PENALTIES
IV. DUTIES OF SERVICE PROVIDERS
V. ADMINISTRATION AND ENFORCEMENT
VI. SEARCH, ARREST AND PROSECUTION
VII. JURISDICTION AND INTERNATIONAL CO-OPERATION
From here on, I will briefly discus a few sections of this act.
The first part which contains section 1, states the aims and objectives of the act. It states that the act is to provide an operative and incorporated legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria; also ensure the protection of critical national information infrastructure; and promote cybersecurity and the protection of computer systems and networks, electronic communications; data and computer programs, intellectual property and privacy rights.
It then says that the Application of the provisions of the Act shall apply throughout the Federal Republic of Nigeria.
Moving on, in the next part the Act looks at the position of the nation with reference to information and communication where it provides for the designation of certain computer systems or networks as critical national information structure. It provides in subsection (1) of section 3, that the President may on the recommendation of the NSA, by Order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria or the economic and social welfare of its citizens, as constituting critical national information structure. It then goes further in subsection(2) to say give the president the power to prescribe the minimum standards, rules or procedures in respect to things like the protection or preservation of critical information infrastructure; the general management of critical information infrastructure; access to, transfer and control of data in any critical information structure; infrastructural or procedural rules and requirements for securing the integrity and authenticity of data or information contained in any critical national information structure. This simply empowers the president to decide and determine how critical information infrastructure is ‘used’
The act then looks at an audit aspect, where it provides that The Presidential Order made under section 3 of the act may require the audit and inspection of any critical national information infrastructure, from time to time, to evaluate compliance with the provisions of the act. My issue with this section is the use of the word ‘may’. This word may here mean that it could be audited or could not be audited. This can compromise the integrity of the critical information stored. For example assuming the NSA may include things that are not in in compliance with the act.
The next part is part 3 where the act discusses the offences and punishments in relation to cybercrime in Nigeria.
First in this part, we see the provision of the act, for offences against critical national information infrastructure in section 5. Subsection (1) of this section, provides that anyone who commits any offence punishable under the act against any critical national information infrastructure, designated pursuant to section 3 of the act, would be liable on conviction to imprisonment for a term of not less than fifteen years without an option of fine. Subsection (2) then goes ahead to provide that where the offence committed under subsection (1) of this section results in grievous bodily injury, the offender shall be liable on conviction to imprisonment for a minimum term of 15 years without option of fine. This is almost similar to the 2011 cyberseucurity draft. Subsection (3) is the only area in this act, where the death sentence is mentioned, provides that where the offence committed under subsection (1) of this section results in death, the offender shall be liable on conviction to death sentence without out option of fine. I personally believe that this part of the act, shows the level of seriousness of this act in the bid to quash cybercrimes.
From section 6, we see cybercrimes and their punishments in Nigeria, being mentioned. It provides that any person, who without an approval or in excess of authorization, intentionally accesses in whole or in part, a computer system or network, commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5,000,000 or to both fine and imprisonment. This goes to the extent of ultra vires of authority. The act then goes on in subsection (2) that where the offence provided in subsection (1) of this section is committed with the resolve of obtaining computer data, securing access to any program, commercial or industrial secrets or confidential information, the punishment shall be imprisonment for a term of not less than three years or a fine of not less than N7, 000,000.00 or to both fine and imprisonment. Subsection (3) then provides against the covering up of the act or omission through any device. This means that it punishes anyone who tries to avoid detection of the offence committed under this section.
In section 8, the act provides against the unauthorized alteration of computer data. It says that any person who directly or indirectly does an act without authority and with an intention to cause unauthorized modification of any data held in any computer system or network, commits an offence and liable on conviction to imprisonment for a term of not less than 3 years or to a fine of not less than N7,000,000.00 or to both fine and imprisonment. It then goes further to say in subsection (2) that any person who engages in damaging, deletion, deteriorating, alteration, restriction or suppression of data within computer systems or networks, including data transfer from a computer system by any person without authority or in excess of authority, commits an offence and liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment.
For the purpose of this section, a modification of any data held in any computer system or network takes place where, by the operation of any function of the computer, computer system or network concerned any program or data held in it is altered or erased; any program or data is added to or removed from any program or data held in it; or an act occurs which impairs the disrupts operation of any computer, computer system or network concerned.
Section 10 then talks about the misuse of devices.
Here, the act says that anyone who illegally produces, supplies, adapts, manipulates or procures for use, imports or exports, distributes, offers for sale or otherwise makes available any device, including a computer program or a piece designed or adapted for the purpose of committing an offence mentioned in the act; a computer password, access code or similar data by which the whole or any part of a computer, computer system or network is capable of being accessed for the purpose of committing an offence under this act, or any device intended primarily to bypass security measures in any computer, or network with the intent that the devices be utilized for the purpose of violating any provision of this act, the punishment for such a person who commits such an offence is imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both imprisonment and fine.
Subsection (2) then says any person who with intention to commit an offence under the act, has in his possession any device or program referred to in subsection (1) commits an offence and shall be liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000.00 or to both fine and imprisonment.
The act goes further to prescribe punishments for those who without authority knowingly divulge any password, access code or any other means of getting access into any program or data held in a computer. It then also prescribes punishments for those who have intentions to use any automated device or any computer program or software to retrieve, collect and store password, access code or any means of gaining access to any program, data or database held in any computer with the intention of committing crimes under this act.
In section 14, the act talks about Child pornography and related offences. It provides that any person who deliberately uses any computer network system in or for offering or making available child pornography; distributing or transmitting child pornography; producing child pornography for the purpose of its distribution; offering or making available child pornography. It attracts an imprisonment of nothing less than 10 years or a fine of 20,000,000 or both. And also places a punishment of a fine of 10,000,000 or an imprisonment of nothing less than 5 years or both for obtaining child pornography for oneself or for another person; possessing child pornography in a computer system or on a computer-data storage medium.
The act also provides that for the purpose of subsection (1), the term ‘child pornography’ shall include pornographic material that visually depicts
(a) A minor engaged in sexually explicit conduct;
(b) A person appearing to be a minor engaged in sexually explicit conduct; and
(c) Realistic images representing a minor engaged in sexually explicit conduct.
The Act then provides for the purpose of this section, the term ‘child’ or ‘minor’ shall include a person below 18 years of age.
The act in section 17, provides for Cyberterrorism and further discusses in subsection (2) that any person that accesses any computer or computer system or network for purposes of terrorism, commits an offence and liable on conviction to life imprisonment. Lastly in subsection (3) it provides that for the purposes of this section, ‘terrorism’ shall have the same meaning under the Terrorism (Prevention) Act, 2011, as amended.
The act in section 20 provides that corporate body that commits an offence under the act shall be liable on conviction to a fine of not less than N10,000,000.00 and any person who at the time of the commission of the offence was a chief executive officer, director, secretary, manager or other similar officer of the corporate body or was asserting to act in any such capability shall be liable on conviction to imprisonment for a term of two years or a fine of not less than N5,000,000.00 or to both fine and imprisonment; and in subsection (2) it provides that nothing contained in this section shall render any person liable to any punishment where he shows that the offence was committed without his awareness or that he exercised all due meticulousness to prevent the commission of the offence.
The act in section 21, provides for the record retention and protection of data by service providers as similarly seen in the draft of the cybersecurity bill of 2011. In subsection (1) we see that a service provider shall keep all traffic data and subscriber information as may be recommended by the appropriate authority for the time being responsible for the regulation of communication services in Nigeria.
Then subsection (2) shows that a service provider shall, at the request of the relevant authority referred to in subsection (I) of this section or any law enforcement agency:
(a) Preserve, hold or retain any traffic data, subscriber information or related content, or… [this essay was not submitted in full]