McAsh's Thoughts

December 27, 2011

Combating Cybercrimes in Nigeria II

Filed under: Nigeria — David Ashaolu (McAsh) @ 7:26 pm

In the first series, I explained the reasons prosecuting cybercrimes in Nigeria is a mirage. I examined the impact of absence of cyberlaws in the country and the efforts currently being undertaken by the government to enact the Nigerian Cybersecurity Act. In this series, I shall be exposing the procedural predicaments faced by law enforcement agents even where the crime is triable under traditional criminal law provisions.

Procedural Inadequacies in Combating Cybercrimes in Nigeria

As stated in the previous series, most cybercrimes have no definition in Nigeria’s criminal law. Thus, they can not be a cause of action, or basis for liability in a criminal case.  On certain occasions, however, the criminal acts complained of on the Internet may come within the ambit of the traditional legislations as with certain instances of cybercrime like fraud and cyber theft. Where this happens, the law enforcement has in its hands an accusatorial tool for bringing cybercriminals to book. And on lesser occasions, they have secured very highly priced convictions.

The reason the rate of convictions recorded is inversely proportional to the number of  trials executed is the backward state of our criminal justice system in Nigeria. The two legislations which are responsible for that aspect of our law are the Criminal Procedure Act[1] and the Evidence Act.[2]

(a)    The Criminal Procedure Act (CPA)

The Act was enacted June 1, 1945,[3] decades before the Internet was invented and scores before Internet licences were granted in Nigeria. It makes provisions for the mode of prosecuting criminals including certain fundamental issues like jurisdiction, examination of witnesses and admissibility of evidences. Unfortunately, however, the CPA was not enacted with ICT in mind. This is understandable as the cyberspace was still in oblivion as at the time it was codified.

Under the CPA, witnesses are expected to be physically present in court during trials. In fact, any witness who fails to appear personally could be summoned (subpoenaed) and detained and may be released on bail upon the same bail conditions available to the accused person.[4] Even children, infants and young persons (below 17 years) who may need to give evidences in court in camera for security and other reasons still have to be physically present or their testimonies would not be accepted.[5]

Cybercrime offences are trans-border and the needed witness who would give the very material evidence may not be in Nigeria to attend the proceedings. Upon that ground, the accused may be acquitted for failure to establish a prima facie case against him by reason of insufficient evidence. He may also be discharged for want of diligent prosecution. This was not envisaged by the drafters of the Act.

This position is contrary to what obtains in England, for example. The Criminal Justice Act 1988[6] makes an important provision for the admission of video recordings of interview with child witnesses carried out before the trial. By Section 28(1) of the same Act, cross-examinations and re-examinations can be recorded and televised in court.

Another insufficiency evidenced in the CPA is the provision of Section 171 of the Act which is to the effect that once a person is convicted of attempting to commit a crime, he cannot be charged subsequently with committing the offence where the crime is eventually occasioned. The rationale behind this provision hangs in the balance of reasoning as the effect of a crime being committed eventually and the resultant damage is far greater than that of its attempt. For example, a person convicted of attempting to disseminate a virus or malicious code will definitely serve a lesser punishment than if he had actually disseminated it. Where, unknown to the law enforcement agents at the time of his arrest, he had released the virus and the brutal effect had been found out later, he technically escapes proper punishment.

Also worth mentioning is the conventional evidential practice of the court visitation to the locus in quo.[7] While in some other jurisdictions a video recording of the locus will suffice,[8] our laws still mandate our Judges in this 21st century to travel to the locus with the accused and physically inspect it.

On admissibility and relevance of evidences tendered to prove a criminal act and other activities relating to witnesses, the CPA provides that the Evidence Act shall apply in the criminal proceedings.[9] The provisions of the Evidence Act 2011 shall be considered in a later blog, with particular focus on the provisions of the new Act as regards computer generated evidence.

(b)          Criminal Justice (Misc. Prov) Act

This Act is an addendum to the Criminal Code and the Criminal Procedure Act. It is an Act to impose “stiffer penalties” on persons who damage, disrupt or destroy telecommunications, electrical transmission lines and oil pipelines. The provisions as they relate to cybercrimes are examined hereunder.

Any person who… prevents or obstructs the sending or delivering of communications by means of telecommunications… is guilty of an offence.”[10]

The penalty is a fine of N500 or 3 years imprisonment or both.[11] Thus, hacking, where interception is occasioned, can come under this heading, since a hacker uses the telecoms. This will also sufficiently cover offences like illegal interception. Dissemination of viruses and other malicious codes, especially where the motive is a DDoS (Denial of Service attack), will naturally “prevent or obstruct” the to and fro movement of communication codes. All these can be tried under this statute.

Section 9 defines “telephone works” as meaning wire or wires used for telegram and telecommunications, with any casing, coating, tube, pipe, insulator, etc and including any apparatus for transmitting messages or other matters including the television, by means of electronic signals whether by overhead lines or underground cables or cables lying under water and any apparatus for transmitting messages with or without wires.[12]

The futuristic manner in which this Act was drafted is highly commendable. It is intriguing for an Act drafted October 16, 1975[13] — two decades before the first ISP licence was issued in Nigeria — to envisage wireless connections and hydro-optic fibre cables. However, one could still argue that from the strict interpretation of the wordings of the definition, a computer system was not in the contemplation of the drafters of the law, neither was the Internet. The consistent mentioning of cables and wires and other physical equipments, specifically the express mention of a television shows that the cyberspace was unknown to the drafters at the time, which was understandable. One can safely deduct that its aim is to protect government appliances and equipment and other public property from sabotage, damage and theft.

A major inadequacy in the Act is visible in the provision of Section 7(1) and (2) which puts prosecution at the instance of the Attorney-General of the Federation. With that office being more politically concerned than it is with the administration of justice, prosecution may never happen. Also, the hilarious fine of N500 makes it seem to me like this obsolete law is more of a toothless dog, whose bark is worse than its bite. Elsewhere in the world where cybercrimes are prohibited, fines range from ten thousand dollars ($10,000) to millions.

My conclusion remains the same. Only a cyber specific legislation that expressly provides for procedures in cyber litigation can sufficiently help police the cyberspace.
The regime of the law of evidence in Nigeria as contained in the new Evidence Act shall be the subject of my next blog, available here next Tuesday. Specifically, I shall be focusing on the new provisions concerning the admissibility of computer generated evidence.
Thanks for your time.

[1] Cap C41, LFN 2004. See as addendum, Criminal Justice (Misc. Prov) Act, Cap C39, LFN 2004 and by necessary implication, the Criminal Procedure Code.

[2] Cap E18, LFN 2004 effectively repealed by the Evidence Act, 2011 (HB 214)

[3] CPA page C41-21. It is yet to be amended.

[4] Section 186-198, CPA provides for the witness’ expenses and convenience

[5] Section 204

[6] Section 32A Also Sec 54, Criminal Justice Act, 1991

[7] Section 207 CPA

[8] In USA, 3-dimensional images of scenes which afford the court the opportunity to reach out, touch and handle objects have been used in both civil and criminal cases. See D O’Flaherty, “Computer-Generated Displays in Courtrooms: For Better or Worse?” available at http://webjcli.ncl.ac.uk/2001/issue1/girvan1.html

[9] Section 199 CPA

[10] Section 1 (1) (b)

[11] Section 7 (2) (b)

[12] Section 9 (a) and (b) This may be construed extensively to include the Internet

[13] See Criminal Justice (Misc. Prov) Act page C39-1. I am yet to find any prosecution under this Act, neither has it been amended since it was first enacted.

December 24, 2011

Combating Cybercrimes in Nigeria 1

Filed under: Nigeria — David Ashaolu (McAsh) @ 8:37 am

In its most simplistic form, cybercrimes can be described as criminal actions committed on Cyberspace. They are of two major categories: crimes committed solely with the aid of the Internet, which were unknown to our criminal law prior to the advent of the Internet. Examples of such will include dissemination of viruses and other malicious codes. The second category relates to crimes which became enhanced through the aid of the Internet. These criminal activities were committed traditionally, but have been introduced to the cyberspace and their operations have been aided by Internet’s anonymity and inventiveness. Examples here include online fraud (Nigerian 419 scams).

Nigeria’s notoriety in cybercrimes worldwide is an open secret. There is hardly any crime which is not perpetrated by Nigerians more for gain than for play. Being Africa’s most populated nation and powerhouse, the behaviour of Nigerians come under the spot light as role models, and as a model of African behaviour. Nigeria should therefore be at the fore of cyberspace policing in Africa.

The legal regime of a phenomenon can be traced to two broad sources: the legislature and the judiciary. Perhaps, a third arm is the institutional framework which is the implementing agency that enforces the policies made by various authorities.[1]

Nigeria is yet to enact an ICT Law which would criminalize unlawful acts committed via and with the aid of information technology, computers or computer networks. Since cybercrime is by nature committed on the cyberspace, a direct enactment prohibiting cybercrime in its intrinsic original cyber nature is nullus secondus in this combat.

It will be pretentious to assume that with the few cybercrime prosecutions and convictions achieved by the EFCC to date in Nigeria, we are achieving much in our fight against cybercrimes. When compared with what obtains in other countries around the world, we see we are nowhere near where we should be. Certain factors which hamper the prosecution of cybercrime in Nigeria are examined hereunder.

Challenges

The factors militating against an effective policing of Nigeria’s cyberspace are numerous. I shall take them one by one, starting with the administrative quagmire faced by prosecutors.

Administrative Predicament

Section 36(12), 1999 Constitution of the Federal Republic of Nigeria (as amended) provides thus:

“a person shall not be convicted of a criminal offence unless that offence is defined and the penalty thereof prescribed in a written law; and a written law refers to an Act of the National Assembly or a law of a State

Thus, the factors involved in the prosecution of a crime under the Nigerian law emanate from one major source: legislation. An uncodified crime is not punishable.[2]

This fundamental fair hearing position has enjoyed tremendous support from the courts over the years.[3] In Udokwu v Onugha[4], the act complained of was committed 6 months before they were prohibited by legislation. The court held that the accused had committed no offence by virtue of Section 22(10), 1963 Constitution.[5]

In prosecuting cybercrimes, the acts complained of must have been defined as criminal and punishable by a law of the land.[6] Prosecuting an accused person for acts which, though we all know are wrong and unacceptable, are not criminalized by local enactments, will be tantamount to a breach of the fundamental right to fair hearing of the person so tried.

The major setback to the prosecution of all forms of cybercrimes is the lack of a direct legislation prohibiting these acts. At present, they are sociologically perceived as social vices and morally condemned as wrongs. But legally, they are not punishable. An ICT Law is the very first step towards ensuring a crime free ICT world.

This situation is not unique to Nigeria. In 2000, the notorious “I Love You” virus was released. It caused severe damages worldwide. Eventually, it was traced to some individuals in the Philippines after investigations that involved both the FBI and Philippine’s National Bureau of Investigation. The joint operation however ran into difficulties and eventhough they identified the criminals, they could not prosecute them since there was no ICT law in the Philippines and thus the creation and dissemination of malicious codes was not an offence.

Sometimes in 2004, the Nigerian Cyber-crime Working Group (NCWG) was set up. The NCWG was charged with the duty of producing a Cybercrime Bill, an ICT Law for Nigeria. But its members spent more resources on “resource control” than “crime control”. Instead of setting out to work with the rigour and gusto their Terms of Reference required, they spent precious time clarifying who had more powers than whom. The NITDA claimed that the Cybercrime Agency should be instituted under it while the EFCC wanted the agency to be integrated into its Commission. The Nigerian Computer Society was advocating for a fresh independent body altogether as the Cybercrime Agency. That was how seven precious years have passed us by with no meaningful progress.

As a result, law enforcement agencies have been condemned to prosecuting cybercrimes by the repertoire of traditional crime legislations. For example, a crime like cyberfraud can be prosecuted under the Advanced Fee Fraud and other Related Offences Act, 1995 or the offence of obtaining by false pretences under the Criminal Code.[7]

Abuse of privacy crimes committed on the Internet would have been perfectly prosecuted under a Data Protection legislation. Plagiarism, piracy and other intellectual property offences currently prosecuted under the Nigerian Copyright Act is ineffective, as the definition of ‘property’ does not include data stored on the computer system or certain types of software which only exist on the ICT world.[8]

These traditional provisions are inadequate in sufficiently catering for all forms of cybercrimes, owing to the latter’s inventiveness and cyber nature, characterized by cyber-anonymity and pseudo-identity.

It is worth mentioning here that the office of the National Security Agency (NSA) this year prepared a draft Cybersecurity Bill which is still making rounds and taking comments before a final draft is sent to the National Assembly. It is available here and comments on this bill can be made below.[9] 

When this law is enacted, we should be singing a different tune as regards the legal regime of cybercrimes in Nigeria. But for now, law enforcement agents make do with traditional criminal law enactments to prosecute cybercrimes wherever the acts intersect. Save a special cybercrime procedural law, the existing criminal law procedural practices as contained in the criminal procedure Act, Criminal Procedure Code and the Evidence Act, shall apply at the moment to these prosecutions.

I shall be considering these procedural practices in a later blog, while exposing their inadequacies at prosecuting cybercrimes.

 

Nigeria Cybersecurity Bill 2011 Comments

(To comment to this blog, kindly go to the top right corner of this page or down below the References) Please get a copy of the Bill from the blog, review it and post your comments below. Be specific, so that the drafters will be able to easily identify the issues you spot and incorporate them appropriately.
  • You can provide a Nickname if you wish
  • kindly provide a valid e-mail address for feedback
  • Please be brief and specific

[1] Ashaolu & Oduwole, Policing Cyberspace in Nigeria, (Lifegate Publishers, Ibadan) 2009 at page 129

[2] Section 151 (3) CPA, Cap C41 LFN 2004 provides that a charge against a suspect must contain the “written law” prohibiting the act and the Section in that written law. Where these are absent, the charge is void.

[3] See Aoko v. Fagbemi (1961) 1 All NLR 400

[4] (1963) 7 ENLR 1

[5] Also Section 33 (10), 1979 Constitution

[6] By Section 12 of the 1999 Constitution, a foreign treaty, ratified or not, is not enforceable inNigeria except it has been codified in a local Nigerian legislation.

[7] Section 419

[8] See Section 41, Copyright Act, Cap C28, LFN 2004 which defines “literary works” to include “computer programmes” (defined as a set of instructions and languages which facilitate the smooth operation of the computer system, promptly excluding things like software and raw digital data like personal information stored on computer drives).

[9] This Bill is a response to the issue of inadequacy of Cyberlaws in Nigeria which I have previously raised severally. (See, for example, Ashaolu and Oduwole, Policing Cyberspace in Nigeria, ibid.) The Bill was made available for comments and I have since sent my thoughts, hoping it will be more properly drafted. We are eagerly awaiting the future of the Draft, although I believe the Draft needs a wholesale evaluation which some people are doing a great job on at the moment. Kindly make your contributions to this Bill.