Nigeria Data Retention

The volatile nature of computerized based data, National Security considerations, and an overall Law Enforcement needs for substantive digital evidence, has necessitated Developed Countries around the world to require Information technology Service Providers to either voluntarily, or by legislative mandates, implement Data Retention Laws around the world. Triggered especially by the events of September 11^th, computerized Data Retention Laws around the world are generally a prolonged archival of specified attributes of computer based data for a specified period of time.

In 2004, the Nigerian Cybercrime Working Group (NCWG) proposed a draft Nigerian Cybercrime Bill. One provision of the Bill is a Data Retention Law that required Nigerian Information Technology and Telecommunications Service Providers, to implement prolonged archival procedures for all transactional records generated for a period of five years. The Draft Data Retention Law also compels these Service Providers, to make transactional records available to Nigerian Law Enforcement agencies, for investigation or prosecution proceedings. The proposed draft law, however, did not require Nigerian Law-Enforcement officials to obtain due process court order before obtaining Data Retention records from Nigerian Service providers.

In any case, there is new development. Recently, according to an article by Shina Badaru, an IT columnist for Techtimesnews.net, “the five year requirement has been dropped in the final draft of the law but new parameters have been set to ensure that ISPs keep records of traffic and transactions on their networks which will be made available to security agencies on request”, a source said today” [1]

In the same article, Shina went further to state, “the issue of the five-year data retention law has generated concern among operators ISPs reckon that resources for archiving customers data spanning a period of no less than five years will further tax their resources set” Apparently, it now appears the Nigerian Cybercrime Group is beginning to moderate it’s position away from the originally proposed Data Retention clause. However, the mere removal of the 5 years clause from Data Retention Bill is not enough. This paper will examine underlying pros and cons of a mandatory Data Retention law on Nigerian Service Providers. The following questions will be asked:

1) Does Nigerian have a National Security need that calls for Service providers to mandatory implement Data Retentions?

2) What are the possible impacts of mandatory Data Retention on Nigeria’s fragile Technology Development?

3) Does the proposed Data Retention assist Nigerian Law Enforcement in combating Cybercrime?

4) Is Nigeria Ready for mandatory Data Retention? Are there underlying Civil Liberty protections in place to complement Data Retention Policies?

The Nigerian Cybercrime Working Group (NCWG) has not been able to provide meaningful or substantive justifications for proposing its Data Retention policy. So far, the only argument put forth by the NCWG, is that; there is a Law-Enforcement prerequisite for digital evidence. The NCWG typically argues that Cybercrime is a Nigerian problem, and that Nigeria does not have digital evidence laws, and something has to be done.

The other argument that we often hear from members of the NCWG, is the notion that the United States of America, and most member nation of the European Nation, have some form of Data Retention law. The NCWG argues that National Security factors, such as events of September 11^th, demands that Nigeria becomes proactive and implements its own Data Retention regime, by following the examples and standards set by these developed nations.

The list of argument put forth by the NCWG seems to forgo all consequential impact that the proposal for Data Retention Law could have on Nigerian ICT development. In the first draft Bill, the argument did not clearly articulate why the five year term in the draft Bill was a necessary legislative requirement. Also, the NCWG reasoning does not take into account that Nigerian overall legal and law enforcement framework currently lacks civil liberties and data privacy protection mechanisms that we see in American and European Union Countries that have implemented Data Retention regimes.

Data Retention Laws around the world have always held contentious debates. For Instance, one Privacy International statement on the European Union’s Data Retention policy, simply describes Data Retention as illegal, the remark from the Privacy International article stated “the data retention regime envisaged by the Framework Decision, and now appearing in various forms at the Member State level, is unlawful. Article 8 of the European Convention on Human Rights (ECHR) guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative. The Framework Decision and national laws similar to it would interfere with this right, by requiring the accumulation of large amounts of information bearing on individuals’ private activities.” [2] Also, one report to the US Congress conducted by Congressional Research Service, commenting on possible impacts of the US Patriot Act on E-Government, stated, “Electronic government (e-government) could be affected by the Act in both positive and negative ways. The intense focus on improving data collection and information sharing practices and systems may contribute to the establishment of government-wide technical standards and best practices that could facilitate the implementation of new and existing e-government initiatives. It could also promote the utilization of secure Web portals to help ensure the data integrity of transactions between the government and citizens and business. However, concern about potential abuses of data collection provisions could dampen citizen enthusiasm for carrying out electronic transactions with the government.”[3]

One issue that the NCWG and other legislative authorities will have to address while implementing any national Data Retention regime for Nigeria is the issue of Retention data classification. The data attributes that constitute transactional, traffic, routing, and content data, must be clearly defined.

In general, the classification of Data Retention Informational attributes fall under two broad categories: A) Content records, B) Non-Content records. Content records are generally actual messages, for example in an email exchange, message content is the actual email message body.

Non-content records on the other hand, are generally either records obtained from the customer in the process of an online transaction or registration, or records generated by computer processing during the course of these transactions.

Examples of Non-Content records include; transactional logs and audit trails. Non-Content records are usually divided into two: A) Transactional Records, and B) Traffic Records or Routing Records.

Nevertheless, most Data Retention laws tend not to mandate the actual capture of record contents directly. These laws generally impose stipulations that only require the retention of record attributes that are only limited transactional, traffic, routing, or subscriber records.

However, the distinction between content and non-content records often can not be clearly defined. A statement by the American Civil Liberties Union (ACLU), while addressing civil liberties issues in regards to the USA Patriot Act and how it could impact Internet privacy, stated “Web addresses are rich and revealing content. The URLs or "addresses" of the Web pages we read are not really addresses; they are the titles of documents that we download from the Internet. When we "visit" a Web page what we are really doing is downloading that page from the Internet onto our computer, where it is displayed. Therefore, the list of URLs that we visit during a Web session is really a list of the documents we have downloaded - no different from a list of electronic books we might have purchased online. That is much richer information than a simple list of the people we have communicated with; it is intimate information that reveals who we are and what we are thinking about - much more like the content of a phone call than the number dialed. After all, it is often said that reading is a "conversation" with the author”[4]

The implication in the above statement is that; while most Data Retention laws do not specify that actual customer message content be captured, non-content records can actually reveal message content. Transactional records such as system audit logs, and software application logs, often can be direct pointers to actual messages, or may reveal some portions of actual message content.

Another example is in actual the revelation of Email content messages that we find in some Email Software exceptional error logs. In such cases, certain email error logs actually contain the message body while issuing a non-delivery error report. These records are transactional, but also contain actual message content.

The events of September 11, has necessitated nations around the world to take another look at how National Computer Infrastructure is protected and also invoked re-evaluation of Internet policing strategies . The resulting aftermath of September 11^th, in the United States for instance, was the introduction legislation such of the Patriot Act.

The Patriot Act and other similar legislations around the world, gave Law-Enforcement extended police powers, and thereby eroded civil liberty safeguards. Nancy Kranich, FEPP Senior Research Fellow, described impacts of the Patriot Act as follows, “The USA PATRIOT Act contains more than 150 sections and amends over 15 federal statutes, including laws governing criminal procedure, computer fraud, foreign intelligence, wiretapping, and immigration. Particularly troubling to free speech and privacy advocates are four provisions: section 206, which permits the use of "roving wiretaps" and secret court orders to monitor electronic communications to investigate terrorists; sections 214 and 216, which extend telephone monitoring authority to include routing and addressing information for Internet traffic relevant to any criminal investigation; and, finally, section 215, which grants unprecedented authority to the Federal Bureau of Investigation (FBI) and other law enforcement agencies to obtain search warrants for business, medical, educational, library, and bookstore records merely by claiming that the desired records may be related to an ongoing terrorism investigation or intelligence activities -- a very relaxed legal standard which does not require any actual proof or even reasonable suspicion of terrorist activity” [5]

Thus, the fundamental question as it applies to Nigerian then becomes, does Nigeria have a National Security interest that warrants sweeping reforms such as those introduced by the USA Patriot Act? Does Nigeria have a National Security need for a mandatory Data Retention law? There are two views. The first view is that Nigeria, like the rest of the world needs to be proactive. This view stresses that in order to effectively police and protect Nigeria’s Information Technology assets, adequate legislation must evolve. Also, this point of view argues that terrorist threats to Nigeria are real. In an article commenting about terrorist threats in Africa, Princeton N. Lyman and J. Stephen Morrison, writes, “in Nigeria, for example, a potent mix of communal tensions, radical Islamism, and anti-Americanism has produced a fertile breeding ground for militancy and threatens to tear the country apart.”[6]

Also, the arrest of Al Qaeda’s operative, Muhammad Naeem Noor Khan in Pakistan some months ago, actually revealed that terrorists actually used Nigerian Technology Infrastructure to relay messages around the world. According to a CNN News article, “U.S. sources said Khan told interrogators al Qaeda uses Web sites and e-mail addresses in Turkey, Nigeria and tribal areas of Pakistan to pass messages among themselves.”[7]

The other point of view argues, that one or two incidents of Al Qaeda’s operatives sending emails via Nigerian Email Systems, does not produce substantive evidence for sweeping reforms that may potentially water down Nigerian Civil liberties. Furthermore, the NCWG has not been able to produce any documented evidence of Nigerian National Security risks assessments, which warrants a need for mandatory Data Retention legislation. The NCWG has no data on malicious activities against Nigerian

Information Technology architecture, and has so far conducted no formal studies to substantiate that terrorist activities are a potential National Security risk.

Nevertheless, the NCWG’s decision to recommend a Data Retention Policy was not based on any particular National Information Security evaluation, but on the potential speculation of the need for such legislation.

Nigeria’s Information Technology Sector is just beginning to evolve. The current state of Nigerian ICT Development, affirms that the sector is still fragile. With low Internet usage penetration, and low Teledensity ratios, Nigeria’s ICT development is still a work in progress. Hence, particular attention needs to be paid to the impact of public policies on this emerging Technology Sector. For example, Nigeria can not afford to have recent gains made by the introduction of liberalized policies in the Telecommunications sector become subverted by a Data Retention Policy. Especially, if that policy would introduce higher Telecommunications Provider operating costs that may become detrimental to growth of that sector. In any case, the NCWG has not conducted an impact analysis of the Data Retention Policy on Nigeria’s Information Technology Development. The critical impact of Data Retention operating costs that might be incurred by GSM operators and Nigerian ISP’s as a result of compliance with a Data Retention regime has not been studied.

Also, the argument put forth by the NCWG seems to suggest that the need for National Security protection far out-weighs the burden that such regulations would impose on Technology development. Nigeria’s National Security is vital, but so is Nigeria’s Economic development. The important potential of Technology in Nigeria’s Economic development ought not to be flattened by policy inconsistencies.

Potentially, any device residing on Service Provider networking infrastructure, that creates log or audit data, is a candidate for the Data Retention regulation. Data Retention will affect all industries that you find a voice, data, or video Computer Network architecture. Examples of institutions affected will include; schools, ISP’s, GSM operators, Financial Institutions, Governmental agencies, etc.

The impact of the law on Nigerian Service Providers if it becomes law can only amount to increases in operating costs overheads that will in turn be passed on to consumers. Although, these additional overhead costs will vary from Service Provider to Service Provider, depending on volume of transactional record each generates in the course of doing business in Nigeria, the bottom line is that Information Technology service pricing can be impacted by Data Retention.

In Nigeria, one of the biggest obstacles to Information Technology diffusion is seen in the affordability of Information Technology services. The cost implication of

Data Retention has the potential to further hinder Nigeria’s Technology growth. These costs impacts are seen even in Developed Countries as a major burden on Technology growth. For example, while debating the cost impact of UK’s Data Retention policy, a Zdnet News article attributed the following statement to an American Online official, “for AOL, retaining communications data for one year would add an enormous cost, said de Stempel.”There are huge amounts of data involved. AOL has 329m user sessions a day, and its customers send 597m emails, and we're just one ISP." De Stempel said that to save all communications data on its UK customers for just one day would require 100 CDs. "If you multiply that (for a year) it will have an enormous impact on our business."[8]

In addition, it also should be noted that in 2003 and 2004, the number of licensed Nigerian ISP’s did not see an increase. The number of licensed ISP remained at 35 for both years respectively, this lack of growth was due to the high costs of business and low returns

The extent by which a mandatory Data Retention Law would assist Nigerian Law enforcement authorities is yet to be determined. Currently, Nigerian Law Enforcement authorities are hardly computer literate, and there might not be a single Computer Forensics laboratory within any

branch of the Nigerian Police or other Law Enforcement authority. What then is the point of having Service Providers retain Computer records, when Nigerian Law Enforcement authorities do not yet have the capability to convert such data into useful digital forensic evidence?

To date, Nigeria has not persecuted successfully one single case of Computer related crime in any Nigerian court.

Furthermore, there is also another view that suggests that current legislation such as the Advance Fee Fraud Act, is already examples of Nigerian law that are capable of persecuting some forms of computer related crimes. The EFCC for example has several Computer Related criminal cases pending in Nigerian courts, and these charges were filed under offenses attributed to the Nigerian Advanced Fee Fraud Act.

In any case, there is no legal precedence by which the NCWG can use to support that a mandatory Data Retention law would be an effective tool for Law Enforcement. The NCWG can not produce case references, where a mandatory Data Retention Law would have proven to be an effective tool of Nigerian Computer Crime Law Enforcement.

Most Countries around the world that have implemented Data Retention polices also have underlying privacy protection schemes in place. The United States for instance, has laws that safeguard government, financial institutions, and health care facilities, from the indiscriminate disclosure of personal information. Examples of these laws in the United States include; 1974 U.S Privacy Act, 1986 US Electronic Communications Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act. Besides these privacy protection laws, the United also have laws such as the Freedom of Information Act, which authorizes the Federal Government to disclose information to the public upon request.

Thus, there are fundamental safeguards within the laws of these other Countries that are missing in Nigerian legislative framework that are there to decrease the abuse of mandatory Data Retention. If Nigeria were to implement Data Retention, the

Unauthorized disclosure of such information will not be safeguarded because Nigeria does not yet have similar privacy protection regulations. Also, because the Nigerian Federal Government does not have transparent policies, oversight for the use of data gathered during the Data Retention process can become problematic. The ways which the data is used once in the hands of Law-Enforcement can not be monitored. Personal information such as health records, financial records, and Business Intelligence Information could easily be disclosed without authorized consent.

In addition, Nigeria also has very weak Intellectual Property enforcement and legislation, one article describes the state of Intellectual Property in Nigeria as “For example, the authors have not only observed the false labeling of goods as regards “country of origin” but also the infringement and “passing-off” of internationally well-known trademarks and designs and the illegal reproduction of cinematograph films, phonographic recordings and books. In some instances, third parties have even succeeded in establishing proprietary rights and a priority claim over international trademarks and designs which did not belong to them”[9] Data Retention abuses in Nigeria, could also lead to a Intellectual Property detriment.

Data Retention Laws are by their very own nature, pose potential threats to individual privacy, the fact that these information exists outside of the original purpose for which the Information was created, or because such data exists outside of regular business process, increases the threats of improper usage and disclosure.

An article by Privacy International, an International Privacy advocacy group has this to say, “The retention of personal data resulting from communications, or of traffic data, is necessarily an invasive act. With the progress of technology, this data is well beyond being simple logs of whom we've called and when we called them. Traffic data can now be used to create a map of human associations and more importantly, a map of human activity and intention. It is beyond our understanding as to why the EU Presidency and some select EU Member States insist on increasing the surveillance of traffic data even as this data becomes more and more sensitive, concomitant to a decreasing regard for civil liberties.” [10]

The map of human activities and intentions that can be derived from traffic data, Is an indication that non-content record even when they do not contain content data, can be used to monitor and derive personal activities? The use of Information Technology now spans most aspects of human daily activity. Since Data Retention helps to consolidate information about these activities for an extended period of time, the implication is that patterns of human behavior can be aggregated from these extensive collections of data.

Nigeria’s democracy are still at inceptive stages, the laws protecting individual civil liberties like we see in America or most European Union nations that have implemented Data Retention, do not yet exist .

[1] See, http://www.techtimesnews.net/articles.asp?id=328

[2] See, http://www.privacyinternational.org/countries/uk/surveillance/pi_data_retention_memo.pdf

[3] See, http://www.epic.org/privacy/terrorism/usapatriot/RL31289.pdf

[4] See, http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=12263&c=206

[5] See, http://www.bespacific.com/mt/archives/003877.html

[6] See, http://www.foreignaffairs.org/20040101faessay83108/princeton-n-lyman-j-stephen-morrison/the-terrorist-threat-in-africa.html

[7] See, http://www.cnn.com/2004/US/08/03/terror.threat/

[8] See, http://news.zdnet.co.uk/business/legal/0,39020651,2127408,00.htm

[9] See, http://www.nipc-nigeria.org/law_prop.htm

[10] See, http://www.edri.org/edrigram/number2.22/dataretention

DAWODU.COM

Dedicated to Nigeria's socio-political issues

Nigeria Data Retention: