Review of Draft Nigerian Cybercrime Act

Several months ago, the Nigerian President announced the formation of a Cybercrime committee. The 15-member committee consisted of representatives from the both Government and private sector, and were tasked with designing solutions for Nigerian Internet based fraud and Cybercrime.

After many weeks of deliberations, the committee presented a Draft Cybercrime Act to the President, and the committee formed the Nigerian Cybercrime Working Group (NCWG), to accelerate the implementation of it’s Cybercrime research efforts, and to assist the Nigerian National Assembly in the quick passage of a Cybercrime Bill.

An essential document that came out of the closed door Presidential Committee on Cybercrime, is the “Draft Nigerian Cybercrime Act”. This paper provides an in-depth review of that document.

In summary, the Draft Nigerian Cybercrime Act provides the legal framework for the establishment of an Independent Cybercrime Agency and for the legislation regarding Cybercrime and Cyber-Security. Basically, the Draft Nigerian Cybercrime Act was divided into eight different sections namely: A) PRELIMINARY,B) OFFENSES, C)PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE , D) ANCILLARY AND GENERAL PROVISIONS, E)CYBERCRIME & CYBERSECURITY AGENCY ESTABLISHMENT OF THE CYBERCRIME AGENCY, ETC, F)FUNCTIONS AND POWERS OF THE AGENCY, G) MANAGEMENT AND STAFF OF THEAGENCY, H) FINANCIAL PROVISIONS.

REVIEW OF THE STRUCTURE OF THE COMMITTEE

The Presidential Committee on Cybercrime consisted ofgroup membership from the government and the private sector, the composition of the group included: The National Security Advisor, Justice Minister, Minister of Science and Technology, Chairmen of the Senate and House of Representatives Committee on Science and Technology, Inspector-General of Police, State Security Service, National Intelligence Agency, Economic and Financial Crimes Commission, Nigerian Communications Commission, National Information Technology Development Agency, Nigerian Computer Society, Internet Services Providers Association of Nigeria, and the Nigerian Internet Group.[1]

The composition of the group was well represented, except with the omission of a group from the academia and the Military. It was rather surprising that the Nigerian Government did not feel a need to include any Nigerian University or any branch of the Nigerian Military. This omission is important because historically, most of the research Initiative underlying old and new Cybercrime technology has origins either in studies conducted by the military, or research efforts from the academic community. The Internet itself, was largely a creation of the USA Department of Defense, and several Digital Security Initiatives can be traced to academic institutions.

Once the Presidential on Cybercrime began it’s deliberations, sources within the committee reported that Inter-Agency turf issues soon emerged. Rather than focusing on the creation of an effective Inter-agency driven Cybercrime agency, the quest for control of a newly created agency soon emerged. Certain agencies within the committee wanted the creation of a new and independent Cybercrime Commission. NITDA, for example argued in favor of creating the new agency under its umbrella, while the EFCC maintained the need to retain national anti-Cybercrime efforts under it’s control, and agencies such as the NCS, argued in favor of the creation of a private Independent body.

In short, the committee lost focus. Rather than deliberating on a creation of a Cybercrime model geared at attaining strategic synergetic efficiency, tuff issues became dominant. At a time when the Nigerian Government was announcing to the world, key economic reform programs such as the National Economic Empowerment and Development Strategy (NEEDS), why did the Presidential Committee on Cybercrime not border itself with evaluating economic efficiency models as it relates to the creation of an Independent Cybercrime Agency? Why did it not consider issues such as duplication of resources? Already, the Nigerian government is investing millions into the creation of a Financial Intelligence Unit (FIU), would an organizational synergy of the FIU and Cybercrime not benefit Nigeria?

Now, we have the Minister of Finance, Ngozi Okonjo-Iweala at a recently concluded World Economic Forum saying she is angry at 419 email and the negative impact it has on Nigeria[2]. Whilst any patriotic Nigerian should be disturbed about the International 419 image, Ngozi Okonjo-Iweala, owes Nigerians a national duty to ensure that the Presidential Committee on Cybercrime, does not squander upon Nigerians the creation of an Independent Cybercrime Commission, that is not based on feasible economic impact analysis.

The Presidential Committee on Cybercrime needs to research various models underlying the creation of an Independent Cybercrime Agency. The focus of the research should be on efficiency and effectiveness. Questions such as duplication of resource should be addressed, and a feasibility study of all proposed Cybercrime organizational design concepts should be transparently studied.

A 419 Email letter that originates from Nigeria, and claims a victim elsewhere in the world, might not only violate the territorial laws of Nigeria, but also those of the territorial boundaries of the victim. Digital evidence trails, for this example, might be found on the electronic pathway of several International States when investigating a 419 crime. Thus, to be effective, there is clear indication from Cybercrime experts around the world, that the harmonization of laws, and the harmonization of law enforcement practices, provides a clearer framework for any effective State sponsored Anti-Cybercrime effort.

In an article by Phil Williams titled: “Organized Crime and Cybercrime: Synergies, trends and responses”, he writes, “Harmonization is necessary for both substantive and procedural laws. All countries have to reappraise and revise rules of evidence, search and seizure, electronic eavesdropping, and the like to cover digitized information, modern computer and communication systems, and the global nature of the Internet. Greater coordination of procedural laws, therefore, would facilitate cooperation in investigations that cover multiple jurisdictions”[3]

Harmonization of global and local administrative procedural laws are essential issues that the Committee On Cybercrime failed to factor into it’s deliberations.

Specific examples of local administrative policy and procedural issues can be found in the following examples:

A) Page 53 of the National IT Policy mandated the formation of Local Administrative laws:

1) Establishing Government IT Procedure Act (GITPA) to enhance equipment standards, performance and security.

2) Establishing a Data Protection Act (DPA) for safeguarding privacy of National computerized records electronic document.[4]

not reference any of the above bills. Amazingly, the agency that created the Nigerian IT Bill was NITDA, and a representative of NITDA is the Chairperson of the Presidential Committee on Cybercrime. Nigerians must note that NITDA is always present, whenever there is a technological issue mess. For example, NITDA was at the center of the Nigerian Top-Level Domain issue crisis.

B) Page 45 of the same Nigerian IT Policy ascribes one of the objectives of NITDA, as to “Ensure the protection of individual and collective privacy, security, and confidentiality of information”[5], yet a section in the Draft Nigerian Cybercrime Act proposed that “all service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”, hereby raising key privacy infringement issues.

C) Architects of the National Economic Empowerment and Development Strategy (NEEDS), recognized that an essential ingredient of an effective economic reform program has to be supplemented with an effective anti-corruption program, yet the NEEDS matrix of measures, published at the Federal Ministry of Finance Web-site, failed to accommodate an effective Cybercrime and Cyber-Security strategy. The primary focus of the NEEDS program, seems to be on issues related to transparency in the Oil and Gas sector, and providing increased resources for EFCC to combat Money Laundering activities[6]. Proponents of the NEEDS program should be cautioned that as long as Nigeria remains the 419 Capital of the World, the Foreign Investment climate that will guide the success of NEEDS will never happen.

The preliminary section of the Draft Cybercrime Act has two topics: A) The title of the Act, which it called the “Nigerian Cybercrime and Cybersecuirty Act 2004”, and,

B) The Interpretation sub section. The Interpretation section attempts to provide clear legal definition for keywords used in the body of the Act. One such definition is the word, “Computer Contaminant” which was defined as “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network”

The question one raises from this definition of Computer Contaminant, is the issue of authorized access and malicious destruction of data and computing resource.

For example, if a person was granted security access to a Computer resource, and he writes a program to knowingly destroy or alter data in a manner contrary to the intended use of the data, is that program a contaminant?

Another keyword, under the Interpretation Section is the word “Computer Injury”. The section defines Computer Injury as “any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access.”

The underlying issue here that this definition does not seem to address is the issue of Computer Injury that could result as a consequence of unauthorized disclosure of confidential information, theft of that information, and other forms of illegal use of data by an authorized or unauthorized person. The other issue that comes to mind with the Computer Injury term, is the harmonization of the definition with local and Intellectual property Laws.

This section, also defines, “Computer Security”, as including: “software, program or computer device that: is intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system; and may display a warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access”

Generally, Computer Security has 3 attributes: confidentiality, Integrity, and availability. The above definition does not take into account the other key attributes of Computer Security.

The Interpretation Section also tries to define “Computer Service” as including “ any and all services provided by or through the facilities of any computer system which is capable of allowing the input, output, examination, or transfer, of computer data or computer programs from one computer to another.”

processing, and output. The definition of Computer Service

somehow, skipped the fact that data processing is an important component of Computer Service.

Section stated that electronic message “includes electronic mail message, short mail messages and text messages sent to any electronic messaging system.”

This definition does not take into account other potential forms of electronic messaging Systems. Should the definition also include electronic transmissions such as; Electronic Fax and SMS transmitted via a Computer System. Does VOIP qualify as an electronic message?

“Electronic Message Address”, was defined as including “ a destination commonly expressed as a string of characters, consisting of a unique user name or mailbox commonly referred to as the local part and a reference to an Internet domain name commonly referred to as the domain part, whether or not displayed to which an electronic mails message can be sent or delivered”.

Again, the definition of Electronic Message Address did not include other forms of electronic identifiers that can uniquely identify other types of electronic message. These may include unique identifiers for FAX messages, SMS messages, and VOIP.

In defining the word, “Recipient”, the section declares that “ when used with respect to an electronic message means an authorized user of the electronic mail address to which a message was sent or delivered if a recipient of an electronic mail message has one or more electronic mail addresses in addition to the address to which the message was sent or delivered, the recipient shall be treated as a separate recipient with respect to each such address”.

This definition of the recipient, seems to give a many too many relationship to the Internet identify of a person.

The true Internet Identity of a recipient is one to many. I have many Email addresses, am I a different recipient for each address? Separate recipient seems to suggest many to many Internet Identity relationships.

This section of the Draft Nigerian Cybercrime Act is the Criminal Law Part of the ACT. The section covered a very extensive set of Criminal activities listed as follows:

School of Law, has published an Internet Web Site titled “Model State Computer Crime Code”[7] The site provides a

model for various Computer Crime Laws that serves as template for Countries wishing to implement Cybercrime Laws. One sees a lot of word for word similarities between

Professor Susan Brenner. For example, the Email Bombing section of the Nigerian Cybercrime Act was essentially copied from the Web Site. The issue here is not plagiarism, as inquiries to Professor Susan Brenner confirms that she does not mind duplication of her work. Nevertheless, she should be credited in the body of the Draft Nigerian Cybercrime Act.

The System interference law, in the Offenses section declares: “Any person who unlawfully produces, sells, designs, adapts for use, distributes, or offers for sale, procures for use, possesses any devices, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts relating to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item to contravene this Act, commits an offence and liable upon conviction to a fine not less than =N=1 million or imprisonment for a term not less than 3 years or to both such fine and imprisonment”

This section fails to note that Computer Security professionals conducting security assessments sometimes have a need to design or use products with the capacity for System penetration. According to this law, a Computer penetration-testing tool becomes System Interference. In addition, some computer forensic tool will be termed System Interference tools. Virus Software re-engineering process, which sometimes requires writing viruses and sometimes the disassembly of Software virus also will be illegal in Nigeria. This particular law will also hinder the Cybercrime Agency in performing its functions.

The Email Bombing Section declares that “Any person who uses a computer, computer network, computerized communications system, or the Internet to purposefully:

a) send or induce others to send, massive amounts of electronic mail to a single system or person with the intent to interfere with the operating ability of recipient's computer system; or

b) send an unreasonably large file attached to electronic Mail or multiple copies of identical messages to the recipient with intent of stopping or slowing the Recipient’s ability to retrieve mail; or

c) subscribe the intended recipient without authorization to multiple Internet mailing lists resulting in the recipient

Commits the offence of email bombing under this Act and liable upon conviction to a fine of not less than =N=500,000 or imprisonment to a term not less than 2 years or both such fine and imprisonment”

The Email Bombing Law fails to accommodate that legitimate Email marketing may produce the same effect of mail bomb to a single System. The legitimate consideration for email bomb should be clarified in this section.

The Criminal Law Section on “Records Retention by Service Provider”, states that “All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years”

Some Years ago the European Union struggled to define Data Retention policies for its Internet Service Providers. Important issues of the debate were privacy concerns and feasibility of maintaining huge record sets for a period. The fact that the EU did not implement a Data Retention Law is not the primary issue here, but that of personal data privacy and the clear definition of transactional records. Data attributes associated with data retention needs to be clearly defined. All ISP records can be classified as transactional. This might intrude on privacy and might not be feasible. Rather than transactional records, communication logs and customer information record should be retained. Conceptually, this Law could allow Nigerian ISP is to keep confidential government Information that is routed through their Networks. The Data Retention Law, as suggested by the Presidential Committee on Cybercrime can potentially become a national security issue. What would stop Political Parties from colluding with ISP’s and gaining access to confidential transactional records of political opponents?

REVIEW OF PROTECTION & SECURITY OF CRITICAL INFORMATION AND COMMUNICATION INFRASTRUCTURE

Essentially, this section is divided into: Critical information and communication infrastructure,

Access to critical information and communication infrastructure, Audit and inspection of critical information and communication infrastructure, and Offenses against critical information and communication infrastructure.

Here again, we see harmonization deficiencies with Cyber-Security section of the Draft Cybercrime Act, in particular, it fails to harmonize with the Nigerian IT Policy, which prescribes the “ Establishing Government IT Procedure Act GITPA) to enhance equipment standards, performance and security” A program to protect National Information technology Asset should have Information assurance as it’s focus. National Information Technology assets should be identified and diligent process for the certification and accreditation of these assets implemented.

In addition, an essential principal in National Information Assurance, is the uniformity of Standards. The importance

of uniform national standards was not emphasized in this section. Standards such as ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation, ought to be interpreted and adopted as a national standard.

A sub-section in the part of the Draft Nigerian Cybercrime Act, titled “Powers Of Search and Arrest”, is very troubling. The section in question, gives the Cybercrime Agency the power to: “have access to any information code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this Act”.

The implication here is serious privacy issues. The power to require the release of encryption information to a government agency annuls all rights of the individual to privacy. Encryption keys or algorithms might be instruments of protecting free communication in a free and democratic society. In cases where crimes have been committed and encryption issues arise, encryption keys of algorithms can be kept in 3^rd party Encryption escrow.

As stated earlier in the introductory parts of this paper, the feasibility of creating a new Cybercrime agency may not be warranted. The Committee on Cybercrime did not conduct a feasibility study on why the creation of a new agency was justified. In addition, the Federal Ministry of Finance should be consulted to assist in the determination a cost benefit analysis that compares creating a new agency versus a cross-organizational model.

The agency should not be allowed to arbitrarily have the power to access informational assets of citizens for determining if a crime has been committed. It should be required to obtain the order of a court.

REVIEW MANAGEMENT AND STAFF OF THE AGENCY

In outlining the criteria for the managerial leadership of the Cybercrime Agency the Draft Nigerian Cybercrime Act stated that “there shall be for the Agency a Director-General who shall be a) appointed by the President; b) the chief executive and accounting officer of the Agency; c) responsible for the day-to-day administration of the affairs of the Agency; d)a person with cognate experience in Information and Communications Technology and Law with requisite international exposure in matters connected to Cybercrime”

The International exposure prerequisite eliminates Nigerians who might be qualified but do not have International experience. It also eliminates qualified Nigerians that do not have the professional duality of Law and Information Technology background.

[1] See, http://efccnigeria.org/links/nl2003120401dailychampion.html

[2] See, http://computercops.biz/article4726.html

[3] See, http://www.iwar.org.uk/ecoespionage/resources/state/internet-crime.htm

[4] See, http://www.nitda.org/docs/policy/ngitpolicy.pdf , Page 53

[5] See, http://www.nitda.org/docs/policy/ngitpolicy.pdf, Page 45

[6] See, http://www.fmf.gov.ng/economic_reform_fighting_corruption.htm

[7] See, http://cybercrimes.net/98MSCCC/MSCCCMain.html

DAWODU.COM

Dedicated to Nigeria's socio-political issues

REVIEW OF THE STRUCTURE OF THE COMMITTEE

processing, and output. The definition of Computer Service

REVIEW MANAGEMENT AND STAFF OF THE AGENCY