A CRITICAL REVIEW OF THE COMPUTER SECURITY AND CRITICAL INFORMATION INFRASTRUCTURE PROTECTION BILL 2005 AS NIGERIAN SPECIFIC CYBERCRIME LEGISLATION

Introduction

Nigerian government is determined to fight the menace of economic and financial crimes by putting in place the required legal framework and administrative measures.  However, the advancement in ICT provides new methods of committing crime which need to be addressed.  ICT experts unanimously agree that Nigeria needs to enact relevant laws to meet the changing phase of criminal activities since the existing laws are inadequate to combat the rising trends in economic and financial crimes in Nigeria facilitated by ICT infrastructures.  In a response to these challenges, the Federal Government of Nigeria in 2004 set up the Nigerian Cyber Crime Working Group (NCCWG) to design legislative and administrative solutions to Nigerian internet based fraud and cyber crimes generally.[1]
The NCCWG is an inter-Agency body made up of National Security Adviser, Justice Minister, Minister for Science and Technology, Chairman of the Senate and House of Representatives on science and technology, Inspector General of Police, State Security Service, National Intelligence Agency, EFCC, Nigerian Communication Commission, NITDA and private organisations in the ICT Sector, Nigerian Computer Society, Internet Service Providers Association of Nigeria (ISPAN) and Nigerian Internet Group.

The terms of reference of the Working Group include among others; engaging in public enlightenment programmes, building institutional consensus amongst existing agencies, providing technical assistance to the National Assembly on cyber Law and in the drafting of the Cyber Crime Act, laying the ground work for a Cyber Crime Agency that will eventually emerge to take charge of fighting Cyber Crime.[2]  The Working Group was also tasked with the responsibility of working with law enforcement agencies from advanced countries like USA, Canada, UK etc. who are indisputably ahead in ICT laws and techniques of fighting cyber crimes.  The outcome of the Working Group Committee on cyber crime is the “Draft Nigerian Computer Security and Critical Information Infrastructure Protection Bill 2005”.  The Committee in its report recommends the creation of legal and institutional framework in relation to the issue of cyber crime in Nigeria.  It also proposes the creation of central agency to enforce cyber crime or situates such responsibility within the existing law enforcement institutions in Nigeria.[3]

Against the above backdrop, this paper attempt a review of the draft Computer Security and Critical Information Infrastructure Protection Bill, 2005 as Nigerian specific cybercrime legislation with the aim of evaluating its adequacy in addressing the inherent militating factors against effective investigation and prosecution of economic crimes facilitated by ICTs infrastructure in Nigeria.  This paper also made recommendation for a quick passage of the pending Bill, 2005 without any further delay by the Nigerian National Assembly subject to observations and recommendation made thereto.

Militating Factors Against Effective Investigation, Prosecution of Economic and Financial Crimes Facilitated by ICTs in Nigeria

The common attitudinal problems against smooth prosecution of criminal cases in Nigeria include amongst others; failure of law enforcement agents to live up to their professional responsibilities, deliberate delay tactics by defence counsel to frustrate the proceedings, and archaic methods of recording court proceedings etc.  Related to the above, the following are the procedural and technical constraints militating against smooth investigation and prosecution of economic and financial crimes in Nigeria.

Likelihood of Success in Investigating and Prosecuting Economic and Financial Crimes Aided by ICT 

According to FBI estimates, less than 10% of all ICT infrastructure-related crimes result in a successful investigation while 10% or less than that number is prosecuted and about 10% of that number is eventually punished.[4]  The reason for the above problem is not farfetched.  Economic and financial crimes facilitated by ICT infrastructures or computer crimes generally involve the use of ICT infrastructures like internet, computer network, word processors, telex machines, fax machines and so on.  Thus, evidence to be generated from investigation of such crimes is substantially electronic evidence which is difficult to manage.  Electronic evidence can be destroyed, altered, stored, copied, and misused with unprecedented ease.

Thus, for a successful investigation and prosecution of computer related economic crimes, the law enforcement agents must be well grounded in ICT forensic investigation and prosecution of digital crimes.[5]  Investigating and prosecuting economic and financial crimes perpetrated via cyber space e.g. advance fee fraud, illegal money wire transfer, cyber laundering and so on, are ICT knowledge oriented, time consuming and require much endurance.  It sometimes cost more than the loss resulting from the alleged criminal conduct.  The above identified problems were acknowledged by the technical and professional officers of the EFCC during a series of interview sessions conducted by this researcher at EFCC specialised departments in the course of this study.[6]  

Another ICT related agency in Nigeria, the National Information Technology Development Agency (NITDA) identifies among others, inadequate ICT technical training and knowledge by the EFCC personnel as a serious militating factor in fighting economic and financial crimes in Nigeria.[7]  According to Mr. Eddet, legal officer at the NITDA Cyber Crime Unit, EFCC lacks the recent software and hardware to fight economic and financial crimes facilitated by ICT infrastructures especially the internet.  He was however quick to acknowledge the recent improvement in technical skills and training of the EFCC operating agents.  The training is being handled by the FBI and other international agencies.  He noted that the EFCC recently acquired some latest software and networking to monitor money laundering.

Even with the little improvements in technical training, acquisition of software and hardware by EFCC, the task is still as daunting as ever.  EFCC technical and professional personnel still need to acquire knowledge on how to retrieve and authenticate electronically generated evidence for the purpose of prosecution.  This perhaps is a germane and difficult task considering the “volatile nature and ease of manipulation, falsification, technological protection or deletion of electronic data.”[8]

In view of the above handicap, it is hereby suggested that considerable efforts should be made by the EFCC in the area of continuous specialised training for its operational staff.  It is imperative also to note that computer related criminal investigation and prosecution techniques are changing more rapidly compared to those in the typical traditional crimes.  In the United States for example, special Data Processing (DP) training for prosecution agencies are always on a continuous basis to ensure that a high proportion of agents are literate in computer and ICT investigation and prosecution techniques. [9]  It is important however to acknowledge the recent initiative taken by the EFCC to organise workshops, seminars, and training sessions for the Commission’s personnel and those from other organisations.  The expected benefit of such initiative is that it will create an avenue for exchange of ideas, technical skills and experiences by agents from different organisations.

Furthermore, judicial staff, judges and state counsel (Public Prosecutors) are not left out of the need to acquire ICT techniques and training to enhance their understanding of electronic related criminal cases.  Presenting the challenges in investigation and prosecution of economic and financial crimes in Nigeria, Honourable Justice Joseph O. Oyewole of the Lagos State High Court, Ikeja Division Nigeria observed that, “the same way the development in technology are yet to be embraced by the existing laws of evidence and criminal procedure; it also seems that the investigation and prosecution of these cases are yet to show substantial comprehension of development in modern technology”.[10]  His lordship in his assessment of the forensic efficacy of the Nigerian law enforcement agents and prosecutors expressed dissatisfaction and condemned the common phenomenon of criminal investigations being geared towards getting what his lordship called “the magic formula i.e. confessional statements”.[11]  As a possible solution to this technical problem Hon. Justice Joseph .O. Oyewole advocated for the involvement of private sector experts in specialised forensic investigation and prosecution.

Procedural Law Issues

The advancement in ICT has impacted and is still impacting positively and negatively on human socio-economic cum political activities.  It is truism therefore that law is always lagging behind in keeping abreast of the developments in the society.  However it is surprising that despite global response to the ICT advancement, Nigerian procedural laws and rules of evidence are yet to prescribe how computer generated or related evidence is to be treated by court of law.[12]  As Nigeria joins the rest of the world in exploiting the great potentials of ICT and its various infrastructures, quite a number of criminal activities are also facilitated by ICT as a tool.

Unfortunately, the Nigerian Evidence Act, Cap. 112 Laws of Federation of Nigeria 1990 which regulates the presentation and admissibility of any piece of evidence never contemplated the modern phenomenon of electronically generated evidence.  This gap no doubt is affecting smooth prosecution of economic and financial crimes facilitated by ICT infrastructures.  While lamenting the problems faced in prosecuting financial crimes in Nigeria, the former chairman of the Economic and Financial Crimes (EFCC), Mallam Nuhu Ribadu, stated as follows; [13]

Quite a number of economic and financial crimes these days are carried out through the use of computers, word processors, telex machines, fax machines, etc.  The problem that has arisen from the use of the above stated gadgets is the evidential value and admissibility of the materials generated by them viz-a-viz the law of evidence and proof of guilt of a culprit of economic and financial crime.

Defining computer evidence or electronically generated evidence and its evidential value or status has been problematic.  Computer evidence, according to Kevin Lee Thomason, J.O, can be classified into two types; computer printout of business record i.e. computer stored evidence, and computer animations i.e. taking data and using it to create a “virtual reality”.[14]  However, under the general principle of law of evidence, the best evidence rule in relation to documentary evidence is the original document itself otherwise known as the primary evidence.[15]  In the context of electronically generated evidence, then what amounts to “Best Evidence” in the circumstance since electronic evidence or documents do not really have an “original” so to say?[16]

The position of the Nigerian law of evidence with regard to computer or electronically generated evidence is that such evidence may be admissible only as secondary evidence and depending also on the circumstance of its origin.  This position was further buttressed by the Nigerian Supreme Court in the case of Anyaebosi  v. R. T. Briscoe Nigeria Ltd[17] where the court held thus; “The computerised statement of account (Exhibit P4) does not fall into the category of evidence absolutely inadmissible by law as it is admissible as secondary evidence under Section 96(2) of the Evidence Act…”[18]

In the case of Yesufu v. A .B .C.[19] and a host of others,[20] the Nigerian Supreme Court expressed willingness to interpret the provisions of the Nigerian Evidence Act more liberally in view of the technological advancement of the modern age which the court cannot claim ignorance of.  It is submitted that unless a positive amendment is made to the Nigerian Evidence Act in respect of the admissibility of electronically generated evidence, investigation and prosecution of economic and financial crimes facilitated by ICT infrastructures will continue to suffer set back due to the rule of evidence.

General Review of the Draft Nigerian Computer Security and Critical Information Infrastructure Protection Bill 2005

The rate of internet penetration in Africa is still very slow compared to the amazing growth of internet usage in America and Asia.  Nigeria and South Africa however account for the largest growth and use of internet and other ICT infrastructures in the continent of Africa.  Therefore by the Nigerian Computer Security and Critical Information Infrastructure Protection Bill 2005 (herein after referred to as the Bill 2005), Nigeria is proposing a new legal framework to strengthen her existing laws to combat computer related economic and financial crimes.  The Bill 2005 also intends to address the security of information infrastructures for national growth and development.

No doubt the scope of the Bill 2005 is very wide and extensive on issues relating to security of computer systems and networks, protection of critical ICT infrastructures, investigation and prosecution of online crimes among others.  However, the focus of this research is to examine the statutory response of the Bill 2005 to the prevalence of economic and financial crimes facilitated by ICT infrastructures especially the internet.  This section of this study will discuss the legal implications of the provisions of the Bill 2005 and appropriate suggestions will be proffered.

Legislative Goals and Scope of the Draft Bill 2005

The primary objective of Bill 2005 is, among other things; to criminalise illegal conducts against ICT systems, to secure the use of ICT infrastructures and systems for national development and to improve Nigerian “e-Readiness” and ICT as enabler.[21]  However, the scope of the Bill 2005 incidentally covers substantive law and procedural rules which regulate certain online activities some of which are economic and financial crimes.  The Bill 2005 also creates procedures for investigation and prosecution of computer related crimes while it enhanced global collaboration in cyber crime enforcement.  Be that as it may, the discussion under this section of the study will be primarily focused on economic and financial crimes perpetrated with ICT infrastructures as enabler.

The Bill 2005 is divided into three parts; Part I the enforcement and offences under the ACT with total number of 18 sections. Part II provides for security and protection of critical information infrastructure and the Part III i.e. the general provisions, dealing with procedural and jurisdictional matters.





Criminalising Unlawful Access to Computer with Intent to Commit or Facilitate the Commission of Further Crimes

The Bill 2005 is modelled on and more similar in content to computer crimes legislations of most developed jurisdictions like UK Computer Misuse Act 1990, Australia and even to some extent the Malaysian Computer Crimes Act of 1997 and the Computer Amended Act 1998 of Singapore.  Despite the similarities, the legislative goals of the Bill 2005 as earlier stated, is to prevent all forms of criminal conducts against ICT infrastructures or computer systems and economic crimes facilitated by ICT infrastructures.  It is important to note that the Bill 2005 deliberately attempts to address some aspect of economic and financial crimes as shall soon be demonstrated in the later part of this chapter.

The combined effect of Section 2 of the Bill 2005 which deals with unauthorised access to a computer and Section 3; unauthorised disclosure of access code, is to criminalise any forms of access to a computer, whether with prior authority or in excess of such authority or without any such authority, with the intention to commit any act which constitutes an offence under the enactment (Bill 2005) or any law for the time being in force in Nigeria.  The above provisions of Sections 2 and 3 of the Bill 2005 are similar to the provision of Sections 3, 4 and 6 of the Malaysian Computer Crimes Act 1997.  These sections are intended to act as a general deterrent and to criminalise any form of hacking.[22]

The punishment for unlawful access to a computer in order to secure access to any programme or data held therein or commit any act which amounts to a criminal offence under any law in force for the time being in Nigeria attracts the punishment of a minimum fine of N10, 000 (NGN), maximum fine of N100, 000 (NGN) or minimum imprisonment for a term not less than 6 months and maximum of 1 year or both..[23]  Procedurally, to secure conviction for the offence under Section 3 of the Bill 2005, the prosecutor must establish beyond reasonable doubt that the accused intends to gain access to any computer program and that he knows that the access he intends to secure is unauthorised or intends to use or exceeds earlier access authorisation to commit crime.[24]  It is interesting to note that the drafters of the Bill 2005 omitted to define what constitutes “unauthorised access” under the above provisions.[25]  However, borrowing from the UK Computer Misuse Act 1990 and Malaysia Computer Crimes Act 1997, access is unauthorised if the person gaining access is not legally entitled to such access or does not have consent or exceeds the limit of the consent given to him to access a computer network.[26]  The criminalisation of mere hacking by virtue of the provision of Sections 2 and 3 of the Bill 2005 which are in pari materia to the provisions of Sections 3 and 4 of the Malaysian Computer Crimes Act 1997 has been criticised for “being wide and bringing accidental or unintentional or unauthorised access into the purview of the Act”.[27]

In our view, countries’ experience of the negative effects of hacking differs and most often than not it is the impact of such effects that relatively determines the appropriate legal sanction in the circumstance.  It is of common knowledge that Nigerians are famous for internet fraud, credit card fraud, money laundering, etc.  The general criminalisation of hacking with severe penalty is most appropriate in the circumstance to serve as deterrence and therefore redeem the battered image of the nation in the comity of nations.

The crime of unauthorised disclosure of access code as defined by Section 3 of the Bill 2005 is directed at increasing incidence of disclosure of security passwords, access code by compromise or even by other technical means of gaining unlawful access to any program or data or database held in any computer for the purpose of committing a crime.  The crime can be considered to be serious and one of the various forms of committing economic and financial crimes via ICT infrastructures.  It is rational therefore that severe penalty be imposed for such violation as contained under Section 3 of the Bill 2005.  In the event of unlawful disclosure of any password, access code or obtaining same by whatever unlawful manner, the offender shall be liable on conviction to a fine of not less than N 500, 000 or imprisonment for a term of not less than 3 years or to both fine and imprisonment.[28]  However, where the commission of the offence resulted in damage or loss, the penalty is a fine of N 1,000, 000 or imprisonment of not less than 5 years or both fine and imprisonment.[29]

Relating the above provision of Sections 2 and 3 of the Bill 2005 to the subject of this research, it can be deduced that the sections are in actual fact a positive response to instances of commission of economic and financial crimes facilitated by ICT infrastructures.  For instance, unlawful access to a computer system or network can be a precursor to the commission of economic and financial crimes, e.g. online illegal charges transfer, future market fraud, fraudulent encashment of negotiable instruments, computer credit card frauds, suppression of suspicious transactions report, e.t.c.

Thus, Section 2 (1) of the Bill 2005 envisages situations where any person without authority or in excess of his authority accesses any computer network in order to commit any act which constitutes an offence under the Bill 2005 or law for the time being in force in Nigeria.  Therefore, offences committed under the relevant provisions of the Criminal and Penal Codes, and the EFCC Act 2004 and with the aid of ICT infrastructures are covered.  Thus, a suspect can be charged with the principal offence under any of the above enactments as well as for violating the provision of the Bill 2005 if found to have committed the offence with the aid of ICT infrastructures.

Section 3 (3) of the Bill 2005 is more specific and severe in punishment in responding to the phenomenon of credit card fraud and hacking.  Section 3 (3) provides as follow;

Any person who with the intent to commit any offence under this Act uses any automated means or device or any computer program or software to retrieve, collect or store passwords, access code or any other means of gaining access to any program, data or database held in any computer, commits an offence and shall be liable on conviction to a fine of N 1, 000, 000 (NGN) or to imprisonment for a term of 5 years or to both such fine and imprisonment.

The above provision of Section 3 of the Bill 2005 shares some semblance or similarity with Section 4 of the Malaysian Computer Crimes Act 1997.  Section 4 of the Malaysian Computer Crimes Act 1997 also envisages situations of unauthorised access to computer with the intent to commit or facilitate the commission of further offences involving fraud or dishonesty or which cause injury as defined in the Malaysian Penal Code.  The punishment for unauthorised access under the Malaysian Computer Crimes Act 1997 is a maximum imprisonment of 10 years or a maximum fine of RM 150, 000 or both.

The offence of unauthorised access with intent to commit or facilitate the commission of further offence under Section 4 (1) of the Malaysian Computer Crimes Act 1997 which attracts more punishment than Section 3 of the same Act, is justified as it takes care of a situation where insider or external hacker who gained unauthorised access to a computer or its system diverts funds from other person’s account into his own or others accounts.[30]

The imposition of severe punishment for hacking and other fraudulent economic crimes facilitated by ICT infrastructures under the Malaysian Computer Crimes Act 1997 is decisive and absolutely necessary to attract and protect investors in the nation’s IT giant stride, the Multimedia Super Corridor (MSC) which is being developed with first rate physical infrastructural facilities.[31]  Although Nigeria is yet to make such giant strides in the adoption of IT to all sector of human activities however, the recent launching of Nigerian Satellite 1 (Nigeria SAT 1),[32] and most recently the Nigerian Telecom SAT[33] are better indications of Nigeria’s e-Readiness.[34]  In furtherance to the above, Nigerian Telecommunication Act 2003 was enacted as a legal framework for regulating communication sector of the Nigerian economy while National Information Technology Development Agency Act 2007 established an agency called NITDA as a catalyst for transforming Nigeria into a knowledge based and IT driven economy for global compositeness through the implementation of the National IT Policy.[35]

Against the above background, it becomes imperative that the phenomenon of hacking and other forms of unlawful disclosure and unauthorised access to computer network be taken seriously by imposition of severe punishment in the nature of higher fine and long term imprisonment as deterrence.  It is therefore proposed that Section 4 of the Bill 2005 be amended by increasing the punishment to the fine of N 5,000,000 (NGN) and imprisonment for a maximum term of ten years.

Advance fee fraud is a prolific and pernicious type of fraudulent criminal activity often attributed to crime rings or individual criminals operating within and outside Nigeria by Nigerians and other nationals.  The perpetrators now use the internet to reach a greater number of their potential victims more quickly and electronically.  In response to this negative exploitation of the ICT infrastructures, Section 4 (1) of the Bill 2005 makes it an offence to send fraudulent electronic mail messages to any recipient where such electronic email materially misrepresents any fact or set of facts upon which the victim or recipient is made to suffer any damage or loss.  The punishment imposed on conviction for the violation of Section 4 is a fine of not less than N 1,000,000 (NGN) or imprisonment for a term of not less than 5 years or both fine and imprisonment.

By virtue of the provision of Section 4 (2) (a) (b) (c) of the Bill 2005 it is clear that the government intends to create a strict liability offence for fraudulent electronic email.  This is informed as a result of embarrassing spate of fraudulent and deceptive unsolicited emails sent by Nigerians and nationals of other countries, to millions of prospective victims across the globe.   To further demonstrate government commitment in curbing this menace, a law recently passed by the National Assembly makes it difficult to successfully pull off cyber crime in Nigeria.  To be precise, the Advance Fee Fraud and other Fraud Related Offence Act 2006 makes the cyber café operators, and the Internet Service Providers (ISPs) more involved in monitoring activities of the internet users against criminal abuse of ICT.

The effect of Section 4 (3) (4 ) of the Bill 2005 is to address offenders who specialise in sending unsolicited and spamming electronic mail messages to recipients to whom they have no prior social relationship and economic transaction with.  The section also deals with offenders who with intent to commit any offence under the Bill 2005 and use any automated means or device or any computer programme or software to collect or store electronic mail addresses from any sources.  It is however submitted that the inclusion of Section 4 (3) (4) in the Bill 2005 rather than in the Advance Fee Fraud and other Fraud Related Offences Act 2006 which is the principal enactment on the subject is not appropriate though criminalising the fraudulent acts of the spammers and other internet fraudsters is necessary.

The Part II of the recently enacted Advance Fee Fraud and other Fraud Related Offences Act 2006 titled “Electronic Telecommunication Offence, etc” seeks to secure the cooperation of persons and entities providing electronic communication services in investigating and gathering of evidence against cyber criminals and fraudsters by imposing responsibilities on them.[36]  However the Advance Fee Fraud and other Fraud Related Offences Act 2006 did not define what constitutes “Electronic Telecommunication Offences” nor state the punishment for committing such offences.  Therefore the inclusion of Part II, Section 12 and 13 in the Advance Fee Fraud and other Fraud Related Offences Act 2006 with the omission of what constitutes such offences makes Part II to the new Act meaningless.  The missing link to Sections 12 and 13 of Part II to Advance Fee Fraud and other Fraud Related Offences Act 2006 is the Section 4 of the Bill 2005 which defines and punishes fraudulent electronic mail messages.

The above mix-up can be regarded as a serious drafting error or clear indication of confusion on the part of the law makers as well as the Nigerian Cyber Crimes Working Group on how best to criminalise electronic mailing fraud and under what enactments to include such provision.  It is strongly suggested that Section 4 of the Bill 2005 would better synchronised with Part II, Sections 12 and 13 to the Advance Fee Fraud and other Fraud Related Offences Act 2006 which is the primary legislation on advance fee fraud offences in Nigeria.  Since the Bill 2005 has not been passed into law, it is hereby recommended that Section 4 of the Bill 2005 be removed from the draft bill and incorporated into Part II of the Advance Fee Fraud and other Fraud Related Offences Act 2006 by way of amendment.

However if such arrangement seems cumbersome to implement due to Nigerian factor i.e. undue delay in legislative process, prosecutors will be left with two options; prosecuting the offenders under the two enactments simultaneously or under either of the two enactments.  Adopting the latter option means that the accused will only be liable for the prescribed punishment for fraudulent electronic mail messages which is a fine of not less than N 1,000,000 (NGN) or imprisonment for a term of not less than 5 years or to both such fine and term of imprisonment.[37]  However if the accused is to be prosecuted for obtaining property by false pretence or fraudulent means, the punishment is severe under Sections 1 and 4 of the  Advance Fee Fraud and other Fraud Related Offences Act 2006.  The punishment is imprisonment for a term of not more than 20 years and not less than 7 years without option of fine.[38]  The dichotomy between the punishments prescribed for fraudulent electronic mail messages and spamming under Section 4 of the Bill 2005 and the punishment prescribed for similar offence under Sections 1 and of the Advance Fee Fraud and other Fraud Related Offences Act 2006 is fundamental and may in the long run defeat the objective of imposing severe punishment for the offences.

Criminalising Data Forgery, Computer Fraud and Identity Theft

Data forgery, computer fraud and identity theft can be classified as economic and financial crimes under the provision of Section 46 of the EFCC Act 2004.  Responding to the criminal phenomenon of altering, erasing, inputting or suppressing computer data with the aim of covering unlawful benefits on the offender, Section 6 of the Bill 2005 criminalised computer fraud and imposed on conviction for the said offence a fine of not less than N 500,000 (NGN) or imprisonment for a term of not less than 3 years or to both fine and imprisonment.  

The provision of Section 6 of the Bill 2005 is in pari materia in substance to Section 5 of the Malaysian Computer Crimes Act 1997 and Section 3 of the UK Computer Misuse Act 1990.  Section 6 of the draft bill is directed at unlawful interference with a computer data either by altering, erasing, inputting or suppressing any data held in any computer for the purpose of conferring a benefit to the offender or another person thereby causing loss of property to others.  Unlike Section 5 of the Malaysian Computer Crimes Act 1997 which excludes mens rea as a necessary condition for the commission of the crime, Section 6 of the Bill 2005 places the burden of proof on the prosecutor to establish the fact that the offender actually knows that his act is unauthorised and that the offender possesses the intention to cause loss of property to another as well as act in the expectation of covering benefits to himself or others.[39]

Section 3 of the UK Computer Misuse Act 1990 and Section 5 of the Malaysian Computer Crimes Act 1997 are both broad in scope in dealing with unauthorised modification of the content of any computer.  Section 6 of the Bill 2005 however, criminalised computer fraud or unauthorised modification of the content of any computer provided it is established that the offender actually intended or has the knowledge of the consequence of the act and the purpose of conferring any benefits upon him or others.  It can be said that Section 6 of the draft bill is policy focused and more specific to criminalised computer fraud committed with the objectives of covering wealth illegally acquired, either individually or in group.[40]  Thus, offences like credit card fraud which is commonly perpetuated through harvesting of PIN numbers e.t.c. can be prosecuted under Section 6 of the Bill 2005.

It is interesting to note that Section 6 of the Bill 2005 is derived from the Convention on Cyber Crimes 2001 and the OECD recommendation on fraudulent modification of computer program or data for the purpose of committing an illegal transfer of funds or thing of value, committing a forgery and intending to hinder the functioning of a computer or telecommunication system.[41]  The above response through the provision of Section 6 of the Bill 2005 is most plausible policy to criminalise economic and financial crimes in form of fraud.

Regarding identity theft, at recent the reported cases are alarming as earlier discussed and the EFCC has been fighting the phenomenon for a while using the existing enactments to prosecute offenders. However, in order to bring the offence of identity theft within well defined scope with appropriate punishment, Section 10 of the Bill 2005 criminalised identity theft and impersonation via the internet and imposed upon conviction a fine of not less than N 500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment. 

The criminal offence of identity theft and impersonation are adequately covered by the provisions of Sections 132 and 179 of the Penal Code and Sections 107,108, 109, and 110 of the Criminal Code.  However, these Sections of the codes are narrow in scope as they only criminalised impersonation of public officers.  Identity theft in the digital age is such a serious crime which must not be limited to impersonation of public officers.

Criminalising Cyber Piracy

Since civil and criminal proscription for the violation of intellectual property rights in the existing Nigerian enactments never envisaged the contemporary digital criminal exploitation and gross violation of the classes of intellectual property rights, the inclusion of Section 16 in the Bill 2005 is most appropriate in the circumstance.  Section 16 of the Bill 2005 provides thus;

Any person who uses any computer to violate any intellectual property rights protected under any law or treaty applicable in Nigeria, commits an offence under this Act and shall be liable on conviction, in addition to any penalty or relief provided under the intellectual property law in question, to a fine of not less than N 1, 000, 000 (NGN) or imprisonment for a term of not less than 5 years or to both such fine and imprisonment

The apparent shortcoming in the above provision of the Bill 2005 is that it restricts instances of violation of intellectual property rights mainly to the use of computers.  The reality is that cyber privacy or violation of intellectual property in the cyber space can be committed with the aid of other electronic devices apart from the computer itself.  It is therefore difficult to believe that the intention of the Working Group Committee on cyber crime or the law makers is to limit unlawful violation of intellectual property rights via electronic means only to the use of computer.  The limitation therefore may be construed as an oversight which must be corrected to accommodate whatever devices are used to violate intellectual property rights.

The foregoing provisions are the relevant portion of the Bill 2005 in response to economic and financial crimes facilitated by ICT infrastructures.   The Bill 2005 also addresses other aspects of cyber crimes such as system interference, misuse of devices, unlawful interception, cyber squatting, cyber terrorism, use of ICT infrastructures for unlawful sexual purposes, child pornography, e.t.c.  These aforementioned aspects of the Bill 2005 will not be given any further consideration as they are beyond the scope of this research.  It is hoped that future research of similar nature will address other similar offences created by the draft bill.

The Draft Bill 2005 and Right of Privacy 

The issue regarding right of privacy as constitutionally guaranteed by Section 37 of the Constitution of the Federal Republic of Nigeria 1999 and the need to regulate and curb the prevalence of economic and financial crimes aided by ICT infrastructures or crime generally is quite controversial.  Section 11 of the Bill 2005 requires every service provider to keep all traffic, subscriber information or content on its computer for a fixed period of time and release same to law agents on request for legitimate purposes upon warrant issued by court.  Similar to the above provision are Sections 12 and 13 of the Advance Fee Fraud and other Fraud Related Offences Act 2006 which impose further responsibilities on cyber operators and ISPs and provides for punitive measures in case of violation.

The proposed Section 11 of the Bill 2005 and the already enacted Sections 12 and 13 of the Advance Fee Fraud and other Fraud Related Offences Act 2006 unjustifiably intrudes on the fundamental right of privacy of Nigerians.[42]  It is a common practice that the right of the individual or group must always be balanced against public interest and policy.  The above provisions are far from striking a balance between the two competing interests i.e. individual/ group interest in upholding the constitutional right of privacy as well as fixing the limitation of such constitutionally guaranteed right of privacy.  The Working Group on Nigerian cyber crime bill seems embroiled with confusion on how to strike this balance between the individual right of privacy and government’s responsibility to fight crime in the interest of the public.

It is amazing that Section 11 (5) of the Bill 2005 sounds a clear warning to the law enforcement agents to be mindful of individual right of privacy under the constitution.  This is nothing but rhetoric in as much as the provision gives near unlimited power to the law enforcement agents to utilise the data retained, processed or retrieved for “legitimate purposes”.  For all intent and purposes, the proposed Section 11 of the Bill 2005, Sections 12 and 13 of the Advance Fee Fraud and other Fraud Related Offences Act 2006 and particularly Section 12 (1) of the Money Laundering (Prohibition) Act 2004 empowers EFCC and other law enforcement agents upon granted ex parte order by court of law, to place any bank account under surveillance, obtain access to any computer system, obtain communication of any authentic instrument or private contract, together with all bank, financial and commercial records, when the account, telephone line or computer system is used by any person suspected of taking part in transaction involving the proceeds of a financial and other crimes.

It is therefore submitted that limitation of constitutional right of privacy should only be permitted subject to all the thresholds and protections contained in Section 35 of the Constitution of the Federal Republic of Nigeria 1990.  It is further submitted that seeking the co-operation and collaboration of the ISPs, cyber café operators in fighting economic and financial crimes as contained in the above sections is appropriate but placing heavy burden on them is uncalled for. 



Conclusion

This paper examined the general response of the Nigerian Computer Security and Infrastructure Protection Bill 2005 (Draft Bill 2005) to economic crimes facilitated by ICTs infrastructure.  The adequacy or otherwise of the Draft Bill 2005 in regulating economic and financial crimes and ICT were examined.  Aside from the above legislative response to economic crimes, this paper also espoused the militating factors against effective investigation and prosecution of economic crimes facilitated by ICTs infrastructure in Nigeria. The study suggests that for a successful investigation and prosecution of computer related economic crimes in Nigeria, the law enforcement must be well trained in ICT forensic investigation and prosecution of digital crimes. The study further suggested that such be extended to judicial staff, judges, state counsel, and that even private counsel are not left out in acquiring ICT technique and training to enhance their understanding and handling of electronic related economic crimes.    This further revealed that unless necessary amendement is effected in the existing Nigerian Evidence Act in respect of the admissibility of computer generate evidence, investigation and prosecution of electronic related economic crimes in Nigeria will continue to suffer a gulf setback.  It is in line with this finding that the study recommends for quick passage of the pending Draft Bill 2005 before the Nigerian National Assembly without any further delay.  If this is done, the lofty goal of the Draft Bill 2005 which is to criminalise illegal conducts against ICT systems, to secure online transactions and good use of ICTs infrastructure for national development will be achieved.



   









*Lecturer, Department of Public Law, Faculty of Law, University of Ilorin. Email: ibrahimyusuff@gmail.com

[1] The Cyber Crime Committee is comprised of 15 members from both government and private sector.  See Femi Ogunsanya, “Review of Draft Nigerian Cyber Crime Act”. Available at www.nigeriavillagesquare.com  Accessed on 5th September, 2007.

[2] Oluwaseun Ayantokun, “Fighting Cyber Crime in Nigeria”. Available at http://www.tribune.com.ng/08062006/infosys2.htm Accessed on 5th September, 2007.

[3] Basil Udotai Esq, Coordinator, Nigerian Cyber Crime Working Group (NCCWG), “The National Cyber Crime Security Initiative: Strategy to Secure ICT System for Economic Development and Growth” Available at www.cybercrime.gov.ng Accessed on 5th September,2007.

[4] Comdr. Dave Pettinari, Standard Operating Procedure-Pueblo High-Tech Crime Unit, “Investigating Cyber Crime/Hacking and Intrusions” 1st April, 2000 at darepet@cops.org Accessed on 5th September, 2007.

[5] Suzieana Uda Nagu, “How Do I Become a Computer Forensic Investigator?,” New Sunday Times, 3 February,2008, H18.

[6] In accordance with this study designed methodology, the researcher on 7th and 8th of June 2007 visited the Head Quarter of the EFCC in Abuja Nigeria wherein permission was granted to conduct the interview.  The Head of Operation, Mr Bala Ciroma and other officers of the Commission were interviewed. Relevant questions relating to this research were asked while answers, clarifications and comments were as well provided by Mr. Bala Ciroma and other officers of the Commission.  A similar interview was conducted at the Lagos branch office of the Commission between 9th-11th July, 2007 wherein Mr. Olaolu Adegbite, Head of ICT Unit, Mr. Abdulkarim Chukkol, Head of Cyber Crime Unit, and Mr. S.K. Atteh of Legal Unit among other were interviewed. During the visit to EFCC Head and Divisional offices in Abuja and Lagos respectively, relevant printed materials, Commission’s reports, hand booklet and unreported economic crimes decided cases conducted by the Commission were made available.  This research is grateful to above mentioned dedicated officers of EFCC and others numerous to mention for their assistance, accommodation and understanding during the visit. 

[7] NITDA is the statutory agency in Nigeria established on 25th May 2001, is empowers to implement the Nigerian National Information Technology (IT) Policy by virtue of NITDA Act 2007.  This researcher visited the NITDA office in Abuja – Nigeria on 10th June 2007 and conducted interview with the personnel of the Agency.. 

[8] See Commissions of the European Communities, Brussels XXX .com (2000)890 Final, Communication from Commission to the Council the European Parliament, the Economic and Social Committee and the Committee of the Regions.  

[9] Ulrich Sieber, The International Hand Book on Computer Crime, (New York: John Wiley & Sons, 1986) 143. Note that in Japan the police have also reached a high level of specialization in computer related crime through various national Conferences for investigators against computer crime.

[10] Justice Joseph O. Oyewole, “Adjudicating Corruption Cases in Nigeria”, Zero Tolerance, the magazine of the EFCC, vol.1, No.2, October, 2006, 51-53, at 52.

[11] Ibid.

[12] Oluwaseyi Oni, “Legal Challenges in the Admissibility of Computer Generated Evidence in Nigeria” Modern Practice Journal of Finance and Investment Law (MPJFIL) vol. 9, No. 5, 1- 2, Jan/April 2005, 214.

[13] Nuhu Ribadu, “Obstacles to Effective Prosecution of Corrupt  Practice Cases in Nigeria” Being a paper delivered at the 1st Stakeholders Summit on Corrupt Practices and Financial Crimes Cases in Nigeria organised by the House of Representatives Committee on Anti Corruption, National Ethics and Values, held at the International Conference Centre, Trade Fair Complex, Kaduna Nigeria, between 23rd – 25th November, 2004. Also available at www.efccnigeria.org/publications016.pdf Accessed on 5th September,2007.  

[14] Kevin Lee Thomason, J.D. “Using Computer Generated Evidence”. Available at http://www.lagalimaging.com/evidence.html  Accessed on 5th September,2007. See also Yemi Osinbajo, “ Problem of Proof of Computer and other Electronically Generated Evidence in Local and International  Transactions” in Yemi Osinbajo Cases and Materials on Nigerian Law of Evidence, (Lagos : Macmillan Nigeria Publisher Ltd, 1992) 270.

[15] Section 94 (1) of the Evidence Act Cap.112 Laws of the Federation of Nigeria 1990.

[16] Oluwaseyi Oni, n.12, at 218.

[17] (1987) NWLR 84 Pt. 59.

[18] Ibid.

[19] (1976) 4 S.C.1

[20] See Trade Bank Plc v. Chami (2003) 13 NWLR Pt 836.P.158, ESSO West Africa Inc v. T.Oyegbola (1969) NMLR 194 at 198.

[21] “e- Readiness” is a measure of the extent to which a country’s business environment is conducive to internet based commercial opportunities.  Thus e- Readiness is aimed to change the Nigeria’s habit of surfing the net for fun and crime but turning it into a money making platform as most manifested in nations like US, Singapore, Malaysia (MSC), Canada etc.

[22] Dr. Zaiton Hamin, “The Legal Response to Computer Misuse in Malaysia- The Computer Crimes Act 1997” (2004) 2 UiTM Law Journal, 214.

[23] Section 2(1) of the Bill 2005

[24] This is similar to the provision of Section 1(a) (b) (c) of the UK Computer Misuse Act 1990.

[25] Note that Section 34 of the draft bill, which is the interpretation section to the bill only defines “access” to includes to gain entry to, instruct, or otherwise make use of any resources of a computer, computer system or computer network.  

[26] See Section 2 (5) of the Malaysian Computer Crimes Act 1997 and Section 17 (5) (a) (b) of the UK Computer Misuse Act 1990.

[27] Dr. Zaiton Hamim, n.22, at 216.

[28] See Section 3 (1) of the Bill 2005.

[29] See Section 3 (2) of the Bill 2005.

[30] Dr. Zaiton  Hamin, n.22, at 216.

[31] P.S.  Sangal, “Cyber Laws and IT- Rich Society”, Malaysian Journal of Law and Society 5 (2001) 1- 24 at 4.

[32] The Satellite is meant for agricultural purpose and for disaster monitoring.

[33] For telecommunication purpose

[34] Basil Udotai, n.221.

[35] See “NITDA at a Glance”. A publication of the National Information Development Agency, 2007.  See also NITDA Act 2007.

[36] See Sections 12 and 13 of the Advance Fee Fraud and other Fraud Related Offences Act 2006.

[37] See Section 4 (1) of the draft Bill 2005.

[38] For details see Section 1 (3) and Section 4 of the Advance Fee Fraud and Fraud Related Offences Act 2006.

[39] Section 3 of the UK Computer Misuse Act 1990 was successfully applied against computer viruses on the internet from where several corporate computers were infected and costing huge damages to those companies.  See unreported case of Pile “Programmer jailed for planting computer viruses”, The Times, 16th November 1995, at 12.  See also Dr. Zaiton  Hamin, n. 22, 219.

[40] See Section 46 of the Economic and Financial Crimes (Establishment) Act 2004.  Computer Fraud can be classified as economic and financial crimes provided the act is done with the intent to earning wealth illegally.

[41] Dr. Zaiton Hamin, n.22, at 220.  See also Council of Europe, the Convention on Cyber Crime (ETS No.185), available at http://convention.coe.int/treaty/N/cadreprojrcts.htm. . see also UN Manual on the prevention and control of computer-related Crime, available at http://www.ifs.unvie.ac.at/pr2gq1/rev344.html/crime   

[42] See Femi Oyesanya, “The Patriot Act is Coming: Compliments of NITDA” available at www.nigeriavillagesequare.com Accessed on 10th September, 2007.
Share on Google Plus

Declaimer - MARTINS LIBRARY

NB: Join our Social Media Network on Google Plus | Facebook | Twitter | Linkedin