10/COVER
24.05.2016
‘CYBERCRIME ACT DOES NOT CREATE AN ENFORCEMENT AGENCY’ CONTINUED FROM PAGE 9 nefarious purposes. For instance, the BVN database contains those unique credentials upon which a legitimate Nigerian Passport can be issued. This is made extremely easy by the fact that the Nigerian Immigration Services (NIS) maintains an ePassport Database as well, and is linked to the Internet. Forget the fact that BVN also contains intelligence on the health of our individual financial accounts. So, integrating or overlaying the BVN data on the SIM database reveals all the individual’s phone numbers and addresses, and the FRSC database will get the individual’s drivers license. It seems that to the extent that we have somehow created an environment where someone can sit in Kiev Ukraine, where a lot of hacks come from these days, and issue a Nigerian Passport, drivers license and a phone number/addresses in the name, face and biometric identity of a very rich Nigerian, it appears that Nigeria has succeeded in enabling a hackers’ paradise. Of course, if a lot of these databases were built by certified professionals, based on strict standards adopted at the national level, with severe consequences for violations, while being monitored by agencies with the required mandate and technology tools, perhaps the chances for abuse might already be curtailed. But we have no such standards, either for the databases or the professionals involved, and so this is an area where financial gains remain the driving force against all else. As far as the legal analysis that you asked for is concerned, my take is that only entities that have statutory authorities to collect and retain personal data of individuals should be able to do so. All other organisations, who only need that data for their regulatory functions should be required to secure privileged access to the databases maintained in agencies with the legal right to do so. If this approach is adopted, we would immediately see that many entities jostling to collect biometric data of Nigerians would be legally incapable of doing so. One organisation with the overriding legal authority over biometric data and databases of Nigerians is the National Identity Management Commission (NIMC). Interestingly the NIMC Act also contains regulatory mandates which the Commission can utilise to spearhead a regulatory clean up of the system. There has been a marked increase in eGovernment services at the federal and state level. Most salaries and contractors are now paid electronically, and organisations like INEC and FRSC have embraced technology with varying degrees of success. However, the recent effort by JAMB to adopt Computer based tests for candidates did not do very well. What in your assessment was the issue and how can this be corrected in the future? You are absolutely right, the manner in which government services are being constantly migrated online is very impressive. eGovernment is the responsibility of the National Information Technology Development Agency (NITDA) under the Ministry of Communication Technology. Right after the disastrous outing by JAMB, I had occasion to discuss the issue with people at the eGovernment Department in NITDA. I was very sad to realise that they were not even consulted by JAMB on this. It goes back to the issue of standards I raised earlier. NITDA too has realised that there are many things left undone in its law and working very hard now to accomplish them. I can say this now for sure, because I am in those discussions now. But a situation where a government agency simply hires a technology service organisation to deliver on a critical national project, with tremendous impact on not just citizens but the wider economy as a whole, should be discouraged. NITDA needs to work on standards across service and product line, including professional standards for individuals in the industry and adopt regulatory instruments that compel MDA’s to insist on these standards as conditions for services. This is the only way that projects like the computer based test of JAMB, or any other eGoverment service deployment can work. Technology is not witchcraft. A lot of what we are attempting to do in Nigeria has been done in other places. If we are too shy to copy their methods, we can at least copy their standards. It is allowed! You have been identified as one of the main architects of the Nigerian Cybercrime Act 2015. Why was this legislation so necessary? What does the legislation seek to correct from our existing body of laws? First of all, I would quickly run away from being identified as the main architect of this particular Cybercrime Act. Yes, I was involved for about 6 years in the early days of the drafting of some versions of the cybercrime bill. But when this law was proposed, I had left ONSA and was already in private practice. I was consulted every now and then, but my influence was very limited. This is
why, if you have noticed, I am not a very big fan of this law because a lot of provisions extraneous to both criminal law a very strict area of law, and cybercrime law as a technology field; found their ways into the law. I have also advanced a number of ways to circumvent those challenges and still deliver on respectable cybercrime enforcement on the basis of this law. Since my position is shared by many in the industry I am sure at the right time some of those considerations would be reviewed by the powers that be and appropriate actions taken accordingly. As for the necessity of a cybercrime legislation, it could not be gainsaid. Having exposed Nigeria to ICT and causing us to migrate practically all personal, business and now official government processes online, the least the government could do is enact and enforce a law to secure those processes and interactions. Besides, the only way to assure the utilisation of technology as the true engine for economic growth is to secure the computer systems and networks through which ICT services run. The government owed the duty to enact the law and though it took more than ten years to accomplish it, the fact that it is here now should nevertheless be acknowledged. Regarding the Cybercrimes Act specifically, to ensure proper compliance with the Act, there has to be a robust enforcement regime. How would you assess the enforcement of the Act since it was passed? As soon as the Cybercrime Act was enacted on May 15, 2015, I raised the alarm that I foresaw weak if not zero enforcement. And the reason I said that was because the law, unlike other criminal statutes in Nigeria, mandated “all relevant law enforcement agencies” to enforce it. As you would notice, the tradition in our justice administration system is to enact a law, which prohibits certain actions as crime and create an institution to enforce those specific laws. This is why you have NAFDAC enforcing pharmaceutical related law and NDLEA responsible for the narcotic related. The EFCC is responsible for economic crimes and the Copyright Commission is only conferred with the authority to enforce copyright laws. So, this tradition was not only broken with the Cybercrime Act, but the law then ended up creating too many “cooks” in the law enforcement agencies resulting in no one actually enforcing the cybercrime law. The unspoken rule in the law enforcement community, which this law did not bear in mind, is the fact that authorisation to carry out any function by a law enforcement agency must comply with the enabling law of that agency. The side effect of this lacuna is that Nigeria now does not seem to have anyone take up the leadership of enforcing the Cybercrime Act, because nobody truly sees it as their responsibility. That is why from the enactment of the law, it took nearly a year for any action to be taken at all under the law. This occurred a couple of weeks ago or so, when the National Security Adviser inaugurated the Cybercrime Advisory Council, which is only a policy making body under the Act, and does absolutely nothing in the area of advancing the enforcement of the Act. Our recommendation was for the law to create an agency, just like others, to be conferred with the authority to enforce cybercrime and assure cybersecurity in the country. If that recommendation was adopted, not only would we have seen some action on this matter we would have someone to blame for this current lapse in enforcement. What is Lawful Interception? To what extent
"AND YES, THE CYBERCRIME ACT HAS ADDRESSED MANY ONLINE FRAUDS IN ITS PROVISIONS, INCLUDING HACKING. BUT JUST HAVING THE LAW IN PLACE DOES NOT CONFER PROTECTION" can anti-crime security agencies legally invade our privacy in crime investigation? Interception of communication is illegal under Nigerian law. S. 12(1) of the Cybercrime Act provides for 2 years imprisonment and a fine of N5 million or both for its violation. Thus, interception is only legal if conducted upon securing prior judicial authorisation by way of an order of court and based on the strict requirements established under S.39 of the Cybercrime Act. So law enforcement and security agencies can validly intercept our communication, whether voice or data as well as location related information, for the purpose criminal investigation if approved by a Judge upon application. This law is complemented by the Nigerian Communication Act which in S.146 and S.147 mandates operators to cooperate with law enforcement in the investigation of crime, on the one hand, and also to make their networks intercept capable, on the other hand. Lawful interception is tricky under Nigerian Law, because a major deficiency in illegally obtained evidence in other jurisdiction is that such evidence would be thrown out in court. Our jurisprudence on this matter tends to indicate that the courts would look and consider evidence, even if obtained illegally, if such evidence is relevant to the case and dispositive of the matter at hand. The only safeguard now with the coming into force of the Cybercrime Act is the fact that law enforcement officials involved may be indicted under S.12 of the Cybercrime Act. Whether this is capable of deterring abuses in the area of interception in Nigeria remains to be seen. There have been reports on Nigeria’s Digital Switch Over (DSO) of Broadcasting Networks and how Nigeria has been left behind by the rest of the world failing to meet international broadcasting deadlines for the switch from analogue to digital broadcasting. How can this anomaly be addressed to avoid national embarrassment? What are the consequences of failing to switch to digital broadcasting? Digital Switch Over (DSO) was mandated by the International Telecommunications Union (ITU) for all its members in 2006. Nigeria as a member of the ITU was required to comply with this international obligation. However, only last year was the country able to find resources to enable DSO, which is being spiritedly implemented now by the National Broadcasting Commission (NBC) under the Ministry of Information and Culture. While the country has missed several deadlines already, including one last year in June, the benefits of DSO to television viewers and the broadcasting industry as well as the wider economy are so numerous that it may require another interview to go into it. Briefly, with about 30 million tv households, Nigeria has the largest free view population in the world. The immediate benefit, which everyone would
notice is the digital quality of the tv broadcast and increased number of channels offered free to all tv households in the country. For content owners, it creates an opportunity for maximum commercial value for content as broadcasters would pay for content, instead of the current situation where content owners are being required to pay broadcasters to have their content aired. DSO is also the strongest antipiracy platform. Nobody who has access to watch original programmes and films free of charge in good digital quality would buy pirated movies from street vendors. Digital also means that content owners can load and sell contents or license to third parties on valuable commercial considerations to sell in the market. For the broadcasting sector, DSO is the best thing that can happen to Nigeria. It would create thousands of opportunities for employment; establish audience measurements, which will directly impact advertisement value greatly. DSO was recently launched in Jos for about 300,000 tv households. So we can no longer talk about consequences for noncompliance because it appears the country is already set to meet the new deadline of June 2017. The only thing that remains to be said is for lawyers to educate themselves about DSO as many client offerings and services would be impacted, so they can continue to offer sound legal advise to clients as needed. What is Critical Information Infrastructure Protection? What would you recommend to the Nigerian Government and business community, including foreign investors, as a means to achieving it? Right after September 11 2001 many countries realised that several aspects of their national affairs can be gravely impacted if certain communication infrastructures are damaged. So a different set of security requirements were then established for those kinds of infrastructures, whether physical or cyber. That is the idea behind Critical Information Infrastructure Protection (CIIP). It is defined in the Cybercrime Act as “any systems and assets, which are so vital to the country that the destruction of such systems and assets would have an impact on the security, national economic security, and national public health and safety of the country.” The strategy adopted in the Act for CIIP is two fold. First, an order issued by the President, on the advise of the National Security Adviser (NSA) shall designate infrastructures in Nigeria that constitute CII. Secondly, the Act provides a very high level of penalty for offences against CII. In view of the destruction of telecoms and communication infrastructure in the northern parts of the country by terrorists as well as saboteurs and thieves in other parts of the country, operators have waited for a very long time to see some action on CIIP in the country. It is hoped that when the law is eventually implemented this aspect would attract enforcement priority. A few clients have asked me whether the provisions of CIIP in the Cybercrime Act can be enforced against States and Local Governments who on the basis of their laws and edicts take actions against CII thereby rendering them inoperable, non-functional and in some cases damaged. I think this can be certainly explored, not for the purposes of indicting and prosecuting state officials under the Cybercrime Act, but as a measure to seek a national consensus on CIIP, similar to what Lagos State did under Governor Fashola with the Association of Licensed Telecoms Operators in Nigeria (ALTON). Currently, technology exists which seeks to replace the roles carried out by humans with robots or artificial intelligence, proponents of this trend believe that it would save time and costs in addition to improving the quality of service delivery to clients. Do you believe that the services lawyers provide may one day be replaced by artificial intelligence? Lawyers’ role representing clients and advocacy in court, which require direct human involvement and emotional connection with the Judges may defy technology incursion a bit longer, than the mere process related aspects of our work- whether it is legal research, discovery, case management, billing, process filing etc. It is interesting that you asked this because I recently stumbled on an article published by Bob Goodman and Josh Harder as far back as December 2014, in which they both reviewed areas in law practice that are ripe for disruption by smart start-ups. I think you should find and read the article. Quite interesting. In any event, in the list of things to worry about as lawyers, I would definitely worry a lot less about the possibility of my services being totally automated so that I am no longer needed. What may even happen before then, as health and biotechnology develops, is that I may be cloned and my clone(s) work in my firm in other locations. But I would not lose sleep about that happening either.