The Efficacy Of Cybercrimes (Prohibition, Prevention Etc) Act 2015

By Nebo Ike
Click for Full Image Size
Listen to article

The objective of the Cybercrimes Act which took effect on 5th May 2015 is the protection of critical national infrastructure. This was deduced from the preamble that states: “An Act to provide for the prohibition, prevention, detection, response, investigation and prosecution of cybercrimes; and for other related matter 2015.” Critical national infrastructure includes the promotion of cyber security, protection of computer system as well as their network; electronic communication, data and computer programme, intellectual and privacy rights. The Act no doubt tried to be as encompassing as possible considering that all these vital provisions are found in s. 1 of the Act.

It is such a sensitive piece of legislation that National Information Infrastructure comes under the presidency and advice of the National Security Adviser. It is an Act that enjoins Nigeria with the global community on the thorny issue of policing the internet. Having localized this duty to national level it is only a matter off time to see the efficacy of these efforts.

For quite obvious reasons s. 7 of Cybercrimes Act prescribed the registration of Cybercafé with Corporate Affairs Commission as well as Computer Professionals’ and Registration Council. Cybercafés shall maintain a register of users through sign-in register, but made no provision for sanction if the section is violated. However Cybercafés may be guilty of connivance in the case of crimes committed by users, the proof of which lies with the prosecutor. For instance does connivance include docility on the part of such operators?

Enacted in a strange way s.10 made provision against committing crime called “tampering with critical infrastructure”. Those who are likely to commit this offence are local government staff, private organization or financial institutions with respect to working with any critical infrastructure, electronic mails when not authorized by the worker’s contract of service. This offence attracts a fine of N2m or 3 years imprisonment on conviction. However, one wonders, why the Act did not choose the words “Civil Servants” to extend the net beyond local government workers to all workers in government employ. In effect when any government worker who is not in the employ of the local government commits this offence, a defense may be available that the accused is neither employed by a local government, private company nor financial institution.

The Act in its part IV specifically stipulates the “Duties of Financial Institutions”. S. 37 (3) thereof provides; “Any Financial Institution that makes unauthorized debit on a customer’s account shall upon written notification by the customer, provide clear legal authorization for such debit to the customer, or reverse such debit within 72 hours. Any financial institution that fails to reverse such debit within 72 hours shall be guilty of an offence and liable on conviction to restitution of the debit and a fine of N5m”. How many financial institutions can swear not to have breached this provision? Where then lies the efficacy when s. 19 (3) Cybercrimes Act shifts the burden to the bank customer “to prove the financial institution in question could have done more to safeguard its information integrity”. I shall comment further on the experiences of an average beneficiaries of Cybercrimes Act latter.

S. 38 that provides for duties of service providers as records retention and protection of data also was apt when in its subsection (5) reflected the protections of the law: “Anyone exercising any function under this section shall have due regard to the individual’s right to privacy under the constitution of the Federal Republic of Nigeria 1999 and shall take appropriate measures to safeguard the confidentiality of the data retained: processed or retrieved for the purpose of law enforcement“. One wonders if such assurances can make a bank customer to go home and sleep like a baby.

By s. 40 of Cybercrimes Act which provides for failure of service provider to perform certain duties, the various telephone/ GSM network providers are obliged to render assistance to the law enforcement agencies with their duties to track offenders especially when the alleged crimes were committed. It takes the spirit of a patriotic NSA which has proved scarce to comply with these provisions. If not, why has Nigerian GSM network providers not assisted the Federal government in its onslaught against Boko Haram who have been using the mobile phones, videos and internet communications without detection.

S. 42 established the Cybercrimes Advisory Council to perform various functions and such powers listed in s. 43 of the Act. S. 44 went on to establish “National Cyber Security Fund” which is its major source of revenue, including funds from “grants in-aid and assistance from donor, bilateral and multilateral agencies. For an organization that receives donations one would have expected donor agencies to qualify to attend quarterly meetings of the council stipulated by s. 42 (5) of the Act. But the First Schedule to the Act does not contain any such name or organization. Do they not have interest, sympathy or concern for the cause for which money is donated? Since the offences under the Act are global and extraditable, giving option to attend the meetings or decline would have been most appropriate because they have been in the battle longer than developing knowledge economies.

Any attempt to assess the impact of this act would acknowledge the first casualty to be Lagos social media commentators/bloggers arrested for comments alleged to have breached the provision of s. 24 (2) which provides: “a person who knowingly or intentionally transmits or causes the transmission of any communication through a computer system or network (a) to bully, threaten or harass another person, where such communication places another person in fear of death, violence or bodily harm to another” and “(c) containing any threat to harm the property or reputation of a deceased person, firm, association or corporation, any money or other things of value”. This section punishes an offender on conviction with a fine of N25m, however in the case of paragraph (c) the offender faces the imprisonment of 5 years or minimum of N15m. If this is a preview of the Act, then George Orwell’s book “1984” is about to manifest, because the state would have taken away all the guaranteed freedoms of expression in 1999 constitution.

Some commentators have argued that Nigeria’s communication policy does not carry everyone along: digital literate, not quite digitally literate and totally digitally ignorant citizens/subscribers.

No one can say categorically whether the 8th Assembly is keen in considering a proposed “Nigerian Electronic Communications Bill” which failed to sail through the 7th Assembly. One of the provisions, s. 15 (1) criminalizes unsolicited and irritating messages which is common with most communication operators. Indeed a jail term of not less than 1 year or a fine of N2m, as well as a death sentence are imposed.

The highest sentence applied to “offenders who commits crimes against the law by penalizing any person who, by means of public electronic communication network, persistently sends a message or other matter that (a) is grossly offensive or causes any such message or matter to be so sent; (in this case telecom operators) or (b) sending electronic messages that are known to be false, and could cause annoyance, inconvenience or needless anxiety to another or cause”.

One of the principal objectives of the passage of Cybercrimes (prohibition, prevention etc) Act 2015 is the protection of critical National Information Infrastructure: but no where in the Act is “National Information Infrastructure” defined. However, s.4 provides for “Audit and inspection of critical National Information Infrastructure” by the office of the National Security Adviser (NSA) through a presidential order made under s.3.

Section 3 also failed to define what the “Audit” should include or exclude as the case may be, except providing for “Designation of certain computer systems or networks as critical National Information Infrastructure”. Perhaps the advantage is that by designating certain computer systems is like an open cheque which list could be expanded or diminished since the exercise may only be undertaken on the recommendation of the NSA.

Unless the exercise is transparent enough some fundamental rights of some citizens may be infringed. Some of the rights have been specifically guaranteed by s. 37 of the 1999 constitution even the advent of terrorism has led to suggestion and bills that tend to whittle down those provisions.

If the proposed Electronic Communications Bill referred to above aimed at the “Interception, Development and Protection of Communications Networks and Facilities for Public Interest and Other Related Matters” was passed into law, security agencies would have been empowered to monitor and seize internet and mobile data – SMS, Emails, Phone calls (Contents/ transactions) of subscribers nationwide.

Now, let me briefly comment on the common grievances on average banks/financial institutions customers. Quite often they complain of unauthorized disbursement from their accounts and the question becomes who bears the liability? This is one of the challenges of e-transaction which the Cybercrimes Act should have properly dealt with. Presently, the Act criminalizes a few activities through digital platform but allocation of liability when such thing happen is glaringly absent except that the Act prescribes mitigating effort and burden of proving that the bank had not done enough to protect their customers.

I doubt if limiting cardholders’ liability is protective enough as have been adopted in some jurisdictions. Builders of websites and digital products patronized by financial institutions should be bound by Sale of Goods Act (SOGA) so that the product must be fit for the purpose; failure which they take liability for customers’ losses. Phising and hacking are known threats to e-transactions. A corporate organization of substance, integrity and reputation should go for antivirus, antiphishing protectors to guard their domains appropriately with up-to-date security wares.

The result would be that in the absence of cardholder’s negligence or connivance, these corporate organizations holding out to be safe and certified should not only be safe but seen to be so. Otherwise liability should be pinned on them. In the meantime the glimmer of hope in the horizon appear to be the enactment into law of two bills that could address the potential problems which are still before the 8th Assembly. They are: “Payment System Management Bill” and “Electronic Transactions Bill”. To be or not to be? That is the question.

Iyke Ozemena
Ikechukwu O. Odoemelam & Co.,
Corporate Attorneys/Consultants