Upgrading Nigerian Law to Effectively Combat Cyber Crime

1

UPGRADING NIGERIAN LAW TO EFFECTIVELY COMBAT CYBERCRIME: THE

COUNCIL OF EUROPE CONVENTION ON CYBERCRIME IN PERSPECTIVE

OKE EMMANUEL KOLAWOLE∗

ABSTRACT

Cybercrime is a menace in Nigeria. The problem is further compounded by the high state of

unemployment. In order to stem the tide of cybercrime, two Bills have been presented before the

National Assembly but for inexplicable reasons, they have not been passed into law. This article

discusses the problem of cybercrime in Nigeria, it examines the provisions of the two Bills and

also analyses the Council of Europe Convention on Cybercrime. The article recommends that in

order to prevent Nigeria been labeled a haven for cybercrime it is imperative to either enact

domestic legislation to deal with cybercrime or domesticate the Convention.

1.0 INTRODUCTION

The fact that cybercrime has become a menace in Nigeria is now a notorious fact and that it has

contributed further to the besmirching of Nigeria’s image globally is no longer news. The

problem is further compounded by the current bad state of the Nigerian economy and the current

global financial crisis which has resulted in many Nigerians not being in gainful employment and

those in employment losing their jobs. Thus, a typical Nigerian youth finding no means of

livelihood resorts to using the internet to make all sorts of financial scams with a view to

defrauding foreigners. The aim of this paper is to give an insight into how this problem can be

∗ LLM Student (Intellectual Property & Technology Law), National University of Singapore. Email: [email protected] [This article has been published by the University of Botswana Law Journal in June 2011, Vol. 12 pages 143 – 161].

2

effectively tackled through legislation as is being done in other countries. Against the backdrop

of the fact that current laws in Nigeria cannot effectively confront this problem, it is being

recommended that Nigeria accede to, ratify and domesticate the Council of Europe Convention

on Cybercrime which is a multilateral convention designed to combat this menace on a global

scale. Fortunately, the convention is open to non-member countries of the Council of Europe.

Alternatively, it is recommended that the bill seeking to establish the Cybersecurity and Data

Protection Agency which is currently before the National Assembly should be enacted into law

as soon as possible.

This article will examine the problem of cybercrime in Nigeria and it also gives an appraisal of

the efforts that have been made so far to confront the problem, the focus will be on the two Bills

which have been presented to the National Assembly on the matter but none of which has since

been passed into law.1

2.0 THE PROBLEM OF CYBERCRIME IN NIGERIA

The article equally contains an analysis of the Council of Europe

Convention on Cybercrime. The article concludes with the recommendation that Nigeria should

accede, ratify and domesticate the convention or alternatively hasten the passage of a local

legislation that will effectively address the problem of cybercrime in Nigeria.

2

1 The first Bill is titled, “Computer Security & Critical Information Infrastructure Protection Bill, 2005” while the second Bill is titled, “Cyber Security and Data Protection Agency (Establishment) Bill, 2008.”

2 In the words of Nuhu Ribadu, “The truth is that cybercrime is depressing trade and investor confidence in our economy and to that extent it is a present and clear danger to our national security and the prosperity of our citizens. In deed of all the grand corruption perpetrated daily in our communities, most are of the nature of cybercrime executed through the agencies of computer and internet fraud, mail scam, credit card fraud, bankruptcy fraud, insurance fraud, government fraud, tax evasion, financial fraud, securities fraud, insider trading, bribery, kickbacks, counterfeiting, laundering, embezzlement, as well as economic and copyright/trade secret theft. From our experience also, while in the main they have been driven by the existence of an environment where power is monopolized over the long-term by only a few social and political elites, it must be understood that greed is the defining character of the crime.” See, Nuhu Ribadu, Cybercrime and Commercial Fraud: A Nigerian Perspective, paper presented at the

3

According to Brenner, cybercrime is simply the exploitation of a new technology to commit old

crimes in new ways and, concededly, to engage in a limited variety of ‘new’ types of criminal

activity.3

It has been noted that in fully characterizing the practice of cybercrime in Nigeria some issues

are fairly settled:

What this simply means is that cybercrime basically involves the adaptation of the

computer and the internet to commit traditional offences which are already covered by existing

criminal laws and also there are novel offences that are outside the contemplation of the existing

criminal legislations. For instance, the notorious fraudulent email scams commonly associated

with miscreants locally referred to as “yahoo boys” is actually a variation of the offence of

Obtaining Property by False Pretences which is a criminal offence by virtue of Section 419 of the

Criminal Code (the offence is now covered by the Advance Fee Fraud Act 1995 as amended in

2006, section 1 thereof). This is an example of a situation where the internet is being used to

commit a traditional offence. Whereas, hacking (unauthorized access) and distribution of

malicious codes (viruses) via the internet are instances of novel crimes not covered by existing

criminal legislations and which therefore require new criminal laws.

4

(i) The perpetrators are youths and thousands of unemployed but highly

knowledgeable ones who are computer savvy are involved and they actually drive

the process.

Congress to celebrate the fortieth annual session of UNCITRAL Vienna, 9-12 July 2007, available online at www.uncitral.org/pdf/english/congress/Ribadu_Ibrahim.pdf; see also Okonigene Robert Ehimen, & Adekanle Bola, Cybercrime in Nigeria, (2010) 3:1 Business Intelligence Journal 93. 3 Brenner, Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law, [2001] MurUEJL 8, available online at http://www.austlii.edu.au/au/journals/MurUEJL/2001/8.html 4 Nuhu Ribadu, supra note 2.

4

(ii) They are well connected through local insider conspiracy in the financial

institutions locally as well as with Nigerian immigrant community elements

abroad.

(iii) Knowing full well that Nigerian enforcement process has become so vigorous

they have migrated to mostly West African and other African nations with weak

enforcement mechanisms.

(iv) They also use a mechanism of reshippers mostly in Dubai, the UK, and the West

African way stations.

(v) They enjoy the fact that there are no cybercrime laws in any of these African

jurisdictions that they have chosen as their relay stations.

It is interesting to note that Nigeria has made an attempt to combat cybercrime with the

Computer Security and Critical Information Infrastructure Protection Bill 2005 (hereinafter

referred to as the Cybercrime Bill) which was presented to the National Assembly before the

expiration of the legislative term that ended in 2007.5

5 For a comprehensive overview of the history behind the legislative attempts in Nigeria see, Basil Udotai, National Cybersecurity Strategies: Case Study-Nigeria, paper presented at the African Regional Conference on Cybersecurity, Yamousoukro, November 17-20, 2008, available online at

The bill was prepared by the Nigerian

Cybercrime Working Group which was established by the Federal Executive Council on the

recommendation of the President on March 31 2004. Its functions amongst others include the

responsibility to create a legal and institutional framework for securing computer systems and

www.afcybersec.org/rapports/afcybersec_08_yakra_ci_1227101590.pdf; see also, Basil Udotai, Framework for Cybersecurity in Nigeria, paper presented at INET Africa Day Rockview Hotel, Abuja May 4, 2007, available online at www.isoc.org

5

networks in Nigeria and protecting critical information infrastructures in the country.6

Another bill has however been presented before the National Assembly, the bill is titled, Cyber

Security and Data Protection Agency (Establishment) Bill, 2008 (hereinafter referred to as the

Cyber Security Bill).

Unfortunately, the Cybercrime bill was not enacted into law before the expiration of the

legislative term that ended in 2007.

7 The Cyber Security bill seeks to provide for the establishment of a Cyber

Security and Information Protection Agency that will be charged with the responsibility to secure

computer systems and networks and equally liaise with the relevant law enforcement agencies

for the enforcement of cyber crimes laws. Obviously the scope of the Cyber Security bill is wider

than that of the Cybercrime bill. While the Cybercrime essentially creates certain punishable

offences, the Cyber Security bill not only creates certain offences, it equally seeks to create an

agency that will be in charge of data protection.8 An attempt will now be made to examine some

of the acts criminalized under the Cyber Security Bill.9

6 Nigerian Cybercrime Working Group, Terms of Reference, available online at http://www.cybercrime.gov.ng 7 This bill is sponsored by Honourable Bassey Etim. 8 The functions of the Agency are specified in section 4 of the Cyber Security bill as follows: “The Agency shall be responsible for the— (a) enforcement of the provision of this Bill; (b) investigation of all cyber crimes; (c) adoption of measures to eradicate the commission of the cyber crimes; (d) examination of all reported cases of cyber crimes with the views to identifying individuals, corporate organization involved in the commission of the crime; (e) registration and regulations of service providers in Nigeria with the views to monitor their activities; (f) organizing and undertaking campaigns and other forms of activities as will lead to increased public awareness on the nature and forms of cyber crimes; and (g) maintaining a liaison with the office of the Attorney General of the Federation, and Inspector General of police on the arrest and subsequent prosecution of the offenders.” 9 See also in this regard, Franklin Akinsuyi, Nigerian Cyber Crime and Privacy Legislation, Time for Review, available online at www.nigerianmuse.com/20100809085452g/nm-projects/science-technology/nigerian-cybercrime-and-privacy-legislation-time-for-review

6

2.1 Fraudulent Electronic Mail Messages

Within the last eight years, Nigeria has gained notoriety over the menace of the miscreants who

are referred to in local parlance as ‘yahoo boys’ who send fraudulent messages to individuals

abroad. In fact this crime is just another version of the popular 419 fraud which was named after

section 419 of the criminal code which criminalizes the offence of obtaining property by false

pretences. The initial mode of committing the offence was through the post but with the advent

of the internet and the email, the platform changed. This offence has now been subsumed in the

Advance Fee Fraud Act 1995 as amended in 2006 by virtue of section 1 thereof. The Cyber

Security Bill also criminalizes this act by virtue of section 9(1) thereof which provides that:10

“(1) Any person who with intent to defraud send electronic mail message to a recipient,

where such electronic mail message materially misrepresents any fact or set of facts upon

which reliance the recipient or another person is caused to suffer any damage or loss,

commits an offence and shall be liable on conviction to a fine of not less than 5 years or

to both such fine and imprisonments.”

2.2 Unauthorized Access

Unauthorized access to computers and network, commonly known as hacking, occurs when an

individual logs into a computer or network, and gains entry to it without having the necessary

10 The same offence is provided for in section 5(1) of the Cybercrime Bill.

7

authority to do so.11 By using software tools, hackers can break into computers to steal data,

plant viruses or work any other mischief. Hackers may be divided into two categories: persons

who attack from outside the network and wrongfully access a computer without authorization;

and persons who are insiders and thus have authorization to access specific portions of the

network but intrude into other parts of it by exceeding authorized access.12 Every country, every

network and every computer in the world is susceptible to an attack and the only deterrents

available are the limited defenses provided by security measures, such as cryptography, and

computer crime legislation. Therefore, due to the potential to cause havoc and create economic

losses over the Internet, strong criminal laws are a necessary tool in the arsenal to combat cyber-

crime.13

Initially, attempts were made to use a number of pre-existing statutes to combat the problem.

One of the celebrated case was that of R. v. Gold and Schifreen,

14

11Barrie Gordon, Internet Criminal Law, available online at

Gold and Schifreen hacked

for a hobby and had managed to obtain the password for the Prestel System operated by BT

which provided subscribers with both e-mail facilities and access to a number of database

services. The password they obtained was in fact that issued to BT engineers, so not only did it

not charge them for use, but it also gave them widespread access to all parts of the system. Their

activities eventually aroused suspicion and they were tracked down by monitoring their

telephone usage. The question then arose as to what could be an appropriate charge. A

prosecution was brought under section 1 of the Forgery and Counterfeiting Act of 1981. They

http://www.cyberlawsa.co.za/cyberlaw/cybertext/chapter15.htm 12 Ahmad Kamal, The Law of Cyberspace, 1st edn., Geneva, United Nations Institute for Training and Research, 2005, p.17. Available online at www.un.int/kamal/thelawofcyberspace 13 Rory McIntyre-O'Brien, Slipping Through The Net: Hacking Offences in Ireland, 2004 COLR 8. Available online at http://colr.ucc.ie 14 [1988] A.C. 1063.

8

were convicted but on appeal both the Court of Appeal and the House of Lords were of the view

that this statute was inappropriate and not intended to apply to this type of case.

The House of Lords approved the speech of Lord Lane CJ in the Court of Appeal,15

“The Procrustean attempt to force these facts into the language of an Act not designed to

fit them produced grave difficulties for both judge and jury which we would not wish to

see them repeated. The appellant's conduct amounted in essence, as already stated, to

dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a

criminal offence. If it is thought desirable to make it so, that is a matter for the legislature

rather than the courts.”

where he

said :

The message was clear that a new law was urgently needed to confront this problem. In response

to this, the Computer Misuse Act of 1990 was enacted. Section 1 thereof provides that:

“(1) A person is guilty of an offence if:

(a) he causes a computer to perform any function with intent to secure access to any program or

data held in any computer;

(b) the access he intends to secure is unauthorized; and

(c) he knows at the time when he causes the computer to perform the function that that is the

case.”

15 [1987] Q.B. 1116 at 1124.

9

In Nigeria, the Cyber Security Bill in section 7(1) provides that:16

“Any person who without authority or in excess of his authority accesses any computer for the

purpose of—

(a) securing access to any program; or

(b) data held in that computer; or

(c) committing any act which constitute an offence under any law for time being in force in

Nigeria, commits an offence and shall be liable on conviction:

(i) In the case of offence in paragraph (a) of this subsection, to a fine of not less than N 10,000

or imprisonment for a term of not less than 6 months or to both such fine and imprisonment.

(ii) For the offence in paragraph (b), to a fine of not less N1 00,000 or a term of not less than 1

year or to both such fine and imprisonment.”

2.3 Distribution of Malicious Codes

A malicious code can be described as any code which modifies or destroys data, steals data,

allows unauthorized access, exploits or damage a system, and generally does something that a

user does not desire.17

16 The same offence is contained in section 3(1) of the Cybercrime Bill.

The most common type of malicious code is a virus, but apart from

viruses, we also have worms, trojan horses and logic bombs.

17 Ahmad Kamal, supra note 12 at p.40.

10

A 'computer virus' is a program which can reproduce itself within computers by attaching itself

to other programs.18 It can be passed from one machine to another by hiding in software files.

Usually it is created with malicious intent to damage computer hard disks and erase information.

A 'computer worm' is a similar program to a virus, but designed only to reproduce itself (segment

by segment like a worm) within computers and across networks.19 Unlike viruses, a worm is not

programmed to erase or alter files, but can create chaos by soaking up machine space and

crashing systems. A 'trojan horse' is a program hidden inside apparently normal files or software

which is introduced to the host system and can be triggered to cause damage or alter

information.20 A 'logic' or a 'time bomb' is a program inserted into the host computer which is set

to go off on a specific date or after a system has been accessed a certain number of times and can

be programmed to erase files or perform less malicious tasks.21

Section 3 of the Computer Misuse Act of 1990 of the U.K. covers this type of criminal activity.

It provides in subsection (1) that:

“A person is guilty of an offence if

(a) he does any act which causes an unauthorised modification of the contents of any computer;

and

(b) at the time when he does the act he has the requisite intent and requisite knowledge.”

18 Akdeniz, Y., Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses! [1996] 3 Web JCLI. Available online at http://webjcli.ncl.ac.uk/1996/issue3/akdeniz3.html 19 Ibid. 20 Ibid. 21 Ibid.

11

In R. v. Pile,22

In Nigeria, the Cyber Security Bill in section 12, which deals with the offence of Misuse of

Devices, provides that:

Pile, developed two particular viruses, called Queeg and Pathogen, and also

Smeg a guide to writing viruses. He also succeeded in incorporating a virus into an anti-virus

scan program. He spread his viruses via the internet and also hid them in computer games.

Prominent British companies were affected by these viruses. He was the first person to be

prosecuted and convicted in England for intentionally introducing computer viruses into a

computer system in breach of section 3 of the Computer Misuse Act.

23

“Any person who unlawfully produces, adapts or procures for use, distributes, offers for

sale, possesses or uses any devices, including a computer program or a component or

performs any of those acts relating to a password, access code or any other similar kind

of data, which is designed primarily to overcome security measures with the intent that

the devices be utilized for the purpose of violating any provision of this Bill, commits an

offence and is liable to a fine of not less than N l ,000,000 or imprisonment for a term of

not less than 5 years or to both such fine and imprisonment.”

2.4 Unsolicited Commercial Mails (Spam)

Spam includes all electronic messages that are unsolicited or unwanted, sent to a large number of

users (bulk) without regard to the identity of the individual user, usually having commercial 22 (1995) May, unreported, Plymouth Crown Court, referred to in Rowland, D., and Macdonald, E., Information Technology Law, 1st edn., (London, Cavendish, 1997) at p.354. 23 The same offence is contained in section 9 of the Cybercrime Bill.

12

purposes.24 It has become commonplace for users to receive directly via the e-mail, product and

service information from companies and individuals. The nature of the Internet allows these e-

mail messages to be sent to millions of users, anytime, anywhere within seconds.25

The main objection to spam is the cost and time spent in dealing with it. A great amount of time

is spent by Internet users sifting through the numerous emails in order to separate genuine

electronic mails from junk.

Most spam is

nothing more than commercial advertising.

26 The deluge of spam may overload the user’s inbox hence

preventing the receipt of legitimate e-mails. Spam also increases the cost to the user in terms of

increased storage capacity.27 Internet Service Providers (ISPs) are also facing a serious and

unnecessary financial burden as a result of spamming. Currently, ISPs find monitoring 15 - 20

million electronic mails a day (with the numbers expected to increase if no law is in place), an

onerous and difficult task. Without doubt, spam increases the overall management costs of ISPs.

This is seen in terms of network and server congestion, increasing demand for faster and larger

bandwidth, attending to customers’ (users’) complaints and the time spent to eliminate or to

reduce the problems.28 The real cost of spamming is borne by ISPs and their users in terms of

increased bandwidth, increased server and storage capacity and the additional cost of installing

anti-spam filtering devices.29

24 Ahmad Kamal, supra note 12 at p.44.

25 Ong, R., Regulating Spam in Hong Kong and Malaysia: Lessons From Other Jurisdictions 2005 (1) The Journal of Information, Law and Technology (JILT). Available online at http://www2.warwick.ac.uk/fac/soc/law2/elj/jilt/2005_1/ong/ 26 Ibid. 27 Ibid. 28 Ibid. 29 Ibid.

13

In response to this problem, various countries have enacted legislation to confront spam. But the

laws vary considerably in their approach to the problem. For e-mail to be legitimate, many anti-

spam legal instruments require the prior consent of the recipient or the existence of a prior

business relationship before the sending of any commercial e-mail (the opt-in approach).30 In

some countries, where this approach is considered too severe, unsolicited emails, in themselves,

are not considered illegal, but they must allow a recipient to no longer receive commercial

communications from a certain sender (opt-out approach).31

In the United States, the Controlling the Assault of Non Solicited Pornography and Marketing

Act of 2003 (CAN-SPAM Act) came into effect on January 1 2004. The CAN-SPAM Act allows

the sending of commercial e-mail messages to users who have not given their prior consent to

such mailings nor had any pre-existing or current business relationship although it does require

the sender to provide users with the option to opt out by sending a reply message. A user is

required to opt out within 30 days of the reception of the e-mail to prevent reception of future e-

mails from the sender. Once the user has exercised his right to opt out, the sender must within 10

days of the receipt of the opt out request, cease transmission of all commercial e-mails to the

user. Thus, the approach under the CAN-SPAM Act is the opt-out approach.

In the United Kingdom, in compliance with the EU Directive on Privacy and Electronic

Communications, UK’s Privacy and Electronic Communications (EC Directive) Regulations

2003 became effective on December 11 2003. Under the Directive, all unsolicited

communications by e-mail are prohibited unless the recipient has previously consented to

30 Ahmad Kamal, supra note 12 at p.46. 31 Ibid.

14

receiving such unsolicited communications. The sender may send unsolicited communications to

the recipient where he has obtained the recipient’s contact details during the course of a sale or

negotiations for the sale of the same or similar products provided a valid return address enabling

the recipient to opt out of receiving future unsolicited communications by e-mail is included. In

addition, senders are prohibited from disguising or concealing their identity when sending the

unsolicited communications to recipients. Thus, the approach in the UK is primarily the opt-in

approach but it also makes provision for opting out.

In Nigeria, the approach adopted is the opt-in approach. Thus, the Cyber Security Bill in section

9(3) provides that:32

“Any person spamming33

2.5 Identity Theft

electronic mail messages to receipts with whom he has no

previous commercial or transactional relationship commits an offence and shall be liable

on conviction to a fine not less than N500,000 or imprisonment for a term of not less than

3 years or to both such fine and imprisonment.”

Identity theft is the unauthorized collection and fraudulent use of key pieces of information, such

as social security or credit card numbers of an individual in order to impersonate that individual.

The information can be used to obtain credit, merchandise, and services in the name of the

32 The same offence is provided for in section 5(3) of the Cybercrime Bill. 33 Spamming is defined in section 38 of the Cyber Security Bill as, “unsolicited electronic mail message having false headers, address and lines.”

15

victim, or to provide the thief with false credentials.34 A new form of identity theft is phishing,

which occurs when scammers send mass e-mails posing as banks, credit card companies, or

popular commercial web-sites, asking recipients to confirm or update personal and financial

information in a hyperlink to a look-alike web-site for the spoofed company.35

Section 14 of the Cyber Security Bill criminalizes this act when it provides that:

36

“Any person who with the intent to deceive or defraud, accesses any computer or

network and uses or assumes the identity of another person, commits an offence and shall

be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of

not less than 3 years or to both such fine and imprisonment.”

Due to the constraints of time and space some of the other offences created by the Cyber

Security Bill and the Cybercrime Bill will not be examined in details here. It suffices to mention

that the bills criminalizes acts like, unauthorized disclosure of access codes and password,37

computer fraud and data forgery,38 system interference,39 denial of service,40 unlawful

interception,41 cyber squatting,42 cyber terrorism,43

34 Ahmad Kamal, supra note 12 at p.61.

violation of intellectual property rights with

35 Ibid. 36 The same offence is provided for in section 11 of the Cybercrime Bill. 37 Section 8 of the Cyber Security Bill; section 4 of the Cybercrime Bill. 38 Section 10 of the Cyber Security Bill; Sections 6 & 7 of the Cybercrime Bill. 39 Section 11 of the Cyber Security Bill; Section 8 of the Cybercrime Bill. 40 Section 13 of the Cyber Security Bill; Section 10 of the Cybercrime Bill. 41 Section 16 of the Cyber Security Bill; Section 13 of the Cybercrime Bill. 42 Section 19 of the Cyber Security Bill; Section 15 of the Cybercrime Bill.

16

the use of a computer44 and using a computer for unlawful sexual purposes including child

pornography.45

2.6 Computer-Generated Evidence

Another quick point which must also be made about the bills is that computer generated evidence

is now specifically recognized as primary evidence under the Cyber Security Bill. If this

provision is enacted into law it will avoid all the unnecessary obstacles usually encountered by

prosecutors when attempting to build their case on computer generated evidence or electronic

evidence due to the absence of any specific provision in the Evidence Act dealing with computer

generated evidence. Although, it must be stressed that despite the absence of any specific

provision in the Evidence Act, Nigerian courts usually adopt the posture of judicial activists and

fill in the loopholes in order to admit computer generated evidence especially since there is no

provision in the Evidence Act making computer generated inadmissible.46

Section 31 of the Cyber Security Bill provides that:

47

43 Section 20 of the Cyber Security Bill; Section 16 of the Cybercrime Bill.

44 Section 21 of the Cyber Security Bill; Section 17 of the Cybercrime Bill. 45 Section 22 of the Cyber Security Bill; Section 18 of the Cybercrime Bill. 46 See the following cases, Esso West Africa Inc v. Oyagbola (1969) NSCC 354; Anyaebosi v. R.T. Briscoe (1987) 3 NWLR Pt. 59 p.108; Ogolo v. IMB (1993) 9 NWLR Pt. 49 p.314; Trade Bank v. Chami (2003) 13 NWLR Pt. 836 p.261. The recent Court of Appeal ruling in the Fani Kayode case is also apposite, in that case the Court of Appeal overruled the trial court’s ruling which had held that a computerized statement of account was inadmissible. See also, Prof. Taiwo Osipitan, Why Computerized Statement of Accounts is Admissible in Nigerian Courts, available online at www.nigerianlawguru.com/articles/practiceandprocedure; A. I. Chukwuemerie, Affidavit Evidence and Electronically Generated Materials in Nigerian Courts, (2006) 3:3 SCRIPT-ed 176 available online at <http://www.law.ed.ac.uk/ahrc/script-ed/vol3-3/affidavit.asp> 47 A similar provision is contained in section 27 of the Cybercrime Bill.

17

“Notwithstanding anything contained in any enactment or law in Nigeria, an information

contained in any computer which is printed out on paper, stored, recorded or copied on

any media, shall be deemed to be primary evidence under this Bill.”

3.0 AN ANALYSIS OF THE COUNCIL OF EUROPE CONVENTION ON

CYBERCRIME

In 1989, the Council of Europe published a set of recommendations addressing the need for new

substantive laws criminalizing disruptive conduct committed through computer networks.48 This

was followed by a second study, published in 1995, addressing the inadequacy of computer-

related, criminal procedural laws.49 Building on these reports, the Council of Europe established

a Committee of Experts on Crime in Cyberspace in 1997 to draft a binding convention

facilitating international cooperation in the investigation and prosecution of computer crimes. On

April 27th, 2000, this committee released its first public draft of the convention. The convention

was adopted by the Committee of Ministers during the Committee’s 109th session on the 8th of

November 2001 and it was opened for signature in Budapest, on November 23rd, 2001.50 The

convention has so far been signed by 46 states out of which 30 have ratified it.51

48 Recommendation No. R. (89) 9 of the Committee of Ministers to Member States on Computer-related Crime, available at http://www.cm.coe.int/ta/rec/1989/89r9.htm.

Four non-

member states of the Council of Europe have signed the Convention, they include, Canada,

Japan, South Africa (which is the only African signatory to the convention), and the United

49 Recommendation No. R. (95) 13 of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information Technology, available at http://www.coe.int/ta/rec/1995/95r13.htm. 50 The Council of Europe’s website, at http://conventions.coe.int/treaty/en/cadreprincipal.htm. 51 This is the current status of the treaty as at 2010.

18

States of America (which is the only non-member state to have ratified the convention; the US

ratified the convention on the 29th of September, 2006).52 The convention entered into on the 1st

of July, 2004 when the conditions stipulated for entry into force in article 36 of the convention

was met.53

In November 2002, the Council of Europe introduced an “Additional Protocol to Convention on

Cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed

through computer systems.” This additional protocol was opened for signature in January 2003

in Strasbourg, France.

According to article 36, the convention will enter into force when the convention has

been ratified by 5 states, three of which must be member states of the Council of Europe.

54

Mention must also be made of the role of the United States of America in the drafting of the

convention. The US has an observer status in the executive arm of the Council of Europe i.e. the

Committee of Ministers and this gives it the right to participate in all the decisions made by the

Committee of Ministers, though it has no right to vote. Since one of the largest numbers of

computers in the world and consequently one of the biggest numbers of individuals and

companies connected to the internet are located in the US, it follows that the US will have one of

the highest amounts of cybercrimes.

55

52 The Council of Europe’s website, at

The United States Departments of Justice, State and

Commerce, in close consultation with other US government agencies, played a big role in the

http://conventions.coe.int/Treaty/Commun/ChercheSig.asp 53 Ibid. 54 Press Release, Council of Europe, “The Council of Europe fights against racism and xenophobia on the Internet” (Nov. 11, 2002), available at http://press.coe.int/cp/2002/554a(2002).htm. 55 Magnin, C., (2001) “The Council of Cybercrime Convention on Cybercrime: an Efficient Tool to Fight Crime in Cyberspace”; Unpublished LL.M. Dissertation, Santa Clara University. p.46.

19

negotiations at both the plenary sessions and the drafting of the convention.56 As a result, the

central provisions of the convention are consistent with the existing framework of US

cybercrime laws.57 Nearly every substantive offence created by the convention is already

criminalized in some fashion under US Federal laws.58

3.1 An Appraisal of the Provisions of the Convention

Once a large number of states have ratified a treaty, then it becomes acceptable to treat it as

general law.59 Treaties are the only machinery that exists for adapting international law to new

conditions and strengthening the force of a rule of law between states.60

The purpose of the Council of Europe Convention on Cybercrime is described in the ninth

paragraph of its preamble thus:

Thus, it is not out of

place for an international regime to be set up to combat cybercrime in a global society that is

increasingly dependent on information and communications technology.

“…the present convention is necessary to deter actions directed against the

confidentiality, integrity and availability of computer systems, networks and computer

data, as well as the misuse of such systems , networks and data, by providing for the

56 U.S. Department of Justice: Computer Crime and Intellectual Property Section, Frequently Asked Questions and Answers About the Council of Europe Convention on Cybercrime, [December 1st, 2000], available at http://www.cybercrime.gov/newCOEFAQ’s.html. 57 Ibid. 58 Weber, A.M., “The Council of Europe’s Convention on Cybercrime” (2003) 18, Berkeley Technology Law Journal 425 at 435. 59 Brierly, The Law of Nations: An Introduction to the International Law of Peace, 6th edn., Humphrey Waldock ed., Oxford University Press, 1963, p.57. cited in Keyser, M., “The Council of Europe Convention on Cybercrime” (2003) Vol.12. No.2, J. of Transnational Law & Policy 287 at 296. 60 Ibid.

20

criminalization of such conduct, as described in this convention, and the adoption of

powers sufficient for effectively combating such criminal offenses, by facilitating the

detection, investigation and prosecution of such criminal offenses at both the domestic

and international level, and by providing arrangements for fast and reliable international

cooperation.”

The Explanatory Report to the convention61

“ The Convention aims principally at

at paragraph 16 also states that:

(1) harmonizing the domestic criminal substantive law elements of offences and connected

provisions in the area of cyber-crime;

(2) providing for domestic criminal procedural law powers necessary for the investigation and

prosecution of such offences as well as other offences committed by means of a computer system

or evidence in relation to which is in electronic form;

(3) setting up a fast and effective regime of international co-operation.”

The convention is structured into four chapters. The first chapter defines some of the terms used

in the convention. The second chapter establishes a common canon of computer-based and

computer-related crimes, it also outlines a set of procedural powers, and it equally establishes a

set of rules by which parties can assert jurisdiction. Chapter 3 sets up a framework for

international cooperation and mutual assistance. Chapter 4 includes miscellaneous provisions

common to most Council of Europe treaties, it contains articles dealing with declarations,

61 Explanatory Report to the Convention on Cybercrime para. 16, available at http://conventions.coe.int/Treaty/en/Reports/Html/185.htm.

21

amendments and withdrawals among others. The focus here will be on the substantive provisions

located in chapters one, two and three of the convention.

Chapter one contains only one article, and it defines four of the terms used in the convention.

These terms are vital because they are heavily relied upon throughout the convention. The

convention first defines “computer system” as a device consisting of hardware and software

developed for automatic processing of digital data.62 For purposes of this convention, the second

term, “computer data,” holds a meaning different than that of normal computer language.63 The

data must be “in such a form that it can be directly processed by the computer system.”64 In other

words, the data must be electronic or in some other directly processable form. The third term,

“service provider” includes a broad category of entities that play particular roles “with regard to

communication or processing of data on computer systems.”65 This definition not only includes

public or private entities, but it also extends to include “those entities that store or otherwise

process data on behalf of” public or private entities.66 The fourth defined term is “traffic data.”

“Traffic data” is generated by computers in a chain of communication in order to route that

communication from an origin to its destination.67 Thus, it is auxiliary to the actual

communication. When a convention party investigates a criminal offense within this treaty,

“traffic data” is used to trace the source of the communication.68

62 Article 1(a)

63 Explanatory Report to the Convention on Cybercrime, para. 25. 64 Article 1(b) 65 Article 1(c) 66 Explanatory Report to the Convention on Cybercrime, paras. 26-27. 67 Article 1(d) 68 Explanatory Report to the Convention on Cybercrime, paras. 28-31.

22

Chapter two, which deals with measures to be taken by each party to the convention at the

national level, is divided into three sections. The first section calls on each party to provide

legislatives and other measures to establish as criminal offences under its domestic law nine

offences.

The offences are in four categories. The first category targets offences against the confidentiality,

integrity and availability of computer data and systems. The offences in this category include,

illegal access,69 illegal interception,70 data interference,71 system interference72 and misuse of

devices.73 The second category deals with computer-related offences and it includes provisions

calling for the criminalization of computer-related forgery and computer-related fraud.74

The third category deals with content-related offences and it has only one article, article 9 which

calls for the criminalization of offences related to child pornography. This third category was

supplemented by the additional protocol, referred to above, which addresses the dissemination of

racist or xenophobic materials through computer systems. The fourth category, contained in

article 10, deals with offences related to copyright and related rights.

The second section of chapter two deals with procedural law. It requires parties to establish a

minimum set of procedural tools at the national level whereby the appropriate law enforcement

authorities within a state would have the authority to conduct certain types of investigation

specific to cybercrime offences. Such procedural powers include: expedited preservation of

69 Article 2 70 Article 3 71 Article 4 72 Article 5 73 Article 6 74 Articles 7 and 8.

23

stored computer data,75 expedited preservation and partial disclosure of traffic data,76 production

orders,77 search and seizure of computer data,78 real-time collection of traffic data,79 and

interception of content data.80

It must be noted that all the procedural powers provided for in the convention are subject to the

provisions of article 15 which provides in paragraph one thereof that:

“Each Party shall ensure that the establishment, implementation and application of the

powers and procedures provided for in this Section are subject to conditions and

safeguards provided for under its domestic law, which shall provide for the adequate

protection of human rights and liberties, including rights arising pursuant to obligations

it has undertaken under the 1950 Council of Europe Convention for the Protection of

Human Rights and Fundamental Freedoms, the 1966 United Nations International

Covenant on Civil and Political Rights, and other applicable international human rights

instruments, and which shall incorporate the principle of proportionality.”

The third section of chapter two deals with jurisdiction. This is provided for in article 22 which

states in paragraph one thereof that:

“ Each Party shall adopt such legislative and other measures as may be necessary to establish

jurisdiction over any offence established in accordance with Articles 2 through 11 of this

Convention, when the offence is committed:

75 Article 16 76 Article 17 77 Article 18 78 Article 19 79 Article 20 80 Article 21

24

a. in its territory; or

b. on board a ship flying the flag of that Party; or

c. on board an aircraft registered under the laws of that Party; or

d. by one of its nationals, if the offence is punishable under criminal law where it was

committed or if the offence is committed outside the territorial jurisdiction of any State.”

The convention therefore permits parties to claim jurisdiction on the territorial and active

nationality principles of jurisdiction.

Chapter three of the convention deals with international cooperation and mutual assistance. This

chapter contains a series of provisions relating to the mutual legal assistance member countries

must afford each other under the Convention. This chapter is divided into two sections. The first

section deals with general principle relating to international cooperation. Some of the articles

contained in this first section are examined below.

Article 23 provides that parties should cooperate to the widest extent possible and the obligation

to cooperate extends not only to the crimes in the convention, but also to the collection of

electronic evidence whenever it relates to a criminal offence.

Article 24 deals with extradition of criminals between member countries. The obligation to

extradite applies only to those crimes committed in articles 2 to 11 and a threshold penalty also

exists to minimize the massive extradition of criminals. Accordingly, article 24 provides that

extradition can only be sought where the maximum penalty is at least one year imprisonment.

25

Article 25 requires mutual assistance to the widest extent possible by the parties for the purpose

of investigations or proceedings concerning cybercrimes. While article 26 discusses

“spontaneous information” which refers to instances when a member country obtains vital

information in relation to a case that it believes may assist another member country in its

criminal investigation or proceedings. In these situations, the member country that does not have

the information may not even know that it exists, and thus will never request for such

information. This article empowers the country with “spontaneous information” to forward it to

the applicable foreign officials in the other country without a prior request.81

The second section of chapter three deals with specific provisions on mutual assistance. The

provisions of this section make possible concerted international investigations of cybercrime

offences. These provisions mirror the procedural powers that states are required to have as

contained in section two of chapter two referred to above. These provisions include, mutual

assistance regarding expedited preservation of stored computer data,

82 mutual assistance

regarding expedited disclosure of preserved traffic data,83 mutual assistance regarding accessing

of stored computer data,84 trans-border access to stored computer with consent or where publicly

available,85 mutual assistance regarding the real-time collection of traffic data,86 and mutual

assistance regarding the interception of content data.87

81 Explanatory Report to the Convention on Cybercrime, para 260.

82 Article 29 83 Article 30 84 Article 31 85 Article 32 86 Article 33 87 Article 34

26

An interesting provision is contained in article 35. This article makes it obligatory for each party

to designate a point of contact that is available 24 hours per day, 7 days a week in order to ensure

the provision of immediate assistance for the purpose of investigations or proceedings

concerning cybercrime offences. The “24/7 network” is a way to effectively combat cybercrime

considering the fact that requests for mutual assistance in cybercrime cases usually require a

rapid response due to the volatile nature of computer data. This article was considered by the

drafters to be one of the most important means of effectively responding to enforcement

challenges posed by cybercrime.88 The assistance envisaged by this article include, the provision

of technical advice, preservation of data pursuant to articles 29 and 30, the collection of

evidence, the provision of legal information and the locating of suspects.89 It is further stated that

each party shall ensure that trained and equipped personnel are available in order to facilitate the

operation of the network.90

3.2 Criticisms against the Convention

One of the strongest criticisms against the convention is its limited possibility for global

coverage. The convention is open to countries outside the Council of Europe and therefore, in

principle at least, has the potential to apply globally. Under article 36, the convention is open for

signature by member states of the Council of Europe and by non-member states which

participated in its elaboration, such as the US, South Africa, Canada, and Japan which have

88 Explanatory Report to the Convention on Cybercrime, para. 298. 89 Article 35 para. 1. 90 Article 35 para. 3.

27

already signed it. The convention is also open for accession by other non-member states.91

However, the process for accession could be cumbersome and time consuming as it is only after

consulting with and obtaining the unanimous consent of all the state parties may the Committee

of Ministers invite a non-member state to accede.92

Another criticism against the convention is that the convention does not define the specific

elements of the crimes it covers; rather it allows the parties to establish their own elements

without guidance detailing the elements required for those offences.

It is clear that without universal or at least

very broad application, cybercriminals may simply concentrate their activities in non-

participating states. Sponsorship of a convention or treaty on cybercrime may have wider

adoption if it rests with the United Nations rather than a regional body such as the Council of

Europe.

93 The drafters of the

convention purposely empowered signatories to enact crime legislation out of concern that if the

Convention retained too much power, members would be reluctant to ratify it. The drafters

believed this was a better solution than if only a few countries ratified the Convention.94

However, the Convention would have been more valuable if it also included the elements of the

crimes rather than leaving this decision to the signatories.95

The convention has also drawn the ire of civil liberty activists who argue that the treaty is

fundamentally imbalanced in that it requires the establishment of sweeping new powers of

investigation without requiring appropriate safeguards and limitations on the use of such powers.

91 Article 37. 92 Article 37 para. 1. 93 Hopkins, S.L., “Cybercrime Convention: A Positive Beginning to a Long Road Ahead” (2003) Vol.2 No.1, Journal of High Technology Law 101 at 113. 94 Explanatory Report to the Convention on Cybercrime, paras. 122 & 145. 95 Hopkins, supra note 94 at pp.114-115.

28

On the other hand, the drafters of the convention argue that since parties differ too radically in

their conceptions of civil liberties and privacy, it is better for parties to sort out for themselves

how they will counterbalance the new powers consistent with their established legal principles

and cultural norms.96 In response, the activists argue that references to the protection of human

rights are brief at best especially when compared with myriad espousals of the importance of

serving the interests of law enforcement agencies.97

Another flaw pointed out by the activists is the secretive and undemocratic manner in which the

convention was drafted. The Council of Europe’s Committee of Experts on Crime in Cyberspace

completed nineteen drafts of the convention before the document was released to the public.

Between 1997 when the committee was set up and 2000 when it released it first draft, no draft

was released and no public input was solicited.

98 The convention was drafted by persons and

groups primarily concerned with law enforcement, and it reflects their concerns almost

exclusively to the detriment of the privacy of individuals and civil liberties interests.99

Another loophole in the convention is its lack of guidance on priority for granting jurisdiction

over transnational cybercrime offences. The convention establishes the grounds on which parties

may assert jurisdiction over cybercrime offences

100

96 Article 15; Explanatory Report to the Convention on Cybercrime, para. 15.

but it does not provide guidance on how

cases of conflicts, in which multiple parties claim jurisdiction, will be resolved. Parties are only

required to consult with a view to determining the most appropriate jurisdiction for

97 Electronic Privacy Information Center (EPIC), Statement on Council of Europe Convention on Cybercrime: The Convention Threatens Core United States Civil Liberties Interests, [Letter to United States Senate Committee on Foreign Relations]. Sent on July 26, 2005. Available online at www.epic.org/privacy/intl/senateletter-072605.pdf. 98 Ibid. 99 Ibid. 100 Article 22

29

prosecution.101 A possible solution would be the establishment of priority of jurisdiction.102 For

example, the Convention could establish a hierarchy where the nation that incurred the harm has

jurisdictional priority over the nation where the crime was initiated.103

On the whole, the convention is a welcome and long-overdue start towards addressing the

exigent circumstances evolving from the internet revolution.

104

Despite its flaws, the convention

is a starting point towards achieving global consensus in the fight against cybercrime. Though it

may not have global appeal, it is a commendable initiative and a precursor to a truly global

convention on cybercrime. The identified loopholes in the convention only show the need to

involve a wide range of interest groups in the drafting of any international instrument on

cybercrime. The interests of the private sector and the human rights of individuals should be

considered in any future attempt to draft an international convention on cybercrime. Law

enforcement interests should not be the overriding consideration. This would ensure a greater

level of acceptability by all the parties concerned and also enhance the effectiveness of such a

convention.

4.0 CONCLUSION

It will be observed that most of the offences which the convention enjoins parties to criminalize

in their domestic law have been covered by the Nigerian Cyber Security Bill. This leaves Nigeria

101 Article 22 para. 5. 102 Hopkins, supra note 94 at p.118. 103 Ibid. 104 Hopkins, supra note 94 at p.121.

30

with two choices in the matter, either to accede to, ratify and domesticate the convention105

or to

speedily pass in to law the Cyber Security Bill. This is necessary because Nigeria cannot afford

to leave its law in this current state as these can lead to the country being perceived as a haven

for cybercriminals.

105 See also, J.O. Mbamalu, Nigeria’s Roadmap To Accession To Council Of Europe Convention On Cyber Crime, available online at www.jumbolaw.com/nigeria.doc. It must be pointed out that preliminary steps have been taken in this regard. In July 2009, a Pre-Accession Workshop & Stakeholder Consultation was organized by the Federal Ministry of Justice, but there have been no reported significant advancements afterwards.