UPGRADING NIGERIAN LAW TO EFFECTIVELY COMBAT CYBERCRIME: THE
COUNCIL OF EUROPE CONVENTION ON CYBERCRIME IN PERSPECTIVE
OKE EMMANUEL KOLAWOLE∗
ABSTRACT
Cybercrime is a menace in Nigeria. The problem is further compounded by the high state of
unemployment. In order to stem the tide of cybercrime, two Bills have been presented before the
National Assembly but for inexplicable reasons, they have not been passed into law. This article
discusses the problem of cybercrime in Nigeria, examines the provisions of the two Bills and
also analyses the Council of Europe Convention on Cybercrime. The article recommends that in
order to prevent Nigeria being labeled a haven for cybercrime, it is imperative to either enact
domestic legislation to deal with cybercrime or domesticate the Convention.
1.0 INTRODUCTION
That cybercrime has become a menace in Nigeria is now a notorious fact, and that it has
contributed further to the besmirching of Nigeria’s image globally is no longer news. The
problem is further compounded by the current bad state of the Nigerian economy and the current
global financial crisis which has resulted in many Nigerians not being in gainful employment and
those in employment losing their jobs. Thus, a typical Nigerian youth finding no means of
livelihood resorts to using the internet to make all sorts of financial scams with a view to
defrauding foreigners. The aim of this paper is to give an insight into how this problem can be
effectively tackled through legislation as is being done in other countries. Against the backdrop
of the fact that current laws in Nigeria cannot effectively confront this problem, it is being
recommended that Nigeria accede to, ratify and domesticate the Council of Europe Convention
on Cybercrime which is a multilateral convention designed to combat this menace on a global
scale. Fortunately, the convention is open to non-member countries of the Council of Europe.
Alternatively, it is recommended that the bill seeking to establish the Cybersecurity and Data
Protection Agency which is currently before the National Assembly should be enacted into law
as soon as possible.
∗ LLM Student (Intellectual Property & Technology Law), National University of Singapore. Email: [email protected] [This article has been published by the University of Botswana Law Journal in June 2011, Vol. 12 pages 143 – 161].
This article will examine the problem of cybercrime in Nigeria and it also gives an appraisal of
the efforts that have been made so far to confront the problem; the focus will be on the two Bills
which have been presented to the National Assembly on the matter but none of which has since
been passed into law.1 The article equally contains an analysis of the Council of Europe
Convention on Cybercrime. The article concludes with the recommendation that Nigeria should
accede, ratify and domesticate the convention or alternatively hasten the passage of a local
legislation that will effectively address the problem of cybercrime in Nigeria.
1 The first Bill is titled, “Computer Security & Critical Information Infrastructure Protection Bill, 2005” while the second Bill is titled, “Cyber Security and Data Protection Agency (Establishment) Bill, 2008.”
2.0 THE PROBLEM OF CYBERCRIME IN NIGERIA2
2 In the words of Nuhu Ribadu, “The truth is that cybercrime is depressing trade and investor confidence in our economy and to that extent it is a present and clear danger to our national security and the prosperity of our citizens. Indeed of all the grand corruption perpetrated daily in our communities, most are of the nature of cybercrime executed through the agencies of computer and internet fraud, mail scam, credit card fraud, bankruptcy fraud, insurance fraud, government fraud, tax evasion, financial fraud, securities fraud, insider trading, bribery, kickbacks, counterfeiting, laundering, embezzlement, as well as economic and copyright/trade secret theft. From our experience also, while in the main they have been driven by the existence of an environment where power is monopolized over the long-term by only a few social and political elites, it must be understood that greed is the defining character of the crime.” See, Nuhu Ribadu, Cybercrime and Commercial Fraud: A Nigerian Perspective, paper presented at the Congress to celebrate the fortieth annual session of UNCITRAL Vienna, 9-12 July 2007, available online at www.uncitral.org/pdf/english/congress/Ribadu_Ibrahim.pdf; see also Okonigene Robert Ehimen, & Adekanle Bola, Cybercrime in Nigeria, (2010) 3:1 Business Intelligence Journal 93.
According to Brenner, cybercrime is simply the exploitation of a new technology to commit old
crimes in new ways and, concededly, to engage in a limited variety of ‘new’ types of criminal
activity.3 What this simply means is that cybercrime basically involves the adaptation of the
computer and the internet to commit traditional offences which are already covered by existing
criminal laws and also there are novel offences that are outside the contemplation of the existing
criminal legislations. For instance, the notorious fraudulent email scams commonly associated
with miscreants locally referred to as “yahoo boys” is actually a variation of the offence of
Obtaining Property by False Pretences which is a criminal offence by virtue of Section 419 of the
Criminal Code (the offence is now covered by the Advance Fee Fraud Act 1995 as amended in
2006, section 1 thereof). This is an example of a situation where the internet is being used to
commit a traditional offence. Whereas, hacking (unauthorized access) and distribution of
malicious codes (viruses) via the internet are instances of novel crimes not covered by existing
criminal legislations and which therefore require new criminal laws.
3 Brenner, Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law, [2001] MurUEJL 8, available online at http://www.austlii.edu.au/au/journals/MurUEJL/2001/8.html
It has been noted that in fully characterizing the practice of cybercrime in Nigeria some issues
are fairly settled:4
(i) The perpetrators are youths and thousands of unemployed but highly
knowledgeable ones who are computer savvy are involved and they actually drive
the process.
(ii) They are well connected through local insider conspiracy in the financial
institutions locally as well as with Nigerian immigrant community elements
abroad.
(iii) Knowing full well that Nigerian enforcement process has become so vigorous
they have migrated to mostly West African and other African nations with weak
enforcement mechanisms.
(iv) They also use a mechanism of reshippers mostly in Dubai, the UK, and the West
African way stations.
(v) They enjoy the fact that there are no cybercrime laws in any of these African
jurisdictions that they have chosen as their relay stations.
4 Nuhu Ribadu, supra note 2.
It is interesting to note that Nigeria has made an attempt to combat cybercrime with the
Computer Security and Critical Information Infrastructure Protection Bill 2005 (hereinafter
referred to as the Cybercrime Bill) which was presented to the National Assembly before the
expiration of the legislative term that ended in 2007.5 The bill was prepared by the Nigerian
Cybercrime Working Group which was established by the Federal Executive Council on the
recommendation of the President on March 31 2004. Its functions amongst others include the
responsibility to create a legal and institutional framework for securing computer systems and
networks in Nigeria and protecting critical information infrastructures in the country.6
Unfortunately, the Cybercrime bill was not enacted into law before the expiration of the
legislative term that ended in 2007.
5 For a comprehensive overview of the history behind the legislative attempts in Nigeria see, Basil Udotai, National Cybersecurity Strategies: Case Study-Nigeria, paper presented at the African Regional Conference on Cybersecurity, Yamousoukro, November 17-20, 2008, available online at www.afcybersec.org/rapports/afcybersec_08_yakra_ci_1227101590.pdf; see also, Basil Udotai, Framework for Cybersecurity in Nigeria, paper presented at INET Africa Day Rockview Hotel, Abuja May 4, 2007, available online at www.isoc.org
6 Nigerian Cybercrime Working Group, Terms of Reference, available online at http://www.cybercrime.gov.ng
Another bill has however been presented before the National Assembly, the bill is titled, Cyber
Security and Data Protection Agency (Establishment) Bill, 2008 (hereinafter referred to as the
Cyber Security Bill).7 The Cyber Security bill seeks to provide for the establishment of a Cyber
Security and Information Protection Agency that will be charged with the responsibility to secure
computer systems and networks and equally liaise with the relevant law enforcement agencies
for the enforcement of cyber crimes laws. Obviously the scope of the Cyber Security bill is wider
than that of the Cybercrime bill. While the Cybercrime bill essentially creates certain punishable
offences, the Cyber Security bill not only creates certain offences, it equally seeks to create an
agency that will be in charge of data protection.8 An attempt will now be made to examine some
of the acts criminalized under the Cyber Security Bill.9
7 This bill is sponsored by Honourable Bassey Etim.
8 The functions of the Agency are specified in section 4 of the Cyber Security bill as follows: “The Agency shall be responsible for the— (a) enforcement of the provision of this Bill; (b) investigation of all cyber crimes; (c) adoption of measures to eradicate the commission of the cyber crimes; (d) examination of all reported cases of cyber crimes with the views to identifying individuals, corporate organization involved in the commission of the crime; (e) registration and regulations of service providers in Nigeria with the views to monitor their activities; (f) organizing and undertaking campaigns and other forms of activities as will lead to increased public awareness on the nature and forms of cyber crimes; and (g) maintaining a liaison with the office of the Attorney General of the Federation, and Inspector General of police on the arrest and subsequent prosecution of the offenders.”
9 See also in this regard, Franklin Akinsuyi, Nigerian Cyber Crime and Privacy Legislation, Time for Review, available online at www.nigerianmuse.com/20100809085452g/nm-projects/science-technology/nigerian-cybercrime-and-privacy-legislation-time-for-review
Within the last eight years, Nigeria has gained notoriety over the menace of the miscreants who
are referred to in local parlance as ‘yahoo boys’ who send fraudulent messages to individuals
abroad. In fact this crime is just another version of the popular 419 fraud which was named after
section 419 of the criminal code which criminalizes the offence of obtaining property by false
pretences. The initial mode of committing the offence was through the post but with the advent
of the internet and the email, the platform changed. This offence has now been subsumed in the
Advance Fee Fraud Act 1995 as amended in 2006 by virtue of section 1 thereof. The Cyber
Security Bill also criminalizes this act by virtue of section 9(1) thereof which provides that:10
“(1) Any person who with intent to defraud send electronic mail message to a recipient,
where such electronic mail message materially misrepresents any fact or set of facts upon
which reliance the recipient or another person is caused to suffer any damage or loss,
commits an offence and shall be liable on conviction to a fine of not less than 5 years or
to both such fine and imprisonments.”
10 The same offence is provided for in section 5(1) of the Cybercrime Bill.
2.2 Unauthorized Access
Unauthorized access to computers and network, commonly known as hacking, occurs when an
individual logs into a computer or network, and gains entry to it without having the necessary
authority to do so.11 By using software tools, hackers can break into computers to steal data,
plant viruses or work any other mischief. Hackers may be divided into two categories: persons
who attack from outside the network and wrongfully access a computer without authorization;
and persons who are insiders and thus have authorization to access specific portions of the
network but intrude into other parts of it by exceeding authorized access.12 Every country, every
network and every computer in the world is susceptible to an attack and the only deterrents
available are the limited defenses provided by security measures, such as cryptography, and
computer crime legislation. Therefore, due to the potential to cause havoc and create economic
losses over the Internet, strong criminal laws are a necessary tool in the arsenal to combat
cybercrime.13
11 Barrie Gordon, Internet Criminal Law, available online at http://www.cyberlawsa.co.za/cyberlaw/cybertext/chapter15.htm
12 Ahmad Kamal, The Law of Cyberspace, 1st edn., Geneva, United Nations Institute for Training and Research, 2005, p.17. Available online at www.un.int/kamal/thelawofcyberspace
13 Rory McIntyre-O'Brien, Slipping Through The Net: Hacking Offences in Ireland, 2004 COLR 8. Available online at http://colr.ucc.ie
Initially, attempts were made to use a number of pre-existing statutes to combat the problem.
One of the celebrated cases was that of R. v. Gold and Schifreen.14 Gold and Schifreen hacked
for a hobby and had managed to obtain the password for the Prestel System operated by BT
which provided subscribers with both e-mail facilities and access to a number of database
services. The password they obtained was in fact that issued to BT engineers, so not only did it
not charge them for use, but it also gave them widespread access to all parts of the system. Their
activities eventually aroused suspicion and they were tracked down by monitoring their
telephone usage. The question then arose as to what could be an appropriate charge. A
prosecution was brought under section 1 of the Forgery and Counterfeiting Act of 1981. They
were convicted but on appeal both the Court of Appeal and the House of Lords were of the view
that this statute was inappropriate and not intended to apply to this type of case.
14 [1988] A.C. 1063.
The House of Lords approved the speech of Lord Lane CJ in the Court of Appeal,15 where he
said:
“The Procrustean attempt to force these facts into the language of an Act not designed to
fit them produced grave difficulties for both judge and jury which we would not wish to
see them repeated. The appellant's conduct amounted in essence, as already stated, to
dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a
criminal offence. If it is thought desirable to make it so, that is a matter for the legislature
rather than the courts.”
15 [1987] Q.B. 1116 at 1124.
The message was clear that a new law was urgently needed to confront this problem. In response
to this, the Computer Misuse Act of 1990 was enacted. Section 1 thereof provides that:
“(1) A person is guilty of an offence if:
(a) he causes a computer to perform any function with intent to secure access to any program or
data held in any computer;
(b) the access he intends to secure is unauthorized; and
(c) he knows at the time when he causes the computer to perform the function that that is the
case.”
In Nigeria, the Cyber Security Bill in section 7(1) provides that:16
“Any person who without authority or in excess of his authority accesses any computer for the
purpose of—
(a) securing access to any program; or
(b) data held in that computer; or
(c) committing any act which constitute an offence under any law for time being in force in
Nigeria, commits an offence and shall be liable on conviction:
(i) In the case of offence in paragraph (a) of this subsection, to a fine of not less than N10,000
or imprisonment for a term of not less than 6 months or to both such fine and imprisonment.
(ii) For the offence in paragraph (b), to a fine of not less N100,000 or a term of not less than 1
year or to both such fine and imprisonment.”
16 The same offence is contained in section 3(1) of the Cybercrime Bill.
2.3 Distribution of Malicious Codes
A malicious code can be described as any code which modifies or destroys data, steals data,
allows unauthorized access, exploits or damages a system, and generally does something that a
user does not desire.17 The most common type of malicious code is a virus, but apart from
viruses, we also have worms, trojan horses and logic bombs.
17 Ahmad Kamal, supra note 12 at p.40.
A 'computer virus' is a program which can reproduce itself within computers by attaching itself
to other programs.18 It can be passed from one machine to another by hiding in software files.
Usually it is created with malicious intent to damage computer hard disks and erase information.
A 'computer worm' is a similar program to a virus, but designed only to reproduce itself (segment
by segment like a worm) within computers and across networks.19 Unlike viruses, a worm is not
programmed to erase or alter files, but can create chaos by soaking up machine space and
crashing systems. A 'trojan horse' is a program hidden inside apparently normal files or software
which is introduced to the host system and can be triggered to cause damage or alter
information.20 A 'logic' or a 'time bomb' is a program inserted into the host computer which is set
to go off on a specific date or after a system has been accessed a certain number of times and can
be programmed to erase files or perform less malicious tasks.21
Section 3 of the Computer Misuse Act of 1990 of the U.K. covers this type of criminal activity.
It provides in subsection (1) that:
“A person is guilty of an offence if
(a) he does any act which causes an unauthorised modification of the contents of any computer;
and
(b) at the time when he does the act he has the requisite intent and requisite knowledge.”
18 Akdeniz, Y., Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses! [1996] 3 Web JCLI. Available online at http://webjcli.ncl.ac.uk/1996/issue3/akdeniz3.html 19 Ibid. 20 Ibid. 21 Ibid.
Pile, developed two particular viruses, called Queeg and Pathogen, and also
Smeg, a guide to writing viruses. He also succeeded in incorporating a virus into an anti-virus
scan program. He spread his viruses via the internet and also hid them in computer games.
Prominent British companies were affected by these viruses. He was the first person to be
prosecuted and convicted in England for intentionally introducing computer viruses into a
computer system in breach of section 3 of the Computer Misuse Act.
22 (1995) May, unreported, Plymouth Crown Court, referred to in Rowland, D., and Macdonald, E., Information Technology Law, 1st edn., (London, Cavendish, 1997) at p.354.
In Nigeria, the Cyber Security Bill in section 12, which deals with the offence of Misuse of
Devices, provides that:23
“Any person who unlawfully produces, adapts or procures for use, distributes, offers for
sale, possesses or uses any devices, including a computer program or a component or
performs any of those acts relating to a password, access code or any other similar kind
of data, which is designed primarily to overcome security measures with the intent that
the devices be utilized for the purpose of violating any provision of this Bill, commits an
offence and is liable to a fine of not less than N1,000,000 or imprisonment for a term of
not less than 5 years or to both such fine and imprisonment.”
23 The same offence is contained in section 9 of the Cybercrime Bill.
2.4 Unsolicited Commercial Mails (Spam)
Spam includes all electronic messages that are unsolicited or unwanted, sent to a large number of
users (bulk) without regard to the identity of the individual user, usually having commercial
purposes.24 It has become commonplace for users to receive directly via the e-mail, product and
service information from companies and individuals. The nature of the Internet allows these e-
mail messages to be sent to millions of users, anytime, anywhere within seconds.25
Most spam is nothing more than commercial advertising.
The main objection to spam is the cost and time spent in dealing with it. A great amount of time
is spent by Internet users sifting through the numerous emails in order to separate genuine
electronic mails from junk.26 The deluge of spam may overload the user’s inbox hence
preventing the receipt of legitimate e-mails. Spam also increases the cost to the user in terms of
increased storage capacity.27 Internet Service Providers (ISPs) are also facing a serious and
unnecessary financial burden as a result of spamming. Currently, ISPs find monitoring 15 - 20
million electronic mails a day (with the numbers expected to increase if no law is in place), an
onerous and difficult task. Without doubt, spam increases the overall management costs of ISPs.
This is seen in terms of network and server congestion, increasing demand for faster and larger
bandwidth, attending to customers’ (users’) complaints and the time spent to eliminate or to
reduce the problems.28 The real cost of spamming is borne by ISPs and their users in terms of
increased bandwidth, increased server and storage capacity and the additional cost of installing
anti-spam filtering devices.29
24 Ahmad Kamal, supra note 12 at p.44.
25 Ong, R., Regulating Spam in Hong Kong and Malaysia: Lessons From Other Jurisdictions 2005 (1) The Journal of Information, Law and Technology (JILT). Available online at http://www2.warwick.ac.uk/fac/soc/law2/elj/jilt/2005_1/ong/ 26 Ibid. 27 Ibid. 28 Ibid. 29 Ibid.
In response to this problem, various countries have enacted legislation to confront spam. But the
laws vary considerably in their approach to the problem. For e-mail to be legitimate, many anti-
spam legal instruments require the prior consent of the recipient or the existence of a prior
business relationship before the sending of any commercial e-mail (the opt-in approach).30 In
some countries, where this approach is considered too severe, unsolicited emails, in themselves,
are not considered illegal, but they must allow a recipient to no longer receive commercial
communications from a certain sender (opt-out approach).31
In the United States, the Controlling the Assault of Non Solicited Pornography and Marketing
Act of 2003 (CAN-SPAM Act) came into effect on January 1 2004. The CAN-SPAM Act allows
the sending of commercial e-mail messages to users who have not given their prior consent to
such mailings nor had any pre-existing or current business relationship although it does require
the sender to provide users with the option to opt out by sending a reply message. A user is
required to opt out within 30 days of the reception of the e-mail to prevent reception of future e-
mails from the sender. Once the user has exercised his right to opt out, the sender must within 10
days of the receipt of the opt out request, cease transmission of all commercial e-mails to the
user. Thus, the approach under the CAN-SPAM Act is the opt-out approach.
30 Ahmad Kamal, supra note 12 at p.46. 31 Ibid.
In the United Kingdom, in compliance with the EU Directive on Privacy and Electronic
Communications, UK’s Privacy and Electronic Communications (EC Directive) Regulations
2003 became effective on December 11 2003. Under the Directive, all unsolicited
communications by e-mail are prohibited unless the recipient has previously consented to
receiving such unsolicited communications. The sender may send unsolicited communications to
the recipient where he has obtained the recipient’s contact details during the course of a sale or
negotiations for the sale of the same or similar products provided a valid return address enabling
the recipient to opt out of receiving future unsolicited communications by e-mail is included. In
addition, senders are prohibited from disguising or concealing their identity when sending the
unsolicited communications to recipients. Thus, the approach in the UK is primarily the opt-in
approach but it also makes provision for opting out.
In Nigeria, the approach adopted is the opt-in approach. Thus, the Cyber Security Bill in section
9(3) provides that:32
“Any person spamming33 electronic mail messages to receipts with whom he has no
previous commercial or transactional relationship commits an offence and shall be liable
on conviction to a fine not less than N500,000 or imprisonment for a term of not less than
3 years or to both such fine and imprisonment.”
32 The same offence is provided for in section 5(3) of the Cybercrime Bill.
33 Spamming is defined in section 38 of the Cyber Security Bill as, “unsolicited electronic mail message having false headers, address and lines.”
2.5 Identity Theft
Identity theft is the unauthorized collection and fraudulent use of key pieces of information, such
as social security or credit card numbers of an individual in order to impersonate that individual.
The information can be used to obtain credit, merchandise, and services in the name of the
victim, or to provide the thief with false credentials.34 A new form of identity theft is phishing,
which occurs when scammers send mass e-mails posing as banks, credit card companies, or
popular commercial web-sites, asking recipients to confirm or update personal and financial
information in a hyperlink to a look-alike web-site for the spoofed company.35
Section 14 of the Cyber Security Bill criminalizes this act when it provides that:36
“Any person who with the intent to deceive or defraud, accesses any computer or
network and uses or assumes the identity of another person, commits an offence and shall
be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of
not less than 3 years or to both such fine and imprisonment.”
Due to the constraints of time and space, some of the other offences created by the Cyber
Security Bill and the Cybercrime Bill will not be examined in detail here. It suffices to mention
that the bills criminalize acts like unauthorized disclosure of access codes and password,37
computer fraud and data forgery,38 system interference,39 denial of service,40 unlawful
35 Ibid. 36 The same offence is provided for in section 11 of the Cybercrime Bill. 37 Section 8 of the Cyber Security Bill; section 4 of the Cybercrime Bill. 38 Section 10 of the Cyber Security Bill; Sections 6 & 7 of the Cybercrime Bill. 39 Section 11 of the Cyber Security Bill; Section 8 of the Cybercrime Bill. 40 Section 13 of the Cyber Security Bill; Section 10 of the Cybercrime Bill. 41 Section 16 of the Cyber Security Bill; Section 13 of the Cybercrime Bill. 42 Section 19 of the Cyber Security Bill; Section 15 of the Cybercrime Bill.
the use of a computer44 and using a computer for unlawful sexual purposes including child
pornography.45
43 Section 20 of the Cyber Security Bill; Section 16 of the Cybercrime Bill.
44 Section 21 of the Cyber Security Bill; Section 17 of the Cybercrime Bill.
45 Section 22 of the Cyber Security Bill; Section 18 of the Cybercrime Bill.
2.6 Computer-Generated Evidence
Another quick point which must also be made about the bills is that computer generated evidence
is now specifically recognized as primary evidence under the Cyber Security Bill. If this
provision is enacted into law it will avoid all the unnecessary obstacles usually encountered by
prosecutors when attempting to build their case on computer generated evidence or electronic
evidence due to the absence of any specific provision in the Evidence Act dealing with computer
generated evidence. Although, it must be stressed that despite the absence of any specific
provision in the Evidence Act, Nigerian courts usually adopt the posture of judicial activists and
fill in the loopholes in order to admit computer generated evidence especially since there is no
provision in the Evidence Act making computer generated evidence inadmissible.46
46 See the following cases, Esso West Africa Inc v. Oyagbola (1969) NSCC 354; Anyaebosi v. R.T. Briscoe (1987) 3 NWLR Pt. 59 p.108; Ogolo v. IMB (1993) 9 NWLR Pt. 49 p.314; Trade Bank v. Chami (2003) 13 NWLR Pt. 836 p.261. The recent Court of Appeal ruling in the Fani Kayode case is also apposite, in that case the Court of Appeal overruled the trial court’s ruling which had held that a computerized statement of account was inadmissible. See also, Prof. Taiwo Osipitan, Why Computerized Statement of Accounts is Admissible in Nigerian Courts, available online at www.nigerianlawguru.com/articles/practiceandprocedure; A. I. Chukwuemerie, Affidavit Evidence and Electronically Generated Materials in Nigerian Courts, (2006) 3:3 SCRIPT-ed 176 available online at <http://www.law.ed.ac.uk/ahrc/script-ed/vol3-3/affidavit.asp>
Section 31 of the Cyber Security Bill provides that:47
“Notwithstanding anything contained in any enactment or law in Nigeria, an information
contained in any computer which is printed out on paper, stored, recorded or copied on
any media, shall be deemed to be primary evidence under this Bill.”
47 A similar provision is contained in section 27 of the Cybercrime Bill.
3.0 AN ANALYSIS OF THE COUNCIL OF EUROPE CONVENTION ON
CYBERCRIME
In 1989, the Council of Europe published a set of recommendations addressing the need for new
substantive laws criminalizing disruptive conduct committed through computer networks.48 This
was followed by a second study, published in 1995, addressing the inadequacy of computer-
related, criminal procedural laws.49 Building on these reports, the Council of Europe established
a Committee of Experts on Crime in Cyberspace in 1997 to draft a binding convention
facilitating international cooperation in the investigation and prosecution of computer crimes. On
April 27th, 2000, this committee released its first public draft of the convention. The convention
was adopted by the Committee of Ministers during the Committee’s 109th session on the 8th of
November 2001 and it was opened for signature in Budapest, on November 23rd, 2001.50 The
convention has so far been signed by 46 states out of which 30 have ratified it.51 Four
non-member states of the Council of Europe have signed the Convention; they include Canada,
Japan, South Africa (which is the only African signatory to the convention), and the United
States of America (which is the only non-member state to have ratified the convention; the US
ratified the convention on the 29th of September, 2006).52 The convention entered into force on
the 1st of July, 2004 when the conditions stipulated for entry into force in article 36 of the
convention were met.53 According to article 36, the convention will enter into force when the
convention has been ratified by 5 states, three of which must be member states of the Council of
Europe.
48 Recommendation No. R. (89) 9 of the Committee of Ministers to Member States on Computer-related Crime, available at http://www.cm.coe.int/ta/rec/1989/89r9.htm. 49 Recommendation No. R. (95) 13 of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information Technology, available at http://www.coe.int/ta/rec/1995/95r13.htm. 50 The Council of Europe’s website, at http://conventions.coe.int/treaty/en/cadreprincipal.htm. 51 This is the current status of the treaty as at 2010.
In November 2002, the Council of Europe introduced an “Additional Protocol to Convention on
Cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed
through computer systems.” This additional protocol was opened for signature in January 2003
in Strasbourg, France.54
Mention must also be made of the role of the United States of America in the drafting of the
convention. The US has an observer status in the executive arm of the Council of Europe i.e. the
Committee of Ministers and this gives it the right to participate in all the decisions made by the
Committee of Ministers, though it has no right to vote. Since one of the largest numbers of
computers in the world and consequently one of the biggest numbers of individuals and
companies connected to the internet are located in the US, it follows that the US will have one of
the highest amounts of cybercrimes.55 The United States Departments of Justice, State and
Commerce, in close consultation with other US government agencies, played a big role in the
negotiations at both the plenary sessions and the drafting of the convention.56 As a result, the
central provisions of the convention are consistent with the existing framework of US
cybercrime laws.57 Nearly every substantive offence created by the convention is already
criminalized in some fashion under US Federal laws.58
52 The Council of Europe’s website, at http://conventions.coe.int/Treaty/Commun/ChercheSig.asp 53 Ibid. 54 Press Release, Council of Europe, “The Council of Europe fights against racism and xenophobia on the Internet” (Nov. 11, 2002), available at http://press.coe.int/cp/2002/554a(2002).htm. 55 Magnin, C., (2001) “The Council of Cybercrime Convention on Cybercrime: an Efficient Tool to Fight Crime in Cyberspace”; Unpublished LL.M. Dissertation, Santa Clara University. p.46.
3.1 An Appraisal of the Provisions of the Convention
Once a large number of states have ratified a treaty, then it becomes acceptable to treat it as
general law.59 Treaties are the only machinery that exists for adapting international law to new
conditions and strengthening the force of a rule of law between states.60 Thus, it is not out of
place for an international regime to be set up to combat cybercrime in a global society that is
increasingly dependent on information and communications technology.
The purpose of the Council of Europe Convention on Cybercrime is described in the ninth
paragraph of its preamble thus:
“…the present convention is necessary to deter actions directed against the
confidentiality, integrity and availability of computer systems, networks and computer
data, as well as the misuse of such systems, networks and data, by providing for the
56 U.S. Department of Justice: Computer Crime and Intellectual Property Section, Frequently Asked Questions and Answers About the Council of Europe Convention on Cybercrime, [December 1st, 2000], available at http://www.cybercrime.gov/newCOEFAQ’s.html. 57 Ibid. 58 Weber, A.M., “The Council of Europe’s Convention on Cybercrime” (2003) 18, Berkeley Technology Law Journal 425 at 435. 59 Brierly, The Law of Nations: An Introduction to the International Law of Peace, 6th edn., Humphrey Waldock ed., Oxford University Press, 1963, p.57. cited in Keyser, M., “The Council of Europe Convention on Cybercrime” (2003) Vol.12. No.2, J. of Transnational Law & Policy 287 at 296. 60 Ibid.
amendments and withdrawals among others. The focus here will be on the substantive provisions
located in chapters one, two and three of the convention.
Chapter one contains only one article, and it defines four of the terms used in the convention.
These terms are vital because they are heavily relied upon throughout the convention. The
convention first defines “computer system” as a device consisting of hardware and software
developed for automatic processing of digital data.62 For purposes of this convention, the second
term, “computer data,” holds a meaning different than that of normal computer language.63 The
data must be “in such a form that it can be directly processed by the computer system.”64 In other
words, the data must be electronic or in some other directly processable form. The third term,
“service provider” includes a broad category of entities that play particular roles “with regard to
communication or processing of data on computer systems.”65 This definition not only includes
public or private entities, but it also extends to include “those entities that store or otherwise
process data on behalf of” public or private entities.66 The fourth defined term is “traffic data.”
“Traffic data” is generated by computers in a chain of communication in order to route that
communication from an origin to its destination.67 Thus, it is auxiliary to the actual
communication. When a convention party investigates a criminal offense within this treaty,
“traffic data” is used to trace the source of the communication.68
62 Article 1(a)
63 Explanatory Report to the Convention on Cybercrime, para. 25. 64 Article 1(b) 65 Article 1(c) 66 Explanatory Report to the Convention on Cybercrime, paras. 26-27. 67 Article 1(d) 68 Explanatory Report to the Convention on Cybercrime, paras. 28-31.
Chapter two, which deals with measures to be taken by each party to the convention at the
national level, is divided into three sections. The first section calls on each party to provide
legislative and other measures to establish as criminal offences under its domestic law nine
offences.
The offences are in four categories. The first category targets offences against the confidentiality,
integrity and availability of computer data and systems. The offences in this category include
illegal access,69 illegal interception,70 data interference,71 system interference72 and misuse of
devices.73 The second category deals with computer-related offences and it includes provisions
calling for the criminalization of computer-related forgery and computer-related fraud.74
The third category deals with content-related offences and it has only one article, article 9 which
calls for the criminalization of offences related to child pornography. This third category was
supplemented by the additional protocol, referred to above, which addresses the dissemination of
racist or xenophobic materials through computer systems. The fourth category, contained in
article 10, deals with offences related to copyright and related rights.
The second section of chapter two deals with procedural law. It requires parties to establish a
minimum set of procedural tools at the national level whereby the appropriate law enforcement
authorities within a state would have the authority to conduct certain types of investigation
specific to cybercrime offences. Such procedural powers include: expedited preservation of
An interesting provision is contained in article 35. This article makes it obligatory for each party
to designate a point of contact that is available 24 hours per day, 7 days a week in order to ensure
the provision of immediate assistance for the purpose of investigations or proceedings
concerning cybercrime offences. The “24/7 network” is a way to effectively combat cybercrime
considering the fact that requests for mutual assistance in cybercrime cases usually require a
rapid response due to the volatile nature of computer data. This article was considered by the
drafters to be one of the most important means of effectively responding to enforcement
challenges posed by cybercrime.88 The assistance envisaged by this article includes the provision
of technical advice, preservation of data pursuant to articles 29 and 30, the collection of
evidence, the provision of legal information and the locating of suspects.89 It is further stated that
each party shall ensure that trained and equipped personnel are available in order to facilitate the
operation of the network.90
88 Explanatory Report to the Convention on Cybercrime, para. 298. 89 Article 35 para. 1. 90 Article 35 para. 3.
3.2 Criticisms against the Convention
One of the strongest criticisms against the convention is its limited possibility for global
coverage. The convention is open to countries outside the Council of Europe and therefore, in
principle at least, has the potential to apply globally. Under article 36, the convention is open for
signature by member states of the Council of Europe and by non-member states which
participated in its elaboration, such as the US, South Africa, Canada, and Japan which have
already signed it. The convention is also open for accession by other non-member states.91
However, the process for accession could be cumbersome and time consuming, as it is only after
consulting with and obtaining the unanimous consent of all the state parties that the Committee
of Ministers may invite a non-member state to accede.92 It is clear that without universal or at least
very broad application, cybercriminals may simply concentrate their activities in non-
participating states. Sponsorship of a convention or treaty on cybercrime may have wider
adoption if it rests with the United Nations rather than a regional body such as the Council of
Europe.
Another criticism against the convention is that the convention does not define the specific
elements of the crimes it covers; rather it allows the parties to establish their own elements
without guidance detailing the elements required for those offences.93 The drafters of the
convention purposely empowered signatories to enact crime legislation out of concern that if the
Convention retained too much power, members would be reluctant to ratify it. The drafters
believed this was a better solution than if only a few countries ratified the Convention.94
However, the Convention would have been more valuable if it also included the elements of the
crimes rather than leaving this decision to the signatories.95
91 Article 37. 92 Article 37 para. 1. 93 Hopkins, S.L., “Cybercrime Convention: A Positive Beginning to a Long Road Ahead” (2003) Vol.2 No.1, Journal of High Technology Law 101 at 113. 94 Explanatory Report to the Convention on Cybercrime, paras. 122 & 145. 95 Hopkins, supra note 94 at pp.114-115.
The convention has also drawn the ire of civil liberty activists who argue that the treaty is
fundamentally imbalanced in that it requires the establishment of sweeping new powers of
investigation without requiring appropriate safeguards and limitations on the use of such powers.
On the other hand, the drafters of the convention argue that since parties differ too radically in
their conceptions of civil liberties and privacy, it is better for parties to sort out for themselves
how they will counterbalance the new powers consistent with their established legal principles
and cultural norms.96 In response, the activists argue that references to the protection of human
rights are brief at best especially when compared with myriad espousals of the importance of
serving the interests of law enforcement agencies.97
Another flaw pointed out by the activists is the secretive and undemocratic manner in which the
convention was drafted. The Council of Europe’s Committee of Experts on Crime in Cyberspace
completed nineteen drafts of the convention before the document was released to the public.
Between 1997 when the committee was set up and 2000 when it released its first draft, no draft
was released and no public input was solicited.98 The convention was drafted by persons and
groups primarily concerned with law enforcement, and it reflects their concerns almost
exclusively to the detriment of the privacy of individuals and civil liberties interests.99
96 Article 15; Explanatory Report to the Convention on Cybercrime, para. 15. 97 Electronic Privacy Information Center (EPIC), Statement on Council of Europe Convention on Cybercrime: The Convention Threatens Core United States Civil Liberties Interests, [Letter to United States Senate Committee on Foreign Relations]. Sent on July 26, 2005. Available online at www.epic.org/privacy/intl/senateletter-072605.pdf. 98 Ibid. 99 Ibid. 100 Article 22
Another loophole in the convention is its lack of guidance on priority for granting jurisdiction
over transnational cybercrime offences. The convention establishes the grounds on which parties
may assert jurisdiction over cybercrime offences100 but it does not provide guidance on how
cases of conflicts, in which multiple parties claim jurisdiction, will be resolved. Parties are only
required to consult with a view to determining the most appropriate jurisdiction for
prosecution.101 A possible solution would be the establishment of priority of jurisdiction.102 For
example, the Convention could establish a hierarchy where the nation that incurred the harm has
jurisdictional priority over the nation where the crime was initiated.103
On the whole, the convention is a welcome and long-overdue start towards addressing the
exigent circumstances evolving from the internet revolution.104 Despite its flaws, the convention
is a starting point towards achieving global consensus in the fight against cybercrime. Though it
may not have global appeal, it is a commendable initiative and a precursor to a truly global
convention on cybercrime. The identified loopholes in the convention only show the need to
involve a wide range of interest groups in the drafting of any international instrument on
cybercrime. The interests of the private sector and the human rights of individuals should be
considered in any future attempt to draft an international convention on cybercrime. Law
enforcement interests should not be the overriding consideration. This would ensure a greater
level of acceptability by all the parties concerned and also enhance the effectiveness of such a
convention.
4.0 CONCLUSION
It will be observed that most of the offences which the convention enjoins parties to criminalize
in their domestic law have been covered by the Nigerian Cyber Security Bill. This leaves Nigeria
with two choices in the matter, either to accede to, ratify and domesticate the convention105 or to
speedily pass into law the Cyber Security Bill. This is necessary because Nigeria cannot afford
to leave its law in this current state as this can lead to the country being perceived as a haven
for cybercriminals.
101 Article 22 para. 5. 102 Hopkins, supra note 94 at p.118. 103 Ibid. 104 Hopkins, supra note 94 at p.121.
105 See also, J.O. Mbamalu, Nigeria’s Roadmap To Accession To Council Of Europe Convention On Cyber Crime, available online at www.jumbolaw.com/nigeria.doc. It must be pointed out that preliminary steps have been taken in this regard. In July 2009, a Pre-Accession Workshop & Stakeholder Consultation was organized by the Federal Ministry of Justice, but there have been no reported significant advancements afterwards.