http://allafrica.com/stories/200610190334.html
This Day (Lagos)
ANALYSIS
October 18, 2006
By Eijeagbon Ohicheoya
Lagos
There is an important executive Bill before the Nigerian National
Assembly called the "Computer Security & Critical Information
Infrastructure Protection Bill" ("the Bill"). Because of the importance
of this Bill, we would consider in this paper, the highlights of the
provisions of the Bill, share the highlights of other similar
legislations in the United Kingdom, the United States of America,
Australia, South Africa, Canada and Switzerland in the greater
expectation that the laws in these other jurisdictions would further
assist the Nigerian National Assembly and the Nigerian people in having
a better Law on wire tapping, computer and cyber crimes, and
anti-terrorism.
Wire Tapping, Cyber Crimes & Anti-Terrorism Bill
The introductory part of the Bill describes its objectives to include "
secure computer systems and networks and protect critical information
infrastructure in Nigeria by prohibiting certain undesirable
computer-based activities ..". This Bill seeks to create legal liability
and responsibility for modern global crimes carried on over a computer
or computer systems, i.e. the internet.
Some of these crimes, which carry penalties of fines ranging from the
average sum of N100,000.00 (One Hundred Thousand Naira) to terms of
imprisonment ranging on the average from six months imprisonment,
include: -Hacking and unlawful access to a computer or a computer
network.Spamming - this is unsolicited mails - fraudulent electronic
mails, etc.Computer fraud, computer forgery, system
interference.Identity theft and impersonation on the
internet.Cyber-terrorism, cybersquarting, misuse of computer for
unlawful sexual purposes, etc.
Unlawful Interception of Communications & Mandatory Retention.Section 3
of this Bill makes it an offence for any person, without authority or in
excess of such authority where it exist, to access any computer or
access a computer for an unlawful purpose. It is also an offence for any
person to disclose any password, access code or disclose any other means
of access to any computer program without lawful authority.
Section 12 of this Bill requires every service provider to keep a record
of all traffic and subscriber information on their computer networks for
such a period as the President of the Federal Republic of Nigeria may by
Federal Gazette, specify. Service Providers are further required to
record and retain any related content at the instance of any Law
Enforcement Agency.
This Bill also allows any Law Enforcement Agency in Nigeria, on the
production of a warrant issued by a Court of competent jurisdiction, to
request a service provider to release any information in respect of
communications within its network, and the service provider must comply
with the terms of the warrant.
This Bill seeks to ensure the protection of the privacy and civil
liberties of persons by requiring that all communications released by a
service provider shall only be used for legitimate purposes authorised
by the affected individual or by a Court of competent jurisdiction or by
other lawful authority.
All law enforcement agencies carrying out their duties under this Bill
must also have due regard to the constitutional rights to freedom of
privacy guaranteed under the 1999 Nigerian Constitution and " take
appropriate technological and organisational measures to safeguard the
confidentiality of the data retained, processed or retrieved for the
purposes of law enforcement".
To ensure compliance by the service providers or body corporate, who are
the providers of all form of telecommunication services in Nigeria, this
Bill recommends that any breach of the provisions of the contemplated
Law, by these persons, shall on conviction be liable to the payment of a
fine of not less than N5Million. In addition, each Director, Manager or
Officer of the service provider shall be liable to a fine of not less
than N500,000 or imprisonment for a term of not less than three years or
to both the fine and the term of imprisonment.
The first and fundamental concern with this Bill is that there are no
internal and external checks and balances provisions whatsoever in the
Bill. There are no mandatory reporting procedures to either the Nigerian
parliament or the Nigerian judiciary on the activities of law
enforcement agencies in carrying out these wire tapping or lawful
interception activities. The law enforcement agencies that have the
responsibility of carrying out the provisions of this Bill are not
enumerated in the Bill. There is no independent commissioner to monitor
these activities.
There is also no provision for award of compensation where the civil
liberties of individuals are breached neither is there provision for
reporting to the citizens after the wire tapping activities have ceased.
In jurisdictions with a longer history of democracy and wire tapping
activities, where these checks and balances are regulated by Statutes,
allegations and investigations of abuses continue to occur.
There is secondly, in the matter of obtaining a warrant or release of
information for legitimate reasons, a recurring reference to either a
Court of Law or " any other lawful authority " for obtaining either the
warrant or the information. There is no enumeration or definition
anywhere in the Bill, as has been done in other jurisdictions, of whom
or what constitutes "lawful authority". It is recommended that this is a
very good loophole for a breaching government to avoid an independent
judiciary and constitute itself into ".. any other lawful authority"
from where the civil liberties of individuals would be continuingly
breached.
The treatment of evidence obtained from wire tapping activities in
criminal proceedings are not described anywhere in this Bill. While
there are civil law provisions requiring that illegally obtained
evidence are not admissible without special circumstances been
disclosed, this Bill would do well to emulate the laudable provisions in
wire tapping legislations in the United Kingdom and the United States of
America on the treatment of evidence obtained from wire tapping
activities in criminal proceedings.
There is further a problem with the definition of what constitutes
traffic information under this Bill? What also is "content" under this
Bill? Would traffic information also include the recording of voice
communication by service providers? If traffic information would include
voice communication, who would be responsible for the huge storage and
preservation costs of these voice communication? In the United States,
statutes on wire tapping or lawful interception require that the
government reasonably compensates individuals for expenses incurred for
providing facilities and technical assistance in wire tapping
activities. In Canada, service providers are provided with some costs
savings for their networks whilst in Netherlands, the government had to
grant some moratorium on compliance and waiver when some service
providers faced bankruptcy as a result of the huge technological costs
of ensuring compliance. Requiring the service providers to alone bear
these expected huge costs would mean that the customers in Nigeria would
ultimately bear the costs.
A fifth concern is the requirement by this Bill for service providers to
deliver intercepted communications and data to locations of law
enforcement agencies which naturally would be outside those of the
service provider. There are no procedures for securing and or
guaranteeing that these external deliveries would not compromise the
network of the service providers or the civil liberties of individuals
by persons other than the authorised service providers. There is
currently no available evidence of serious hacking into the networks of
the service providers in Nigeria even though there is available
literature on the internet that there are technologies with which GSM
communications can be monitored without the knowledge of the parties or
of the service providers.
A sixth major concern with this Bill is that it imposes further duties
of assistance in the identification, apprehension, legal prosecution,
trailing and confiscation of proceeds of offenders for cyber crimes and
unlawful interference with communications on the service providers and
other relevant body corporate. These are onerous law enforcement
responsibilities sought to be imposed on private businesses especially
as there are also serious security risks of injury from the offenders
that service providers and relevant body corporate may be ill equipped
to provide for themselves.
A seventh concern is the requirement that in special circumstances a
service provider or body corporate could be required to release
information without a court warrant. There are no procedures for
ensuring that this would only occur in cases of extreme emergencies and
that immediately information is obtained, an equally urgent effort would
be made to secure a court warrant as is done in the United States for
example.
An eight concern with this Bill is the provision that the President of
the Federal Republic of Nigeria could direct the law enforcement
agencies to make such rules and regulations giving effect to the
provisions of this Bill. This provision appears to be an over
concentration of powers on the executive arm of government. Also, this
provision appears to be making the law enforcement agencies both the
accusers and the judge in relation to their own procedures? An
independent body should be constituted for this and other aspects of
giving full effect to this Bill.
Conclusion
It is necessary that further amendments are made to this Bill before it
is passed into Law. International conventions on human rights
preservation to which Nigeria is a signatory must be respected. Full
definitions of key words like " . any other lawful authority ",
"content", etc is highly recommended. An independent body should be
constituted to oversee and interface between the executive, law
enforcement agencies and the Nigerian parliament on the activities of
cyber crime enforcement and applications in Nigeria. Provisions should
be made for compensatory damages to be paid to citizens whose rights are
infringed in any way by any interception activity found to be either
wrongful or unwarranted. Further enlightenment of the members of the
public on the application of this Bill and the civil liberties of
citizens is also recommended as many Nigerians are not aware that this
Bill is before the National Assembly.
Copyright 2006 This Day. All rights reserved. Distributed by AllAfrica
Global Media
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Fri Oct 20 2006 - 03:05:37 PDT