Nigerian Cyber Crime and Privacy Legislation: Time for Review (Part 2)
Privacy of Electronic Communications Directive (EU 2002)
This Directive repeals the Telecommunications Data Protection Directive (97/66/EC) and imposes certain obligations on telecommunications companies and service providers. One of the new developments of this Directive is that it extends controls on unsolicited direct marketing to all forms of electronic communications, including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones.
It is to be noted that the Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community.
A brief introduction to the salient points shows how the Directive aims to ensure fundamental human rights and freedoms, particularly the right to privacy, for subscribers of electronic communications:
Security Measures
The Directive provides that communication service providers should adopt adequate security measures both from a technical and organisational point of view that are commensurate with the risks that can accrue.
With the spate of recent high profile security breaches, it is paramount that telecommunications providers implement adequate logical and physical security measures to ensure that data under their control is safe from unauthorised access, which may lead to loss of privacy. The Directive goes further, providing that users should be made aware of risks that are beyond the control of the service provider.
Confidentiality of Communications
In its attempt to maintain the privacy of personal information, the directive requires service providers to ensure confidentiality of communications. This, the directive states, can be attained by ensuring that communications over public telecommunications lines are free from interception and tapping, save in the instance of lawful interception. The article also provides that where communication networks are used in the processing of data, the data subject shall be informed why this is being carried out. The data subject has a right to refuse such processing.
Caller and Called Line Identification
It is to be noted that an individual’s telephone number is personal data, going by the meaning given in data protection legislation. In order to protect this, the directive further provides privacy rules in relation to caller and connected line identification. Here the directive states that subscribers must be given the possibility of withholding the identification of their telephone numbers when making a call, along with being able to reject incoming calls where the incoming caller has refused to show their number.
Location Data Restrictions
Where the repealed telecommunications privacy directive only related to calls in circuit switched connections such as is found in traditional voice telephony, the new directive covers all kinds of traffic data as generated by users of mobile communication devices.
Location data is a valuable tool in the mobile phone sector for identifying the location of an individual. Its use can be illustrated by the Danielle Jones case in the UK: in the hunt for the missing girl, it was identified that calls purportedly from her phone to her uncle (later convicted of her murder) were in fact being made by her uncle from a single location.
Emergency and Nuisance Calls
An exception to the privacy of caller line and location data is provided for in article 10, where the elimination of calling line identification and location data is sanctioned to trace nuisance calls, and where location data may be revealed on a temporary basis, but only to emergency services.
SPAM
Unsolicited mail (also known as Spam) has become a major problem; it causes loss of work productivity and is also an invasion of privacy.
The directive, in recognising the harmful effects of Spam, provides that there shall be no automated communication using electronic mail or faxes for the purpose of direct marketing without the consent of the data owner. The purpose of the directive in relation to SPAM is to make sure that EU member states strengthen data protection measures in relation to SPAM. The EU legislation supports the opt-in rather than the opt-out approach.
National Security
There are certain situations that may lead to events that make safeguarding the privacy of communications a secondary issue. Such situations are where national security is at risk and where criminal investigations are being carried out. Where these are determined to be taking place, law enforcement agencies may, on having obtained permission from appropriate bodies, breach the data subjects’ right to privacy of communications in their investigations of such events. It is to be noted that the legislation also allows for data to be retained for limited periods of time during the investigation of such situations.
Digital Millennium Copyright Act (US 1998)
The Digital Millennium Copyright Act was signed into law on October 28, 1998. It amended the United States Copyright Act, Title 17 of the U.S. Code, to provide in part certain limitations on the liability of online service providers (OSPs) for copyright infringement.
The DMCA is divided into five titles:
Title I, the “WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998,” implements the WIPO treaties.
Title II, the “Online Copyright Infringement Liability Limitation Act,” creates limitations on the liability of online service providers for copyright infringement when engaging in certain types of activities.
Title III, the “Computer Maintenance Competition Assurance Act,” creates an exemption for making a copy of a computer program by activating a computer for purposes of maintenance or repair.
Title IV contains six miscellaneous provisions, relating to the functions of the Copyright Office, distance education, the exceptions in the Copyright Act for libraries and for making ephemeral recordings, “webcasting” of sound recordings on the Internet, and the applicability of collective bargaining agreement obligations in the case of transfers of rights in motion pictures.
Title V, the “Vessel Hull Design Protection Act,” creates a new form of protection for the design of vessel hulls.
Amongst the DMCA’s salient points are the following:
Makes it a crime to circumvent anti-piracy measures built into most commercial software.
Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
Permits the cracking of copyright protection devices to conduct encryption research, assess product interoperability, and test computer security systems.
Provides exemptions from anti-circumvention provisions for non-profit libraries, archives, and educational institutions under certain circumstances.
In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.
Service providers, however, are expected to remove material from users’ web sites that appears to constitute copyright infringement.
Limits liability of non-profit institutions of higher education — when they serve as online service providers and under certain circumstances — for copyright infringement by faculty members or graduate students.
Requires that “webcasters” pay licensing fees to record companies.
Requires that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while “maintaining an appropriate balance between the rights of copyright owners and the needs of users.”
Subsection 512(c) of the Copyright Act provides limitations on service provider liability for storage, at the direction of a user, of copyrighted material residing on a system or network controlled or operated by or for the service provider, if, among other things, the service provider has designated an agent to receive notifications of claimed infringement by providing contact information to the Copyright Office and by posting such information on the service provider’s website in a location accessible to the public.
The provision of information to the Copyright Office about the service provider’s designated agent is a condition for reliance on the limitations on liability for service providers.
As can be seen, a number of legislations have been enacted within the last ten years aimed at countering the growing menace of computer related crime. In the same measure there has been a similar surge in privacy laws aimed at getting government and corporate bodies that use our personal information to implement appropriate technical and procedural measures to safeguard it.
The laws identified here are by no means the only legislations dealing with cybercrime and privacy; rather, they have been identified by the author to provide a backdrop from which Nigerian law makers can garner suggestions for bringing our laws up to date.
Nigerian Cybercrime Bills Reviewed:
This section of the article analyses the two Draft Bills with a view to highlighting the impact these will have on governments, corporate organisations and individuals. It also emphasises areas which, in the author’s opinion, require review and amendment. It rounds up with a suggestion for a total revamp of the Drafts and adoption of a new cybercrime framework.
As stated at the beginning of this article, two cybercrime Bills have been drafted. A critical analysis of the draft Bills highlights disparities with the global legislations already discussed.
The first draft of the Bill, titled “Computer Security and Critical Infrastructure Protection Bill” 2005, raises a number of issues. Before delving into these gaps, let us look at some key words and their implications.
The words “Critical Infrastructure” are very significant and bring about a number of issues for debate. The first being, how do we determine infrastructure to be critical?
There are a number of questions to ask and points to be raised before infrastructure or systems are deemed critical.
One such issue relates to the type of data held by the infrastructure or system. We need to determine what type of data it holds and the potential impact of any change or security breach.
The effect of the Bill will mean that prior to any system being defined as critical, risk assessments on a wide range of issues, including exposure to Terrorism, Business Continuity, and Unauthorised Access will need to be undertaken to determine the impact levels against information Confidentiality, Integrity and Availability.
If these have not been undertaken and defined then it will be unwise to label any infrastructure or system as being critical.
Another question we need to ask is: is critical infrastructure the only environment the law will apply to when it is passed? Are we indeed stating that computer crime legislation is not to be applied to other areas, i.e. home users and non-critical infrastructure? It would be appropriate for the Bill to cover all environments that could be impacted by computer crime and privacy issues.
The definition of Critical Infrastructure should be outlined in the Interpretation section to avoid confusion.
In the author’s opinion, while the title of the Bill is wide the sections do not go deep enough to encompass the issues that a Computer Security Bill or a Critical Infrastructure Bill should include.
A comparative analysis between the first draft of the Bill and European and US computer crime and data protection legislation identifies a number of gaps. Notable among these are the following:
No definition of what constitutes personal data;
No identification of the right to privacy;
No definition of what constitutes data subjects’ rights;
No appointment of a regulatory body to redress breach (i.e. a Data Protection Commissioner);
No identification of the fact that organisations can also breach data protection rules;
No provision for circumstances where the personal data needs to be utilised without the consent of the data subject;
No provision, definition, or mandatory requirement of technical measures to mitigate data protection breaches.
There is also a lack of security breach requirements.
A critical analysis of the second draft, titled “Cybersecurity and Information Protection Agency Bill” 2008, shows that while it is much better in its ambit, it still has a number of gaps and illustrates the challenges Nigeria faces when it comes to understanding and implementing adequate and sufficient computer crime and privacy legislation.
There are a number of sections within this Bill that will need to be amended, removed or added to, before it can be deemed an appropriate and up to date legislation to deal with computer crime related activity as applies in the 21st century.
Second Draft Overview
The new Bill is made up of 37 Sections; the following highlights the themes of its sections.
The first 6 sections of the Bill provide for the establishment of a cyber security and information protection agency, along with staffing requirements.
Sections 7-23 see the introduction of new computer related offences and associated punishments on conviction. These include, but are not limited to, unlawful access to computers, unauthorised disclosure of passwords, fraudulent email and spamming, computer fraud and data forgery, system interference, misuse of devices, impersonation and fraudulent access.
Sections 24 and 25 introduce critical information infrastructure, audit and offences.
Section 27 looks at civil liability.
Sections 28-30 identify jurisdiction, powers of court, and authorised officer search and arrest.
Sections 31 and 32 make way for electronic evidence and tampering with computer evidence.
Sections 33-36 introduce the Agency’s powers of prosecution, forfeiture of assets and payment of compensation.
Section 37 rounds up with definitions.
Sections for Review
There are a number of issues that need to be raised in relation to this Bill; I shall now look at sections for review and amendment along with their impact.
Section 9
Section 9 relates to Unsolicited Commercial e-mail (UCE), Unsolicited Bulk e-mail (UBE) or fraudulent email messages and spamming. Fraudulent email Spamming has for a long time been the scourge of Nigeria’s reputation.
This section is a welcome development in attempting to reverse Nigeria’s somewhat tarnished Internet image. There will need to be collaboration between appropriate authorities to let all countries and bodies know that we have introduced this as a way of combating the issue.
The inclusion of this section will have the impact of showing that we have an understanding of the problem and could go a long way in reversing the tainted image.
Subsection 3 states that persons who do not have commercial or transactional relations with receipts should not send spamming commercial messages.
This subsection may need to be amended to include wording to the effect that spammers should include in their message headings warnings/notices that the message sent is spam. This will be in line with other legislations on the issue.
It should be mentioned here that not all spam messages are illegal. Indeed, while many messages can be deemed to be a waste of people’s time and are basically advance fee fraud, some of them actually provide informational and commercial benefit.
As such what the Bill should provide is wording to the effect that anyone sending spam should let recipients know that the message is spam. This will allow recipients a choice of whether to read or delete it when it arrives in the mailbox. Users can then configure their emails so that spam messages automatically get sent to their deleted email folders.
The subsection should then state that persons who do not warn that they are sending spam messages will be liable to the penalties for non-compliance.
A few words will need to be changed and defined; for instance, the word “receipts” should be “recipient” and the word “He” should be changed to “They” to include both males and females.
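To show what the labelling requirement proposed above buys the recipient, here is a small mail-routing rule written as an added example; it is not code from the article or from any Nigerian Bill. The label conventions it checks (a “[UCE]” subject tag and an “X-Unsolicited: yes” header), the contact list standing in for “commercial or transactional relations”, and the sample messages are all constructed assumptions. Labelled spam is filed straight to the deleted folder, and unlabelled mail from an unknown sender is set aside for review rather than silently dropped, so a message that breaches the labelling rule is kept as evidence instead of disappearing.

```python
"""Route incoming mail on an explicit "unsolicited commercial mail" label.

Added example, not from the article or any Bill. The label conventions
(SUBJECT_TAG, LABEL_HEADER), the contact list and the sample messages are
constructed for illustration only.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed label conventions a Bill could mandate (hypothetical).
SUBJECT_TAG = "[UCE]"
LABEL_HEADER = "X-Unsolicited"

# Constructed sample: addresses the recipient already has a relationship with.
KNOWN_CONTACTS = {"accounts@examplebank.test", "friend@example.test"}


def is_labelled_unsolicited(msg: Message) -> bool:
    """True if the sender declared the message as unsolicited commercial mail."""
    subject = msg.get("Subject", "")
    if subject.strip().upper().startswith(SUBJECT_TAG):
        return True
    return msg.get(LABEL_HEADER, "").strip().lower() == "yes"


def route_message(raw: str, known_contacts=KNOWN_CONTACTS) -> str:
    """Return the folder a raw RFC 5322 message should be filed in.

    - Labelled unsolicited mail goes to "Deleted" (the recipient's choice,
      as the article describes).
    - Unlabelled mail from an address with no existing relationship goes to
      "Review": it may be a breach of the labelling rule and is kept, not lost.
    - Everything else goes to "Inbox".
    """
    msg = message_from_string(raw)
    if is_labelled_unsolicited(msg):
        return "Deleted"
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in known_contacts:
        return "Review"
    return "Inbox"


# Constructed sample messages (not real mail).
LABELLED = """From: promo@shop.test
To: user@example.test
Subject: [UCE] Weekend discounts
X-Unsolicited: yes

Buy now.
"""

HEADER_ONLY_LABEL = """From: promo@shop.test
To: user@example.test
Subject: Weekend discounts
X-Unsolicited: yes

Buy now.
"""

UNLABELLED_UNKNOWN = """From: offer@unknown.test
To: user@example.test
Subject: Congratulations, you have been selected

Contact us to claim your funds.
"""

FROM_CONTACT = """From: accounts@examplebank.test
To: user@example.test
Subject: Your monthly statement

Statement attached.
"""

if __name__ == "__main__":
    samples = [("labelled", LABELLED), ("header only", HEADER_ONLY_LABEL),
               ("unlabelled unknown", UNLABELLED_UNKNOWN), ("contact", FROM_CONTACT)]
    for name, raw in samples:
        print(f"{name}: {route_message(raw)}")
```

The point of the rule is that a mandated label makes the first decision deterministic: no content heuristics are needed to recognise mail the sender has declared to be spam, and the heuristic part is reduced to the simpler question of whether an unlabelled message came from someone the recipient already deals with.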
Section 11
Section 11 introduces the system interference offence; this recognises the fact that an authorised person can commit an offence if they exceed their authorised duties.
This has the potential to impact anyone who in their course of work configures information technology or telecommunications systems.
The introduction of this section will have an impact on the way organisations, staff and third parties develop operational and disciplinary policies and procedures.
It will indeed lead to organisations defining and developing roles and duties matrices along with putting appropriate change control policies in place.
This will include Human Resources designing induction packs for new starters so that they are aware of their obligations. It will also lead to organisations having to retrain staff on the issues, so that they are aware of the disciplinary aftermath of any unauthorised actions.
It will also impact companies that specialise in conducting security penetration and vulnerability testing, and will call on them to ensure systems they are testing for loopholes and vulnerabilities have a defined scope when conducting their tests, otherwise they could be sued under the provisions of this section in the event that networks and systems outside of the scope are affected by their tests.
The section will undoubtedly lead to organisations including warnings to their staff that they can be prosecuted under this law in the event that they in any way act maliciously towards the organisation in the operation of their duties.
This is especially necessary given the fact that a majority of system interference cases are caused or initiated by insiders or third parties that have confidential knowledge about an organisation’s environment.
Section 15
Section 15 (1) relates to data retention. It is to be noted that there are some concerns associated with this subsection that need to be discussed.
Firstly, Nigeria does not have a Data Protection Legislation. It is to be noted that one of the principles of Data Protection is that personal data should not be kept for longer than is necessary.
This then brings to question the absence of Data protection requirements within the draft Bill.
Bearing in mind that the Bill provides for the establishment of an Information Protection Agency, one would have thought that requirements about how personal information is to be handled from a legal perspective are spelt out.
It is therefore recommended that a section be introduced within the Bill which makes it a requirement for organisations to adhere to Data Protection principles. This should then be followed by a section within the Bill which introduces Data Protection principles and the penalties for non-compliance.
A note on data protection: This is one of the key legislations Nigeria will need to enact, if it really wants to be a player in the extremely lucrative outsourcing space.
A lot has been written and discussed about making Africa an outsourcing outpost, with great debates about technologies and infrastructure required to be in place before that can happen. It has to be mentioned however that without the appropriate legislative framework in place, we will not be able to hit first base. It is the author’s very strong suggestion that we include provisions for data protection in our legislations before discussing the types of technology, data centres and other infrastructure required for us to partake in outsourcing.
As an example, one of the principles of the European Data Protection Directive is that Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Now bearing in mind that processing of personal data constitutes a large segment of outsourcing, it makes a clear cut case for Nigeria to implement the legislation first before trying to identify what technologies are required.
Another point to note is that the Bill does not provide guidelines stipulating how long various types of data may be retained.
The impact of the data retention section is that, in the event that time-frames for keeping data types are not set in stone, ISPs and other organisations will need to ensure they have adequate backup and data storage facilities, including policies and procedures for keeping information. This will without a doubt raise privacy, security and costing issues.
In relation to costs, the key question is who will bear the burden of these costs: government, or the organisations requested to retain the data? ISPs will therefore need to look at how this piece of legislation will impact their operations from a cost perspective.
An immediate impact of the retention issues will be in relation to the SIM Card registration directive. For example, in the event that a subscriber is no longer a customer of a telecommunications service provider, how long will their data be kept with that ISP?
Under Data Protection Laws, the information should be deleted once the customer notifies them of the fact. Is this something that has been identified for the SIM card personal details retention?
Subsection (4), which states that ISP data retrieved for law enforcement agencies shall not be utilized without consent of the individual to whom the data applies, is quite intriguing.
The wording in this section will definitely need to be rephrased as in its present state it can be interpreted that if a suspect under investigation by law enforcement agencies does not consent to their data being accessed, then that data cannot be used.
Section 18
Section 18 introduces obligations on service providers to assist law enforcement agencies in identifying offenders. It should be noted that due to the fact that many breaches are internal breaches, there should also be an obligation on all organisations to develop, implement and ensure enforcement of industry standard policies, processes and procedures for computer related breaches.
Section 24
One of the most controversial and potentially dangerous sections in this Bill and one which should raise National security concerns is section 24. This section stipulates that information about critical infrastructure will be published in a gazette.
This will definitely need to be reworded. In a time of state sponsored hacking along with terrorism and Cybercrime attacks, the last thing we need to be doing is publishing information about our critical infrastructure in gazettes for public consumption.
From my experience as a government risk assessor accrediting government systems, I can state here that we need to adopt a “need to know” policy in relation to government systems whereby only persons who have been vetted appropriately have access to such information.
Placing critical infrastructure information in a gazette is not a smart idea. Rather it shows a lack of understanding of the risk, threats and vulnerabilities that may accrue to critical systems. If this is the only recommendation that gets reviewed and amended from this Bill then for National Security reasons alone, it is justifiable.
Section 24 (2b) mentions procedural rules and requirements for securing the integrity and authenticity of data or information. This should be amended to include the confidentiality and availability of information.
Confidentiality, Integrity and Availability are the cornerstone principles for information security and will need to be identified when carrying out impact assessments in relation to what will be affected when classifying systems for criticality.
There also needs to be an obligation placed on organisations that suffer a security breach of personal information to declare such breaches. This will allow persons affected to take necessary actions to prevent further loss and negative impact on them.
Development of The Nigerian Cybercrime Framework
Above are a number of points that can be raised in relation to the gaps in the adequacy of Nigeria’s computer crime Bills.
While a review and amendment may make it more meaningful, I believe we need to take the proverbial bull by the horns and develop a list of legislations that will form our Cybercrime Framework to replace the current Bills.
This may be difficult due to the tedious nature of passing legislation in Nigeria. It is however recommended that the legislative and Senate committees tasked with combating crime take this issue to the forefront of their initiatives, with a view to enacting it within a twelve month period, and ensure that the best brains on the issue, not only from a legal and technical point of view but also in terms of experience, are actually consulted and involved in the process.
This is necessary so that we generate appropriate sections and wordings as well as anticipate what technologies are on the horizon so that the laws that constitute the framework are not obsolete and ineffective when passed.
This framework should comprise the following:
Computer Misuse
Data Protection
Data Retention
Electronic Commerce
Information Security
Lawful Interception
Impact of the legislation
Nigerian lawyers are undoubtedly losing out on lucrative cases due to the lack of legislation on cybercrime. It should be noted that a number of opportunities to challenge financial institutions for negligence in the implementation of online banking and the roll out of ATM cards, which has led to customers losing money, have not been taken, due either to a lack of understanding of the issues or to lawyers and judges not being adequately trained in information technology related issues.
With the advent of these legislations will come the need for universities, schools of higher learning and academic institutions to devise specific courses designed to allow the next generation of Judges and Lawyers become skilled in what is a challenging but lucrative area.
It is the author’s opinion that technology law needs to be on the curriculum of all Nigerian law faculties; as a minimum, the following modules need to be mandatory to enable law students to grasp the basics of the issues when dealing with the laws relating to technology:
New Technology Law Syllabus:
Computer Misuse
Data Protection
Data Retention
Electronic Commerce
Information Security
Information Technology
Internet
IT Contract Negotiations
Lawful Interception
Telecommunications
Current Judges and Lawyers will also need to become familiar with these issues through cross training, in order to be able to get up to speed with the intricacies of computer crime so that they can take on cases and pronounce judgements.
Benefits of implementing this Framework:
The implementation of these laws will also allow us to tackle computer related criminal activity in a more structured manner.
The laws will provide defined guidelines as to what constitutes unacceptable behaviour while using computers, with defined penalties for breach.
The implementation of these laws will also allow us to join the European Convention on Cybercrime.
This will give us a major boost from a reputational perspective. Many of us are also aware that Nigerian related IP addresses have been blocked by credit card companies; putting these laws in place can go a long way in showing that we have the base apparatus for dealing with credit card fraudsters once they are apprehended. This can be used as a tool in negotiations to remove such IP blocks, so that truthful and non-fraudulent Nigerians can partake in the billion dollar e-commerce trade from their homes.
From an economic perspective, one of the aims of the 2020 vision is to see Nigeria become recognised as a growth economy with similar growth patterns to the BRIC countries (Brazil, Russia, India, and China).
A lot of discussion has taken place on the impact technology will have in accelerating this aim. It must however be mentioned that the current legal framework will need to be overhauled to meet the changes and challenges that technology will bring, and for that purpose we need to revamp our technology related laws if we are to meet the 2020 vision aims.
We have seen the impact of telecommunications and the interest it has received from foreign telecommunications companies and investors. The development and implementation of these laws can allow the same response from technology companies and investors.
The offshoot of this is job opportunities for Nigerians and the development of new services and technology related products for the benefit of all.
With the development of these laws, we will be seen as a nation that does not solely depend on oil, but rather as one that wants to embrace and diversify into the new areas of technology. It will enable us to showcase our move into technology governance from a sound legal base thus providing us a positive image.
Conclusion
It is imperative that we get these legislations right, as there are a host of other African countries that are looking to implement similar legislative frameworks. We need to be leading by example as the self-styled Giants of Africa.
Nigeria cannot afford to be in anything but first place as the potential rewards from an outsourcing perspective are there for the taking to the country that is chosen to spearhead the African outsourcing renaissance.
It should be noted that it is the absence of appropriate computer crime and privacy legislation rather than the lack of technology that prevents us partaking in this area.
We should also note that we are not alone in trying to implement these types of laws and are by no means in a unique position in Africa. Indeed many African nations are in the development stages of rolling out their technology laws.
We are in an arms race; it is my forecast that it is the country that develops the most cohesive set of laws in this area that will be spotlighted for outsourcing opportunities. The time has come for us to be accounted for; we urgently need to implement these laws to rejuvenate our economic chances for the future with the possibility to become true powerbrokers in this area.