CHAPTER THREEPROSPECTIVE LAWS ON CYBER CRIME IN NIGERIA3.1 INTRODUCTIONThe impact on cybercrime in Nigeria, especially its economy has been proved to be negatively huge, and the lack of a single legislation tackling this menace has largely also contributed to the increase of this practice. In Nigeria, the major type of Cybercrime being committed is the computer fraud, popularly known as 419 or yahoo yahoo, with the EFCC Act, the Advanced Free Fraud Act and the Criminal Code has proved to be effective in tackling this issue. In 2012, EFCC reported they had convicted more than 288 persons for various cases of cybercrime[footnoteRef:1]. In the area of computer-related offences and Money Laundering, Nigerias Legislation has shown, to be effective but there are other types or classifications of cybercrime which are also being committed but our laws are insufficient in tackling them. Examples of such other classification of Cybercrimes include Hacking, Cracking, Phishing, Data Espionage and Cyber stalking, Cyber bullying, Child pornography etc. It is the known fact that the world keeps evolving thereby creating new kinds of trends in the world, and Nigeria as a country is not left out in this evolution. The world is in Technology era, where almost everything is done digitally, including the storing of High-Class information of the Government and inadequacies of laws to protect such information from falling into the wrong hands by Hackers and failure to punish such crime can cripple or destabilise such a nation, as it will give such criminals the incentive to continue such crime. This view was also expressed by the Director, New Media and Information Security, Nigerian Communication Commission, Sylvanus Ehikioya, in an interview: [1: O. Adeniyi Over 288 persons jailed in Nigeria for Internet fraud, EFCC says Technology Times Online Available at: http://www.technologytimesng.com/news/2012/04/over-288-persons-jailed-in-nigeria-for-cybercrime-efcc-says/ Accessed: (1/8/2013)]

For the Nigerian government, to a very large extent, we are protecting our systems, using the best practice. But until we pass the Cyber Security Bill, there is nothing that the Nigerian government can really do. Because, as of now, if you hack into any computer system, you cannot be prosecuted because there is no enabling act,[footnoteRef:2] [2: The interviewed can be read online on the PREMIUM TIMES NEWSPAPER Website available at: http://premiumtimesng.com/news/124330-nigerian-not-ready-to-fight-cyber-crime-ncc.html Accessed: (4/7/2013)]

This means that the major inadequacy of Nigerian laws in tackling cybercrime is the absence of a Central Legislative Framework in tackling the crime. The Constitution clearly states that: no person shall be convicted of a criminal offence except it is defined and the penalty therefor is prescribed in a written law.[footnoteRef:3] This section proves that a non-legislated crime cannot be punished in Nigeria and the effect of this is that, crimes which are usually prohibited in the real world, will escape liability in the Cyber world where there is no single legislation in that area. [3: See Section 36(12) Constitution of the Federal Republic Of Nigeria 1999 Cap. C23 L.F.N. 2004 ]

Another inadequacy in our Legal Framework is the out-dated laws currently in use and used in prosecuting crimes. Nigerias current laws are mostly old and enacted before the use of the internet in Nigeria[footnoteRef:4] and never envisaged the use of the internet to commit specific computer crimes such as Hacking, Phishing, Cracking, use and sale of tools for hacking and cracking. There is also no law restricting the creation of computer viruses whether or not they are used to exploit computer users. This view was enunciated by Adejoke Oyewumi, [4: An example of such law is Criminal Justice (Misc. Prov) Act. The deficiencies of this Act are visible in the provisions of Section 7(1) and (2) which puts prosecution at the instance of the Attorney-General of the Federation. According to David Ashaolu, in Combatting Cybercrimes in Nigeria op cit. note 84 supra pp.28With that office being more politically concerned than it is with the administration of justice, prosecution may never happen and the hilarious fine of N500 makes it seem to me like this obsolete law is more of a toothless dog. Another insufficiency evidenced in the Criminal Procedure Act is the provision of Section 171 which discourages the conviction of an offence twice. According to David Ashaolu, Ashaolu, the rationale behind this provision hangs in the balance of reasoning as the effect of a crime being committed eventually and the resultant damage is far greater than that of its attempt. For example, a person convicted of attempting to disseminate a virus or malicious code will definitely serve a lesser punishment than if he had actually disseminated it. Where, unknown to the law enforcement agents at the time of his arrest, he had released the virus and the brutal effect had been found out later, he technically escapes proper punishment]

The fact however, is that there is a limit to which laws, which were promulgated in a different technological and socio-economic context, can adequately cater for the new technological realities presented by ICTs. It thus becomes necessary for legal rules to be developed to tackle the issues and challenges brought about by ICTs, in order to promote public confidence, maximise the benefits of the technology and encourage wider acceptance and use by individuals as well as private and public organisations[footnoteRef:5]. [5: A. O. Oyewunmi, The Ict Revolution and Commercial Sectors in Nigeria: Impacts and Legal Interventions (2012) British Journal of Arts and Social Sciences Vol.5 No.2 pp.235]

There are a lot of crimes that now being perpetuated through the use of the internet or ICT, that Nigerian law are not adequately equipped in tackling them, or there are no direct laws restricting and criminalizing the access to certain websites engaged in criminal activities such as Child Pornography, Hate Speech and Offences against public morality. There are three main characteristics that differentiate traditionally terrestrial crimes from cybercrimes. First, the absence of physical barriers such as customs to enter or exit the World Wide Web allow netizens[footnoteRef:6] to roam freely within it and to visit web pages wherever their origin. In turn, this means that the actions and potential victims for cyber-criminals are not geographically limited. Hence, for example, the randomness and volume of emails sent in the attempt to perpetrate scams online, most famously the Nigerian scam involving advanced fee fraud. Second, the cyber realm affords the cloak of anonymity, fakery and deception much more easily than the physical realm. This is even more so if the entire criminal transaction can be performed electronically without the need for physical manifestation[footnoteRef:7]. Third, traditional evidence gathering techniques are not effective because cyber-criminals can execute their schemes without being physically present and they can do so through automatic agents. These pose unique challenges to law enforcement and criminal investigations and forensics. They all contribute to the electronic medium as an attractive tool for criminal activity, over and above the speed, ease of use, low costs (e.g. no need for the middleman) and efficiency of the digital realm. [6: Netizen means Internet user: somebody who uses the Internet frequently. Microsoft Encarta Microsoft Corporation. 2009] [7: For example, electronic communications can lead to online money transfers for the sale and purchase of digital products and services that can be delivered electronically without the need for any physical contact or movement at all]

With all these inadequacies of Nigerias current legal framework including the unavailability of public infrastructure and personnel to fight cybercrime in Nigeria known to the government, different Bills have sprung up to enable Nigeria rise up to the task and eradicate or reduce the threat and rate of cybercrime in Nigeria. In the past decades more than 5 different Bills, either sponsored by the executives or the legislature, have been raised in the National Assembly but none has been enacted. It is in this light that this chapter aims to examine the provisions of these bills, which have been brought before the National Assembly these past years and how they help in reduce or eradicate the threat or rate of cybercrime in Nigeria.

3.2 BILLS ON CYBERCRIME3.2.1 DRAFT NIGERIAN CYBERCRIME ACT 2004[footnoteRef:8] [8: Titled Nigerian Cybercrime and Cybersecuirty Act 2004. In 2004, the Former Nigerian President, Olusegun Obasanjo announced the formation of a Cybercrime committee. The 15-member committee consisted of representatives from the both Government and private sector, and were tasked with designing solutions for Nigerian Internet based fraud and Cybercrime. The committee presented a Draft Cybercrime Act to the Ex-President, and the committee formed the Nigerian Cybercrime Working Group (NCWG), to accelerate the implementation of its Cybercrime research efforts, and to assist the Nigerian National Assembly in the quick passage of a Cybercrime Bill.An essential document that came out of the closed door Presidential Committee on Cybercrime is the Draft Nigerian Cybercrime Act.]

This Bill was one of the first bills proposed to the National Assembly but was never enacted. The Draft Nigerian Cybercrime Act provides the legal framework for the establishment of an Independent Cybercrime Agency and for thelegislation concerning Cybercrime and Cyber-Security. Basically, the Draft Nigerian Cybercrime Act was divided into eight different sections namely: A) Preliminary, B) Offences, C) Protection & Security of Critical Information and Communication Infrastructure, D) Ancillary and General Provisions, E) Cybercrime & Cybersecurity Agency Establishment Of The Cybercrime Agency, Etc, F) Functions and Powers of The Agency, G) Management and Staff Of The agency, H) Financial Provisions. The preliminary section of this Bill has two topics: A) The title of the Act, which it called the Nigerian Cybercrime and Cybersecuirty Act 2004, and,B) The Interpretation sub section. The Interpretation section attempts to provide clear legal definition forkeywordsused in the body of the Act. One such definition is the word,Computer Contaminant which was defined as: any set of computer instructions that are designed to modify damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network. This definition of Computer Contaminant has been criticised and said to raise the issue of authorized access and malicious destruction of data and computing resource[footnoteRef:9], for example, if a person was granted security access to a Computer resource, and he writes a program to knowingly destroy or alter data in a manner contrary to the intended use of the data, is that program a contaminant? Another keyword, under the Interpretation Section is the word Computer Injury. The section defines Computer Injury asany alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access. The underlying issue also raised here, is that the definition does not seem to address the issue of Computer Injury that could result as a consequence of unauthorized disclosure of confidential information, theft of that information, and other forms of illegal use of data by an authorized or unauthorized person[footnoteRef:10]. The second issue that was also raised was about the Computer Injury term, is the harmonization of the definition with local and Intellectual property Laws. The section, also defines, Computer Security, as including: [9: F. Oyesanya Review Of Draft Nigerian Cybercrime Act Nigeria Village Square Available at: http://nigeriavillagesquare.com/articles/femi-oyesanya/review-of-draft-nigerian-cybercrime-act.html Accessed: ( 29/6/2013)] [10: Ibid]

software, program or computer device that: is intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system; and may display a warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access. Generally, Computer Security is said to have three attributes: confidentiality, Integrity, and availability, but the above definition did not take into account the other key attributes of Computer Security[footnoteRef:11]. The Interpretation Section also tries to define Computer Service as including: [11: Ibid]

Any and all services provided by or through the facilities of any computer system which is capable of allowing the input, output, examination, or transfer, of computer data or computer programs from one computer to another.There are three phrases of a Computer operation which are input, processing, and output, and the definition of Computer Service has been said to somehow skip the fact that data processing is a key component of Computer Service.[footnoteRef:12] [12: Ibid]

The Offenses Section of the Draft Cybercrime Act is the Criminal Law Part of the ACT. The section contains a lot of provisions that criminalises a lot of acts like:Unauthorized access to computer, electronic or ancillary devices, Access with intent to commit an offence, Unauthorized modification of the contents of any computer, Illegal communication using electronic messages, Illegal interception,Data interference, System interference, Misuse of devices, Denial of service, Email bombing, Computer trespass, Computer vandalism, Computer identity theft and impersonation, Attempt, conspiracy and abetment, Duties of Service Providers, Records Retention by Service Provider, Cybersquatting, Computer contamination, Cyber-terrorism, Intellectual Property, Soliciting a Minor with a Computer for Unlawful Sexual Purposes and Computer Offences against Minors and Other sexual offences.The System interference law, in the Offenses section declares:Any person who unlawfully produces, sells, designs, adapts for use, distributes, or offers for sale, procures for use, possesses any devices, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts relating to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item to contravene this Act, commits an offence and liable upon conviction to a fine not less than =N=1 million or imprisonment for a term not less than 3 years or to both such fine and imprisonment. This section has been criticised has failing to note that Computer Security professionals conducting security assessments sometimeshave a need to design or use products with the capacity for System penetration[footnoteRef:13]. According to this definition, Computer penetration testing tools, computer forensic tools, will become a System Interference.Also, Virus Software re-engineering process, which sometimes requires writing viruses and sometimes the disassembly of Software virus also, will be illegal in Nigeria.In this view this law will also hinder the Cybercrime Agency in performing its functions. Also the provisions on Email Bombing[footnoteRef:14] and Records Retention by Service Provider also have their criticism. The Email Bombing Law has been said to fail to accommodate the fact that legitimate Email marketing may produce the same effect of mail bomb to a single System.Whereas the Data Retention Law, as suggested by this Bill, has been said to potentially become a national security issue,[footnoteRef:15] as what would stop Political Parties from colludingwith ISPs and gaining access to confidential transactional records of political opponents? The provision states that: All service providers under this Act shall have the responsibility of keeping all transactional records of operations generated in their systems and networks for a minimum period of 5 years [13: Ibid] [14: The section provides that: Any person who uses a computer, computer network, computerized communications system, or the Internet to purposefully: a) send or induce others to send, massive amounts of electronic mail to a single system or person with the intent to interfere with the operating ability of recipient's computer system; or b) send an unreasonably large file attached to electronic Mail or multiple copies of identical messages to the recipient with intent of stopping or slowing the Recipients ability to retrieve mail; or c) subscribe the intended recipient without authorization to multiple Internet mailing lists resulting in the recipient d) receiving unwanted electronic mails: Commits the offence of email bombing under this Act and liable upon conviction to a fine of not less than =N=500,000 or imprisonment to a term not less than 2 years or both such fine and imprisonment. ] [15: ]

Professor Susan Brenner of the University Of Dayton School Of Law, published an Internet Web Site titled Model State Computer Crime Code[footnoteRef:16]. The site provides a model for various Computer Crime Laws that serves as template for Countries wishing to implement Cybercrime Laws. One sees a lot of word for word similarities between the Draft Nigerian Cybercrime Act and the works ofProfessor Susan Brenner. For example, the Email Bombing section of the Nigerian Cybercrime Act was essentially copied from the Web Site. [16: See http://cybercrimes.net/98MSCCC/MSCCCMain.html Accessed: (6/7/2013)]

3.2.2 COMPUTER SECURITY & CRITICAL INFORMATION INFRASTRUCTURE PROTECTION BILL 2005.[footnoteRef:17] [17: Titled A Bill For An Act To Secure Computer Systems And Networks And Protect Critical Information Infrastructure In Nigeria By Prohibiting Certain Undesirable Computer-Based Activities And For Matters Connected Therewith.]

This Bill seeks to create legal liability and responsibility for modern global crimes carried on over a computer or computer systems, i.e. the internet. in its self it prohibits crimes which are considered as classifications of cybercrime. Some of these crimes, which carry penalties of fines ranging from the average sum of N100, 000.00 (One Hundred Thousand Naira) to terms of imprisonment ranging on the average from six months imprisonment, include: Hacking and unlawful access to a computer or a computer network[footnoteRef:18]; Spamming - this is unsolicited mails fraudulent electronic mails[footnoteRef:19], etc.; Computer forgery[footnoteRef:20], Computer fraud[footnoteRef:21], system interference[footnoteRef:22], Identity theft and impersonation on the internet[footnoteRef:23]; Cyber-terrorism[footnoteRef:24], cybersquatting, misuse of computer for unlawful sexual purposes[footnoteRef:25], etc. [18: s.3] [19: s.5] [20: s.6] [21: s.7] [22: s.10] [23: s.11] [24: s.16] [25: s.18]

The Bill allows for the enforcement of its provisions by any law enforcement agency in Nigeria, to the extent of the agencys statutory powers in relation to similar offences committed, with or without, the use of a computer.[footnoteRef:26] Section 3 of this Bill makes it an offence for any person, without authority or in excess of such authority where it exist, to access any computer or access a computer for an unlawful purpose. This section generally prohibits unauthorised access regardless of the intentions of the person. It is also an offence for any person to disclose any password, access code or disclose any other means of access to any computer program without lawful authority[footnoteRef:27]. Section 12 of this Bill requires every service provider to keep a record of all traffic and subscriber information on their computer networks for such a period as the President of the Federal Republic of Nigeria may by Federal Gazette, specify. Service Providers are further required to record and retain any related content at the instance of any Law Enforcement Agency. It also allows any Law Enforcement Agency in Nigeria, on the production of a warrant issued by a Court of competent jurisdiction, to request a service provider to release any information in respect of communications within its network, and the service provider must comply with the terms of the warrant. In the protection of the privacy and civil liberties of persons, the Bill requires that all communications released by a service provider shall only be used for legitimate purposes authorised by the affected individual or by a Court of competent jurisdiction or by other lawful authority[footnoteRef:28]. The Bill makes it unlawful for any person to intercept any communication without the authority of the Owner of the communication and conviction for a breach of this provision is a fine of not less than N5Million or imprisonment for a period of not less than ten years or to both the fine and the term of imprisonment.[footnoteRef:29] Also it makes it mandatory for all Service Providers to ensure that their networks are accessible and available to enable law enforcement agencies, on the production of an Order of a Court of Law or of any other lawful authority, to intercept and monitor all communications on their networks, access call data or traffic, access the content of communications, monitor these communications uninterrupted from locations outside those of the Service Providers, provided that these convert activities are for the purpose of law enforcement.[footnoteRef:30] The bill also makes it an offence for a service provider to breach the above provisions on cooperation with the law enforcement agencies and they could be convicted or fined or both[footnoteRef:31]. This bill also confers both universal jurisdiction and the effect doctrine jurisdiction alongside territorial jurisdiction in the prosecution of the offences criminalised in the bill.[footnoteRef:32] The state and federal High court has jurisdiction to try offenders under the bill.[footnoteRef:33] [26: s.2 ] [27: s.4] [28: s.12(4)] [29: s.13] [30: Ibid] [31: Ibid] [32: s.24] [33: Ibid ]

3.2.3 THE CYBER SECURITY AND DATA PROTECTION AGENCY BILL 2008[footnoteRef:34] [34: Titled A Bill for an Act to Provide for the Establishment of the Cyber Security and Information Protection Agency Charged with the Responsibility to Secure Computer Systems and Networks and Liaison with the Relevant Law Enforcement Agency for the Enforcement of Cyber Crime Laws, and for Related Matters No. C 4445 (HB 154). Sponsored by HON. Bassey Etim; the major difference between this Bill and the Previous Bill discussed is the establishment of an Agency while latter did not provide for the establishment of an Agency.]

The Bill proposes the establishment of a body to be known as the Cyber Security and Information Protection Agency, to be charged with the duties of investigation of all cybercrimes, adoption of measures to eradicate the commission of cybercrimes, registration and regulation of service providers in Nigeria, and organisation of campaigns and other activities to create public awareness on the nature and forms of cybercrimes[footnoteRef:35]. The bill requires the agency to maintain a liaison with the office of the Attorney General of the Federation, and the Inspector General of the Police on the arrest and subsequent prosecution of the offenders.[footnoteRef:36] The Bill does not define what Cybercrime is but it also contains a number of provisions criminalising unlawful access to computers, unauthorised disclosure of access information or passwords, sending of fraudulent electronic mail messages and spamming, system interference, unlawful interception, Cyber Squatting, Cyber Terrorism and other forms of computer fraud and data forger, which are all under the various classification of cybercrime. [35: Proposed Section 4] [36: Ibid]

As to the provision that prohibits unlawful access to computer, states that:Any person who without authority or in excess of his authority accesses any computer for the purpose of: (a) securing access to any program; or (b) data held in that computer commits an offence and shall be liable on conviction: (/) in the case of offence in paragraph (a) of this subsection, to a fine of not less than N 10,000 or imprisonment for a term of not less than 6 months or to both such fine and imprisonment; (ii) For the offence in paragraph (b), to a fine of not less N1 00,000 or a term of not less than 1 year or to both such fine and imprisonment.An issue that comes up here is that this provision seems to criminalise any form of unauthorised access into a computer. It does not state what constitute an unauthorised access. In this case, if some uses the computer of another person without the authority of the owner, in other to use a computer program, for example Microsoft word, has committed an offence. The interpretation section[footnoteRef:37] of the bill does not help in resolving this vagueness in its definition of access and computer program. The section interprets access as includes gaining entry to, instructing, making use of any resources of a computer, computer system or networking. Computer program" means data or a set of instructions or statements that when executed in a computer causes computer to perform function. The definition of computer program here will include computer software and computer codes. [37: s.38]

The provision that prohibit the Misuse of devices is similar to that of System Interference Law of the Draft cybercrime bill of 2004, in that they both prohibit the misuse of certain devices. The bill states, in s.12, that:Any person who unlawfully produces, adapts or procures for use, distributes, offers for sale, possesses or uses any devices, including a computer program or a component or performs any of those acts relating to a password, access code or any other similar kind of data, which is designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill, commits an offence and is liable to a fine of not less than N l ,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.The criticism about the Draft Cybercrime Act on System interference also applies here[footnoteRef:38] and the exercise of this section will also hinder the Agency in performing its functions. [38: The criticism that the section fails to note that Computer Security professionals conducting security assessments sometimeshave a need to design or use products with the capacity for System penetration. Also Computer penetration testing tools, computer forensic tools, will become a System Interference.Also, Virus Software re-engineering process, which sometimes requires writing viruses and sometimes the disassembly of Software virus also, will be illegal in Nigeria.]

The Bill also criminalises the use of computers to violate any intellectual property rights protected under any law or treaty applicable in Nigeria, and making such punishable upon conviction, by payment of a fine of not less than one million naira or imprisonment for a term of not less than five years or to both such fine and imprisonment[footnoteRef:39]. Similarly, any person who, on the Internet, intentionally takes or makes use of a name, business name, trademark, domain name, or other word or phrase registered, owned or in use by any individual, body corporate or government agency without authority or right, or for the purpose of interfering with their use on the Internet by the owner, registrant or legitimate prior user, commits an offence, punishable on conviction by payment of a fine and/or term of imprisonment.[footnoteRef:40] This provision relates to the crime of Cyber Squatting. The criminalisation of acts against intellectual property may not be sufficient to provide succour to right holders, who may be more interested in civil remedies which afford the opportunity of pecuniary relief and compensation to the wronged party.[footnoteRef:41] This bill also confers both universal jurisdiction and the effect doctrine jurisdiction in the prosecution of the offences criminalised in the bill.[footnoteRef:42] The state and federal High court has jurisdiction to try offenders under the bill[footnoteRef:43] [39: s.21] [40: s.19] [41: A. O. Oyewunmi, The ICT Revolution and Commercial Sectors in Nigeria: Impacts and Legal Interventions (2012) British Journal of Arts and Social Sciences Vol.5 No.2 pp. 241] [42: s.28; The effect doctrine of Jurisdiction occurs when none of the constituent elements of the crime took place in the territory of the state that is asserting jurisdiction; rather, it is only the effect of a crime, which is planned and executed elsewhere, that is felt on its territory of the state that is felt on its territory. See Abass on international law pp.532] [43: Ibid ]

3.2.4 THE PROHIBITION OF ELECTRONIC-FRAUD BILL 2008[footnoteRef:44] [44: Titled: An Act To Provide For The Prohibition Of Electronic Fraud In All Electronic Transactions In Nigeria And For Other Related Matters Sponsored By Senator Ayo Arise]

The Bill seeks to prohibit all Electronic Fraud in Nigeria, unauthorized access to computer be it public or private, registration of Cyber cafe to ensure monitoring of such cybercafs[footnoteRef:45], interception of electronic messages[footnoteRef:46], wilful misdirection of E-messages for fraudulent purposes[footnoteRef:47], fraudulent issuance of E-money orders.[footnoteRef:48], sending obscene messages, manipulation of computer data[footnoteRef:49], purchase of forged E-cards[footnoteRef:50], falsification of E-data[footnoteRef:51], diversion of E-mail for personal gains in financial institutions, E-identity theft, E-card fraud, usage of fake E-access devices, manipulation of ATM/POS terminals, computer damage and for other related matters.[footnoteRef:52] Also financial institutions and their employees are criminally liable if they directly or indirectly engage in, or authorise the unlawful diversion of electronic mails, and they are also required to render monthly reports of attempted electronic fraud to the appropriate security agencies[footnoteRef:53]. In prohibiting unauthorised access into computers, the proposed section 3 seems to clearly state what will constitute unauthorised access. The section states that: [45: s.4] [46: s.8] [47: s.8] [48: s.13] [49: s.16] [50: s.19] [51: s.21] [52: See generally the Explanatory Memorandum] [53: s.25-28]

Whoever intentionally accesses a computer or electronic device without authorisation or exceeds authorised access and thereby obtains information contained in a financial database of a financial institution or a card issuer or contained in a file of a customer and or consumer, or information from any electronic device for any advantageous reasons without due authorization from the administrator or owner of such a device, or information from any department, ministry or agency of the government or obtain information from any classified computer of government shall be guilty of an offence and upon conviction shall be liable to a fine of 5 million Naira or imprisonment for 5 years or both.Also the Bill prohibits any person or body corporate to access computer and or electronic device to commit espionage; traffic in passwords for public, private and or financial institutions computer or relevant electronic devices; traffic in any password or similar information through which a computer may be accessed without authorisation with intent to defraud, copy financial institutions website, email customers with intention to defraud customers and financial institutions; and intentionally create computer worms to destroy government computer[footnoteRef:54]. Anybody who contravenes these acts shall be guilty of an offence punishable with a sentence of 7 years imprisonment or a fine of 5 million Naira or both.[footnoteRef:55] [54: s.1] [55: Ibid]

3.2.5 COMPUTER MISUSE BILL 2009[footnoteRef:56] [56: Titled: A Bill For An Act To Make Provision For The Safety And Security Of Electronic Transactions And Information Systems; To Prevent Unlawful Access, Abuse Or Misuse Of Information Systems Including Computers And To Make Provision For Securing The Conduct Of Electronic Transaction In A Trustworthy Electronic Environment And To Provide For Other Related Matters Sponsored By Senator Wilson Ake]

This Bill seeks to make provision for the safety and security of electronic transactions and information systems; to prevent unlawful access, abuse or misuse of information systems including computers and to make provision for securing the conduct of electronic transaction in a trustworthy electronic environment[footnoteRef:57]. This bill has similar provisions as that of the previous bills discussed above. It also does not criminalise Cybercrime but criminalises acts that are under the classification of cybercrime, such as unauthorized access;[footnoteRef:58] Unauthorised modification; Child pornography[footnoteRef:59]; unlawful interception; the production, sale, procurement, use, distribution or possession of any device including a computer program or component which is designed primarily to overcome security measures for the protection of data, or the performance of any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilize such item. It further stipulates a liability on conviction to an imprisonment for five years or to a fine of two thousand Naira or both as penalty for the contravention of this section.[footnoteRef:60] This Bill mainly focuses on the prohibition of any unauthorised access or unauthorised interception into a computer, access with intent to commit or facilitate commission offence. This Bill provides a clear instance of what securing access is,[footnoteRef:61] but just like the Cyber Security and Data Protection Agency Bill, it also prohibits general unauthorised access into a computer and its criticism also applies here. [57: See Explanatory Memorandum] [58: s. 8] [59: s.17] [60: s. 10] [61: See: s. 2]

It also addresses some of the procedural deficiencies of the existing framework by making provisions for search and seizure,[footnoteRef:62] the admissibility of electronic evidence in criminal proceedings[footnoteRef:63] and; territorial jurisdiction and universal jurisdiction.[footnoteRef:64] The Federal High Court by virtue of this bill has jurisdiction to try any offender under this bill.[footnoteRef:65] [62: s. 18] [63: s. 19] [64: s. 20] [65: s.21]

3.2.6 COMPUTER SECURITY AND PROTECTION BILL, 2009[footnoteRef:66] [66: Titled: A Bill For An Act To Establish A Legal And Institutional Framework For Securing Computers And Networks And Protecting Critical Information Infrastructure In Nigeria And For Matters Connected Therewith]

The Explanatory Memorandum of the bill state that:The Bill seeks to make provisions for- (a) securing computer and computer networks as well as critical information infrastructure in Nigeria; (b) offences and penalties relating to un lawful acts committed with the use of computers: and (c) the establishment of the Nigeria Computer Security and Protection Agency to provide legal basis and technical infrastructure for combating cybercrime in Nigeria.This Bill is divided into 9 Parts, they are: PART I Establishment of the Nigerian Computer Security and its Governing Board etc; PART II Functions and Powers of the Agency; PART III Management and staff of the Agency; PART IV Financial Provisions; PART V Offences; PART VI - Security And Protection Of Critical Information Infrastructure; PART VII - General Provisions; PART VIII - Legal Proceedings; PART IX Miscellaneous.The Bill provides of a Nigerian Computer Security and Protection Agency[footnoteRef:67] and the agency shall be a body corporate with perpetual succession and a common seal, it can sue and be sued.[footnoteRef:68] The provisions of this Bill are similar to that of the Cyber Security and Data Protection Agency Bill, with the difference in the introduction of the Part VIII concerning Legal Proceedings, for example, allowing the indemnifying of any member of the Board the Director General or any officer or employee of the Agency against any liability incurred by him in defending any proceeding whether civil or criminal, if the proceeding is brought against him as his capacity an officer of the Agency. Also the Bill recognises Civil Liability as regards acts criminalised by the bill. The proposed section 36 states that: [67: s.1] [68: s.2]

Notwithstanding any provisions to the contrary in any other enactment or law; any person who contravenes any provision of this Act may in addition to the penalty provided thereof, be liable in a civil suit.This provision is also similar to that of the cyber security and data protection bill, as an interested party can seek out civil remedies which will afford him/her the opportunity of pecuniary relief and compensations especially acts against Intellectual properties. Also the criticism also raised in the previous bill also applies here, especially that of the prohibition of unauthorised access. The same principle of jurisdiction provided for by the cybersecurity bill 2008 is the same principle also provided in this bill.

3.2.7 ECONOMIC AND FINANCIAL CRIMES COMMISSION ACT (AMENDMENT) BILL, 2010[footnoteRef:69]. [69: Titled: A Bill for an Act to amend The Economic and Financial Crimes Commission (Establishment Etc.) Act, 2007 to Facilitate the Investigation and Prosecution of Cyber and E-Payment Crimes and for Other Related Matters (HB C349). Sponsored By: Hon. Abubakar Shehubunu]

This Bill seeks to amend the Economic and Financial Crimes Commission Act, 2007 in order to empower the Commission to investigate and prosecute incidence of Cybercrimes and e-payment matters.[footnoteRef:70] The Bill in s.2 seeks to add one more function to the EFFC, which is stated in s.6 of the EFCC Act. The bill states that: [70: See Explanatory Memorandum]

Section 6 of the Principal Act is amended by inserting a new subsection (c) to read "the investigation and prosecution of all offences bordering on or connected with Cybercrime or e-payment matters".The principal act referred to is the current EFCC Act.[footnoteRef:71] This bill fails to state what cybercrime is, or list any offences that can be classified as cybercrime. The effect of this bill, if passed, will still be in effective as cybercrime is not defined or punishable under any written law in Nigeria. [71: S.1]

3.2.8 CYBERSECURITY BILL, 2011Cyber Security Bill first came to play in Nigeria in 2004 where some civil society advocated for the passage of the bill in order to make provision for an effective legal framework for the prohibition, prevention, prosecution and punishment of cybercrimes in the country[footnoteRef:72]. Hence to this effect, the Federal Ministry of Justice in collaboration with the National Security Adviser had come up with a draft of CyberSecurity Bill in 2011. This Bill is made of 6 parts, they are; Part I General Objectives; Part II Offences & Penalties; Part III Critical Information Infrastructure Protection; Part IV Search, Arrest and Prosecution; Part V International Cooperation; and Part VI: Miscellaneous. [72: http://www.tech360ng.com/the-nigeria-cybersecurity-2011/ Accessed (24/6/2013)]

Part 1 deals with the general objectives, the scope of the Bill and its application. The objects and scope of this Act are to provide an effective, unified and comprehensive legal framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria; Enhance cybersecurity and the protection of computer systems and networks, electronic communications; data and computer programs, Intellectual property and privacy rights. The Bill provides that its provisions will be enforced by any law enforcement agencies in Nigeria to the extent of the agency's statutory powers in relation to similar offences.As regard Part II of the bill, the proposed sections 2 to 18 criminalizes specific computer and computer-related offences, which include: Unlawful access to a computer; Unauthorized disclosure of access code; Data forgery; Computer fraud; System interference; Misuse of devices; Denial of service; Identity theft and impersonation; Child Pornography; Records Retention and Preservation; Unlawful Interception; Cybersquatting; Cyberterrorism; Failure of Service Providers to Perform certain Duties; Racist and xenophobic Offences. If most of the provisions in this part are going to be effective, it will cause a serious implication in the administration of justice because, if someone access your system causing damage to it or a little malfunction, then the person is convictable under this bill. Online identity theft, in this bill gets a punishment of N7m or 3 years jail term imprisonment, or both.Part III provides for the security and protection of critical information infrastructure. It further provides for the audit and inspection of critical information infrastructure and punishment for offences against critical information infrastructure. Also Part IV deals with issues such on jurisdiction, powers of search and arrest, obstruction of law enforcement officers, prosecution, forfeiture of assets, compounding of offences; payment of compensation; and the power to make regulations. Part V deals with the issues of International Cooperation. As Cybercrime and cybersecurity issues are not restricted by geographical boundaries and legal jurisdictions but can only be checked through international cooperation which is covered in Sections 29 to 34 of the Bill. The issues covered include: Extradition; Mutual Assistance Requests; Expedited preservation of data, Evidence Pursuant to a Request; and Form of Requests. Part VI deals with issues of a general character such as Directives of a general character; Regulations and the Interpretation section.The above provisions of this Bill is said to have met the milestones required of legislation on cybercrime, after it was reviewed and compared against international instruments and standards, such as the Council of Europes Budapest Convention, 20013 and the ITU Toolkit on Cybersecurity Legislation[footnoteRef:73]. [73: T.G. George-Maria Tyendezwa, (Head, Computer Crime Prosecution Unit Nigeria) Cybercrime Legislation Development In Nigeria An Update Octopus Conference, Strasbourg 06 June, 2012]

3.2.9 CURRENT BILLS IN THE NATIONAL ASSEMBLYThere are three bills which centre on regulating and creating offences related to cybercrime that are currently in the National Assembly waiting to be enacted into law. The bills are; 1. A Bill for an Act to Amend the Criminal Code Act, Cap. C38, Laws of the Federation of Nigeria, 2004 in Order to Provide for Offences and Penalties Relating to Computer Misuse and Cybercrimes 2012 (HB. 391)[footnoteRef:74]" [74: The bill has been referred to the House committee on Justice]

2. A Bill for an Act to Amend the Penal Code (Northern States) Federal Provisions Act, Cap.P3, Laws of the Federation of Nigeria, 2004 in Order to Provide for Offences and Penalties Relating to Computer Misuse and Cybercrimes, 2012 (HB. 392)[footnoteRef:75]" [75: Ibid ]

3. A Bill for an Act to ensure the continued free flow of Business within Nigeria and with its Global Trading Partners through secure Cyber Communications, to Provide for the continued Development and Exploitation of the Internet and Internet Communications for such Purposes, to Provide for the development of a Cadre of information Technology Specialists to improve and Maintain effective Cyber Security Defences against Disruption, 2011 (HB. 84)[footnoteRef:76] [76: The bill has been referred to the House committee on Information Technology and Justice]

As regard the Bills amending the criminal code and the penal code, the Chair of Africa ICT Alliance, Dr Jimson Olufuye, while expressing his support for the passage of a Bill towards amending the Criminal Code Act, in order to provide for offences and penalties relating to computer misuse and cybercrimes, said that there is no need for a special cybercrime bill for Northern Nigeria and so supported the discontinuation of the bill that will apply to Northern states of Nigeria only.[footnoteRef:77] The AfICTA group also recommended that on the title Records retention and protection of data by service providers in paragraph 22 (1) be replaced with Data preservation and protection of data by service providers in order to maintain consistency of the subject on data rather than records[footnoteRef:78]. Olufuye gave other reasons for the recommended amendment to include the use of preservation instead of retention. He explained that; [77: D. Oyetola, AfICTA supports Cybercrime bill Punch Newspaper available at: http://www.punchng.com/business/technology/aficta-supports-cybercrime-bill/ Accessed: (1/7/2013)] [78: Ibid ]

Data preservation required Communications Service Providers (including Internet Service Providers) to store a particular individual traffic data for a finite period as specified under the appropriate judicial authority. Whereas, data retention is requiring all CSP to retain all of the certain types of the traffic data created by all users.[footnoteRef:79] [79: Ibid ]

On lawful interception by law enforcement officer, Olufuye recommended that the action of the law enforcement officer be backed up by judicial authorisation[footnoteRef:80]. This, he said, was essential to avoid any form of abuse of office by any law enforcement officer and to respect the privacy of service providers [80: Ibid ]