Page 1 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved

NK/NASS/HR/DB/HB154/1

July 15, 2009

Honourable Rabe Nasir
Chairman, House Committee on Drugs, Narcotics and Financial Crimes
Rm. 3.11, New Wing
House of Representatives
National Assembly, 3 Arms Zone, Abuja

Dear Sir,

REVIEW OF DRAFT CYBER SECURITY AND INFORMATION PROTECTION AGENCY
(ESTABLISHMENT, ETC) BILL 2008 – A SECTION-BY-SECTION ANALYSIS

EXECUTIVE SUMMARY

Niche Konsult Limited fully identifies with the aspirations that led the Chairman, House
Committee on Drugs, Narcotics and Financial Crimes, the Deputy Chairman/sponsor of
the Draft Cyber Security and Information Bill, Honourable Bassey Etim and his
colleagues in the three Joint Committees of the House of Representatives assigned the
enviable job of fashioning out a cyber security enactment for Nigeria that will stand the
test of time to hold this public hearing.

Niche Konsult Limited also appreciates the opportunity given its representative to make
a brief presentation on the occasion of the holding of the public hearing on the above on
July 8, 2009.

Niche Konsult Limited chooses to style itself Nigeria’s Information Technology Security
Distributor and has partnership affiliations with several of the leading brands in the
information technology security space including but not limited to the following:

      • Absolute Software (developers of the world’s leading laptop tracking product)
        http://www.nichekonsult.com/Partners/AbsoluteSoftware/default.aspx
      • Acunetix (developers of the web application/website vulnerability
        assessment/management tool - Acunetix Web Vulnerability Scanner)
        http://www.nichekonsult.com/Partners/Acunetix/Default.aspx
      • Application Security Incorporated (the leading provider of database security
        solutions for the enterprise and the developers of DBProtect and
        AppDetectivePro)
        http://www.nichekonsult.com/Partners/ApplicationSecurityInc/Default.aspx
      • Alwil Software (developers of the popular antivirus software known as avast!)
        http://www.nichekonsult.com/Partners/Avast/default.aspx
      • BitDefender (a leading global provider of security solutions that satisfies the
        protection requirements of today’s computing environment)
        http://www.bitdefender.com
      • Core Security (developer of strategic security solutions for Fortune 1000
        corporations, government agencies and military organizations)
        http://www.nichekonsult.com/Partners/CoreSecurity/Default.aspx
      • eEye (a leading developer of network security products and an active contributor
        to network security research and education. eEye offers several award-winning
        solutions including Enterprise Vulnerability Assessment and Remediation
        Management. eEye products protect the networks and digital assets of thousands
        of corporate and government entities in over forty countries)
        http://www.eeye.com
      • GFI (GFI is a leading software developer that provides a single source for network
        administrators to address their network security, content security and messaging
        needs)
        http://www.gfi.com
      • Kaspersky (develops, produces and distributes information security solutions
        that protect customers from IT threats and allow enterprises to manage risk.)
        http://www.nichekonsult.com/Partners/Kaspersky/Default.aspx
      • McAfee (Provides anti-virus, vulnerability assessment, intrusion prevention,
        and client security solutions)
        http://www.mcafee.com
      • N-Stalker (developers of the N-Stalker Web Application Security Scanner)
        http://www.nstalker.com
      • Panda (one of the world's leading creators and developers of technologies,
        products and services for keeping clients' IT resources free from viruses and
        other computer threats at the lowest possible Total Cost of Ownership)
        http://www.nichekonsult.com/Partners/Panda/Default.aspx
      • Symantec (Symantec is a global leader in infrastructure software, enabling
        businesses and consumers to have confidence in a connected world. The company
        helps customers protect their infrastructure, information, and interactions by
        delivering software and services that address risks to security, availability,
        compliance, and performance. Headquartered in Cupertino, Calif., Symantec has
        operations in 40 countries.)
        http://www.symantec.com

Niche Konsult Limited has been in the information technology security business since
2002. Between then and now, Niche Konsult Limited has consulted on Information
Technology Security Solutions for two electronic cards/payment service providers, two
telecommunication service providers and six of Nigeria’s current 26 banks, amongst
several other clients in both the private sector and governmental circles. Niche Konsult
Limited and many of our clients and potential clients are affected by the provisions of
this proposed bill, and so we have taken time to do a thorough review of this bill for the
benefit of the Committee, our clients and prospects.

Immediately below follows our section by section analysis of the merits and demerits of
the bill accompanied by suggestions/recommendations for improvement.

SECTION-BY-SECTION ANALYSIS

1.        (1)      There is hereby established a body to be known as Cyber Security and Information Protection
                Agency (in this Bill referred to as “the Agency”) which shall have such functions as conferred on it
                by this bill.

          (2)     The Agency:

                        (a)   shall be a body corporate with perpetual succession and a common seal;

                        (b)   may sue and be sued in its corporate have and may, for the purpose of its functions,
                                acquire, hold or dispose of property;

COMMENTS

Our comprehensive study of the bill seems to indicate that there are no provisions on
“Information Protection” as suggested by the title of this Bill. We consider this a very
significant omission/anomaly. For the purposes of the Committee, we wish to reproduce
below the following text entitled “The Data Protection Principles” obtained from
Schedule 1 to the UK Data Protection Act of 1998:

     1. Personal data shall be processed fairly and lawfully and, in particular, shall not be
        processed unless-
           (a) at least one of the conditions in Schedule 2 is met, and
           (b) in the case of sensitive personal data, at least one of the conditions in
               Schedule 3 is also met.

     2. Personal data shall be obtained only for one or more specified and lawful purposes,
        and shall not be further processed in any manner incompatible with that purpose
        or those purposes.

     3. Personal data shall be adequate, relevant and not excessive in relation to the
        purpose or purposes for which they are processed.

     4. Personal data shall be accurate and, where necessary, kept up to date.

     5. Personal data processed for any purpose or purposes shall not be kept for longer
        than is necessary for that purpose or those purposes.

     6. Personal data shall be processed in accordance with the rights of data subjects
        under this Act.

     7. Appropriate technical and organisational measures shall be taken against
        unauthorised or unlawful processing of personal data and against accidental loss or
        destruction of, or damage to, personal data.

     8. Personal data shall not be transferred to a country or territory outside the
        European Economic Area unless that country or territory ensures an adequate level
        of protection for the rights and freedoms of data subjects in relation to the
        processing of personal data.




We had wanted to comment extensively in our paper on the Data Protection Provisions of
the Bill, but have been forced to hold back. However, we think that it would be an
anomaly in fact and law for the proposed agency to be prosecutor/investigator of
cybercrimes and regulator of the country’s cyber security space on the one hand and
privacy/information/data protection watchdog on the other hand at the same time. It is
therefore suggested that either a new Data Protection Agency modelled after that in the
UK be established or the Act establishing the Consumer Protection Council be amended to
accommodate the functions currently being carried out by the Information Commissioner
in Great Britain. We are of the considered opinion that the second option would be the
preferred option since it will permit and/or extend the powers of the Consumer
Protection Council to cover breaches involving personally identifiable information (PII), a
rampant form of consumer abuse, and extend its turf to consumer protection matters in
today’s world of the internet and pervasive telecommunications networks, which
developments the CPC Act of 1992 did not envisage nor prepare for, and thus match
what obtains in the United States of America in which the Federal Trade Commission
(FTC) plays similar roles.

We wish the committee to note that breaches of data protection laws are also considered
to be violations of human rights in several countries including Austria, Canada, Denmark,
France, Germany, Luxembourg, Norway, Sweden, the United Kingdom and the United
States and should also be so in Nigeria.

It is our wish that the Committee will recommend to the House that it adopts the
attitude of the American Congress which enacted several “Special Statutes” to expand
the responsibilities of the FTC with respect to Data Protection.

If the House so wishes, it can maintain the current name of the CPC or change its name
to Information and Consumer Protection Council (ICPC) or Information and Consumer
Protection Agency (ICPA). (Please see attached some documents we sent to the
CPC on these matters in February 2005.)

Until Data Protection provisions are included in our laws, it will not be possible for the
House of Representatives to give legal teeth and effect to Section 37 of the 1999
Constitution of Nigeria which states “The privacy of citizens, their homes,
correspondence, telephone conversations and telegraphic communications is hereby
guaranteed and protected.”

We recommend that the Committee visits the following links for more general
information on Data Protection Laws and the role(s) played by the Information
Commissioner who heads the UK Data Protection Agency:

http://www.out-law.com/page-10137 which deals with data protection watchdogs urging
the European Commission to make sure that outsourcing providers who process
personal data are bound by consistent rules irrespective of whether they are based
inside or outside the EU

http://www.out-law.com/page-10116 which deals with breaking of the Data Protection
Act by the Manchester City Council when it failed to encrypt laptop computers containing
data on nearly two thousand workers. The local authority has promised to ensure all
mobile computers are encrypted.

http://www.timesonline.co.uk/tol/news/uk/crime/article6373645.ece which discusses the
court case involving Ian Kerr who maintained a construction worker blacklist database but
failed to comply with the Data Protection Act which requires that unless very simple
processing is done, all organizations handling personally identifiable information (PII)
must be registered with the Agency

http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html
The UK Information Commissioner’s hard knocks on the National
Health Service which has been involved in some 140 data security breaches in the last
four months.

http://www.out-law.com/page-9965 The UK Information Commissioner comments on
complaints and enquiries on Google’s Street View service

http://www.theregister.co.uk/2009/04/20/british_council_data_loss/ The UK Information
Commissioner's Office comments on the loss of an unencrypted disk containing
personally identifiable information on over 2,000 members of staff

In closing our comments on data protection, we would like to call the attention of the
Committee to the distinction between a Data Protection Act and a Cyber Crime Act such
as the proposed Bill. Lord Hobhouse of Woodborough observed in Regina v Bow Street
Metropolitan Stipendiary Magistrate and Another, ex parte Government of the
United States of America 2002 2 AC 216:

           “As Astill J. said in Bignell's Case [1998] 1 Cr.App.R. 1, 12b, the Act of 1990
           was enacted to criminalise the 'hacking' of computer systems and the Data
           Protection Act 1984 was enacted to criminalise improper use of data.”


We look forward to an opportunity to perform/conduct a Section-by-Section analysis on
the Data Protection Bill as well.


In respect of the controversy that arose at the public hearing on the utility of creating a
new cyber security agency, I wish to draw the attention of the Committee to the
following internet links which discuss the establishment of a similar agency in the UK and
France:
http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html

http://www.ecommerce-journal.com/news/16770_france_launches_a_new_agency_to_strike_cyber_attacks

http://www.ssi.gouv.fr/IMG/pdf/ANSSI_PRESS_RELEASE.pdf

http://news.cnet.com/8301-1009_3-10272925-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

http://www.scmagazineuk.com/UK-cyber-security-strategy-launched/article/139033/

http://www.theregister.co.uk/2009/06/25/uk_cyber_security_strategy/

2.   (1)    The Agency shall consist of:

                  (a)   the Chairman of the agency shall be the National Security Adviser;

                  (b)   Executive Vice chairman to be appointed by the president, who shall be:

                           (i)     a retired or serving member in any security agency of the Federation not
                                      below the rank of deputy commissioner of police or it’s equivalent, with
                                      cybersecurity experience

                           (ii)    a lawyer with not less than 10 years post call experience, who must be an
                                      expert in cybersecurity

                           (iii)   responsible for the day to day running of their affairs of the Agency.

                  (c)   a representative each of the following Federal Ministries.

                      (i)       commerce, industry;

                      (ii)       science and technology;

                      (iii)      justice;

                (d)   The Executive Vice Chairman and members of the Agency, other than ex-officio shall
                        each hold office for a period of four years and may be re-appointed for one
                        further term.

                (e)   a representative each from the following organizations:

                      (i)       the department of state security services;

                      (ii)       the Nigerian police force;

                             (iii)      the Nigeria communications commission;

                             (iv)       the Nigeria Security & civil Defence Corps and

       (2)   Four persons whom:

                (a)   two must be experts in telecommunication with not less than 10 years experience

                (b)   two computer scientists with specialization in cyber crime with not less than 10 years
                        experience

       (3)   The Executive Vice Chairman and four other members of the agency shall be appointed by the
                president subject to confirmation by the senate.

       (4)   The Executive Vice Chairman appointed pursuant to sub-section (1) of this section shall be the
                chief executive of the agency and shall be responsible for the day to day running of its
                affairs.

COMMENTS

Page 1, Line 7 - missing word after corporate “name”, then a comma after name

Page 1, Line 9- should read “The Agency shall consist of the following”

Page 1, Line 10 – should read “the Chairman of the Agency who shall be the National
Security Adviser”

Page 1, Line 14 – which did the draftsman mean “its” or “it’s” – these two words are
commonly confused

Page 1, Lines 11 – 18 – What is the rationale for limiting the Office of the Executive
Vice Chairman to a “retired or serving member in any security agency of the
Federation”? And how do we define the phrase “with cyber security experience”? And
how do we measure such experience? If this becomes law as passed, then a large pool of
talent has been automatically disenfranchised from this position. That the head should
be a lawyer just makes sense given the fact that this is not just about technology but
how technology meets the law and vice versa; there is no objection to lines 16 and 17 as
they stand. The Committee is well advised to conduct an audit of all “retired or serving
members in any security agency of the Federation not below the rank of deputy
commissioner of police or its equivalent” in order to find how many of them currently
have “cyber security experience” to be assured that there will always be a pool of them
to draw from.

Page 1, Line 15 – It is important to decide which is preferred: “cybersecurity” as one
word or “cyber security” as two words. Please see also Page 1, Line 1

Page 2, Line 5 – the word “members” is missing after ex-officio

Page 2, Line 15 – It is important to decide which is preferred: “cybercrime” as one word
or “cyber crime” as two words

Page 2, Line 19 – replace the underscore in “sub_section” with a hyphen, to read “sub-section”




3.   (1)     A member of the agency may at any time resign his office in writing

                    addressed to the president and may be removed from office because of:

                    (a)   infirmity of mind or body;

                    (b)   permanent incapacity; or

                    (c)   any other reason subject to confirmation by the senate.

           (2)   Members of the agency shall be paid such allowances as may be determined by the salary and
                   wages Commission.

COMMENTS

None

4.   The Agency shall be responsible for the:

     (a)     enforcement of the provision of this bill

     (b)     investigation of all cyber crimes

           (c)   adoption of measures to eradicate the commission of the cyber crimes;

           (d)   examination of all reported cases of cyber crimes with the views to identifying individuals,
                   corporate organization involve in the commission of the crime;

           (e)   registration and regulations of service providers in Nigeria with the views to monitor their
                    activities; organizing and undertaking campaigns and other forms of activities as will lead
                    to increased public awareness on the nature and forms of cyber crimes; and

           (g)   maintaining a liaison with the office of the Attorney General of the Federation, and inspector
                   General of police on the arrest and subsequent prosecution of the offenders.

COMMENTS

Page 2, Line 31 – should read “enforcement of the provisions of this Bill”

Page 3, Line 2 – should read “…to eradicate the commission of cyber crimes”

Page 3, Lines 3 – 5 – How does the House of Representatives purport to handle the
conflict between the powers given to the EFCC first under the Advance Fee Fraud and
other Related Offences Act No 13 of 1995 (now repealed), and the Advance Fee Fraud
and other related Offences (Amendment) Act 2005 (now repealed) and now the Advance
Fee Fraud and Other Related Fraud Offences Act 2006 which has placed certain
obligations on banks and other financial and designated non financial institutions,
telecommunications companies, internet service providers, cybercafé operators, property
owners, transporters, etc and which provisions are enforced by the EFCC?

Page 3, Lines 3 – 5 – In line 3 mention is made of “cyber crimes” and in line 5 “the
crime”. It is suggested that lines 3 to 5 should read “examination of all reported cases of
cybercrimes with a view to identifying individuals, corporate organizations (and not
organization) involved (and not involve) in the commission of the crimes (and not
crime)”.

Page 3, Lines 6 – 9 – The House of Representatives may wish to remember that the
Advance Fee Fraud and Other Related Fraud Offences Act 2006 also gave the EFCC the
power to register internet service providers and cybercafés. Pursuant to the powers
granted the EFCC under that Act, the EFCC held a series of meetings with stakeholders,
including the Internet Service Providers Association of Nigeria (ISPAN), Association of
Cybercafé and Telecentre Operators of Nigeria (ACTONigeria), Private Telecoms
Operators (PTOs) and Global System for Mobile Communication (GSM) operators.
Following such meetings a number of resolutions were agreed for immediate
implementation:

    1. All Internet Service Providers (ISPs), and cybercafé operators providing services
       in Nigeria must be registered with the Corporate Affairs Commission (CAC),
       Nigerian Communications Commission (NCC) and EFCC;
    2. All upstream Internet Service Providers rendering services to Internet Service
       Providers and Cybercafés in Nigeria, must be physically located and be registered
       and licensed as Internet Services Providers (ISPs) above;
    3. All users of Internet services must migrate to Internet Service Providers
       registered with EFCC and licensed by NCC
    4. Registration with EFCC shall be online at www.efccnigeria.org/operators within
       the periods stated below:
       Internet Service Providers: July 25 – September 7, 2006
       Cybercafé Operators: September 8 – November 24, 2006

Source: Daily Trust, Tuesday, July 25, 2006 page 32

Bearing in mind the above and the interpretation of “service provider” in Section 38 of
this bill (page 19 lines 4 to 7), virtually any organization that provides internet access is
required to register. It seems to the undersigned that this provision is unnecessary as it
should not be a requirement and indeed is not required for this law to have effect or
take effect. To that extent, we think that the first two words of line 6, page 3 should be
expunged.

Page 3, Lines 6 – 9 – the word “regulations” should be replaced with “regulation”

Page 3, Line 11 – “Inspector” should replace “inspector”

Page 3, Lines 10 – 12 – It is suggested that the list should be expanded to read:
“Maintaining a liaison with the Office of the Attorney General of the Federation, the
Inspector General of Police and the Executive Chairman of the Economic and Financial
Crimes Commission on the arrest and subsequent prosecution of the offenders.” The
rationale for this suggestion is that until this Bill is passed into law, the EFCC has been
acknowledged as the premier cybercrime fighting agency and will so be until this Bill
makes the proposed “Cyber Security and Information Protection Agency” upstage it.
So this suggestion just makes sense for purposes of continuity.

Finally, it is suggested a new sub-section 4(h) be included giving the proposed agency
powers to oversee cyber security across the government in the manner and fashion
proposed by President Obama in relation to his proposed Cyber Security Coordinator for
the White House.


5.    (1)     In execution of its functions and powers under this Bill, the Agency

                        may appoint:

                        (a)   persons or second officers from government security or law enforcement agencies;
                                 and

                        (b)   specialist in the area of communication, science and technology, law, which will assist
                                 the agency in the performance of its functions.

            (2)   The agency may, make staff regulations relating generally to the conditions of service of the
                    employees, and such regulations may provide for:

                  (a)     the appointment, promotion and disciplinary control; and

                        (b)   appeals by such employees against any disciplinary measures taken against them,
                                shall be regulated by the provision of the civil services rules, until such regulations
                                are made.

(3)   Service in the agency shall be public service for the purposes of pension Act.

COMMENTS

Page 3, Line 17 - specialists should replace specialist; telecommunications should
replace communication

Page 3, Line 26 - Pension should replace pension

6.    The Agency shall maintain a fund which shall consist of:

            (a)   money to be received from the federal government for the purposes of take off;

            (b)   proceeds from all activities, services and operations of the Agency.

            (c)   grants, gifts and donations made to the Agency.

            (d)   such other sums as may accrue to the Agency.

COMMENTS

None

7.   (1) Any person who without authority or in excess of his authority accesses any computer for the
purpose of:

     (a)     securing access to any program; or

     (b)     data held in that computer; or

           (c)   committing any act which constitute an offence under any law for time being in force in
                   Nigeria, commits an offence and shall be liable on conviction:

                    (i)    in the case of offence in paragraph (a) of this subsection, to a fine of not less than
                              N10,000 or imprisonment for a term of not less than 6 months or to both such fine
                              and imprisonment.

                    (ii)   For the offence in paragraph (b), to a fine of not less N100, 000 or a term of not less
                             than 1 year or to both such fine and imprisonment.

           (2)   Where damage or loss is caused to any computer as a result of the commission of an offence
                   under subsection (1) of this section, the offender shall be liable to a fine of not less than
                   N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and
                   imprisonment.

           (3)   In pronouncing sentence under this section, the court shall have regard to the extent of
                    damage or loss occasioned by the unlawful act.




COMMENTS

Page 4, lines 2 – 19 – Section 7 creates the offences of “access without authority” or
access “in excess of his authority.” It is suggested that a new offence be created and
made Section 7(3), and that the present Section 7(3) become Section 7(4).

The proposed new offence is “access with authority for an unauthorised purpose.” To
illustrate, imagine a Policeman using his access to police computers to obtain information
on a guy who took over his girlfriend, or imagine an officer attached to the Federal
Inland Revenue Service using his “access with authority” to snoop on tax files of
politically exposed personalities or of other public figures, or a civil servant with access
to personally identifiable information at the National Identity Management
Commission/National Pension Commission misusing his/her “access with authority” in a
similar manner.

It is submitted that Section 7 as currently constituted does not provide for such a
possibility. The House of Representatives is well advised to study the startling ruling in
DPP v Bignell (1998) 1 Cr App R 1 and the public hue and cry that followed that
ruling since it affects the issue raised above.

To quote the summary of that case provided by David I Bainbridge in his book
“Introduction to Computer Law” published by Longman in 2000 on pages 312–313: “Two
police officers had used the police national computer to gain access to details of motor
cars which they had wanted for private purposes unconnected with their duties as police
officers. They were charged with the unauthorised access to computer material offence
under Section 1 of the Computer Misuse Act 1990… From the reported facts of the case,
it would seem beyond doubt that the accused police officers had consciously and
deliberately misbehaved … by using the police national computer to gain access to
information to be used for their own private purposes.” (Italics Ours)

This is very important because insiders have time and again been proved to be the greatest
security threat an organization can face.

In the alternative, an entirely new Section should be created for the offence of “access
with authority for an unauthorised purpose.”

Page 4, line 6 – constitutes should replace constitute

Page 4, line 10 – did the draftsman mean M10, 000.00 or 10,000 Naira?

Page 4, line 14 – Since the value of a computer is not so much in the hardware but in
the software and data resident therein, it is suggested that the words “or its contents”
be inserted immediately after computer

8.   (1)     Any person who, knowingly and without authority or in excess of

                        authority, disclose any:

                 (a)     password;

            (b)        access code; or

                        (c)   any other means of gaining access to any program data or database held in any
                                computer for any unlawful purpose or gain, commits an offence and shall be liable
                                on conviction to a fine of not less than N500,000 or to imprisonment for a term of
                                not less than 3 years or to both such find and imprisonment, and in the case of a
                                second or subsequent conviction, to a fine not exceeding N1,000,000 or to
                                imprisonment for a term of not less than 5 years or both such fine and
                                imprisonment.

 (2) Where the offence under subsection (1) results in damage or loss, the offender shall be liable to a fine
of not less than N1,000,000 or imprisonment for a term of not less than 5years or both such fine and
imprisonment.

           (3)    Any person who with intent to commit any offence under this Act uses any automated means
                    or device or any computer program or software to:

                  (a)     retrieve;

                  (b)     collect; and

                  (c)     store password, access code; or

                  any means of gaining access to any program, date or database held in any computer, commits
                     an offence and shall be liable on conviction to a fine of N1, 000,000 or to imprisonment for
                     a term of 5 years or to both such fine and imprisonment.

COMMENTS

Page 4, line 21 – discloses should replace disclose

Page 4, line 24 – “any other means of gaining access to any program data or
database” should instead read “any other means of gaining access to any program, data,
or database”

9.   (1)     Any person who with intent to defraud send electronic mail message

                       to a recipient, where such electronic mail message materially misrepresents any fact or set
                       of facts upon which reliance the recipient or another person is caused to suffer any
                       damage or loss, commits an offence and shall be liable on conviction to a fine of not less
                       than 5 years or to both such fine and imprisonments.




           (2)   It shall not operate as a defense for any person charged with an offence under subsection (1)
                     of this section to claim that:

                 (a)     he could not have carried out his intended act; or

                       (b)   it is impossible to execute the ultimate purpose of his intention; or

                       (c)   the object of his deceit is non-existent.

           (3)   Any person spamming electronic mail messages to receipts with whom he has no previous
                   commercial or transactional relationship commits an offence and shall be liable on
                   conviction to a fine not less than N500, 000 or imprisonment for a term of not less than 3
                   years or to both such fine and imprisonment.

           (4)   Any person who with intent to commit any offence under this Bill;

                 (a)     uses any automated means, device; or

                       (b)   any computer program, software; to collect or store electronic mail addresses from
                               any sources whatsoever, commits an offence and shall be liable on conviction to a
                               fine not less than N1,000,000 or to imprisonment for a term not below 5 years or
                               both such fine and imprisonment.




COMMENTS

Page 5, Lines 12 – 31 Does the wording of Section 9 (1) as presently constituted cover
the unsolicited delivery of advertisements via mobile text messages, e-mail, fax and
automatic dialling systems or just emails, especially when read with the definition of the
word “Spamming” as contained in Section 38 under Interpretation (page 19, lines 10 –
11)? The use of the words “materially misrepresents any fact or set of facts” is very
limiting because an email may not materially misrepresent any fact or sets of facts and
yet be spam although not fraudulent. It is suggested that Section 9 be re-drafted to
cover both fraudulent and non-fraudulent spam, and to extend to unsolicited
communication irrespective of channel such as text messages, email, fax, and automated
dialling systems. This is the position adopted by the Amendment 40 to the
Communications Law of Israel. To illustrate that it is necessary to expand the definition
of spam, between the date of the public hearing and date, the undersigned has received
12 messages with identical content from a very well known beer brand in Nigeria
celebrating its 60th anniversary and inviting him to answer 3 questions correctly to win a
chance to be a part of the celebration.

Finally, the Bill as presently worded does not make blackmail via email a crime; the
Committee would do well to look into this matter with a view to including it in the
proposed legislation.

Section 9 (3) is unduly restrictive. This is the case because it is not just Advance Fee
Fraud Practitioners that need to reach out to potential targets through the medium of
electronic mail messages; even legitimate advertisers often have cause to do so. The House of
Representatives may wish to take a cue from the “Amendment 40 to the
Communications Law of Israel” which permits an advertiser to contact a business
recipient just once per recipient with the question whether they agree to receive
advertisements from that advertiser.

The law also permits an advertiser to send advertisements to the recipient even if they
were not explicitly solicited, in cases when prior business relations have existed between
the advertiser and the recipient and the recipient is the one who provided his/her
mailing/messaging details to the advertiser. But even then – as well as for any case
where the recipient has given consent to receiving advertisements – still the recipient
has the right, under the law, to inform the advertiser of his refusal to receive any more
advertisements. Such refusal notice will cancel the validity of the previous consent. For
more information, the committee may wish to refer to
http://www.moc.gov.il/sip_storage/FILES/5/1545.pdf

The Israeli law also requires advertisers to include in a commercial message the word
"advertisement" and the advertiser's name, address and contact information, including
an email address that recipients may use to opt out.

The Israeli law enforces the prior consent requirement; consent to receive electronic
mail messages may be given in writing or by a recorded call.

The modifications suggested above are required for the law to balance the need to
protect citizens against the requirements of legitimate business concerns to advertise.




10.   (1)     Any person who, with the intent to commit an offence, uses any

                    computer program or software to deliberately block being traced or avoid detection,
                    commits an offence and shall be liable on conviction to a fine of not less than N500,000 or
                    imprisonment for a term of not less than 3 years or both such find and imprisonment.

            (2)   Any person who knowingly accesses any computer and inputs, alters, deletes or suppresses
                    any data resulting in unauthentic data with the intention that such inauthentic data be
                    considered or acted upon as if it were authentic or genuine, whether or not such data is
                    readable or intelligible, commits an offence and shall be liable on conviction to a fine of
                    not less than N500,000 or imprisonment for a term of not less than 3 years or both such
                    fine and imprisonment.




            (3)   Any person who knowingly and without right causes any loss of property to another by
                    altering, erasing, inputting or suppressing any data held in any computer for the purpose of
                     conferring any benefits whether for himself or another person, commits an offence and
                     shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term
                     of not less than 3 years or both such fine and imprisonment.

COMMENTS

Page 6, Lines 1 – 2 The side note accompanying these lines is most deceptive. It is
submitted that it should be renamed/replaced with “Illegitimate/ Illegal use of proxies.”

Page 6, Lines 6, 7- The side note that is currently situated at Lines 1 and 2 should be
moved to Lines 6 and 7.

Page 6, Lines 6 – 12 - The House of Representatives may wish to note that David I
Bainbridge in the Fourth Edition of his book “Introduction to Computer Law” observed
“The phrase ‘computer fraud’ is used to describe stealing money or property by means of
a computer; that is, using a computer to obtain dishonestly, property (including money
and cheques) or credit or services or to evade dishonestly some debt or liability.” In the
light of the above description, it is obvious that there is an overlap with the Offences
which can be committed under the Advance Fee Fraud and Other Fraud Related Offences
Act 2006. In other words, if the offence of obtaining property by false
pretence is committed using the computer, the question then arises: Which agency
investigates? Which agency prosecutes? Is it the Economic and Financial Crimes
Commission? Or the proposed “Cyber Security and Information Protection Agency”? Or
both? If both, which agency will act as the lead? This is an area of potential conflict and
unwarranted and wasteful duplication of resources which the House of Representatives
may wish to address.

In doing so, we recommend studying the provisions of the following UK Acts and cases:

           The Theft Act
           Finance Act 1972
           DPP v Ray (1974) AC 370
           Davies v Flackett (1973) RTR 8
           R v Preddy (1996) AC 815
           Criminal Law Act 1977
           Criminal Attempts Act 1981
           Scott v Metropolitan Police Commissioner (1975) AC 819
           R v Lloyd (1985) 2 All ER 661
           R v Ghosh (1982) QB 1053
           Chan Man-sin v Attorney-General for Hong Kong (1988) 1 All ER 1
           R v Morris (1984) AC 320
           Lawrence v Metropolitan Police Commissioner (1972) AC 626
           R v Mavji (1987) 2 All ER 758
           Computer Misuse Act 1990
           and the equivalent Nigerian Acts

11.       (1)   Any person who without authority or in excess of authority interferes

                     with any computer network in such a manner as to cause any data or program or software
                     held in any computer within the network to be modified, damaged, suppressed, destroyed,
                     deteriorated or otherwise rendered ineffective, commits an offence and shall be liable on
                     conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less
                     than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Line 22 – It is suggested that the word “Deteriorated” is out of place and
should be deleted, while the word “ineffective” should be replaced with “unusable”.

12.       Any person who unlawfully produces, adapts or procures for use, distributes, offers for sale, possesses
            or uses any devices, including a computer program or a component or performs any of those acts
            relating to a password, access code or any other similar kind of data, which is designed primarily to
            overcome security measures with the intent that the devices be utilized for the purpose of violating
            any provision of this Bill, commits an offence and is liable to a fine of not less than N1,000,000 or
            imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Lines 26 – 31, Page 7, lines 1 – 2 – It is submitted that the House of
Representatives should re-consider the text of Section 12 with a view to making a very
clear distinction between things that can be used to overcome security measures but
which have legitimate uses and things specifically designed to overcome security
measures. The following cases are quite instructive in that regard: Amstrad Consumer
Electronics PLC v the British Phonograph Industry Limited (1986) FSR 159, CBS
Songs Limited v Amstrad Consumer Electronics PLC (1988) 2 WLR 1191.

To illustrate practically what is meant by the above, Niche Konsult Limited conducts
penetration testing as well as offers for sale software and hardware capable of being
used to violate some provisions of this Bill, but such software was not “designed
primarily to overcome security measures with the intent that the devices be utilized for
the purpose of violating any provision of this Bill.”

On the other hand, the same software/hardware is being legitimately employed by
transportation, healthcare, financial institutions, information technology security
consultants, payment processors, telecommunication firms, large enterprises, state
governments, educational institutions, military academies within and outside Nigeria to
conduct comprehensive penetration testing across their infrastructure and applications.

One such solution goes by the name Core Impact Pro and can be used to perform
penetration testing* which tells organizations using it:

           what an attacker can definitely do to their network
           by exploiting identified vulnerabilities, just as a hacker would
           leaving little doubt as to what a hacker can do or cannot do and thus eliminating
            the guesswork involved in protecting their network by providing them with the
            information they need to effectively prioritize their vulnerabilities.

* Penetration testing is a localized, time-constrained, and authorized attempt to breach
the security of a system using attacker techniques. During a penetration test,
organizations actually try to replicate in a controlled manner, the kinds of access an
intruder or worm could achieve. With a penetration test, network managers can identify
what resources are exposed and determine if their current security investments are
detecting and preventing attacks.

13.   Any person who without authority or in excess of authority intentionally interferes with access to any
        computer or network so as prevent any:

      (a)     part of the computer from functioning; or

            (b)   denying or partially denying any legitimate user of any service of such computer or network;
                    commits an offence and shall be liable on conviction to a fine of not less than N2,000,000
                    or imprisonment for a term of not less than 7 years or to both such fine and
                    imprisonment.

COMMENTS

Page 7, lines 3 – 9 It is suggested that a new Head Note, to be called “Denial of
Service/Distributed Denial of Service Attack(s)”, be introduced.

Page 7, line 5 – It is suggested that the words “or network” be inserted immediately
after computer

14.   Any person who with the intent to deceive or defraud, accesses any computer or network and uses or
        assumes the identity of another person, commits an offence and shall be liable on conviction to a
        fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such
        fine and imprisonment.

COMMENTS

Page 7, Lines 10 – 14 - The House of Representatives may wish to compare and
contrast the wordings of Section 14 of this Bill with the wordings of Section 202 of the
Norwegian Criminal Law (2008 – 2009) which when translated states:

            “With a fine or imprisonment not exceeding 2 years shall whoever be punished,
            that without authority possesses of a means of identity of another, or acts with
            the identity of another or with an identity that easily may be confused with the
            identity of another person with the intent of (a) procuring an economic benefit for
            oneself or for another, or (b) causing a loss of property or inconvenience to
            another person.”

            Source: http://www.cybercrimelaw.net

15.   (1)     Every service provider shall keep all traffic, subscriber information or

                     any specific content on its computer or network for such period of time as the Agency may
                     require.

            (2)   Every service provider shall, at the request of any law enforcement agency:

                     (a)   provide the law enforcement agency with any traffic of subscriber information
                             required to be kept under subsection (1) of this section; or

                     (b)   preserve, hold or retain any related content.




            (3)   Any law enforcement agency may with warrant issued by a court of competent jurisdiction,
                    request for the release of any information in respect of subsection (2) (b) of this section
                    and it shall be the duty of the service provider to comply.

       (4)   Any data retained, processed or retrieved by the service provider for the law enforcement
               agency under this Bill, shall not be utilized except for legitimate purposes either with the
               consent of individuals to whom the data applies or if authorized by a court of competent
               jurisdiction.

       (5)   A person exercising any function under this section shall have due regard to the individual
               right to privacy under the constitution of the Federal Republic of Nigeria 1999 and shall
               take appropriate technological and organizational measure to safeguard the confidentiality
               of the data retained, processed or retrieved for the purpose of law enforcement.

       (6)   A person or service provider, body corporate who willfully contravenes the provisions of this
                section commits an offence and shall be liable on conviction to a fine of not less than
                N500,000 or imprisonment for a term not less than 3 years or both fine and imprisonment.

COMMENTS

Page 7, Lines 15 – 17 – There should be a side note “Records Retention for law
enforcement”. This also raises the question “who bears the cost?” The service provider
or the government? This issue is very important because given the cost of the devices
required to fulfil the requirements of this section, small players may be edged out of
business. Neither does it make sense in a time of economic gloom such as this to pass
on such costs to the end-user. It is also suggested that the words “for such period of
time as the Agency may require” be replaced by the words “for two years.” This will be
in line with a Directive issued by the European Union on data retention which although
not binding on Nigeria is evidence of best practice. That Directive requires retaining such
records for a minimum of six months and a maximum of two years.

Page 7, Line 19 – The words “and backed with a warrant issued by a court of
competent jurisdiction which shall be issued when there is compelling evidence that a
crime is imminent” should be introduced immediately after “agency”. This is required for
uniformity of Section 15 (2) (a) with Section 15 (2) (b) and to keep with
international best practice. The House of Representatives may wish to recall the hue and
cry over the high-handedness of the EFCC in the recent past, which was made possible
by provisions such as the one below, contained in the Advance Fee Fraud and
Other Offences Act 2006 under duties of telecommunications and internet service
providers and internet cafes: “Any person whose normal
course of business involves the provision of non-fixed line or Global System of Mobile
Communications (GSM) or is in the management of any such services, shall submit on
demand to the Commission such data and information as are necessary or
expedient for giving full effect to the performance of the functions of the
Commission under this Act.”

Inserting the above will provide for much needed checks and balances on the power of
the Executive as represented by the proposed agency. The House of Representatives may
also wish to consider amending the above provision in the Advance Fee Fraud and
Other Offences Act 2006 as well to allow for checks on the power of the agency by the
judicial arm of the government.

Page 7, Line 22 – It is suggested that the words “preserve, hold or retain any related
content” be expunged from this bill. What this means in practice is that service providers
would be required to keep a copy of every email sent/received, every instant message,
every text message, every call made, every web page viewed to mention but a few. Of
course, it is not in doubt that service providers already have this information. However,
rather than giving such retention legitimacy, it is recommended that the Committee
should consider this an opportunity to enact an electronic communications/email archival
legislation which always places the obligation of such archival on the organization
sending or receiving the email and not on the service provider, and limit the service
provider to retaining only traffic and subscriber information. This will distribute the
cost of such data retention much more evenly and reduce the likelihood of the general
public thinking that Nigeria’s government is desirous of creating a police state. The
Committee may also like to note that the UK Communications Bill currently under
consideration, which proposes to amend the UK Regulation of Investigatory Powers Act
(RIPA), does not propose the retention of content by service providers. It is suggested
that the Committee should expunge this provision. Please see

http://www.examiner.ie/ireland/retention-period-for-phone-data-to-be-cut-96213.html

http://www.siliconrepublic.com/news/article/13407/government/irish-govt-to-retain-all-web-text-and-phone-data-for-two-years

http://www.examiner.ie/ireland/watchdog-concern-at-revenue-data-access-96329.html

http://www.scmagazineuk.com/Government-lines-up-central-database-of-phone-and-internet-records/article/110337/

http://news.bbc.co.uk/2/hi/technology/7410885.stm


The Committee might also like to make very clear what it means by traffic information.
The UK Communications Bill and Data Retention Directive help here because they define
traffic information to include the initiator of the communication, the recipient of the
information, the time of the communication, the duration of the communication, the
location of the initiator and the recipient, and the type of communication.

Page 7, Line 27 – 30 – It is suggested that the wordings of Section 15 (4) be revisited.
In particular the words “…shall not be utilized except for legitimate purposes either with
the consent of individuals to whom the data applies or if authorized by a court of
competent jurisdiction.”

Page 7, Line 31 – The words “or organization” should be inserted immediately after
“person”

Page 8, Line 5 – No such word as “willfully”, but there is a word “wilfully”

16.   (1)   A person who intentionally, without authority or in excess of

                 authority intercepts any communication originated, terminated or directed from, at or to
                 any equipment, facilities or services in Nigeria, commits an offence and shall be liable on
                 conviction to;

                  (a)       a fine of not less than N500, 000;

                 (b)        imprisonment for a term of not less than 10 years; or

                 (c)       both such fine and imprisonment.

 (2) Notwithstanding the provision of subsection (1) of this section, any service provider, its employee or
duly authorized agent may, in the normal course of work, carryout the activity mentioned in section 16 of
this Bill.

COMMENTS

None

17.   Every service provider shall ensure that any of its equipment, facilities or services that provides a
        communication is capable of:

        (a)   enabling a law enforcement agency to intercept all communications on its network for the
                purpose of investigation and prosecution;

        (b)   accessing call data or traffic record;

        (c)   delivering intercepted communications and call data or traffic record in such a format that
                 they may be transmitted by means of equipment, facility or service procured by any law
                 enforcement agency to a location other than the premises of the service provider; and

        (d)   facilitating authorized communications interceptions and access to call data or traffic records
                 unobtrusively with minimum interference with any subscriber’s communication service
                 and in a manner that protects:

                 (i)    the privacy and security of communications and call data or traffic records not
                          authorized to be intercepted.

                 (ii)   information regarding the interception.




        (2)   A service provider who contravenes the provision of subsection (1) of this section, commits an
                 offence and shall be liable on conviction, in case of;

        (a)   service provider, a fine of not less than N100, 000; and

        (b)   director, manager or officer of the service provider, a fine of not less than N500,000 or
                 imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

We appreciate the need to ensure that the equipment deployed by service providers
has on-going intercept capabilities, as well as the obligations placed on service
providers to enable/facilitate lawful interception and to deliver intercepted
communications in the course of a lawful investigation.

The provisions of Section 17 as presently constituted and Section 17(d)(i) and Section
17(d)(ii) notwithstanding, it is sad that the House of Representatives is giving the
proposed agency what may be likened to a blank cheque. We are not against lawful
interception, but we strongly urge the insertion of the following: “such interception to be
carried out by the Agency shall be lawful if accompanied by a warrant issued by a judge
of a Federal or State High Court.”

Please compare with the UK Regulation of Investigatory Powers Act 2000, Section 2
Interception of Communications Act 1985, Malone v United Kingdom (1984) 7 EHRR 14

Please see the following evidence of misuse of such provisions as the above in the UK; the
Committee may wish to ensure that the bill does not make this a possibility in Nigeria:

http://news.bbc.co.uk/1/hi/england/dorset/7341179.stm

http://www.theregister.co.uk/2008/04/11/poole_council_ripa/

http://news.bbc.co.uk/1/hi/england/dorset/7343445.stm

http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html

http://www.out-law.com/page-9956

http://www.vnunet.com/computing/news/2240543/government-announces-review


http://nds.coi.gov.uk/Content/Detail.asp?ReleaseID=398807&NewsAreaID=2

The Committee may wish to compare and contrast the provisions of this Section with
the provisions of Sections 165 – 176 of the Evidence Act dealing with Official and
Privileged Communications to ensure that there is no conflict.

18.   (1)     It shall be the duty of every service provider at the request of any

                        law enforcement agency or at the initiative of the service provider, to provide assistance
                        towards the:

                        (a)   identification, arrest and prosecution of offenders; or

                        (b)   identification, tracing and confiscation of proceeds or any offence or any property,
                                 equipment or device used in the commission of any offence; or

                        (c)   freezing, removal, erasure or cancellation of the services of the offender which
                                 enables the offender to either commit the offence or hide, preserve the proceeds
                                 of any offence or any property, equipment or device used in the commission of
                                 the offence.

            (2)   Any service provider who contravenes the provisions of subsection (1) of this section, commits
                    an offence and shall be liable on conviction, in the case of

                  (a)     service provider, a fine of not less than N5, 000, 00; and

                        (b)   director, manager or officer of the service provider, a fine of not less than N500,000
                                 or imprisonment for a term of not less than 3 years or to both such fine and
                                 imprisonment.

COMMENTS

Page 9, Line 13 – “of” should replace “or”

19.   (1)     Any person who on the internet, intentionally takes or makes use of

                        a name, business name, trademark, domain name or other word of phrase registered,
                        owned or in use by any individual, body corporate or belonging to either the Federal, state
                        or local government without:

                      (a)   authority or right; or

                      (b)   for the purpose of interfering with their use in the internet by the owner; commits an
                               offence under this Bill and shall be liable on conviction to a fine of not less than
                               N100, 000 or imprisonment for a term of not less than 1 year or to both such fine
                               and imprisonment.

            (2)    In the determination of the case against an offender, a court shall have regard to:

                      (a)   a refusal by the offender to relinquish, upon formal request by the rightful owner of
                               the name, trademark, words or phrase; or

                      (b)   an attempt by the offender to obtain compensation in any form for the release to the
                               rightful owner for use in the internet, of the name, business name, trade mark, or
                               words or phrase registered, owned or in use by any individual, body corporate or
                               belonging to either the Federal, State or Local Government of Nigeria.

            (3)    In addition to the penalty specified under this section, the court shall make an order directing
                       the offender to relinquish to the rightful owner.

COMMENTS

Page 9, Line 27 – “or” should replace “of”

Page 9, Line 29 – Should it be limited to Nigerian entities alone? What of Nigeria’s
obligations under international property treaties?

Page 10, Line 14 – should read “make an order directing the offender to relinquish it or them to the
rightful owner”

20.   (1)     Any person, group or organization that intentionally accesses any

                      computer or network for purposes of terrorism, commits an offence and shall be liable on
                      conviction to a fine of not less than N10, 000,000 or a term of imprisonment of not less
                      than 20 years of to both such fine and imprisonment.

      (2)     For the purpose of this section, terrorism means any act which:

                      (a)   may seriously damage a country or an international organization; or

                      (b)   is intended or can reasonably be regarded as having been intended to:

                            (i)      intimidate a population;

                                  (ii)    compel a government or international organization to performance abstain
                                            from performing any act;

                                  (iii)   destabilize or destroy the fundamental political, constitutional; economic or
                                            social structures of a country or any internal organization, or;

                                  (iv)    otherwise influence such government or international organization.

             (c)    Involves or causes, as the case may be to:

               (i)     attaches upon a person is life which may cause death,

               (ii)    attacks upon the integrity of a person;

               (iii)   kidnapping of a person,

               (iv)    destruction of a Government or public facility, including;

                                     an information system, private property, likely to endanger human life or
                                     result in major economic loss.

                           (v)     the manufacture, possession, acquisition, transport, supply, or use of
                                     weapons, explosive nuclear, biological or chemical as well as research
                                     into their development without lawful authority;

                           (vi)    the release of dangerous substance or causing of fires, explosions of flood
                                     the effect of which is to endanger human life;

                           (vii)   interference with or disruption of the supply of water, power or any other
                                      fundamental natural resource, the effect of which is to endanger life; or

                           (viii) propagation of information or information materials whether true or false,
                                    calculated to cause immediate panic, evolve violence.

COMMENTS

Page 10, Lines 23 – 24 – compel a government or international organization to
perform or abstain from performing any act

Page 10, Line 30 – clarification of the statement in this line is sought

21.   Any person who uses any computer to violate any intellectual property rights protected under any law
        or treaty applicable in Nigeria, commits an offence under this Bill and shall be liable on conviction
        to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both
        such fine and imprisonment, in addition to any penalty or relief provided under laws.




COMMENTS

Page 11, Line 15 - The words “any intellectual property rights” are considered to be too
wide. It is also submitted that the penalty should not be uniform for all types of
intellectual property rights but should depend on the type of right infringed.

Intellectual property rights consist of but are not limited to copyrights, patents, designs,
industrial designs, semiconductor design, trade secrets and business know-how, cable
retransmission rights, satellite broadcasting rights, lending rights and rental rights. It is
suggested that the House Committee(s) seriously consider strengthening the existing
intellectual property laws especially the Nigerian Copyright Act.

According to David Bainbridge, “The Copyright, Designs and Patents Act 1988 has been
used increasingly to prosecute computer software pirates and magistrates and judges
are at last taking this form of crime seriously, using custodial sentences in some cases.”
The point we wish to make from this quotation is that it is not wrong to strengthen the
Nigerian Copyright Act to make for prosecution of intellectual property rights violated
using a computer by a computer. If that is done, it is very important that Nigeria
upgrade its laws on database rights to meet what obtains in other climes.

22.   Any person who use any computer to:




            (a)   engage or solicits or entices or compels any minor in any sexual or related act; or

            (b)   engage in, or facilitates any indecent exposure of a minor or creates, possesses or distributes
                    child pornography; or

            (c)   facilitates the commission of a sexual or related act which constitutes an offence under any
                     law for the time being in force in Nigeria, commits an offence and shall be liable on
                     conviction:




                     (i)    in case of paragraph (a), to a time of not less than N3,000,000 or imprisonment for a
                                term of not less than 7 years or to both such fine and imprisonment.




                     (ii)    in case of paragraph ( b, and (c), to a fine of not less than N1,000,000 or
                               imprisonment for a term of not less than 5 years or both such fine and
                               imprisonment.

COMMENTS

Page 11, Line 28 – fine should replace time

23.       Any person who:

      (a)     attempts to commit any offence under this Bill; or

      (b)     does any act preparatory to or in furtherance of the commission of

                     an offence under this Bill; and

            (c)   abets or engages in a conspiracy to commit any offence, commits an offence and shall be liable
                     on conviction to the punishment provided for such an offence, under this Bill.

COMMENTS

Page 12, Lines 4 – 5 – It is unnecessary to split/attempt to differentiate between
“attempts to commit any offence under this Bill” and “does any act preparatory to or in
furtherance of the commission of an offence under this Bill.” Case law does not support
that distinction. Case law seems to indicate that both Section 23(a) and Section 23(b)
are talking about one and the same thing. Please refer to the following cases and
statutes:

           •  R v Eagleton (1855) Dears CC 515,
           •  Section 4 Criminal Code,
           •  Section 508 Criminal Code,
           •  Section 95 Penal Code,
           •  R v Whybrow (1951) 35 Cr App Rep 141 CCA,
           •  R v Robinson (1915) 2 KB 342,
           •  Orija v ICP 1957 NRNLR 189,
           •  DPP v Stonehouse 1977 2 All ER 909,
           •  R v Offiong 1936 3 WACA 83,
           •  Jones v Brooks & Brooks 1968 52 Cr App R 614.

Page 12, Line 7 - 9 – Section 23(c) should read ‘aids or abets’ the commission of an
offence, and should become Section 23(b).

According to National Coal Board v Gamble (1959) 1 QB 11, “a person who supplies
the instrument for a crime or anything essential to its commission aids in the
commission of it; if he does so knowingly and with intent to aid, he abets it as well and
is guilty of aiding and abetting.”

Attorney General’s Reference (No.1 of 1975) 1975 2 All ER 684 noted that “Aiding
and abetting almost inevitably involves a situation in which the secondary party and the
main offender are together at some stage discussing the plans which they may be
making in respect of the alleged offence, and are in contact so that each know what is
passing through the mind of the other.”

The portion of this Section on conspiracy should be separated to form a new Section
23(c) dealing with conspiracy only. This is very important because case law treats aiding
and abetting as a separate crime from conspiracy.

Additionally, the bill as presently worded does not clearly answer the following questions
raised in the book “Criminal Law Cases and Materials” published by Smith and Hogan:

           •  Must a principal conspirator intend to play some part in the agreed course of
              conduct? And what if he doesn’t?
           •  Is “the mere fact of agreement” without intent to carry out the agreement
              enough? This is relevant when law enforcement sets up traps for an accused.
           •  What if the agreement was to be carried out not by a party to the agreement but
              by a third party? Please see R v Hollinshead 1985 2 All ER 701

We consider this a very relevant issue because according to the same book, the common
law position is that: “an agreement will amount to a conspiracy only if carrying it out will
necessarily amount to or involve a commission of an offence by one or more of the
parties to the crime.”

24.       (1)     The president may on the recommendation of the Agency, by order

                         published in the Federal Gazette, designate certain computer systems, networks and
                         information infrastructure vital to the national security of Nigeria of the economic and
                         social well being of its citizens, as constituting critical information infrastructure.

                (2)   The president order in subsection (1) of this section may prescribe standards, guidelines, rules
                         or procedures in respect of:

                         (a)   the registration, protection or presentation of critical information infrastructure;

                         (b)   the general management of critical information infrastructure;

                         (c)   access to, transfer and control of data in any critical information infrastructure;

                    (d)   procedural rules and requirements for securing the integrity and authenticity of data
                             or information contained in any of the information;

                    (e)   procedures or methods to be used in the storage of data or information in critical
                             information infrastructure;

                    (f)   disaster recovery plans in the event of loss of the critical information infrastructure or
                             any part thereof; and

                    (g)   any other matter required for the adequate protection, management and control of
                             data and other resources in any critical information infrastructure.

COMMENTS

None

25.    The president order in section 23 of this Bill may require audits and

            inspection to be carried out on any critical information infrastructure to evaluate compliance with
            the provisions of this Bill.

COMMENTS

None

26.   (1)     Any person who violates any provision as to the critical information

                    infrastructure designated under section 23 of this Bill, commits an offence and shall be
                    liable on conviction to a fine of not less than N15,000,000 or imprisonment of a term of not
                    less than 25 years or both such find and imprisonment.

            (2)   where the offence committed under subsection (1) of this section results in serious bodily
                    injury, the offender shall be liable on conviction to a fine of not less than N20, 000,000 or
                    to imprisonment for a term of 30 years or to both such fine and imprisonment.

            (3)   where the offence committed resulted in death, the offender shall be liable on conviction to
                    imprisonment for life with no option of fine.

COMMENTS

None

27. Nothing in this Bill shall preclude the institution of a civil suit against a person liable under this Bill by
any interested party.

COMMENTS

None

28.   (1)     The Federal High Court or state High Court shall have jurisdiction to try offender under this Bill.

(2) Notwithstanding anything to the contrary, the court shall ensure that all matter brought before it
under this Bill against any person or body corporate are conducted with dispatch and given accelerated
hearing.

            (3)   for the purposes of this Bill, a person shall be subject to prosecution in Nigeria for an offence
                     committed while the offender is physically located either within or outside, if by the
                     conduct of the offender or that of another acting for him;

                  (a)     the offence is committed either wholly or partly within Nigeria;

                        (b)   the act of the offender committed wholly outside Nigeria constitutes a conspiracy to
                                 commit an offence under this Bill within Nigeria; and an act in furtherance of the
                                 conspiracy was committed within Nigeria, either directly by the offender or at his
                                 instigation; or

                        (c)   the act of the offender committed wholly or partly within Nigeria constitutes an
                                 attempt, solicitation or conspiracy to commit offence in another jurisdiction under
                                 the laws of both Nigeria and such other jurisdiction.




      (4)     For the purpose of this section:

                        (a)   an offence or element of the offence is presumed to have been committed in Nigeria
                                 if the offence or any of its elements substantially affects person of interest in
                                 Nigeria;




                        (b)   where any other country claims jurisdiction over an alleged offence which is subject
                                to prosecution in Nigeria as established by this section, the Attorney General of
                                the Federation may consult with such other country with a view to determine the
                                most appropriate jurisdiction for prosecution.

COMMENTS

None

29.   (1)     Pursuant Section (2) of this section, any authorized officer entitled to

                        enforce any provision of this Bill shall have the power to search any premises or computer
                        or network and arrest any person in connection with the offence.

            (2) Subject to National Security Agency Act, an authorized officer of any law enforcement agency,
            upon a reasonable suspicion that an offence has been committed or likely to be committed by any
            person or body corporate, shall have power to:

                        (a)   access and inspect or check the operation of any computer to which this act applies;
                                 or

                        (b)   use or cause to use a computer or any device to search any data contained in or
                                available to any computer or network; or

                        (c)   use any technology to re-transform or decrypt any encrypted data contained in a
                                 computer into readable text or comprehensible format; or

                        (d)   seize or take possession of any computer used in connection with an offence under
                                 this Bill, or

                 (e)    require any person having charge of or otherwise concerned with the operation of
                           any computer in connection with an offence to produce such computer; or

                 (f)    require any person in possession of encrypted data to provide access to any
                          information necessary to decrypt such data;

                 (g)    require any person in authority to release any subscriber or traffic information or any
                           related content; and

                 (h)    relate with any international law enforcement agencies for the purpose of giving or
                           receiving on information or exchanging any data or database for the purpose or
                           investigation and prosecution under this Bill.

                 (i)    The Agency shall have power to cause or direct investigation by any law enforcement
                           agency.

COMMENTS

Page 14, line 11 – The term “any authorised officer” is ambiguous. It is important for
purposes of preventing ambiguity and abuse that the definition given in Section 38 (page
17, Lines 9 - 10) be tightened up. Please refer to our comments on Section 17 above for
reasons.

30.   Any person who:

        (a)   willfully obstructs any law enforcement agency in the exercise of any power under this Bill; or

        (b)   fails to comply with any lawful inquiry or request made by any authorized officer in
                 accordance with the provisions of this Bill, commits an offence and shall be liable on
                 conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3
                 years or to both such fine and imprisonment.




COMMENTS

Page 15, Line 8 – No such word as “willfully”

31.   Notwithstanding anything contained in any enactment or law in Nigeria, an information contained in
        any computer which is printed out on paper, stored, recorded or copied on any media, shall be
        deemed to be primary evidence under this Bill.

COMMENTS

Page 15, lines 15 – 18 In the light of the quote following below taken from the
document Electronic Signature Assurance the Digital Chain-of-Evidence –
Executing Legally Admissible Digitally Signed Records produced by the
Microsoft U.S. National Security Team authored by Jacques R. Francoeur, B. A.
Sc., M.A.Sc., MBA: “Electronic data also presents its own inherent risks and challenges.
Represented by a series of zeros and ones, electronic data can be volatile and unstable.
The ability of data to move between systems, applications and people can make it
difficult to differentiate between “good” (original) and “bad” (manipulated) data.
Furthermore, evidentiary techniques to determine the “provenance” of data, such as
time-of-creation and unchanged state, are often immature or non-existent. To establish
the reliability of electronically signed records, mechanisms must be put in place to
prevent undetected manipulation of the electronic data’s content, and/or
evidence of the time and date created or modified.” (italics ours), we are of the
considered opinion that Section 31 as presently worded has not “put in place”
mechanisms to “prevent undetected manipulation of the electronic data’s content and/or
evidence of the time and date created or modified.”

Michael I. Shamos, Ph.D., J.D. of the Institute for Software Research, School of
Computer Science, Carnegie Mellon University once noted that the purpose of evidence
is to “prove facts” and that “evidence makes the existence of fact that is of consequence
to the case either more or less probable than it would be without the evidence.” In other
words, from our point of view, Section 31 as presently worded raises questions in
relation to the standard of proof for electronic primary evidence.

The statement “notwithstanding anything contained in any enactment or law in Nigeria”
must primarily refer to the Evidence Act. The question that arises then is this: if the
Evidence Act is overridden to make electronic evidence admissible, will the safeguards
such as relevancy, the direct evidence rule, circumstantial evidence rules, authentication
of evidence rules, chain of custody rules, best evidence rule, hearsay evidence rule, etc.
established by the Evidence Act, which was previously overridden, now apply to such
electronic evidence?

We wish to draw the attention of the Committee to the following extract from the US
Federal Rules of Evidence 1001 (3): “if data are stored in a computer or similar device,
any printout or other output readable by sight, shown to reflect the data accurately, is
an ‘original’.” This is known as the Computer “Best Evidence” Rule. In our considered
opinion, Section 31 should be amended to accommodate this rule.

32. (1) Any person who tampers with any evidence in relation to any proceeding under this Bill by
intentionally:

                 (a)    creating, destroying, (mutilating, removing or modifying data or program or any other
                           form of information existing within or outside a computer or network; or

                  (b)   activating or installing or downloading or transmitting a program that is designed to
                          create, destroy, mutilate, remove or modify data, program or any other form of
                          information existing within or outside a computer or network; or

                  (c)   creating, altering, or destroying a password, personal identification number, code or
                           method used to access a computer or network.

                        Commits an offence and shall be liable on conviction to affine of not less than N500,
                          000 or to imprisonment for a term of not less than 3 years or to both such fine and
                          imprisonment.

COMMENTS

None

33.   Criminal proceedings under this Bill shall be instituted by the Agency.

COMMENTS

None

34.   (1)     The court imposing sentence on any person who is convicted of an

                     offences under this Bill may also order that the convicted person forfeits to the federal
                     republic of Nigeria:

                     (a)   any assets, money or property (real or personal) constituting of traceable to gross
                             proceeds of such offence; and




                     (b)   any computer, equipment, software or other technology used or intended to be used
                              to commit or to facilitate the commission of such offence.




            (2)   Any person convicted of an offence under this Bill shall forfeit his passport or international
                    traveling documents to the Federal Republic of Nigeria until he has paid the fines or served
                    the sentence imposed on him




            (3)   Notwithstanding subsection (2) of this section, the court may;

                     (a)   upon the grant of pardon by the president to the convicted person; or

                     (b)    the purposes of allowing the convicted person to travel abroad for medical
                              treatment, having made formal application before the court on that regard; or

                     (c)   in the public interest, direct that the passport or traveling document of the convicted
                               person be released to him.




COMMENTS

Page 16, Line 11 – Did the draftsman really mean to use the word “traveling” or did he
mean “travelling” or “travel”?

35. (1) Without prejudice to section 174 of the Constitution of the Federal Republic of Nigeria, 1999, the
Attorney General may, subject to voluntary admission of the commission of the offence, compound any
offence punishable under this Bill by accepting such amount specified as fine to which the offender would
have been liable if he had been convicted of that offence.

            (2)   Notwithstanding the provision of subjection (1) of this section, the court may order the
                    payment of compensation to any person or body corporate, who suffers damages, injury,
                    or loss as a result of the offence committed.

COMMENTS

None

36.   Where a person is charged with an attempt to commit an offence under this Bill but the evidence
       establishes the commission of the full offence, the offender shall not be entitled to acquittal and
       shall be convicted for the offence and punished under the relevant penalty.

COMMENTS

None

37.   The president may by order published in the Gazette make such rules and regulations as in his opinion
        and on the recommendation of the Agency are necessary to give full effect to the provisions of this
        Bill.

COMMENTS

None

38.   In this Bill,

      “access” includes to gain entry to, instruct, make use of any resources of a computer, computer system
         or network.

      “Agency” means      Cyber Security and Data Protection Agency.

      “Authorized officer” means a person authorized by law to exercise a power this Bill

      “Authority” means express or implied consent to access a computer

                       network, program, data or database, software.

      “Computer” includes any electronic device or computational machinery

                       programmed instruction which has the capabilities of

                        storage, retrieval memory, logic, arithmetic or

                       communication and includes all input, output,

                       processing, storage, communication facilities which

                       are connected or related to such a device in a system

                       or network or control of functions by the manipulation

                       of signals whether electronic, magnetic or optical.




      “computer network” includes the interconnection of computers or computer

                       system

      “Computer program” means data or a set of instructions or statements that

                     when executed in a computer causes computer to

                     perform function.

    “damage” means an impairment to the integrity or availability of data,

                     program or network.

    “data” includes a representation of information, knowledge, facts, concepts

                            or instructions intended to be processed, being

                            processed or has been processed in a network.

    “database name” includes any designation or name registered with the

                     domain registrar as part of an electronic address.

    “intellectual property rights” include any right conferred or granted under

                     any of the following laws or treaties to which Nigeria is

                     a signatory:

                   (a)    Copyright Act, CAP 68. LFN (as amended);

                   (b)    Patents and Designs Act CAP 344, LFN;

                   (c)   Trade Marks Act, CAP LFN;

                   (d)    Berne Connection;

                   (e)    World Intellectual Property Organization (WIPO)

                                           Treaty;

                   (f)    Trade-Related Aspects of Intellectual Property

                                           Rights (TRIPs);

                   (g)    Universal Copyright Convention (UCC); and

                   (h)    Paria Convention (Lisbon Text).




       “internet” means global information system linked by a unique address

                         space base on the internet protocol or its subsequent

                         extensions.

       “intercept” includes the aural or acquisition of the contents of any wire,

                          electronic or oral communication through the use of

                          technical means so as to make some or all the

                          contents of a communication available to a person

                          other than whom it was intended, and includes;




                         (a)     monitoring of such communication by any device;

                         (b)     viewing, examination or inspection of the

                                               contents of any communication; and

                   (c)    diversion of any communication from its intended

                               destination.




    “Law enforcement” agency means any institution created by law and

                               charged with the responsibility of enforcing

                               obedience to our written law.




       “loss” means any reasonable lost to a victim, including the cost of

                                responding to an offence, conducting a damage

                                assessment and restoring the data, program,

                                system or information to its condition prior to the

                                offences and any revenue lost, cost incurred

                                and other consequential damages incurred

                                because of the interruption of service.




    “Minor” means                  a person under 18 years.




    “Modification” means (a) alteration or erasure of the content of any

                                             program, data and data base;

                         (b) any event which occurs to impair the normal

                           operation of a computer;

                         (c) modification is unauthorized if:

                                               (i)   the person that causes the act is not himself entitled to
                                                       determine whether the modification should be made;
                                                       and




                                               (ii) he does not have consent from anybody to modify.




    “Service provider” includes but not limited to;

                   (a)     internet service provider;

                   (b)     communications service provide; and

                   (c)     application service provider.




    “Software” includes any program, data, database, procedure and

                                             associated documentation concerned with the operation of a
                                             computer system.




    “Spamming” means unsolicited electronic mail message having false

                             headers, address and lines.




    “Minister” means minister of information and communication.

COMMENTS

Page 17, Line 6 – 7 – replace “gain entry to, instruct, make” with “gaining entry to,
instructing, making”

Page 17, Line 13 – 18 – The Committee may wish to take a second look at the definition
of “computer”. France, Germany and the UK do not define this term in their equivalent
legislation; however, the United States of America does. Please see the US Computer
Fraud and Abuse Act.

Page 19, Line 8 - 9 – The Committee may wish to take a second look at the definition of
“software.” We propose the inclusion of the words “whether in source code or object
code form” immediately after “program”.

39.   This Bill may be cited as Cyber Security and Data Protection Agency (Establishment etc) Bill, 2008.

COMMENTS

None

CONCLUSION

We are available to provide further support and consulting to the House Committee on
Drugs, Narcotics and Financial Crimes in respect of our submissions above and thank you
for taking the time to go through this and for giving us a chance to participate in the
law-making process.

Yours faithfully
NICHE KONSULT LIMITED




Idara Akpan
CHIEF HACKING OFFICER/DIRECTOR (BUSINESS DEVELOPMENT)
Email:Idara@nichekonsult.com
Mobile: 234 805 547 7646
February 22, 2005

The Director General
Consumer Protection Council
Plot 2215, Herbert Macaulay Way
P.M.B. 5077
Wuse Zone 6
Abuja

Dear Madam,

CPC: A PRIVACY AGENDA - TO BE OR NOT TO BE?

It occurs to us that CPC, Nigeria’s premier consumer protection champion, may need to
revisit her role in relation to securing consumer privacy in the information age in keeping
with Section 37 of the 1999 Constitution.

And to that end, AIIA is interested in working with CPC to create a pro-active privacy
protection agenda to meet the needs of Nigerians. Possible pro-privacy agenda initiatives
include:

   • Creating a Privacy Task Force to develop and implement the Director General’s
     Privacy Agenda
   • Developing a National Privacy Policy
   • The need for privacy awareness campaigns to enlighten the consumer as to what is at
     stake and why and of what CPC is doing in that regard
   • The Task Force should among other things spearhead the drafting of appropriate
     legislation requiring the following:
         o that organizations collecting personal information (whether online or offline)
             create a privacy policy in line with the National Privacy Policy,
         o that a copy of such privacy policy be lodged with the CPC for its necessary
             action,
         o that such privacy policy state clearly what information is being collected, how
             it is stored, where it is stored (whether in Nigeria or elsewhere), how long it is
             stored, how it is intended to be used, and how it is actually used, whether or
             not such information is shared with third parties and on what basis/terms and
             how the information is ultimately disposed of
         o a comprehensive list of privacy breaches and appropriate fines

Thank you for taking matters a step further on our behalf.

Yours faithfully,
A.I.I. ASSOCIATES


Barr. Ime Akpan
PRINCIPAL

PRIVACY: A BURNING CONSUMER ISSUE –
PRIVACY POLICY: A NATIONAL IMPERATIVE –
WANTED: A PRIVACY WATCHDOG

Definition of Privacy
The quality or state of being apart from company or observation. Privacy is closely
related to secrecy, that is, the condition of being concealed or hidden.

Definition of Policy
A definite course or method of action selected from among alternatives and in light
of given conditions to guide and determine present and future decisions.

A high-level overall plan embracing the general goals and acceptable procedure
especially of a governmental body

Definition of Privacy Policy
A high-level overall plan that lists both the goals of and acceptable procedures for
the collection, maintenance, use and disposal of personally identifiable customer
information in the normal course of business.

Two sides of the same coin: “Privacy as Secrecy” or “Privacy as Control”
Privacy as secrecy
Private meaning personal, i.e., known only to ourselves and selected others

Privacy as control
Private meaning control, i.e., known to several others (businesses, governments,
and individuals) but usage is based on the user’s preferences and the user has
control over how his/her information is used

Why Privacy as Secrecy is giving way to Privacy as Control
“You have zero privacy anyway. Get over it.”
        - An Information Technology industry CEO to a group of reporters

The internet is like a spider web. It connects all countries, all governments, all cities,
all homes and all peoples.

Information Technology in general and the internet in particular are creating a “world
without secrets” for individuals, enterprises and governments. In this world,
enormous amounts of structured information (transactions) and unstructured
information (audio, video, and narrative text) are gathered and shared globally by
and among businesses, governments, and individuals.

Many of us are familiar with Orwell’s novel 1984; however, unlike in Orwell’s
totalitarian nightmare scenario, the monster is not Big Brother because government
has no monopoly on technology.

                            © December 20, 2004. All Rights Reserved.
                   AII Associates. Private and Confidential. Distribution Restricted
Niche Konsult Limited Section By Section Analysis Of Cyber Security And Information Protection Agency Bill 2008 Complete Versionv2

  • 1.
  • 2. Page 1 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved NK/NASS/HR/DB/HB154/1 July 15, 2009 Honourable Rabe Nasir Chairman, House Committee on Drugs, Narcotics and Financial Crimes Rm. 3.11, New Wing House of Representatives National Assembly, 3 Arms Zone, Abuja Dear Sir, REVIEW OF DRAFT CYBER SECURITY AND INFORMATION PROTECTION AGENCY (ESTABLISHMENT, ETC) BILL 2008 – A SECTION-BY-SECTION ANALYSIS EXECUTIVE SUMMARY Niche Konsult Limited fully identifies with the aspirations that led the Chairman, House Committee on Drugs, Narcotics and Financial Crimes, the Deputy Chairman/sponsor of the Draft Cyber Security and Information Bill, Honourable Bassey Etim and his colleagues in the three Joint Committees of the House of Representatives assigned the enviable job of fashioning out a cyber security enactment for Nigeria that will stand the test of time to hold this public hearing. Niche Konsult Limited also appreciates the opportunity given its representative to make a brief presentation on the occasion of the holding of the public hearing on the above on July 8, 2009. 
Niche Konsult Limited chooses to style itself Nigeria‟s Information Technology Security Distributor and has partnership affiliations with several of the leading brands in the information technology security space including but not limited to the following:  Absolute Software (developers of the world‟s leading laptop tracking product) http://www.nichekonsult.com/Partners/AbsoluteSoftware/default.aspx  Acunetix (developers of the web application/website vulnerability assessment/management tool - Acunetix Web Vulnerability Scanner) http://www.nichekonsult.com/Partners/Acunetix/Default.aspx  Application Security Incorporated (the leading provider of database security solutions for the enterprise and the developers of DBProtect and AppDetectivePro) http://www.nichekonsult.com/Partners/ApplicationSecurityInc/Default.aspx  Alwil Software (developers of the popular antivirus software known as avast!) http://www.nichekonsult.com/Partners/Avast/default.aspx  BitDefender (a leading global provider of security solutions that satisfies the protection requirements of today‟s computing environment) http://www.bitdefender.com  Core Security (developer of strategic security solutions for Fortune 1000 corporations, government agencies and military organizations) http://www.nichekonsult.com/Partners/CoreSecurity/Default.aspx  eEye (a leading developer of network security products and an active contributor to network security research and education. eEye offers several award-winning solutions including Enterprise Vulnerability Assessment and Remediation Management. eEye products protect the networks and digital assets of thousands of corporate and government entities in over forty countries) http://www.eeye.com
  • 3. Page 2 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved  GFI(GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs) http://www.gfi.com  Kaspersky (develops, produces and distributes information security solutions that protect customers from IT threats and allow enterprises to manage risk.) http://www.nichekonsult.com/Partners/Kaspersky/Default.aspx  McAfee (Provides anti-virus, vulnerability assessment, intrusion prevention,  and client security solutions)http://www.mcafee.com  N-Stalker (developers of the N-Stalker Web Application Security Scanner) http://www.nstalker.com  Panda (one of the world's leading creators and developers of technologies, products and services for keeping clients' IT resources free from viruses and other computer threats at the lowest possible Total Cost of Ownership) http://www.nichekonsult.com/Partners/Panda/Default.aspx  Symantec (Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries.) http://www.symantec.com Niche Konsult Limited has been in the information technology security business since 2002. Between then and now, Niche Konsult Limited has consulted on Information Technology security matters for two electronic cards/payment service providers, two telecommunication service providers and six of Nigeria‟s current 26 banks on Information Technology Security Solutions amongst several other clients in both the private sector and governmental circles. 
Niche Konsult Limited and many of our clients and potential clients are affected by the provisions of this proposed bill and so we have taken time to do as thorough a review of this bill for the benefit of the Committee, our clients and prospects. Immediately below follows our section by section analysis of the merits and demerits of the bill accompanied by suggestions/recommendations for improvement. SECTION-BY-SECTION ANALYSIS 1. (1) There is hereby established a body to be known as Cyber Security and Information Protection Agency (in this Bill referred to as “the Agency”) which shall have such functions as conferred on it by this bill. (2) The Agency: (a) shall be a body corporate with perpetual succession and a common seal; (b) may sue and be sued in its corporate have and may, for the purpose of its functions, acquire, hold or dispose of property; COMMENTS Our comprehensive study of the bill seems to indicate that there are no provisions on “Information Protection” as suggested by the title of this Bill. We consider this a very significant omission/Anomaly. For the purposes of the Committee, we wish to reproduce below the following text entitled “The Data Protection Principles” obtained from Schedule 1 to the UK Data Protection Act of 1998: 1. Personal data shall be
  • 4. Page 3 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. We had wanted to comment extensively in our paper on the Data Protection Provisions of the Bill, but have been forced to hold back. However, we think that it would be an anomaly in fact and law for the proposed agency to be prosecutor/investigator of cybercrimes and regulator of country‟s cyber security space on the one hand and privacy/information/data protection watchdog on the other hand at the same time. 
It is therefore suggested that either a new Data Protection Agency modelled after that in the UK or the Act establishing the Consumer Protection Council be amended to accommodate the functions currently being carried out by the Information Commissioner in Great Britain. We are of the considered opinion that the second option would be the preferred option since it will permit and/or extend the powers of the Consumer Protection Council to cover breaches involving personally identifiable information (PII), a
  • 5. Page 4 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved rampant from of consumer abuse and extend its turf to consumer protection matters in today‟s world of the internet and pervasive telecommunications networks, which developments the CPC Act of 1992 did not envisage nor prepare for and thus match what obtains in the United States of America in which the Federal Trade Commission (FTC) plays similar roles. We wish the committee to note that breaches of data protection laws are also considered to be violations of human rights in several countries including Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden, the United Kingdom and the United States and should also be so in Nigeria. It is our wish that the Committee will recommend to the House that it adopts the attitude of the American Congress which enacted several “Special Statutes” to expand the responsibilities of the FTC with respect to Data Protection. If the House so wishes, it can maintain the current name of the CPC or change its name to Information and Consumer Protection Council (ICPC) or Information and Consumer Protection Agency (ICPA). (Please see attached some documents we sent to the CPC on these matters in February 2005.) 
Until Data Protection provisions are included in our laws, it will not be possible for the House of Representatives to give legal teeth and effect to Section 37 of the 1999 Constitution of Nigeria which states “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

We recommend that the Committee visits the following links for more general information on Data Protection Laws and the role(s) played by the Information Commissioner who heads the UK Data Protection Agency:

http://www.out-law.com/page-10137 which deals with data protection watchdogs urging the European Commission to make sure that outsourcing providers who process personal data are bound by consistent rules irrespective of whether they are based inside or outside the EU

http://www.out-law.com/page-10116 which deals with the breaking of the Data Protection Act by the Manchester City Council when it failed to encrypt laptop computers containing data on nearly two thousand workers. The local authority has promised to ensure all mobile computers are encrypted.

http://www.timesonline.co.uk/tol/news/uk/crime/article6373645.ece which discusses the court case involving Ian Kerr who maintained a construction worker blacklist database but failed to comply with the Data Protection Act which requires that unless very simple processing is done, all organizations handling personally identifiable information (PII) must be registered with the Agency

http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html The UK Information Commissioner's hard knocks on the National Health Service which has been involved in some 140 data security breaches in the last four months.

http://www.out-law.com/page-9965 The UK Information Commissioner comments on complaints and enquiries on Google's Street View service
http://www.theregister.co.uk/2009/04/20/british_council_data_loss/ The UK Information Commissioner's Office comments on the loss of an unencrypted disk containing personally identifiable information on over 2,000 members of staff

In closing our comments on data protection, we would like to call the attention of the Committee to the distinction between a Data Protection Act and a Cyber Crime Act such as the proposed Bill. Lord Hobhouse of Woodborough observed in Regina v Bow Street Metropolitan Stipendiary Magistrate and Another, ex parte Government of the United States of America 2002 2 AC 216: “As Astill J. said in Bignell's Case [1998] 1 Cr.App.R. 1, 12b, the Act of 1990 was enacted to criminalise the 'hacking' of computer systems and the Data Protection Act 1984 was enacted to criminalise improper use of data.”

We look forward to an opportunity to perform/conduct a Section-by-Section analysis on the Data Protection Bill as well.

In respect of the controversy that arose at the public hearing on the utility of creating a new cyber security agency, I wish to draw the attention of the Committee to the following internet links which discuss the establishment of a similar agency in the UK and France:

http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html
http://www.ecommerce-journal.com/news/16770_france_launches_a_new_agency_to_strike_cyber_attacks
http://www.ssi.gouv.fr/IMG/pdf/ANSSI_PRESS_RELEASE.pdf
http://news.cnet.com/8301-1009_3-10272925-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.scmagazineuk.com/UK-cyber-security-strategy-launched/article/139033/
http://www.theregister.co.uk/2009/06/25/uk_cyber_security_strategy/

2.
(1) The Agency shall consist of:
(a) the Chairman of the agency shall be the National Security Adviser;
(b) Executive Vice chairman to be appointed by the president, who shall be:
  (i) a retired or serving member in any security agency of the Federation not below the rank of deputy commissioner of police or it’s equivalent, with cybersecurity experience
  (ii) a lawyer with not less than 10 years post call experience, who must be an expert in cybersecurity
  (iii) responsible for the day to day running of their affairs of the Agency.
(c) a representative each of the following Federal Ministries.
  (i) commerce, industry;
  (ii) science and technology;
  (iii) justice;
(d) The Executive Vice Chairman and members of the Agency, other than ex-officio shall each hold office for a period of four years and may be re-appointed for one further term.
(e) a representative each from the following organizations:
  (i) the department of state security services;
  (ii) the Nigerian police force;
  (iii) the Nigeria communications commission;
  (iv) the Nigeria Security & civil Defence Corps and
(2) Four persons whom:
(a) two must be experts in telecommunication with not less than 10 years experience
(b) two computer scientists with specialization in cyber crime with not less than 10 years experience
(3) The Executive Vice Chairman and four other members of the agency shall be appointed by the president subject to confirmation by the senate.
(4) The Executive Vice Chairman appointed pursuant to sub-section (1) of this section shall be the chief executive of the agency and shall be responsible for the day to day running of its affairs.

COMMENTS

Page 1, Line 7 – missing word after corporate “name”, then a comma after name

Page 1, Line 9 – should read “The Agency shall consist of the following”

Page 1, Line 10 – should read “the Chairman of the Agency who shall be the National Security Adviser”

Page 1, Line 14 – which did the draftsman mean “its” or “it's” – these two words are commonly confused

Page 1, Lines 11 – 18 – What is the rationale for limiting the Office of the Executive Vice Chairman to a “retired or serving member in any security agency of the Federation”? And how do we define the phrase “with cyber security experience”? And how do we measure such experience? If this becomes law as passed, then a large pool of talent has been automatically disenfranchised from this position.
That the head should be a lawyer just makes sense given the fact that this is not just about technology but how technology meets the law and vice versa; there is no objection to lines 16 and 17 as they stand. The Committee is well advised to conduct an audit of all “retired or serving
members in any security agency of the Federation not below the rank of deputy commissioner of police or its equivalent” in order to find how many of them currently have “cyber security experience” to be assured that there will always be a pool of them to draw from.

Page 1, Line 15 – It is important to decide which is preferred “cybersecurity” as one word or “cyber security” as two words. Please see also Page 1, Line 1

Page 2, Line 5 – the word “members” is missing after ex-officio

Page 2, Line 15 – It is important to decide which is preferred “cybercrime” as one word or “cyber security” as two words

Page 2, Line 19 – replace underscore between “sub_section” with “sub-section”

3. (1) A member of the agency may at any time resign his office in writing addressed to the president and may be removed from office because of:
(a) infirmity of mind or body;
(b) permanent incapacity; or
(c) any other reason subject to confirmation by the senate.
(2) Members of the agency shall be paid such allowances as may be determined by the salary and wages Commission.

COMMENTS

None

4. The Agency shall be responsible for the:
(a) enforcement of the provision of this bill
(b) investigation of all cyber crimes
(c) adoption of measures to eradicate the commission of the cyber crimes;
(d) examination of all reported cases of cyber crimes with the views to identifying individuals, corporate organization involve in the commission of the crime;
(e) registration and regulations of service providers in Nigeria with the views to monitor their activities; organizing and undertaking campaigns and other forms of activities as will lead to increased public awareness on the nature and forms of cyber crimes; and
(g) maintaining a liaison with the office of the Attorney General of the Federation, and inspector General of police on the arrest and subsequent prosecution of the offenders.

COMMENTS
Page 2, Line 31 – should read “enforcement of the provisions of this Bill”

Page 3, Line 2 – should read “…to eradicate the commission of cyber crimes”

Page 3, Lines 3 – 5 – How does the House of Representatives purport to handle the conflict between the powers given to the EFCC first under the Advance Fee Fraud and other Related Offences Act No 13 of 1995 (now repealed), and the Advance Fee Fraud and other related Offences (Amendment) Act 2005 (now repealed) and now the Advance Fee Fraud and Other Related Fraud Offences Act 2006 which has placed certain obligations on banks and other financial and designated non financial institutions, telecommunications companies, internet service providers, cybercafé operators, property owners, transporters, etc and which provisions are enforced by the EFCC?

Page 3, Lines 3 – 5 – In line 3 mention is made of “cyber crimes” and in line 5 “the crime”. It is suggested that lines 3 to 5 should read “examination of all reported cases of cybercrimes with a view to identifying individuals, corporate organizations (and not organization) involved (and not involve) in the commission of the crimes (and not crime)”

Page 3, Lines 6 – 9 – The House of Representatives may wish to remember that the Advance Fee Fraud and Other Related Fraud Offences Act 2006 also gave the EFCC the power to register internet service providers and cybercafés. Pursuant to the powers granted the EFCC under that Act, the EFCC held a series of meetings with stakeholders, including the Internet Service Providers Association of Nigeria (ISPAN), Association of Cybercafé and Telecentre Operators of Nigeria (ACTONigeria), Private Telecoms Operators (PTOs) and Global System for Mobile Communication (GSM) operators. Following such meetings a number of resolutions were agreed for immediate implementation: 1.
All Internet Service Providers (ISPs), and cybercafé operators providing services in Nigeria must be registered with the Corporate Affairs Commission (CAC), Nigerian Communications Commission (NCC) and EFCC;
2. All upstream Internet Service Providers rendering services to Internet Service Providers and Cybercafés in Nigeria, must be physically located and be registered and licensed as Internet Services Providers (ISPs) above;
3. All users of Internet services must migrate to Internet Service Providers registered with EFCC and licensed by NCC
4. Registration with EFCC shall be online at www.efccnigeria.org/operators within the periods stated below:
Internet Service Providers: July 25 – September 7, 2006
Cybercafé Operators: September 8 – November 24, 2006
Source: Daily Trust, Tuesday, July 25, 2006 page 32

Bearing in mind the above and the interpretation of “service provider” in Section 38 of this bill (page 19 lines 4 to 7) virtually any organization that provides internet access is required to register. It seems to the undersigned that this provision is unnecessary as it should not be a requirement and indeed is not required for this law to have effect or take effect. To that extent, we think that the first two words of line 6, page 3 should be expunged.

Page 3, Lines 6 – 9 – the word “regulations” should be replaced with “regulation”

Page 3, Line 11 – “Inspector” should replace “inspector”
Page 3, Lines 10 – 12 – It is suggested that the list should be expanded to read: “Maintaining a liaison with the Office of the Attorney General of the Federation, the Inspector General of Police and the Executive Chairman of the Economic and Financial Crimes Commission on the arrest and subsequent prosecution of the offenders.” The rationale for this suggestion is that until this Bill is passed into law, the EFCC has been acknowledged as the premier cybercrime fighting agency and will so be until this Bill makes the proposed “Cyber Security and Information Protection Agency” upstage it. So this suggestion just makes sense for purposes of continuity.

Finally, it is suggested a new sub-section 4(h) be included giving the proposed agency powers to oversee cyber security across the government in the manner and fashion proposed by President Obama in relation to his proposed Cyber Security Coordinator for the White House.

5. (1) In execution of its functions and powers under this Bill, the Agency may appoint:
(a) persons or second officers from government security or law enforcement agencies; and
(b) specialist in the area of communication, science and technology, law, which will assist the agency in the performance of its functions.
(2) The agency may, make staff regulations relating generally to the conditions of service of the employees, and such regulations may provide for:
(a) the appointment, promotion and disciplinary control; and
(b) appeals by such employees against any disciplinary measures taken against them, shall be regulated by the provision of the civil services rules, until such regulations are made.
(3) Service in the agency shall be public service for the purposes of pension Act.

COMMENTS

Page 3, Line 17 – specialists should replace specialist; telecommunications should replace communication

Page 3, Line 26 – Pension should replace pension

6.
The Agency shall maintain a fund which shall consist of:
(a) money to be received from the federal government for the purposes of take off;
(b) proceeds from all activities, services and operations of the Agency.
(c) grants, gifts and donations made to the Agency.
(d) such other sums as may accrue to the Agency.

COMMENTS
None

7. (1) Any person who without authority or in excess of his authority accesses any computer for the purpose of:
(a) securing access to any program; or
(b) data held in that computer; or
(c) committing any act which constitute an offence under any law for time being in force in Nigeria,
commits an offence and shall be liable on conviction:
  (i) in the case of offence in paragraph (a) of this subsection, to a fine of not less than N10,000 or imprisonment for a term of not less than 6 months or to both such fine and imprisonment.
  (ii) For the offence in paragraph (b), to a fine of not less N100, 000 or a term of not less than 1 year or to both such fine and imprisonment.
(2) Where damage or loss is caused to any computer as a result of the commission of an offence under subsection (1) of this section, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.
(3) In pronouncing sentence under this section, the court shall have regard to the extent of damage or loss occasioned by the unlawful act.

COMMENTS

Page 4, lines 2 – 19 – Section 7 creates the offences of “access without authority” or access “in excess of his authority.” It is suggested that a new offence be created and made Section 7(3) and that the present Section 7(3) become Section 7(4).
The proposed new offence is “access with authority for an unauthorised purpose.” To illustrate, imagine a Policeman using his access to police computers to obtain information on a guy who took over his girlfriend, or imagine an officer attached to the Federal Inland Revenue Service using his “access with authority” to snoop on tax files of politically exposed personalities or of other public figures or a civil servant with access to personally identifiable information at the National Identity Management Commission/National Pension Commission misusing his/her “access with authority” in a similar manner. It is submitted that Section 7 as currently constituted does not provide for such a possibility.

The House of Representatives is well advised to study the startling ruling in DPP v Bignell (1998) 1 Cr App R 1 and the public hue and cry that followed that ruling since it affects the issue raised above. To quote the summary of that case provided by David I Bainbridge in his book “Introduction to Computer Law” published by Longman in 2000 on pages 312-313: “Two police officers had used the police national computer to gain access to details of motor cars which they had wanted for private purposes unconnected with their duties as police officers. They were charged with the unauthorised access to computer material offence
under Section 1 of the Computer Misuse Act 1990… From the reported facts of the case, it would seem beyond doubt that the accused police officers had consciously and deliberately misbehaved … by using the police national computer to gain access to information to be used for their own private purposes.” (Italics Ours)

This is very important because insiders have time and again been proved to be the greatest security threat an organization can face.

In the alternative, an entirely new Section should be created for the offence of “access with authority for an unauthorised purpose.”

Page 4, line 6 – constitutes should replace constitute

Page 4, line 10 – did the draftsman mean M10, 000.00 or 10,000 Naira?

Page 4, line 14 – Since the value of a computer is not so much in the hardware but in the software and data resident therein, it is suggested that the words “or its contents” be inserted immediately after computer

8. (1) Any person who, knowingly and without authority or in excess of authority, disclose any:
(a) password;
(b) access code; or
(c) any other means of gaining access to any program data or database held in any computer for any unlawful purpose or gain,
commits an offence and shall be liable on conviction to a fine of not less than N500,000 or to imprisonment for a term of not less than 3 years or to both such find and imprisonment, and in the case of a second or subsequent conviction, to a fine not exceeding N1,000,000 or to imprisonment for a term of not less than 5 years or both such fine and imprisonment.
(2) Where the offence under subsection (1) results in damage or loss, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5years or both such fine and imprisonment.
(3) Any person who with intent to commit any offence under this Act uses any automated means or device or any computer program or software to:
(a) retrieve;
(b) collect; and
(c) store password, access code; or any means of gaining access to any program, date or database held in any computer,
commits an offence and shall be liable on conviction to a fine of N1, 000,000 or to imprisonment for a term of 5 years or to both such fine and imprisonment.

COMMENTS
Page 4, line 21 – discloses should replace disclose

Page 4, line 24 – “any other means of gaining access to any program data or database” should instead read “any other means of gaining access to any program, data, or database”

9. (1) Any person who with intent to defraud send electronic mail message to a recipient, where such electronic mail message materially misrepresents any fact or set of facts upon which reliance the recipient or another person is caused to suffer any damage or loss, commits an offence and shall be liable on conviction to a fine of not less than 5 years or to both such fine and imprisonments.
(2) It shall not operate as a defense for any person charged with an offence under subsection (1) of this section to claim that:
(a) he could not have carried out his intended act; or
(b) it is impossible to execute the ultimate purpose of his intention; or
(c) the object of his deceit is non-existent.
(3) Any person spamming electronic mail messages to receipts with whom he has no previous commercial or transactional relationship commits an offence and shall be liable on conviction to a fine not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
(4) Any person who with intent to commit any offence under this Bill;
(a) uses any automated means, device; or
(b) any computer program, software;
to collect or store electronic mail addresses from any sources whatsoever, commits an offence and shall be liable on conviction to a fine not less than N1,000,000 or to imprisonment for a term not below 5 years or both such fine and imprisonment.

COMMENTS

Page 5, Lines 12 – 31 – Does the wording of Section 9 (1) as presently constituted cover the unsolicited delivery of advertisements via mobile text messages, e-mail, fax and automatic dialling systems or just emails?
Especially when read with the definition of the word “Spamming” as contained in Section 38 under Interpretation (page 19, lines 10 – 11). The use of the words “materially misrepresents any fact or set of facts” is very limiting because an email may not materially misrepresent any fact or sets of facts and yet be spam although not fraudulent. It is suggested that Section 9 be re-drafted to cover both fraudulent and non-fraudulent spam, and to extend to unsolicited communication irrespective of channel such as text messages, email, fax, and automatic dialling systems. This is the position adopted by the Amendment 40 to the Communications Law of Israel. To illustrate that it is necessary to expand the definition of spam, between the date of the public hearing and date, the undersigned has received 12 messages with identical content from a very well-known beer brand in Nigeria
celebrating its 60th anniversary and inviting him to answer 3 questions correctly to win a chance to be a part of the celebration.

Finally, the Bill as presently worded does not make blackmail via email a crime; the Committee would do well to look into this matter with a view to including it in the proposed legislation.

Section 9 (3) is unduly restrictive. This is the case because it is not just Advance Fee Fraud Practitioners that need to reach out to potential targets through the medium of electronic mail messages, even legitimate advertisers often have course. The House of Representatives may wish to take a cue from the “Amendment 40 to the Communications Law of Israel” which permits an advertiser to contact a business recipient just once per recipient with the question whether they agree to receive advertisements from that advertiser. The law also permits an advertiser to send advertisements to the recipient even if they were not explicitly solicited, in cases when prior business relations have existed between the advertiser and the recipient and the recipient is the one who provided his/her mailing/messaging details to the advertiser. But even then – as well as for any case where the recipient has given consent to receiving advertisements – still the recipient has the right, under the law, to inform the advertiser of his refusal to receive any more advertisements. Such refusal notice will cancel the validity of the previous consent. For more information, the committee may wish to refer to http://www.moc.gov.il/sip_storage/FILES/5/1545.pdf

The Israeli law also requires advertisers to include in a commercial message the word "advertisement" and the advertiser's name, address and contact information, including an email address that recipients may use to opt out.
The Israeli law enforces the prior consent requirement which may be in writing or a recorded call to receive electronic mail messages.

The modifications suggested above are required for the law to balance the need to protect citizens and strike a balance with respect to the requirements of legitimate business concerns to advertise.

10. (1) Any person who, with the intent to commit an offence, uses any computer program or software to deliberately block being traced or avoid detection, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such find and imprisonment.
(2) Any person who knowingly accesses any computer and inputs, alters, deletes or suppresses any data resulting in unauthentic data with the intention that such inauthentic data be considered or acted upon as if it were authentic or genuine, whether or not such data is readable or intelligible, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.
(3) Any person who knowingly and without right causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer for the purpose of
conferring any benefits whether for himself or another person, commits an offence and shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.

COMMENTS

Page 6, Lines 1 – 2 – The side note accompanying these lines is most deceptive. It is submitted that it should be renamed/replaced with “Illegitimate/ Illegal use of proxies.”

Page 6, Lines 6, 7 – The side note that is currently situated at Lines 1 and 2 should be moved to Lines 6 and 7.

Page 6, Lines 6 – 12 – The House of Representatives may wish to note that David I Bainbridge in the Fourth Edition of his book “Introduction to Computer Law” observed “The phrase 'computer fraud' is used to describe stealing money or property by means of a computer; that is, using a computer to obtain dishonestly, property (including money and cheques) or credit or services or to evade dishonestly some debt or liability.” In the light of the above description, it is obvious that there is an overlap between the Offences which can be committed under the Advance Fee Fraud and Other Fraud Related Offences Act 2006. In other words, what happens if the offence of obtaining property by false pretence is committed using the computer, the question then arises: 'Which agency investigates'? Which agency prosecutes? Is it the Economic and Financial Crimes Commission? Or the proposed “Cyber Security and Information Protection Agency”? Or both? If both, which agency will act as the lead? This is an area of potential conflict and unwarranted and wasteful duplication of resources which the House of Representatives may wish to address.
In doing so, we recommend studying the provisions of the following UK Acts and cases:
• The Theft Act
• Finance Act 1972
• DPP v Ray (1974) AC 370
• Davies v Flackett (1973) RTR 8
• R v Preddy (1996) AC 815
• Criminal Law Act 1977
• Criminal Attempts Act 1981
• Scott v Metropolitan Police Commissioner (1975) AC 819
• R v Lloyd (1985) 2 All ER 661
• R v Ghosh (1982) QB 1053
• Chan Man-sin v Attorney-General for Hong Kong (1988) 1 All ER 1
• R v Morris (1984) AC 320
• Lawrence v Metropolitan Police Commissioner (1972) AC 626
• R v Mavji (1987) 2 All ER 758
• Computer Misuse Act 1990
• and the equivalent Nigerian Acts

11. (1) Any person who without authority or in excess of authority interferes with any computer network in such a manner as to cause any data or program or software held in any computer within the network to be modified, damaged, suppressed, destroyed, deteriorated or otherwise rendered ineffective, commits an offence and shall be liable on
conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Line 22 – It is suggested that the word “Deteriorated” is out of place and should be deleted, while the word “ineffective” should be replaced with “unusable”.

12. Any person who unlawfully produces, adapts or procures for use, distributes, offers for sale, possesses or uses any devices, including a computer program or a component or performs any of those acts relating to a password, access code or any other similar kind of data, which is designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill, commits an offence and is liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Lines 26 – 31, Page 7, lines 1 – 2 – It is submitted that the House of Representatives should re-consider the text of Section 12 with a view to making a very clear distinction between things that can be used to overcome security measures but which have legitimate uses and things specifically designed to overcome security measures.
The following cases are quite instructive in that regard: Amstrad Consumer Electronics PLC v the British Phonograph Industry Limited (1986) FSR 159, CBS Songs Limited v Amstrad Consumer Electronics PLC (1988) 2 WLR 1191.

To illustrate practically what is meant by the above, Niche Konsult Limited conducts penetration testing as well as offers for sale software and hardware capable of being used to violate some provisions of this Bill, but such software was not “designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill.” On the other hand, the same software/hardware is being legitimately employed by transportation, healthcare, financial institutions, information technology security consultants, payment processors, telecommunication firms, large enterprises, state governments, educational institutions, military academies within and outside Nigeria to conduct comprehensive penetration testing across their infrastructure and applications.

One such solution goes by the name Core Impact Pro and can be used to perform penetration testing* which tells organizations using it:
• what an attacker can definitely do to their network
• by exploiting identified vulnerabilities, just as a hacker would
• leaving little doubt as to what a hacker can do or cannot do and thus eliminating the guesswork involved in protecting their network by providing them with the information they need to effectively prioritize their vulnerabilities.

* Penetration testing is a localized, time-constrained, and authorized attempt to breach the security of a system using attacker techniques. During a penetration test, organizations actually try to replicate in a controlled manner, the kinds of access an intruder or worm could achieve. With a penetration test, network managers can identify what resources are exposed and determine if their current security investments are detecting and preventing attacks.
13. Any person who without authority or in excess of authority intentionally interferes with access to any computer or network so as prevent any:
(a) part of the computer from functioning; or
(b) denying or partially denying any legitimate user of any service of such computer or network;
commits an offence and shall be liable on conviction to a fine of not less than N2,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.

COMMENTS

Page 7, lines 3 – 9 – It is suggested that a new Head Note be added, to be called “Denial of Service/Distributed Denial of Service Attack(s)”

Page 7, line 5 – It is suggested that the words “or network” be inserted immediately after computer

14. Any person who with the intent to deceive or defraud, accesses any computer or network and uses or assumes the identity of another person, commits an offence and shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 7, Lines 10 – 14 – The House of Representatives may wish to compare and contrast the wordings of Section 14 of this Bill with the wordings of Section 202 of the Norwegian Criminal Law (2008 – 2009) which when translated states: “With a fine or imprisonment not exceeding 2 years shall whoever be punished, that without authority possesses of a means of identity of another, or acts with the identity of another or with an identity that easily may be confused with the identity of another person with the intent of (a) procuring an economic benefit for oneself or for another, or (b) causing a loss of property or inconvenience to another person.” Source: http://www.cybercrimelaw.net

15. (1) Every service provider shall keep all traffic, subscriber information or any specific content on its computer or network for such period of time as the Agency may require.
(2) Every service provider shall, at the request of any law enforcement agency: (a) provide the law enforcement agency with any traffic of subscriber information required to be kept under subsection (1) of this section; or (b) preserve, hold or retain any related content. (3) Any law enforcement agency may with warrant issued by a court of competent jurisdiction, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply.
(4) Any data retained, processed or retrieved by the service provider for the law enforcement agency under this Bill, shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction. (5) A person exercising any function under this section shall have due regard to the individual right to privacy under the constitution of the Federal Republic of Nigeria 1999 and shall take appropriate technological and organizational measure to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement. (6) A person or service provider, body corporate who willfully contravenes the provisions of this section commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term not less than 3 years or both fine and imprisonment.

COMMENTS

Page 7, Lines 15 – 17 – There should be a side note “Records Retention for law enforcement”. This also raises the question “who bears the cost?” The service provider or the government? This issue is very important because given the cost of the devices required to fulfil the requirements of this section, small players may be edged out of business. Neither does it make sense in a time of economic gloom such as this to pass on such costs to the end-user. It is also suggested that the words “for such period of time as the Agency may require” be replaced by the words “for two years.” This will be in line with a Directive issued by the European Union on data retention which although not binding on Nigeria is evidence of best practice. That Directive requires retaining such records for a minimum of six months and a maximum of two years.
Page 7, Line 19 – The words “and backed with a warrant issued by a court of competent jurisdiction which shall be issued when there is compelling evidence that a crime is imminent” should be introduced immediately after “agency”. This is required for uniformity of Section 15 (2) (a) with Section 15 (2) (b). It is also required in keeping with international best practice. The House of Representatives may wish to recall the hue and cry over the high-handedness of the EFCC in the recent past, which was made possible by provisions such as the one below, contained in the Advance Fee Fraud and Other Offences Act 2006 under duties of telecommunications and internet service providers and internet cafes: “Any person whose normal course of business involves the provision of non-fixed line or Global System of Mobile Communications (GSM) or is in the management of any such services, shall submit on demand to the Commission such data and information as are necessary or expedient for giving full effect to the performance of the functions of the Commission under this Act.” Inserting the above will provide for much needed checks and balances on the power of the Executive as represented by the proposed agency. The House of Representatives may also wish to consider amending the above provision in the Advance Fee Fraud and Other Offences Act 2006 as well, to allow for checks on the power of the agency by the judicial arm of the government.

Page 7, Line 22 – It is suggested that the words “preserve, hold or retain any related content” be expunged from this bill. What this means in practice is that service providers would be required to keep a copy of every email sent/received, every instant message, every text message, every call made, every web page viewed to mention but a few. Of course, it is not in doubt that service providers already have this information. However,
rather than giving such retention legitimacy, it is recommended that the Committee should consider this an opportunity to enact an electronic communications/email archival legislation which always places the obligation of such archival on the organization sending or receiving the email and not on the service provider, and limit the service provider to retaining only traffic and subscriber information. This will distribute the cost of such data retention much more evenly and reduce the likelihood of the general public thinking that Nigeria's government is desirous of creating a police state. The Committee may also like to note that the UK Communications Bill currently under consideration, which proposes to amend the UK Regulation of Investigatory Powers Act (RIPA), does not propose the retention of content by service providers. It is suggested that the Committee should expunge this provision. Please see:

http://www.examiner.ie/ireland/retention-period-for-phone-data-to-be-cut-96213.html
http://www.siliconrepublic.com/news/article/13407/government/irish-govt-to-retain-all-web-text-and-phone-data-for-two-years
http://www.examiner.ie/ireland/watchdog-concern-at-revenue-data-access-96329.html
http://www.scmagazineuk.com/Government-lines-up-central-database-of-phone-and-internet-records/article/110337/
http://news.bbc.co.uk/2/hi/technology/7410885.stm

The Committee might also like to make very clear what it means by traffic information. The UK Communications Bill and Data Retention Directive help here because they define traffic information to include the initiator of the communication, the recipient of the information, the time of the communication, the duration of the communication, the location of the initiator and the recipient, the type of communication.

Page 7, Line 27 – 30 – It is suggested that the wordings of Section 15 (4) be revisited.
In particular the words “…shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction.” Page 7, Line 31 – The words “or organization” should be inserted immediately after “person” Page 8, Line 5 – No such word as “willfully”, but there is a word “wilfully” 16. (1) A person who intentionally, without authority or in excess of authority intercepts any communication originated, terminated or directed from, at or to any equipment, facilities or services in Nigeria, commits an offence and shall be liable on conviction to; (a) a fine of not less than N500, 000; (b) imprisonment for a term of not less than 10 years; or (c) both such fine and imprisonment.
(2) Notwithstanding the provision of subsection (1) of this section, any service provider, its employee or duly authorized agent may, in the normal course of work, carryout the activity mentioned in section 16 of this Bill.

COMMENTS

None

17. Every service provider shall ensure that any of its equipment, facilities or services that provides a communication is capable of: (a) enabling a law enforcement agency to intercept all communications on its network for the purpose of investigation and prosecution; (b) accessing call data or traffic record; (c) delivering intercepted communications and call data or traffic record in such a format that they may be transmitted by means of equipment, facility or service procured by any law enforcement agency to a location other than the premises of the service provider; and (d) facilitating authorized communications interceptions and access to call data or traffic records unobtrusively with minimum interference with any subscriber’s communication service and in a manner that protects: (i) the privacy and security of communications and call data or traffic records not authorized to be intercepted. (ii) information regarding the interception. (2) A service provider who contravenes the provision of subsection (1) of this section, commits an offence and shall be liable on conviction, in case of; (a) service provider, a fine of not less than N100, 000; and (b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

We appreciate the need to ensure that the equipment deployed by service providers has on-going intercept capabilities, as well as the obligations placed on service providers to enable/facilitate lawful interception and to deliver intercepted communications in the course of a lawful investigation.
The provisions of Section 17 as presently constituted and Section 17(d)(i) and Section 17(d)(ii) notwithstanding, it is sad that the House of Representatives is giving the proposed agency what may be likened to a blank cheque. We are not against lawful interception, but we strongly urge the insertion of the following: “such interception to be carried out by the Agency shall be lawful if accompanied by a warrant issued by a judge of a Federal or State High Court.” Please compare with the UK Regulation of Investigatory Powers Act 2000, Section 2 Interception of Communications Act 1985, Malone v United Kingdom (1984) 7 EHRR 14
Please see evidence of misuse of such provisions as the above in the UK; the Committee may wish to ensure that the bill does not make this a possibility in Nigeria:

http://news.bbc.co.uk/1/hi/england/dorset/7341179.stm
http://www.theregister.co.uk/2008/04/11/poole_council_ripa/
http://news.bbc.co.uk/1/hi/england/dorset/7343445.stm
http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html
http://www.out-law.com/page-9956
http://www.vnunet.com/computing/news/2240543/government-announces-review
http://nds.coi.gov.uk/Content/Detail.asp?ReleaseID=398807&NewsAreaID=2

The Committee may wish to compare and contrast the provisions of this Section with the provisions of Sections 165 – 176 of the Evidence Act dealing with Official and Privileged Communications to ensure that there is no conflict.

18. (1) It shall be the duty of every service provider at the request of any law enforcement agency or at the initiative of the service provider, to provide assistance towards the: (a) identification, arrest and prosecution of offenders; or (b) identification, tracing and confiscation of proceeds or any offence or any property, equipment or device used in the commission of any offence; or (c) freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence or hide, preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence. (2) Any service provider who contravenes the provisions of subsection (1) of this section, commits an offence and shall be liable on conviction, in the case of (a) service provider, a fine of not less than N5, 000, 00; and (b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 9, Line 13 – “of” should replace “or”

19.
(1) Any person who on the internet, intentionally takes or makes use of a name, business name, trademark, domain name or other word of phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, state or local government without:
(a) authority or right; or (b) for the purpose of interfering with their use in the internet by the owner; commits an offence under this Bill and shall be liable on conviction to a fine of not less than N100, 000 or imprisonment for a term of not less than 1 year or to both such fine and imprisonment. (2) In the determination of the case against an offender, a court shall have regard to: (a) a refusal by the offender to relinquish, upon formal request by the rightful owner of the name, trademark, words or phrase; or (b) an attempt by the offender to obtain compensation in any form for the release to the rightful owner for use in the internet, of the name, business name, trade mark, or words or phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, State or Local Government of Nigeria. (3) In addition to the penalty specified under this section, the court shall make an order directing the offender to relinquish to the rightful owner.

COMMENTS

Page 9, Line 27 – “or” should replace “of”

Page 9, Line 29 – Should it be limited to Nigerian entities alone? What of Nigeria's obligations under international property treaties?

Page 10, Line 14 – should read “make an order directing the offender to relinquish it or them to the rightful owner”

20. (1) Any person, group or organization that intentionally accesses any computer or network for purposes of terrorism, commits an offence and shall be liable on conviction to a fine of not less than N10, 000,000 or a term of imprisonment of not less than 20 years of to both such fine and imprisonment.
(2) For the purpose of this section, terrorism means any act which: (a) may seriously damage a country or an international organization; or (b) is intended or can reasonably be regarded as having been intended to: (i) intimidate a population; (ii) compel a government or international organization to performance abstain from performing any act; (iii) destabilize or destroy the fundamental political, constitutional; economic or social structures of a country or any internal organization, or; (iv) otherwise influence such government or international organization. (c) Involves or causes, as the case may be to:
(i) attaches upon a person is life which may cause death, (ii) attacks upon the integrity of a person; (iii) kidnapping of a person, (iv) destruction of a Government or public facility, including; an information system, private property, likely to endanger human life or result in major economic loss. (v) the manufacture, possession, acquisition, transport, supply, or use of weapons, explosive nuclear, biological or chemical as well as research into their development without lawful authority; (vi) the release of dangerous substance or causing of fires, explosions of flood the effect of which is to endanger human life; (vii) interference with or disruption of the supply of water, power or any other fundamental natural resource, the effect of which is to endanger life; or (viii) propagation of information or information materials whether true or false, calculated to cause immediate panic, evolve violence.

COMMENTS

Page 10, Lines 23 – 24 – compel a government or international organization to perform or abstain from performing any act

Page 10, Line 30 – clarification of the statement in this line is sought

21. Any person who uses any computer to violate any intellectual property rights protected under any law or treaty applicable in Nigeria, commits an offence under this Bill and shall be liable on conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment, in addition to any penalty or relief provided under laws.

COMMENTS

Page 11, Line 15 - The words “any intellectual property rights” are considered to be too wide. It is also submitted that the penalty should not be uniform for all types of intellectual property rights but should depend on the type of right infringed.
Intellectual property rights consist of but are not limited to copyrights, patents, designs, industrial designs, semiconductor design, trade secrets and business know-how, cable retransmission rights, satellite broadcasting rights, lending rights and rental rights. It is suggested that the House Committee(s) seriously consider strengthening the existing intellectual property laws especially the Nigerian Copyright Act. According to David Bainbridge, “The Copyright, Designs and Patents Act 1988 has been used increasingly to prosecute computer software pirates and magistrates and judges are at last taking this form of crime seriously, using custodial sentences in some cases.” The point we wish to make from this quotation is that it is not wrong to strengthen the Nigerian Copyright Act to make for prosecution of intellectual property rights violated
using a computer. If that is done, it is very important that Nigeria upgrade its laws on database rights to meet what obtains in other climes.

22. Any person who use any computer to: (a) engage or solicits or entices or compels any minor in any sexual or related act; or (b) engage in, or facilitates any indecent exposure of a minor or creates, possesses or distributes child pornography; or (c) facilitates the commission of a sexual or related act which constitutes an offence under any law for the time being in force in Nigeria, commits an offence and shall be liable on conviction: (i) in case of paragraph (a), to a time of not less than N3,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment. (ii) in case of paragraph ( b, and (c), to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or both such fine and imprisonment.

COMMENTS

Page 11, Line 28 – fine should replace time

23. Any person who: (a) attempts to commit any offence under this Bill; or (b) does any act preparatory to or in furtherance of the commission of an offence under this Bill; and (c) abets or engages in a conspiracy to commit any offence, commits an offence and shall be liable on conviction to the punishment provided for such an offence, under this Bill.

COMMENTS

Page 12, Lines 4 – 5 – It is unnecessary to split/attempt to differentiate between “attempts to commit any offence under this Bill” and “does any act preparatory to or in furtherance of the commission of an offence under this Bill.” Case law does not support that distinction. Case law seems to indicate that both Section 23(a) and Section 23(b) are talking about one and the same thing. Please refer to the following cases and statutes:

- R v Eagleton (1855) Dears CC 515,
- Section 4 Criminal Code,
- Section 508 Criminal Code,
- Section 95 Penal Code,
- R v Whybrow (1951) 35 Cr App Rep 141 CCA,
- R v Robinson (1915) 2 KB 342,
- Orija v ICP 1957 NRNLR 189,
- DPP v Stonehouse 1977 2 All ER 909,
- R v Offiong 1936 3 WACA 83,
- Jones v Brooks & Brooks 1968 52 Cr App R 614.

Page 12, Line 7 - 9 – Section 23(c) should read 'aids or abets' the commission of an offence, and should become Section 23 (b). According to National Coal Board v Gamble (1959) 1 QB 11, “a person who supplies the instrument for a crime or anything essential to its commission aids in the commission of it; if he does so knowingly and with intent to aid, he abets it as well and is guilty of aiding and abetting.” Attorney General’s Reference (No.1 of 1975) 1975 2 All ER 684 noted that “Aiding and abetting almost inevitably involves a situation in which the secondary party and the main offender are together at some stage discussing the plans which they may be making in respect of the alleged offence, and are in contact so that each know what is passing through the mind of the other.”

The portion of this Section on conspiracy should be separated to form a new Section 23(c) dealing with conspiracy only. This is very important because case law treats aiding and abetting as a separate crime from conspiracy. Additionally, the bill as presently worded does not clearly answer the following questions raised in the book “Criminal Law Cases and Materials” published by Smith and Hogan:

- Must a principal conspirator intend to play some part in the agreed course of conduct? And what if he doesn't?
- Is “the mere fact of agreement” without intent to carry out the agreement enough? This is relevant when law enforcement sets up traps for an accused.
- What if the agreement was to be carried out not by a party to the agreement but by a third party?
Please see R v Hollinshead 1985 2 All ER 701 We consider this a very relevant issue because according to the same book, the common law position is that: “an agreement will amount to a conspiracy only if carrying it out will necessarily amount to or involve a commission of an offence by one or more of the parties to the crime.” 24. (1) The president may on the recommendation of the Agency, by order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria of the economic and social well being of its citizens, as constituting critical information infrastructure. (2) The president order in subsection (1) of this section may prescribe standards, guidelines, rules or procedures in respect of: (a) the registration, protection or presentation of critical information infrastructure; (b) the general management of critical information infrastructure; (c) access to, transfer and control of data in any critical information infrastructure;
(d) procedural rules and requirements for securing the integrity and authenticity of data or information contained in any of the information; (e) procedures or methods to be used in the storage of data or information in critical information infrastructure; (f) disaster recovery plans in the event of loss of the critical information infrastructure or any part thereof; and (g) any other matter required for the adequate protection, management and control of data and other resources in any critical information infrastructure.

COMMENTS

None

25. The president order in section 23 of this Bill may require audits and inspection to be carried out on any critical information infrastructure to evaluate compliance with the provisions of this Bill.

COMMENTS

None

26. (1) Any person who violates any provision as to the critical information infrastructure designated under section 23 of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N15,000,000 or imprisonment of a term of not less than 25 years or both such find and imprisonment. (2) where the offence committed under subsection (1) of this section results in serious bodily injury, the offender shall be liable on conviction to a fine of not less than N20, 000,000 or to imprisonment for a term of 30 years or to both such fine and imprisonment. (3) where the offence committed resulted in death, the offender shall be liable on conviction to imprisonment for life with no option of fine.

COMMENTS

None

27. Nothing in this Bill shall preclude the institution of a civil suit against a person liable under this Bill by any interested party.

COMMENTS

None

28. (1) The Federal High Court or state High Court shall have jurisdiction to try offender under this Bill.
(2) Notwithstanding anything to the contrary, the court shall ensure that all matter brought before it under this Bill against any person or body corporate are conducted with dispatch and given accelerated hearing.
(3) for the purposes of this Bill, a person shall be subject to prosecution in Nigeria for an offence committed while the offender is physically located either within or outside, if by the conduct of the offender or that of another acting for him; (a) the offence is committed either wholly or partly within Nigeria; (b) the act of the offender committed wholly outside Nigeria constitutes a conspiracy to commit an offence under this Bill within Nigeria; and an act in furtherance of the conspiracy was committed within Nigeria, either directly by the offender or at his instigation; or (c) the act of the offender committed wholly or partly within Nigeria constitutes an attempt, solicitation or conspiracy to commit offence in another jurisdiction under the laws of both Nigeria and such other jurisdiction. (4) For the purpose of this section: (a) an offence or element of the offence is presumed to have been committed in Nigeria if the offence or any of its elements substantially affects person of interest in Nigeria; (b) where any other country claims jurisdiction over an alleged offence which is subject to prosecution in Nigeria as established by this section, the Attorney General of the Federation may consult with such other country with a view to determine the most appropriate jurisdiction for prosecution.

COMMENTS

None

29. (1) Pursuant Section (2) of this section, any authorized officer entitled to enforce any provision of this Bill shall have the power to search any premises or computer or network and arrest any person in connection with the offence.
(2) Subject to National Security Agency Act, an authorized officer of any law enforcement agency, upon a reasonable suspicion that an offence has been committed or likely to be committed by any person or body corporate, shall have power to: (a) access and inspect or check the operation of any computer to which this act applies; or (b) use or cause to use a computer or any device to search any data contained in or available to any computer or network; or (c) use any technology to re-transform or decrypt any encrypted data contained in a computer into readable text or comprehensible format; or (d) seize or take possession of any computer used in connection with an offence under this Bill, or
(e) require any person having charge of or otherwise concerned with the operation of any computer in connection with an offence to produce such computer; or (f) require any person in possession of encrypted data to provide access to any information necessary to decrypt such data; (g) require any person in authority to release any subscriber or traffic information or any related content; and (h) relate with any international law enforcement agencies for the purpose of giving or receiving on information or exchanging any data or database for the purpose or investigation and prosecution under this Bill. (i) The Agency shall have power to cause or direct investigation by any law enforcement agency.

COMMENTS

Page 14, line 11 – The term “any authorised officer” is ambiguous. It is important for purposes of preventing ambiguity and abuse that the definition given in Section 38 (page 17, Lines 9 – 10) be tightened up. Please refer to our comments on Section 17 above for reasons.

30. Any person who: (a) willfully obstructs any law enforcement agency in the exercise of any power under this Bill; or (b) fails to comply with any lawful inquiry or request made by any authorized officer in accordance with the provisions of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 15, Line 8 – No such word as “willfully”

31. Notwithstanding anything contained in any enactment or law in Nigeria, an information contained in any computer which is printed out on paper, stored, recorded or copied on any media, shall be deemed to be primary evidence under this Bill.
COMMENTS Page 15, lines 15 – 18 In the light of the quote following below taken from the document Electronic Signature Assurance the Digital Chain-of-Evidence – Executing Legally Admissible Digitally Signed Records produced by the Microsoft U.S. National Security Team authored by Jacques R. Francoeur, B. A. Sc., M.A.Sc., MBA: “Electronic data also presents its own inherent risks and challenges. Represented by a series of zeros and ones, electronic data can be volatile and unstable. The ability of data to move between systems, applications and people can make it difficult to differentiate between “good” (original) and “bad” (manipulated) data. Furthermore, evidentiary techniques to determine the “provenance” of data, such as time-of-creation and unchanged state, are often immature or non-existent. To establish
the reliability of electronically signed records, mechanisms must be put in place to prevent undetected manipulation of the electronic data’s content, and/or evidence of the time and date created or modified.” (Italics Ours)

We are of the considered opinion that Section 31 as presently worded has not “put in place” mechanisms to “prevent undetected manipulation of the electronic data's content and/or evidence of the time and date created or modified.” Michael I. Shamos, Ph.D., J.D. of the Institute for Software Research, School of Computer Science, Carnegie Mellon University once noted that the purpose of evidence is to “prove facts” and that “evidence makes the existence of fact that is of consequence to the case either more or less probable than it would be without the evidence.” In other words, from our point of view, Section 31 as presently worded raises questions in relation to the standard of proof for electronic primary evidence.

The statement “notwithstanding anything contained in any enactment or law in Nigeria” must primarily refer to the Evidence Act. The question that arises then is this: if the Evidence Act is overridden to make electronic evidence admissible, will the safeguards such as relevancy, the direct evidence rule, circumstantial evidence rules, authentication of evidence rules, chain of custody rules, best evidence rule, hearsay evidence rule, etc. established by the Evidence Act which was previously overridden now apply to such electronic evidence?

We wish to draw the attention of the Committee to the following extract from the US Federal Rules of Evidence 1001 (3): “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'original'.” This is known as the Computer “Best Evidence” Rule; in our considered opinion, Section 31 should be amended to accommodate this rule.

32.
(1) Any person who tampers with any evidence in relation to any proceeding under this Bill by intentionally: (a) creating, destroying, (mutilating, removing or modifying data or program or any other form of information existing within or outside a computer or network; or (b) activating or installing or downloading or transmitting a program that is designed to create, destroy, mutilate, remove or modify data, program or any other form of information existing within or outside a computer or network; or (c) creating, altering, or destroying a password, personal identification number, code or method used to access a computer or network. Commits an offence and shall be liable on conviction to affine of not less than N500, 000 or to imprisonment for a term of not less than 3 years or to both such fine and imprisonment. COMMENTS None 33. Criminal proceedings under this Bill shall be instituted by the Agency.
COMMENTS

None

34. (1) The court imposing sentence on any person who is convicted of an offences under this Bill may also order that the convicted person forfeits to the federal republic of Nigeria: (a) any assets, money or property (real or personal) constituting of traceable to gross proceeds of such offence; and (b) any computer, equipment, software or other technology used or intended to be used to commit or to facilitate the commission of such offence. (2) Any person convicted of an offence under this Bill shall forfeit his passport or international traveling documents to the Federal Republic of Nigeria until he has paid the fines or served the sentence imposed on him (3) Notwithstanding subsection (2) of this section, the court may; (a) upon the grant of pardon by the president to the convicted person; or (b) the purposes of allowing the convicted person to travel abroad for medical treatment, having made formal application before the court on that regard; or (c) in the public interest, direct that the passport or traveling document of the convicted person be released to him.

COMMENTS

Page 16, Line 11 – Did the draftsman really mean to use the word “travelling” or did he mean “travelling” or “travel”?

35. (1) Without prejudice to section 174 of the Constitution of the Federal Republic of Nigeria, 1999, the Attorney General may, subject to voluntary admission of the commission of the offence, compound any offence punishable under this Bill by accepting such amount specified as fine to which the offender would have been liable if he had been convicted of that offence. (2) Notwithstanding the provision of subjection (1) of this section, the court may order the payment of compensation to any person or body corporate, who suffers damages, injury, or loss as a result of the offence committed.

COMMENTS
None

36. Where a person is charged with an attempt to commit an offence under this Bill but the evidence establishes the commission of the full offence, the offender shall not be entitled to acquittal and shall be convicted for the offence and punished under the relevant penalty.

COMMENTS
None

37. The president may by order published in the Gazette make such rules and regulations as in his opinion and on the recommendation of the Agency are necessary to give full effect to the provisions of this Bill.

COMMENTS
None

38. In this Bill,
“access” includes to gain entry to, instruct, make use of any resources of a computer, computer system or network.
“Agency” means Cyber Security and Data Protection Agency.
“Authorized officer” means a person authorized by law to exercise a power this Bill
“Authority” means express or implied consent to access a computer network, program, data or database, software.
“Computer” includes any electronic device or computational machinery programmed instruction which has the capabilities of storage, retrieval memory, logic, arithmetic or communication and includes all input, output, processing, storage, communication facilities which are connected or related to such a device in a system or network or control of functions by the manipulation of signals whether electronic, magnetic or optical.
“computer network” includes the interconnection of computers or computer system
“Computer program” means data or a set of instructions or statements that
when executed in a computer causes computer to perform function.
“damage” means an impairment to the integrity or availability of data, program or network.
“data” includes a representation of information, knowledge, facts, concepts or instructions intended to be processed, being processed or has been processed in a network.
“database name” includes any designation or name registered with the domain registrar as part of an electronic address.
“intellectual property rights” include any right conferred or granted under any of the following laws or treaties to which Nigeria is a signatory:
(a) Copyright Act, CAP 68. LFN (as amended);
(b) Patents and Designs Act CAP 344, LFN;
(c) Trade Marks Act, CAP LFN;
(d) Berne Connection;
(e) World Intellectual Property Organization (WIPO) Treaty;
(f) Trade-Related Aspects of Intellectual Property Rights (TRIPs);
(g) Universal Copyright Convention (UCC); and
(h) Paria Convention (Lisbon Text).
“internet” means global information system linked by a unique address space base on the internet protocol or its subsequent extensions.
“intercept” includes the aural or acquisition of the contents of any wire, electronic or oral communication through the use of technical means so as to make some or all the contents of a communication available to a person other than whom it was intended, and includes;
(a) monitoring of such communication by any device;
(b) viewing, examination or inspection of the contents of any communication; and
(c) diversion of any communication from its intended destination.
“Law enforcement” agency means any institution created by law and charged with the responsibility of enforcing obedience to our written law.
“loss” means any reasonable lost to a victim, including the cost of responding to an offence, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offences and any revenue lost, cost incurred and other consequential damages incurred because of the interruption of service.
“Minor” means a person under 18 years.
“Modification” means
(a) alteration or erasure of the content of any
program, data and data base;
(b) any event which occurs to impair the normal operation of a computer;
(c) modification is unauthorized if:
(i) the person that causes the act is not himself entitled to determine whether the modification should be made; and
(ii) he does not have consent from anybody to modify.
“Service provider” includes but not limited to;
(a) internet service provider;
(b) communications service provide; and
(c) application service provider.
“Software” includes any program, data, database, procedure and associated documentation concerned with the operation of a computer system.
“Spamming” means unsolicited electronic mail message having false headers, address and lines.
“Minister” means minister of information and communication.

COMMENTS
Page 17, Line 6 – 7 – Replace “gain entry to, instruct, make” with “gaining entry to, instructing, making”.

Page 17, Line 13 – 18 – The Committee may wish to take a second look at the definition of “computer”: France, Germany and the UK do not define this term in their equivalent legislation; however, the United States of America does. Please see the US Computer Fraud and Abuse Act.

Page 19, Line 8 – 9 – The Committee may wish to take a second look at the definition of “software.” We propose the inclusion of the words “whether in source code or object code form” immediately after “program”.

39. This Bill may be cited as Cyber Security and Data Protection Agency (Establishment etc) Bill, 2008.

COMMENTS
None

CONCLUSION

We are available to provide further support and consulting to the House Committee on Drugs, Narcotics and Financial Crimes in respect of our submissions above and thank you for taking the time to go through this and for giving us a chance to participate in the law-making process.

Yours faithfully
NICHE KONSULT LIMITED

Idara Akpan
CHIEF HACKING OFFICER/DIRECTOR (BUSINESS DEVELOPMENT)
Email: Idara@nichekonsult.com
Mobile: 234 805 547 7646

February 22, 2005

The Director General
Consumer Protection Council
Plot 2215, Herbert Macaulay Way
P.M.B. 5077
Wuse Zone 6
Abuja

Dear Madam,

CPC: A PRIVACY AGENDA - TO BE OR NOT TO BE?

It occurs to us that CPC, Nigeria’s premier consumer protection champion, may need to revisit her role in relation to securing consumer privacy in the information age in keeping with Section 37 of the 1999 Constitution. To that end, AIIA is interested in working with CPC to create a pro-active privacy protection agenda to meet the needs of Nigerians.

Possible pro-privacy agenda initiatives include:

• Creating a Privacy Task Force to develop and implement the Director General’s Privacy Agenda
• Developing a National Privacy Policy
• The need for privacy awareness campaigns to enlighten the consumer as to what is at stake and why and of what CPC is doing in that regard
• The Task Force should among other things spearhead the drafting of appropriate legislation requiring the following:
  o that organizations collecting personal information (whether online or offline) create a privacy policy in line with the National Privacy Policy,
  o that a copy of such privacy policy be lodged with the CPC for its necessary action,
  o that such privacy policy state clearly what information is being collected, how it is stored, where it is stored (whether in Nigeria or elsewhere), how long it is stored, how it is intended to be used, and how it is actually used, whether or not such information is shared with third parties and on what basis/terms and how the information is ultimately disposed of
  o a comprehensive list of privacy breaches and appropriate fines

Thank you for taking matters a step further in our behalf.

Yours faithfully,
A.I.I. ASSOCIATES

Barr. Ime Akpan
PRINCIPAL

PRIVACY: A BURNING CONSUMER ISSUE – PRIVACY POLICY: A NATIONAL IMPERATIVE – WANTED: A PRIVACY WATCHDOG

Definition of Privacy
The quality or state of being apart from company or observation. Privacy is closely related to secrecy, that is, the condition of being concealed or hidden.

Definition of Policy
A definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. A high-level overall plan embracing the general goals and acceptable procedure especially of a governmental body.

Definition of Privacy Policy
A high-level overall plan that lists both the goals of and acceptable procedures for the collection, maintenance, use and disposal of personally identifiable customer information in the normal course of business.

Two sides of the same coin: “Privacy as Secrecy” or “Privacy as Control”

Privacy as secrecy
Private meaning personal, i.e., known only to ourselves and selected others.

Privacy as control
Private meaning control, i.e., known to several others (businesses, governments, and individuals) but usage is based on the user’s preferences and the user has control over how his/her information is used.

Why Privacy as Secrecy is giving way to Privacy as Control

“You have zero privacy anyway. Get over it.” - An Information Technology industry CEO to a group of reporters

The internet is like a spider web. It connects all countries, all governments, all cities, all homes and all peoples. Information Technology in general and the internet in particular are creating a “world without secrets” for individuals, enterprises and governments. In this world, enormous amounts of structured information (transactions) and unstructured information (audio, video, and narrative text) are gathered and shared globally by and among businesses, governments, and individuals.

Many of us are familiar with Orwell’s novel 1984; however, unlike in Orwell’s totalitarian nightmare scenario, the monster is not Big Brother because government has no monopoly on technology.

© December 20, 2004. All Rights Reserved. AII Associates. Private and Confidential. Distribution Restricted