ISSUES CONFRONTING THE EFFECTIVE ADMINISTRATION OF CYBERCRIME LAW IN NIGERIA – JOHN ODEY
The Concept of Cybercrime Law
Cybercrime law identifies standards of acceptable behaviour for information and communication technology (ICT) users; establishes socio-legal sanctions for cybercrime; protects ICT users, in general, and mitigates and/or prevents harm to people, data, systems, services, and infrastructure, in particular; protects human rights; enables the investigation and prosecution of crimes committed online (outside of traditional real-world settings); and facilitates cooperation between countries on cybercrime matters. Cybercrime law provides rules of conduct and standards of behaviour for the use of the Internet, computers, and related digital technologies, and the actions of the public, governmental, and private organizations; rules of evidence and criminal procedure, and other criminal justice matters in cyberspace; and regulation to reduce risk and/or mitigate the harm done to individuals, organizations, and infrastructure, should a cybercrime occur. Accordingly, cybercrime law includes substantive, procedural and preventive law.
Cybercrime law is substantive because no person can be punished for the commission of an offence without an existing law that criminalizes such offence. Thus the Latin maxim nullum crimen sine lege (“no crime without law”). For a criminal act to be worthy of punishment, the offence must be clearly stated with its attendant punishment. Substantive laws therefore define the rights of legal subjects, which include persons, corporate organizations, or the state. The sources of substantive laws are the Acts of parliaments and Codes, State laws, Bye-laws and Judicial Declarations. Substantive cybercrime laws are the specific laws that prohibit and punish cybercrimes in Nigeria. An example of such a law is the Cybercrimes (Prohibition, Prevention, Etc.) Act, 2015. The Act provides an effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria. The Act also ensures the protection of critical national information infrastructure, and promotes cybersecurity and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights.
It should be noted that cybercrime includes traditional, real-world (offline) crimes (e.g., fraud, forgery, organized crime, money-laundering, and theft) perpetrated in cyberspace that are ‘hybrid’ or ‘cyber-enabled’ crimes, as well as ‘new’ or ‘cyber-dependent’ crimes that have been made possible with the advent of the Internet and Internet-enabled digital technologies. It is therefore possible for a single criminal act to constitute an offence both under the cybercrime law and under a ‘non-cybercrime’ law. This means that there could be two laws to punish a single type of offence. For example, the Cybercrime Act as well as the Criminal Code Act provide for the offence of forgery.
Again, cybercrime law is procedural because it prescribes the rules and guidelines to be followed in applying the substantive law to an offender. This procedure guides law enforcement and even the court in handling matters relating to cybercrimes. An important part of the criminal procedure is the criminal procedure rules and the Administration of Criminal Justice Act. Ultimately, procedural cybercrime law includes provisions on jurisdiction and investigative powers, rules of evidence and criminal procedure that relate to data collection, wiretapping, search and seizure, data preservation and data retention. Cybercrime presents certain unique challenges regarding procedure, especially with respect to jurisdiction, investigations, and digital evidence.
Preventive law focuses on regulation and risk mitigation. In the context of cybercrime, preventive legislation seeks to either prevent cybercrime or, at the very least, mitigate the damage resulting from the commission of a cybercrime. Some provisions of the law are not only reactive but also pre-emptive, and they are designed to lessen or mitigate the effect of the commission of cybercrimes. Take, for instance, Part III, subsection 7 of the Cybercrimes Act, 2015, which requires cybercafe operators to register with the Computer Professionals’ Registration Council in addition to registration with the Corporate Affairs Commission. This provision seeks to prevent the commission of cybercrimes through unregistered or untraceable cybercafes. Other laws enable criminal justice agents to identify, investigate, and prosecute cybercrime by ensuring that the necessary tools, measures, and processes are in place to facilitate these actions.
These are laws that are enacted to prevent, prohibit, and punish cybercrimes in Nigeria. In addition, the laws also establish the investigative and prosecuting authorities, set out the competent judicial institution to try offences under them, and establish the regulatory institutions for their effective administration.
Apart from the Cybercrimes Act, 2015, which is the principal legislation, the following are other pieces of legislation bearing indirectly on cybercrimes in Nigeria.
- The Criminal Code Act. For instance, this Act provides for the offences of forgery and fraud, which have great similarity with cyber forgery and cyber fraud as established under the Cybercrime Act.
- The Money Laundering (Prohibition) Act, 2011. For instance, section 2 of this Act provides against the undeclared transfer of funds or securities to and from a foreign country in excess of 10,000 US dollars, which could be effected through the use of the internet.
- Nigeria Data Protection Regulation, 2019.
- Advance Fee Fraud Act, 2006. For instance, section 1 of this Act is the notorious section that law enforcement (EFCC) utilizes in the prosecution of ‘yahoo boys’ – internet scams and fraud.
- Nigeria Communications Act, 2003. For instance, section 146 of this Act imposes a duty on licensees or telecom providers to ensure that measures are put in place to prevent their platforms from being used for the commission of any offence.
Inadequacies and Challenges of the Nigerian Cybercrime Law
The cybercrime law in Nigeria is fraught with so many inadequacies:
First, the way and manner the sections were drafted; and
Second, issues surrounding its enforcement – chiefly because of jurisdiction.
Because cybercrime is a unique type of crime that can be committed from anywhere in the world – cybercrime is not constrained by territory as long as there is the ability to connect to the World Wide Web – it is arduous to investigate and ultimately to prosecute, coupled with the fact that there is a dearth of forensic experts, technical analysts and professionals in the field.
The Cybercrime Act of 2015 (“the Act”) is the first legislation enacted by the National Assembly to directly deal with cybercrimes. This could explain why some of the sections of this law seem so fluid, ambiguous and beset with several loopholes, which could pose serious challenges for law enforcement agencies.
I will first address some technical shortcomings in the provisions of the Cybercrimes Act before finally addressing the jurisdictional issue posed in its enforcement.
The Act is made up of eight parts. My discussion will be limited to Part 3 of the Act, which deals with offences and penalties. It should be noted from the outset that despite the shortcomings of some provisions of this Act, the enactment of the Act is a great relief and its effectiveness in dealing with cybercrime cannot be shrugged off.
Section 6 of Part 3 appears to lump two different offences into one, each requiring different elements of proof. It states that:
“Any person, who without authorization, intentionally accesses in whole or in part, a computer system or network for fraudulent purposes and obtain data that are vital to national security, commits an offence…”
Here, what this section is suggesting is “unlawful access” coupled with “access to a national security component”. Also note the use of the conjunctive word “and” which suggests that for there to be an offence under that section, there must first be an unlawful and fraudulent access to a computer in addition to a relationship of such access with national security. The question would then be – if there were an unlawful access to a computer, either private or government, that is not vital to national security, would there be an offence?
Again, section 8 of Part 3 of the Act criminalises any activity without lawful authority that directly or indirectly “seriously” hinders the functioning of a computer. What constitutes a “serious hindrance”? Would a minor hindrance or a mere attempt to hinder exculpate someone who is charged under that section? This section leaves open the possibility that an accused who is charged under it could successfully argue that his actions are not “serious” enough to ground a conviction.
In a like vein, section 10 of the Act also introduces tampering with critical infrastructure by any person employed by or under a Local Government of Nigeria, private organization, or financial institution with respect to working with any critical infrastructure. What this means is that only persons under the employment of government, private organizations or financial institutions can be guilty under that section. Again, this is a major loophole in the drafting of the legislation.
Section 12 of the Act deals with electronic transmission of data with respect to non-public transmission. In essence, it only relates to interception of transmitted private data and networks, without making provision for public data and without even offering any explanation as to what constitutes “non-public” data. Similarly, section 15 of the Act is too restrictive in that it limits the commission of an offence under it to any person who steals a Financial Institution’s Public Infrastructure Terminal. How about any person who steals a private infrastructural terminal? Perhaps prosecutors could bring a charge of stealing to protect private entities. This, however, does not change the fact that the provision is too restrictive.
Lastly, section 19 of the Act, together with its subsections, is fraught with procedural inconsistency that may lead to a problem of enforcement. It states that no financial institution shall give posting and authorizing access to any single employee and that any person or persons authorized to give access to computer to employees who gives more than one access to any person or persons is guilty of an offence. First, it does not seem to recognize how technical departments work within financial institutions or how computer networks are managed from day to day. An Information Technology (IT) manager, for example, has access to a bank’s computer servers as one of their primary roles and allocates passwords to new and existing members of staff. In doing their job as administrator, where they give out more than one access to computers on the bank’s network, are they caught by this section?
These and more are some legal loopholes inherent in the Act.
The issue of jurisdiction cannot be trivialized. Jurisdiction is so fundamental as it touches right deep into the foundational framework or genesis of a case. Jurisdiction in this context refers to a state’s power and authority to enforce laws and punish noncompliance with laws as it is linked to a state’s sovereignty.
The critical question in relation to cybercrimes is whether it can be said that cybercrime offences lack locus delicti or whether the offences could be said to have multiple locus delicti because the cases are multijurisdictional. It is important to state that law enforcement can carry out an investigation, and the court can adjudicate on a matter, only if they have the power to do so or if they are conferred with jurisdiction on the subject matter or on the legal subject. Cybercrime is not constrained by territorial limitation; as such, an offence can be committed within cyberspace from anywhere around the world, making it extremely hard to identify the locus delicti.
Because of the difficulty posed by the issue of jurisdiction, States utilize some factors to determine jurisdiction, the first of which is the nationality of the offender. A state has the power to exercise jurisdiction over its nationals and can prosecute them even though they commit a crime outside the shores of the State. To this extent, the nationality of an offender may be used to assert jurisdiction over a crime.
A state can further establish jurisdiction because a crime committed in another state (e.g., treason or espionage) impacts the interests and security of the state seeking jurisdiction over the case. Again, any state can establish jurisdiction over certain transnational crimes, such as mass atrocities (e.g., genocide), which are viewed as affecting all human beings irrespective of geographic location, when the state where the crime was committed is unwilling or unable to prosecute the offender.
Lastly, another way to surmount this legal hurdle is through extradition. For this to be effective, there must be an extradition treaty between relevant states to return offenders who have committed crimes within cyberspace for further investigation and prosecution. Section 52 of the Nigerian Extradition Act confers power on the Attorney General of the Federation to request or receive assistance from any agency or authority of a foreign state in the investigation or prosecution of offences and may authorize or participate in any joint investigation or cooperation carried out for detecting, preventing, responding and prosecuting any offence under the Act. Such joint investigation or cooperation may be carried out whether or not any bilateral or multilateral agreements exist between Nigeria and the requested or requesting country.
This provision is laudable as it has the effect of curing the cosmic jurisdictional defect. States are encouraged to collaborate and cooperate with each other in the detection, prevention and fight against cybercrime all over the world. An example is the collaboration between the Economic and Financial Crimes Commission and the FBI in the fight against cybercrime. That collaboration yielded great success and as of 2019, the EFCC has recovered over $314,000 and about N373 million from Internet fraudsters.
There is an extraordinary need for a review of the Cybercrimes Act, 2015 to cure all the defects and loopholes that have been identified in the relevant provisions as well as other provisions not considered in this article. Where there is a major lacuna in the law, criminals and sharp lawyers will not hesitate to hide under those weak and flawed provisions to prevent or escape justice. It also makes the job of the prosecutor and the court extremely tough.
There is an equal need for Nigeria to train more forensic experts and professionals to effectively investigate and prosecute cybercrimes. Countries should be encouraged to enact laws that would enhance international cooperation in the fight against the monstrous lackey of cybercrime.
 John Odey, ESQ, Principal Partner, Situs Partners, Lagos, Nigeria.
 The United Nations Office on Drugs and Crime (UNODC, 2013, p. 52).
 Cybercrime module 3 key issues; The Role of Cybercrime Law, 2019.
 Section 465.
 Part iii, subsection 13.
 UNODC, 2013, p. 55
 Barrister Karl Obayi, Cybercrime Law in Nigeria- Principles and Strategies. 2015, p. 69.
 Mayiwa Imue, The Jurisdiction Challenge in the Enforcement of Cybercrime laws in Nigeria. An ALP NG & Co publication, April 2021. https://www.alp.company/resources/business-advisory/jurisdiction-challenge-enforcement-cybercrime-laws-nigeria
 protective principle under international law
 principle of universality under international law
 Section 1 and 2 of Extradition Act, CAP E25, Volume 6, Laws of the Federation of Nigeria, 2004
 https://guardian.ng/news/efcc-fbi-recover-314000-n373-million-from-internet-fraudsters/ last visited 7th June, 2021.