Developments in the use of Modern means of electronic communication has radically changed the dynamics of what can be classified as crime. Now more than ever, the internet has taken over almost every sphere of human activity and volumes of transactions financially or otherwise are carried out on the cyberspace. Owing to the continuous advancement of Information Technology (IT), the Cyberspace has witnessed the growth of massive infraction from transactions conducted therein which might give rise to criminal or civil wrong. Drawing a dichotomy on these infractions to attribute to an offender to make him liable criminally or otherwise in cyberspace, especially with the applicability of the “de diminis rule” has resulted in a lot of legal debates. The consideration of these issues has given rise to the development of new criminal regimes across various jurisdictions; creating liability for certain activities in cyberspace.  This article will attempt a perspective to this seeming confusion, especially with the abstract nature of criminalizing offences in the cyberspace and establishing criminal responsibility. It will also attempt to an overview of the extant legislation regulating the Subject matter in Nigeria.

CRIMINAL LIABILITY

Traditional Criminal laws were drafted without envisaging the emergence of trending activities in the cyberspace; therefore the primary problem was the applicability of the existing legislations to cybercrime and to what extent.

It is now settled that a crime is only a crime where it has been specifically written down and a punishment prescribed for such an offence.  Section 36(12) of the 1999 CFRN.  See Aoko v. Fagbemi (1961) 1 ANLR 400.  The realization that traditional Criminal Laws were not sufficient to deal with cybercrimes led to the development of several initiatives to address the issue; the most popular of them being the Council of Europe Convention on Cybercrime 2001 in Budapest, Hungary. The deliberations at this convention eventually led to the development of the Council of Europe on Cybercrime, which is a multi-lateral treaty that responded to the patent inadequacy of legislations criminalizing certain activities occurring on the cyberspace. The convention amongst other things facilitated International cooperation in the prosecution of cybercrime. Following the example of the Council of Europe, many jurisdictions have since enacted legislations whose primary focus is on cybercrime. In Nigeria, the National Assembly in 2015 took the initiative and proactively enacted the Cybercrimes (Prohibition, Prevention ETC) Act of 2015, specifically to address cybercrimes in the country.

 

OVERVIEW OF THE NIGERIA CYBERCRIMES PROHIBITION, PREVENTION ACT 2015

As stated earlier the Cybercrime Act is the extant principal statute regulating cybercrime in Nigeria. The objective of the Act is to ensure the protection of critical national infrastructures and promote cyber security and the protection of computer systems and networks, electronic communications, data and computer programs, IP related issues, etc. One of the most outstanding provisions of this piece of legislation is perhaps the establishment and protection of Critical National Information infrastructure (CNII). The Act provides in Part 2 that the President may by way of an Order, publish in the Gazzette, designate Certain computer systems and/or networks whether physical or virtual, and/or computer programs, computer data and/or traffic data vital to the country that the incapacitation or destruction of or interference with such system and assets would have a debilitating impact on the security, national or economic security, national public health and safety or a combination of these matters as constituting critical National Information Infrastructure. Part 2 equally makes provisions to the effect that the Gazzette establishing the CNII may also prescribe guidelines for the protection, preservation and general management of the CNII. The CNII is not expressly defined in the Act but confers powers on the president acting on the recommendation of the National Security Agency, to designate the Computer Systems or networks which would constitute CNII. This is a laudable approach because technology advances at a very high speed and it is expected that the category of networks which constitute CNII may change rapidly and therefore requires swift legislative response by way of regulation which enjoys the status of subsidiary legislation as opposed to waiting for the whole circle of legislative amendment before the National Assembly. This is very fundamental to the extent that upon the emergence of new technologies which falls within the contemplation of CNII, the Commander-in-Chief designates same as CNII and therefore gets the protection that such critical infrastructure should receive under the Act especially if such technology or technologies are critical to national security, public health or environment.

Also of immense importance is Part 3 of the Act which clearly defines the offences that can be committed in the Cyberspace. The offences are bifurcated into different headings (1) offences against the confidentiality, integrity and availability of Computer data and systems; (2) computer related offences; (3) content-related offences and (4) offences related to the infringement of intellectual property. These headings, encompasses sections which provides for various severe punishments for offences committed within the Cyberspace.

One unique feature of this Act in typical Nigeria legislative regime, is that it is quite contemporary and makes sufficient provision for different forms of common cybercrimes. Albeit so, owing to the dynamic nature of the cyberspace and the fast emergence of new criminal mechanisms, these offences created under it may soon become obsolete. Hence the statute is expected to be as dynamic as possible to keep up with the changing nature of cybercrime. However, it may still be entirely possible to draw parallels with existing crimes under other statutes or under civil liabilities for which there are prescribed punishments. The Statute provides for duties of financial institutions which are enjoined to verify the identity of customers carrying out electronic financial transactions, to apply the Know Your Customer (KYC) principle in carrying out documentation. Where a financial institution fails to properly identify its customer’s identity before executing any electronic instruction commits an offence and shall be liable on conviction to a fine of N5, 000,000.00. Prosecution of offences created under the Act is vested in the relevant law enforcement agencies however, in case of the offences committed under Section 19 and 21 of the Act, the consent of the AGF must be sought and obtained by virtue of Section 47(2) of the Act.

The Act further establishes a Cybercrime Advisory Council whose primary function is to create an enabling environment for members to share intelligence and information on a regular basis and provide recommendations on issues relating to the prevention and combating of cybercrimes and the promotion of cyber security in Nigeria. One concern which can be deduced from these numerous bodies created under the Act is that it will create an overlap in the exercise of their functions and may result in duplicity which might engender confusion.

The primary organ for the enforcement of the Act is the office of the NSA, who shall provide support to all relevant security, intelligence, law enforcement agencies and military services to prevent and combat cybercrime in Nigeria. Interestingly, the Act also provides for the establishment and maintenance of the following (a) National Computer Emergency response Team (CERT) and (b) National Computer Forensics Laboratory. The Functions of these bodies are not provided for, and it is quite confusing; their role in the prohibition and prevention of cybercrime in Nigeria.

 

JURISDICTIONAL ISSUE IN CYBERSPACE

The transformation of this specie of crimes exposes several gaps in the substantive and procedural laws because one of the biggest problems with the application of the traditional criminal law concept to cyberspace is the difficulty of establishing the proper forum. Cybercrimes being sui generis in criminal jurisprudence and because the theft offences are intangible, the issue of sovereignty and jurisdictional conflicts in borderless cyberspace arise. Other consideration of jurisdiction includes the anonymity that internet affords, in addition to the multiple locations that may be involved in committing a single offence. These issues present certain tough questions which the drafters of our legislation failed to apply their minds to in enacting the law, such as cross border jurisdiction and cross border enforcement.  One major concern with jurisdiction in this subject is the dearth of both enforcement mechanism and procedural law provisions. In an attempt to address these issues, the Council of Europe convention on cybercrime provides for international cooperation between member states and sets out the mechanisms by which parties to the convention will assist each other in investigating cybercrimes. The convention was the answer to the jurisdictional issues created by the evolution of the internet. Note that one of the most fundamental tenets of criminal law is that it is tied to national sovereignty. There is therefore an obvious issue of jurisdiction and enforcement given the global character of the internet vis-à-vis the national base exercise of criminal prosecution. Typically, in emerging legislations in this regard, the incorporation of reciprocity in tackling cybercrime amongst countries becomes paramount.  However, in the absence of a soft law by way of an international regulation in a treaty or convention mandating compulsory cooperation, it may be difficult to enforce criminal jurisdiction in the changing era of international relations.  In Nigeria, the Act merely provides for the AGF to make some rules as are necessary for the efficient implementation of the Act including “mutual legal assistance”. How mutual legal assistance will be achieved is a question for debate. Nigeria is not a signatory to any convention on the prevention of cybercrime, therefore it is quite difficult to determine how we may be entitled to mutual legal assistance from another country. It is at the prerogative of any neighboring state to either cooperate or not.