Nigeria’s Cybercrime Law Leapfrogs Freedom of Expression

In May, outgoing Nigerian president Goodluck Jonathan signed the Cybercrime Prohibition and Prevention Act into law. The much-awaited legislation was passed by the Senate and House of Representatives in 2014, lacking only presidential approval.

The Act establishes clear punishments for offenses including unlawful access to a computer, unlawful interception of communications, unauthorized modifications of computer data, system interference, misuse of devices, computer-related forgery and fraud, and identity theft and impersonation, as well as child pornography, cyberstalking, cybersquatting, cyberterrorism, racism and xenophobia. It is expected to curb Nigeria’s current practice of losing $2.5 billion a year to cybercrime.

A July 7 conversation on CNBC Africa brought together Niyi Ajao, Executive Director of Technology at the Nigeria Inter-Bank Settlement System (NIBSS); Ayotunde Coker, Managing Director of Rack Centre; and Yemi Saka, Partner of Advisory Service at Ernst & Young West Africa to praise the benefits of the Cybercrime Act for the financial sector. Ajao argued that “the Act we have now has come at the right time.” Saka applauded the legislation as a “right first step to take;" he and Coker advocated that the next step is an education and awareness campaign, to better inform users of how passwords and personal devices can be compromised, and also to let cybercriminals know that their actions will no longer go unnoticed.

The Information Security Society of Africa-Nigeria (ISSAN) responded favorably as well: “We are delighted that Nigeria has joined the few countries in Africa and indeed, the world at large, to have a law which provides effective, unified and comprehensive legal, regulatory and institutional framework for the prohibition, detection, prosecution and punishment of cyber-crime in the country, while also ensuring the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and piracy rights.

“For sure, it is no longer business as usual for cyber criminals. From the petty criminals operating in cybercafés to the big time hackers, email scammers and other computer-based fraudsters, the law stipulates heavy penalties which the criminals should be made aware of before they embark on their ‘suicide’ mission.”

The endless stream of praise, however, has overlooked the Cybercrime Act’s undeniable willingness to compromise freedom of expression and privacy. While there remains some uncertainty as to the final iteration of the law, key clauses in the 2014 legislation include:

• A service provider shall, at the request of the relevant authority referred to in subsection (1) of this section or any law enforcement agency:

(a)    Preserve, hold or retain any traffic data, subscriber information or related content, or

(b)   Release any information required to be kept under subsection (1) of this section (21).

• The right to “order a service provider, through the application of technical means to collect, record, permit, or assist competent authorities with the collection or recording of content data associated with specified communications transmitted by means of a computer system” (22).

• The Attorney-General of the Federation will “provide appropriate legal framework, guidelines and mechanism for the blocking of offensive or inappropriate web-sites” (24).

• The Act applies “outside Nigeria, where the victim of the offence is a citizen or resident of Nigeria” (33).

Nigeria’s Cybercrime Act advocates for conformity with the African Union Conventions on Cybersecurity, which is precisely where it has gone wrong. We said it in February and we’ll say it again: the African Union’s approach to cybersecurity is too vague, gives too much power to states and infringes upon freedom of expression and privacy. Nigeria’s legislation cracks down on cybercrime by creating a surveillance state that requires service providers to collect, record and release information; enables the government to disappear that which is offensive; and even extends Nigeria’s power beyond its boundaries.

The digital age has frequently posited that Africa is unique in its capacity to leapfrog into the technological future; Nigeria’s Cybercrime Act, however, exposes the limitations of this notion. If the solution to unfettered cybercrime is to eliminate human rights, there are clearly some steps that have been overlooked.