niche konsult limited section by section analysis of cyber security and information protection...

Upload: niche-konsult-ltd

Post on 18-Nov-2014

DESCRIPTION

A section by section analysis of Nigeria's Cyber Security and Information Protection Agency Bill 2008

TRANSCRIPT

Page 1: Niche Konsult Limited Section By Section Analysis Of Cyber Security And Information Protection Agency Bill 2008 Complete Versionv2

Page 1 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved NK/NASS/HR/DB/HB154/1

July 15, 2009

Honourable Rabe Nasir

Chairman, House Committee on Drugs, Narcotics and Financial Crimes

Rm. 3.11, New Wing

House of Representatives

National Assembly, 3 Arms Zone, Abuja

Dear Sir,

REVIEW OF DRAFT CYBER SECURITY AND INFORMATION PROTECTION AGENCY

(ESTABLISHMENT, ETC) BILL 2008 – A SECTION-BY-SECTION ANALYSIS

EXECUTIVE SUMMARY

Niche Konsult Limited fully identifies with the aspirations that led the Chairman of the House Committee on Drugs, Narcotics and Financial Crimes, the Deputy Chairman and sponsor of the Draft Cyber Security and Information Bill, Honourable Bassey Etim, and his colleagues in the three Joint Committees of the House of Representatives assigned the enviable job of fashioning a cyber security enactment for Nigeria that will stand the test of time, to hold this public hearing.

Niche Konsult Limited also appreciates the opportunity given its representative to make a brief presentation on the occasion of the holding of the public hearing on the above on July 8, 2009.

Niche Konsult Limited chooses to style itself Nigeria's Information Technology Security Distributor and has partnership affiliations with several of the leading brands in the information technology security space, including but not limited to the following:

Absolute Software (developers of the world's leading laptop tracking product) http://www.nichekonsult.com/Partners/AbsoluteSoftware/default.aspx

Acunetix (developers of the web application/website vulnerability assessment/management tool, Acunetix Web Vulnerability Scanner) http://www.nichekonsult.com/Partners/Acunetix/Default.aspx

Application Security Incorporated (the leading provider of database security solutions for the enterprise and the developers of DBProtect and AppDetectivePro) http://www.nichekonsult.com/Partners/ApplicationSecurityInc/Default.aspx

Alwil Software (developers of the popular antivirus software known as avast!) http://www.nichekonsult.com/Partners/Avast/default.aspx

BitDefender (a leading global provider of security solutions that satisfies the protection requirements of today's computing environment) http://www.bitdefender.com

Core Security (developer of strategic security solutions for Fortune 1000 corporations, government agencies and military organizations) http://www.nichekonsult.com/Partners/CoreSecurity/Default.aspx

eEye (a leading developer of network security products and an active contributor to network security research and education. eEye offers several award-winning solutions including Enterprise Vulnerability Assessment and Remediation Management. eEye products protect the networks and digital assets of thousands of corporate and government entities in over forty countries) http://www.eeye.com

GFI (a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs) http://www.gfi.com

Kaspersky (develops, produces and distributes information security solutions that protect customers from IT threats and allow enterprises to manage risk) http://www.nichekonsult.com/Partners/Kaspersky/Default.aspx

McAfee (provides anti-virus, vulnerability assessment, intrusion prevention, and client security solutions) http://www.mcafee.com

N-Stalker (developers of the N-Stalker Web Application Security Scanner) http://www.nstalker.com

Panda (one of the world's leading creators and developers of technologies, products and services for keeping clients' IT resources free from viruses and other computer threats at the lowest possible Total Cost of Ownership) http://www.nichekonsult.com/Partners/Panda/Default.aspx

Symantec (a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries.) http://www.symantec.com

Niche Konsult Limited has been in the information technology security business since 2002. Between then and now, Niche Konsult Limited has consulted on Information Technology security matters for two electronic cards/payment service providers, two telecommunication service providers and six of Nigeria's current 26 banks on Information Technology Security Solutions, amongst several other clients in both the private sector and governmental circles. Niche Konsult Limited and many of our clients and potential clients are affected by the provisions of this proposed bill, and so we have taken time to do as thorough a review of this bill as we could for the benefit of the Committee, our clients and prospects.

Immediately below follows our section by section analysis of the merits and demerits of the bill, accompanied by suggestions/recommendations for improvement.

SECTION-BY-SECTION ANALYSIS

1. (1) There is hereby established a body to be known as Cyber Security and Information Protection Agency (in this Bill referred to as “the Agency”) which shall have such functions as conferred on it by this bill.

(2) The Agency:

(a) shall be a body corporate with perpetual succession and a common seal;

(b) may sue and be sued in its corporate have and may, for the purpose of its functions, acquire, hold or dispose of property;

COMMENTS

Our comprehensive study of the bill seems to indicate that there are no provisions on “Information Protection” as suggested by the title of this Bill. We consider this a very significant omission/anomaly. For the purposes of the Committee, we wish to reproduce below the following text entitled “The Data Protection Principles”, obtained from Schedule 1 to the UK Data Protection Act of 1998:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

We had wanted to comment extensively in our paper on the Data Protection Provisions of the Bill, but have been forced to hold back. However, we think that it would be an anomaly in fact and law for the proposed agency to be prosecutor/investigator of cybercrimes and regulator of the country's cyber security space on the one hand and privacy/information/data protection watchdog on the other hand at the same time. It is therefore suggested that either a new Data Protection Agency modelled after that in the UK be created, or the Act establishing the Consumer Protection Council be amended to accommodate the functions currently being carried out by the Information Commissioner in Great Britain. We are of the considered opinion that the second option would be the preferred option, since it will permit and/or extend the powers of the Consumer Protection Council to cover breaches involving personally identifiable information (PII), a rampant form of consumer abuse, and extend its turf to consumer protection matters in today's world of the internet and pervasive telecommunications networks, developments which the CPC Act of 1992 did not envisage nor prepare for, and thus match what obtains in the United States of America, in which the Federal Trade Commission (FTC) plays similar roles.

We wish the committee to note that breaches of data protection laws are also considered to be violations of human rights in several countries, including Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden, the United Kingdom and the United States, and should also be so in Nigeria.

It is our wish that the Committee will recommend to the House that it adopts the attitude of the American Congress, which enacted several “Special Statutes” to expand the responsibilities of the FTC with respect to Data Protection.

If the House so wishes, it can maintain the current name of the CPC or change its name to Information and Consumer Protection Council (ICPC) or Information and Consumer Protection Agency (ICPA). (Please see attached some documents we sent to the CPC on these matters in February 2005.)

Until Data Protection provisions are included in our laws, it will not be possible for the House of Representatives to give legal teeth and effect to Section 37 of the 1999 Constitution of Nigeria, which states: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

We recommend that the Committee visits the following links for more general information on Data Protection Laws and the role(s) played by the Information Commissioner who heads the UK Data Protection Agency:

http://www.out-law.com/page-10137 which deals with data protection watchdogs urging the European Commission to make sure that outsourcing providers who process personal data are bound by consistent rules irrespective of whether they are based inside or outside the EU

http://www.out-law.com/page-10116 which deals with the breaking of the Data Protection Act by the Manchester City Council when it failed to encrypt laptop computers containing data on nearly two thousand workers. The local authority has promised to ensure all mobile computers are encrypted.

http://www.timesonline.co.uk/tol/news/uk/crime/article6373645.ece which discusses the court case involving Ian Kerr, who maintained a construction worker blacklist database but failed to comply with the Data Protection Act, which requires that unless very simple processing is done, all organizations handling personally identifiable information (PII) must be registered with the Agency

http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html The UK Information Commissioner's hard knocks on the National Health Service, which has been involved in some 140 data security breaches in the last four months.

http://www.out-law.com/page-9965 The UK Information Commissioner comments on complaints and enquiries on Google's Street View service

http://www.theregister.co.uk/2009/04/20/british_council_data_loss/ The UK Information Commissioner's Office comments on the loss of an unencrypted disk containing personally identifiable information on over 2,000 members of staff

In closing our comments on data protection, we would like to call the attention of the Committee to the distinction between a Data Protection Act and a Cyber Crime Act such as the proposed Bill. Lord Hobhouse of Woodborough observed in Regina v Bow Street Metropolitan Stipendiary Magistrate and Another, ex parte Government of the United States of America 2002 2 AC 216:

“As Astill J. said in Bignell's Case [1998] 1 Cr.App.R. 1, 12b, the Act of 1990 was enacted to criminalise the 'hacking' of computer systems and the Data Protection Act 1984 was enacted to criminalise improper use of data.”

We look forward to an opportunity to perform/conduct a Section-by-Section analysis on the Data Protection Bill as well.

In respect of the controversy that arose at the public hearing on the utility of creating a new cyber security agency, I wish to draw the attention of the Committee to the following internet links, which discuss the establishment of a similar agency in the UK and France:

http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html

http://www.ecommerce-journal.com/news/16770_france_launches_a_new_agency_to_strike_cyber_attacks

http://www.ssi.gouv.fr/IMG/pdf/ANSSI_PRESS_RELEASE.pdf

http://news.cnet.com/8301-1009_3-10272925-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

http://www.scmagazineuk.com/UK-cyber-security-strategy-launched/article/139033/

http://www.theregister.co.uk/2009/06/25/uk_cyber_security_strategy/

2. (1) The Agency shall consist of:

(a) the Chairman of the agency shall be the National Security Adviser;

(b) Executive Vice chairman to be appointed by the president, who shall be:

(i) a retired or serving member in any security agency of the Federation not below the rank of deputy commissioner of police or it’s equivalent, with cybersecurity experience

(ii) a lawyer with not less than 10 years post call experience, who must be an expert in cybersecurity

(iii) responsible for the day to day running of their affairs of the Agency.

(c) a representative each of the following Federal Ministries.


(i) commerce, industry;

(ii) science and technology;

(iii) justice;

(d) The Executive Vice Chairman and members of the Agency, other than ex-officio shall each hold office for a period of four years and may be re-appointed for one further term.

(e) a representative each from the following organizations:

(i) the department of state security services;

(ii) the Nigerian police force;

(iii) the Nigeria communications commission;

(iv) the Nigeria Security & civil Defence Corps and

(2) Four persons whom:

(a) two must be experts in telecommunication with not less than 10 years experience

(b) two computer scientists with specialization in cyber crime with not less than 10 years experience

(3) The Executive Vice Chairman and four other members of the agency shall be appointed by the president subject to confirmation by the senate.

(4) The Executive Vice Chairman appointed pursuant to sub-section (1) of this section shall be the chief executive of the agency and shall be responsible for the day to day running of its affairs.

COMMENTS

Page 1, Line 7 – the word “name” is missing after “corporate”, and a comma should follow “name”

Page 1, Line 9 – should read “The Agency shall consist of the following”

Page 1, Line 10 – should read “the Chairman of the Agency who shall be the National Security Adviser”

Page 1, Line 14 – which did the draftsman mean, “its” or “it's”? These two words are commonly confused

Page 1, Lines 11 – 18 – What is the rationale for limiting the Office of the Executive Vice Chairman to a “retired or serving member in any security agency of the Federation”? And how do we define the phrase “with cyber security experience”? And how do we measure such experience? If this becomes law as passed, then a large pool of talent has been automatically disenfranchised from this position. That the head should be a lawyer just makes sense, given the fact that this is not just about technology but about how technology meets the law and vice versa; there is no objection to lines 16 and 17 as they stand. The Committee is well advised to conduct an audit of all “retired or serving members in any security agency of the Federation not below the rank of deputy commissioner of police or its equivalent” in order to find how many of them currently have “cyber security experience”, to be assured that there will always be a pool of them to draw from.

Page 1, Line 15 – It is important to decide which is preferred: “cybersecurity” as one word or “cyber security” as two words. Please see also Page 1, Line 1

Page 2, Line 5 – the word “members” is missing after ex-officio

Page 2, Line 15 – It is important to decide which is preferred: “cybercrime” as one word or “cyber crime” as two words

Page 2, Line 19 – replace the underscore in “sub_section” with a hyphen: “sub-section”

3. (1) A member of the agency may at any time resign his office in writing

addressed to the president and may be removed from office because of:

(a) infirmity of mind or body;

(b) permanent incapacity; or

(c) any other reason subject to confirmation by the senate.

(2) Members of the agency shall be paid such allowances as may be determined by the salary and wages Commission.

COMMENTS

None

4. The Agency shall be responsible for the:

(a) enforcement of the provision of this bill

(b) investigation of all cyber crimes

(c) adoption of measures to eradicate the commission of the cyber crimes;

(d) examination of all reported cases of cyber crimes with the views to identifying individuals, corporate organization involve in the commission of the crime;

(e) registration and regulations of service providers in Nigeria with the views to monitor their activities; organizing and undertaking campaigns and other forms of activities as will lead to increased public awareness on the nature and forms of cyber crimes; and

(g) maintaining a liaison with the office of the Attorney General of the Federation, and inspector General of police on the arrest and subsequent prosecution of the offenders.

COMMENTS

Page 2, Line 31 – should read “enforcement of the provisions of this Bill”

Page 3, Line 2 – should read “…to eradicate the commission of cyber crimes”

Page 3, Lines 3 – 5 – How does the House of Representatives purport to handle the conflict between the powers given to the EFCC, first under the Advance Fee Fraud and other Related Offences Act No 13 of 1995 (now repealed), then the Advance Fee Fraud and other related Offences (Amendment) Act 2005 (now repealed) and now the Advance Fee Fraud and Other Related Fraud Offences Act 2006, which has placed certain obligations on banks and other financial and designated non-financial institutions, telecommunications companies, internet service providers, cybercafé operators, property owners, transporters, etc., and which provisions are enforced by the EFCC?

Page 3, Lines 3 – 5 – In line 3 mention is made of “cyber crimes” and in line 5 of “the crime”. It is suggested that lines 3 to 5 should read “examination of all reported cases of cybercrimes with a view to identifying individuals, corporate organizations (and not organization) involved (and not involve) in the commission of the crimes (and not crime)”

Page 3, Lines 6 – 9 – The House of Representatives may wish to remember that the Advanced Fee Fraud and Other Related Fraud Offences Act 2006 also gave the EFCC the power to register internet service providers and cybercafés. Pursuant to the powers granted the EFCC under that Act, the EFCC held a series of meetings with stakeholders, including the Internet Service Providers Association of Nigeria (ISPAN), Association of Cybercafé and Telecentre Operators of Nigeria (ACTONigeria), Private Telecoms Operators (PTOs) and Global System for Mobile Communication (GSM) operators. Following such meetings a number of resolutions were agreed for immediate implementation:

1. All Internet Service Providers (ISPs) and cybercafé operators providing services in Nigeria must be registered with the Corporate Affairs Commission (CAC), Nigerian Communications Commission (NCC) and EFCC;

2. All upstream Internet Service Providers rendering services to Internet Service Providers and Cybercafés in Nigeria must be physically located and be registered and licensed as Internet Service Providers (ISPs) as above;

3. All users of Internet services must migrate to Internet Service Providers registered with EFCC and licensed by NCC;

4. Registration with EFCC shall be online at www.efccnigeria.org/operators within the periods stated below:

Internet Service Providers: July 25 – September 7, 2006

Cybercafé Operators: September 8 – November 24, 2006

Source: Daily Trust, Tuesday, July 25, 2006, page 32

Bearing in mind the above and the interpretation of “service provider” in Section 38 of this bill (page 19, lines 4 to 7), virtually any organization that provides internet access is required to register. It seems to the undersigned that this provision is unnecessary, as registration should not be a requirement and indeed is not required for this law to have effect or take effect. To that extent, we think that the first two words of line 6, page 3 should be expunged.

Page 3, Lines 6 – 9 – the word “regulations” should be replaced with “regulation”

Page 3, Line 11 – “Inspector” should replace “inspector”

Page 3, Lines 10 – 12 – It is suggested that the list should be expanded to read: “Maintaining a liaison with the Office of the Attorney General of the Federation, the Inspector General of Police and the Executive Chairman of the Economic and Financial Crimes Commission on the arrest and subsequent prosecution of the offenders.” The rationale for this suggestion is that until this Bill is passed into law, the EFCC has been acknowledged as the premier cybercrime fighting agency and will remain so until this Bill makes the proposed “Cyber Security and Information Protection Agency” upstage it. So this suggestion just makes sense for purposes of continuity.

Finally, it is suggested that a new sub-section 4(h) be included giving the proposed agency powers to oversee cyber security across the government in the manner and fashion proposed by President Obama in relation to his proposed Cyber Security Coordinator for the White House.

5. (1) In execution of its functions and powers under this Bill, the Agency

may appoint:

(a) persons or second officers from government security or law enforcement agencies; and

(b) specialist in the area of communication, science and technology, law, which will assist the agency in the performance of its functions.

(2) The agency may, make staff regulations relating generally to the conditions of service of the employees, and such regulations may provide for:

(a) the appointment, promotion and disciplinary control; and

(b) appeals by such employees against any disciplinary measures taken against them, shall be regulated by the provision of the civil services rules, until such regulations are made.

(3) Service in the agency shall be public service for the purposes of pension Act.

COMMENTS

Page 3, Line 17 – specialists should replace specialist; telecommunications should replace communication

Page 3, Line 26 – Pension should replace pension

6. The Agency shall maintain a fund which shall consist of:

(a) money to be received from the federal government for the purposes of take off;

(b) proceeds from all activities, services and operations of the Agency.

(c) grants, gifts and donations made to the Agency.

(d) such other sums as may accrue to the Agency.

COMMENTS

None

7. (1) Any person who without authority or in excess of his authority accesses any computer for the purpose of:

(a) securing access to any program; or

(b) data held in that computer; or

(c) committing any act which constitute an offence under any law for time being in force in Nigeria, commits an offence and shall be liable on conviction:

(i) in the case of offence in paragraph (a) of this subsection, to a fine of not less than N10,000 or imprisonment for a term of not less than 6 months or to both such fine and imprisonment.

(ii) For the offence in paragraph (b), to a fine of not less N100, 000 or a term of not less than 1 year or to both such fine and imprisonment.

(2) Where damage or loss is caused to any computer as a result of the commission of an offence under subsection (1) of this section, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

(3) In pronouncing sentence under this section, the court shall have regard to the extent of damage or loss occasioned by the unlawful act.

COMMENTS

Page 4, lines 2 – 19 – Section 7 creates the offences of “access without authority” or access “in excess of his authority.” It is suggested that a new offence be created and made Section 7(3), and that the present Section 7(3) become Section 7(4).

The proposed new offence is “access with authority for an unauthorised purpose.” To illustrate, imagine a policeman using his access to police computers to obtain information on a guy who took over his girlfriend, or imagine an officer attached to the Federal Inland Revenue Service using his “access with authority” to snoop on the tax files of politically exposed personalities or of other public figures, or a civil servant with access to personally identifiable information at the National Identity Management Commission/National Pension Commission misusing his/her “access with authority” in a similar manner.

It is submitted that Section 7 as currently constituted does not provide for such a possibility. The House of Representatives is well advised to study the startling ruling in DPP v Bignell (1998) 1 Cr App R 1 and the public hue and cry that followed that ruling, since it affects the issue raised above.

To quote the summary of that case provided by David I Bainbridge in his book “Introduction to Computer Law”, published by Longman in 2000, on pages 312-313: “Two police officers had used the police national computer to gain access to details of motor cars which they had wanted for private purposes unconnected with their duties as police officers. They were charged with the unauthorised access to computer material offence under Section 1 of the Computer Misuse Act 1990… From the reported facts of the case, it would seem beyond doubt that the accused police officers had consciously and deliberately misbehaved … by using the police national computer to gain access to information to be used for their own private purposes.” (Italics ours)

This is very important because insiders have time and again been proved to be the greatest security threat an organization can face.

In the alternative, an entirely new Section should be created for the offence of “access with authority for an unauthorised purpose.”

Page 4, line 6 – constitutes should replace constitute

Page 4, line 10 – did the draftsman mean M10, 000.00 or 10,000 Naira

Page 4, line 14 – Since the value of a computer lies not so much in the hardware as in the software and data resident therein, it is suggested that the words “or its contents” be inserted immediately after “computer”

8. (1) Any person who, knowingly and without authority or in excess of

authority, disclose any:

(a) password;

(b) access code; or

(c) any other means of gaining access to any program data or database held in any computer for any unlawful purpose or gain, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or to imprisonment for a term of not less than 3 years or to both such find and imprisonment, and in the case of a second or subsequent conviction, to a fine not exceeding N1,000,000 or to imprisonment for a term of not less than 5 years or both such fine and imprisonment.

(2) Where the offence under subsection (1) results in damage or loss, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5years or both such fine and imprisonment.

(3) Any person who with intent to commit any offence under this Act uses any automated means or device or any computer program or software to:

(a) retrieve;

(b) collect; and

(c) store password, access code; or

any means of gaining access to any program, date or database held in any computer, commits an offence and shall be liable on conviction to a fine of N1, 000,000 or to imprisonment for a term of 5 years or to both such fine and imprisonment.

COMMENTS

Page 4, line 21 – discloses should replace disclose

Page 4, line 24 – “any other means of gaining access to any program data or database” should instead read “any other means of gaining access to any program, data, or database”

9. (1) Any person who with intent to defraud send electronic mail message

to a recipient, where such electronic mail message materially misrepresents any fact or set of facts upon which reliance the recipient or another person is caused to suffer any damage or loss, commits an offence and shall be liable on conviction to a fine of not less than 5 years or to both such fine and imprisonments.

(2) It shall not operate as a defense for any person charged with an offence under subsection (1) of this section to claim that:

(a) he could not have carried out his intended act; or

(b) it is impossible to execute the ultimate purpose of his intention; or

(c) the object of his deceit is non-existent.

(3) Any person spamming electronic mail messages to receipts with whom he has no previous commercial or transactional relationship commits an offence and shall be liable on conviction to a fine not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

(4) Any person who with intent to commit any offence under this Bill;

(a) uses any automated means, device; or

(b) any computer program, software; to collect or store electronic mail addresses from any sources whatsoever, commits an offence and shall be liable on conviction to a fine not less than N1,000,000 or to imprisonment for a term not below 5 years or both such fine and imprisonment.

COMMENTS

Page 5, Lines 12 – 31 Does the wording of Section 9 (1) as presently constituted cover the unsolicited delivery of advertisements via mobile text messages, e-mail, fax and automatic dialling systems, or just emails? Especially when read with the definition of the word “Spamming” as contained in Section 38 under Interpretation (page 19, lines 10 – 11). The use of the words “materially misrepresents any fact or set of facts” is very limiting, because an email may not materially misrepresent any fact or set of facts and yet be spam, although not fraudulent. It is suggested that Section 9 be re-drafted to cover both fraudulent and non-fraudulent spam, and to extend to unsolicited communication irrespective of channel, such as text messages, email, fax and automated dialling systems. This is the position adopted by Amendment 40 to the Communications Law of Israel. To illustrate that it is necessary to expand the definition of spam: between the date of the public hearing and the present, the undersigned has received 12 messages with identical content from a very well-known beer brand in Nigeria celebrating its 60th anniversary and inviting him to answer 3 questions correctly to win a chance to be a part of the celebration.

Finally, the Bill as presently worded does not make blackmail via email a crime; the Committee would do well to look into this matter with a view to including it in the proposed legislation.

Section 9 (3) is unduly restrictive. This is the case because it is not just Advance Fee Fraud practitioners that need to reach out to potential targets through the medium of electronic mail messages; even legitimate advertisers often have cause to do so. The House of Representatives may wish to take a cue from the “Amendment 40 to the Communications Law of Israel”, which permits an advertiser to contact a business recipient just once per recipient with the question whether they agree to receive advertisements from that advertiser.

The law also permits an advertiser to send advertisements to the recipient even if they were not explicitly solicited, in cases where prior business relations have existed between the advertiser and the recipient and the recipient is the one who provided his/her mailing/messaging details to the advertiser. But even then – as well as for any case where the recipient has given consent to receiving advertisements – the recipient still has the right, under the law, to inform the advertiser of his refusal to receive any more advertisements. Such a refusal notice will cancel the validity of the previous consent. For more information, the committee may wish to refer to http://www.moc.gov.il/sip_storage/FILES/5/1545.pdf

The Israeli law also requires advertisers to include in a commercial message the word "advertisement" and the advertiser's name, address and contact information, including an email address that recipients may use to opt out.

The Israeli law also enforces a prior consent requirement for receiving electronic mail messages; such consent may be given in writing or by a recorded call.

The modifications suggested above are required for the law to balance the need to protect citizens against the legitimate requirements of business concerns to advertise.

10. (1) Any person who, with the intent to commit an offence, uses any computer program or software to deliberately block being traced or avoid detection, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such find and imprisonment.

(2) Any person who knowingly accesses any computer and inputs, alters, deletes or suppresses any data resulting in unauthentic data with the intention that such inauthentic data be considered or acted upon as if it were authentic or genuine, whether or not such data is readable or intelligible, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.

(3) Any person who knowingly and without right causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer for the purpose of conferring any benefits whether for himself or another person, commits an offence and shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.

COMMENTS

Page 6, Lines 1 – 2 The side note accompanying these lines is most deceptive. It is submitted that it should be renamed/replaced with “Illegitimate/Illegal use of proxies.”

Page 6, Lines 6, 7 - The side note that is currently situated at Lines 1 and 2 should be moved to Lines 6 and 7.

Page 6, Lines 6 – 12 - The House of Representatives may wish to note that David I Bainbridge, in the Fourth Edition of his book “Introduction to Computer Law”, observed: “The phrase ‘computer fraud’ is used to describe stealing money or property by means of a computer; that is, using a computer to obtain dishonestly, property (including money and cheques) or credit or services or to evade dishonestly some debt or liability.” In the light of the above description, it is obvious that there is an overlap between the offences which can be committed under this Bill and those under the Advance Fee Fraud and Other Fraud Related Offences Act 2006. In other words, if the offence of obtaining property by false pretence is committed using a computer, the question arises: which agency investigates? Which agency prosecutes? Is it the Economic and Financial Crimes Commission? Or the proposed “Cyber Security and Information Protection Agency”? Or both? If both, which agency will act as the lead? This is an area of potential conflict and unwarranted and wasteful duplication of resources which the House of Representatives may wish to address.

In doing so, we recommend studying the provisions of the following UK Acts and cases:

The Theft Act

Finance Act 1972

DPP v Ray (1974) AC 370

Davies v Flackett (1973) RTR 8

R v Preddy (1996) AC 815

Criminal Law Act 1977

Criminal Attempts Act 1981

Scott v Metropolitan Police Commissioner (1975) AC 819

R v Lloyd (1985) 2 All ER 661

R v Ghosh (1982) QB 1053

Chan Man-sin v Attorney-General for Hong Kong (1988) 1 All ER 1

R v Morris (1984) AC 320

Lawrence v Metropolitan Police Commissioner (1972) AC 626

R v Mavji (1987) 2 All ER 758

Computer Misuse Act 1990

and the equivalent Nigerian Acts

11. (1) Any person who without authority or in excess of authority interferes with any computer network in such a manner as to cause any data or program or software held in any computer within the network to be modified, damaged, suppressed, destroyed, deteriorated or otherwise rendered ineffective, commits an offence and shall be liable on conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Line 22 – It is suggested that the word “Deteriorated” is out of place and should be deleted, while the word “ineffective” should be replaced with “unusable”.

12. Any person who unlawfully produces, adapts or procures for use, distributes, offers for sale, possesses or uses any devices, including a computer program or a component or performs any of those acts relating to a password, access code or any other similar kind of data, which is designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill, commits an offence and is liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Lines 26 – 31, Page 7, lines 1 – 2 – It is submitted that the House of Representatives should re-consider the text of Section 12 with a view to making a very clear distinction between things that can be used to overcome security measures but which have legitimate uses and things specifically designed to overcome security measures. The following cases are quite instructive in that regard: Amstrad Consumer Electronics PLC v the British Phonograph Industry Limited (1986) FSR 159; CBS Songs Limited v Amstrad Consumer Electronics PLC (1988) 2 WLR 1191.

To illustrate practically what is meant by the above, Niche Konsult Limited conducts penetration testing as well as offers for sale software and hardware capable of being used to violate some provisions of this Bill, but such software was not “designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill.”

On the other hand, the same software/hardware is being legitimately employed by transportation, healthcare, financial institutions, information technology security consultants, payment processors, telecommunication firms, large enterprises, state governments, educational institutions and military academies within and outside Nigeria to conduct comprehensive penetration testing across their infrastructure and applications.

One such solution goes by the name Core Impact Pro and can be used to perform penetration testing*, which tells organizations using it what an attacker can definitely do to their network by exploiting identified vulnerabilities, just as a hacker would, leaving little doubt as to what a hacker can or cannot do, and thus eliminating the guesswork involved in protecting their network by providing them with the information they need to effectively prioritize their vulnerabilities.

* Penetration testing is a localized, time-constrained, and authorized attempt to breach the security of a system using attacker techniques. During a penetration test, organizations actually try to replicate, in a controlled manner, the kinds of access an intruder or worm could achieve. With a penetration test, network managers can identify what resources are exposed and determine if their current security investments are detecting and preventing attacks.

13. Any person who without authority or in excess of authority intentionally interferes with access to any computer or network so as prevent any:

(a) part of the computer from functioning; or

(b) denying or partially denying any legitimate user of any service of such computer or network; commits an offence and shall be liable on conviction to a fine of not less than N2,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.

COMMENTS

Page 7, lines 3 – 9 It is suggested that a new Head Note be introduced, to be called “Denial of Service/Distributed Denial of Service Attack(s)”.

Page 7, line 5 – It is suggested that the words “or network” be inserted immediately after “computer”.

14. Any person who with the intent to deceive or defraud, accesses any computer or network and uses or assumes the identity of another person, commits an offence and shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 7, Lines 10 – 14 - The House of Representatives may wish to compare and contrast the wording of Section 14 of this Bill with the wording of Section 202 of the Norwegian Criminal Law (2008 – 2009), which when translated states:

“With a fine or imprisonment not exceeding 2 years shall whoever be punished, that without authority possesses of a means of identity of another, or acts with the identity of another or with an identity that easily may be confused with the identity of another person with the intent of (a) procuring an economic benefit for oneself or for another, or (b) causing a loss of property or inconvenience to another person.”

Source: http://www.cybercrimelaw.net

15. (1) Every service provider shall keep all traffic, subscriber information or any specific content on its computer or network for such period of time as the Agency may require.

(2) Every service provider shall, at the request of any law enforcement agency:

(a) provide the law enforcement agency with any traffic of subscriber information required to be kept under subsection (1) of this section; or

(b) preserve, hold or retain any related content.

(3) Any law enforcement agency may with warrant issued by a court of competent jurisdiction, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply.


(4) Any data retained, processed or retrieved by the service provider for the law enforcement agency under this Bill, shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction.

(5) A person exercising any function under this section shall have due regard to the individual right to privacy under the constitution of the Federal Republic of Nigeria 1999 and shall take appropriate technological and organizational measure to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.

(6) A person or service provider, body corporate who willfully contravenes the provisions of this section commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term not less than 3 years or both fine and imprisonment.

COMMENTS

Page 7, Lines 15 – 17 – There should be a side note “Records Retention for law enforcement”. This also raises the question “who bears the cost?” The service provider or the government? This issue is very important because, given the cost of the devices required to fulfil the requirements of this section, small players may be edged out of business. Neither does it make sense in a time of economic gloom such as this to pass on such costs to the end-user. It is also suggested that the words “for such period of time as the Agency may require” be replaced by the words “for two years.” This will be in line with a Directive issued by the European Union on data retention which, although not binding on Nigeria, is evidence of best practice. That Directive requires retaining such records for a minimum of six months and a maximum of two years.

Page 7, Line 19 – The words “and backed with a warrant issued by a court of competent jurisdiction which shall be issued when there is compelling evidence that a crime is imminent” should be introduced immediately after “agency”. This is required for uniformity of Section 15 (2) (a) with Section 15 (2) (b), and to keep in line with international best practice. The House of Representatives may wish to recall the hue and cry over the high-handedness of the EFCC in the recent past, which was made possible by provisions such as the one below, contained in the Advance Fee Fraud and Other Offences Act 2006 under duties of telecommunications and internet service providers and internet cafes: “Any person whose normal course of business involves the provision of non-fixed line or Global System of Mobile Communications (GSM) or is in the management of any such services, shall submit on demand to the Commission such data and information as are necessary or expedient for giving full effect to the performance of the functions of the Commission under this Act.”

Inserting the above will provide for much needed checks and balances on the power of the Executive as represented by the proposed agency. The House of Representatives may also wish to consider amending the above provision in the Advance Fee Fraud and Other Offences Act 2006 as well, to allow for checks on the power of the agency by the judicial arm of the government.

Page 7, Line 22 – It is suggested that the words “preserve, hold or retain any related content” be expunged from this bill. What this means in practice is that service providers would be required to keep a copy of every email sent/received, every instant message, every text message, every call made, every web page viewed, to mention but a few. Of course, it is not in doubt that service providers already have this information. However, rather than giving such retention legitimacy, it is recommended that the Committee should consider this an opportunity to enact electronic communications/email archival legislation which places the obligation of such archival on the organization sending or receiving the email and not on the service provider, and limits the service provider to retaining only traffic and subscriber information. This will distribute the cost of such data retention much more evenly and reduce the likelihood of the general public thinking that Nigeria's government is desirous of creating a police state. The Committee may also like to note that the UK Communications Bill currently under consideration, which proposes to amend the UK Regulation of Investigatory Powers Act (RIPA), does not propose the retention of content by service providers. It is suggested that the Committee should expunge this provision. Please see

http://www.examiner.ie/ireland/retention-period-for-phone-data-to-be-cut-96213.html

http://www.siliconrepublic.com/news/article/13407/government/irish-govt-to-retain-all-web-text-and-phone-data-for-two-years

http://www.examiner.ie/ireland/watchdog-concern-at-revenue-data-access-96329.html

http://www.scmagazineuk.com/Government-lines-up-central-database-of-phone-and-internet-records/article/110337/

http://news.bbc.co.uk/2/hi/technology/7410885.stm

The Committee might also like to make very clear what it means by traffic information. The UK Communications Bill and the Data Retention Directive help here, because they define traffic information to include the initiator of the communication, the recipient of the communication, the time of the communication, the duration of the communication, the location of the initiator and the recipient, and the type of communication.

Page 7, Line 27 – 30 – It is suggested that the wording of Section 15 (4) be revisited, in particular the words “…shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction.”

Page 7, Line 31 – The words “or organization” should be inserted immediately after “person”.

Page 8, Line 5 – No such word as “willfully”, but there is a word “wilfully”

16. (1) A person who intentionally, without authority or in excess of authority intercepts any communication originated, terminated or directed from, at or to any equipment, facilities or services in Nigeria, commits an offence and shall be liable on conviction to;

(a) a fine of not less than N500, 000;

(b) imprisonment for a term of not less than 10 years; or

(c) both such fine and imprisonment.

(2) Notwithstanding the provision of subsection (1) of this section, any service provider, its employee or duly authorized agent may, in the normal course of work, carryout the activity mentioned in section 16 of this Bill.

COMMENTS

None

17. Every service provider shall ensure that any of its equipment, facilities or services that provides a communication is capable of:

(a) enabling a law enforcement agency to intercept all communications on its network for the purpose of investigation and prosecution;

(b) accessing call data or traffic record;

(c) delivering intercepted communications and call data or traffic record in such a format that they may be transmitted by means of equipment, facility or service procured by any law enforcement agency to a location other than the premises of the service provider; and

(d) facilitating authorized communications interceptions and access to call data or traffic records unobtrusively with minimum interference with any subscriber’s communication service and in a manner that protects:

(i) the privacy and security of communications and call data or traffic records not authorized to be intercepted.

(ii) information regarding the interception.

(2) A service provider who contravenes the provision of subsection (1) of this section, commits an offence and shall be liable on conviction, in case of;

(a) service provider, a fine of not less than N100, 000; and

(b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

We appreciate the need to ensure that the equipment deployed by service providers has on-going intercept capabilities, as well as the obligations placed on service providers to enable/facilitate lawful interception and to deliver intercepted communications in the course of a lawful investigation.

The provisions of Section 17 as presently constituted and Section 17(d)(i) and Section 17(d)(ii) notwithstanding, it is sad that the House of Representatives is giving the proposed agency what may be likened to a blank cheque. We are not against lawful interception, but we strongly urge the insertion of the following: “such interception to be carried out by the Agency shall be lawful if accompanied by a warrant issued by a judge of a Federal or State High Court.”

Please compare with the UK Regulation of Investigatory Powers Act 2000, Section 2 Interception of Communications Act 1985, Malone v United Kingdom (1984) 7 EHRR 14

Please see the evidence below of misuse of such provisions in the UK; the Committee may wish to ensure that the bill does not make this a possibility in Nigeria:

http://news.bbc.co.uk/1/hi/england/dorset/7341179.stm

http://www.theregister.co.uk/2008/04/11/poole_council_ripa/

http://news.bbc.co.uk/1/hi/england/dorset/7343445.stm

http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html

http://www.out-law.com/page-9956

http://www.vnunet.com/computing/news/2240543/government-announces-review

http://nds.coi.gov.uk/Content/Detail.asp?ReleaseID=398807&NewsAreaID=2

The Committee may wish to compare and contrast the provisions of this Section with the provisions of Sections 165 – 176 of the Evidence Act dealing with Official and Privileged Communications, to ensure that there is no conflict.

18. (1) It shall be the duty of every service provider at the request of any law enforcement agency or at the initiative of the service provider, to provide assistance towards the:

(a) identification, arrest and prosecution of offenders; or

(b) identification, tracing and confiscation of proceeds or any offence or any property, equipment or device used in the commission of any offence; or

(c) freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence or hide, preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence.

(2) Any service provider who contravenes the provisions of subsection (1) of this section, commits an offence and shall be liable on conviction, in the case of

(a) service provider, a fine of not less than N5, 000, 00; and

(b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 9, Line13 – “of” should replace “or”

19. (1) Any person who on the internet, intentionally takes or makes use of a name, business name, trademark, domain name or other word of phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, state or local government without:


(a) authority or right; or

(b) for the purpose of interfering with their use in the internet by the owner; commits an offence under this Bill and shall be liable on conviction to a fine of not less than N100, 000 or imprisonment for a term of not less than 1 year or to both such fine and imprisonment.

(2) In the determination of the case against an offender, a court shall have regard to:

(a) a refusal by the offender to relinquish, upon formal request by the rightful owner of the name, trademark, words or phrase; or

(b) an attempt by the offender to obtain compensation in any form for the release to the rightful owner for use in the internet, of the name, business name, trade mark, or words or phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, State or Local Government of Nigeria.

(3) In addition to the penalty specified under this section, the court shall make an order directing the offender to relinquish to the rightful owner.

COMMENTS

Page 9, Line 27 – “or” should replace “of”

Page 9, Line 29 – should it be limited to Nigerian entities alone? What of Nigeria's obligations under international intellectual property treaties?

Page 10, Line 14 – should read “make an order directing the offender to relinquish it or them to the rightful owner”

20. (1) Any person, group or organization that intentionally accesses any computer or network for purposes of terrorism, commits an offence and shall be liable on conviction to a fine of not less than N10, 000,000 or a term of imprisonment of not less than 20 years of to both such fine and imprisonment.

(2) For the purpose of this section, terrorism means any act which:

(a) may seriously damage a country or an international organization; or

(b) is intended or can reasonably be regarded as having been intended to:

(i) intimidate a population;

(ii) compel a government or international organization to performance abstain from performing any act;

(iii) destabilize or destroy the fundamental political, constitutional; economic or social structures of a country or any internal organization, or;

(iv) otherwise influence such government or international organization.

(c) Involves or causes, as the case may be to:

(i) attaches upon a person is life which may cause death,

(ii) attacks upon the integrity of a person;

(iii) kidnapping of a person,

(iv) destruction of a Government or public facility, including;

an information system, private property, likely to endanger human life or result in major economic loss.

(v) the manufacture, possession, acquisition, transport, supply, or use of weapons, explosive nuclear, biological or chemical as well as research into their development without lawful authority;

(vi) the release of dangerous substance or causing of fires, explosions of flood the effect of which is to endanger human life;

(vii) interference with or disruption of the supply of water, power or any other fundamental natural resource, the effect of which is to endanger life; or

(viii) propagation of information or information materials whether true or false, calculated to cause immediate panic, evolve violence.

COMMENTS

Page 10, Lines 23 – 24 – should read “compel a government or international organization to perform or abstain from performing any act”

Page 10, Line 30 – clarification of the statement in this line is sought

21. Any person who uses any computer to violate any intellectual property rights protected under any law or treaty applicable in Nigeria, commits an offence under this Bill and shall be liable on conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment, in addition to any penalty or relief provided under laws.

COMMENTS

Page 11, Line 15 - The words “any intellectual property rights” are considered to be too wide. It is also submitted that the penalty should not be uniform for all types of intellectual property rights but should depend on the type of right infringed.

Intellectual property rights consist of, but are not limited to, copyrights, patents, designs, industrial designs, semiconductor design, trade secrets and business know-how, cable retransmission rights, satellite broadcasting rights, lending rights and rental rights. It is suggested that the House Committee(s) seriously consider strengthening the existing intellectual property laws, especially the Nigerian Copyright Act.

According to David Bainbridge, “The Copyright, Designs and Patents Act 1988 has been used increasingly to prosecute computer software pirates and magistrates and judges are at last taking this form of crime seriously, using custodial sentences in some cases.”

The point we wish to make from this quotation is that it is not wrong to strengthen the Nigerian Copyright Act to provide for the prosecution of intellectual property rights violations committed using a computer. If that is done, it is very important that Nigeria upgrade its laws on database rights to meet what obtains in other climes.

22. Any person who use any computer to:

(a) engage or solicits or entices or compels any minor in any sexual or related act; or

(b) engage in, or facilitates any indecent exposure of a minor or creates, possesses or distributes child pornography; or

(c) facilitates the commission of a sexual or related act which constitutes an offence under any law for the time being in force in Nigeria, commits an offence and shall be liable on conviction:

(i) in case of paragraph (a), to a time of not less than N3,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.

(ii) in case of paragraph ( b, and (c), to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or both such fine and imprisonment.

COMMENTS

Page 11, Line 28 – “fine” should replace “time”.

23. Any person who:

(a) attempts to commit any offence under this Bill; or

(b) does any act preparatory to or in furtherance of the commission of an offence under this Bill; and

(c) abets or engages in a conspiracy to commit any offence, commits an offence and shall be liable on conviction to the punishment provided for such an offence, under this Bill.

COMMENTS

Page 12, Lines 4 – 5 – It is unnecessary to split/attempt to differentiate between “attempts to commit any offence under this Bill” and “does any act preparatory to or in furtherance of the commission of an offence under this Bill.” Case law does not support that distinction. Case law seems to indicate that both Section 23(a) and Section 23(b) are talking about one and the same thing. Please refer to the following cases and statutes:

R v Eagleton (1855) Dears CC 515,

Section 4 Criminal Code,

Section 508 Criminal Code,

Section 95 Penal Code,


R v Whybrow (1951) 35 Cr App Rep 141 CCA,

R v Robinson (1915) 2 KB 342,

Orija v ICP 1957 NRNLR 189,

DPP v Stonehouse 1977 2 All ER 909,

R v Offiong 1936 3 WACA 83, Jones v Brooks & Brooks 1968 52 Cr App R 614.

Page 12, Lines 7 – 9 – Section 23(c) should read ‘aids or abets’ the commission of an offence, and should become Section 23(b).

According to National Coal Board v Gamble (1959) 1 QB 11, “a person who supplies the instrument for a crime or anything essential to its commission aids in the commission of it; if he does so knowingly and with intent to aid, he abets it as well and is guilty of aiding and abetting.”

Attorney General’s Reference (No.1 of 1975) 1975 2 All ER 684 noted that “Aiding and abetting almost inevitably involves a situation in which the secondary party and the main offender are together at some stage discussing the plans which they may be making in respect of the alleged offence, and are in contact so that each knows what is passing through the mind of the other.”

The portion of this Section on conspiracy should be separated to form a new Section 23(c) dealing with conspiracy only. This is very important because case law treats aiding and abetting as a separate crime from conspiracy.

Additionally, the bill as presently worded does not clearly answer the following questions raised in the book “Criminal Law Cases and Materials” published by Smith and Hogan:

Must a principal conspirator intend to play some part in the agreed course of conduct? And what if he doesn't?

Is “the mere fact of agreement” without intent to carry out the agreement enough? This is relevant when law enforcement sets up traps for an accused.

What if the agreement was to be carried out not by a party to the agreement but by a third party? Please see R v Hollinshead 1985 2 All ER 701.

We consider this a very relevant issue because according to the same book, the common law position is that: “an agreement will amount to a conspiracy only if carrying it out will necessarily amount to or involve a commission of an offence by one or more of the parties to the crime.”

24. (1) The president may on the recommendation of the Agency, by order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria of the economic and social well being of its citizens, as constituting critical information infrastructure.

(2) The president order in subsection (1) of this section may prescribe standards, guidelines, rules or procedures in respect of:

(a) the registration, protection or presentation of critical information infrastructure;

(b) the general management of critical information infrastructure;

(c) access to, transfer and control of data in any critical information infrastructure;


(d) procedural rules and requirements for securing the integrity and authenticity of data or information contained in any of the information;

(e) procedures or methods to be used in the storage of data or information in critical information infrastructure;

(f) disaster recovery plans in the event of loss of the critical information infrastructure or any part thereof; and

(g) any other matter required for the adequate protection, management and control of data and other resources in any critical information infrastructure.

COMMENTS

None

25. The president order in section 23 of this Bill may require audits and inspection to be carried out on any critical information infrastructure to evaluate compliance with the provisions of this Bill.

COMMENTS

None

26. (1) Any person who violates any provision as to the critical information infrastructure designated under section 23 of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N15,000,000 or imprisonment of a term of not less than 25 years or both such find and imprisonment.

(2) where the offence committed under subsection (1) of this section results in serious bodily injury, the offender shall be liable on conviction to a fine of not less than N20, 000,000 or to imprisonment for a term of 30 years or to both such fine and imprisonment.

(3) where the offence committed resulted in death, the offender shall be liable on conviction to imprisonment for life with no option of fine.

COMMENTS

None

27. Nothing in this Bill shall preclude the institution of a civil suit against a person liable under this Bill by any interested party.

COMMENTS

None

28. (1) The Federal High Court or state High Court shall have jurisdiction to try offender under this Bill.

(2) Notwithstanding anything to the contrary, the court shall ensure that all matter brought before it under this Bill against any person or body corporate are conducted with dispatch and given accelerated hearing.


(3) for the purposes of this Bill, a person shall be subject to prosecution in Nigeria for an offence committed while the offender is physically located either within or outside, if by the conduct of the offender or that of another acting for him;

(a) the offence is committed either wholly or partly within Nigeria;

(b) the act of the offender committed wholly outside Nigeria constitutes a conspiracy to commit an offence under this Bill within Nigeria; and an act in furtherance of the conspiracy was committed within Nigeria, either directly by the offender or at his instigation; or

(c) the act of the offender committed wholly or partly within Nigeria constitutes an attempt, solicitation or conspiracy to commit offence in another jurisdiction under the laws of both Nigeria and such other jurisdiction.

(4) For the purpose of this section:

(a) an offence or element of the offence is presumed to have been committed in Nigeria if the offence or any of its elements substantially affects person of interest in Nigeria;

(b) where any other country claims jurisdiction over an alleged offence which is subject to prosecution in Nigeria as established by this section, the Attorney General of the Federation may consult with such other country with a view to determine the most appropriate jurisdiction for prosecution.

COMMENTS

None

29. (1) Pursuant Section (2) of this section, any authorized officer entitled to enforce any provision of this Bill shall have the power to search any premises or computer or network and arrest any person in connection with the offence.

(2) Subject to National Security Agency Act, an authorized officer of any law enforcement agency, upon a reasonable suspicion that an offence has been committed or likely to be committed by any person or body corporate, shall have power to:

(a) access and inspect or check the operation of any computer to which this act applies; or

(b) use or cause to use a computer or any device to search any data contained in or available to any computer or network; or

(c) use any technology to re-transform or decrypt any encrypted data contained in a computer into readable text or comprehensible format; or

(d) seize or take possession of any computer used in connection with an offence under this Bill, or


(e) require any person having charge of or otherwise concerned with the operation of any computer in connection with an offence to produce such computer; or

(f) require any person in possession of encrypted data to provide access to any information necessary to decrypt such data;

(g) require any person in authority to release any subscriber or traffic information or any related content; and

(h) relate with any international law enforcement agencies for the purpose of giving or receiving on information or exchanging any data or database for the purpose or investigation and prosecution under this Bill.

(i) The Agency shall have power to cause or direct investigation by any law enforcement agency.

COMMENTS

Page 14, line 11 – The term “any authorised officer” is ambiguous. It is important, for purposes of preventing ambiguity and abuse, that the definition given in Section 38 (page 17, Lines 9 – 10) be tightened up. Please refer to our comments on Section 17 above for reasons.

30. Any person who:

(a) willfully obstructs any law enforcement agency in the exercise of any power under this Bill; or

(b) fails to comply with any lawful inquiry or request made by any authorized officer in accordance with the provisions of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 15, Line 8 – No such word as “willfully”

31. Notwithstanding anything contained in any enactment or law in Nigeria, an information contained in any computer which is printed out on paper, stored, recorded or copied on any media, shall be deemed to be primary evidence under this Bill.

COMMENTS

Page 15, lines 15 – 18 – In the light of the following quotation, taken from the document Electronic Signature Assurance and the Digital Chain-of-Evidence – Executing Legally Admissible Digitally Signed Records, produced by the Microsoft U.S. National Security Team and authored by Jacques R. Francoeur, B.A.Sc., M.A.Sc., MBA: “Electronic data also presents its own inherent risks and challenges. Represented by a series of zeros and ones, electronic data can be volatile and unstable. The ability of data to move between systems, applications and people can make it difficult to differentiate between “good” (original) and “bad” (manipulated) data. Furthermore, evidentiary techniques to determine the “provenance” of data, such as time-of-creation and unchanged state, are often immature or non-existent. To establish the reliability of electronically signed records, mechanisms must be put in place to prevent undetected manipulation of the electronic data’s content, and/or evidence of the time and date created or modified.” (Italics ours.) We are of the considered opinion that Section 31 as presently worded has not “put in place” mechanisms to “prevent undetected manipulation of the electronic data’s content and/or evidence of the time and date created or modified.”

Michael I. Shamos, Ph.D., J.D. of the Institute for Software Research, School of Computer Science, Carnegie Mellon University once noted that the purpose of evidence is to “prove facts” and that “evidence makes the existence of fact that is of consequence to the case either more or less probable than it would be without the evidence.” In other words, from our point of view, Section 31 as presently worded raises questions in relation to the standard of proof for electronic primary evidence.

The statement “notwithstanding anything contained in any enactment or law in Nigeria” must primarily refer to the Evidence Act. The question that then arises is this: if the Evidence Act is overridden to make electronic evidence admissible, will the safeguards established by the Evidence Act, such as relevancy, the direct evidence rule, circumstantial evidence rules, authentication of evidence rules, chain of custody rules, the best evidence rule, the hearsay evidence rule, etc., which were overridden in the first place, now apply to such electronic evidence?

We wish to draw the attention of the Committee to the following extract from the US Federal Rules of Evidence 1001(3): “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.” This is known as the computer “best evidence” rule; in our considered opinion Section 31 should be amended to accommodate this rule.
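To illustrate the kind of mechanism the Francoeur quotation calls for, the following is an added example and not part of the submission above, the bill, or any product mentioned in this document. It is a hash-chained, keyed custody log in Python: each entry records a SHA-256 digest of the record's content, its creation timestamp and a link to the previous entry, and the entry is authenticated with an HMAC under a custodian key. Verification then detects a later change to the content, a backdated or edited timestamp, or an entry inserted, removed or reordered. The custodian key, the sample records and their timestamps are all constructed for the example.

```python
"""Added example: a hash-chained, keyed custody log for electronic records.

Each entry records a SHA-256 digest of the record's content, its creation
timestamp and a link to the previous entry, and is authenticated with an
HMAC under a custodian key. Altering content or timestamps afterwards is
detected when the chain is verified. Key, contents and timestamps are
constructed for illustration only.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Hypothetical custodian key (constructed for the example; in practice it
# would live in a hardware token or key store, never in source code).
CUSTODIAN_KEY = b"example-custodian-key-not-for-production"

GENESIS = "0" * 64  # link value carried by the first entry


def content_hash(data: bytes) -> str:
    """SHA-256 digest of a record's bytes, as hex."""
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so identical metadata always
    authenticates the same way regardless of dictionary ordering."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _tag(fields: Dict[str, Any], key: bytes) -> str:
    """HMAC-SHA256 over the canonical form of an entry's metadata."""
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def append_record(chain: List[Dict[str, Any]], data: bytes, created_at: str,
                  key: bytes = CUSTODIAN_KEY) -> Dict[str, Any]:
    """Append a custody entry for `data` created at `created_at` (ISO 8601)."""
    body = {
        "seq": len(chain),
        "created_at": created_at,
        "content_sha256": content_hash(data),
        "prev": chain[-1]["tag"] if chain else GENESIS,
    }
    entry = dict(body, tag=_tag(body, key))
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]], contents: Dict[int, bytes],
                 key: bytes = CUSTODIAN_KEY) -> List[str]:
    """Return the problems found; an empty list means the log is intact.

    `contents` maps sequence numbers to the record bytes presented today;
    an entry whose bytes are not supplied is checked for metadata only."""
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        # The timestamp is part of the authenticated metadata, so an edited
        # created_at no longer matches the tag.
        if not hmac.compare_digest(_tag(body, key), entry["tag"]):
            problems.append(f"entry {i}: tag mismatch (metadata or timestamp altered)")
        if entry["seq"] != i or entry["prev"] != prev:
            problems.append(f"entry {i}: chain link broken (entry inserted, removed or reordered)")
        data = contents.get(i)
        if data is not None and content_hash(data) != entry["content_sha256"]:
            problems.append(f"entry {i}: content no longer matches the recorded digest")
        prev = entry["tag"]
    return problems


def demo() -> Dict[str, List[str]]:
    """Build a two-entry log and report which tampering is detected."""
    chain: List[Dict[str, Any]] = []
    contents: Dict[int, bytes] = {}
    # Constructed sample records and timestamps.
    for seq, (data, ts) in enumerate([
        (b"printout of account ledger, page 1", "2009-07-15T09:00:00Z"),
        (b"exported mailbox, 12 messages", "2009-07-15T09:05:00Z"),
    ]):
        append_record(chain, data, ts)
        contents[seq] = data

    # Tampering 1: the first entry's creation time is backdated by a day.
    backdated = [dict(e) for e in chain]
    backdated[0]["created_at"] = "2009-07-14T09:00:00Z"
    # Tampering 2: the ledger printout is replaced by an edited document.
    swapped = dict(contents)
    swapped[0] = b"printout of account ledger, page 1 (edited)"

    return {
        "intact": verify_chain(chain, contents),
        "backdated_timestamp": verify_chain(backdated, contents),
        "replaced_content": verify_chain(chain, swapped),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or ["no problems"])
```

The point of the design is that the time of creation is bound to the content digest and to the previous entry under a key the custodian controls, so a later edit to either the record or its recorded time is detectable rather than silent; the corresponding legal question is who holds that key and how its custody is itself evidenced.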

32. (1) Any person who tampers with any evidence in relation to any proceeding under this Bill by intentionally:

(a) creating, destroying, (mutilating, removing or modifying data or program or any other form of information existing within or outside a computer or network; or

(b) activating or installing or downloading or transmitting a program that is designed to create, destroy, mutilate, remove or modify data, program or any other form of information existing within or outside a computer or network; or

(c) creating, altering, or destroying a password, personal identification number, code or method used to access a computer or network.

Commits an offence and shall be liable on conviction to affine of not less than N500, 000 or to imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

None

33. Criminal proceedings under this Bill shall be instituted by the Agency.


COMMENTS

None

34. (1) The court imposing sentence on any person who is convicted of an offences under this Bill may also order that the convicted person forfeits to the federal republic of Nigeria:

(a) any assets, money or property (real or personal) constituting of traceable to gross proceeds of such offence; and

(b) any computer, equipment, software or other technology used or intended to be used to commit or to facilitate the commission of such offence.

(2) Any person convicted of an offence under this Bill shall forfeit his passport or international traveling documents to the Federal Republic of Nigeria until he has paid the fines or served the sentence imposed on him

(3) Notwithstanding subsection (2) of this section, the court may;

(a) upon the grant of pardon by the president to the convicted person; or

(b) the purposes of allowing the convicted person to travel abroad for medical treatment, having made formal application before the court on that regard; or

(c) in the public interest, direct that the passport or traveling document of the convicted person be released to him.

COMMENTS

Page 16, Line 11 – Did the draftsman really mean to use the word “traveling”, or did he mean “travelling” or “travel”?

35. (1) Without prejudice to section 174 of the Constitution of the Federal Republic of Nigeria, 1999, the Attorney General may, subject to voluntary admission of the commission of the offence, compound any offence punishable under this Bill by accepting such amount specified as fine to which the offender would have been liable if he had been convicted of that offence.

(2) Notwithstanding the provision of subjection (1) of this section, the court may order the payment of compensation to any person or body corporate, who suffers damages, injury, or loss as a result of the offence committed.

COMMENTS

None

36. Where a person is charged with an attempt to commit an offence under this Bill but the evidence establishes the commission of the full offence, the offender shall not be entitled to acquittal and shall be convicted for the offence and punished under the relevant penalty.

COMMENTS

None

37. The president may by order published in the Gazette make such rules and regulations as in his opinion and on the recommendation of the Agency are necessary to give full effect to the provisions of this Bill.

COMMENTS

None

38. In this Bill,

“access” includes to gain entry to, instruct, make use of any resources of a computer, computer system or network.

“Agency” means Cyber Security and Data Protection Agency.

“Authorized officer” means a person authorized by law to exercise a power this Bill

“Authority” means express or implied consent to access a computer network, program, data or database, software.

“Computer” includes any electronic device or computational machinery programmed instruction which has the capabilities of storage, retrieval memory, logic, arithmetic or communication and includes all input, output, processing, storage, communication facilities which are connected or related to such a device in a system or network or control of functions by the manipulation of signals whether electronic, magnetic or optical.

“computer network” includes the interconnection of computers or computer system

“Computer program” means data or a set of instructions or statements that when executed in a computer causes computer to perform function.

“damage” means an impairment to the integrity or availability of data, program or network.

“data” includes a representation of information, knowledge, facts, concepts or instructions intended to be processed, being processed or has been processed in a network.

“database name” includes any designation or name registered with the domain registrar as part of an electronic address.

“intellectual property rights” include any right conferred or granted under any of the following laws or treaties to which Nigeria is a signatory:

(a) Copyright Act, CAP 68. LFN (as amended);

(b) Patents and Designs Act CAP 344, LFN;

(c) Trade Marks Act, CAP LFN;

(d) Berne Connection;

(e) World Intellectual Property Organization (WIPO) Treaty;

(f) Trade-Related Aspects of Intellectual Property Rights (TRIPs);

(g) Universal Copyright Convention (UCC); and

(h) Paria Convention (Lisbon Text).

“internet” means global information system linked by a unique address space base on the internet protocol or its subsequent extensions.


“intercept” includes the aural or acquisition of the contents of any wire, electronic or oral communication through the use of technical means so as to make some or all the contents of a communication available to a person other than whom it was intended, and includes;

(a) monitoring of such communication by any device;

(b) viewing, examination or inspection of the contents of any communication; and

(c) diversion of any communication from its intended destination.

“Law enforcement” agency means any institution created by law and charged with the responsibility of enforcing obedience to our written law.

“loss” means any reasonable lost to a victim, including the cost of responding to an offence, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offences and any revenue lost, cost incurred and other consequential damages incurred because of the interruption of service.

“Minor” means a person under 18 years.

“Modification” means (a) alteration or erasure of the content of any program, data and data base;

(b) any event which occurs to impair the normal operation of a computer;

(c) modification is unauthorized if:

(i) the person that causes the act is not himself entitled to determine whether the modification should be made; and

(ii) he does not have consent from anybody to modify.

“Service provider” includes but not limited to;

(a) internet service provider;

(b) communications service provide; and

(c) application service provider.

“Software” includes any program, data, database, procedure and associated documentation concerned with the operation of a computer system.

“Spamming” means unsolicited electronic mail message having false headers, address and lines.

“Minister” means minister of information and communication.

COMMENTS

Page 17, Lines 6 – 7 – replace “gain entry to, instruct, make” with “gaining entry to, instructing, making”.

Page 17, Lines 13 – 18 – The Committee may wish to take a second look at the definition of “computer”: France, Germany and the UK do not define this term in their equivalent legislation; however, the United States of America does. Please see the US Computer Fraud and Abuse Act.

Page 19, Lines 8 – 9 – The Committee may wish to take a second look at the definition of “software.” We propose the inclusion of the words “whether in source code or object code form” immediately after “program”.

39. This Bill may be cited as Cyber Security and Data Protection Agency (Establishment etc) Bill, 2008.

COMMENTS

None

CONCLUSION

We are available to provide further support and consulting to the House Committee on Drugs, Narcotics and Financial Crimes in respect of our submissions above, and thank you for taking the time to go through this and for giving us a chance to participate in the law-making process.

Yours faithfully

NICHE KONSULT LIMITED

Idara Akpan

CHIEF HACKING OFFICER/DIRECTOR (BUSINESS DEVELOPMENT)

Email:[email protected]

Mobile: 234 805 547 7646


February 22, 2005

The Director General

Consumer Protection Council

Plot 2215, Herbert Macaulay Way

P.M.B. 5077

Wuse Zone 6

Abuja

Dear Madam,

CPC: A PRIVACY AGENDA - TO BE OR NOT TO BE?

It occurs to us that CPC, Nigeria’s premier consumer protection champion, may need to revisit her role in relation to securing consumer privacy in the information age in keeping with Section 37 of the 1999 Constitution.

And to that end, AIIA is interested in working with CPC to create a pro-active privacy protection agenda to meet the needs of Nigerians. Possible pro-privacy agenda initiatives include:

• Creating a Privacy Task Force to develop and implement the Director General’s Privacy Agenda

• Developing a National Privacy Policy

• The need for privacy awareness campaigns to enlighten the consumer as to what is at stake and why and of what CPC is doing in that regard

• The Task Force should among other things spearhead the drafting of appropriate legislation requiring the following:

o that organizations collecting personal information (whether online or offline) create a privacy policy in line with the National Privacy Policy,

o that a copy of such privacy policy be lodged with the CPC for its necessary action,

o that such privacy policy state clearly what information is being collected, how it is stored, where it is stored (whether in Nigeria or elsewhere), how long it is stored, how it is intended to be used, and how it is actually used, whether or not such information is shared with third parties and on what basis/terms, and how the information is ultimately disposed of,

o a comprehensive list of privacy breaches and appropriate fines

Thank you for taking matters a step further in our behalf.

Yours faithfully,

A.I.I. ASSOCIATES

Barr. Ime Akpan

PRINCIPAL


© December 20, 2004. All Rights Reserved. AII Associates. Private and Confidential. Distribution Restricted

PRIVACY: A BURNING CONSUMER ISSUE – PRIVACY POLICY: A NATIONAL IMPERATIVE –

WANTED: A PRIVACY WATCHDOG

Definition of Privacy

The quality or state of being apart from company or observation. Privacy is closely related to secrecy, that is, the condition of being concealed or hidden.

Definition of Policy

A definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. A high-level overall plan embracing the general goals and acceptable procedure especially of a governmental body.

Definition of Privacy Policy

A high-level overall plan that lists both the goals of and acceptable procedures for the collection, maintenance, use and disposal of personally identifiable customer information in the normal course of business.

Two sides of the same coin: “Privacy as Secrecy” or “Privacy as Control”

Privacy as secrecy: private meaning personal, i.e., known only to ourselves and selected others.

Privacy as control: private meaning control, i.e., known to several others (businesses, governments, and individuals) but usage is based on the user’s preferences and the user has control over how his/her information is used.

Why Privacy as Secrecy is giving way to Privacy as Control

“You have zero privacy anyway. Get over it.”

- An Information Technology industry CEO to a group of reporters

The internet is like a spider web. It connects all countries, all governments, all cities, all homes and all peoples. Information Technology in general and the internet in particular is creating a “world without secrets” for individuals, enterprises and governments. In this world, enormous amounts of structured information (transactions) and unstructured information (audio, video, and narrative text) are gathered and shared globally by and among businesses, governments, and individuals. Many of us are familiar with Orwell’s novel 1984; however, unlike in Orwell’s totalitarian nightmare scenario, the monster is not Big Brother, because government has no monopoly on technology.


It is that we are living in a world that is radically different from that which we are used to. Mainframe computers have given way to desktop computers. These desktop computers are linked to other office computers via networks and then to the Internet. Thus data that was carefully hidden away may be only a few keystrokes away.

Telecommunications firms collect what is called Customer Proprietary Network Information (CPNI). CPNI is the data collected by telecommunications corporations about a consumer’s telephone calls, including the time, date, duration and destination number of each call, the type of network a consumer subscribes to, who you are, your number or numbers, your location, those you call, how much airtime you spend and any other information that appears on the consumer’s telephone bill. Since there is no Father Christmas in business, the telecommunications firms have to offset the cost of storing this information, and that is why this data is often sold.

Why Privacy is an issue worth tackling

“Information is the currency of value in many organizations.”

- Peter Cullen, Chief Privacy Strategist, Microsoft, formerly Chief Privacy Strategist, Royal Bank of Canada

“Privacy-as-Control is at the heart of the European Union’s Data Protection Directive, the Act initiated in 1995 with the goal of allowing consumers to control how their personal information is collected and used….By law or by commercial agreement; something like the European Union’s Data Protection Directive will be the rule for legitimate business worldwide within a decade. It will be a good thing for smart businesses.”

- Richard Hunter, Vice President, Executive Programs and Gartner Fellow at Stamford, Conn.-based Gartner Inc.

Privacy Breaches Around the World (December 2003 – December 2004)

• 5 December 2003 The Federal Trade Commission (FTC) is investigating security and privacy practices at PetCo after an “independent programmer” discovered the company’s web site was vulnerable to an SQL injection attack that could reveal the contents of a database containing 500,000 customer credit card numbers.

• 21 December 2003 Privacy policies are going to land many website operators on the wrong side of the law come July 1, 2004. That is when California’s Online Privacy Protection Act will become effective. You don’t have to live in California. If you collect information from a single California resident, you are required to be compliant with the new online privacy law. This law centers on website privacy policies requiring, among other things, that the policy be prominently posted on the website, must disclose categories of personally identifiable information collected from consumers and the types of third parties with whom the information will be shared.

• 17 March 2004 Equifax Canada has informed more than 1,400 people that the security of their credit files was compromised; the breach apparently narrowly targeted a specific geographic area, raising concerns that the attackers were well-funded, otherwise all of Equifax Canada’s database would have been compromised.

• 30 April 2004 New York State attorney general Eliot Spitzer has reached a settlement with New York-based on-line book seller Barnes & Noble.com. The book company had a security flaw on its website that exposed sensitive customer data including names, billing addresses and account information. Barnes & Noble.com has agreed to pay a $60,000.00 fine and to establish an information security program.

• 30 April 2004 following the arrest of executives of Ulsales International Marketing Company, who had collected and resold personal data of 15 million people in Taiwan, the ROC Consumers Foundation demanded that all financial institutions and phone companies conduct sweeping inspections to ensure that their customers’ personal data was not being abused. Hsieh Tien-jen, deputy secretary general of the consumers’ foundation, asserted that government agencies should inform consumers if they are on one of Ulsales’ data lists so as to enable them to take precautions.

• 4 May 2004 Secret details of an investigation into alleged corruption in Philadelphia were inadvertently disclosed on a court website in an annual public report on government surveillance. The investigation came to light in October, when an FBI bug was discovered in the City Hall office of Mayor John F. Street. It was subsequently learned that federal agents had also tapped the phones of the city’s treasurer, an administrator of Philadelphia International Airport, and an attorney who raised money for Street’s campaign. The website report gave the names of federal judges who had authorized wiretaps, and the dates they were placed. A revised report, without the confidential information, was subsequently released.

• 5 May 2004 Child Youth and Family (CYF) Services Minister Ruth Dyson has offered an “unreserved apology” for inadvertently releasing the names, ages and locations of 1,354 children in the care of CYF, as well as their caregivers’ names, in an Excel attachment to an e-mail sent out in response to a question by Katherine Rich, social welfare spokesman, asking how many CYF children had been in three or more foster homes in the past year. While Rich maintains that the incident was “a gross breach of privacy,” Prime Minister Helen Clark told Parliament she had faith in Ms. Dyson.

• 5 May 2004 Tower Records has agreed to enter into a consent order with the Federal Trade Commission (FTC) as a result of a security flaw introduced into its re-designed web site that for a period of eight days made the names, addresses, phone numbers and purchase details of approximately 5,225 customers available for viewing. Tower Records has agreed to a variety of enforcement provisions mandated by the FTC. These provisions require the company: to refrain from misrepresenting the extent to which it maintains and protects privacy; to establish a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information; to obtain an assessment and report from a qualified, objective, third-party professional within 180 days of the order and biannually for 10 years; to make available to the FTC upon request, for the next five years, a sample copy of any document containing any representation regarding the company’s online collection, use and security of personal information; and to submit a report within 180 days of the FTC order, or at any other time as required by the FTC, setting forth in detail how the company has complied with the order.

• 6 May 2004 The University of California San Diego is informing approximately 380,000 students, alumni, applicants, faculty and staff that their personal details may have been compromised. Four computers at the school’s Business and Financial Services Department experienced security breaches. The case is being investigated by campus police and other law enforcement agencies.

• 6 May 2004 National Consumer Council, Inc., a California-based consumer credit counseling firm, has become the first firm subjected to a Federal Trade Commission (FTC) enforcement action involving the national Do-Not-Call registry. In addition to violating the Do-Not-Call registry, the company is charged with misleading consumers with an offer of a credit card debt-relief program in which the consumer ended up paying large fees to the company as well as ending up more in debt. The FTC has announced it will not seek monetary penalties for the Do-Not-Call violations but rather will seek compensation under anti-fraud regulations. This approach will allow money collected to be used to repay victims.

• 7 May 2004 Senator Hillary Rodham Clinton has proposed a bill called the Safeguarding Americans from Exporting Identification Data Act as an amendment to the Foreign Sales Corporation/Extraterritorial Income Act legislation. The impetus for the amendment is seen as a result of the growing privacy concerns related to financial and health care information being sent offshore to be processed by non-Americans. If passed, SAFE-ID would provide a set of privacy-related requirements US companies must adhere to when transmitting personally identifiable information to a foreign affiliate or subcontractor. Companies would be required to obtain the consent of individuals to send identifiable data to any country that is unable to meet the Federal Trade Commission’s requirement calling for a legal system that provides “adequate privacy protection” as deemed acceptable by the FTC.

• 7 May 2004 Pennsylvania US Attorney Mary Beth Buchanan became a victim of identity theft while in San Francisco giving a speech to corporate attorneys about fraud. Postal Inspector Andrew Richards of Pittsburgh, who is working on the case with federal authorities in San Francisco, believes her credit card number was stolen while she was lunching at a San Francisco restaurant. He notes that she was extremely lucky that her credit card company was able to alert her about suspicious activities on her card before the thief could run up a large number of purchases. Buchanan admits she violated one of the cardinal rules she tries to emphasize when giving identity theft prevention talks. According to Buchanan, “one of the things I tell you is that you don’t have to give the card to your waiter or waitress; you can take it to the counter yourself while your bill is processed.”

• 7 May 2004 two alleged spammers, Brian D. Westby of Missouri and Martin P. Bevelander, a Netherlands resident, have settled charges with the US Federal Trade Commission, which accused them of using “deceptively bland subject line,” as well as other methods of introducing consumers to sexually explicit material. The two spammers are barred from using false subject lines and false header information in e-mails and are required to give up $112,500 earned from their spamming efforts.

• 8 May 2004 A Sumitomo Trust & Banking Co. official has extended an apology to the forty-one customers whose data, stored in a bag, was inadvertently left on a luggage rack of the JR Chuo Line train. An employee, planning on visiting the customers the next day, had taken the data, which included names, addresses, phone numbers and account balances, with him when he left for home. When he disembarked the train, he failed to take his bag with him.

• 21 June 2004 The Federal Trade Commission (FTC) is planning to host a public workshop that will explore the current and anticipated uses, efficiencies, impact on the marketplace, and implications for consumers associated with radio frequency identification (RFID) technology.

• 21 October 2004 The European Court of Justice has ruled that Austria failed to ensure its citizens received sufficiently itemized bills for the use of the fixed telephone network. It ruled that the bills should provide enough information to allow users to check individual calls. Its ruling rejected Austria's argument that bills more itemized than those currently in use would violate data protection legislation.

• 23 October 2004 A complaint was filed with the New Zealand Privacy Commissioner regarding the legality of multinational companies applying other countries' terrorist laws in New Zealand by sending their data overseas to verify they are not terrorists. The complaint results from an investigation into Western Union, an American money-transfer company, which froze money being sent to India by a permanent New Zealand resident because his name was on a U.S. terrorist list. The money being wired was to help pay for his dying uncle's kidney transplant. According to Gehan Gunasekara, senior lecturer in commercial law at the University of Auckland, "Companies who checked personal information with overseas agencies without the knowledge of the customer were probably in violation of the Privacy Act." The Western Union customer was not notified that his personal information was being sent to the U.S. for verification until several days after his money was frozen.

• 15 November 2004 The Federal Trade Commission (FTC) is planning to host a public workshop, Peer-to-Peer (P2P) File-Sharing Technology: Consumer Protection and Competition Issues. The FTC has developed a brochure to provide consumers with information about the risks associated with P2P file-sharing software, "File-Sharing: A Fair Share? Maybe Not." The workshop is intended to provide an opportunity to learn how P2P file-sharing works and to discuss current and future applications of the technology. It will discuss the risks to consumers related to file-sharing activities. The workshop also will address self-regulatory initiatives, technological efforts, and legislative proposals. Among the topics to be covered are: Use of P2P File-Sharing Technology; The Role of P2P File-Sharing Technology in the Economy; Identification of P2P File-Sharing Software Program Risks; Disclosure of P2P File-Sharing Software Program Risks; Technological Solutions To Protect Consumers From Risks Associated With P2P File-Sharing Software Programs; P2P File-Sharing and Music Distribution; and P2P File-Sharing and Its Impact on Copyright Holders. The workshop was held on 15 and 16 December 2004.

• 06 December 2004 The 2005 omnibus spending bill includes several privacy provisions, including a provision prohibiting federal agencies from monitoring individuals' Internet use. Perhaps the most important provision of all is that which requires each government entity to hire a chief privacy officer to oversee system privacy, ensure that any data collected is legal and secure, and evaluate the disclosure of personal information by the government.

• 10 December 2004 High profile Canadian lawyer Tom Engel has filed complaints with the Alberta and the Canadian federal privacy commissioners, wanting to know how the tax-file data of him, his partner and their wives ended up in a U.S. Immigration file given to Daniel Sims, who is being held in a U.S. jail and fighting his deportation back to Canada. Engel, who is considering suing both American and Canadian authorities if the privacy commissioners do not solve the mystery, stated, "I'm beyond shocked. This is very serious, and I can promise everyone this is not going to go away."

The Federal Trade Commission (FTC) is requesting comments regarding a pilot study intended to aid FTC staff in conducting a study of the accuracy and completeness of consumer reports, pursuant to the Fair and Accurate Credit Transaction Act of 2003 (FACT Act). The purpose of the current pilot study is to evaluate the feasibility of a methodology that involves direct review by consumers of the information reported in their consumer reports. Comments due 20 December 2004.

NOTE

The Federal Trade Commission is a member of the Task Force on the Awareness for Home Users and Small Businesses charged with sharing perspectives on best practices in education and awareness and to offer suggestions for how a public/private national outreach awareness program can reach 50 million home users and small businesses within one year, using paid and earned media, ISPs, security vendors, and other outlets.

IS A PRIVACY LAW COMPATIBLE WITH A FREEDOM OF INFORMATION ACT OR DOES IT CONFLICT?

Compatible, not conflicting. A Freedom of Information Act is intended to make information of a public nature accessible to the public. On the other hand, a Privacy Act, where one exists, goes to the privacy as control, not privacy as secrecy, of individual consumer proprietary information, obtained in the ordinary course of business by banks, GSM operators and the like, ostensibly for one purpose, but used for a different purpose, often turned to account for the benefit of the collecting organization and altogether without the knowledge or consent of the individual concerned. Had he not provided the information in the first instance, the consumer would have had to be denied the service in question.

CONCLUSION

Nigerian banks, insurance companies, credit counseling firms, stock brokerage firms, other financial institutions, phone companies, universities, other educational institutions, immigration counseling firms, employment agencies, etc. all collect personally identifiable customer information in the normal course of their daily business. Nigerian individuals and companies operating websites equally do the same. There’s no knowing what other use can be made of such information. CPC can take upon itself the challenge of ensuring that such information is neither compromised nor abused, to forestall another federal agency being created to derogate from its powers as the lead consumer interest protection agency. AIIA is offering to partner with it to see it pioneer privacy protection initiatives in Nigeria.


WHY THE CPC LAW SHOULD BE REVIEWED

1. A CASE STUDY OF THE FEDERAL TRADE COMMISSION

After the Supreme Court announced the “Rule of Reason” in Standard Oil Co. v United States, 221 U.S. 1 (1911), the questions of trusts and antitrust dominated the 1912 election. The national debate culminated in 1914, with Woodrow Wilson signing the Federal Trade Commission Act on September 26 and the Clayton Act on October 15. The FTC opened its doors on March 16, 1915. The independent agency absorbed the work and staff of the Commerce Department’s Bureau of Corporations, which had been created in 1903 at Theodore Roosevelt’s request.

Like the Bureau of Corporations, the FTC could conduct investigations, gather information, and publish reports. The early Commission reported on export trade, resale price maintenance, and other general issues, as well as meat packing and other specific industries. Unlike the Bureau, though, the Commission could also bring administrative cases. It could challenge “unfair methods of competition” under Section 5 of the FTC Act, and it could enforce the Clayton Act’s more specific prohibitions against certain price discriminations, vertical arrangements, interlocking directorships, and stock acquisitions. Acting under its Section 5 authority, moreover, the FTC soon ventured beyond antitrust. After an association of advertising agencies implored it to challenge misrepresentations, the agency’s first three complaints alleged deception. In its first major “sweep,” 39 complaints issued on February 19, 1918, it alleged commercial bribery in each complaint.

The FTC’s powers were soon supplemented with authority under other laws. The Commission administered the Trading with the Enemy Act, which regulated use of patents held by hostile powers, during and after World War I. In 1918, it administered the Webb-Pomerene Act.
That law, which the Commission asked Congress to pass, created a limited antitrust exemption for export trade associations that registered with the Commission. With the FTC playing a major role, Congress passed the Securities Act of 1933. The FTC originally enforced the Securities Act, although enforcement of that Act shifted to the Securities and Exchange Commission after that agency was created by the Securities Exchange Act of 1934.

While the SEC Act had (mostly) short-term effects on the Commission, laws from the later 1930s had more lasting impact. The 1938 Wheeler-Lea Act contained the first major amendments to the FTC Act. It provided civil penalties for violations of Section 5 orders. (Civil penalties were not available under the Clayton Act until 1959.) The 1936 Robinson-Patman Act amended the Clayton Act’s price discrimination provision, and the 1939 Wool Products Labeling Act – later followed by the 1951 Fur Products Labeling Act and the 1958 Textile Fiber Products Identification Act – expanded the FTC’s authority over product labeling.

In 1950 the Celler-Kefauver Act took the initial step toward modern merger enforcement. It amended the Clayton Act’s merger provision and, among other changes, closed the loophole for asset acquisitions. Second, acting under a 1949 law, President Harry S Truman issued a plan that fundamentally altered the FTC’s chairmanship. Before this law and Reorganization Plan, the Commissioners chose their own Chairman. Under a resolution first passed in 1916, they elected to rotate the position annually and to deny the Chairman any special administrative responsibilities. Since 1950, for Chairs from James Mead to Deborah Platt Majoras, the President has designated a Chairman from among the Commissioners, and the Chairman has been the agency’s executive and administrative head.

Against this backdrop, the Commission engaged in significant efforts, through litigation and otherwise, to shape commercial law and policy. From its inception, the FTC developed Federal consumer protection law. Its “blue sky” cases, predating the Securities Act, were the start of Federal securities regulation. In the 1920s and 1930s, the Commission conducted a highly regarded public investigation of the utilities industry. That effort supplied an important foundation for the Public Utility Holding Company Act of 1935. Highlights of the 1940s and 1950s included reports on antibiotics pricing and on international cartels, including the petroleum cartel. The Cigarette Rule was a highlight of the 1960s.

Since 1969, several important laws have amended the FTC and Clayton Acts. In 1973, Congress broadened FTC authority to seek preliminary injunctions and authorized it to seek permanent injunctions. The 1975 Federal Trade Commission Improvement Act included an array of new remedies, including civil penalties for violations of trade regulation rules. The 1976 Hart-Scott-Rodino Act, building on the changes to merger law in the Celler-Kefauver Act, imposed a statutory premerger notification requirement and a waiting period before covered mergers could be consummated. That law greatly expanded the antitrust agencies’ ability to fashion effective relief to maintain competition in merger challenges.
Additionally, “special statutes” have continued to expand the FTC’s responsibilities. For example, the Commission now enforces an array of credit laws, including the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. Several laws from the 1990s addressed specific problems, often authorizing the Commission to address those problems through notice and comment rulemaking. These laws include the 1994 Telemarketing and Consumer Fraud and Abuse Prevention Act, which was the original basis for the National Do Not Call Registry.

For the general public, the FTC today is perhaps best known for the National Do Not Call Registry, which has visibly (and audibly) impacted tens of millions of Americans. For those who follow the agency more closely, it is known as well for cutting-edge litigation, aggressive competition advocacy, and far-reaching hearings that tackle such topics as global competition and consumer protection, competition and health care, and competition and patent law and policy. It has taken the lead on emerging issues such as Internet fraud and privacy. It has promoted international competition and consumer protection enforcement, and is seeking legislation to facilitate even greater international cooperation in consumer protection matters. A decade from its centennial, the FTC has come of age.


2. THE CASE FOR THE REVISION OF DECREE NO 66 OF 1992

Our comprehensive study of the Federal Trade Commission indicated that the law backing the FTC was often amended, and that new laws expanding its responsibilities were often enacted. Please see below for details:

PERIOD COVERED            FRESH LAW(S) MADE OR AMENDMENTS EFFECTED
1914 - 1924               3
1925 - 1934               9
1935 - 1944               7
1945 - 1954               3
1955 - 1964               2
1965 - 1974               1
1975 - 1984               2
1984 - 2004               Several
1914 - 2004 (90 years)    Over 27*

* An average of three laws/amendments per decade.

The late US President, John F. Kennedy, once said: “Change is the law of life, and those who look only to the past or to the present are certain to miss the future.” The FTC has always ensured it moved in line with the times; the CPC may wish to take a cue from it. A law crafted in 1992 (in the 20th century under a military regime) definitely needs to be fine-tuned to meet the challenges of the 21st century. AIIA is thus offering to partner with the CPC to take it into the future and keep it there.