Sunday, 15 December 2024

The Need to Narrow the Scope of Cybercrime Laws: Lessons from Dele Farotimi's Case


 

1.0    Introduction

Cybercrime laws have become essential tools for combating crimes in the digital age, addressing issues such as hacking, identity theft, and the spread of malicious software. However, when these laws are broadened to include offenses that merely involve ICTs (information and communication technologies) as a medium rather than a direct target, they risk becoming instruments of overreach, censorship, and abuse. The recent case of Nigerian activist and lawyer Dele Farotimi, charged under the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (As Amended) for alleged bullying and harassment and disseminating false information for the purpose of causing breakdown of law and order, through his online expressions, underscores why these laws should be restricted to core cybercrimes.

This article examines the distinction between core cybercrimes and cyber-enabled offenses, the risks posed by overbroad cybercrime laws, and the implications of Farotimi's case for the future of digital rights and governance.

2.0   Understanding Core Cybercrimes

Core cybercrimes are offenses that inherently require ICT systems as both targets and tools. Without these technologies, these crimes would not exist. Spreading computer viruses, hacking a bank's servers to steal funds, and launching denial-of-service (DoS) attacks to disable websites are quintessential core cybercrimes. These activities are explicitly technological and could not occur without ICT systems. The Budapest Convention on Cybercrime, an international treaty regarded as the gold standard for defining cybercrimes, identifies five primary categories:

i. Illegal Access: Gaining unauthorized access to computer systems or networks.

ii. Illegal Interception: Eavesdropping on communications without permission.

iii. Data Interference: Altering, deleting, or damaging data without authorization.

iv. System Interference: Disrupting the functionality of computer systems or networks.

v. Misuse of Devices: Creating or distributing tools (like malware) intended for committing cybercrimes.

3.0   Cyber-Enabled Offenses: A Different Domain

In contrast, cyber-enabled offenses are traditional crimes carried out using ICTs as a medium. Crimes like fraud, harassment, defamation, and even terrorism can occur both online and offline. For example, using social media to harass someone is a digital extension of harassment that does not require specialized cybercrime laws to address. Similarly, spreading misinformation online is akin to traditional defamation.

By conflating these offenses with core cybercrimes, many nations have crafted overly broad cybercrime laws, making it easier for authorities to exploit them for political or oppressive purposes. For example, in Turkey, provisions of its cybercrime legislation have been used to suppress online dissent and silence critics of the government under the guise of combating cyber-related threats.

4.0   Dele Farotimi: A Case in Point

Dele Farotimi faces a multiple-count charge under the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (As Amended), for statements made during YouTube interviews and press conferences about his book "Nigeria and its Criminal Justice System." The charges stem from his criticisms of alleged corruption in the judiciary and his commentary on specific legal cases. Notably, these charges primarily invoke Section 24(a) and 24(1)(b) of the Cybercrimes Act, which deal with cyberstalking and false information dissemination. The charges appear to target his online statements rather than any activity that constitutes a core cybercrime.

Farotimi's case demonstrates the dangers of conflating core cybercrimes with cyber-enabled crimes and the problematic expansion of cybercrime laws beyond their legitimate scope:

i. Nature of the Activity: Farotimi's actions - expressing opinions about the judiciary and sharing his experiences - are traditional forms of speech that happen to use digital platforms. They don't constitute inherently technological offenses.

ii. Platform vs. Crime: The only "cyber" element in these charges is the use of YouTube as a communication medium. The underlying activities (criticism, commentary, allegations of corruption) are traditional forms of expression that predate the internet.

5.0    Legal Discrepancy in Dele Farotimi's Cybercrime Charges

5.1.   The Charges as Filed

5.1.1 Section 24(a) - Bullying and Harassing

Several charges allege that Farotimi's statements were made "with the intention of bullying and harassing" named persons. These statements include: (i) comments about legal proceedings, (ii) observations about judicial conduct in specific cases, (iii) criticisms of alleged corruption in the justice system and (iv) expressions of opinion about systemic issues in the legal or justice system.

5.1.2 Section 24(1)(b) - False Information

Other charges claim his statements "contained false information for the purpose of causing breakdown of law and order." The contested statements include: (i) claims about corruption in the judiciary, (ii) discussions of specific court cases and their handling, (iii) commentary on his personal experiences within the legal system and (iv) analysis presented in his book "Nigeria and its Criminal Justice System".

5.2. The Actual Law

Section 24(1): A person who knowingly or intentionally sends a message or other matter by means of Computer Systems or Network that-

(a) is pornographic; or

(b) he knows to be false, for the purpose of causing breakdown of law and order, posing a threat to life or causing such message to be sent: commits an offence under this Act and is liable on conviction to a fine of not more than N7,000,000.00 or imprisonment for a term of not more than 3 years or both.

(2) A Person who knowingly or Intentionally Transmits or causes the Transmission of any communication through a Computer System or Network-

(a) to bully, threaten or harass another person, where such communication places another person in fear of death, violence or bodily harm to another person;

(b) containing any threat to kidnap any person or any threat to harm the person of another, any demand or request for a ransom for the release of any kidnapped person, to extort from any person, firm, association or corporation, any money or other thing of value, or

(c) containing any threat to harm the property or reputation of the addressee or of another or the reputation of a deceased person or any threat to accuse the addressee or any other person of a crime, to extort from any person, firm, association, or corporation, any money or other thing of value, commits an offence under this Act and is liable on conviction-

(i) in the case of paragraphs (a) and (b) of this sub-section, to imprisonment for a term of 10 years or a minimum fine of N25,000,000.00 and

(ii) in the case of paragraph (c) of this subsection, to imprisonment for a term of 5 years or a minimum fine of N15,000,000.00.

5.3. Misapplication of Section 24(2)(a)

The charges cite "Section 24(a)" for harassment whereas under the Act, there is no Section 24(a). The actual Section 24(1)(a) deals with pornography. The relevant harassment provision is in Section 24(2)(a).

While there was indeed a technical error in citing "Section 24(a)" instead of the correct Section 24(2)(a) for harassment, this error does not invalidate the charge or warrant setting aside the conviction if Dele is convicted. This is because established case law holds that when an offense known to law is properly disclosed, the penalty is prescribed in existing law, and neither the accused nor counsel was misled by the incorrect citation, the conviction should stand absent any miscarriage of justice. See the case of ADONIKE v. STATE (2015) LPELR-24281(SC) Per John Inyang Okoro, JSC at Pp 20 - 21 Paras B – E.

Furthermore, Section 220 of the Administration of Criminal Justice Act, 2015 explicitly provides that such errors in stating particulars are not material unless the defendant was actually misled by the error.

Therefore, unless it can be demonstrated that Dele Farotimi was materially misled by the incorrect section citation or suffered prejudice as a result, the technical error in citing the wrong section number should not affect the validity of the proceedings or the ultimate conviction.

6. The Risks of Overbroad Cybercrime Laws

Farotimi's case raises serious concerns about the intent and application of cybercrime laws. By prosecuting Farotimi for his expressions, the Nigeria Police Force has blurred the lines between protecting against cyber threats and stifling dissent. This misuse of cybercrime laws sets a dangerous precedent, suggesting that such laws can be weaponized against political opponents, activists, and ordinary citizens.

The overreach of cybercrime laws has far-reaching consequences, both for individuals and for society at large.

6.1. Suppression of Free Speech

Cybercrime laws with vague language can easily be used to target individuals exercising their right to free expression. Farotimi's case is just one example of how online speech can be criminalized under the guise of combating cybercrime. This trend threatens to silence dissenting voices and erode democratic principles.

6.2. Overburdening Legal Systems

Overly broad cybercrime laws place significant pressure on already strained legal and enforcement systems. When cybercrime laws expand to include offenses that are not inherently technological—such as online defamation, harassment, or even activism—it can lead to several systemic challenges: 

6.2.1. Diverted Focus from Genuine Threats

Expanding the scope of cybercrime laws forces law enforcement agencies to handle a wide range of cases, many of which do not require specialized cyber expertise. For example, prosecuting an online comment as cyber harassment requires investigative resources that could have been better directed toward identifying and mitigating core cybercrimes like hacking, unauthorized debits from customer bank accounts or ransomware attacks. This misallocation weakens the overall effectiveness of cybersecurity measures. 

6.2.2. Complexity of Digital Investigations

Investigating cyber-related offenses requires significant expertise, advanced tools, and collaboration with international entities. When law enforcement is forced to deal with a high volume of cases, many of which may involve non-criminal online behaviour, they risk becoming bogged down in cases that do not contribute to cybersecurity. This inefficiency not only overburdens legal systems but also reduces public trust in their ability to address critical digital threats. 

6.2.3. Erosion of Trust Between Law Enforcement and the Public

When the Nigeria Police Force uses the Cybercrime Act to prosecute individuals for online speech or activism, it creates an impression of the Police being complicit in political suppression or subjugation. This perceived misuse of resources can undermine public trust in the justice system and foster resentment against the Police. 

Here are some recent examples of cybercrime incidents in Nigeria that underscore the importance of focusing cybercrime laws on core offenses:

Nigerian banks reported a series of fraud-related cybercrimes over the years, with billions lost to hacking and phishing schemes. For instance, a 2022 report detailed how N523 million was stolen from a single account through a coordinated cyber-attack that funnelled money across hundreds of bank accounts.

In 2024, Hope Payment Service Bank reported a massive cyberattack resulting in a loss of over 10 billion. The funds were transferred across multiple accounts, prompting an investigation and court orders to freeze over 800 implicated accounts. This highlights the need for law enforcement to prioritize complex cyber fraud cases over less critical cyber-enabled offenses.

Similarly, Guaranty Trust Bank (GTBank) faced a significant security breach in August 2024, where its website was compromised by hackers. This incident raised fears of customer data theft and caused major disruptions in online banking operations.

In another case, a syndicate hacked into a bank's server to create fictitious credits worth N1.87 billion. This demonstrates the advanced techniques used by cybercriminals and the necessity of robust cybersecurity measures.

These examples show the increasing sophistication of core cybercrimes in Nigeria, and why the Nigeria Police Force should direct its resources and expertise towards preventing, detecting, investigating and prosecuting such crimes under the Cybercrimes Act instead of using the Act to prosecute online criticism or defamation.

6.3. Chilling Effect on Digital Activity 

The "chilling effect" refers to the discouragement of legitimate online behaviour due to fear of legal repercussions. When cybercrime laws are overly broad or ambiguously defined, they create uncertainty about what constitutes criminal behaviour, leading to self-censorship and reduced participation in digital spaces. 

6.3.1. Impact on Free Expression

People may refrain from posting opinions, criticisms, or controversial content online, fearing that their statements might be interpreted as cyber harassment, defamation, or other offenses. In environments where authorities use cybercrime laws to target dissent, individuals are less likely to engage in public debates, reducing the vibrancy and diversity of digital discourse. 

6.3.2. Stifling Activism and Advocacy

Activists and advocates who rely on digital platforms to organize campaigns, raise awareness, or criticize policies are particularly vulnerable to chilling effects. If they perceive a risk of prosecution under cybercrime laws, they may avoid using these platforms, weakening their impact and ability to mobilize support. 

6.3.3. Hindering Journalism

Journalists, such as Fisayo Soyombo, often use digital tools to investigate and publish stories on issues of public interest. However, the threat of cybercrime charges for reporting on sensitive topics can lead to self-censorship. For example, journalists may avoid exposing corruption or misconduct if they fear being accused of spreading false information or defaming individuals under the Cybercrimes Act.

6.3.4. Economic Consequences

The chilling effect can also impact businesses and entrepreneurs. Startups and companies that depend on open digital communication may face challenges if their employees or users are hesitant to engage freely online. This hesitation can stifle growth, collaboration, and the sharing of ideas, ultimately hindering economic progress in the digital space. 

The combined effect of overburdening legal systems and creating a chilling effect on digital activity is a weakened digital ecosystem. Legal systems are less effective in addressing real cyber threats, while individuals and organizations become less willing to engage in online activities that drive progress, innovation, and civic engagement. 

Therefore, restricting cybercrime laws to core offenses ensures that law enforcement can focus on genuine cyber threats, while the public can participate freely in digital spaces without fear of unwarranted prosecution. By refining these laws, governments can strike a balance between maintaining cybersecurity and protecting fundamental rights, preserving the integrity of the legal system and the vibrancy of the digital age.

7. International Perspectives on Cybercrime Laws

The global debate over cybercrime laws highlights the importance of specificity and restraint. The draft UN Cybercrime Convention has been criticized for its overly broad scope. Advocacy groups like the Electronic Frontier Foundation (EFF) and CIVICUS, a global alliance dedicated to strengthening civil society, argue that the convention risks criminalizing acts that are not inherently harmful, such as security research or whistleblowing.

In their critique, the organizations emphasize that cybercrime laws should focus exclusively on core cybercrimes. Core cybercrimes comprise offenses in which ICTs are the direct objects as well as instruments of the crimes; these crimes could not exist at all without the ICT systems. A useful reference for the types of crimes that are inherently ICT crimes can be found in Articles 2-6 of the Budapest Convention: illegal access to computing systems, illegal interception of communications, data interference, system interference, and misuse of devices. For example, spreading a computer virus in the wild; using a password logger to steal someone else's password and access their email or photos; breaking into the computer system of a bank to steal money; using malicious software to delete all the data of a former employer's systems.

8. Lessons for Nigeria and Beyond

Farotimi's case offers a crucial lesson for policymakers in Nigeria and other nations: the need to align cybercrime laws with international best practices and democratic values. This includes:

8.1. Restricting Cybercrime Laws to Core Offenses

Cybercrime laws should address crimes that directly target ICT systems, such as hacking, malware distribution, and data breaches. Cyber-enabled offenses should be handled under existing laws for fraud, harassment, or defamation.

8.2. Safeguarding Free Expression

Cybercrime laws should explicitly protect freedom of expression. Activists, journalists, and ordinary citizens should not face legal repercussions for sharing opinions or engaging in peaceful dissent online.

8.3. Building Capacity to Address Genuine Threats

Law enforcement agencies should focus on developing expertise to combat core cybercrimes effectively. This includes training, resources, and partnerships with international organizations.

9. Conclusion

The case against Dele Farotimi is a stark reminder of the dangers posed by overly broad cybercrime laws. It highlights the need for policymakers to draw a clear line between core cybercrimes and cyber-enabled offenses, focusing on crimes that inherently involve ICT systems.

By refining cybercrime laws to be specific, narrow, and proportional, nations can uphold justice, protect freedoms, and create a safer digital environment. Farotimi's case should serve as a wake-up call, prompting governments worldwide to reconsider the scope and application of their cybercrime frameworks. In doing so, they can strike a balance between security and liberty, ensuring that the digital age remains a space for innovation, expression, and democratic engagement, and that cybercrime laws serve their intended purpose, i.e. enhancing cybersecurity, without compromising fundamental rights.

Sunday, 1 September 2024

The FBI's Exaggerated Claims of Going Dark: A Closer Look


 The FBI has often claimed that its ability to fight crime is being hampered by "going dark"—a term used to describe the challenges law enforcement faces when encrypted communications prevent them from accessing crucial evidence. According to former FBI Director James Comey on page 5 of the House Homeland Security Committee report titled: "Going Dark, Going Forward: A Primer on the Encryption Debate", “Going Dark” refers to the phenomenon in which law enforcement personnel have the “legal authority to intercept and access communications and information pursuant to court order,” but “lack the technical ability to do so.”

While encryption is an important tool for protecting privacy, the FBI's assertions of going dark have been criticized as exaggerated.

The FBI argues that encryption impedes investigations into serious criminal activities, from terrorism to child exploitation. They suggest that tech companies' refusal to create backdoors for law enforcement is creating a significant barrier to solving these crimes. This stance has fueled public debates and legislative efforts to mandate decryption capabilities.

However, critics argue that the FBI's claims are overstated. For one, there's little evidence that encryption has directly prevented major investigations. Many successful cases have been solved without requiring direct access to encrypted communications. One such case is the recent indictment of Seth Herrera for transportation, receiving and possession of child pornography.

According to Nate Anderson who writes for Ars Technica:

“I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with "tens of thousands of videos and images" depicting CSAM (child sexual abuse material), all of it hidden behind a secrecy-focused, password-protected app called "Calculator Photo Vault." Nor have I seen anyone arrested for CSAM having used all of the following: Potato Chat ("Use the most advanced encryption technology to ensure information security."); Enigma ("The server only stores the encrypted message, and only the users client can decrypt it."); nandbox [presumably the Messenger app] ("Free Secured Calls & Messages."); Telegram ("To this day, we have disclosed 0 bytes of user data to third parties, including governments."); TOR ("Browse Privately. Explore Freely."); Mega NZ ("We use zero-knowledge encryption."); Web-based generative AI tools/chatbots”

The indictment did not state in detail exactly how Seth’s criminal activities were discovered. However, according to the indictment, Seth’s criminal conduct was finally uncovered after he tried to access a link containing apparent CSAM. This link described CSAM depicting prepubescent minor females around the same age as Seth’s young daughter.

Anderson also observed that: “Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much.”

Despite Seth’s use of encrypted messaging applications such as Potato Chat, Enigma, nandbox, and Telegram, he was still found out by law enforcement, presumably using a honeypot file or web-based redirect that logged the IP address and any other relevant information of Seth Herrera when he clicked on it.

Therefore, Seth’s indictment clearly shows that, in spite of the use of encrypted messaging applications by criminals, there are still many other ways of unearthing their criminal activities without breaking encryption. The “going dark” claim by the FBI can therefore be said to be an exaggeration of the true state of affairs.

Also, the prosecution being cagey in the indictment, about exactly how the alleged criminal acts of Seth were discovered, reminds me of the Nigerian Police Force who, when announcing the arrest of some notorious criminals, would simply say they acted on "credible intelligence". They would rarely disclose the details of how and what was done that led to the arrest with the use of credible intelligence.

The going dark debate highlights a broader tension between national security and individual privacy. While it's crucial to support law enforcement in their efforts to combat crime, it's equally important to consider the potential risks of compromising encryption standards. Balancing these needs requires careful consideration and a nuanced approach to both technology and security policy.

Tuesday, 18 June 2024

UNITY BANK SUED FOR UNAUTHORIZED DEBIT OF N324,000

Tersugh Wuese Nelson, a customer of Unity Bank, has filed a lawsuit against the bank, alleging unauthorized debits to the tune of N324,000 from his account. On Saturday, August 26, 2023, Tersugh woke up and discovered 12 debit transactions on his account through email notifications. These debit transactions occurred in quick succession, with 10 of them happening within two minutes on Friday, August 25, 2023, at about 11:51pm, while the other two happened at about 2:49am on Saturday 26th August, 2023.

Upon discovering the debits, Tersugh immediately emailed the bank, stating that he did not initiate or authorize the transactions. After several email exchanges, Unity Bank informed him in October 2023 that their investigation revealed the disputed transactions were web-based, conducted using his ATM card details (PAN, PIN, expiry date, and CVV) via the Flutterwave platform as detailed below: 

The bank stated that the transactions were authenticated using Tersugh's ATM card PIN, which only he knew, and that their review of the card activity logs did not indicate any PIN tries or changes prior to the transactions. This, the bank argued, indicated that the person conducting the transactions knew Tersugh's PIN. Unity Bank further claimed that they had reached out to Flutterwave for a possible refund, but Flutterwave declined, stating that the value was given to the cardholder.

Consequently, the bank concluded that, in accordance with CBN regulations on liability shift regarding card and PIN usage, it was not liable for the unauthorized transactions, as Tersugh's ATM card details and PIN were used to validate the transactions.

Rejecting the bank's findings, Tersugh has filed a case at the High Court of Justice in Makurdi, Benue State (Case No.: MHC/215/2024: Tersugh Wuese Nelson v. Unity Bank Plc.). He alleges that the bank was negligent in protecting his funds by failing to implement behavioral monitoring systems and robust fraud monitoring tools to detect and block suspicious transactions in real time, as required by CBN regulations.

Tersugh is requesting that the court order Unity Bank to refund the N324,000 debited from his account without authorization. Additionally, he is demanding N10 million in damages from the bank.

Sunday, 5 November 2023

THE FLUTTERWAVE SHENANIGANS

In February and March 2023, it was reported that Flutterwave, a fintech, was hacked and customer funds amounting to over N2.9 billion, held in Flutterwave accounts, were illegally transferred to several bank accounts in Nigeria. Flutterwave submitted a petition to the Nigeria Police concerning the hack and illegal transfer. Based on the petition, the Police brought an application to freeze accounts in 27 financial institutions in Nigeria to which some of the funds were transferred, and the court granted the application. In the affidavit in support of the application to freeze accounts, the Investigating Police Officer, Inspector Adebowale Michael, deposed or swore in paragraphs 1, 3 and 4 as follows:

"(1) That am the above-named person as well as the investigating police officer in a case of Conspiracy and fraudulent transfer reported by Flutterwave Technology Solution Limited through his counsel Albert Onimole, legal practitioner by virtue of which I am conversant with the fact of this case.

(3) That a case of Conspiracy and Fraudulent transfer was reported to the Police via petition written by Albert Onimole & Co. on behalf of Flutterwave Technology Solution Limited bothering on allegation of Conspiracy, stealing and fraudulent transfer over Two billion naira having hacked into the complainant account. Copy of the Petition is hereby attached and marked exhibit ‘A’.

(4) That it was revealed in the course of investigation that the suspected hackers hacked into the cyber space of the complainant and transferred over two billion naira to various accounts listed on this application. Copy of the statement of the Complainant is hereby attached and marked exhibit ‘B’."

Flutterwave, in its official statement, said: “During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible.” However, the fintech flatly denied that any user lost any funds, as its security measures were “able to address the issue before any harm could be done to our users”.

This denial is in stark contrast to the contents of the petition and affidavit earlier mentioned. If no user funds were lost, how come there was a petition to the police and an application to freeze accounts? The denial and the statement shifting blame to "some users who had not activated some of our recommended security settings" are typical of what many financial institutions in Nigeria say whenever a customer complains of unauthorised withdrawals or transfers from their accounts. In the case of Barrister Wole Abidakun v. Diamond Bank Plc. (Suit No: CV/2779/18), which involved an unauthorized transfer from a customer's account, Justice Kutigi of the High Court of the FCT, while delivering judgement on 23 June, 2021, observed thus:

“I agree that because these facilities have security features known only to the customer and so the customer bears some responsibility to secure them, once however a customer makes a serious complaint of foul play in his account, the usual standard and rather lazy and lame response by Defendant Bank that the customer has compromised the security features will not stand or fly in the absence of a forensic investigation to determine responsibility. There must be proper in-house and then police investigations showing clearly and positively that the customer must have indeed compromised the security features or given his PIN numbers to a third party. Bare and empty verbal assertions will not suffice in this age of savvy and sophisticated criminals.”

Now, if it were in the United States, where data breaches and hacks are not tolerated by the financial services regulators, Flutterwave would have been in big trouble. The regulators would have carried out investigations and Flutterwave would have been fined heavily if found wanting. Flutterwave customers would have also likely filed a class action against the fintech.

For instance, in 2020 in the US, a class action was filed against Bank of America for failing to provide sufficient protections for unemployment payment debit cards after thousands across California fell victim to fraud. Among the issues that were raised in the case against the bank were the lack of secure microchips in unemployment debit cards, a failure to secure private account information and a sluggish response to consumer fraud reports.

Also in the United States, the Consumer Financial Protection Bureau (CFPB) in 2016 found that online payment platform Dwolla deceived consumers about its data security practices and the safety of its online payment system, and therefore ordered Dwolla to pay a $100,000 penalty and fix its security practices.

As of May 2015, Dwolla had more than 650,000 users and had transferred as much as $5 million per day. For each account, Dwolla collected personal information including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.

From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They claimed also that they encrypted all sensitive personal information and that its mobile applications were safe and secure.

However, it was found that Dwolla’s data security practices in fact fell far short of its claims. Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data-security practices by:

(1) Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.

(2) Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.

The above action of the CFPB in the US shows how a regulator should act in the face of continuous data breaches and/or hacks. In 2022 it was MTN Mobile Money Bank that was hacked, but it is unclear what actions, if any, the regulators in Nigeria took against MTN concerning the breach or hack. The Federal Competition and Consumer Protection Commission, the Central Bank of Nigeria, the Nigeria Deposit Insurance Corporation, and the newly created Nigeria Data Protection Commission need to sit up and do more.

It is, therefore, high time that the regulators in Nigeria mentioned above woke up to their responsibilities and took punitive action against erring financial institutions in Nigeria for data breaches and hacks. Perhaps the fear of sanctions will make the financial institutions improve their cybersecurity practices and better protect the customer funds and deposits in their custody.

It is also recommended that there should be a quarterly or yearly report made available to the public, showing financial institutions that were sanctioned for failing to comply with relevant industry cybersecurity framework and/or data protection regulations.


 

 

Saturday, 10 June 2023

HURRAAAAY!!! NAIJA CYBERLAWYER BLOG IS 10YRS OLD

On June 3, 2023 Naija Cyberlawyer blog turned 10. The very first blog post on the blog was posted on June 3, 2013. The blog initially started as cyberlawmusings.blogspot.com but after some time I decided to change the name to naijacyberlawyer.

I had wanted to study for an LLM in International Law but along the line, I lost interest in International Law because the more closely I followed happenings in the field, the more it was dawning on me that International Law was more of politics than law, as many a time, nations that were stronger economically, politically and militarily would break International law and get away with it.

My interest then shifted to issues bordering on the intersection of law and technology such as electronic or computer-generated evidence, cybercrime, etc. I started reading up blogs and websites by people in that field of law. My interest grew to a point that I wanted to study for an LLM in any course featuring a convergence or intersection of law and technology and probably end up as a tech policy analyst or a cyberlaw or techlaw guru.

I applied to some universities like the University of Strathclyde, Glasgow, Scotland for the LLM in Internet Law and Policy and I was offered admission in 2012 and 2014 but was unable to go for studies due to lack of finances. I also applied to the University of Tartu, Estonia in 2018 but was not offered admission.

In the course of researching and reading up blogs and websites relating to tech law policy and related issues, and following people who were already in the field on social media, Twitter to be specific, I came across one Adam Thierer and his post: “So You Want to Be an Internet Policy Analyst?”. In the post he advised that:

“Start a blog or start blogging with others: If you’re already doing so, that’s great. But kick it up a notch. Just find anything that interests you — an academic paper, a news report, another blog post — and write about it. Even if you just summarize that other piece and add a line or two of commentary, that’s something. It’ll help get your name out there and help you develop your own brand…”

The above advice gave me the inspiration or motivation to start my own blog so that I could put out my thoughts on tech law matters and maybe, sell myself.

While trying to set up the blog, I also stumbled upon a similar blog by Chukwuyere Ebere Izuogu, a Nigerian lawyer who had obtained an LLM degree in Information Technology and Intellectual Property Law from foreign universities. A friend, Victor Dibia, a computer science graduate, whom I met during the National Youth Service in 2009, and who was somewhat fascinated by my interest and knowledge of basic computer usage, introduced Chukwuyere's blog to me in 2012 or thereabouts.

I also came across a blog by US-based Ms Uduak Udouk, a lawyer specializing in fashion and entertainment law, while trying to start my blog. Those two blogs helped me in designing the outlook and layout of my blog.

As Adam Thierer stated earlier, a blog will help get your name out there and help you develop your own brand, and I can rightly say that the blog has helped to get my name out there. I have received several emails from strangers who got to know about me from my blog posts, soliciting tech-law-related advice. I have also been approached by professional colleagues seeking advice on tech-law-related issues.

Furthermore, I have also held a WhatsApp group chat on the topic: “Laws on Cyberbullying and Protection of Personal Information on the Cyberspace in Nigeria”, with law undergraduates from Bowen University. A student from the university read one of the posts on my blog, got my email from the blog and then contacted me via email. We then set up a WhatsApp chat with the law students.

On the whole, I can say that blogging about tech law and related issues has been a worthwhile venture. However, I think that with more commitment and better focus, I would have done much better in the tech law field in Nigeria.

Below are the top five read blog posts from the past 10 years:

1) The Dangers of the Internet of Things (IoT)

2) LAWYER SUES FCMB & UBA OVER N8,000.00 WRONGFULLY DEBITED FROM HIS ACCOUNT, CLAIMS N10M DAMAGES

3) THE TAKING OF WITNESS EVIDENCE THROUGH VIDEO CONFERENCING UNDER NIGERIAN LAW

4) A GREAT DAY FOR ATM USERS IN NIGERIA

5) Freedom of Expression and the Blogger under Nigerian Law

 

Friday, 10 September 2021

THE EFCC CHAIRMAN AND CRYPTO


Abdulrasheed Bawa, chairman of the Economic and Financial Crimes Commission (EFCC), said that cryptocurrencies have become a preference for persons engaged in illegal financial transactions.

Meanwhile, El Salvador has become the first country to adopt Bitcoin as official currency. Also, Ukraine has legalized bitcoin and cryptocurrencies. Does it mean that El Salvador and Ukraine are accepting or encouraging illegal transactions by adopting and legalizing cryptocurrency?

The battle between privacy and security is an age-old battle. Law enforcement and intelligence agencies around the world are always looking for opportunities to do away with privacy or technologies that enhance privacy. See the FBI–Apple encryption dispute. They argue that privacy-enhancing technologies, such as encryption, make their work of securing lives and property difficult or impossible. So does it mean that the death of privacy will make us more secure?

In the US, the FBI has repeatedly claimed that it is "going dark", that is to say that crime busting and investigation are being hampered by the increasing adoption of encryption by tech consumers. In other words, the FBI and other law enforcement and intelligence agencies have been claiming for years that the increased use of encryption by consumers is making surveillance and lawful interception much more difficult and impeding investigations.

However, recent events have shown that the claim of going dark is exaggerated. On May 22, 2018, the Washington Post reported that the FBI repeatedly cited inflated statistics about the number of cellphones whose data it could not access because of encryption.

Also, in June 2021, it was reported that for three years the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world. In other words, instead of trying to break encryption or hack into devices, the FBI created an encrypted phone app and put it out there. Some criminals believed the app was secure and that their communications were end-to-end encrypted, whereas law enforcement agents had access to all those communications, which were supposed to be unreadable and inaccessible to third parties. With this, can you say that law enforcement and intelligence agencies are really going dark? See: The FBI's Anom Stunt Rattles the Encryption Debate.

In view of the above, the Chairman's claim might just be another ploy by a law enforcement agency to try to chip away at privacy and anonymity, as law enforcement agencies are wont to do, while hiding under the guise of fighting crime.

Further reading:

(1) Going Dark, Going Forward: A Primer On The Encryption Debate 

(2) US: FBI’s Encryption Statistics Inflated

(3) Rethinking Encryption

(4) Harvard Study Questions ‘Going Dark’ Cryptoproblem-