Sunday, 1 September 2024

The FBI's Exaggerated Claims of Going Dark: A Closer Look


 The FBI has often claimed that its ability to fight crime is being hampered by "going dark"—a term used to describe the challenges law enforcement faces when encrypted communications prevent them from accessing crucial evidence. According to former FBI Director James Comey on page 5 of the House Homeland Security Committee report titled: "Going Dark, Going Forward: A Primer on the Encryption Debate", “Going Dark” refers to the phenomenon in which law enforcement personnel have the “legal authority to intercept and access communications and information pursuant to court order,” but “lack the technical ability to do so.”

While encryption is an important tool for protecting privacy, the FBI's assertions of going dark have been criticized as exaggerated.

The FBI argues that encryption impedes investigations into serious criminal activities, from terrorism to child exploitation. They suggest that tech companies' refusal to create backdoors for law enforcement is creating a significant barrier to solving these crimes. This stance has fueled public debates and legislative efforts to mandate decryption capabilities.

However, critics argue that the FBI's claims are overstated. For one, there's little evidence that encryption has directly prevented major investigations. Many successful cases have been solved without requiring direct access to encrypted communications. One of such cases is the recent indictment of Seth Herrera for transportation, receiving and possession of child pornography.

According to Nate Anderson who writes for Ars Technica:

“I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with "tens of thousands of videos and images" depicting CSAM (child sexual abuse material), all of it hidden behind a secrecy-focused, password-protected app called "Calculator Photo Vault." Nor have I seen anyone arrested for CSAM having used all of the following: Potato Chat ("Use the most advanced encryption technology to ensure information security.") Enigma ("The server only stores the encrypted message, and only the users client can decrypt it.") nandbox [presumably the Messenger app] ("Free Secured Calls & Messages.") Telegram ("To this day, we have disclosed 0 bytes of user data to third parties, including governments.") TOR ("Browse Privately. Explore Freely.") Mega NZ ("We use zero-knowledge encryption.") Web-based generative AI tools/chatbots”

The indictment did not state in details exactly how Seth’s criminal activities were discovered. However, according to the indictment, Seth’s criminal conduct was finally uncovered after he tried to access a link containing apparent CSAM.  This link described CSAM  depicting  prepubescent  minor  females  around  the  same  age  as  Seth’s young daughter.

Anderson also observed that: “Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much.”

Despite Seth’s use of encrypted messaging applications such as Potato Chat, Enigma, nandbox, and Telegram, he was still found out by law enforcements presumably using honeypot file or web-based redirect that logged the IP address and any other relevant information of Seth Herrera when he clicked on it.

Therefore, Seth’s indictment clearly shows that in spite of the use of encryption messaging applications by criminals, there are still many other ways of unearthing their criminal activities without breaking encryption, therefore the “going dark” claim by the FBI can be said to be an exaggeration of the true state of affairs.

Also, the prosecution being cagey in the indictment, about exactly how the alleged criminal acts of Seth were discovered, reminds me of the Nigerian Police Force who, when announcing the arrest of some notorious criminals, would simply say they acted on "credible intelligence". They would rarely disclose the details of how and what was done that led to the arrest with the use of credible intelligence.

The going dark debate highlights a broader tension between national security and individual privacy. While it's crucial to support law enforcement in their efforts to combat crime, it's equally important to consider the potential risks of compromising encryption standards. Balancing these needs requires careful consideration and a nuanced approach to both technology and security policy.

Tuesday, 18 June 2024

UNITY BANK SUED FOR UNAUTHORIZED DEBIT OF N324,000

Tersugh Wuese Nelson, a customer of Unity Bank, has filed a lawsuit against the bank, alleging unauthorized debits to the tune of N324,000 from his account. On Saturday, August 26, 2023, Tersugh woke up and discovered 12 debit transactions on his account through email notifications. These debit transactions occurred in quick succession, with 10 of them happening within two minutes on Friday, August 25, 2023, at about 11:51pm, while the other two happened at about 2:49am on Saturday 26th August, 2023.

Upon discovering the debits, Tersugh immediately emailed the bank, stating that he did not initiate or authorize the transactions. After several email exchanges, Unity Bank informed him in October 2023 that their investigation revealed the disputed transactions were web-based, conducted using his ATM card details (PAN, PIN, expiry date, and CVV) via the Flutterwave platform as detailed below: 

The bank stated that the transactions were authenticated using Tersughs ATM card PIN, which only he knew, and that their review of the card activity logs did not indicate any PIN tries or changes prior to the transactions. This, the bank argued, indicated that the person conducting the transactions knew Tersugh's PIN. Unity Bank further claimed that they had reached out to Flutterwave for a possible refund, but Flutterwave declined, stating that the value was given to the cardholder.

Consequently, the bank concluded that, in accordance with CBN regulations on liability shift regarding card and PIN usage, it was not liable for the unauthorized transactions, as Tersugh's ATM card details and PIN were used to validate the transactions.

Rejecting the bank's findings, Tersugh has filed a case at the High Court of Justice in Makurdi, Benue State (Case No.: MHC/215/2024: Tersugh Wuese Nelson v. Unity Bank Plc.). He alleges that the bank was negligent in protecting his funds by failing to implement behavioral monitoring systems and robust fraud monitoring tools to detect and block suspicious transactions in real time, as required by CBN regulations.

Tersugh is requesting that the court order Unity Bank to refund the N324,000 debited from his account without authorization. Additionally, he is demanding N10 million in damages from the bank.

Sunday, 5 November 2023

THE FLUTTERWAVE SHENANIGANS

In February and March, 2023 it was reported that Flutterwave, a fintech was hacked and customer funds, amounting to over N2.9 billion, held in Flutterwave accounts, were illegally transferred to several bank accounts in Nigeria. Flutterwave submitted a petition to the Nigeria Police concerning the hack and illegal transfer and based on the petition, the Police brought an application to freeze accounts in 27 financial institutions in Nigeria where some of the funds were transferred to and the court granted the application. In the affidavit in support of the application to freeze accounts, the Investigating Police Officer; Inspector Adebowale Michael deposed or swore in paragraphs 1, 3 and 4 as follows:

"(1) That am the above-named person as well as the investigating police officer in a case of Conspiracy and fraudulent transfer reported by Flutterwave Technology Solution Limited through his counsel Albert Onimole, legal practitioner by virtue of which I am conversant with the fact of this case.

(3) That a case of Conspiracy and Fraudulent transfer was reported to the Police via petition written by Albert Onimole & Co. on behalf of Flutterwave Technology Solution Limited bothering on allegation of Conspiracy, stealing and fraudulent transfer over Two billion naira having hacked into the complainant account. Copy of the Petition is hereby attached and marked exhibit ‘A’.

(4) That it was revealed in the course of investigation that the suspected hackers hacked into the cyber space of the complainant and transferred over two billion naira to various accounts listed on this application. Copy of the statement of the Complainant is hereby attached and marked exhibit ‘B’."

Flutterwave in its official statement, said; “During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible.” However, the fintech flatly denied that any user lost any funds, as its security measures were “able to address the issue before any harm could be done to our users”.

This denial is in stark contrast to the contents of the petition and affidavit earlier mentioned. If no user funds were lost, how come there was a petition to the police and an application to freeze accounts? The denial and statement shifting blame to "some users who had not activated some of our recommended security settings" is typical of what many financial institutions in Nigeria say whenever a customer complains of unauthorised withdrawals or transfers from their accounts. In the case of Barrister Wole Abidakun v. Diamond Bank Plc.(Suit No: CV/2779/18), which involved unauthorized transfer from customer account, Justice Kutigi of the High Court of the FCT, while delivering judgement on 23 June, 2021 observed thus:

“I agree that because these facilities have security features known only to the customer  and  so  the  customer  bears  some  responsibility  to  secure  them,  once however  a  customer  makes  a  serious  complaint  of  foul  play  in  his  account,  the usual  standard  and  rather  lazy  and  lame  response  by  Defendant  Bank  that  the customer has compromised the security features will not stand or fly in the absence of a forensic investigation to determine responsibility.  There must be proper in-house  and  then  police  investigations  showing  clearly  and  positively  that  the customer  must  have  indeed  compromised  the  security  features  or  given  his  PIN numbers to a third party.  Bare and empty verbal assertions will not suffice in this age of savvy and sophisticated criminals.  

Now, if it were in the United States, where data breaches and hacks are not tolerated by the financial services regulators, Flutterwave would have been in big trouble. The regulators would have carried out investigations and Flutterwave would have been fined heavily if found wanting. Flutterwave customers would have also likely filed a class action against the fintech.

For instance, in 2020 in the US, a class action was filed against Bank of America for failing to provide sufficient protections for unemployment payment debit cards after thousands across California, fell victim to fraud. Among the issues that were raised in the case against the bank was the lack of secure microchips in unemployment debit cards, a failure to secure private account information and a sluggish response to consumer fraud reports.

Also in the United States, the Consumer Financial Protection Bureau (CFPB) in 2016, found that online payment platform Dwolla, deceived consumers about its data security practices and the safety of its online payment system and therefore ordered Dwolla to pay a $100,000 penalty and fix its security practices.

As of May 2015, Dwolla had more than 650,000 users and had transferred as much as $5 million per day. For each account, Dwolla collected personal information including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.

From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They claimed also that they encrypted all sensitive personal information and that its mobile applications were safe and secure.

However, it was found that Dwolla’s data security practices in fact fell far short of its claims. Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data-security practices by:

(1)Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.

(2)Falsely claiming its “information is securely encrypted and stored”: Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.

The above action of the CFPB in the US represents how a regulator should act in the face of continuous data breaches and/or hacks.  In 2022 it was MTN Mobile Money Bank that was hacked but it is unclear what actions, if any, the  regulators in Nigeria took or made against MTN, concerning the breach or hack. The Federal Competition and Consumer Protection Commission, the Central Bank of Nigeria, the Nigeria Deposit Insurance Corporation, and the newly created Nigeria Data Protection Commission needs to sit up and do more.

It is therefore, high time that the regulators in Nigeria mentioned above woke up to their responsibilities and took punitive action against erring financial institutions in Nigeria for data breaches and hacks. Perhaps the fear of sanctions will make the financial institutions to improve on their cyber security practices and better protect customer funds/deposits in their custody.

It is also recommended that there should be a quarterly or yearly report made available to the public, showing financial institutions that were sanctioned for failing to comply with relevant industry cybersecurity framework and/or data protection regulations.


 

 

Saturday, 10 June 2023

HURRAAAAY!!! NAIJA CYBERLAWYER BLOG IS 10YRS OLD

On June 3, 2023 Naija Cyberlawyer blog turned 10. The very first blog post on the blog was posted on June 3, 2013. The blog initially started as cyberlawmusings.blogspot.com but after some time I decided to change the name to naijacyberlawyer.

I had wanted to study for an LLM in International Law but along the line, I lost interest in International Law because the more closely I followed happenings in the field, the more it was dawning on me that International Law was more of politics than law, as many a times, nations that were stronger economically, politically and militarily would break International law and get away with it.

My interest then shifted to issues bothering on the intersection of law and technology such as electronic or computer generated evidence, cybercrime, etc. I started reading up blogs and websites by people in that field of law. My interest grew to a point that I wanted to study for an LLM in any course featuring a convergence or intersection of law and technology and probably end up as a tech policy analyst or a cyberlaw or techlaw guru. 

I applied to some universities like the University of Strathclyde, Glasgow, Scotland for the LLM in Internet Law and Policy and I was offered admission in 2012 and 2014 but was unable to go for studies due to lack of finances. I also applied to University of Tartu, Estonia in 2018 but was not offered admission.

In the course of researching and reading up blogs and websites relating to tech law policy and related issues, and following people who were already in the field on social media, Twitter to be specific, I came across one Adam Thierer and his post: “So You Want to Be an Internet Policy Analyst?”. In the post he advised that:

“Start a blog or start blogging with others: If you’re already doing so, that’s great. But kick it up a notch. Just find anything that interests you — an academic paper, a news report, another blog post — and write about it. Even if you just summarize that other piece and add a line or two of commentary, that’s something. It’ll help get your name out there and help you develop your own brand…”

The above advice gave me the inspiration or motivation to start my own blog so that I could put out my thoughts on tech law matters and maybe, sell myself.

While trying to set up the blog, I also stumbled upon a similar blog by Chukwuyere Ebere Izuogu; a Nigerian lawyer who had obtained an LLM degree in Information Technology and Intellectual Property Law from foreign universities. A friend; Victor Dibia, a computer science graduate, whom I met during the National Youth Service in 2009, and who was somewhat fascinated by my interest and knowledge of basic computer usage, introduced Chukwuyere's blog to me in 2012 or thereabouts.

I also came across a blog by US based, Ms Uduak Udouk, a laywer specializing in fashion and entertainment law, while trying to start my blog. Those two blogs helped me in designing the outlook and layout of my blog.

As earlier stated by Adam Thierer that a blog will help get your name out there and help you develop your own brand,  I can rightly say that the blog has helped to get my name out there. I have received several emails from strangers who got to know about me from my blog posts, soliciting for tech law related advice. I have also been approached by professional colleagues seeking for advice on tech law related issues.

Furthermore, I have also held a Whatsapp group chat on the topic: “Laws on Cyberbullying and Protection of Personal Information on the Cyberspace in Nigeria”, with law undergraduates from Bowen University. A student from the university read one of the posts on my blog, got my email from the blog and then contacted me via email. We then set up a Whatsapp chat with the law students.

On the whole, I can say that blogging about tech law and related issues, has been a worthwhile venture. However, I think that with more commitment and better focus, I would have done much better in the tech law field in Nigeria.

Below are the top five read blog posts from the past 10 years:

1)   The Dangers of the Internet of Things(IoT)

2)  LAWYER SUES FCMB & UBA OVER N8, 000.00 WRONGFULLY DEBITED FROM         HIS ACCOUNT, CLAIMS N10M DAMAGES

3) THE TAKING OF WITNESS EVIDENCE THROUGH VIDEO CONFERENCING                 UNDER NIGERIAN     LAW

4)   A GREAT DAY FOR ATM USERS IN NIGERIA

5)  Freedom of Expression and the Blogger under Nigerian Law

 

Friday, 10 September 2021

THE EFCC CHAIRMAN AND CRYPTO


Abdulrasheed Bawa, chairman of the Economic and Financial Crimes Commission (EFCC),
said that cryptocurrencies have become a preference for persons engaged in illegal financial transactions.

Meanwhile, El Salvador has become the first country to adopt Bitcoin as official currency. Also, Ukraine has legalized #bitcoin and #cryptocurrencies. Does it mean that Ecuador and Ukraine are accepting or encouraging illegal transactions by adopting and legalizing crypto currency?

The battle between privacy and security is an age-old battle. Law enforcement and intelligence agencies around the world are always looking for opportunities to do away with privacy or technologies that enhance privacy. See the FBI–Apple encryption dispute. They argue that privacy enhancing technologies, such as encryption, impede or make their work of securing lives and property difficult or impossible. So does it mean that the death of privacy will make us more secure?

In the US, the FBI has severally claimed that they are "going dark", that is to say that crime busting and investigation is being hampered by the increasing use or adoption of encryption by tech consumers. In other words, the FBI and other law enforcement and intelligence agencies have been claiming for years that the increased use of encryption by consumers is making surveillance and lawful interception much more difficult and impeding investigations.

However, recent events have shown that the claim of going dark is over exaggerated. On May 22, 2018, the Washington Post reported that the FBI repeatedly cited inflated statistics about the number of cellphones whose data it could not access because of encryption.

Also in June, 2021, it was reported that for three years, the Federal Bureau of Investigation and the Australian Federal Police owned and operated a commercial encrypted phone app, called AN0M, that was used by organized crime around the world. In other words, instead of the FBI trying to break encryption or hack into devices, they created an encrypted phone app and put it out there and some criminals felt the phone app was secure and their communications were end to end encrypted, whereas, law enforcement agents had access to all their communications which were supposed to be encrypted and unreadable or inaccessible to third parties. With this, can you say the law enforcement and intelligence agencies are really going dark? See: The FBI's Anom Stunt Rattles the Encryption Debate.

In view of the above, the Chairman's claim might just be another ploy by a law enforcement agency to try chirp away at privacy and anonymity as law enforcements are wont to do, while hiding under the guise of fighting crime.

Further reading:

(1) Going Dark, Going Forward: A Primer On The Encryption Debate 

(2) US: FBI’s Encryption Statistics Inflated

(3) Rethinking Encryption

(4) Harvard Study Questions ‘Going Dark’ Cryptoproblem-

Sunday, 1 August 2021

ABBA KYARI - LEARNING INTELLIGENCE/TECH INVESTIGATION

Deputy Commissioner of Police (DCP) Abba Kyari is an acclaimed “super cop” and the head of the Inspector General of Police (IGP) Intelligence Response Unit (IRT). As the “top dog” of the Nigeria Police Force intelligence unit, one would have expected Kyari to be more circumspect or cybersecurity cautious while dealing with Ramon Olorunwa Abbas aka Huspuppi who is now a self-confessed cybercriminal. Kyari did not bother to ensure that his conversations with Huspuppi were done via encrypted channels or platforms using Whatsapp or Signal calls. A Whatsapp or Signal call to another user of Whatsapp or Signal is end-to-end encrypted, meaning that the call cannot be accessed either by Whatsapp, Signal or a third party. If Kyari and Huspuppi had communicated via Whatsapp or Signal calls, the FBI would not have found the damning evidence linking Kyari with Huspuppi’s scams, even after the arrest and search of Huspuppi’s phones. At the best, call logs from either Whatsapp or Signal, would have shown that the two communicated but the contents of the communication would not have been known.

This lack of basic cybersecurity practice or seemingly tech incompetence might be a pointer to the fact the IRT is not so intelligent when it comes to the application of ICT for the investigation of crimes. If this is not so, how then can one explain this “slip” or “falling of hand” by the “top dog” of the IGP IRT? Or could it be that Kyari thought that Hushpuppi would never be caught and his devices accessed thus revealing his (Kyari’s) alleged criminal links with Huspuppi?

To be fair to Kyari, he is not the first top security official to exhibit a lack of basic cybersecurity knowledge or to fall from the top, due to tech goofs. David Howell Petraeus is a retired US Army General and public official. He served as Director of Central Intelligence Agency (CIA) from September 6, 2011, until his resignation on November 9, 2012. Before he assumed the directorship of the CIA, Petraeus served 37 years in the US Army.

The retired four-star General was forced to resign as CIA Director when an extramarital affair with his biographer; Broadwell, was revealed by their incriminating Gmail exchanges.

 According to Bianca Bosker:

“The extramarital affair between former CIA Director David Petraeus and his biographer, Paula Broadwell, which was revealed by their incriminating Gmail exchanges, could easily have gone undetected had Petraeus and his paramour followed two simple spy tricks that date back millenia: Write in code and destroy the message after you read it. It sounds simple, and it is. That's why it's disturbing and worth noting that the man in charge of all covert intelligence operations for the United States couldn't manage to keep a secret about his personal life.”

The Wall Street Journal, reported that Petraeus and Broadwell used pseudonyms to set up separate Gmail accounts which they used to communicate in secret. Their trove of "sexually explicit emails" was discovered only by accident after Jill Kelley, an acquaintance of Petraeus, complained that she was receiving threatening emails, which led FBI investigators to Broadwell's account and, in turn, to her X-rated messages detailing the affair.

The Journal explains:

“FBI agents and federal prosecutors used the information as probable cause to seek a warrant to monitor Ms Broadwell's email accounts. They learned that Ms Broadwell and Mr Petraeus had set up private Gmail accounts to use for their communications, which included explicit details of a sexual nature, according to U.S. officials. But because Mr Petraeus used a pseudonym, agents doing the monitoring didn't immediately uncover that he was the one communicating with Ms Broadwell.”

Creating separate accounts dedicated to illicit communication was a good move, noted Graham Cluley, a senior technology consultant at Sophos, a provider of security software.

Petraeus and Broadwell made the mistake of saving their emails, rather than erasing them right away. And Cluley said they also should have communicated in code using freely available online encryption services.

As the head of the CIA, Petraeus ought to have known better that the method of communication with Broadwell was not secure. In this age of ICT, the head of an intelligence agency must also be cybersecurity intelligent.

Also read: Here's How The FBI Nailed Paula Broadwell For Harassing Jill Kelley In The Petraeus Sex Scandal  

POSTSCRIPT: The FBI says that they are investigating the Hushpuppi case as part of “Operation Top Dog.” Top dog means a "person who is successful or dominant in their field." For example; “Hushpuppi was a top dog in the cybercrime world.”

Below is an excerpt from the Criminal Complaint filed in the United States District Court for the Central District of California in the case of the United States of America v. RAMON OLORUNWA ABBAS, ABBA KYARI & Ors which discloses the allegations against Abba Kyari

AFTER CONSULTING WITH JUMA, ABBAS ARRANGED TO HAVE ABBA KYARI IMPRISON CHIBUZO IN NIGERIA IN RETALIATION FOR, AND TO PREVENT HIM FROM, TRYING TO CO-OPT THE VICTIM BUSINESSPERSON

 129. As discussed in paragraph 120, JUMA and ABBAS had a falling out with CHIBUZO after CHIBUZO felt that he was being underpaid (or had not been paid) for work on the fake Wells Fargo website, and then contacted the Victim Business person directly. ABBAS then arranged to have KYARI arrest and imprison CHIBUZO in Nigeria for attempting to redirect fraudulent proceeds intended for ABBAS and JUMA to himself, to keep CHIBUZO from interfering with the scheme. This section discusses those events and KYARI’s involvement in the conspiracy.

 

130. On January l3, 2020, the Victim Businessperson contacted JUMA about a person who had contacted the Victim Businessperson about the loan, stating “This number is calling me but I didn’t answer.” The Victim Businessperson also provided JUMA a screenshot of and forwarded additional conversations between the Victim Businessperson and CHIBUZO, who was using the U.S. phone number 3054405586. That phone number was the same phone number used by CHIBUZO to send ABBAS information about the fake Wells Fargo website described earlier. In the messages, CHIBUZO sent the Victim Businessperson’s passport, and claimed to be “trying to help” the Victim Businessperson.

 

131. JUMA forwarded these messages from the Victim Businessperson to

ABBAS, who responded, “I will deal with him.” At approximately the same time, ABBAS asked CHIBUZO for a phone number on which to call him. Two minutes later, ABBAS sent the phone number on which he contacted CHIBUZO (which CHIBUZO had previously also sent to ABBAS) to KYARI without providing any additional context. Just before forwarding the phone number to KYARI, ABBAS placed a nearly five-minute call to KYARI, using the phone number described in paragraph 136.

 

132. A short time later, ABBAS told JUMA, “setting him up already [1]] He will learn.” JUMA replied, “He almost messed it up bro,” to which ABBAS responded, “They are working on it already.”

 

133. Approximately an hour later, CHIBUZO responded to ABBAS’ message requesting his phone number by providing another phone number. ABBAS also sent this number to KYARI without providing any additional context in the message.

 

134. On January l5, 2020, this time using WhatsApp, ABBAS sent an audio recording to KYARI, stating, essentially, that he wanted to remind KYARI about what they discussed earlier.

 

135. On January 16, 2020, ABBAS sent the following threats to CHIBUZO: I dey always tell people to think well before they offend me and make them make sure they fit stand the consequences when the time comes. I won’t say more than that but very soon, very very soon, the wrath of my hands shall find you and when it does, it will damage you forever At this point I no get discussion with you, u have committed a crime that won’t be forgiven, that is punishable and you shall receive die punishment in due time I swear with my life you will regret messing with me, you will even wish you died before my hands will touch you.

 

136. Also on January 16, 2020, ABBAS sent a message to KYARI on WhatsApp, and then placed five calls to another phone number (+2348060733588) that was listed as “ABBA KYARI.” Call records show that the last three of the calls were answered and that one ofthe calls lasted more than two minutes. Shortly after that, ABBAS received a message from KYARI, confirming “We would pick him today or tomorrow.” ABBAS wrote, “I will take care of the team also after they pick him up.” KYARI confirmed “Yes ooo.”

 

a. Based on the conversation described in paragraphs 143 to 145, ABBAS planned to pay the Nigeria Police Force officers who arrested CHIBUZO for that service.

b. This was not the only time that ABBAS arranged payments with KYARI. On May 20, 2020, ABBAS sent KYARI transaction receipts for two transactions from accounts at Nigerian banks (GTBank and Zenith Bank) of a person ABBAS knew in the U.A.E.—a person also arrested with ABBAS in ABBAS’ apartment in the U.A.E. by Dubai Police on June 9, 2020—to the Nigerian bank accounts of another person in Nigeria. The amounts on the transaction receipts totalled 8 million Nigerian Naira, which was approximately $20,600 based on publicly available exchange rate information.

 

137. Attempting to reason with ABBAS, on January 18, 2020, CHIBUZO recounted for ABBAS all the assistance he had provided in the scheme to victimize the Victim Businessperson, including creating the “power of attorney” document (paragraphs 67-68), devising a story to tell the Victim Businessperson (paragraph 117), and facilitating the creation of the “telephone banking” number (paragraphs 109-116) and fake Wells Fargo website (paragraph 117).

 

138. As discussed in paragraph 32.b, on January 20, 2020, KYARI sent to ABBAS biographical, identifying information for CHIBUZO, along with a photograph of him. In a conversation immediately following, ABBAS confirmed “that is him sir.” KYARI stated, “We have arrested the guy . . . He is in my Cell now [II] This is his picture after we arrested him today.” (The below image is a cropped version of the photograph that KYARI sent to ABBAS.)

 

139. KYARI sent the biographical information about, and photograph of, CHIBUZO to ABBAS using two different WhatsApp numbers—the second of which KYARI said was his “private number.” From that point on, KYARI and ABBAS primarily discussed the arrest and detention of KYARI through WhatsApp on this “private number.”

 

140. After receiving the photograph of CHIBUZO, ABBAS stated, “I want him to go through serious beating of his life.” KYARI responded, “Hahahaha,” and ABBAS replied, “Seriously sir.” KYARI then asked for details about what CHIBUZO did “on audio,” which KYARI said was “So that we will know what to do.”

 

141. In response to KYARI’s question about what CHIBUZO had done to ABBAS, ABBAS sent KYARI an audio message, which is transcribed here, describing how CHIBUZO had tried to steal away a fraud victim (i.e., “the job”) from him:

What he did is, I have one job. The job want to pay me 500, umm, 75,000 dollars [i.e., $575,000]. He went to message the job behind me because I told him to help me make one document for me to give the job. Then he went—he has a—I gave him the details. Then he went to message the job behind my back and try to divert the money and in this process he tell the job because of the documents he gave me that I gave the job, he tell the job, “These document they sent to you before. These people are fake. This money—is me who can help you to get it. Come to me le—bring this money you want to pay these people to me. I’m the only one who can help you,” and all these things to divert the job for himself.

 

142. After listening to the message, KYARI wrote, “Ok I understand [1]]

But he has not succeeded.” ABBAS claimed CHIBUZO had taken some money, and provided KYARI with two screenshots, one of which contained the phone number 3054405586 (the phone number CHIBUZO used to contact the Victim Businessperson). The screenshots showed a person contacting the Victim Businessperson and stating that he was providing information to try to “help[]” the Victim Businessperson. KYARI responded, “Yeah I understand.” KYARI did not request other information or evidence relating to CHIBUZO’s role in the scheme, ask questions about the nature of the transaction, or ask about why CHIBUZO told the Victim Businessperson that ABBAS was “fake.”

 

143. ABBAS then told KYARI, “Now the [Victim Businessperson] was skeptic to pay me the money cos he keep attacking the [Victim Businessperson] from his end. Now I can handle the [Victim Businessperson] correctly.” ABBAS further told KYARI that he wanted to pay money to send CHIBUZO to jail for a long time, stating “Please sir I want to spend money to send this boy to jail, let him go for a very long time.” KYARI responded, “Ok bro [1]] I understand [1]] I will discuss with my team who arrested him . . . And handling the case [1]] We will do something about it.”

 

144. ABBAS responded, “Let me know how I can send money to the team sir[.] let them deal with him like armed robber.” KYARI responded, “OK I will send their account details to u.” ABBAS further wrote, “He betray me and try to take food out my mouth, this is great punishable sin,” and KYARI responded, “Yeah bro.” ABBAS then continued, “I want him to suffer for many years.” KYARI responded, “Hahahaha [1]] Hahahaha.”

 

145. Approximately six minutes later, KYARI provided the account information for a bank account at a Nigerian bank, Zenith Bank, in the name of a person other than KYARI himself. ABBAS responded “Ok sir, tomorrow by noon,” indicating that he would make the payment to KYARI’s team by the next day.

 

146. On the same day, ABBAS sent JUMA the photograph of CHIBUZO in custody, which KYARI had sent.

 

147. Approximately a month later, on February 19, 2020, KYARI sent a message to ABBAS, saying, “Hello hush with [sic] need to talk about the subject under detention with me.” ABBAS asked “Should I call u on this number sir?” to which KYARI replied “Yes call me.”

 

148. The following day, KYARI sent ABBAS multiple photographs of CHIBUZO to ABBAS, including close-up photographs showing a rash or skin disease on CHIBUZO’s torso and arms. ABBAS responded, “I don pity am, make them leave am from Tuesday.” KYARI wrote, “Ok bro, they just brought him from hospital. The fever and the rashes is giving him serious Wahala [1]] He got the disease from other suspects in the cell.” ABBAS responded, “I see am, I no too pity am [1]] That’s what people like him deserve but I go forgive am for God sake.” In other words, based on my training and experience with Nigerian Pidgin, ABBAS was essentially stating, in part, “I don’t pity him. That’s what people like him deserve, but I will forgive him for God’s sake.”

 

a. Based on the date of the messages and later discussion described in paragraph 150, ABBAS was—on Thursday, February 20, 2020— requesting that KYARI not to release CHIBUZO until Tuesday, February 25, 2020.

 

149. ABBAS then told KYARI that CHIBUZO’s girlfriend messaged him, trying to raise one million Naira to secure CHIBUZO’s release, and said ABBAS promised to contribute 100,000 Naira. KYARI stated “They were thinking it’s normal arrest that is why they think money can remove him . . . No money can remove him here [1]] Hahahaha.” ABBAS added, “But it’s better for them to think that way, I like it like that,” and KYARI responded, “Yeah.”

 

150. ABBAS then said, “No problem sir from Tuesday he can go,” apparently giving KYARI his blessing to release CHIBUZO from custody. KYARI responded, “Ok bro [1]] We will also keep his phone and other gadgets for some weeks.” ABBAS responded, “Yes those ones they should not give him again, those ones are gone . . . Make he no see those ones again for life,” instructing KYARI not to return CHIBUZO’s electronic devices. KYARI responded, “Yes he will not see it [1]] Again,” indicating that he would accede to ABBAS’ request.


Wednesday, 30 December 2020

THIRD ALTERATION TO THE 1999 CFRN: THE GAME CHANGER IN NIGERIAN LABOUR LAW


1.   INTRODUCTION

It appears that many lawyers in Nigeria are  yet to come to terms with the new  reality of the game changing status of the Third Alteration to the 1999 Constitution of the Federal Republic of Nigeria (CRFN(as amended)). The aim of this article therefore, is to demonstrate to such lawyers, how the Third Alteration to 1999 CFRN has displaced hitherto established common law principles applicable to labour law in Nigeria.

The article will use the cases of SAHARA ENERGY RESOURCES LIMITED v. MRS OLAWUNMI OYEBOLA (2020) LPELR-51806(CA) leading judgement delivered by UGOCHUKWU ANTHONY OGAKWU, JCA on 3rd December, 2020 and AERO CONTRACTORS CO. OF NIGERIA LIMITED V. NATIONAL ASSOCIATION OF AIRCRAFTS PILOTS AND ENGINEERS (NAAPE) & ORS (unreported) Suit No. NICN/LA/120/2013, judgement delivered by HON. JUSTICE B. B. KANYIP on February 4, 2014 to lucidly demonstrate how the Third Alteration has changed the game.

2.   SAHARA ENERGY RESOURCES LIMITED v. MRS OLAWUNMI OYEBOLA

In Sahara’s case one of the issues for determination was whether the National Industrial Court (NIC) correctly assessed the quantum of damages by awarding two years’ salary as damages and compensation for the unlawful dismissal of the respondent. Ogakwu JCA at pp29-30 and pp35-36 had this to say on the issue of quantum of damages:

“By all odds, the law has become ensconced that in employment relationships without statutory flavour, where there has been wrongful/unlawful termination or dismissal, the measure of damages is payment of what the employee would have earned over the period of notice.  The Appellant  has  referred  to  some  of  the authorities in this regard. But as ensconced as the legal position may have become, has it become like the Rock of Gibraltar which cannot be moved? While the doctrine of  stare  decisis  or  binding  judicial  precedent  enjoins  the  courts  to  follow  the decisions  of  superior  courts,  it  has  to  be  remembered  that  what  the  earlier decisions establish is only a principle, not a rule. Rules operate in an all or nothing dimension. Principles do not. Principles merely incline decisions one way or the other. They form a principium or a starting point. Where one ultimately lands from that starting point will largely depend on the peculiar facts and circumstances of the case in hand: FAWEHINMI vs. NBA (NO. 2) (1989) 2 NWLR (PT 105) 558 at 650. It is in this wise that it becomes necessary to interrogate whether, in the light of the Third Alteration to the 1999 Constitution, wherein the National Industrial Court was fully structured into the Nigerian Judiciary as a superior court of record and a new labour jurisprudence emanated; the principle established in the cases prior to the said Third Alteration on the measure or quantum of damages to be awarded in cases of wrongful/unlawful termination or dismissal still remains the regnant law in  the  diacritical  circumstances,  or  whether  indeed  a  new  legal  regime  that demands a departure from the principle as it existed has been introduced in our corpus juris in employment and labour related litigations.”

“…in circumstances  where  the  employee  is  unlawfully  dismissed,  it  should  attract substantial damages, where claimed, in line with international best practices and not  based  on  the  hitherto  existing  principles  that  pre-date  the  advent  of  the innovative provisions of the Third Alteration to the 1999 Constitution. Section 254C (1) (f) and (h) and (2) of the 1999 Constitution empowers the lower  court  to  apply  international  best  practices  in  labour,  and  conventions, treaties, recommendations and protocols ratified by Nigeria. The High Courts were not so empowered in exercise of jurisdiction in labour matters which culminated in the principle of the superior courts on the measure of damages… the innovative provisions necessarily demand a rethink of the principle in the light of changed  circumstances  in  law.  Accordingly,  I  will  be  deferential  to  the  general damages  awarded  by  the  lower  court  in  exercise  of  its  jurisdiction  to  apply international best practices… I therefore uphold  the  award  by  the  lower  court  of  the  equivalent of  two  years’  salary  as general  damages  for  the  unlawful  dismissal  of  the  Respondent” 

3.  AERO CONTRACTORS CO. OF NIGERIA LIMITED V. NATIONAL ASSOCIATION OF AIRCRAFTS PILOTS AND ENGINEERS (NAAPE) & ORS

In Aero Contractorscase, Kanyip J. in deciding on the issue of the applicability of ILO Conventions and treaties which Nigeria has ratified but not yet domesticated held at pp13-15 thus:

“…I need resolve an issue raised by the claimant as to the application of ILO Conventions and jurisprudence in this Court. The defendants, making submissions in that regard, had called on this Court to take cognisance of the relevant ILO Conventions 87 and 98 and their accompanying jurisprudence. In its reply on points of law, therefore, the claimant submitted that this Court cannot apply the said ILO Conventions and jurisprudence to this case. To the claimant, Nigeria may be a signatory to ILO Conventions, the law in Nigeria on the applicability of international treaties is that such treaties cannot have the force of law unless they have been enacted into law by the National Assembly, citing Nnaji v. NFA [2010] 11 NWLR (Pt. 1206) 438 at 454 H – A and Abacha v. Fawehinmi [2000] 6 NWLR (Pt. 660) 228 at 247.

I must first of all state that the causes of action in Nnaji v. NFA and Abacha v. Fawehinmi all arose before the coming into effect of the Third Alteration to the 1999 Constitution. So the cases do not cover the issues raised by the Third Alteration to the 1999 Constitution. It is section 12 of the 1999 Constitution, as amended, dealing with implementation of treaties that Nnaji v. NFA and Abacha v. Fawehinmi interpreted and applied. The said section 12 provides –

(1)  No treaty between the Federation and any other country shall have the force of law except to the extent to which any such treaty has been enacted into law by the National Assembly.

(2)  The National Assembly may make laws for the Federation or any part thereof with respect to matters not included in the Exclusive Legislative List for the purpose of implementing a treaty.

(3)  A bill for an Act of the National Assembly passed pursuant to the provisions of subsection (2) of this section shall not be presented to the President for assent, and shall not be enacted unless it is ratified by a majority of all the Houses of Assembly in the Federation.

The thing with section 12 of the 1999 Constitution, as amended, is that a treaty as such shall not have the force of law in Nigeria unless such treaty has been enacted into law by the National Assembly and that law has been ratified by a majority of all Houses of Assembly in the country.

Now section 254C of the 1999 Constitution, as inserted by the Constitution (Third Alteration) Act 2010, deals with the jurisdiction of this Court. Its relevant provisions for present purposes are subsections (1)(f) and (h), and (2), which provide as follows –

(1) Notwithstanding the provisions of sections 251, 257, 272 and anything contained in this Constitution and in addition to such other jurisdiction  as may be conferred upon it by an Act of the National Assembly, the National Industrial Court shall have and exercise jurisdiction to the exclusion of any other court in civil causes and matters:–

(f) relating to or connected with unfair labour practice or international best practices in labour, employment  and industrial relation matters;

(h) relating to, connected with or pertaining to the application or interpretation of international labour standards;

(2) Notwithstanding anything to the contrary in this Constitution, the National Industrial Court shall have the jurisdiction and power to deal with any matter connected with or pertaining to the application of any international convention, treaty or protocol of which Nigeria has ratified to labour, employment, workplace, industrial relations or matters connected therewith.

There are two ways of approaching the issue at hand. The first is the question whether the Constitution (Third Alteration) Act 2010, which inserted section 254C(1)(f) and (h) and especially (2) is not the domestication demanded by 12 of the 1999 Constitution itself. I think it is. The Constitution (Third Alteration) Act 2010 amended the 1999 Constitution. Before it was passed and assented to by the Preisident of the country, it was sent to all the “Houses of Assembly in the Federation” and was ratified by majority of the Houses of Assembly, hence the alteration of the 1999 Constitution itself. This effectively means that the requirements of section 12 of the 1999 Constitution were and have been met when section 254C(1)(f) and (h) and (2) was enacted as per the Constitution (Third Alteration) Act 2010.

Even if the first approach were not to be the case, the second approach at treating the issue is that both subsections (1) and (2) of section 254C of the 1999 Constitution, as amended, commence with the word “Notwithstanding”. In subsection (1) it is “Notwithstanding the provisions of sections 251, 257, 272 and anything contained in this Constitution…” and in subsection (2), it is “Notwithstanding anything to the contrary in this Constitution….” Section 12 qualifies as both “anything contained in this Constitution” in subsection (1) and “anything to the contrary in this Constitution” of subsection (2). The use of the word ‘notwithstanding’ in any statutory instrument has been judicially considered by the Supreme Court. In Peter Obi v. INEC & ors [2007] 11 NWLR (Pt. 1046) 565 at 636 – 634 per Aderemi, JSC, the Supreme Court cited NDIC v. Okem Ltd and anor [2004] 10 NWLR (Pt. 880) 107 at 182/182 with approval where it held as follows –

When the term “notwithstanding” is used in a section of a statute it is meant to exclude an impinging or impending effect of any other provision of the statute or other subordinate legislation so that the said section may fulfill itself.

In like manner the use of the word ‘notwithstanding’ in section 254C(1)(f) and (h) and (2) of the 1999 Constitution, as amended, is meant to exclude the impending effect of section 12 or any other section of the 1999 Constitution. It follows that as used in section 254C(1)(f) and (h) and (2) of the 1999 Constitution, as amended, no provision of the Constitution shall be capable of undermining the said section 254C(1)(f) and (h) and (2); and I so find and hold.

So, whichever of the two approaches is adopted (or even if both approaches are adopted), I have no hesitation whatsoever in finding and holding that this Court has the jurisdiction and power to apply “any international convention, treaty or protocol of which Nigeria has ratified”; and ILO Conventions 87 and 98 and the ILO jurisprudence that goes with them can be so applied in view of their ratification by Nigeria.”

4.     CONCLUSION

From the above it is crystal clear that the Third Alteration to the 1999 Constitution is a huge game changer when it comes to labour issues in Nigeria. The hitherto entrenched common law position in labour jurisprudence may no longer be applicable in Nigeria most especially because of the Third Alteration to the 1999 Constitution and sections 7(6), 12, 13, 14 and 15 of the National Industrial Court Act, 2006.

The Court of Appeal in Sahara’s case applied international best practices to uphold the quantum of damages awarded by the NIC. It is therefore not out of place to conclude that the Court of Appeal will also uphold the decision in BELLO IBRAHIM v. ECOBANK PLC (unreported) Suit No. NICN/ABJ/144/2018 judgement delivered December 17, 2019, where the NIC also applied international best practices and ILO conventions to hold that an employer of labour cannot fire at will without giving reasons. Kado J, noted in Bello’s case thus:

"The law, for long, has been that an employer needs not give reason to terminate a contract of  employment;  he  only  needs  to  comply  with  the  terms  and  conditions  of  employment. Employers are at liberty to terminate for good, bad reason or no reason at all. This general trite position of the common law rule is however considered not be in tune with modern day global labour law best practices… From the evidence and circumstances of this case, there was nothing to cast doubt on the claimant's capacity in terms of performance of his job. To my mind, in view of Article 4 of convention No. 158 of ILO and recommendation 166 of the said convention, it will not be fair to terminate contract of employment for no reason whether good or bad"

In view of the Court of Appeal’s decision in Sahara’s case, it appears that it may not be right to contend, as one of my learned friends did, that “Until the Superior courts pronounce on this judgement (in Bello Ibrahim v. Ecobank Plc), anyone who carries the judgement to town to celebrate is standing on a banana peel with the tendency to slip any moment”.

It is interesting to note that although the author of the article: “Bello v. Ecobank: A New Sherriff is in Town,” hailed the judgement in Bello’s case as a landmark, “which turned the tides and completely changed the tenure of determining employments at will, or servant holding an office at pleasure, or master servant relationship type of employments in Nigeria”,  the real landmark is the decision of the NIC delivered over a decade ago in PENGASSAN v. SCHLUMBERGER ANADRILL NIGERIA LIMITED [2008] 11 Nigeria Labour Law Reports (NLLR) (Pt. 29) 164, that, irrespective of the employer’s right to hire and fire for any or no reason, it is no longer globally fashionable in industrial relations law and practice to terminate an employment relationship without adducing any valid reason for such a termination.