Wednesday, 25 March 2026

When Power Players Expose Mass Surveillance: The El-Rufai Wiretapping Saga and the Cybercrimes Paradox


A high-profile airport confrontation has pulled back the curtain on an alleged warrantless surveillance apparatus, but who investigates the investigators?

The recent clash between former Kaduna State Governor Nasir El-Rufai and National Security Adviser Nuhu Ribadu has exposed a troubling double standard at the heart of the digital rights framework in Nigeria. While legal experts like Abuja-based lawyer Pelumi Olajengbesi correctly point out that phone tapping constitutes a serious criminal offense under the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, El-Rufai's counter-allegations raise a more fundamental question: what happens when the suspected perpetrator is the state itself?

The Accusations

Following his attempted arrest at Nnamdi Azikiwe International Airport in February 2026, El-Rufai publicly admitted to listening to an intercepted phone conversation in which Ribadu allegedly ordered his detention. But he didn't stop there. In a revealing statement, the former governor declared: "The government thinks that they're the only ones that listen to calls...the government does it all the time. They listen to our calls all the time without a court order."

This isn't just political mudslinging. These words come from someone who has operated at the highest levels of governance: a former minister and two-term governor with intimate knowledge of state security operations. His allegations carry institutional weight precisely because of this insider perspective.

The Legal Framework vs. Reality

The legal framework for electronic surveillance appears comprehensive on paper. Section 37 of the 1999 Constitution (as amended) guarantees the right to privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications.

Furthermore, Section 12(1) of the Cybercrimes Act, 2015 (as amended) is explicit: "Any person, who intentionally and without authorization, intercepts by technical means, non-public transmissions of computer data, content, or traffic data... commits an offence and shall be liable on conviction to imprisonment for a term of not more than 2 years or to a fine of not more than N5,000,000.00 or to both."

The law makes no exception for government officials. The prohibition applies to "any person", a deliberate choice of words that encompasses both private individuals and state actors.

The Warrant Requirement

Section 39 of the Cybercrimes Act and the Lawful Interception of Communications Regulations, 2018 establish strict conditions for lawful interception. A judge may only authorize interception "where there are reasonable grounds to suspect that the content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings."

The Regulations further specify that a warrant is necessary except in narrowly defined emergency situations involving: immediate danger of death or serious injury, activities threatening national security and organized crime activities.

Even in these emergency circumstances, Regulation 12(4) mandates that the authorized agency "shall apply for a Warrant to the Judge within 48 hours after the interception has occurred... and where the application is not made, or denied within 48 hours, the interception shall terminate immediately and further interception shall be treated as unlawful."

Who Can Request Interception?

Under Regulation 12(1), the request may come from the Office of the National Security Adviser (represented by the NSA or designee not below Assistant Commissioner rank) or the State Security Services (represented by the Director or designee of equivalent rank).

Notably, the NSA, Nuhu Ribadu himself, is one of only a few officials empowered to seek lawful interception orders. This makes El-Rufai's allegation that Ribadu ordered his surveillance particularly significant: if such interception occurred without judicial authorization, the very official charged with seeking warrants lawfully may have bypassed the legal process entirely.

The Reality: Systematic Circumvention?

Yet El-Rufai's claims that "The government does it all the time. They listen to our calls all the time without a court order" suggest a pattern of systematic circumvention, not by rogue actors, but by the very state apparatus charged with upholding these laws.

If true, this represents a fundamental breakdown of the rule of law. The regulations impose severe penalties for non-compliance: N5,000,000 fines for violations, plus N500,000 daily penalties for continuing offenses (Regulation 16). These penalties apply to "any person, Licensee or its officers"; again, there is no carve-out for government agencies. Section 12 of the Cybercrimes Act also criminalizes unlawful interceptions of communications.

The legal framework is, therefore, clear. The alleged practice, as described by a former governor with insider knowledge, appears to violate it systematically. This gap between law and practice transforms surveillance regulations from protective shields into paper tigers that are enforced against citizens while ignored by those in power.

The Expanding Surveillance Infrastructure

El-Rufai's allegations align disturbingly with documented evidence of growing surveillance capabilities in Nigeria. According to research from the Institute of Development Studies, Nigeria has spent billions of dollars acquiring sophisticated surveillance technology. The country has procured systems capable of monitoring communications, tracking locations, and conducting mass data collection, often with minimal transparency or oversight.

The Berkman Klein Center at Harvard University reports that Nigeria's surveillance ecosystem includes partnerships with international technology vendors and deployment of invasive monitoring tools. These systems operate in what researchers describe as a legal grey zone, where the technological capacity for surveillance far outpaces regulatory frameworks designed to protect citizens' privacy.

The Harvard research notes that authorities have acquired tools for intercepting mobile communications, monitoring internet traffic, and collecting metadata on citizens' digital activities, which is precisely the kind of warrantless surveillance El-Rufai now alleges is routine practice.

The Financial and Human Cost

The scale of investment in surveillance infrastructure is staggering. As the IDS study reveals, the country has channeled billions into surveillance technologies even as critical public services remain underfunded. This spending occurs largely outside public scrutiny, with procurement processes that lack transparency and accountability mechanisms.

More troubling still, these surveillance capabilities have allegedly been deployed not primarily for national security purposes, but for monitoring political opposition, civil society activists, and journalists. The Harvard analysis documents cases where surveillance tools have been used to target dissenting voices rather than genuine security threats, a pattern consistent with El-Rufai's claims about politically motivated monitoring.

The Accountability Vacuum

Lawyer Olajengbesi has called for security agencies to investigate El-Rufai's admission of listening to intercepted communications. But this raises the paradox at the heart of this affair: Who investigates allegations against the government when the government controls the investigative machinery?

The Harvard research highlights a critical gap in Nigeria's digital rights architecture: the absence of independent oversight bodies with real power to monitor and sanction state surveillance activities. While the Cybercrimes Act and the Lawful Interception of Communications Regulations, 2018 theoretically require judicial authorization for interception, researchers found that compliance mechanisms are weak and enforcement is selective.

If El-Rufai's broader allegations are accurate, i.e., that warrantless mass surveillance of citizens' phone calls and online activities is routine government practice, then Nigerians face a surveillance state operating outside its own legal framework. The Cybercrimes Act and the Lawful Interception of Communications Regulations, 2018 become merely decorative legislation, enforced selectively against citizens while the state enjoys de facto immunity.

The Technology Behind the Surveillance

According to IDS findings, the government of Nigeria has acquired sophisticated interception systems capable of real-time monitoring of telecommunications networks. These systems can capture voice calls, text messages, and internet communications without leaving traces detectable to the targets. The infrastructure includes both passive collection systems and active interception capabilities, which makes El-Rufai's claim about routine, warrantless call monitoring technically plausible.

The Berkman Klein Center's investigation notes that telecommunications providers in Nigeria are often compelled to cooperate with security agencies, sometimes through informal pressure rather than legal process. This creates a system where lawful interception procedures can be bypassed entirely, with communications accessed directly through telecoms infrastructure.

What This Means for Digital Rights

This confrontation between political heavyweights inadvertently validates long-held suspicions within the digital rights community: that citizens' communications are subject to systematic, warrantless monitoring. Civil society organizations have raised these concerns for years, often dismissed as conspiracy theories. When someone of El-Rufai's stature, with decades navigating power corridors, makes such allegations, it demands serious attention.

The Harvard study emphasizes that unchecked surveillance powers fundamentally undermine democratic participation. When citizens cannot communicate privately, they cannot organize effectively, hold government accountable, or exercise their rights to free expression and assembly. The chilling effect of pervasive surveillance extends far beyond those directly targeted.

The Way Forward

1. Independent oversight mechanisms for state surveillance activities with real enforcement power as recommended by researchers at IDS, including civilian oversight boards with subpoena power and security clearances to audit surveillance operations.

2. Transparency reports from telecommunications providers and security agencies about interception requests and warrants, a practice the Berkman Klein Center identifies as essential for accountability in democratic societies.

3. Judicial reforms ensuring that interception warrants are genuinely scrutinized, not rubber-stamped, with specialized courts trained in digital rights and surveillance law.

4. Legislative review of the Lawful Interception of Communications Regulations, 2018 to close loopholes enabling abuse and align the Regulation with international human rights standards.

5. Equal application of cybercrime laws, whether the accused is a citizen or state actor.

6. Public disclosure of surveillance procurement contracts and capabilities, as called for by civil society researchers, to enable informed democratic debate about surveillance powers.

Conclusion

The irony is stark: laws designed to protect electronic privacy may be routinely violated by those charged with enforcing them. While El-Rufai's own admission warrants investigation, his counter-allegations expose a potentially far graver systemic problem. The documented evidence of multi-billion-dollar surveillance infrastructure in the country, combined with research showing weak oversight mechanisms, suggests El-Rufai may be revealing an open secret within the power elite.

Until the country establishes genuine accountability for state surveillance activities, the Cybercrimes Act and Lawful Interception of Communications Regulations, 2018 will remain what many fear they already are: tools for controlling citizens rather than protecting their digital rights.

The question remains unanswered: In a democracy, when the government allegedly breaks the law on a mass scale, who investigates?

 

Tuesday, 17 February 2026

When the Law Gets It Wrong: A Critique of the Cybercrime Charges Against El-Rufai


The Department of State Services (DSS) recently filed a three-count cybercrime charge against former Kaduna State Governor Nasir Ahmad El-Rufai, sending political ripples across Nigeria and setting off a wave of commentary from legal observers. The charge, widely reported in the press, invokes provisions of the Cybercrimes (Prohibition, Prevention, etc.) Amendment Act, 2024. And that is precisely where the legal problems begin.

This piece is not principally about whether El-Rufai is guilty or innocent of whatever conduct the DSS suspects him of. That is a matter for trial. What is worth examining carefully, and somewhat urgently, is whether the DSS and whoever supervised this prosecution got the law right. The short answer is: they did not. And the implications of that error go beyond procedural embarrassment.

What the DSS Actually Charged

According to media reports, the first two counts of the charge invoke Section 12(1) and Section 27(b) of the Cybercrimes (Prohibition, Prevention, etc.) Amendment Act, 2024. These references are presented as if they are straightforward provisions of the law under which El-Rufai must answer. They are not.

Here is why.

The 2024 Amendment Act Is Not a Standalone Penal Law

The Cybercrimes (Prohibition, Prevention, etc.) Amendment Act, 2024 is, as its very title makes clear, an amendment. It exists for one purpose: to amend specific provisions of the principal legislation, which is the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015. An amendment act does not create an independent, self-contained body of criminal law. It modifies, inserts, deletes, or replaces sections of the parent Act. Once it has done that work, the operative legal instrument remains the principal Act, now updated with whatever changes the amendment introduced.

This is not a technicality. This is elementary legislation. Anyone who has studied law in Nigeria, or indeed any common law jurisdiction, understands that you charge a suspect under the principal Act as amended, not under the amending statute itself.

Now, let us look at what Section 12(1) of the 2024 Amendment Act actually says. It reads, in its entirety: "Section 48 of the Principal Act is amended by deleting subsection (4)." That is it. Section 12 of the 2024 Amendment Act is a housekeeping provision. It performs a narrow editorial function. It deletes a subsection from Section 48 of the 2015 Act. It creates no offence, prescribes no penalty, and defines no criminal conduct whatsoever. Charging anyone under Section 12(1) of the 2024 Amendment Act as if it were a substantive criminal provision is legally incoherent.

Similarly, Section 27(b) of the 2024 Amendment Act simply does not exist. The entire Amendment Act has only 12 sections!

The Correct Provisions Are in the 2015 Act

The actual substantive offences that the DSS appears to have intended to charge El-Rufai with are clearly found in the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 as amended. Two provisions in particular stand out as the appropriate basis for the first two counts.

The first is Section 12(1) of the 2015 Act, which provides:

"A person, who intentionally and without authorization, intercepts by technical means, non-public transmissions of Computer Data, content, or traffic data, including electromagnetic emissions or signals from a Computer, Computer System or Network carrying or emitting signals, to or from a Computer, Computer System or connected system or network, commits an offence and is liable on conviction to a term of imprisonment of not more than 2 years or to a fine of not more than 5,000,000.00 or both."

That is the unlawful interception provision. It targets the deliberate, unauthorized interception of electronic communications. If the DSS believes that El-Rufai or persons connected to him engaged in unauthorized interception of digital communications, this is the provision they should have cited. It is clear, it creates a specific offence, it has a defined penalty, and it sits properly in the principal Act.

The second relevant provision is Section 27(1)(b) of the 2015 Act, which provides:

"A person who aids, abets, conspires, counsels or procures another person to commit any offence under this Act, commits an offence and is liable on conviction to the punishment provided for the principal offence under this Act."

This is the conspiracy and abetting provision under the Cybercrimes Act. It is the appropriate section to charge someone who did not personally carry out the alleged cyber conduct but who may have facilitated, assisted, or procured another person to do so. Again, it is in the 2015 Act, not the 2024 Amendment Act.

The charges should have read: "Count 1: Contrary to Section 12(1) of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 as amended" and "Count 2: Contrary to Section 27(1)(b) of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 as amended." The failure to frame it this way is not a minor drafting infelicity. It is a substantive legal error that, depending on how the trial court views it, could affect the validity of the charge or at the very least embarrass the prosecution.

Why This Matters: The Consequences of Charging Under the Wrong Law

Some might argue that this is a technicality and that the court will simply look through to the underlying facts. The courts do have some latitude in treating errors in charge drafting, and the prosecution may seek to amend the charge. But that argument misses the broader point. In criminal proceedings, precision matters. The defendant is entitled to know exactly what law they are said to have violated. A charge that cites a non-existent substantive provision denies the accused a fair opportunity to understand and challenge the case against them. It also exposes the prosecution to objections at every stage of proceedings, from arraignment to trial.

More practically, prosecutorial credibility matters. When the agency bringing the charge cannot correctly identify the statute it is relying on, it raises legitimate questions about the quality of the investigation and the legal supervision of the case. It makes it harder for courts, the public, and legal observers to take the prosecution seriously on its merits.

The Rules of Professional Conduct for Legal Practitioners, 2023 speak directly to this. Rule 37(4) states that "the primary duty of a lawyer engaged in public prosecution is not to convict but to see that justice is done." Rule 37(5) goes further and is even more pointed: "A public prosecutor shall not institute or cause to be instituted a criminal charge, if he knows or ought reasonably to know that the charge is not supported by the probable evidence." Read together, these provisions draw a clear boundary. A public prosecutor is not an instrument of political will. They carry an independent professional duty to ensure that charges are legally sound before they are filed. Filing a charge under provisions that either do not exist or carry no substantive criminal content is not a clerical slip. It is a departure from that duty, and the Rules make no allowance for institutional pressure as an excuse.

The Uncomfortable Question: Was This Prosecution Rushed?

There is an uncomfortable dimension to all of this that cannot be avoided. The DSS is the country's secret police. It operates under the direct supervision of the Presidency. El-Rufai, since leaving government, has become an increasingly vocal and uncomfortable presence in opposition circles. The timing of the charges, and now the elementary legal error embedded in them, raises a question that serious observers cannot simply dismiss: was this prosecution properly prepared, or was it rushed to court to satisfy political pressure from above?

Cybercrime investigations, when done properly, take time. They require forensic analysis of devices and networks, the establishment of chains of digital evidence, careful assessment of the relevant statutory provisions, and thorough legal review before charges are filed. None of that is quick work. When charges are filed that cite provisions of an amendment act as if they were substantive offences, when those provisions turn out to be mere housekeeping clauses or simply non-existent as criminal provisions, one is entitled to wonder whether any serious legal review happened at all.

It is hard not to reach for an explanation. And the most obvious one is that someone in the DSS, under pressure to produce a result quickly, drafted and filed these charges without adequate scrutiny. The error is the kind that a law student should catch. That it appeared in a charge filed by a national security agency suggests either that the legal review was cursory or that no meaningful legal review happened at all.

The Pressure Cooker: Government Lawyers and Their Political Bosses

This brings us to a pattern that is unfortunately familiar in public law practice. Lawyers who work for government agencies, security services, and state institutions operate in an environment that is structurally different from private practice. They have clients, yes, but their clients are institutions that are themselves answerable to political principals. The Attorney-General's office, the DSS legal directorate, the Nigeria Police Force legal directorate, the Nigerian Army legal directorate and similar bodies do not exist in a professional vacuum. They operate within a chain of authority that runs, ultimately, to political appointees and to elected or appointed officials with agendas and timelines.

The foundation of the profession, however, does not shift with that chain of command. Rule 1 of the Rules of Professional Conduct for Legal Practitioners, 2023 is unambiguous on this: "A lawyer shall uphold and observe the rule of law, promote, and foster the course of justice, maintain a high standard of professional conduct, and shall not engage in any conduct which is unbecoming of a legal practitioner." That obligation does not have a carve-out for government lawyers. It does not say "except when your boss is in a hurry" or "unless the agency director wants results by Friday." It is absolute. It applies to the lawyer in private practice and equally to the lawyer sitting in the legal directorate of a security service drafting charges at the instruction of a political superior.

The pressure to file quickly, to show results, to demonstrate that the agency is active and effective, is real and pervasive. A political boss who wants a charge filed will not always appreciate being told that the forensic work is incomplete or that the legal drafting needs another week of review. Junior lawyers and even senior ones know that pushing back on a political boss carries professional risk. The path of least resistance is to file what you have, fix it later, and hope the court is tolerant.

The problem, of course, is that this approach does a disservice to everyone. It harms the prosecution's case. It potentially harms the defendant, who must navigate proceedings built on faulty foundations. It undermines public confidence in the justice system. And it harms the lawyers themselves, who are identifiable in the public record as the authors of a flawed charge.

It appears that government lawyers everywhere navigate the tension between professional duty and institutional loyalty. But the tension is particularly acute in environments where security agencies operate with limited independent oversight, where political pressure on prosecutorial decisions is normalized, and where the consequences of being seen as obstructive to the boss's agenda are swift and severe.

A Word to In-House Counsel Under Political Pressure

If you are a lawyer working within a government agency or under the supervision of a politically appointed superior, this case should serve as a sobering reminder of something you already know but perhaps find difficult to act on.

Your professional obligation runs to the law first. Not to your boss, not to the agency, not to the political agenda of the moment. Rule 1 of the Rules of Professional Conduct has already stated this plainly, and Rule 37 has sharpened it in the specific context of criminal prosecution. A public prosecutor who files a legally defective charge is not just making a technical error. They are, on the plain reading of those rules, failing in their primary professional duty. When a superior directs you to file a charge that you know is legally defective, you are not merely being asked to take a professional risk. You are being asked to participate in a process that may ultimately embarrass the institution you serve and, more importantly, undermine justice.

The practical advice here is straightforward, even if it is not always easy to follow. Push back in writing. Document your legal concerns in a memorandum. If you believe the charges as drafted cite the wrong legislation, say so clearly and in a format that creates a record. You may be overruled, and that is a reality of institutional practice. But you will have discharged your professional duty, and you will have evidence that you raised the issue. That documentation matters, both professionally and ethically.

If you are overruled and the defective charge is filed anyway, at the very least ensure that the record reflects the correct statutory basis for any subsequent amendment. Do not compound the initial error by defending it as if it were correct. Courts, opposing counsel, and the public are watching. And in the age of legal commentary, public analysis, and digital archives, elementary legal errors in high-profile cases do not disappear quietly.

More broadly, think carefully about the long game. A prosecution that collapses because it was built on a wrong statutory foundation does not serve the political boss who ordered it. It does not serve the agency that filed it. It certainly does not serve justice. The lawyer who stood up early and said "we need to get the law right before we file" is ultimately serving everyone better, even if that is not how it feels in the moment of political pressure.

The El-Rufai case, whatever its ultimate outcome, is an object lesson in what happens when the rush to please the boss overrides the duty to get the law right. The charges may be amended. The prosecution may proceed. But the elementary error is now on the public record. And that, for any lawyer worth their call to bar, should be reason enough to slow down next time, check the statute carefully, and file correctly the first time.

 

This article is written for legal commentary purposes and does not constitute legal advice. The author examined the publicly reported charges and the relevant statutory provisions on the basis of publicly available legal texts.

 

Thursday, 15 May 2025

A Decade of the Cybercrimes Act: Assessing the Nation’s Legal Framework Against Digital Threats (2015–2025)


Introduction

On May 15, 2015, the nation made a decisive move in addressing the growing threat of cybercrime by enacting the Cybercrimes (Prohibition, Prevention, etc.) Act. Ten years later, the law remains central to the country’s cybersecurity framework, offering legal definitions, prosecutorial mechanisms, and institutional frameworks to combat digital threats. As we mark this decade-long journey, it is time to assess the Act's major impacts, its 2024 amendments, its misuses, and what must change in the future to safeguard security and civil liberties.

1. The Country’s First Comprehensive Legal Framework on Cybercrime

Prior to 2015, the legal environment addressing cybercrime in the nation was fragmented. Offenses were prosecuted under laws like the Advanced Fee Fraud Act, which did not fully capture the nature of modern digital threats. The 2015 Act changed that by clearly defining crimes such as hacking, identity theft, cyberterrorism, online fraud, and child pornography. It introduced penalties that enabled structured prosecution. The result has been a series of high-profile convictions, including notorious syndicates involved in ATM card fraud, phishing scams, etc.

2. Creation of the Cybercrime Advisory Council

The Act provided for the establishment of the Cybercrime Advisory Council under the leadership of the National Security Adviser (NSA). Comprising stakeholders from public and private sectors, the Council was tasked with coordinating national cybersecurity policy. Although the Council has faced criticism for slow bureaucratic response, it has enabled strategic partnerships with international agencies like INTERPOL and the UK National Crime Agency.

3. Protection of Critical National Information Infrastructure (CNII)

A notable provision of the Act was the designation of key sectors such as banking, energy, and telecommunications as Critical National Information Infrastructure (CNII). These sectors were mandated to implement enhanced cybersecurity protocols. Although large institutions have complied, enforcement remains inconsistent, especially among smaller banks and regional service providers.

4. Reforming Section 24: From Overreach to Targeted Protection

Originally, Section 24 criminalized messages deemed "grossly offensive" or causing "needless anxiety." This provision was vague and became a tool for silencing journalists and critics. The 2024 amendment narrowed its scope, now targeting child pornography and false information likely to incite violence. This change followed the ECOWAS Court's 2020 judgment, which found the original section unconstitutional. Still, enforcement remains uneven and politically influenced.

Notable Misuse Cases:

· Omoyele Sowore (January 2025): Charged with 16 counts under the Cybercrimes Act based on his social media posts referring to the Inspector General of Police as an “illegal IGP.”

· Agba Jalingo (2022): Prosecuted over Facebook posts alleging corruption.

The Erisco Tomato Paste Review Case – A Cautionary Tale

In 2023, Chioma Okoli, a national consumer, posted a Facebook review stating that she found Nagiko Tomato Mix, a product of Erisco Foods Limited, to be sugary. Erisco Foods Limited refuted her claim as untrue and unfounded. Subsequently, Okoli was arrested by the police following a petition by the company's President and CEO, Eric Umeofia. The police obtained an arrest warrant and remand order from a magistrate court in Masaka, Nasarawa State, leading to her detention. She was later arraigned at the Federal High Court in Abuja, where she pleaded not guilty to two counts of conspiracy and cyberstalking. Amid the legal proceedings, Okoli suffered a miscarriage. Her arrest and detention sparked public outrage, with many citizens calling for her release.

Displeased with the remand order, Okoli's counsel, Inibehe Effiong, petitioned the Nasarawa State Judicial Commission. He argued that it was improper for the magistrate to issue arrest and remand warrants against his client, who neither resided in Nasarawa State nor had ever visited it. Effiong contended that the alleged offences were not committed in Nasarawa State and that cybercrime is a federal offence under the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, which grants exclusive jurisdiction to the Federal High Court for such matters.

Following the petition, the Nasarawa State Judicial Commission investigated the matter and, in a letter dated January 6, 2025, informed Effiong that Chief Magistrate Emmanuel A. Jatau had been demoted from Chief Magistrate II (Grade Level 15) to Senior Magistrate I (Grade Level 14) and stripped of his magisterial duties. The commission cited misconduct in the handling of Okoli's case as the reason for the disciplinary action.

This case underscores the importance of adhering to proper jurisdictional procedures and the potential consequences of misapplying legal authority, particularly in matters involving federal offences such as cybercrime. It further highlights how cybercrime laws can be misapplied to suppress consumer rights and free expression, exemplifying a growing trend of using criminal prosecution to settle what are fundamentally civil disputes.

5. International Collaboration and Extradition Challenges

The country’s endorsement of the Budapest Convention significantly improved its ability to cooperate on international cybercrime investigations. Countries such as the UK, South Africa, and Japan have partnered with the nation to track and extradite suspects. However, the process remains hampered by slow bureaucratic procedures and the lack of mutual legal assistance frameworks with some jurisdictions.

6. Introduction of the Cybersecurity Levy

A major provision in the 2024 amendment was the introduction of a 0.5% cybersecurity levy on electronic transactions, administered by the NSA. While aimed at funding national cyber defense infrastructure, the policy attracted strong public opposition, prompting government reviews and clarifications. Critics argue the levy disproportionately affects small businesses and low-income earners.

7. Law Enforcement and Free Speech: A Fragile Balance

Even after the amendment, Section 24 continues to be used against journalists and whistleblowers. In 2024, journalist Daniel Ojukwu was detained for publishing corruption-related stories. In 2023, lawyer Chike Ibezim was charged over tweets criticizing a politician. Legal advocacy groups like SERAP and the Nigerian Union of Journalists (NUJ) have consistently called for more robust protections for free speech.

8. Sectoral CERTs and Faster Incident Reporting

The 2024 reforms also created Sectoral Computer Emergency Response Teams (CERTs) to improve the handling of cyber incidents. Financial institutions, for example, must now report security breaches within 72 hours, a significant improvement over the previous 7-day period. This has improved real-time threat analysis and response mechanisms.

9. Mandatory NIN for Electronic Transactions

To combat identity fraud, the amendment now mandates the use of National Identity Numbers (NIN) for all electronic transactions. While this policy has had a positive impact in reducing the number of fraudulent accounts, implementation remains difficult due to infrastructure gaps in the National Identity Management Commission (NIMC).

10. Strengthening Law Enforcement Capacity

The Act led to the establishment of cybercrime units within agencies like the EFCC, the Nigeria Police Force, and the Nigerian Financial Intelligence Unit (NFIU). These units have recorded success in cracking complex cyber fraud cases. However, underfunding, skill shortages, and limited accessibility outside Abuja and Lagos still limit their effectiveness.

Judicial Warning Against Misuse of Criminal Law for Civil Disputes

The Supreme Court of the country, in Aviomoh v. C.O.P & Anor (2021) LPELR-55203(SC), offered a stark warning. Justice Helen Moronkeji Ogunwumiju held:

"My Lords, the misuse of the criminal law machinery for getting reliefs in disputes that are civil in nature, by using the instruments of State has become dangerously rampant in recent times... Criminal Courts should ensure that proceedings before it are not used for settling scores or to pressurize parties to settle civil disputes."

This principle must guide the application of the Cybercrimes Act, particularly Section 24, to prevent the criminalization of civil disagreements or dissenting opinions.

The Way Forward

1. Judicial Training:

Introduce mandatory training on digital rights and cybercrime legislation for magistrates and judges. The mishandling of the Erisco case underscores the urgent need for judicial officers to understand jurisdictional limits and the civil liberties at stake in cybercrime prosecutions.

2. Expansion of Forensic Infrastructure:

Establish well-equipped cybercrime forensic laboratories in each of the six geopolitical zones to improve digital evidence collection and analysis.

Deploy Cybercrime Units of the Nigeria Police Force across all 36 state commands. These units should be equipped with modern tools, including digital forensic software and blockchain analysis systems. Replicating such capacity nationwide will help reduce investigative delays, particularly in underserved rural areas.

3. Capacity Building:

Invest in the continuous training of law enforcement personnel in areas such as ethical hacking, cryptocurrency tracking, and dark web surveillance. Partnerships with institutions like the UK's National Cyber Security Centre (NCSC) will ensure officers remain adept at handling sophisticated cyber threats.

4. Whistleblower Protection:

Enact legal safeguards to protect journalists, whistleblowers, and concerned citizens from retaliatory prosecutions under the Act. Such protection is crucial to fostering accountability and trust in public institutions.

5. Transparency and Accountability:

Mandate the publication of annual reports on cybercrime-related arrests, charges, and convictions. These reports should include disaggregated data to help identify patterns of misuse and support evidence-based reform.

Conclusion

In its first decade, the Cybercrimes Act has become a vital component of the national security framework. Yet, high-profile cases like Erisco and the detention of journalist Daniel Ojukwu expose persistent vulnerabilities in its application. As Justice Helen Ogunwumiju cautioned in Aviomoh v. C.O.P, criminal law must not be wielded as a tool for settling civil grievances or suppressing legitimate dissent.

To uphold both security and civil liberties in the digital age, the next phase must focus on legislative precision, institutional accountability, and infrastructural development. Decentralizing cybercrime units, expanding forensic capabilities, and ensuring judicial understanding of digital rights will help realign the Act with its original purpose: to protect citizens from genuine digital threats—not to punish lawful expression.

Without equipping all regions of the country to detect and respond to cybercrime effectively, the nation risks falling behind in its fight against increasingly complex digital criminality. Reform is no longer optional—it is imperative.