Monday, 18 November 2013

Barr. Timothy Tion discusses the NCC directive to cybercafe owners and cybercrime Part 1


Recently I was on “ICT WORLD”, a Radio Benue program, to discuss the Nigeria Communication Commission (NCC) directive to cybercafé operators, which came into effect on the 1st of November, 2013, directing all cybercafé licensees and operators in the country to maintain an up-to-date database of their subscribers/users detailing information such as: full names, names of corporate body (in the case of a corporate establishment), traceable physical address, full-faced passport photograph, telephone numbers, permanent residential address (not P. O. Box), evidence of registration with the Corporate Affairs Commission (CAC) (applicable to corporate bodies only) and other forms of identification including international passport, driver’s licence, national identity card, etc.
According to the NCC, this database is to aid law enforcement authorities in fighting the increasing rate of cybercrime committed through cybercafés across the country.
Here is the link to download the discussion. To download, click the "download" icon in green. Listen and let me get your feedback. Thank you.

UPDATE 22 DECEMBER 2020
The above link to the discussion is dead. Here is a new link to the discussion, which is divided into parts 1 and 2. Listen to part 1 here and part 2 here.

Friday, 1 November 2013

PRIVACY, NIGERIA COMMUNICATIONS COMMISSION AND CYBERCAFES


On the 21st of October, 2013, Nigeria’s telecommunications regulator, the Nigeria Communications Commission (NCC), issued a public notice via its Twitter handle, @NgComCommission, which came into effect on the 1st of November, 2013, directing all cybercafé licensees and operators in the country to maintain an up-to-date database of their subscribers/users detailing information such as: full names, names of corporate body (in the case of a corporate establishment), traceable physical address, full-faced passport photograph, telephone numbers, permanent residential address (not P. O. Box), evidence of registration with the Corporate Affairs Commission (CAC) (applicable to corporate bodies only) and other forms of identification including international passport, driver’s licence, national identity card, etc. According to the NCC, this database is to aid law enforcement authorities in fighting the increasing rate of cybercrime committed through cybercafés across the country.

It is not in doubt that cybercrime is rampant in Nigeria. A February 2010 report by the Internet Crime Complaint Centre named Nigeria the top African nation and third in the world (after USA and UK) in its global cybercrime ranking. It has also been reported that Nigerian consumers lost a total of N1.246 trillion to cybercrime in 2012, and recently the Central Bank of Nigeria (CBN) reported that the Nigerian banking sector lost over 20 billion through internet fraud. There is therefore every need to fight this cankerworm called cybercrime in Nigeria. However, the Government (NCC, law enforcement agents, etc.) must ensure that the fight against cybercrime is done within the limits of the law and must avoid infringing, without lawful justification, the constitutional right to privacy of millions of innocent Nigerians who use cybercafés, or doing anything that may negatively impact on that right. It is yet to be proven by NCC that most of these crimes are committed using cybercafés. It is even debatable whether these internet crimes are perpetrated using cybercafés, considering the availability of faster internet on smartphones, the cheap internet plans being offered by the GSM service providers (for instance, on 31 October 2013, Globacom slashed its BlackBerry internet subscription (BIS) tariffs by half; the Absolute Month platform, which hitherto was N2,800 with 3GB data, now goes for N1,000 with 3GB data) and the convenience of browsing the internet on smartphones, tablets and personal laptops, which are increasingly becoming affordable.

Without conceding that cybercafés are used to commit most of the cybercrimes in Nigeria, let us assume that it is actually the case and NCC rightfully desires to step in to curb this monstrous menace of cybercrime by urging cybercafé licensees and operators to keep an up-to-date database of their subscribers/users (that is, assuming the users, in the case of non-corporate bodies, submit their actual data and not fictitious data). What then becomes of this huge database of personal and sensitive information of individuals in the hands of cybercafé operators, since there are no data protection laws regulating the use of such data in Nigeria? How long will such data be kept? What remedies are available for any person whose personal information has been misused? The data, for instance phone numbers, could be sold or leaked to companies who could use it to send spam or unsolicited/unwanted text messages (adverts) to people. Someone’s identity could also be stolen and used by criminals; for example, the name, passport and phone number could be used to fabricate or produce a fake identity card that is left at a crime scene. The Police, on arrival at the crime scene, could pick up the identity card and arrest the person whose name, picture and address appear on the card and interrogate or, let’s say, torture (because at times that is what their interrogation is all about) the person. In the long run it may be discovered that the identity card was fabricated and the person whose details appear on the card was not actually at the crime scene; however, such person may have suffered bodily injuries (sometimes severe) from the torture by the Police.

These concerns and issues raised above could be addressed to a large extent with a data protection law. In recent times many subscribers of the GSM providers in Nigeria have been flooded with promotional or commercial messages. These messages are sometimes unwanted text messages, including commercial messages otherwise known as spam, which could be annoying and intrusive. In the United States, two laws – the Telephone Consumer Protection Act (TCPA) and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act – have been enacted to address spam. The TCPA and the Federal Communications Commission’s (FCC) rules ban many text messages sent to a mobile phone using an auto dialer (an auto dialer, according to Wikipedia, is an electronic device or software that automatically dials telephone numbers; once the call has been answered, the auto dialer either plays a recorded message or connects the call to a live person). These texts are banned unless (1) you previously gave consent to receive the message or (2) the message is sent for emergency purposes. In the UK, the Privacy and Electronic Communications Regulations 2003 cover the way organisations send direct marketing by electronic means, including by text message (SMS). Organisations cannot send you marketing text messages you didn’t agree to receive, unless: (a) the sender has obtained your details through a sale or negotiations for a sale; (b) the messages are about similar products or services offered by the sender; and (c) you were given an opportunity to refuse the texts when your details were collected and, if you did not refuse, you were given a simple way to opt out in all the text messages you received.

China too is not left out in the legislative efforts to curb spam and protect personal data. On October 25, 2013, the Chinese Congress passed an amendment to the People’s Republic of China Law on the Protection of Consumer Rights and Interests (the “Amendment”) to address growing problems related to the misuse of consumers’ personal information in contemporary China. The Amendment establishes strict rules on how business operators should collect and use personal information, and how offenders may be punished. The Amendment emphasizes that the personal information collected by a business operator and its staff must be kept strictly confidential. It also prohibits business operators from leaking, selling or illegally providing such information to others, and requires operators to adopt appropriate technical measures to safeguard the information. At the same time, business operators may not send commercial messages to a consumer unless the consumer has provided consent or requested the information.

Apart from the countries mentioned above, many other countries have a law or laws aimed at protecting personal information or data. In South Africa, the Protection of Personal Information Act has been passed by parliament and is awaiting assent by the President; and in Mauritius the Data Protection Act 2004 (the “MU DPA”) was enacted for the protection of the privacy rights of individuals in response to the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals. The MU DPA came into operation in February 2009. The Data Protection Office issued Data Protection Regulations in 2009; it is also responsible for ensuring compliance with the Data Protection Act and bringing enforcement actions.

Furthermore, in the UK they have the Data Protection Act, while in Mexico they have the Federal Data Protection Act. Also, in Japan they have the Personal Data Protection Act, while in Canada they have the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the United States they have a host of laws aimed at protecting personal information or data, some of which include the Right to Financial Privacy Act of 1978, which requires a subpoena or search warrant for law enforcement officials to obtain financial records; the Telephone Consumer Protection Act of 1991, which provides certain remedies from repeat telephone calls by telemarketers; and the Driver’s Privacy Protection Act of 1994, which restricts the states from disclosing or selling personal information in their motor vehicle records.

It would therefore be of great help if NCC (as a regulator with so much of our data) and other stakeholders could push for data protection laws as is the case in other countries mentioned above.

Moreover, it is even doubtful if this directive by the NCC would be of much assistance in investigating cybercrime cases as by merely maintaining a database of subscribers/users one cannot tell which user browsed the internet for a fraudulent purpose.