1.0 Introduction
Cybercrime laws have become essential tools for combating crimes in the digital age,
addressing issues such as hacking, identity theft, and the spread of malicious software.
However, when these laws are broadened to include offenses that merely involve
ICTs (information and communication technologies) as a medium rather than a
direct target, they risk becoming instruments of overreach, censorship, and
abuse. The recent case of Nigerian activist and lawyer Dele Farotimi, charged
under the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (As Amended) for
alleged bullying and harassment and disseminating false information for the
purpose of causing breakdown of law and order, through his online expressions,
underscores why these laws should be restricted to core cybercrimes.
This article examines the distinction between core cybercrimes and cyber-enabled
offenses, the risks posed by overbroad cybercrime laws, and the implications of
Farotimi's case for the future of digital rights and governance.
2.0 Understanding Core Cybercrimes
Core cybercrimes are offenses that inherently require ICT systems as both targets and tools. Without these technologies, these crimes would not exist. Spreading computer viruses, hacking a bank's servers to steal funds, or launching denial-of-service (DoS) attacks to disable websites are quintessential core cybercrimes. These activities are explicitly technological and could not occur without ICT systems. The Budapest Convention on Cybercrime, an international treaty regarded as the gold standard for defining cybercrimes, identifies five primary categories:
i. Illegal Access: Gaining unauthorized access to computer systems or networks.
ii. Illegal Interception: Eavesdropping on communications without permission.
iii. Data Interference: Altering, deleting, or damaging data without authorization.
iv. System Interference: Disrupting the functionality of computer systems or networks.
v. Misuse of Devices: Creating or distributing tools (like malware) intended for committing cybercrimes.
3.0 Cyber-Enabled Offenses: A Different Domain
In contrast, cyber-enabled offenses are traditional crimes carried out using ICTs
as a medium. Crimes like fraud, harassment, defamation, and even terrorism can
occur both online and offline. For example, using social media to harass
someone is a digital extension of harassment that does not require specialized
cybercrime laws to address. Similarly, spreading misinformation online is akin
to traditional defamation.
By conflating these offenses with core cybercrimes, many nations have crafted
overly broad cybercrime laws, making it easier for authorities to exploit them
for political or oppressive purposes. For example, in Turkey, provisions of its
cybercrime legislation have been used to suppress online dissent and silence
critics of the government under the guise of combating cyber-related threats.
4.0 Dele Farotimi: A Case in Point
Dele Farotimi faces a multiple-count charge under the Cybercrimes (Prohibition, Prevention,
etc.) Act 2015 (As Amended), for statements made during YouTube interviews and
press conferences about his book "Nigeria and its Criminal Justice
System." The charges stem from his criticisms of alleged corruption in the
judiciary and his commentary on specific legal cases. Notably, these charges
primarily invoke Section 24(a) and 24(1)(b) of the Cybercrimes Act, which deal
with cyberstalking and false information dissemination. The charges appear to
target his online statements rather than any activity that constitutes a core
cybercrime.
Farotimi's case demonstrates the dangers of conflating core cybercrimes with cyber-enabled
crimes and the problematic expansion of cybercrime laws beyond their legitimate
scope:
i. Nature of the Activity: Farotimi's actions - expressing opinions about the judiciary and sharing his
experiences - are traditional forms of speech that happen to use digital
platforms. They don't constitute inherently technological offenses.
ii. Platform vs. Crime: The only
"cyber" element in these charges is the use of YouTube as a
communication medium. The underlying activities (criticism, commentary,
allegations of corruption) are traditional forms of expression that predate the
internet.
5.0 Legal Discrepancy in Dele Farotimi's Cybercrime Charges
5.1. The Charges as Filed
5.1.1 Section 24(a) - Bullying and Harassing
Several charges allege that Farotimi's statements were made "with the intention of
bullying and harassing" named persons. These statements include: (i)
comments about legal proceedings, (ii) observations about judicial conduct in
specific cases, (iii) criticisms of alleged corruption in the justice system
and (iv) expressions of opinion about systemic issues in the legal or justice
system.
5.1.2 Section 24(1)(b) - False Information
Other charges claim his statements "contained false information for the purpose
of causing breakdown of law and order." The contested statements include:
(i) claims about corruption in the judiciary, (ii) discussions of specific
court cases and their handling, (iii) commentary on his personal experiences
within the legal system and (iv) analysis presented in his book "Nigeria
and its Criminal Justice System".
5.2. The Actual Law
Section 24(1): A person who knowingly or intentionally sends a message or other matter by means of Computer Systems or Network that-
(a) is pornographic; or
(b) he knows to be false, for the purpose of causing breakdown of law and order, posing a threat to life or causing such message to be sent: commits an offence under this Act and is liable on conviction to a fine of not more than N7,000,000.00 or imprisonment for a term of not more than 3 years or both.
(2) A person who knowingly or intentionally transmits or causes the transmission of any communication through a Computer System or Network-
(a) to bully, threaten or harass another person, where such communication places another person in fear of death, violence or bodily harm to another person;
(b) containing any threat to kidnap any person or any threat to harm the person of another, any demand or request for a ransom for the release of any kidnapped person, to extort from any person, firm, association or corporation, any money or other thing of value, or
(c) containing any threat to harm the property or reputation of the addressee or of another or the reputation of a deceased person or any threat to accuse the addressee or any other person of a crime, to extort from any person, firm, association, or corporation, any money or other thing of value, commits an offence under this Act and is liable on conviction-
(i) in the case of paragraphs (a) and (b) of this sub-section, to imprisonment for a term of 10 years or a minimum fine of N25,000,000.00 and
(ii) in the case of paragraph (c) of this subsection, to imprisonment for a term of 5 years or a minimum fine of N15,000,000.00.
5.3. Misapplication of Section 24(2)(a)
The charges cite "Section 24(a)" for harassment whereas under the Act,
there is no Section 24(a). The actual Section 24(1)(a) deals with pornography.
The relevant harassment provision is in Section 24(2)(a).
While there was indeed a technical error in citing "Section 24(a)" instead
of the correct Section 24(2)(a) for harassment, this error does not invalidate
the charge or warrant setting aside the conviction if Dele is convicted. This
is because established case law holds that when an offense known to law is
properly disclosed, the penalty is prescribed in existing law, and neither the
accused nor counsel were misled by the incorrect citation, the conviction should
stand absent any miscarriage of justice. See the case of ADONIKE v. STATE (2015) LPELR-24281(SC) Per John Inyang Okoro, JSC at Pp 20 - 21 Paras B – E.
Furthermore, Section 220 of the Administration of Criminal Justice Act, 2015 explicitly
provides that such errors in stating particulars are not material unless the
defendant was actually misled by the error.
Therefore, unless it can be demonstrated that Dele Farotimi was materially misled by
the incorrect section citation or suffered prejudice as a result, the technical
error in citing the wrong section number should not affect the validity of the
proceedings or the ultimate conviction.
6. The Risks of Overbroad Cybercrime Laws
Farotimi's case raises serious concerns about the intent and application of cybercrime
laws. By prosecuting Farotimi for his expressions, the Nigeria Police Force has
blurred the lines between protecting against cyber threats and stifling
dissent. This misuse of cybercrime laws sets a dangerous precedent, suggesting
that such laws can be weaponized against political opponents, activists, and
ordinary citizens.
The overreach of cybercrime laws has far-reaching consequences, both for
individuals and for society at large.
6.1. Suppression of Free Speech
Cybercrime laws with vague language can easily be used to target individuals exercising
their right to free expression. Farotimi's case is just one example of how
online speech can be criminalized under the guise of combating cybercrime. This
trend threatens to silence dissenting voices and erode democratic principles.
6.2. Overburdening Legal Systems
Overly broad cybercrime laws place significant pressure on already strained legal and
enforcement systems. When cybercrime laws expand to include offenses that are
not inherently technological—such as online defamation, harassment, or even
activism—it can lead to several systemic challenges:
6.2.1. Diverted Focus from Genuine Threats
Expanding the scope of cybercrime laws forces law enforcement agencies to handle a wide
range of cases, many of which do not require specialized cyber expertise. For
example, prosecuting an online comment as cyber harassment requires
investigative resources that could have been better directed toward identifying
and mitigating core cybercrimes like hacking, unauthorized debits from customer bank accounts or ransomware attacks. This
misallocation weakens the overall effectiveness of cybersecurity measures.
6.2.2. Complexity of Digital Investigations
Investigating cyber-related offenses requires significant expertise, advanced tools, and
collaboration with international entities. When law enforcement is forced to
deal with a high volume of cases, many of which may involve non-criminal online
behaviour, they risk becoming bogged down in cases that do not contribute to
cybersecurity. This inefficiency not only overburdens legal systems but also
reduces public trust in their ability to address critical digital threats.
6.2.3. Erosion of Trust Between Law Enforcement and the Public
When the Nigeria Police Force uses the Cybercrime Act to prosecute individuals for
online speech or activism, it creates an impression of the Police being complicit
in political suppression or subjugation. This perceived misuse of resources can
undermine public trust in the justice system and foster resentment against the
Police.
Here are some recent examples of cybercrime incidents in Nigeria that underscore the
importance of focusing cybercrime laws on core offenses:
Nigerian banks reported a series of fraud-related cybercrimes over the years, with
billions lost to hacking and phishing schemes. For instance, a 2022 report
detailed how N523 million was stolen from a single account through a
coordinated cyber-attack that funnelled money across hundreds of bank accounts.
In 2024, Hope Payment Service Bank reported a massive cyberattack resulting in a
loss of over ₦10 billion. The funds were transferred across multiple accounts, prompting an
investigation and court orders to freeze over 800 implicated accounts. This
highlights the need for law enforcement to prioritize complex cyber fraud cases
over less critical cyber-enabled offenses.
Similarly, Guaranty Trust Bank (GTBank) faced a significant security breach in August
2024, where its website was compromised by hackers. This incident raised fears
of customer data theft and caused major disruptions in online banking
operations.
In another case, a syndicate hacked into a bank's server to create fictitious
credits worth N1.87 billion. This demonstrates the advanced techniques used by
cybercriminals and the necessity of robust cybersecurity measures.
These examples show the increasing sophistication of core cybercrimes in Nigeria, and
why the Nigeria Police Force should focus its resources and expertise on
preventing, detecting, investigating and prosecuting such crimes under the
Cybercrimes Act instead of using the Act to prosecute online criticism or
defamation.
6.3. Chilling Effect on Digital Activity
The "chilling effect" refers to the discouragement of legitimate online
behaviour due to fear of legal repercussions. When cybercrime laws are overly
broad or ambiguously defined, they create uncertainty about what constitutes
criminal behaviour, leading to self-censorship and reduced participation in
digital spaces.
6.3.1. Impact on Free Expression
People may refrain from posting opinions, criticisms, or controversial content online,
fearing that their statements might be interpreted as cyber harassment,
defamation, or other offenses. In environments where authorities use cybercrime
laws to target dissent, individuals are less likely to engage in public
debates, reducing the vibrancy and diversity of digital discourse.
6.3.2. Stifling Activism and Advocacy
Activists and advocates who rely on digital platforms to organize campaigns, raise
awareness, or criticize policies are particularly vulnerable to chilling
effects. If they perceive a risk of prosecution under cybercrime laws, they may
avoid using these platforms, weakening their impact and ability to mobilize
support.
6.3.3. Hindering Journalism
Journalists such as Fisayo Soyombo often use digital tools to investigate and publish
stories on issues of public interest. However, the threat of cybercrime charges
for reporting on sensitive topics can lead to self-censorship. For example,
journalists may avoid exposing corruption or misconduct if they fear being
accused of spreading false information or defaming individuals under
the Cybercrimes Act.
6.3.4. Economic Consequences
The chilling effect can also impact businesses and entrepreneurs. Startups and
companies that depend on open digital communication may face challenges if
their employees or users are hesitant to engage freely online. This hesitation
can stifle growth, collaboration, and the sharing of ideas, ultimately
hindering economic progress in the digital space.
The combined effect of overburdening legal systems and creating a chilling effect
on digital activity is a weakened digital ecosystem. Legal systems are less
effective in addressing real cyber threats, while individuals and organizations
become less willing to engage in online activities that drive progress,
innovation, and civic engagement.
Therefore, restricting cybercrime laws to core offenses ensures that law enforcement can
focus on genuine cyber threats, while the public can participate freely in
digital spaces without fear of unwarranted prosecution. By refining these laws,
governments can strike a balance between maintaining cybersecurity and
protecting fundamental rights, preserving the integrity of the legal system and
the vibrancy of the digital age.
7. International Perspectives on Cybercrime Laws
The global debate over cybercrime laws highlights the importance of specificity and
restraint. The draft UN Cybercrime Convention has been criticized for its
overly broad scope. Advocacy groups like the Electronic Frontier Foundation
(EFF) and CIVICUS, a global alliance dedicated to strengthening civil society,
argue that the convention risks criminalizing acts that are not inherently
harmful, such as security research or whistleblowing.
In their critique, the organizations emphasize that cybercrime laws should focus
exclusively on core cybercrimes. Core cybercrimes comprise offenses in which
ICTs are the direct objects as well as instruments of the crimes; these crimes
could not exist at all without the ICT systems. A useful reference for the
types of crimes that are inherently ICT crimes can be found in Articles 2-6 of
the Budapest Convention: illegal access to computing systems, illegal
interception of communications, data interference, system interference, and
misuse of devices. Examples include spreading a computer virus in the wild; using a
password logger to steal someone else's password and access their email or
photos; breaking into the computer system of a bank to steal money; and using
malicious software to delete all the data on a former employer's systems.
8. Lessons for Nigeria and Beyond
Farotimi's case offers a crucial lesson for policymakers in Nigeria and other nations: the
need to align cybercrime laws with international best practices and democratic
values. This includes:
8.1. Restricting Cybercrime Laws to Core Offenses
Cybercrime laws should address crimes that directly target ICT systems, such as hacking,
malware distribution, and data breaches. Cyber-enabled offenses should be
handled under existing laws for fraud, harassment, or defamation.
8.2. Safeguarding Free Expression
Cybercrime laws should explicitly protect freedom of expression. Activists, journalists,
and ordinary citizens should not face legal repercussions for sharing opinions
or engaging in peaceful dissent online.
8.3. Building Capacity to Address Genuine Threats
Law enforcement agencies should focus on developing expertise to combat core
cybercrimes effectively. This includes training, resources, and partnerships
with international organizations.
9. Conclusion
The case against Dele Farotimi is a stark reminder of the dangers posed by overly
broad cybercrime laws. It highlights the need for policymakers to draw a clear
line between core cybercrimes and cyber-enabled offenses, focusing on crimes
that inherently involve ICT systems.
By refining cybercrime laws to be specific, narrow, and proportional, nations can uphold justice, protect freedoms, and create a safer digital environment. Farotimi's case should serve as a wake-up call, prompting governments worldwide to reconsider the scope and application of their cybercrime frameworks. In doing so, they can strike a balance between security and liberty, ensuring that the digital age remains a space for innovation, expression, and democratic engagement, and that cybercrime laws serve their intended purpose, i.e. enhancing cybersecurity, without compromising fundamental rights.
Timo Esq, this is commendable and worth reading. 👍
Thank you for the feedback
This is quite instructive and commendable