Niche Konsult Limited Section By Section Analysis Of Cyber Security And Information Protection Agency Bill 2008 Complete Versionv2

A section by section analysis of Nigeria's Cyber Security and Information Protection Agency Bill 2008

Page 1 of 34 © 2009 –Niche Konsult Limited. All Rights Reserved

NK/NASS/HR/DB/HB154/1

July 15, 2009

Honourable Rabe Nasir
Chairman, House Committee on Drugs, Narcotics and Financial Crimes
Rm. 3.11, New Wing
House of Representatives
National Assembly, 3 Arms Zone, Abuja

Dear Sir,

REVIEW OF DRAFT CYBER SECURITY AND INFORMATION PROTECTION AGENCY (ESTABLISHMENT, ETC) BILL 2008 – A SECTION-BY-SECTION ANALYSIS

EXECUTIVE SUMMARY

Niche Konsult Limited fully identifies with the aspirations that led the Chairman, House Committee on Drugs, Narcotics and Financial Crimes, the Deputy Chairman/sponsor of the Draft Cyber Security and Information Bill, Honourable Bassey Etim, and his colleagues in the three Joint Committees of the House of Representatives assigned the enviable job of fashioning out a cyber security enactment for Nigeria that will stand the test of time, to hold this public hearing. Niche Konsult Limited also appreciates the opportunity given its representative to make a brief presentation on the occasion of the holding of the public hearing on the above on July 8, 2009.
Niche Konsult Limited chooses to style itself Nigeria’s Information Technology Security Distributor and has partnership affiliations with several of the leading brands in the information technology security space, including but not limited to the following:

  • Absolute Software (developers of the world’s leading laptop tracking product) http://www.nichekonsult.com/Partners/AbsoluteSoftware/default.aspx
  • Acunetix (developers of the web application/website vulnerability assessment/management tool - Acunetix Web Vulnerability Scanner) http://www.nichekonsult.com/Partners/Acunetix/Default.aspx
  • Application Security Incorporated (the leading provider of database security solutions for the enterprise and the developers of DBProtect and AppDetectivePro) http://www.nichekonsult.com/Partners/ApplicationSecurityInc/Default.aspx
  • Alwil Software (developers of the popular antivirus software known as avast!) http://www.nichekonsult.com/Partners/Avast/default.aspx
  • BitDefender (a leading global provider of security solutions that satisfies the protection requirements of today’s computing environment) http://www.bitdefender.com
  • Core Security (developer of strategic security solutions for Fortune 1000 corporations, government agencies and military organizations) http://www.nichekonsult.com/Partners/CoreSecurity/Default.aspx
  • eEye (a leading developer of network security products and an active contributor to network security research and education. eEye offers several award-winning solutions including Enterprise Vulnerability Assessment and Remediation Management. eEye products protect the networks and digital assets of thousands of corporate and government entities in over forty countries) http://www.eeye.com
  • GFI (GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs) http://www.gfi.com
  • Kaspersky (develops, produces and distributes information security solutions that protect customers from IT threats and allow enterprises to manage risk.) http://www.nichekonsult.com/Partners/Kaspersky/Default.aspx
  • McAfee (Provides anti-virus, vulnerability assessment, intrusion prevention, and client security solutions) http://www.mcafee.com
  • N-Stalker (developers of the N-Stalker Web Application Security Scanner) http://www.nstalker.com
  • Panda (one of the world's leading creators and developers of technologies, products and services for keeping clients' IT resources free from viruses and other computer threats at the lowest possible Total Cost of Ownership) http://www.nichekonsult.com/Partners/Panda/Default.aspx
  • Symantec (Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries.) http://www.symantec.com

Niche Konsult Limited has been in the information technology security business since 2002. Between then and now, Niche Konsult Limited has consulted on Information Technology security matters for two electronic cards/payment service providers, two telecommunication service providers and six of Nigeria’s current 26 banks on Information Technology Security Solutions amongst several other clients in both the private sector and governmental circles.
Niche Konsult Limited and many of our clients and potential clients are affected by the provisions of this proposed bill, and so we have taken time to do as thorough a review of this bill as possible for the benefit of the Committee, our clients and prospects. Immediately below follows our section by section analysis of the merits and demerits of the bill accompanied by suggestions/recommendations for improvement.

SECTION-BY-SECTION ANALYSIS

1. (1) There is hereby established a body to be known as Cyber Security and Information Protection Agency (in this Bill referred to as “the Agency”) which shall have such functions as conferred on it by this bill.
(2) The Agency:
(a) shall be a body corporate with perpetual succession and a common seal;
(b) may sue and be sued in its corporate have and may, for the purpose of its functions, acquire, hold or dispose of property;

COMMENTS

Our comprehensive study of the bill seems to indicate that there are no provisions on “Information Protection” as suggested by the title of this Bill. We consider this a very significant omission/anomaly. For the purposes of the Committee, we wish to reproduce below the following text entitled “The Data Protection Principles” obtained from Schedule 1 to the UK Data Protection Act of 1998:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

We had wanted to comment extensively in our paper on the Data Protection Provisions of the Bill, but have been forced to hold back. However, we think that it would be an anomaly in fact and law for the proposed agency to be prosecutor/investigator of cybercrimes and regulator of the country’s cyber security space on the one hand and privacy/information/data protection watchdog on the other hand at the same time.
It is therefore suggested that either a new Data Protection Agency modelled after that in the UK be established, or the Act establishing the Consumer Protection Council be amended to accommodate the functions currently being carried out by the Information Commissioner in Great Britain. We are of the considered opinion that the second option would be the preferred option since it will permit and/or extend the powers of the Consumer Protection Council to cover breaches involving personally identifiable information (PII), a rampant form of consumer abuse, and extend its turf to consumer protection matters in today’s world of the internet and pervasive telecommunications networks, which developments the CPC Act of 1992 did not envisage nor prepare for, and thus match what obtains in the United States of America in which the Federal Trade Commission (FTC) plays similar roles.

We wish the Committee to note that breaches of data protection laws are also considered to be violations of human rights in several countries including Austria, Canada, Denmark, France, Germany, Luxembourg, Norway, Sweden, the United Kingdom and the United States and should also be so in Nigeria. It is our wish that the Committee will recommend to the House that it adopts the attitude of the American Congress which enacted several “Special Statutes” to expand the responsibilities of the FTC with respect to Data Protection. If the House so wishes, it can maintain the current name of the CPC or change its name to Information and Consumer Protection Council (ICPC) or Information and Consumer Protection Agency (ICPA). (Please see attached some documents we sent to the CPC on these matters in February 2005.)
Until Data Protection provisions are included in our laws, it will not be possible for the House of Representatives to give legal teeth and effect to Section 37 of the 1999 Constitution of Nigeria which states “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

We recommend that the Committee visits the following links for more general information on Data Protection Laws and the role(s) played by the Information Commissioner who heads the UK Data Protection Agency:

  • http://www.out-law.com/page-10137 which deals with data protection watchdogs urging the European Commission to make sure that outsourcing providers who process personal data are bound by consistent rules irrespective of whether they are based inside or outside the EU
  • http://www.out-law.com/page-10116 which deals with the breaking of the Data Protection Act by the Manchester City Council when it failed to encrypt laptop computers containing data on nearly two thousand workers. The local authority has promised to ensure all mobile computers are encrypted.
  • http://www.timesonline.co.uk/tol/news/uk/crime/article6373645.ece which discusses the court case involving Ian Kerr who maintained a construction worker blacklist database but failed to comply with the Data Protection Act which requires that unless very simple processing is done, all organizations handling personally identifiable information (PII) must be registered with the Agency
  • http://www.independent.co.uk/news/uk/politics/nhs-loses-thousands-of-medical-records-1690398.html The UK Information Commissioner’s hard knocks on the National Health Service which has been involved in some 140 data security breaches in the last four months.
  • http://www.out-law.com/page-9965 The UK Information Commissioner comments on complaints and enquiries on Google’s Street View service
  • http://www.theregister.co.uk/2009/04/20/british_council_data_loss/ The UK Information Commissioner's Office comments on the loss of an unencrypted disk containing personally identifiable information on over 2,000 members of staff

In closing our comments on data protection, we would like to call the attention of the Committee to the distinction between a Data Protection Act and a Cyber Crime Act such as the proposed Bill. Lord Hobhouse of Woodborough observed in Regina v Bow Street Metropolitan Stipendiary Magistrate and Another, ex parte Government of the United States of America 2002 2 AC 216: “As Astill J. said in Bignell's Case [1998] 1 Cr.App.R. 1, 12b, the Act of 1990 was enacted to criminalise the 'hacking' of computer systems and the Data Protection Act 1984 was enacted to criminalise improper use of data.” We look forward to an opportunity to perform/conduct a Section-by-Section analysis on the Data Protection Bill as well.

In respect of the controversy that arose at the public hearing on the utility of creating a new cyber security agency, I wish to draw the attention of the Committee to the following internet links which discuss the establishment of a similar agency in the UK and France:

  • http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html
  • http://www.ecommerce-journal.com/news/16770_france_launches_a_new_agency_to_strike_cyber_attacks
  • http://www.ssi.gouv.fr/IMG/pdf/ANSSI_PRESS_RELEASE.pdf
  • http://news.cnet.com/8301-1009_3-10272925-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
  • http://www.scmagazineuk.com/UK-cyber-security-strategy-launched/article/139033/
  • http://www.theregister.co.uk/2009/06/25/uk_cyber_security_strategy/

2. (1) The Agency shall consist of:
(a) the Chairman of the agency shall be the National Security Adviser;
(b) Executive Vice chairman to be appointed by the president, who shall be:
(i) a retired or serving member in any security agency of the Federation not below the rank of deputy commissioner of police or it’s equivalent, with cybersecurity experience
(ii) a lawyer with not less than 10 years post call experience, who must be an expert in cybersecurity
(iii) responsible for the day to day running of their affairs of the Agency.
(c) a representative each of the following Federal Ministries.
(i) commerce, industry;
(ii) science and technology;
(iii) justice;
(d) The Executive Vice Chairman and members of the Agency, other than ex-officio shall each hold office for a period of four years and may be re-appointed for one further term.
(e) a representative each from the following organizations:
(i) the department of state security services;
(ii) the Nigerian police force;
(iii) the Nigeria communications commission;
(iv) the Nigeria Security & civil Defence Corps and
(2) Four persons whom:
(a) two must be experts in telecommunication with not less than 10 years experience
(b) two computer scientists with specialization in cyber crime with not less than 10 years experience
(3) The Executive Vice Chairman and four other members of the agency shall be appointed by the president subject to confirmation by the senate.
(4) The Executive Vice Chairman appointed pursuant to sub-section (1) of this section shall be the chief executive of the agency and shall be responsible for the day to day running of its affairs.

COMMENTS

Page 1, Line 7 – missing word after corporate “name”, then a comma after name

Page 1, Line 9 – should read “The Agency shall consist of the following”

Page 1, Line 10 – should read “the Chairman of the Agency who shall be the National Security Adviser”

Page 1, Line 14 – which did the draftsman mean “its” or “it’s” – these two words are commonly confused

Page 1, Lines 11 – 18 – What is the rationale for limiting the Office of the Executive Vice Chairman to a “retired or serving member in any security agency of the Federation”? And how do we define the phrase “with cyber security experience”? And how do we measure such experience? If this becomes law as passed, then a large pool of talent has been automatically disenfranchised from this position.
That the head should be a lawyer just makes sense given the fact that this is not just about technology but how technology meets the law and vice versa; there is no objection to lines 16 and 17 as they stand. The Committee is well advised to conduct an audit of all “retired or serving members in any security agency of the Federation not below the rank of deputy commissioner of police or its equivalent” in order to find how many of them currently have “cyber security experience” to be assured that there will always be a pool of them to draw from.

Page 1, Line 15 – It is important to decide which is preferred “cybersecurity” as one word or “cyber security” as two words. Please see also Page 1, Line 1

Page 2, Line 5 – the word “members” is missing after ex-officio

Page 2, Line 15 – It is important to decide which is preferred “cybercrime” as one word or “cyber security” as two words

Page 2, Line 19 – replace underscore between “sub_section” with “sub-section”

3. (1) A member of the agency may at any time resign his office in writing addressed to the president and may be removed from office because of:
(a) infirmity of mind or body;
(b) permanent incapacity; or
(c) any other reason subject to confirmation by the senate.
(2) Members of the agency shall be paid such allowances as may be determined by the salary and wages Commission.

COMMENTS

None

4. The Agency shall be responsible for the:
(a) enforcement of the provision of this bill
(b) investigation of all cyber crimes
(c) adoption of measures to eradicate the commission of the cyber crimes;
(d) examination of all reported cases of cyber crimes with the views to identifying individuals, corporate organization involve in the commission of the crime;
(e) registration and regulations of service providers in Nigeria with the views to monitor their activities; organizing and undertaking campaigns and other forms of activities as will lead to increased public awareness on the nature and forms of cyber crimes; and
(g) maintaining a liaison with the office of the Attorney General of the Federation, and inspector General of police on the arrest and subsequent prosecution of the offenders.

COMMENTS
Page 2, Line 31 – should read “enforcement of the provisions of this Bill”

Page 3, Line 2 – should read “…to eradicate the commission of cyber crimes”

Page 3, Lines 3 – 5 – How does the House of Representatives purport to handle the conflict between the powers given to the EFCC first under the Advance Fee Fraud and other Related Offences Act No 13 of 1995 (now repealed), and the Advance Fee Fraud and other related Offences (Amendment) Act 2005 (now repealed) and now the Advance Fee Fraud and Other Related Fraud Offences Act 2006 which has placed certain obligations on banks and other financial and designated non financial institutions, telecommunications companies, internet service providers, cybercafé operators, property owners, transporters, etc and which provisions are enforced by the EFCC?

Page 3, Lines 3 – 5 – In line 3 mention is made of “cyber crimes” and in line 5 “the crime”. It is suggested that lines 3 to 5 should read “examination of all reported cases of cybercrimes with a view to identifying individuals, corporate organizations (and not organization) involved (and not involve) in the commission of the crimes (and not crime)”

Page 3, Lines 6 – 9 – The House of Representatives may wish to remember that the Advance Fee Fraud and Other Related Fraud Offences Act 2006 also gave the EFCC the power to register internet service providers and cybercafés. Pursuant to the powers granted the EFCC under that Act, the EFCC held a series of meetings with stakeholders, including the Internet Service Providers Association of Nigeria (ISPAN), Association of Cybercafé and Telecentre Operators of Nigeria (ACTONigeria), Private Telecoms Operators (PTOs) and Global System for Mobile Communication (GSM) operators. Following such meetings a number of resolutions were agreed for immediate implementation:

1. All Internet Service Providers (ISPs), and cybercafé operators providing services in Nigeria must be registered with the Corporate Affairs Commission (CAC), Nigerian Communications Commission (NCC) and EFCC;
2. All upstream Internet Service Providers rendering services to Internet Service Providers and Cybercafés in Nigeria, must be physically located and be registered and licensed as Internet Services Providers (ISPs) above;
3. All users of Internet services must migrate to Internet Service Providers registered with EFCC and licensed by NCC
4. Registration with EFCC shall be online at www.efccnigeria.org/operators within the periods stated below:
Internet Service Providers: July 25 – September 7, 2006
Cybercafé Operators: September 8 – November 24, 2006

Source: Daily Trust, Tuesday, July 25, 2006 page 32

Bearing in mind the above and the interpretation of “service provider” in Section 38 of this bill (page 19 lines 4 to 7), virtually any organization that provides internet access is required to register. It seems to the undersigned that this provision is unnecessary as it should not be a requirement and indeed is not required for this law to have effect or take effect. To that extent, we think that the first two words of line 6, page 3 should be expunged.

Page 3, Lines 6 – 9 – the word “regulations” should be replaced with “regulation”

Page 3, Line 11 – “Inspector” should replace “inspector”
Page 3, Line 10 – 12 – It is suggested that the list should be expanded to read: “Maintaining a liaison with the Office of the Attorney General of the Federation, the Inspector General of Police and the Executive Chairman of the Economic and Financial Crimes Commission on the arrest and subsequent prosecution of the offenders.” The rationale for this suggestion is that until this Bill is passed into law, the EFCC has been acknowledged as the premier cybercrime fighting agency and will remain so until this Bill makes the proposed “Cyber Security and Information Protection Agency” upstage it. So this suggestion just makes sense for purposes of continuity.

Finally, it is suggested that a new sub-section 4(h) be included giving the proposed agency powers to oversee cyber security across the government in the manner and fashion proposed by President Obama in relation to his proposed Cyber Security Coordinator for the White House.

5. (1) In execution of its functions and powers under this Bill, the Agency may appoint:
(a) persons or second officers from government security or law enforcement agencies; and
(b) specialist in the area of communication, science and technology, law, which will assist the agency in the performance of its functions.
(2) The agency may, make staff regulations relating generally to the conditions of service of the employees, and such regulations may provide for:
(a) the appointment, promotion and disciplinary control; and
(b) appeals by such employees against any disciplinary measures taken against them, shall be regulated by the provision of the civil services rules, until such regulations are made.
(3) Service in the agency shall be public service for the purposes of pension Act.

COMMENTS

Page 3, Line 17 – specialists should replace specialist; telecommunications should replace communication

Page 3, Line 26 – Pension should replace pension

6. The Agency shall maintain a fund which shall consist of:
(a) money to be received from the federal government for the purposes of take off;
(b) proceeds from all activities, services and operations of the Agency.
(c) grants, gifts and donations made to the Agency.
(d) such other sums as may accrue to the Agency.

COMMENTS
None

7. (1) Any person who without authority or in excess of his authority accesses any computer for the purpose of:
(a) securing access to any program; or
(b) data held in that computer; or
(c) committing any act which constitute an offence under any law for time being in force in Nigeria, commits an offence and shall be liable on conviction:
(i) in the case of offence in paragraph (a) of this subsection, to a fine of not less than N10,000 or imprisonment for a term of not less than 6 months or to both such fine and imprisonment.
(ii) For the offence in paragraph (b), to a fine of not less N100, 000 or a term of not less than 1 year or to both such fine and imprisonment.
(2) Where damage or loss is caused to any computer as a result of the commission of an offence under subsection (1) of this section, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.
(3) In pronouncing sentence under this section, the court shall have regard to the extent of damage or loss occasioned by the unlawful act.

COMMENTS

Page 4, lines 2 – 19 – Section 7 creates the offences of “access without authority” or access “in excess of his authority.” It is suggested that a new offence be created and made Section 7(3), and that the present Section 7(3) become Section 7(4).
The proposed new offence is “access with authority for an unauthorised purpose.” To illustrate, imagine a Policeman using his access to police computers to obtain information on a guy who took over his girlfriend, or imagine an officer attached to the Federal Inland Revenue Service using his ”access with authority” to snoop on tax files of politically exposed personalities or of other public figures or a civil servant with access with access to personally identifiable information at the National Identity Management Commission/National Pension Commission misusing his/her “access with authority” in a similar manner. It is submitted that Section 7 as currently constituted does not provide for such a possibility. The House of Representatives is well advised to study the startling ruling in DPP v Bignell (1998) 1 Cr App R 1 and the public hue and cry that followed that ruling since it affects the issue raised above. To quote the summary of that case provided by David I Bainbridge in his book “Introduction to Computer Law” published by Longman in 2000 on pages 312 -313: “Two police officers had used the police national computer to gain access to details of motor cars which they had wanted for private purposes unconnected with their duties as police officers. They were charged with the unauthorised access to computer material offence
under Section 1 of the Computer Misuse Act 1990… From the reported facts of the case, it would seem beyond doubt that the accused police officers had consciously and deliberately misbehaved … by using the police national computer to gain access to information to be used for their own private purposes.” (Italics Ours)

This is very important because insiders have time and again been proved to be the greatest security threat an organization can face. In the alternative, an entirely new Section should be created for the offence of “access with authority for an unauthorised purpose.”

Page 4, line 6 – constitutes should replace constitute

Page 4, line 10 – did the draftsman mean M10, 000.00 or 10,000 Naira?

Page 4, line 14 – Since the value of a computer is not so much in the hardware but in the software and data resident therein, it is suggested that the words “or its contents” be inserted immediately after computer

8. (1) Any person who, knowingly and without authority or in excess of authority, disclose any: (a) password; (b) access code; or (c) any other means of gaining access to any program data or database held in any computer for any unlawful purpose or gain, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or to imprisonment for a term of not less than 3 years or to both such find and imprisonment, and in the case of a second or subsequent conviction, to a fine not exceeding N1,000,000 or to imprisonment for a term of not less than 5 years or both such fine and imprisonment.

(2) Where the offence under subsection (1) results in damage or loss, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5years or both such fine and imprisonment.
(3) Any person who with intent to commit any offence under this Act uses any automated means or device or any computer program or software to: (a) retrieve; (b) collect; and (c) store password, access code; or any means of gaining access to any program, date or database held in any computer, commits an offence and shall be liable on conviction to a fine of N1, 000,000 or to imprisonment for a term of 5 years or to both such fine and imprisonment.

COMMENTS
Page 4, line 21 – discloses should replace disclose

Page 4, line 24 – “any other means of gaining access to any program data or database” should instead read “any other means of gaining access to any program, data, or database”

9. (1) Any person who with intent to defraud send electronic mail message to a recipient, where such electronic mail message materially misrepresents any fact or set of facts upon which reliance the recipient or another person is caused to suffer any damage or loss, commits an offence and shall be liable on conviction to a fine of not less than 5 years or to both such fine and imprisonments.

(2) It shall not operate as a defense for any person charged with an offence under subsection (1) of this section to claim that: (a) he could not have carried out his intended act; or (b) it is impossible to execute the ultimate purpose of his intention; or (c) the object of his deceit is non-existent.

(3) Any person spamming electronic mail messages to receipts with whom he has no previous commercial or transactional relationship commits an offence and shall be liable on conviction to a fine not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

(4) Any person who with intent to commit any offence under this Bill; (a) uses any automated means, device; or (b) any computer program, software; to collect or store electronic mail addresses from any sources whatsoever, commits an offence and shall be liable on conviction to a fine not less than N1,000,000 or to imprisonment for a term not below 5 years or both such fine and imprisonment.

COMMENTS

Page 5, Lines 12 – 31 – Does the wording of Section 9 (1) as presently constituted cover the unsolicited delivery of advertisements via mobile text messages, e-mail, fax and automatic dialling systems or just emails?
Especially when read with the definition of the word “Spamming” as contained in Section 38 under Interpretation (page 19, lines 10 – 11).

The use of the words “materially misrepresents any fact or set of facts” is very limiting because an email may not materially misrepresent any fact or sets of facts and yet be spam although not fraudulent. It is suggested that Section 9 be re-drafted to cover both fraudulent and non-fraudulent spam, and to extend to unsolicited communication irrespective of channel such as text messages, email, fax, and automatic dialling systems. This is the position adopted by the Amendment 40 to the Communications Law of Israel.

To illustrate that it is necessary to expand the definition of spam, between the date of the public hearing and date, the undersigned has received 12 messages with identical content from a very well-known beer brand in Nigeria
celebrating its 60th anniversary and inviting him to answer 3 questions correctly to win a chance to be a part of the celebration.

Finally, the Bill as presently worded does not make blackmail via email a crime; the Committee would do well to look into this matter with a view to including it in the proposed legislation.

Section 9 (3) is unduly restrictive. This is the case because it is not just Advance Fee Fraud Practitioners that need to reach out to potential targets through the medium of electronic mail messages, even legitimate advertisers often have course. The House of Representatives may wish to take a cue from the “Amendment 40 to the Communications Law of Israel” which permits an advertiser to contact a business recipient just once per recipient with the question whether they agree to receive advertisements from that advertiser. The law also permits an advertiser to send advertisements to the recipient even if they were not explicitly solicited, in cases when prior business relations have existed between the advertiser and the recipient and the recipient is the one who provided his/her mailing/messaging details to the advertiser. But even then – as well as for any case where the recipient has given consent to receiving advertisements – the recipient still has the right, under the law, to inform the advertiser of his refusal to receive any more advertisements. Such refusal notice will cancel the validity of the previous consent.

For more information, the committee may wish to refer to http://www.moc.gov.il/sip_storage/FILES/5/1545.pdf

The Israeli law also requires advertisers to include in a commercial message the word "advertisement" and the advertiser's name, address and contact information, including an email address that recipients may use to opt out.
The Israeli law enforces the prior consent requirement, which may be in writing or a recorded call, to receive electronic mail messages.

The modifications suggested above are required for the law to balance the need to protect citizens against the requirements of legitimate business concerns to advertise.

10. (1) Any person who, with the intent to commit an offence, uses any computer program or software to deliberately block being traced or avoid detection, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such find and imprisonment.

(2) Any person who knowingly accesses any computer and inputs, alters, deletes or suppresses any data resulting in unauthentic data with the intention that such inauthentic data be considered or acted upon as if it were authentic or genuine, whether or not such data is readable or intelligible, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.

(3) Any person who knowingly and without right causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer for the purpose of
conferring any benefits whether for himself or another person, commits an offence and shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.

COMMENTS

Page 6, Lines 1 – 2 – The side note accompanying these lines is most deceptive. It is submitted that it should be renamed/replaced with “Illegitimate/ Illegal use of proxies.”

Page 6, Lines 6, 7 – The side note that is currently situated at Lines 1 and 2 should be moved to Lines 6 and 7.

Page 6, Lines 6 – 12 – The House of Representatives may wish to note that David I Bainbridge in the Fourth Edition of his book “Introduction to Computer Law” observed “The phrase ‘computer fraud’ is used to describe stealing money or property by means of a computer; that is, using a computer to obtain dishonestly, property (including money and cheques) or credit or services or to evade dishonestly some debt or liability.”

In the light of the above description, it is obvious that there is an overlap between the Offences which can be committed under the Advance Fee Fraud and Other Fraud Related Offences Act 2006. In other words, what happens if the offence of obtaining property by false pretence is committed using the computer? The question then arises: ‘Which agency investigates’? Which agency prosecutes? Is it the Economic and Financial Crimes Commission? Or the proposed “Cyber Security and Information Protection Agency”? Or both? If both, which agency will act as the lead? This is an area of potential conflict and unwarranted and wasteful duplication of resources which the House of Representatives may wish to address.
In doing so, we recommend studying the provisions of the following UK Acts and cases:

• The Theft Act
• Finance Act 1972
• DPP v Ray (1974) AC 370
• Davies v Flackett (1973) RTR 8
• R v Preddy (1996) AC 815
• Criminal Law Act 1977
• Criminal Attempts Act 1981
• Scott v Metropolitan Police Commissioner (1975) AC 819
• R v Lloyd (1985) 2 All ER 661
• R v Ghosh (1982) QB 1053
• Chan Man-sin v Attorney-General for Hong Kong (1988) 1 All ER 1
• R v Morris (1984) AC 320
• Lawrence v Metropolitan Police Commissioner (1972) AC 626
• R v Mavji (1987) 2 All ER 758
• Computer Misuse Act 1990
• and the equivalent Nigerian Acts

11. (1) Any person who without authority or in excess of authority interferes with any computer network in such a manner as to cause any data or program or software held in any computer within the network to be modified, damaged, suppressed, destroyed, deteriorated or otherwise rendered ineffective, commits an offence and shall be liable on
conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Line 22 – It is suggested that the word “Deteriorated” is out of place and should be deleted, while the word “ineffective” should be replaced with “unusable”.

12. Any person who unlawfully produces, adapts or procures for use, distributes, offers for sale, possesses or uses any devices, including a computer program or a component or performs any of those acts relating to a password, access code or any other similar kind of data, which is designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill, commits an offence and is liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.

COMMENTS

Page 6, Lines 26 – 31, Page 7, lines 1 – 2 – It is submitted that the House of Representatives should re-consider the text of Section 12 with a view to making a very clear distinction between things that can be used to overcome security measures but which have legitimate uses and things specifically designed to overcome security measures.
The following cases are quite instructive in that regard: Amstrad Consumer Electronics PLC v the British Phonograph Industry Limited (1986) FSR 159, CBS Songs Limited v Amstrad Consumer Electronics PLC (1988) 2 WLR 1191.

To illustrate practically what is meant by the above, Niche Konsult Limited conducts penetration testing as well as offers for sale software and hardware capable of being used to violate some provisions of this Bill, but such software was not “designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill.” On the other hand, the same software/hardware is being legitimately employed by transportation, healthcare, financial institutions, information technology security consultants, payment processors, telecommunication firms, large enterprises, state governments, educational institutions, military academies within and outside Nigeria to conduct comprehensive penetration testing across their infrastructure and applications.

One such solution goes by the name Core Impact Pro and can be used to perform penetration testing* which tells organizations using it:

• what an attacker can definitely do to their network
• by exploiting identified vulnerabilities, just as a hacker would
• leaving little doubt as to what a hacker can do or cannot do and thus eliminating the guesswork involved in protecting their network by providing them with the information they need to effectively prioritize their vulnerabilities.

* Penetration testing is a localized, time-constrained, and authorized attempt to breach the security of a system using attacker techniques. During a penetration test, organizations actually try to replicate in a controlled manner, the kinds of access an intruder or worm could achieve. With a penetration test, network managers can identify what resources are exposed and determine if their current security investments are detecting and preventing attacks.
13. Any person who without authority or in excess of authority intentionally interferes with access to any computer or network so as prevent any: (a) part of the computer from functioning; or (b) denying or partially denying any legitimate user of any service of such computer or network; commits an offence and shall be liable on conviction to a fine of not less than N2,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.

COMMENTS

Page 7, lines 3 – 9 – It is suggested that there be a new Head Note, to be called “Denial of Service/Distributed Denial of Service Attack(s)”

Page 7, line 5 – It is suggested that the words “or network” be inserted immediately after computer

14. Any person who with the intent to deceive or defraud, accesses any computer or network and uses or assumes the identity of another person, commits an offence and shall be liable on conviction to a fine of not less than N500, 000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 7, Lines 10 – 14 – The House of Representatives may wish to compare and contrast the wordings of Section 14 of this Bill with the wordings of Section 202 of the Norwegian Criminal Law (2008 – 2009) which when translated states:

“With a fine or imprisonment not exceeding 2 years shall whoever be punished, that without authority possesses of a means of identity of another, or acts with the identity of another or with an identity that easily may be confused with the identity of another person with the intent of (a) procuring an economic benefit for oneself or for another, or (b) causing a loss of property or inconvenience to another person.”

Source: http://www.cybercrimelaw.net

15. (1) Every service provider shall keep all traffic, subscriber information or any specific content on its computer or network for such period of time as the Agency may require.
(2) Every service provider shall, at the request of any law enforcement agency: (a) provide the law enforcement agency with any traffic of subscriber information required to be kept under subsection (1) of this section; or (b) preserve, hold or retain any related content.

(3) Any law enforcement agency may with warrant issued by a court of competent jurisdiction, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply.
(4) Any data retained, processed or retrieved by the service provider for the law enforcement agency under this Bill, shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction.

(5) A person exercising any function under this section shall have due regard to the individual right to privacy under the constitution of the Federal Republic of Nigeria 1999 and shall take appropriate technological and organizational measure to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.

(6) A person or service provider, body corporate who willfully contravenes the provisions of this section commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term not less than 3 years or both fine and imprisonment.

COMMENTS

Page 7, Lines 15 – 17 – There should be a side note “Records Retention for law enforcement”. This also raises the question “who bears the cost?” The service provider or the government? This issue is very important because given the cost of the devices required to fulfil the requirements of this section, small players may be edged out of business. Neither does it make sense in a time of economic gloom such as this to pass on such costs to the end-user.

It is also suggested that the words “for such period of time as the Agency may require” be replaced by the words “for two years.” This will be in line with a Directive issued by the European Union on data retention which although not binding on Nigeria is evidence of best practice. That Directive requires retaining such records for a minimum of six months and a maximum of two years.
Page 7, Line 19 – The words “and backed with a warrant issued by a court of competent jurisdiction which shall be issued when there is compelling evidence that a crime is imminent” should be introduced immediately after agency. This is required for uniformity of Section 15 (2) (a) with Section 15 (2) (b). This is required to keep with international best practice.

The House of Representatives may wish to recall the hue and cry over the high-handedness of the EFCC in the recent past, which was made possible by provisions such as the one below, contained in the Advance Fee Fraud and Other Offences Act 2006 under the duties of telecommunications and internet service providers and internet cafes:

“Any person whose normal course of business involves the provision of non-fixed line or Global System of Mobile Communications (GSM) or is in the management of any such services, shall submit on demand to the Commission such data and information as are necessary or expedient for giving full effect to the performance of the functions of the Commission under this Act.”

Inserting the above will provide for much needed checks and balances on the power of the Executive as represented by the proposed agency. The House of Representatives may also wish to consider amending the above provision in the Advance Fee Fraud and Other Offences Act 2006 as well, to allow for checks on the power of the agency by the judicial arm of the government.

Page 7, Line 22 – It is suggested that the words “preserve, hold or retain any related content” be expunged from this bill. What this means in practice is that service providers would be required to keep a copy of every email sent/received, every instant message, every text message, every call made, every web page viewed to mention but a few. Of course, it is not in doubt that service providers already have this information. However,
rather than giving such retention legitimacy, it is recommended that the Committee should consider this an opportunity to enact an electronic communications/email archival legislation which always places the obligation of such archival on the organization sending or receiving the email and not on the service provider, and limit the service provider to retaining only traffic and subscriber information. This will distribute the cost of such data retention much more evenly and reduce the likelihood of the general public thinking that Nigeria’s government is desirous of creating a police state.

The Committee would also like to note that the UK Communications Bill currently under consideration which proposes to amend the UK Regulation of Investigatory Powers Act (RIPA) does not propose the retention of content by service providers. It is suggested that the Committee should expunge this provision. Please see

http://www.examiner.ie/ireland/retention-period-for-phone-data-to-be-cut-96213.html
http://www.siliconrepublic.com/news/article/13407/government/irish-govt-to-retain-all-web-text-and-phone-data-for-two-years
http://www.examiner.ie/ireland/watchdog-concern-at-revenue-data-access-96329.html
http://www.scmagazineuk.com/Government-lines-up-central-database-of-phone-and-internet-records/article/110337/
http://news.bbc.co.uk/2/hi/technology/7410885.stm

The Committee might also like to make very clear what it means by traffic information. The UK Communications Bill and Data Retention Directive help here because they define traffic information to include the initiator of the communication, the recipient of the information, the time of the communication, the duration of the communication, the location of the initiator and the recipient, the type of communication.

Page 7, Line 27 – 30 – It is suggested that the wordings of Section 15 (4) be revisited.
In particular the words “…shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction.”

Page 7, Line 31 – The words “or organization” should be inserted immediately after “person”

Page 8, Line 5 – No such word as “willfully”, but there is a word “wilfully”

16. (1) A person who intentionally, without authority or in excess of authority intercepts any communication originated, terminated or directed from, at or to any equipment, facilities or services in Nigeria, commits an offence and shall be liable on conviction to; (a) a fine of not less than N500, 000; (b) imprisonment for a term of not less than 10 years; or (c) both such fine and imprisonment.
(2) Notwithstanding the provision of subsection (1) of this section, any service provider, its employee or duly authorized agent may, in the normal course of work, carryout the activity mentioned in section 16 of this Bill.

COMMENTS

None

17. Every service provider shall ensure that any of its equipment, facilities or services that provides a communication is capable of: (a) enabling a law enforcement agency to intercept all communications on its network for the purpose of investigation and prosecution; (b) accessing call data or traffic record; (c) delivering intercepted communications and call data or traffic record in such a format that they may be transmitted by means of equipment, facility or service procured by any law enforcement agency to a location other than the premises of the service provider; and (d) facilitating authorized communications interceptions and access to call data or traffic records unobtrusively with minimum interference with any subscriber’s communication service and in a manner that protects: (i) the privacy and security of communications and call data or traffic records not authorized to be intercepted. (ii) information regarding the interception.

(2) A service provider who contravenes the provision of subsection (1) of this section, commits an offence and shall be liable on conviction, in case of; (a) service provider, a fine of not less than N100, 000; and (b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

We appreciate the need to ensure that the equipment deployed by service providers has on-going intercept capabilities, as well as the obligations placed on service providers to enable/facilitate lawful interception and to deliver intercepted communications in the course of a lawful investigation.
The provisions of Section 17 as presently constituted and Section 17(d)(i) and Section 17(d)(ii) notwithstanding, it is sad that the House of Representatives is giving the proposed agency what may be likened to a blank cheque. We are not against lawful interception, but we strongly urge the insertion of the following: “such interception to be carried out by the Agency shall be lawful if accompanied by a warrant issued by a judge of a Federal or State High Court.”

Please compare with the UK Regulation of Investigatory Powers Act 2000, Section 2 Interception of Communications Act 1985, Malone v United Kingdom (1984) 7 EHRR 14.
Please see evidence of misuse of such provisions as the above in the UK; the Committee may wish to ensure that the bill does not make this a possibility in Nigeria:

http://news.bbc.co.uk/1/hi/england/dorset/7341179.stm
http://www.theregister.co.uk/2008/04/11/poole_council_ripa/
http://news.bbc.co.uk/1/hi/england/dorset/7343445.stm
http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html
http://www.out-law.com/page-9956
http://www.vnunet.com/computing/news/2240543/government-announces-review
http://nds.coi.gov.uk/Content/Detail.asp?ReleaseID=398807&NewsAreaID=2

The Committee may wish to compare and contrast the provisions of this Section with the provisions of Sections 165 – 176 of the Evidence Act dealing with Official and Privileged Communications to ensure that there is no conflict.

18. (1) It shall be the duty of every service provider at the request of any law enforcement agency or at the initiative of the service provider, to provide assistance towards the: (a) identification, arrest and prosecution of offenders; or (b) identification, tracing and confiscation of proceeds or any offence or any property, equipment or device used in the commission of any offence; or (c) freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence or hide, preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence.

(2) Any service provider who contravenes the provisions of subsection (1) of this section, commits an offence and shall be liable on conviction, in the case of (a) service provider, a fine of not less than N5, 000, 00; and (b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS

Page 9, Line 13 – “of” should replace “or”

19.
(1) Any person who on the internet, intentionally takes or makes use of a name, business name, trademark, domain name or other word of phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, state or local government without:
(a) authority or right; or (b) for the purpose of interfering with their use in the internet by the owner; commits an offence under this Bill and shall be liable on conviction to a fine of not less than N100, 000 or imprisonment for a term of not less than 1 year or to both such fine and imprisonment.

(2) In the determination of the case against an offender, a court shall have regard to: (a) a refusal by the offender to relinquish, upon formal request by the rightful owner of the name, trademark, words or phrase; or (b) an attempt by the offender to obtain compensation in any form for the release to the rightful owner for use in the internet, of the name, business name, trade mark, or words or phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, State or Local Government of Nigeria.

(3) In addition to the penalty specified under this section, the court shall make an order directing the offender to relinquish to the rightful owner.

COMMENTS

Page 9, Line 27 – “or” should replace “of”

Page 9, Line 29 – Should it be limited to Nigerian entities alone? What of Nigeria’s obligations under international property treaties?

Page 10, Line 14 – should read “make an order directing the offender to relinquish it or them to the rightful owner”

20. (1) Any person, group or organization that intentionally accesses any computer or network for purposes of terrorism, commits an offence and shall be liable on conviction to a fine of not less than N10, 000,000 or a term of imprisonment of not less than 20 years of to both such fine and imprisonment.
(2) For the purpose of this section, terrorism means any act which: (a) may seriously damage a country or an international organization; or (b) is intended or can reasonably be regarded as having been intended to: (i) intimidate a population; (ii) compel a government or international organization to performance abstain from performing any act; (iii) destabilize or destroy the fundamental political, constitutional; economic or social structures of a country or any internal organization, or; (iv) otherwise influence such government or international organization. (c) Involves or causes, as the case may be to:
(i) attaches upon a person is life which may cause death, (ii) attacks upon the integrity of a person; (iii) kidnapping of a person, (iv) destruction of a Government or public facility, including; an information system, private property, likely to endanger human life or result in major economic loss. (v) the manufacture, possession, acquisition, transport, supply, or use of weapons, explosive nuclear, biological or chemical as well as research into their development without lawful authority; (vi) the release of dangerous substance or causing of fires, explosions of flood the effect of which is to endanger human life; (vii) interference with or disruption of the supply of water, power or any other fundamental natural resource, the effect of which is to endanger life; or (viii) propagation of information or information materials whether true or false, calculated to cause immediate panic, evolve violence.

COMMENTS

Page 10, Lines 23 – 24 – compel a government or international organization to perform or abstain from performing any act

Page 10, Line 30 – clarification of the statement in this line is sought

21. Any person who uses any computer to violate any intellectual property rights protected under any law or treaty applicable in Nigeria, commits an offence under this Bill and shall be liable on conviction to a fine of not less than N1, 000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment, in addition to any penalty or relief provided under laws.

COMMENTS

Page 11, Line 15 – The words “any intellectual property rights” are considered to be too wide. It is also submitted that the penalty should not be uniform for all types of intellectual property rights but should depend on the type of right infringed.
Intellectual property rights consist of but are not limited to copyrights, patents, designs, industrial designs, semiconductor design, trade secrets and business know-how, cable retransmission rights, satellite broadcasting rights, lending rights and rental rights. It is suggested that the House Committee(s) seriously consider strengthening the existing intellectual property laws especially the Nigerian Copyright Act. According to David Bainbridge, “The Copyright, Designs and Patents Act 1988 has been used increasingly to prosecute computer software pirates and magistrates and judges are at last taking this form of crime seriously, using custodial sentences in some cases.” The point we wish to make from this quotation is that it is not wrong to strengthen the Nigerian Copyright Act to make for prosecution of intellectual property rights violated
using a computer by a computer. If that is done, it is very important that Nigeria upgrade its laws on database rights to meet what obtains in other climes.

22. Any person who use any computer to:
(a) engage or solicits or entices or compels any minor in any sexual or related act; or
(b) engage in, or facilitates any indecent exposure of a minor or creates, possesses or distributes child pornography; or
(c) facilitates the commission of a sexual or related act which constitutes an offence under any law for the time being in force in Nigeria,
commits an offence and shall be liable on conviction:
(i) in case of paragraph (a), to a time of not less than N3,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.
(ii) in case of paragraph ( b, and (c), to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or both such fine and imprisonment.

COMMENTS
Page 11, Line 28 – fine should replace time

23. Any person who:
(a) attempts to commit any offence under this Bill; or
(b) does any act preparatory to or in furtherance of the commission of an offence under this Bill; and
(c) abets or engages in a conspiracy to commit any offence,
commits an offence and shall be liable on conviction to the punishment provided for such an offence, under this Bill.

COMMENTS
Page 12, Lines 4 – 5 – It is unnecessary to split/attempt to differentiate between “attempts to commit any offence under this Bill” and “does any act preparatory to or in furtherance of the commission of an offence under this Bill.” Case law does not support that distinction. Case law seems to indicate that both Section 23(a) and Section 23(b) are talking about one and the same thing. Please refer to the following cases and statutes:
• R v Eagleton (1855) Dears CC 515,
• Section 4 Criminal Code,
• Section 508 Criminal Code,
• Section 95 Penal Code,
• R v Whybrow (1951) 35 Cr App Rep 141 CCA,
• R v Robinson (1915) 2 KB 342,
• Orija v ICP 1957 NRNLR 189,
• DPP v Stonehouse 1977 2 All ER 909,
• R v Offiong 1936 3 WACA 83,
• Jones v Brooks & Brooks 1968 52 Cr App R 614.

Page 12, Line 7 - 9 – Section 23(c) should read “aids or abets” the commission of an offence, and should become Section 23 (b). According to National Coal Board v Gamble (1959) 1 QB 11, “a person who supplies the instrument for a crime or anything essential to its commission aids in the commission of it; if he does so knowingly and with intent to aid, he abets it as well and is guilty of aiding and abetting.” Attorney General’s Reference (No.1 of 1975) 1975 2 All ER 684 noted that “Aiding and abetting almost inevitably involves a situation in which the secondary party and the main offender are together at some stage discussing the plans which they may be making in respect of the alleged offence, and are in contact so that each know what is passing through the mind of the other.”

The portion of this Section on conspiracy should be separated to form a new Section 23(c) dealing with conspiracy only. This is very important because case law treats aiding and abetting as a separate crime from conspiracy. Additionally, the bill as presently worded does not clearly answer the following questions raised in the book “Criminal Law Cases and Materials” published by Smith and Hogan:
• Must a principal conspirator intend to play some part in the agreed course of conduct? And what if he doesn’t?
• Is “the mere fact of agreement” without intent to carry out the agreement enough? This is relevant when law enforcement sets up traps for an accused.
• What if the agreement was to be carried out not by a party to the agreement but by a third party?
Please see R v Hollinshead 1985 2 All ER 701. We consider this a very relevant issue because according to the same book, the common law position is that: “an agreement will amount to a conspiracy only if carrying it out will necessarily amount to or involve a commission of an offence by one or more of the parties to the crime.”

24. (1) The president may on the recommendation of the Agency, by order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria of the economic and social well being of its citizens, as constituting critical information infrastructure.
(2) The president order in subsection (1) of this section may prescribe standards, guidelines, rules or procedures in respect of:
(a) the registration, protection or presentation of critical information infrastructure;
(b) the general management of critical information infrastructure;
(c) access to, transfer and control of data in any critical information infrastructure;
(d) procedural rules and requirements for securing the integrity and authenticity of data or information contained in any of the information;
(e) procedures or methods to be used in the storage of data or information in critical information infrastructure;
(f) disaster recovery plans in the event of loss of the critical information infrastructure or any part thereof; and
(g) any other matter required for the adequate protection, management and control of data and other resources in any critical information infrastructure.

COMMENTS
None

25. The president order in section 23 of this Bill may require audits and inspection to be carried out on any critical information infrastructure to evaluate compliance with the provisions of this Bill.

COMMENTS
None

26. (1) Any person who violates any provision as to the critical information infrastructure designated under section 23 of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N15,000,000 or imprisonment of a term of not less than 25 years or both such find and imprisonment.
(2) where the offence committed under subsection (1) of this section results in serious bodily injury, the offender shall be liable on conviction to a fine of not less than N20, 000,000 or to imprisonment for a term of 30 years or to both such fine and imprisonment.
(3) where the offence committed resulted in death, the offender shall be liable on conviction to imprisonment for life with no option of fine.

COMMENTS
None

27. Nothing in this Bill shall preclude the institution of a civil suit against a person liable under this Bill by any interested party.

COMMENTS
None

28. (1) The Federal High Court or state High Court shall have jurisdiction to try offender under this Bill.
(2) Notwithstanding anything to the contrary, the court shall ensure that all matter brought before it under this Bill against any person or body corporate are conducted with dispatch and given accelerated hearing.
(3) for the purposes of this Bill, a person shall be subject to prosecution in Nigeria for an offence committed while the offender is physically located either within or outside, if by the conduct of the offender or that of another acting for him;
(a) the offence is committed either wholly or partly within Nigeria;
(b) the act of the offender committed wholly outside Nigeria constitutes a conspiracy to commit an offence under this Bill within Nigeria; and an act in furtherance of the conspiracy was committed within Nigeria, either directly by the offender or at his instigation; or
(c) the act of the offender committed wholly or partly within Nigeria constitutes an attempt, solicitation or conspiracy to commit offence in another jurisdiction under the laws of both Nigeria and such other jurisdiction.
(4) For the purpose of this section:
(a) an offence or element of the offence is presumed to have been committed in Nigeria if the offence or any of its elements substantially affects person of interest in Nigeria;
(b) where any other country claims jurisdiction over an alleged offence which is subject to prosecution in Nigeria as established by this section, the Attorney General of the Federation may consult with such other country with a view to determine the most appropriate jurisdiction for prosecution.

COMMENTS
None

29. (1) Pursuant Section (2) of this section, any authorized officer entitled to enforce any provision of this Bill shall have the power to search any premises or computer or network and arrest any person in connection with the offence.
(2) Subject to National Security Agency Act, an authorized officer of any law enforcement agency, upon a reasonable suspicion that an offence has been committed or likely to be committed by any person or body corporate, shall have power to:
(a) access and inspect or check the operation of any computer to which this act applies; or
(b) use or cause to use a computer or any device to search any data contained in or available to any computer or network; or
(c) use any technology to re-transform or decrypt any encrypted data contained in a computer into readable text or comprehensible format; or
(d) seize or take possession of any computer used in connection with an offence under this Bill, or
(e) require any person having charge of or otherwise concerned with the operation of any computer in connection with an offence to produce such computer; or
(f) require any person in possession of encrypted data to provide access to any information necessary to decrypt such data;
(g) require any person in authority to release any subscriber or traffic information or any related content; and
(h) relate with any international law enforcement agencies for the purpose of giving or receiving on information or exchanging any data or database for the purpose or investigation and prosecution under this Bill.
(i) The Agency shall have power to cause or direct investigation by any law enforcement agency.

COMMENTS
Page 14, line 11 – The term “any authorised officer” is ambiguous. It is important for purposes of preventing ambiguity and abuse that the definition given in Section 38 (page 17, Lines 9 – 10) be tightened up. Please refer to our comments on Section 17 above for reasons.

30. Any person who:
(a) willfully obstructs any law enforcement agency in the exercise of any power under this Bill; or
(b) fails to comply with any lawful inquiry or request made by any authorized officer in accordance with the provisions of this Bill,
commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS
Page 15, Line 8 – No such word as “willfully”

31. Notwithstanding anything contained in any enactment or law in Nigeria, an information contained in any computer which is printed out on paper, stored, recorded or copied on any media, shall be deemed to be primary evidence under this Bill.
COMMENTS
Page 15, lines 15 – 18 In the light of the quote following below taken from the document Electronic Signature Assurance the Digital Chain-of-Evidence – Executing Legally Admissible Digitally Signed Records produced by the Microsoft U.S. National Security Team authored by Jacques R. Francoeur, B. A. Sc., M.A.Sc., MBA:

“Electronic data also presents its own inherent risks and challenges. Represented by a series of zeros and ones, electronic data can be volatile and unstable. The ability of data to move between systems, applications and people can make it difficult to differentiate between “good” (original) and “bad” (manipulated) data. Furthermore, evidentiary techniques to determine the “provenance” of data, such as time-of-creation and unchanged state, are often immature or non-existent. To establish
the reliability of electronically signed records, mechanisms must be put in place to prevent undetected manipulation of the electronic data’s content, and/or evidence of the time and date created or modified.” (Italics Ours)

We are of the considered opinion that Section 31 as presently worded has not “put in place” mechanisms to “prevent undetected manipulation of the electronic data’s content and/or evidence of the time and date created or modified.”

Michael I. Shamos, Ph.D., J.D. of the Institute for Software Research, School of Computer Science, Carnegie Mellon University once noted that the purpose of evidence is to “prove facts” and that “evidence makes the existence of fact that is of consequence to the case either more or less probable than it would be without the evidence.” In other words, from our point of view, Section 31 as presently worded raises questions in relation to the standard of proof for electronic primary evidence.

The statement “notwithstanding anything contained in any enactment or law in Nigeria” must primarily refer to the Evidence Act. The question that arises then is this: if the Evidence Act is overridden to make electronic evidence admissible, will the safeguards such as relevancy, the direct evidence rule, circumstantial evidence rules, authentication of evidence rules, chain of custody rules, best evidence rule, hearsay evidence rule, etc. established by the Evidence Act which was previously overridden now apply to such electronic evidence?

We wish to draw the attention of the Committee to the following extract from the US Federal Rules of Evidence 1001 (3): “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.” This is known as the Computer “Best Evidence” Rule. In our considered opinion, Section 31 should be amended to accommodate this rule.

32.
(1) Any person who tampers with any evidence in relation to any proceeding under this Bill by intentionally:
(a) creating, destroying, (mutilating, removing or modifying data or program or any other form of information existing within or outside a computer or network; or
(b) activating or installing or downloading or transmitting a program that is designed to create, destroy, mutilate, remove or modify data, program or any other form of information existing within or outside a computer or network; or
(c) creating, altering, or destroying a password, personal identification number, code or method used to access a computer or network.
Commits an offence and shall be liable on conviction to affine of not less than N500, 000 or to imprisonment for a term of not less than 3 years or to both such fine and imprisonment.

COMMENTS
None

33. Criminal proceedings under this Bill shall be instituted by the Agency.
COMMENTS
None

34. (1) The court imposing sentence on any person who is convicted of an offences under this Bill may also order that the convicted person forfeits to the federal republic of Nigeria:
(a) any assets, money or property (real or personal) constituting of traceable to gross proceeds of such offence; and
(b) any computer, equipment, software or other technology used or intended to be used to commit or to facilitate the commission of such offence.
(2) Any person convicted of an offence under this Bill shall forfeit his passport or international traveling documents to the Federal Republic of Nigeria until he has paid the fines or served the sentence imposed on him
(3) Notwithstanding subsection (2) of this section, the court may;
(a) upon the grant of pardon by the president to the convicted person; or
(b) the purposes of allowing the convicted person to travel abroad for medical treatment, having made formal application before the court on that regard; or
(c) in the public interest,
direct that the passport or traveling document of the convicted person be released to him.

COMMENTS
Page 16, Line 11 – Did the draftsman really mean to use the word “traveling” or did he mean “travelling” or “travel”?

35. (1) Without prejudice to section 174 of the Constitution of the Federal Republic of Nigeria, 1999, the Attorney General may, subject to voluntary admission of the commission of the offence, compound any offence punishable under this Bill by accepting such amount specified as fine to which the offender would have been liable if he had been convicted of that offence.
(2) Notwithstanding the provision of subjection (1) of this section, the court may order the payment of compensation to any person or body corporate, who suffers damages, injury, or loss as a result of the offence committed.

COMMENTS
None

36. Where a person is charged with an attempt to commit an offence under this Bill but the evidence establishes the commission of the full offence, the offender shall not be entitled to acquittal and shall be convicted for the offence and punished under the relevant penalty.

COMMENTS
None

37. The president may by order published in the Gazette make such rules and regulations as in his opinion and on the recommendation of the Agency are necessary to give full effect to the provisions of this Bill.

COMMENTS
None

38. In this Bill,
“access” includes to gain entry to, instruct, make use of any resources of a computer, computer system or network.
“Agency” means Cyber Security and Data Protection Agency.
“Authorized officer” means a person authorized by law to exercise a power this Bill
“Authority” means express or implied consent to access a computer network, program, data or database, software.
“Computer” includes any electronic device or computational machinery programmed instruction which has the capabilities of storage, retrieval memory, logic, arithmetic or communication and includes all input, output, processing, storage, communication facilities which are connected or related to such a device in a system or network or control of functions by the manipulation of signals whether electronic, magnetic or optical.
“computer network” includes the interconnection of computers or computer system
“Computer program” means data or a set of instructions or statements that
when executed in a computer causes computer to perform function.
“damage” means an impairment to the integrity or availability of data, program or network.
“data” includes a representation of information, knowledge, facts, concepts or instructions intended to be processed, being processed or has been processed in a network.
“database name” includes any designation or name registered with the domain registrar as part of an electronic address.
“intellectual property rights” include any right conferred or granted under any of the following laws or treaties to which Nigeria is a signatory:
(a) Copyright Act, CAP 68. LFN (as amended);
(b) Patents and Designs Act CAP 344, LFN;
(c) Trade Marks Act, CAP LFN;
(d) Berne Connection;
(e) World Intellectual Property Organization (WIPO) Treaty;
(f) Trade-Related Aspects of Intellectual Property Rights (TRIPs);
(g) Universal Copyright Convention (UCC); and
(h) Paria Convention (Lisbon Text).
“internet” means global information system linked by a unique address space base on the internet protocol or its subsequent extensions.
“intercept” includes the aural or acquisition of the contents of any wire, electronic or oral communication through the use of technical means so as to make some or all the contents of a communication available to a person other than whom it was intended, and includes;
(a) monitoring of such communication by any device;
(b) viewing, examination or inspection of the contents of any communication; and
(c) diversion of any communication from its intended destination.
“Law enforcement” agency means any institution created by law and charged with the responsibility of enforcing obedience to our written law.
“loss” means any reasonable lost to a victim, including the cost of responding to an offence, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offences and any revenue lost, cost incurred and other consequential damages incurred because of the interruption of service.
“Minor” means a person under 18 years.
“Modification” means
(a) alteration or erasure of the content of any
program, data and data base;
(b) any event which occurs to impair the normal operation of a computer;
(c) modification is unauthorized if:
(i) the person that causes the act is not himself entitled to determine whether the modification should be made; and
(ii) he does not have consent from anybody to modify.
“Service provider” includes but not limited to;
(a) internet service provider;
(b) communications service provide; and
(c) application service provider.
“Software” includes any program, data, database, procedure and associated documentation concerned with the operation of a computer system.
“Spamming” means unsolicited electronic mail message having false headers, address and lines.
“Minister” means minister of information and communication.

COMMENTS
Page 17, Line 6 – 7 – replace “gain entry to, instruct, make” with “gaining entry to, instructing, making”
Page 17, Line 13 – 18 The Committee may wish to take a second look at the definition of “computer”: France, Germany and the UK do not define this term in their equivalent legislation; however, the United States of America does. Please see the US Computer Fraud and Abuse Act.
Page 19, Line 8 - 9 The Committee may wish to take a second look at the definition of “software.” We propose the inclusion of the words “whether in source code or object code form” immediately after “program”.

39. This Bill may be cited as Cyber Security and Data Protection Agency (Establishment etc) Bill, 2008.

COMMENTS
None

CONCLUSION
We are available to provide further support and consulting to the House Committee on Drugs, Narcotics and Financial Crimes in respect of our submissions above and thank you for taking the time to go through this and for giving us a chance to participate in the law-making process.

Yours faithfully
NICHE KONSULT LIMITED

Idara Akpan
CHIEF HACKING OFFICER/DIRECTOR (BUSINESS DEVELOPMENT)
Email: Idara@nichekonsult.com
Mobile: 234 805 547 7646
February 22, 2005

The Director General
Consumer Protection Council
Plot 2215, Herbert Macaulay Way
P.M.B. 5077
Wuse Zone 6
Abuja

Dear Madam,

CPC: A PRIVACY AGENDA - TO BE OR NOT TO BE?

It occurs to us that CPC, Nigeria’s premier consumer protection champion, may need to revisit her role in relation to securing consumer privacy in the information age in keeping with Section 37 of the 1999 Constitution. To that end, AIIA is interested in working with CPC to create a pro-active privacy protection agenda to meet the needs of Nigerians. Possible pro-privacy agenda initiatives include:
• Creating a Privacy Task Force to develop and implement the Director General’s Privacy Agenda
• Developing a National Privacy Policy
• The need for privacy awareness campaigns to enlighten the consumer as to what is at stake and why and of what CPC is doing in that regard
• The Task Force should among other things spearhead the drafting of appropriate legislation requiring the following:
o that organizations collecting personal information (whether online or offline) create a privacy policy in line with the National Privacy Policy,
o that a copy of such privacy policy be lodged with the CPC for its necessary action,
o that such privacy policy state clearly what information is being collected, how it is stored, where it is stored (whether in Nigeria or elsewhere), how long it is stored, how it is intended to be used, and how it is actually used, whether or not such information is shared with third parties and on what basis/terms and how the information is ultimately disposed of
o a comprehensive list of privacy breaches and appropriate fines

Thank you for taking matters a step further on our behalf.

Yours faithfully,
A.I.I. ASSOCIATES

Barr. Ime Akpan
PRINCIPAL
PRIVACY: A BURNING CONSUMER ISSUE – PRIVACY POLICY: A NATIONAL IMPERATIVE – WANTED: A PRIVACY WATCHDOG

Definition of Privacy
The quality or state of being apart from company or observation. Privacy is closely related to secrecy, that is, the condition of being concealed or hidden.

Definition of Policy
A definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions. A high-level overall plan embracing the general goals and acceptable procedure especially of a governmental body

Definition of Privacy Policy
A high-level overall plan that lists both the goals of and acceptable procedures for the collection, maintenance, use and disposal of personally identifiable customer information in the normal course of business.

Two sides of the same coin: “Privacy as Secrecy” or “Privacy as Control”

Privacy as secrecy
Private meaning personal, i.e., known only to ourselves and selected others

Privacy as control
Private meaning control, i.e., known to several others (businesses, governments, and individuals) but usage is based on the user’s preferences and the user has control over how his/her information is used

Why Privacy as Secrecy is giving way to Privacy as Control
“You have zero privacy anyway. Get over it.” - An Information Technology industry CEO to a group of reporters

The internet is like a spider web. It connects all countries, all governments, all cities, all homes and all peoples. Information Technology in general and the internet in particular is creating a “world without secrets” for individuals, enterprises and governments. In this world, enormous amounts of structured information (transactions) and unstructured information (audio, video, and narrative text) are gathered and shared globally by and among businesses, governments, and individuals.
Many of us are familiar with Orwell’s novel 1984; however, unlike in Orwell’s totalitarian nightmare scenario, the monster is not Big Brother because government has no monopoly on technology.

© December 20, 2004. All Rights Reserved. AII Associates. Private and Confidential. Distribution Restricted
