In 2015, I was invited by the North Atlantic Treaty Organization’s Cooperative Cyber Defence Center of Excellence (NATO CCD COE) to present a paper titled: MULTILATERAL LEGAL RESPONSES TO CYBERSECURITY IN AFRICA: ANY HOPE FOR EFFECTIVE INTERNATIONAL COOPERATION?’, at the 7th International Conference on Cyber Conflict in Tallinn, Estonian. Eminent keynote speakers at the conference included His Excellency Toomas Hendrik ILVES, the President of the Republic of Estonia and Admiral Michael S. Rogers, the Commander of the United States Cyber Command and Director of the US National Security Agency.
In my paper, I argued that the African Union Convention on Cyber Security and Personal Data Protection did not provide an adequate framework for mutual assistance and international cooperation on cybercrime control amongst African States and that this state of affairs may limit international cooperation, and thereby enable cybercriminals in Africa to engage in forum shopping so as to technically evade prosecution or extradi¬tion. To address this challenge, I recommended the development of international cooperation and mutual legal assistance mechanisms within the framework of the African Union. A published version of the lecture is available for download here: https://ccdcoe.org/uploads/2018/Art-08-Multilateral_Legal-Responses-to-Cyber-Security-in-Africa-Any-Hope-for-Effective-International-Cooperation.pdf
Recently, Nigeria has been in the news for cybercrime offences perpetrated in the United States. Following criminal complaints filed by the United States Government at the District Court for the Central District of California, 80 Nigerians were subsequently indicted by a Grand Jury in June 2019 for allegedly committing cybercrime offences, including computer fraud, mail fraud, wire fraud, bank fraud and money laundering. Some of the indicted persons are in custody of the United States Government, while most of them are still at large. The United States has expressed its intention to bring the alleged cybercriminals to justice and believes that some of them are hiding in Nigeria. On the other hand, the Nigerian Government and its financial crimes agency, the Economic and Financial Crimes Commission (EFCC) has given assurances that it will cooperate with the United States in bringing the alleged cybercriminals to justice. Apparently, such cooperation will entail the rendering of mutual legal assistance and extradition requests. This development raises issues with respect to international cooperation on the control of cybercrime especially in the African region and leads me to revisit some of the key takeaways of my lecture at the International Conference on Cyber Conflict.
Nigeria and International Cooperation on Cybercrime
Basically, Nigeria recognizes the need to promote international cooperation in tackling cybercrime and has also enshrined enabling provisions in the Nigerian Cybercrimes Act and the Extradition Act. Therefore, it may be possible for the Nigerian Government to fulfill its assurance to the United States in terms of rendering mutual assistance and extraditing the alleged cybercriminals if they are located in Nigeria, or if they are located in another country that has a mutual assistance and extradition treaty with Nigeria. However, it may not be possible for Nigeria to fulfill such assurance if the alleged cybercriminals are located in an African country that does not have a mutual assistance and extradition treaty with Nigeria. This challenge will also exist if such African country does not have a mutual assistance and extradition treaty with the United States. It will also not be possible for Nigeria to fulfill its assurance for cooperation if the alleged cybercriminals are located in an African country that has not established cybercrime laws, even where such country has a mutual assistance and extradition treaty with Nigeria. This challenge will also exist even if such African country has a mutual assistance and extradition treaty with the United States without establishing cybercrime laws.
The case of the “I LOVE YOU” Virus is illustrative here. The virus was created in 2000 by Onel de Guzman (a Filipino computing student at the AMA Computer University in Manila, Philippines) and spread worldwide through the Internet – infecting over 45 million computers and causing businesses billions of dollars in losses. Many of the affected businesses were located in the United States which had already established cybercrime laws at that time. When FBI agents succeeded in identifying the creator of the virus in Philippines, it was also found that the country did not have cybercrime laws under which he could be prosecuted. Philippines had an extradition treaty with the United States. However, there was no basis to apply for Onel de Guzman’s extradition under the treaty, because Philippines had not criminalized the creation and dissemination of computer viruses at that time. Consequently, he was able to escape criminal liability for the damage caused by the spread of the “I LOVE YOU” virus. A repeat of the above scenario is a real possibility as many African countries have not established cybercrime laws.
Limits of International Cooperation under the African Union Cybersecurity Convention
The Africa Union of which Nigeria is a prominent Member State has recognized the need to promote international cooperation on cybercrime control in Africa. On 27 June, 2014, the African Union Heads of State and Government adopted the Convention on Cyber Security and Personal Data Protection during the 23rd Ordinary Session of the African Union Assembly in Malabo, Equatorial Guinea. The Convention aims to harmonize the laws of African States on electronic commerce, data protection, cybersecurity promotion and cybercrime control. It will enter into force after it has been ratified by 15 Member States, however, as of June 2019, only 5 Member States (Ghana, Guinea, Mauritius, Namibia and Senegal) had ratified the Convention which indicates a slow pace towards its ratification.
Article 28 of the Convention establishes provisions to facilitate international cooperation on cybersecurity and cybercrime control. It requires African Union Member States to make use of existing channels of international cooperation (including intergovernmental or regional, or private and public partnerships arrangements) for the purpose of promoting cybersecurity and tackling cyber threats. However, the extent to which the provisions of Article 28 can effectively facilitate cooperation and mutual assistance amongst Member States appears doubtful. For example, assuming that the Convention has entered into force, it will not be possible for Nigeria to rely on the Convention as framework for demanding mutual legal assistance or making extradition requests where any of the alleged cybercriminals on the FBI list is located in an African country that does not have an extradition treaty with Nigeria. This is because the Convention appears to establish a blanket requirement for the application of the double criminality principle between State parties, without creating a legal basis on which State parties can base their extradition or mutual assistance requests in the absence of an applicable international agreement between the requesting State party and the State party to whom such request is being made to. This is further compounded by the absence of an African Union legal instrument for rendering extradition or mutual assistance requests between Member States. The challenge here is that an African Union Member State (such as Nigeria) may adopt and ratify the Convention into its national laws without having an extradition or mutual legal assistance treaty with another Member State that is also a party to the Convention. As such, a request for extradition or mutual assistance by Nigeria to such State may not be successful even where the requirements of the double criminality principle have been fulfilled. Therefore, under the Convention, Nigeria would only be able to obtain a regional African wide guarantee for mutual assistance and extradition where it has entered into extradition or mutual legal assistance arrangements with all the 54 other sovereign states within the African Union.
This challenge however creates an enabling environment for forum shopping by cyber criminals within Africa, because a Member State that does not have extradition or mutual assistance arrangements with all other African Union Members may technically provide a safe haven for cyber criminals since an extradition or mutual assistance request cannot be successfully made to such State from another Member State with which it has no existing treaty on extradition or mutual assistance. For example, an alleged cybercriminal on the FBI list can flee to an African country that does not have an extradition treaty with Nigeria or the United States. This challenge would further be compounded where such African country does not have capacity to investigate or prosecute cybercrime, or where it appears reluctant to prosecute. In both situations, the African country where the alleged cybercriminal is located may not even prosecute because there is no obligation to extradite or prosecute under the Convention. As such the doctrine of “aut dedere aut judicare” (extradite or prosecute) does not exist under the Convention. The above state of affairs impedes international cooperation on cybercrime control in the African region.
The example of the Budapest convention
In Europe, the Council of Europe Convention on Cybercrime (Budapest Convention) which was established in 2001 elaborately addressed the above highlighted challenges of international cooperation on cybercrime and may therefore provide examples that can be adapted in the African context. Article 24(3) of the Budapest Convention allowed State parties to adopt the Convention as a legal basis for extradition proceedings because it recognized that extradition treaties may not exist between all State parties to the Convention. Article 27 of the Budapest Convention also established a framework for a State party to render mutual assistance requests to another State party where there is an absence of applicable international agreement between them. Article 24(6) of the Convention also provides that a Member State which refuses to grant an extradition request for a cybercrime offence shall prosecute the offender at request of the Member State whose extradition request was refused. Therefore, the Convention enshrines the doctrine of “aut dedere aut judicare” (extradite or prosecute).
A Case for Nigeria to Promote International Cooperation under the African Union Cybersecurity Convention
To address the highlighted challenges of international cooperation on the control of cybercrime in Africa, it will be necessary for Nigeria can take the lead in calling for the establishment of an African Union Protocol that would create provisions enabling all State parties to the Cybersecurity Convention to adopt the Protocol as a legal basis for rendering extradition and mutual assistance requests where there is an absence of applicable extradition arrangements or mutual legal assistance treaties on cybercrime. Such Protocol should also impose obligations on Member States to extradite or prosecute cybercriminals hiding within their territories so as to prevent the existence of safe havens for cyber criminals who would likely engage in forum shopping to evade sanctions.
The need for Nigeria to lead the call for the establishment of the proposed African Union Protocol is not far-fetched. Nigeria currently has the largest population of internet users in Africa, with over 100 million internet subscribers according to data released by the Nigerian Communications Commission (NCC) in 2019. This makes Nigeria one of the largest populations of internet subscribers in the world. Already, increasing internet penetration in Nigeria is having implications on the rise of cybercrime in the country. Many individuals in Nigeria, as well as commercial and non-commercial organizations in Nigeria have been victims of cybercrime whether emanating from within or outside country. In particular, the Nigerian banking and financial services sector as well as their customers have repeatedly been targets of cybercrime activi¬ties with losses running into billions of Naira. Cybercriminals operating in Nigeria have also targeted individuals and institutions located in other countries with severe and unquantifiable reputational damage for the entirety of Nigerians. This in turn results to several lost business opportunities for law abiding Nigerians within and outside the country, as the fear of cybercrime actually discourages foreigners from engaging in business ventures with Nigerians.
Also as a developing country with a huge population and high poverty index, Nigeria needs to ensure that cybercrime does impede the adoption of ICTs in critical economic sectors in order to effectively harness ICTs to leapfrog national development. Therefore, whichever way one looks at it, the effects of cybercrime limits Nigeria’s potential in the world. This therefore underscores the need for the Nigerian government to ensure that cybercrime offences that have significant link with Nigeria are sanctioned, wherever the perpetrators may be located. Although, the African Union has established a Cybersecurity Convention, however, the Convention’s international cooperation regime appears weak and allows for forum shopping by cyber criminals. There is a real possibility that the efforts of the Nigerian government to tackle cybercrimes and render international assistance in tracking and extraditing cybercriminals (including those on the infamous FBI list) can be limited by the Convention’s weak international cooperation regime. Therefore, it will be great step in the right direction if Nigeria leads the call for the establishment of the proposed African Union Protocol to enhance international cooperation on cybercrime control in Africa.
Orji is a fellow of the African Center for Cyber Law and Cybercrime Prevention (ACCP) at the United Nations African Institute for the Prevention of Crime in Kampala, Uganda. He can be reached via email at: jeromuch@yahoo.com
END
Be the first to comment