Nigeria and the FBI Cybercrime List
Recently, Nigeria was in the news for cybercrime offences perpetrated in the United States. Following criminal complaints filed by the United States Government at the District Court for the Central District of California, 80 Nigerians were subsequently indicted by a Grand Jury in June 2019 for allegedly committing cybercrime offences, including computer fraud, mail fraud, wire fraud, bank fraud and money laundering. Some of the indicted persons are in custody of the United States government, while most of them are still at large. The United States has expressed its intention to bring the alleged cybercriminals to justice and believes that some of them are hiding in Nigeria. On the other hand, the Nigerian Government and its financial crimes agency, the Economic and Financial Crimes Commission (EFCC) has given assurances that it will cooperate with the United States in bringing the alleged cybercriminals to justice.
Apparently, such cooperation will entail the rendering of mutual legal assistance and extradition requests. This development raises issues with respect to international cooperation on the control of cybercrime especially in the African region.
Basically, Nigeria recognizes the need to promote international cooperation in tackling cybercrime and has also enshrined enabling provisions in the Nigerian Cybercrimes Act and the Extradition Act. Therefore, it may be possible for the Nigerian government to fulfill its assurance to the United States in terms of rendering mutual assistance and extraditing the alleged cybercriminals if they are located in Nigeria, or if they are located in another country that has a mutual assistance and extradition treaty with Nigeria. However, it may not be possible for Nigeria to fulfill such assurance if the alleged cybercriminals are located in an African country that does not have a mutual assistance and extradition treaty with Nigeria. This challenge will also exist if such African country does not have a mutual assistance and extradition treaty with the United States. It will also not be possible for Nigeria to fulfill its assurance for cooperation if the alleged cybercriminals are located in an African country that has not established cybercrime laws, even where such country has a mutual assistance and extradition treaty with Nigeria. This challenge will also exist even if such African country has a mutual assistance and extradition treaty with the United States without establishing cybercrime laws.
The case of the “I LOVE YOU” Virus is illustrative here. The virus was created in 2000 by Onel de Guzman (a Filipino computing student at the AMA Computer University in Manila, Philippines) and spread worldwide through the Internet – infecting over 45 million computers and causing businesses billions of dollars in losses. Many of the affected businesses were located in the United States which had already established cybercrime laws at that time. When FBI agents succeeded in identifying the creator of the virus in Philippines, it was also found that the country did not have cybercrime laws under which he could be prosecuted. Philippines had an extradition treaty with the United States. However, there was no basis to apply for Onel de Guzman’s extradition under the treaty, because Philippines had not criminalized the creation and dissemination of computer viruses at that time. Consequently, he was able to escape criminal liability for the damage caused by the spread of the “I LOVE YOU” virus. A repeat of the above scenario is a real possibility as many African countries have not established cybercrime laws.
The Africa Union of which Nigeria is a prominent member state has recognized the need to promote international cooperation on cybercrime control in Africa. On 27 June, 2014, the African Union Heads of State and Government adopted the Convention on Cyber Security and Personal Data Protection during the 23rd Ordinary Session of the African Union Assembly in Malabo, Equatorial Guinea. The Convention aims to harmonize the laws of African States on electronic commerce, data protection, cybersecurity promotion and cybercrime control. It will enter into force after it has been ratified by 15 Member States; however, as of June, only five member states (Ghana, Guinea, Mauritius, Namibia and Senegal) had ratified the Convention which indicates a slow pace towards its ratification.
Article 28 of the Convention establishes provisions to facilitate international cooperation on cybersecurity and cybercrime control. It requires African Union Member States to make use of existing channels of international cooperation (including intergovernmental or regional, or private and public partnerships arrangements) for the purpose of promoting cybersecurity and tackling cyber threats. However, the extent to which the provisions of Article 28 can effectively facilitate cooperation and mutual assistance amongst member states appears doubtful. For example, assuming that the convention has entered into force, it will not be possible for Nigeria to rely on the convention as framework for demanding mutual legal assistance or making extradition requests where any of the alleged cybercriminals on the FBI list is located in an African country that does not have an extradition treaty with Nigeria. This is because the convention appears to establish a blanket requirement for the application of the double criminality principle between state parties, without creating a legal basis on which state parties can base their extradition or mutual assistance requests in the absence of an applicable international agreement between the requesting state party and the state party to whom such request is being made to. This is further compounded by the absence of an African Union legal instrument for rendering extradition or mutual assistance requests between member states. The challenge here is that an African Union member state (such as Nigeria) may adopt and ratify the Convention into its national laws without having an extradition or mutual legal assistance treaty with another member state that is also a party to the Convention. As such, a request for extradition or mutual assistance by Nigeria to such state may not be successful even where the requirements of the double criminality principle have been fulfilled.
This challenge creates an enabling environment for forum shopping by cyber criminals within Africa, because a member state that does not have extradition or mutual assistance arrangements with all other African Union members may technically provide a safe haven for cyber criminals since an extradition or mutual assistance request cannot be successfully made to such state from another member state with which it has no existing treaty on extradition or mutual assistance.
In Europe, the Council of Europe Convention on Cybercrime (Budapest Convention) which was established in 2001 elaborately addressed the above highlighted challenges of international cooperation on cybercrime and may therefore provide examples that can be adapted in the African context. Article 24(3) of the Budapest Convention allowed state parties to adopt the Convention as a legal basis for extradition proceedings because it recognized that extradition treaties may not exist between all State parties to the Convention. Article 27 of the Budapest Convention also established a framework for a State party to render mutual assistance requests to another State party where there is an absence of applicable international agreement between them. Article 24(6) of the Convention also provides that a member state which refuses to grant an extradition request for a cybercrime offence shall prosecute the offender at request of the member state whose extradition request was refused. Therefore, the Convention enshrines the
To address the highlighted challenges of international cooperation on the control of cybercrime in Africa, it will be necessary for Nigeria can take the lead in calling for the establishment of an African Union Protocol that would create provisions enabling all state parties to the Cybersecurity Convention to adopt the protocol as a legal basis for rendering extradition and mutual assistance requests where there is an absence of applicable extradition arrangements or mutual legal assistance treaties on cybercrime. Such Protocol should also impose obligations on member states to extradite or prosecute cybercriminals hiding within their territories so as to prevent the existence of safe havens for cyber criminals who would likely engage in forum shopping to evade sanctions.
- Dr Orji, is a cybersecurity and telecommunications law expert.
You may be interested
Buhari is making a micro Mandela of Omoyele Sowore by keeping him in detention indefinitelyWebby - September 15, 2019
I know Omoyele Sowore very well. I was a syndicated columnist for his Sahara Reporters for years writing side by…
SON seals 10 illegal oil firms in KanoWebby - September 14, 2019
The Kano State Coordinator of Standard Organisation of Nigeria (SON)Alhaji Yunusa B. Mohammed on Saturday, declared that the agency would…
Immigration Service intercepts 32 illegal migrants in NigerWebby - September 14, 2019
The Niger state command of the Nigeria Immigration Service has intercepted 32 illegal Migrants in Niger state. The migrants who…