Saturday, May 1, 2010

THE SCRAMBLE FOR BROADBAND INTERNET SERVICES IN NIGERIA: NEW TECHNOLOGY, NEW CHALLENGES, MORE GOVERNANCE.

In recent times, the rate at which business entities are investing heavily in the provision of broadband internet access has been impressive. The Glo-1 submarine cable, a multi-million dollar project from Glo Nigeria, is a submarine cable of 100,000km with landing points in Nigeria, Ghana, Senegal, Mauritania, Morocco, Portugal, Spain and the United Kingdom (UK). It has a bandwidth capacity of about 640 gigabytes and has been operational since the last quarter of 2009. Next is the Main One cable system being rolled out by MainOne Ltd., which is set to go live in June 2010. This 14,000km long submarine fibre optic cable stretches from Portugal to South Africa, with landing points in Seixal in Portugal, Lagos in Nigeria, Accra in Ghana and South Africa, and will provide high speed internet capacity of 1.92 terabits. The boldest undertaking so far is the West Africa System (WACS) planned by a consortium of telecommunication companies. WACS will link South Africa with the UK along the western coast of Africa. The design capacity is projected to be at least 3.84 terabits.


These ventures seem to be a welcome development, as they will go a long way in not only providing high speed internet connectivity but also increasing the rate of internet penetration in a country that has been reported (Internet World Stats) to have had 23,982,200 (16.1%) of its population accessing the internet in 2009. Still, I continue to wonder, in the face of this 20th century technological evolution, whether Nigeria has lived up to its responsibility under the Internet Governance Forum established during the second World Summit on the Information Society (WSIS) held in 2005 in Tunis.

No doubt the internet has changed the way we now live and has had a tremendous impact on our lives. It has also spawned a myriad of new challenges, chiefly issues relating to how it is used. Such issues include cybercrime, the protection of children online, internet privacy and copyright infringement, amongst many others. All these issues have necessitated a proper implementation of the appropriate internet governance solution to mitigate the risks associated with the use of the internet.

The WSIS proposed a working definition of internet governance: “Internet governance is the development and application by Governments, the private sector, and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” In Nigeria, the emerging issues arising from increased internet usage are:

1. Cybercrime: The ubiquitous nature of the internet has enabled communication on a global scale across computer networks. This has favoured criminals, who use the internet as a tool in the perpetration of criminal offences. Prominent examples of these are fraud, identity theft and phishing scams. For a developing nation like Nigeria, finding a response strategy and solution has become fundamental to the beneficial use of the internet. In recent times, Nigeria has come under international pressure to take action over financial scams facilitated through email services. In 2006, the National White Collar Crime Center reported that losses related to the popular Nigerian email fraud averaged about 5,100 USD each. Though Nigeria, in response to this challenge, ratified the Convention on Cybercrime, it is yet to enact the Draft Computer Security and Critical Information Infrastructure Protection Bill 2005.

2. Child Protection Online: The International Telecommunications Union (ITU) has come up with a global initiative with the objectives of identifying the risks and vulnerabilities of children (and minors) in cyberspace, creating awareness of these, helping in the development of practical tools that will minimize these risks and, lastly, providing a forum for knowledge sharing on best practices. The child online protection initiative will guarantee that the child is not exposed to harmful or inappropriate content, which includes a wide variety of materials such as pornography, violent content and the like. It is important that Nigeria tap into this initiative and adopt strategies to protect our children, who will become the leaders of tomorrow.

3. Internet Privacy: According to American privacy expert Steven Rambam, “Privacy is dead - get over it”. While a number of industry experts seem to agree with him, national governments are still working to guarantee the privacy of the individual in this age of information explosion. With the proliferation of the internet and its technologies, a lot of individuals are finding it increasingly difficult to control their personal information in cyberspace or to decide to whom this information should be disclosed. In this age of information explosion, personal information, if not properly protected, could be misused to the detriment of the data subject. This is constantly being manifested on online social and electronic commerce platforms, where personal information has been mishandled and compromised by the owners of such platforms or by individuals participating on them. It becomes imperative for the Nigerian government to intervene in this instance to safeguard and enforce this fundamental human right.

4. Copyright Infringement: In the words of Harvard Law Professor Lawrence Lessig, “the fear is that cyberspace will become a place where copyright can be defeated”. Copyright is granted protection under both international and national laws. The internet has made it possible for works in which copyright subsists to be easily distributed across computer networks, thereby implicating the owner's rights of both distribution and communication to the public. Peer-to-peer (p2p) technologies have a role in the infringement of copyright: this technology connects an individual’s computer to another computer, whereby information (mostly copyright works) is easily retrieved and distributed over the internet. No doubt, high speed internet connectivity in Nigeria plays a prominent role in this phenomenon. Because of the near impossibility of identifying the alleged infringers, national governments and copyright owners have targeted Internet Service Providers (ISPs) as facilitators of copyright infringement across their networks. This has resulted in laws which provide safe harbours for ISPs and define instances in which they will be exempted from copyright infringement liability under their national laws.



The growing awareness of the social, economic and legal dynamics of the internet has had an impact on Nigerian society. It has brought to the front burner the problems associated with increased internet usage, which have crystallized into topical issues under the Internet Governance Forum. For broadband services to benefit the Nigerian community, the stakeholders in Nigeria (including the Government and ISPs) have a constant and continuous role to play by intervening with policy and technological solutions that will shape the way the internet is legitimately used in Nigeria, leading to the achievement of the goals set under the Internet Governance Forum.

In conclusion, the statement of John and Post that “the rise of an electronic medium that disregards geographical boundaries throws the law into disarray by creating entirely new phenomena that need to become the subject of clear legal rules that cannot be governed, satisfactorily, by any current territorially based sovereign” comes to mind in the Nigerian case.

DATA PROTECTION ISSUES AND LEGAL IMPLICATIONS IN NCC’S DIRECTIVE ON SIM CARD REGISTRATION

Towards the end of 2009, the Nigerian telecommunications regulator, the Nigerian Communications Commission (NCC), in exercising the powers granted it under the Nigerian Communications Act (NCA) 2003, issued a directive which was published in the Thisday Newspaper of December 31, 2009. The directive was to the effect that from the 1st of March 2010 (according to the online news service “Daily Independent,” this date has been postponed to May 1st 2010) all new Subscriber Identity Module (SIM) cards must be registered before activation. This will be followed by the registration of the SIM cards of existing SIM card holders at a later date.


This directive from the NCC was born out of the need to have a credible database of SIM card holders in Nigeria that will be used to identify (for possible prosecution) criminal actors who perpetrate criminal activities through the use of mobile phones by exploiting the anonymity of an unregistered SIM card.

This paper considers two issues: identifying and addressing the data protection and privacy issues that arise during the implementation of the SIM card registration process, and the legal implications for the criminal models of crimes being perpetrated through the use of mobile phones. Discussing the technical framework for the implementation of this process is entirely outside the focus of this write-up.

Data Protection and the Concept of Privacy under Nigerian Law

The right to privacy is an inalienable human right that cannot be derogated from, neither can it be subsumed under any government law or policy. Though Nigeria presently has no legislative framework for Data Protection, the right to privacy can be traced to the Constitution of the Federal Republic of Nigeria (CFRN) 1999, in particular S. 37 provides “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

The broad import of this provision is to guarantee the private affairs of the Nigerian person against interference and intrusion. This statement finds meaning in the definition of privacy as “The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of [personal] information” [emphasis mine].

When this constitutional right is juxtaposed with NCC’s directive to register SIM cards, one is wont to ask what privacy and/or data protection issues are involved in the registration of these SIM cards.

A SIM card, as the name implies, is used to identify subscribers to mobile telecommunications services. It is a removable card that allows the user to transfer subscribed services to another mobile device.

As there is a dearth of data protection laws in Nigeria, I intend to propose as a reference model the principles contained in the EU-wide Data Protection Directive 95/46 EC, as a guide for the implementation of this SIM card registration process. Amongst other things, this Directive has been internationally touted as setting the benchmark by which data protection laws are evaluated. The standards it sets are widely regarded as “high” and place an emphasis on human rights, while its principles have been flexible in their approach.

Pursuant to this Directive, data or personal data means any information relating to an identifiable natural person (data subject). The Directive goes further in defining an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to an identification number… Therefore, for data to be “personal”, two conditions must be met: first, the data must relate to or concern another natural person; secondly, the data must be used in the identification of the natural person. Where data does not refer to a natural person, it falls outside the scope of the EU Directive. As SIM cards contain both the unique serial and international numbers of the subscriber, they no doubt come within the meaning of “personal data” as contemplated under the EU Directive, since another individual is able to connect the personal data to a natural person.

The capture of the subscriber's photograph and biometrics (which undoubtedly is also personal data), as required under the implementation process, will be deemed to be the processing and/or collection of personal data. In accordance with this EU Directive, data processing occurs when an operation or a set of operations is carried out upon personal data, whether or not by automatic means. These operations include the collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure and destruction of personal data.

Given the nature of the personal information stored in the SIM card database, it is evident that accessing this database implicates the privacy rights of SIM card holders. The question then becomes: under what circumstances will the personal data or information of mobile telephony subscribers be collected, accessed or used legitimately? This is important in order not to run the risk of stored data being abused by those accessing it, as data specifically provided for one purpose might be used in an entirely different context.

The EU Directive has a set of principles that must be adhered to when accessing the personal data of the private individual. It sets out the rights of the private individual with regard to his personal data and establishes the general principles guiding the processing of personal data. These principles are summarized below and related to the proposed SIM card registration in Nigeria:

1. Data may only be processed where the private individual (data subject) has given consent: For SIM card holders, this consent must be specific and informed, it cannot be inferred from any circumstances nor can this consent be given on the basis of misrepresented facts.

2. Data may be processed when the processing is necessary for the entering into a contract with the private individual: This is fulfilled when the contract between potential SIM card holders and mobile telephony service providers contains clauses to the effect that their SIM cards would be registered. For existing SIM card holders, it would be necessary to obtain their consent.

3. Data may be processed in order to comply with a legal obligation imposed on the entity in charge of processing the data: That is, the entity in charge of registering SIM cards in Nigeria must legitimately access this information only in so far as it complies with the legal obligation imposed on it.

4. Data may be processed when the processing is necessary to protect the vital interest of the private individuals: A broad meaning should be given to this paragraph in so far as the processing of the personal data would be necessary to protect the interest of SIM card holders.

5. Data may be processed when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data are disclosed. To rely on this paragraph, the relevant question then becomes: would accessing the SIM card database be justified on the basis of a public interest which would override the privacy rights of SIM card holders?

6. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. SIM card holders must be allowed access to this database at any time and to make the necessary correction of their personal data as contained in this database.

7. Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes: This is the main thrust of any good data protection policy. What is the main purpose of registering SIM cards in Nigeria? Legitimate processing requires that the uses of the personal data must be known and publicly stated at the time of registration. A 2006 decision of a German court comes to mind here, where the demand by a public prosecutor investigating a criminal case to access personal data stored on a SIM card of an on-board unit in a truck was denied by the court. The court was of the opinion that the German Federal Toll Collect Act, on which the collecting of SIM card data is based, restricts the use of toll data to only the control of toll payments. In this regard, access to the SIM card database in Nigeria must be restricted to only the purpose(s) specified by the NCC, i.e. cases of criminal activities perpetrated through the use of mobile telephones. To override such a purpose would require legal justification and authorization.

Legal Implication

NCC’s directive to register SIM cards will trigger some practical implications for criminals intending to sustain their desire for committing crimes through the use of mobile telephony services. Some criminals in order to sustain this desire and circumvent their identification will have to migrate to other criminal models that will continue to guarantee anonymity to them. These models will be considered under three heads in the following:

1. SIM card cloning: This occurs where the information contained in one SIM card is replicated for the purpose of making fraudulent calls, the billing for which would be incurred by the owner of the cloned SIM card rather than the perpetrator. To achieve cloning, the Electronic Serial Number (ESN) and Mobile Identification Number (MIN) have to be successfully retrieved from the target phone for transfer to the cloned phone. When this happens, calls can be made from the cloned phone as if it were the original phone. It is possible for criminal entities to exploit SIM card cloning technologies so as to beat the identification process inherent in SIM card registration.

2. Roaming services: Roaming has been defined as the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services, including home data services, when travelling outside the geographical coverage area of the home network, by means of using a visited network. Now consider this scenario, a criminal obtains an registered SIM card outside Nigeria from a service provider that offers roaming services within a Nigerian service provider’s network. It is obvious here that this criminal has successfully circumvented the NCC registration process by virtue of this roaming service and can still be able to perpetrate his criminal intentions through this service within Nigeria.

3. Internet/Satellite Telephony: With services like Skype and the scramble for broadband services in Nigeria, Internet telephony seems to have found a niche for itself. Satellite telephony, for its part, connects to satellites in orbit rather than terrestrial cell towers. All these services can be used to circumvent NCC’s registration process and perpetrate criminal activities.

From these criminal models, it is obvious that NCC’s directive may not be sufficient to achieve the purpose for registering SIM cards. The author believes that a system of identity management should be implemented in the mobile telephony sector. This will help to address the issues of anonymity posed in the mobile telephony sector.

Conclusion

Even though NCC’s directive commences today, May 1st 2010, it still presents some data protection issues that must be addressed. As national governments are becoming more aware of the importance of a good data protection framework, Nigeria must consciously strive to ensure that the personal data (in whatever form) of the Nigerian person is safeguarded. It goes without saying that the common Nigerian person values his privacy and should not be exposed to situations where his personal data is arbitrarily processed or accessed. The glaring reality of the lack of appropriate legislative solutions to address data protection issues is already being manifested in an IT-savvy Nigerian society. We need to re-engineer our legislative processes to accommodate the challenges presented by data protection. In the absence of the appropriate law, it becomes safe to place reliance on the principles enshrined under the EU model for data protection, which still remains a role model for implementing data protection laws worldwide.

As for curbing the menace of criminal activities perpetrated through mobile phones, a system of identity management should be implemented and enforced in the mobile telephony sector (how this is achieved is entirely outside the scope of the author’s knowledge). This will ensure that anonymity in the mobile telephony sector is not exploited to commit criminal activities.

Why protect personal data? I am constrained again to reiterate that the right to privacy is inalienable, it can never be derogated from.