UPDATED: January 2022 | SOURCE: Cyberlaw Clinic at Harvard Law School, Paradigm Initiative, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC), and Tomiwa Ilori

Provision of Real-time Lawful Interception Assistance

Constitution

The Constitution of the Federal Republic of Nigeria is the supreme law of Nigeria, and the current version was enacted in 1999. Section 37 of the constitution guarantees and protects the privacy of Nigerian citizens and their homes, correspondence, telephone conversations and telegraphic communications. Section 45 of the constitution clarifies that this guarantee does not invalidate laws that are reasonably justifiable in a democratic society in the interest of defence, public safety, public order, public morality or public health; or for the purpose of protecting the rights and freedom of other persons.

Nigerian Communications Act, 2003

The Nigerian Communications Act was signed into law in 2003 giving the Nigerian Communications Commission (NCC) a framework through which it operates. The NCC is the regulatory body that governs the telecommunications industry in Nigeria. Under Section 70 of the Nigerian Communications Act, the Nigerian Communications Commission (NCC), can issue regulations and guidelines on any matter where the Act makes express provision. Section 147 of the Act grants the NCC the power to determine that a communications licensee “shall implement the capability to allow authorised interception of communications and such determination may specify the technical requirements for authorised interception capability.”

The Act defines a licensee as “a person who either holds an individual licence or undertakes activities which are subject to a class licence granted under this Act. A class license is defined as “a licence for any or all persons to conduct a specified activity and may include conditions to which the conduct of that activity shall be subject.”

Lawful Interception of Communications Regulations, 2019

As noted above, section 147 of the Nigerian Communications Act gives the NCC the power to authorize interception. The Lawful Interception of Communications Regulations were issued by the NCC to further clarify and expand the government’s ability to intercept. Regulations 4 and 12 establish the Office of the National Security Adviser and the State Security Service as the agencies authorized to intercept communications services provided by a licensee in or outside of Nigeria, as provided in the regulations.

Regulation 7 details the requirements of the type of communication where a judge of the Federal High Court, as defined in Regulation 23, can issue a warrant for interception. These are:

  1. in the interest of national security;
  2. to prevent or investigate a crime;
  3. to protect the economic wellbeing of Nigerians;
  4. in the interest of public emergency or safety; or
  5. to comply with international mutual assistance agreements, in which Nigeria is a party.

The judge of the Federal High Court can only issue a warrant where there is no other lawful way to attain the information. According to Regulation 8, interception may be lawful without a warrant where one of the parties to the communication consents; it is done by a person who is a party to the communication who has sufficient reason to believe there is threat to human life and safety; and it is required to record or monitor such communication during the ordinary course of business. Section 12(4) further clarifies that an authorized agency may initiate interception without a warrant, provided that the authorized agency applies for a warrant within 48 hours after the interception has occurred, when: there is immediate danger of death or serious injury to any person; activities that threaten the national security; or activities having characteristics of organized crime. If an application is not made or is denied, it shall terminate immediately and further interception shall be treated as unlawful. The definition of authorized agency in section 23 also includes the Nigeria Police Force.

If the communication is protected or encrypted, under Regulation 9 the authorized agency can request for the disclosure of the communications as well (see more in “encryption” below).

Regulation 10 requires that all licensees of the NCC install equipment that allows for the interception of communication. Furthermore, Regulation 11 mandates that no licensee of the NCC can provide communications services that are unable to be monitored or intercepted.

Cybercrimes Act, 2015

Section 39 of this Act provides that where there are reasonable grounds to suspect that the content of any electronic communication is reasonably required for the purposes of criminal investigation or proceedings, a Judge can, on the basis of information on oath, “order a service provider, through the application of technical means to intercept” the transmission of specific communications through a computer system. Section 39 states that a judge can also authorize a law enforcement officer to collect or record such data through the application of technical means.

Terrorism (Prevention) (Amendment) Act, 2013

Under Section 1A of this Act, which amends Terrorism Prevention Act, 2011, the Office of the National Secret Adviser shall serve as coordinating body for all security and enforcement agencies under the Act.  The Attorney General of the Federation has authority for effective implementation and administration of this act, including responsibility for the “gathering of intelligence and investigation of the offences under this Act,” and effective prosecution of terrorism matters (see further responsibilities in “Oversight of the Use of Powers” below).

Section 29 of the Terrorism (Prevention) (Amendment) Act authorizes relevant law enforcement agencies, provided that the authorized officer obtains the necessary approvals from the Attorney General of the Federation and the Coordinator of National Security, to apply ex-parte to a judge for an order to intercept the communication, for the purpose of prevention of terrorist acts or to enhance the detection of offenses related to the preparation of terrorist act or the prosecution of offenders under this Act. The judge can order a communications service provider to intercept and retain a specified communication or communications. The judge can also authorize relevant law enforcement to install devices for the interception and retention of specific communications on a providers’ premises, and to remove and retain such a device for purposes of intelligence gathering. For purposes of this act, a communications service provider means a person who provides postal, information, or communication services, including telecommunications services. The order from the judge shall also specify the maximum period for which a provider may be required to retain communications data.

Disclosure of Communications Data

Nigerian Communications Act, 2003

Under Section 64 of the Act, the Nigerian Communications Commission (NCC) has the power to gather information from anyone subject to the Act that the Commission believes is necessary for it to “exercise its powers and functions subject to the Act or its subsidiary legislation.”

Guidelines for the Provision of Internet Service, Nigerian Communications Act

Under Section 70 of the Nigerian Communications Act, the NCC can issue regulations and guidelines on any matter where the Act makes express provision. According to the sixth guideline of the Guidelines for the Provision of Internet Service issued by the NCC, “internet service providers must provide any service related information requested by the Commission or other legal authority, including information regarding particular users and the content of their communications, subject to any other applicable laws of Nigeria.” The sixth guideline calls for general cooperation from service providers with law enforcement and regulatory agencies investigating cybercrime or other illegal activity, for ISPs to provide contact details for a representative responsible for addressing cybercrime issues, as well as to report to the NCC or appropriate authority upon becoming aware of activity indicating internet use for an offense.

Under the eighth guideline, internet service providers must retain internet service-related information, including user identification, the content of the user messages, and traffic or routing data, for a minimum period of twelve (12) months or as directed by the NCC.

Cybercrimes Act, 2015

The Cybercrimes Act of 2015 provides a legislative, regulatory, and institutional framework to fight cybercrimes and strengthen cybersecurity in Nigeria. Section 38 of the Cybercrimes Act details the duties of service providers in relation to cybercrimes. It orders service providers to keep records of traffic data, subscriber information, or related content for a period of 2 years as prescribed by the authority “responsible for the regulation of communication services in Nigeria. At the request of that authority or a law enforcement agency, the service provider must release that information to the relevant authority or agency.

Traffic data is defined as “any computer data relating to a communication by means of a computer system or network, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.”

Section 39 of the Act outlines powers that a judge has in the event that the content of electronic communication is necessary to move forward with a criminal investigation. The judge can order a service provider to collect information or data transmitted via a computer system to assist authorities or give a law enforcement agent the power to collect such information or data. Article 40 (1) further clarifies that it is the duty of service providers to disclose information requested by any law enforcement agency or otherwise render assistance under the Act, and article 40(2) clarifies steps a provider may be asked to take in support of the regulation, such as assistance with identification, tracking of devices and equipment used in offenses, and freezing of services. Both articles 40(1) and (2) are subject to significant legal penalties for noncompliance, including potentially for company personnel.

Terrorism (Prevention) (Amendment) Act, 2013

Section 5(h) of the Amendment states that, subject to the provisions of the Terrorism Prevention Act, law enforcement agencies shall have the power to request or demand for, and obtain from any person, agency or organization, information, including any report or data that may be relevant to its functions.

National Security and Emergency Powers

Nigerian Communications Act, 2003

Section 146 gives the Nigerian Communications Commission (NCC) the power to ask a licensee to assist in preventing a crime or violation of Nigerian law, including in the protection of public revenue and preservation of national security, to the extent reasonably necessary to stop the action.

In Section 148, the Act establishes how the Commission can act on the occurrence of any public emergency or in the interest of public safety. In such circumstances, the NCC can suspend the license of the licensee and take temporary control of their service or network facilities as the Commission deems necessary. The NCC also has the power to take away “the use of any service or network facilities from any licensee, person or the general public.” The Act defines network facilities as “any element or combination of elements of physical infrastructure used principally for or in connection with the provision of services but does not include customer equipment.” Furthermore, the Commission can order that any communications to or from the licensee, or anyone else, can be intercepted and restricted. Such communications and records of communications must be disclosed to an authorized officer. Lastly, the Commission can confiscate any customer equipment under this provision. Section 149 of the Act details that the NCC may direct a licensee or class of licensees to develop “a disaster plan for the survivability and recovery of any services or network facilities in case of a disaster, crisis or civil emergency.”

Cybercrimes Act 2015

Section 3 of the Cybercrimes Act gives the President the power to declare certain computer systems and networks as being critical to the national security of Nigeria or economic and social wellbeing of Nigerian citizens through the designation of Critical National Information Infrastructure. Critical infrastructure in the law refers to “systems and assets which are so vital to the country that the destruction of such systems and assets would have an impact on the security, national economic security, national public health and safety of the country.”

Section 21 addresses the reporting of cyber threats. It mandates that any person or institution must inform the National Computer Emergency Response Team (CERT) Coordination Center “of any attacks, intrusions and other disruptions liable to hinder the function of another computer system or network” to allow CERT to respond appropriately.

Oversight of the Use of Powers

Constitution

Section 36 of the Nigerian Constitution establishes the right to a “fair hearing within a reasonable time by a court or other tribunal established by law and constituted in such a manner as to secure its independence and impartiality.” Under Section 233, the Supreme Court of Nigeria, the highest court in the country, can hear appeals from the Court of Appeals about “decisions in any civil or criminal proceedings on questions as to the interpretation or application of the constitution.”

Nigeria Data Protection Regulation (NDPR) 2019

The NDPR protects the data privacy rights of natural persons residing in Nigeria and natural persons who are Nigerian citizens but not residing in Nigeria.

Lawful Interception of Communications Regulations, 2019

Under Regulation 6 of these Regulations, “the Authorised Agency shall store any intercepted communication retrieved from a licensee for the period of their investigation and shall be destroyed upon completion of such investigation. Once a piece of intercepted communication is admitted in evidence by a court of competent jurisdiction, all other copies of that intercepted communication shall be destroyed by the Authorised Agency” that gained access to the information.

Regulation 18 clarifies that no authorized agency or other person involved in the interception can disclose information obtained via interception, except for purposes required in carrying out the functions called for in these regulations or the National Communications Act, or when such evidence is required for evidence in a court of law or when a competent authority requires it for criminal investigation or prosecution. Regulation 19 clarifies that all agencies shall keep logbooks of interceptions they carry out. In addition, every authorized agency shall prepare a report on all concluded interception cases carried out annually to be presented to the Attorney General of the Federation, which includes details on warrants requested and executed, the number of interceptions made, a general assessment of the importance of interception for addressing crimes in Nigeria, and complaints received.

Under Regulation 20, any person or licensee who is aggrieved by any interception activity shall in writing notify the NCC and may make a formal application to a judge from the Federal High Court for a judicial review. Every decision or direction on interception of communications shall subsist and remain in force until it is set aside by a court of competent jurisdiction in a final decision of the court.

Terrorism (Prevention) (Amendment) Act 2013

According to section 1A of the amendment, the Attorney General of the Federation shall be the authority for the effective implementation and administration of this Act. They shall strengthen and enhance the existing legal framework to ensure conformity of Nigeria’s counter-terrorism laws and policies with international standards and United Nations Conventions on Terrorism, to maintain international co-operation required for preventing and combating international acts of terrorism, and to ensure the effective prosecution of terrorism matters.

Censorship-related Powers

Constitution

In Section 39, the Constitution establishes the freedom of expression, including holding opinions and receiving and imparting ideas and information without interference. Additionally, the section maintains that each person can disseminate information, ideas, and opinions. Section 22 also protects the freedom of “press, radio, television and other mass media.”

Section 45 of the Constitution shall restrict or override Section 39 in certain circumstances, for instance, “in the interest of defence, public safety, public order, morality or public health;” or “for the purpose of protecting the rights and freedom of other persons.”

Nigerian Communications Act, 2003

Section 146 gives the Nigerian Communications Commission the power to ask a licensee to assist in preventing a crime or violation of Nigerian law including in preserving national security to the extent reasonably necessary to stop the action. There have been reported instances where the Nigerian government has utilized this provision to order internet service providers to censor and block websites.[1][2][3] As detailed above in “National Security and Emergency” powers, the NCC can order restrictions on communications in the occurrence of any public emergency or in the interest of public safety.

Guidelines for the Provision of Internet Service, Nigerian Communications Act

According to Section 7 of the Guidelines, issued by the NCC under the authorities in the Nigerian Communications Act, ISPs must include a provision in their service agreements that permits the immediate disconnection or suspension of a user’s account, and the termination of their service agreement, when the ISP becomes aware that any of its services are being used by the user contrary to the requirements of these Guidelines or other applicable laws or regulation.

Cybercrimes Act 2015

As detailed above in “Provision of Real-time Lawful Interception Assistance”, the Cybercrimes Act details various duties of service providers in relation to cybercrime. Section 40(1) clarifies that this responsibility includes “rendering assistance howsoever in any inquiry or proceedings under this Act.” Section 40(2)(c) of the act further clarifies that a service provider “shall, at the request of any law enforcement agency in Nigeria or at its own initiative, provide assistance towards . . . the freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence, hide or preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence.”

[1] Nigeria Factsheet. https://cipesa.org/?wpfb_dl=310.

[2] Censorship Archives. http://paradigmhq.org/tag/censorship/.

[3] Tightening the Noose on Freedom of Expression. https://ooni.org/documents/nigeria-report.pdf.

Oversight of the Use of Powers (Censorship-related)

Constitution

Section 36 of the Nigerian Constitution establishes the right to a “fair hearing within a reasonable time by a court or other tribunal established by law and constituted in such manner as to secure its independence and impartiality.”

Publication of Laws and Aggregate Data

Freedom of Information Act

Section 1 of the Freedom of Information Act allows any Nigerian citizen to request information possessed by any “public official, agency or institution.” Also, the applicant does not need to “demonstrate any specific interest in the information being applied for.” The applicant can file in court to compel a public entity to bring forth the information.

In the event that a public institution denies an application for information, Section 25 of the Act allows the Federal High Court to order the institution to disclose the information if:

    1. “the Court determined that the institution is not authorized to deny the application for information;
    2. where the institution is so authorized, but the Court nevertheless determines that the institution does not have reasonable grounds on which to deny the application; or
    3. where the Court makes a finding that the interest of the public in having the record being made available is greater and more vital than the interest being served if the application is denied, in whatever circumstance.”

Article 11 outlines how disclosure of information can be denied if that disclosure would be harmful to the international affairs and defense of the country. However, if it is found that the public interest in the disclosure of the information would outweigh the harm, then the application for information shall not be denied.

Section 12 allows a public institution to deny an application for any information which constitutes an invasion of personal privacy under Section 15 of this Act. Where the interest of the public would be better served by having such a record being made available, this exemption to disclosure shall not apply.

Encryption and Law Enforcement Assistance

Lawful Interception of Communications Regulations

If a communication is protected or encrypted, under Regulation 9 the authorized agency (e.g. National Security Adviser and State Security Services) can request for the key or code to enable the disclosure of the communications. If the licensee does not have the key or code, the authorized agency can then request the “custodian of the key or code to disclose the key or code. Also, the authorized agency “may seek assistance from a foreign authority in accordance with any international mutual assistance agreement where the key or code is in the possession of any person outside its jurisdiction.”

Cybercrimes Act 2015

Section 45 provides that a Judge can issue a warrant and authorize a law enforcement officer to “use any technology to decode or decrypt any coded or encrypted data contained in a computer into readable text or comprehensible format.”