FROM CRIME TO LEGALITY: INSTITUTIONALIZING HACKING IN CAMEROON

Reference

The name of the author: Saron Messembe Obia
The year of publication: 10 January 2022
Name of the Website: Human Rights and Legal Research Centre,
The URL or link: https://hrlrc.org/2023/01/10/from-crime-to-legality-institutionalizing-hacking-in-cameroon/

The date on which you accessed the website:

Abstract

A conduct is criminal only when it is formally declared by a particular substantive law. In order to secure a computer or a system from being breached by a hacker, its necessary that the user should have basic knowledge of information and communication technology. The terminology hacker is constantly misused by society, due to a lack of standard definition of the term. This paper reveals some challenges in sanctioning cyber conducts in Cameroon. The paper equally exposes the advantages of institutionalizing hacking, by using the example of the San Bernardino case in the United States of America. It further provides recommendations on criminal activities that are punishable online, which could equally be done offline.

Keywords: Cameroon, Criminalization, Hacker, Hacking

Introduction

The incorporation of digital economy in Africa and Cameroon in particular have led to the emergence of non-conventional crimes, redefining the criminal landscape in the country. The modus of operandi of criminals continue to moderate debates with regards to the complexity of criminal law. The complexity is caused by the uncertainty created by judges in court at all levels, who sometime do not understand or adhere to fundamental principles, theories and coloration of events relating to white scholar crimes like; hacking, identity theft, identity fraud and staff dishonesty. These emerging security menace or crimes are not only challenging but frustrating when the auxiliaries of the criminal justice system are not vest with such crimes, a bad judgement could be taken.

Criminal law has been in existence since immemorial and its subject matter has mostly been of substantive in legal milieu. Despite the emergence of different types of crimes, criminal law is the only legal framework which determines what is or is not a crime. This work is not concerned with why certain conducts are considered criminal. Rather it is concerned with the offence of hacking as per Cameroon legal framework and how it can be institutionalized.

Types of hackers

The term hacker has been criminalized by auxiliary of the criminal justice system, who are not vest or don’t understand the term. Several cases like that of San Bernardino case in the U.S expose the need for hackers in security agencies. Similarly, the hack of the presidential website of Cameroon in 2015, equally appeals for new policies and actors (hackers) to secure the Cameroon cyber space. In order to understand an illness is necessary to diagnose the patient, that is the case with a hacker.

An individual with basic IT knowledge, desire to breach systems or networks, either with motivation to expose his/ her talent to local community, for a company or for money is usually considered a hacker. More so, most hacker must be patience, organize and plan their task well in order to gain access in to network or system. However, not all hackers are the same, nor have the same objectives. Below are the three category of hackers:

1. Black-hat hackers

2. White-hat hackers and

3. Gray-hat hackers.

 A black hat hacker or black hacker is a person who attempts or breach systems, by exploiting the security vulnerabilities for financial gain or other malicious reasons. This set of individuals are usually considered the criminals or bad guys.

In the past decades, there have been a shift from black hat hackers to white hat hackers. An example, is ethical hacker Kevin Mitnick, who was once a wanted by the Federal Bureau of Investigation (FBI). Today, through conference and online demos, Kevin advocacy for hacking is positive than ever before. H has been converted to an ethical hacker (white hat hacker) and now a senior consultant.

 A white-hat hacker is a computer security specialist who breach into protected systems and networks to test and assess their security. White-hat hackers or the ethical hacker use their skills to improve security of systems and networks, thereby exposing vulnerabilities which criminals (black hackers) can detect and exploit. Hacking is not limited to black and white hat. There is another type or category, which is the Gray-hat hackers.

One of the major challenges to IT professionals is that, hacking is criminalized in most Sub Saharan African countries, be it ethical or not. There is no doubt that, with the prevalence of corruption and poverty, most hackers in Africa fall under this type of hacking (gray hat hacker). A gray-hat hacker is someone who is prone to violation of ethical standards or principles, but without the Mens Rae of a black hat hackers.

In order to be criminally liable, evidence and a complaint must be filed. The term ethics is yet to be contextualized as regard what is just or not just, so far, legal instruments relate ethics to a behavior which is not repugnant to natural justice. But if one regroups the society as one, the term ethical hacking will be complex even in the domain of national security. A phenomenal question will be; Is it ethical to spy on children “parental guidance”? However, it should be noted that hacking is a profession in the field of information and communication technology, when is ethical.

Causes of hacking

Hacking is sanctionable in Cameroon. However, is essential to know some of the reasons why people hack. Below are four reasons why hackers generally breach systems or networks:

The first reason for hacking is to collect data. The data collected varies as to what is exploited for; from business to military data which can be weaponized or for industrial espionage, to private data and public health for victimization.   

Another reason why a system or network is breach is to obtain data of a person or client (identity theft), in order to effectuate financial transaction from the bank account of the latter. It correlates with the continuous distributed denial of service (DDoS) attacks by criminals.

The third reason for hacking is link to destructive narrative. A hacker simply defaced websites. The main objective, in this case, is to make damage, terrorize and create insecurity.

The last, but not the least reason for hacking is fun. Novice in the domain derive pleasure to hack devices in order to mock, create fear, confusion and come out unnoticed. They are equally bully persons in their community for no financial returns.

Theories relating to hackers

Youths are increasingly incorporating the security milieu, particularly the domain of cyber security which is highly solicited by national security agencies and international organizations. Though hacking is still considered a criminal offence in some Sub Saharan Africa countries because of inadequate knowledge of the trade. Several theories across different disciplines have been examined to understand the rational and irrational of why hackers engage in cybercrimes.

Bandura’s social learning theory

Within the last decade African organizations are being hacked. These hackers breach systems in order to expose the vulnerabilities of these entities, for financial motives and also to alter and damage data. This correlates with Albert Bandura’s (1977) social learning theory, which links criminal behaviours to social groups or community. The general tendency is that both deviant and conforming behaviours emanates within the same high-level learning process which is linked social structure, interactions, and situations in a given community. Individuals tend to engage in criminal behaviour when they associate with criminals and adhere to their trends of life in order to justify their operations. This argument which is often advanced by local communities and international organizations when a hacker is apprehended outweighs the sanctions to be imposed to the latter (criminal).

Drawing from the 90% vulnerability rate of software used in Cameroon according to statistics of the national agency for information and communication technologies, hackers are likely to hack in to companies in order to reveal the challenges of securing these entities and as justification for their recruitment in order to develop security strategies (Rogers, 2011 and Atkinson, 2019).

According Bandura (1999), Bocij & McFarlane (2003), depersonalized obedience reduces the level of obedience yielded to social constructs and norms. More so, the general tendency is that, the depersonalization afforded by cybercrimes inspire hackers and even prompt them to perpetrate more crimes without remorse. Since cybercrimes occur within digital, non-physical, environments that are more likely also geographically distant. This is seen in hackers, who are also activists for causes or terrorists who motivate them to look beyond the impact of their actions and view victimization as a way sending a message about the vulnerability of systems and sharing their ideas. For example, the hacking of the presidential website and elections Cameroon.

The theory above provides greater insights into the prerequisite of hackers, thereby exposing the new wave of crimes in the globalization era. Notwithstanding, the paper provides a clear understanding on hackers to the judiciary in order to adopt a new concept on hacking. Thereby distinguishing who is an ethical hacker from the other groups of hackers, who can collaborate with the state, and assists in critical assessment of networks (penetration testing or Pentest) in order to limit threats.

The objective of the principle of legality of crimes and punishment

The general principle of legality of crimes and punishments is to reprimand offenders with a given number of imprisonment terms, to ensure a peaceful co-existence of the society and prevent other potential criminals from adhering to deviant behavior.

The principle which the criminal justice withhold is that; a conduct or behavior is criminal only when it is formally declared so by a particular substantive criminal law. This is a concept that has been profoundly embraced by Cameroon criminal law as provided by the Penal Code per section 9 which spells out the legality of crimes and punishment. Hence is accords with the famous Latin maxim: nullum crimen sine lege (no crime without law). This concept provides the categorical legal identity that is the minimum identification necessary to react to an intruder with the widest possible range of lawful options. An intruder’s true identity may never be known, but his legal identity which is the minimum information necessary to treat him as a hacker, terrorist, or a trespasser, or a thief may be defined in advance and uncovered rapidly in the course of an intrusion. This appeals for an immediate, appropriate, and lawful response. This simply means, no one shall be convicted for acts, except such acts are prohibited in a written law in which a punishment is prescribed.

The applicability of the concept of legality of crimes and punishment

The Cameroonian law relating to cyber security and cyber criminality is not only complex but have limited details on technologies responsible for protecting systems of critical importance. White collar crimes are complex because of anonymity over the cyber space, which is a challenging factor for investigators and the criminal justice system.

Though the Cameroon Penal Code was substantial in the famous 2009 case of the People of Cameroon v. Tita Kevin N., there are still several challenges in relation to online misconduct like the hacking of the presidential website. The Cameroonian legislator introduced Bill no 989/PJL/AN of 2016 amending certain section to the Penal Code provides hope by stating that significant developments have taken place in the country which have led to changing of the legislature’s mind-set, and that behavioural changes inspired or amplified by new information and communication technologies have been noted among the people, including the fact that Cameroon has made some international commitments with regards to ICTs which it must honour.

Accordingly, Law no 2010/012 and 2010/013 of Dec.2010 does not only serve as the pioneer legal framework outlawing illegal activities against electronic and network infrastructure, but the main legislations which criminalizes unauthorised activities in Cameroon’s cyberspace.

CHAPTER IX of the 2010/012 law focuses on the protection of electronic communication networks, information systems and personal privacy in IV which appeals for the protection of privacy as per Section 44. (1)  which states: It shall be forbidden for any natural person or corporate body to listen, intercept and store communications and the traffic data related thereto, or to subject them to any other means of interception or monitoring without the consent of the users concerned, save where such person is so authorized legally.

Chapter II of LAW N° 2010/012 OF 21 DECEMBER 2010 relating to cybersecurity and cybercriminality in Cameroon focuses on offences and penalties as per section 64, 65, 66, and 67:

As per section 64; (1) Corporate bodies shall be criminally liable for offences committed on their account by their management structures.

(2) The criminal liability of corporate bodies shall not preclude that of natural persons who commit such offences or are accomplices.

(4) The penalties provided for in Subsection 3 above, notwithstanding one of the following other penalties may equally be meted out on corporate bodies:

– dissolution in case of a crime or felony punishable with respect to natural persons with imprisonment of 03 (three) years and above and where the corporate body has departed from its declared object to aid and abet the incriminating acts;

– definitive prohibition or temporary prohibition for a period not less than 05 (five) years, from directly or indirectly carrying out one or more professional or corporate activities;

– temporary closure for a period of not less than 05 (five) years under the conditions laid down in Section 34 of the Penal Code of the establishments or one or more establishments of the company that was used to commit the incriminating acts;

– barring from bidding for public contracts either definitively or for a period of not less than 05 (five) years;

– barring from offering for public issues either definitively or for a period of not less than 05 (five) years;

– prohibition for a period of not less than 05 (five) years from issuing cheques other than those to be used by the drawer to withdraw money from the drawer or certified checks or from using payment cards;

– seizure of the device used or intended to be used in committing the offence or the proceeds of the offence;

– publication or dissemination of the decision taken either through the print media or through any electronic means of communication to the public.

Section 65. (1) Whoever, without any right or authorization, proceeds by electronic means to intercept or not during transmission, intended for, whether or not within an electronic communication network, an information system or a terminal device shall be punished with imprisonment for from 05 (five) to 10 (ten) years or a fine of from 5.000.000 (five million) to 10.000.000 (ten million) CFA francs or both such fine and imprisonment.

(2) Any unauthorized access to all or part of an electronic communication network or an information system or a terminal device shall be liable to the same sanctions in accordance with Subsection 1 above.

(4) Whoever, without any right, allows access to an electronic communication network or an information system as an intellectual challenge shall be punished in accordance with Subsection 1 above.

Section 66. (1) Whoever causes disturbance or disruption of the functioning of an electronic communication network or a terminal device by introducing, transmitting, destroying, erasing, deteriorating, altering, deleting data or rendering data inaccessible shall be punished with imprisonment for from 02 (two) to 05 (five) years or a fine of from 1.000.000 (one million) to 2.000.000 (two million) CFA francs or both of such fine an imprisonment.

(2) Whoever uses the deceptive or undesirable software to carry out operations on a user’s terminal device without first informing the latter of the true character of the operation which the said software is likely to damage shall be punishable with the same penalties.

(3) Whoever uses potentially undesirable software to collect, try to collect or facilitate any of such operations in order to access information of the operator or supplier of an electronic network or services and commit a crime shall be punishable in accordance with subsection 1 above.

Section 67. Causing serious disturbance or disruption of the functioning of an electronic communication network or terminal equipment by introducing, transmitting, changing, deleting or altering data shall constitute a breach of the integrity of an electronic communication network or an information system and shall be punishable in accordance with Section 66 above.

Law enforcement officers

The 2010/012 law in its Chapter IX which focuses on the protection of electronic communication networks, information systems and personal privacy in its sub V which has to deal with the interception of electronic communication as per Section 49. However, the provisions of the Criminal Procedure Code provide that in case of crimes or offences provided for hereunder, criminal investigation officers may intercept record or transcribe any electronic communication.

Drawing from part III of cyber security and cyber criminality law in its chapter 1 on procedural law provisions as per Section 53. (1) Cybercriminal-related searches may concern data. Such data may be physical material or copies made in the presence of persons taking part in the search.

(2) When a copy of seized data is made, it may, for security reasons be destroyed on the instruction of the State Counsel.

(3) On the approval of State Counsel, only objects, documents and data used as evidence may be kept under seal.

(4) Persons present during searches may be requested to provide information on any seized objects, document and data.

Section 54. Searches and seizures shall be carried out in accordance with the provisions of the Criminal Procedure Code, taking into account the loss of validity of evidence.

Section 56. The request provided for in Section 50 above may be made to any expert. In such case, it shall conform with the provisions of the Criminal Procedure Code relating to the commissioning of an expert.

One of the major challenges in Sub Saharan Africa is that, most of the law enforcement officers entrusted to investigate white collar crimes have little or no expertise in this domain. Its necessary to highlight the fact that, if hacking is prohibited and the security officer does not have adequate knowledge of the modus operandi of these criminals, upon search it is normal that critical devices will even be left in the suspects base.

More so, the criminal procedure code evokes the role of an expert when policing cybercrimes in Cameroon. However, this is challenging in Sub Saharan African countries, as most recruitment is based on relationship. Hackers have the ability to operate from distant zones, crimes are often linked to different identities. Though challenging for law enforcement officers in the country, the mutual security assistance with international security organizations like Interpol is yielding fruits, as African countries are gradually understanding the game.

Criminal Justice System

The 2010/012 law in its PART III on cyber criminality, Chapter 1 focuses on procedural law provisions, while Chapter II on offences and penalties to be implemented by the criminal justice system as per section 71, 72, and 73 (1) and (2).

Section 71. Whoever without permission, introduces data into an information system or an electronic communication network in order to delete or change the data contained therein, shall be punished with imprisonment for from 02 (two) to 05 (five) years and a fine of from 1 000 000 (one million) to 25 000 000 (twenty five million) FCFA francs.

Section 72. Whoever without authorization and for financial gain, uses any means to introduce, alter, erase or delete electronic data such as to cause damage to someone else’s property shall be punished with the penalties provided for in Section 66 above.

Section 73. (1) Whoever uses an information system or a counterfeit communication network to falsify payment, credit or cash withdrawal card or uses or attempts to use, in full knowledge of the facts, a counterfeit or falsified payment, credit or withdrawal card shall be punished with imprisonment for from 02 (two) to 10 (ten) years and a fine of from 25,000,000 (twenty five million) to 50 000 000 (fifty million) CFA francs or both of such fine and imprisonment.

(2) Whoever deliberately accepts to receive electronic communications payment using a forged or falsified payment, credit or cash withdrawal card shall be punished in accordance with Subsection 1 above.

The criminal justice system demurs a major machinery in the fight against non-conventional crimes, corruption and money laundering. As such, is necessary for the different auxiliaries of the bench to have an insight or clear bearing of the patterns of hackers, the chain or members of the group (dishonest staff in banks, mobile operating companies and even government entities) who facilitate the perpetration of these crimes.

More so, in term of decision or rendering judgment, auxiliaries of the criminal justice system need not only to focus on the legislation but also try to understand the Mens Rae of the latter. The fact that hacking is sanctionable as per law 2010/012 in Cameroon, the judge need to review the terminology in order to adapt to new security dynamics in an emerging country, as discussed below based on hacking.

A scenario of Inchoate Crimes

With the emergence of hackers in Cameroon, those who obtain certifications by paying others to take an exam for them or those that have the mastery of the art and are purely ethical, pose a pertinent challenge on issues relating to aiding and abetting cybercrimes. Criminal liability for aiding and abetting in Cameroon requires Mens Rae, in order for one to be criminally liable.

Inchoate liability represents a middle ground in a criminal continuum: at one extreme, they are mere thoughts. Criminal law does not, as a matter of general principle, punish people for their thoughts alone, however heinous or immoral those thoughts might be. At the other extreme there is the completed crime which is the legitimate target of criminal law. Inchoate offences simply represent a manifestation of the thoughts through some positive act (in the form of an agreement or an attempt) and yet a step from the completed offence. There are several justifications relating to sanction of inchoate offences, but there are two most argued aspects:

Firstly, it has been argued that in terms of moral culpability there is no difference between a person who successfully commits an offence and another who agreed with others to commit an offence or even attempted to commit that offence. They are equally culpable or blameworthy. As Ashworth puts it, there is “no relevant moral difference between an attempter and a substantive offender and they all need to be subjected to the same punitive process” (Patricia Asongwe, 2019). This correlates with the fact that, when novice commit a crime and are assisted by dishonest staff in financial institution, they must be equally apprehended and sanctioned. This is because these dishonest staff have percentage in every criminal act, and if no sanction imposed, then it leads to continuity.

The second aspect is that of sanctions of inchoate offences is justifiable on preventive grounds. People who show a firm intent to cause a substantive harm by agreeing with others to commit a crime or attempt to commit that crime, or incite others to commit a crime pose the same danger to the society as those who succeed. They all create genuine fear and concern in the community and should be equally prevented. Insider threat is not a new term in the security milieu, as staff dishonesty leads to reputational damage of the entities, and other security challenges during criminal investigations, as most alter, fabricate and delete data to secure the suspect upon a special package.

Section73. (1) of the Cyber Code expressly punishes inchoate liability with an imprisonment for from 02 (two) to 10 (ten) years and a fine of from 25,000,000 (twenty-five million) to 50 000 000 (fifty million) CFA francs or both of such fine and Imprisonment.”

There is no doubt that the 2010/012 law and Penal Code limits sanctions in relation to inchoate offences. The two laws adopt the same sanctions as a person who attempts to commit any offence under the law is liable to the same penalty applicable to the completed offence.

Corporate Liability as per Cameroon norms

Legal persons are criminally liable under law 2010/012. Having spelt out the obligations of legal persons in sections 26 to 32, the law goes on to impose sanctions on corporate bodies. Specifically as per  section 64, which states that; corporate bodies shall be criminally liable for offences committed on their account by their management structures, that the criminal liability of corporate bodies shall not preclude that of natural persons who commit such offences or are accomplices, the penalties to be meted out on defaulting corporate bodies shall be fines of from 5000000 (five million) to 50 000 000 (fifty million) CFA francs and that the penalties provided, notwithstanding one of the following other penalties may equally be meted out on corporate bodies. Sanctions provided for corporate bodies include;

-dissolution in case of a crime or felony punishable with respect to natural persons with imprisonment of 03 (three) years and above and where the corporate body has departed from its declared object to aid and abet the incriminating acts; -definitive prohibition or temporary prohibition for a period not less than 05 (five) years, from directly or indirectly carrying out one or more professional or corporate activities;

-temporary closure for a period of not less than 05 (five) years under the conditions laid down in Section 34 of the Penal Code of the establishments or one or more establishments of the company that was used to commit the incriminating acts;

-prohibition for a period of not less than 05 (five) years from issuing cheques other than those to be used by the drawer to withdraw money from the drawer or certified checks or from using payment cards;

-seizure of the device used or intended to be used in committing the offence or the proceeds of the offence;

-publication or dissemination of the decision taken either through the print media or through any electronic means of communication to the public.

Accordingly, legal persons are liable for activities committed by physical persons acting for and with the authority of the legal persons. However, some conditions must be met, which are, but not limited to:

-the offence must have been committed for the legal person’s benefit;

-a person in a leading position must have been committed the offence (including aiding and abetting); -and the person in a leading person must have acted based on: the legal person’s power of representation;

-have the authority to take decisions on behalf of the legal person; or an authority to exercise control within the legal person.

More so, the law attaches liability to a person in a leading position failing to supervise an employee or the legal person’s agent, with the failure facilitating the employees who engage in cybercrime. Failure to supervise must be interpreted to include failure to take appropriate and reasonable measures to prevent employees or agents from committing an offence on the legal person’s behalf. As such appropriate and reasonable measures should be based the business type, its size, the standards or the established business best practices, and others. In Cameroonian, criminal, civil or administrative liability is only linked to a legal person. However, such liability must not prejudice the natural person’s liability for committing an offence.

Conclusion

Cameroon is gradually becoming a safe haven for cybercriminals. Inadequate expertise, staff dishonesty and the emergence of new technological tools available in the dark market are challenging factors in policing cybercrimes.  More so, the principle of offline/online crimes pose a challenging debate, as to sanctions to be imposed to crimes committed online and offline.

According to Patricia Asongwe (2019), in order to understand offline/online principle, punishment for the commission of an illegality should not be based only on the medium, because they exist several patterns of crimes. She equally argued that, focusing on a single pattern (online) will lead to the emergence of other pattern (offline) of crimes, which will make the law less effective.  

Despite the increasing rate of cyber criminality in Sub Saharan Africa, the internet is continuously exploited by the society to business, social connectivity (online dating) and security of data. Yet majority of users rarely recognize attacks, and those who (administrators in public and private entities) identify have little or no expertise to adopt adequate security measures. The purpose of a hacker (ethical hacker or white hacker) is to help prevent illegal activities on the internet against institutions and corporate entities.

A hacker is therefore valuable for the management of systems of local and international entities, as the latter would help develop recovery methods when systems are compromised. A hacker would equally help test the level of security of programs or software require to run operations in companies and acquisition of evidence during criminal investigations. An example is the Saint Bernardino Case in the U.S, which gave a clear bearing to the Federal Bureau of Investigation (FBI), when the organization had to hire an external hacker to unlock a terrorist IPhone.

References

Bandura, A. (1977). Social learning theory. Englewood Cliffs, NJ: Prentice Hall.

Bandura, A. (1999). Social cognitive theory of personality. Handbook of Personality, 2, 154–196.

Bandura, A. (2014). Moral disengagement in the perpetration of inhumanities. In Perspectives on evil and violence (pp. 193–209). Psychology Press.

Barber. (2001). Hackers profiled: Who are they and what are their motivations? Computer Fraud & Security, 2001(2), 14–17.

Bocij, P., & McFarlane, L. (2003). Cyberstalking: The technology of hate. Police Journal,76(3), 204–221.

Cekerevac, Z. et al. Hacking, Protection And The Consequences Of Hacking. Komunikacie · June 2018

Eric Akuta E , Ong’oa M and Chanika R.J ‘’Combating Cyber Crime in Sub-Sahara Africa; A Discourse on Law, Policy and Practice’’ Journal of Research in Peace, Gender and Development Vol. 1(4) (2011) at 113

Patricia Asongwe (2019). The Principle of Legality of Crimes and Punishment Migrates to Cyberspace: An Appraisal of the Cameroonian Experience. South Asian Law Review Journal. Volume 5 -2019

S. Chng et al. Hacker types, motivations and strategies: A comprehensive framework. Computers in Human Behavior Reports 5 (2022) 100167

https://ictpolicyafrica.org/fr/document/2xyan42talo?page=9

https://www.cameroun.cc/cyber-criminality-law-in-cameroon/

https://dokumen.tips/documents/textesparusendecembre2010-11.html

https://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone