eNaira.gov.ng, not enaira.com, should have been used in the first place, experts say; advise need for eNaira project to be fully NDPR compliant

Introduction

In a historic development, Nigerians witnessed the unveiling of the country’s central bank digital currency (CBDC), the eNaira, by President Muhammadu Buhari at the State House, Abuja, FCT, on Monday, 25 October 2021. With the unveiling of the eNaira, millions of Nigerians are expected to troop increasingly to the eNaira website in the days ahead. But which of the eNaira websites? eNaira.com or eNaira.gov.ng?

The new eNaira website is www.enaira.gov.ng. This .gov.ng domain has replaced the former www.enaira.com domain name which was previously advertised and promoted by the CBN. The new domain name www.enaira.gov.ng is provided in CBN’s public notice of 23 October 2021 which announced the date of the unveiling of the eNaira. 

Meanwhile, when one visits the old site www.enaira.com, it redirects to the new site www.enaira.gov.ng. At the time of writing, the CBN has not commented on or given any reason for the domain-name change.

But Nigerians may be wondering or asking questions such as these: Why was the former domain name changed? Are there any cybersecurity implications involved? How secure is the new .gov.ng domain compared to the former .com domain? Should Nigerians and non-Nigerians have anything to be worried about?

To get answers to these questions and more, CAB’s Founding Editor, Senator Ihenyen, ‘went to town’ to get the opinions of some stakeholders as well as experts on the matter. As you might expect, in what turned out to be an engaging and enlightening trip, we did not only get answers but also found more questions than answers along the way. Hop in; take this cab (pun intended) with us!

Redirecting or re-routing a domain name is no cause for alarm. It is "normal practice".

Adedeji Owonibi, the Senior Partner at A&D Forensics and Chief Operating Officer (COO) at Convexity, is of the opinion that CBN’s decision to redirect enaira.com to enaira.gov.ng is not expected to do any harm. According to him, “redirecting a domain is a normal practice which even renowned global brands also do, including fb.com redirecting to Facebook.com”.

Similarly, Jude Ozinegbe, Founder of Cyberchain, a blockchain & cybersecurity consulting firm, is also of the view that the domain redirection should not raise any issues. Mr. Ozinegbe believes that it is “not much of an issue because many Nigerians are not even aware of the previous website [in the first place]”. But for the Nigerians who are aware of the earlier enaira.com, Mr. Ozinegbe advised that “what they should know is that organizations can have domain name redirection and it’s not an issue in the cyberspace”.

Mr. Ozinegbe pointed out that “as a matter of fact, it’s a professional approach to redirect websites with different extensions to a primary one. For instance, a company can register, www.domain.com, www.domain.org, and www.domain.net, but point all three domains to www.domain.com, as its official primary domain. By doing this, the organization has secured its web presence having registered and redirected similar or confusing domain names for itself, thus preventing them from being bought by unauthorized persons who could unduly use such domain names for misleading unsuspecting individuals through fraudulent schemes”.

eNaira.com redirecting to eNaira.gov.ng may confuse some users, resulting in suspicion.

Without disputing what the cybersecurity experts think, Babatunde Obrimah, Chief Operating Officer (COO) at Fintech Association of Nigeria (FinTech NGR), chose to look at the eNaira domain-redirection matter from another point of view—the layman’s point of view. From this point of view, Dr. Obrimah thinks it may be confusing to users when they see that they are being directed from one site to another.

In Dr. Obrimah’s words, “I am not a cybersecurity expert, but my first reaction is why have two websites? A cyber conscious person may suspect fraud when being moved from enaira.com to enaira.gov.ng. My view is that for consistency it’s better to have just one site”.

The need to avoid the unintended consequences of the inconsistency Dr. Obrimah refers to is perhaps what HHI Olutoyin J Oloniteru pointed out when he emphasized the importance of the CBN maintaining only a .gov.ng domain. A member of the Expert Group for Senate Committee on ICT and Cybercrime and member of the subcommittee on Nigeria Data Protection & Privacy Law Legislative Drafting for the Senate, Chief Oloniteru said that “CBN is a government entity and should stay with .gov.ng in order to guard against social engineering. In its communication to the Nigeria public, it must be stated that they should visit only the website with .gov.ng. It must be only that. So once Nigerians do not see .gov.ng there they should not even visit the site to do transactions!” Cybercrime is more prone to social engineering when unsuspecting users are avoidably exposed to phishers who create fake sites that appear to be identical to legitimate sites, Chief Oloniteru maintained.

eNaira being a government-driven project, "eNaira.com should not have happened at all".

But if the opinion of Chief Oloniteru is anything to go by, Dr. Obrimah’s description of what users’ reactions would be when directed to a new eNaira domain may be an understatement. A blockchain technology and information security expert and cofounder of Data Analytics Privacy Technology Ltd (DAPT), a licensed Data Protection Compliance Organization (DPCO) in Nigeria and DAPT UK, Chief Oloniteru does not only think that the CBN should not have housed the eNaira on a .com top level domain (TLD) but also believes that the eNaira may not be compliant with the Nigeria Data Protection Regulation (NDPR).

“ENaira.com should not have happened at all”, Chief Oloniteru said. “It was wrong for the eNaira to be under .com in the first place” as “it is a form of breach to have the personal data of Nigerians processed in a foreign domain site when Nigeria can have .gov.ng ab initio”.

Similarly, Chimezie Chuta, Founder of Blockchain Nigeria User Group (BNUG) and Vice Chairman of Blockchain Industry Coordinating Committee of Nigeria (BICCoN), thinks that, since the eNaira project is a government-driven project, registering the domain name under .gov.ng was the appropriate thing to do in the first place. So re-routing the .com domain to the .gov.ng domain is a welcome development. In his words, “I think the original domain of the eNaira project ought to have been the ‘dot gov dot ng’ domain extension seeing that this is a government initiative. By re-routing the ‘dot com’ extension, users can have confidence that it’s indeed a government-driven project instead of a private company as may have been initially insinuated. Again it shows the level of preparedness of the CBN for the launch of its CBDC”.

Raising more questions than answers, eNaira's compliance or otherwise with applicable data protection and privacy regulation comes to the fore.

Raising questions for the CBN and Nigerians to think about, Chief Oloniteru wondered whether applicable data protection and privacy requirements had been met by the CBN in its eNaira project before the eNaira launch. 

As if rhetorically, Chief Oloniteru asked, “Is CBN’s technology provider from Barbados NDPR compliant? Has all the firm’s staff been trained on NDPR in compliance with the regulation? Has the eNaira product been evaluated by the National Information Technology Development Agency (NITDA) and confirmed sound in terms of Software Reliability Testing? We are in a data-digital economy. So NDPR compliance is mandatory”.

Perhaps Mr. Owonibi’s take on whether CBN’s decision to redirect www.enaira.com to www.enaira.gov.ng has any cybersecurity implications demonstrates the need for CBN to ensure that its cybersecurity shield is not only strong but also comprehensive and proactive. “There may be two cybersecurity concerns to look at”, points out Mr. Owonibi. “First, looking at it from the security angle, if CBN’s open redirect is not properly done, it may be possible for an intruder to redirect the www.enaira.com domain to a misleading or fraudulent one via a phishing attack. For instance, if the referrer checks implementation mechanism is a simple Cross Site Request Forgery (CSRF) or get requests that are state-changing, malicious actors can gain access”.

“I would even advise that all possible Top Level Domain names (TLDs) like ‘.com’, ‘org’, ‘.net’, and their ‘.ng’ extensions be bought and redirected to the new official primary one: eNaira.gov.ng”, suggested Mr. Ozinegbe, whose current preoccupation with organizing a major blockchain & cybersecurity conference coming up in November did not prevent him from responding to the questions raised.

But “[w]hat is the assurance that there is effective data security with respect to the mapping of enaira.com to enaira.gov.ng?”, asks Chief Oloniteru, a former Director General, ICT – Government of Ekiti State, Nigeria and former member of the National Council on Communication Technology (NCCT). “By this I mean the data in transition in the course of the mapping”. While considering that the mapping may be technically fine, Chief Oloniteru considers it “a misnomer brand-equity wise” for the CBN to have initially registered and maintained www.enaira.com as the primary domain for the eNaira, a national infrastructure.
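The concerns raised above about the redirect and about data in transit during the mapping can be checked from the defender's side by auditing an observed redirect chain. The following is an added example, not code from the CBN or from the experts quoted; the function names and the sample chains are constructed, and only the two domain names come from the article.

```python
from urllib.parse import urlsplit, urljoin

OFFICIAL = "enaira.gov.ng"   # official domain named in the article
LEGACY = "enaira.com"        # older domain the article says now redirects
REDIRECTS = {301, 302, 303, 307, 308}

def host_of(url):
    # .hostname drops any "user@" prefix and port, so a URL written as
    # "https://enaira.gov.ng@other.host/" resolves to "other.host".
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def under(host, domain):
    # Exact match or a true subdomain. A substring or prefix test would
    # accept look-alikes such as "enaira.gov.ng.example.com".
    return host == domain or host.endswith("." + domain)

def audit_redirect_chain(start_url, hops):
    """hops: observed (status, Location) pairs, one per response, in order.
    Returns a list of findings; an empty list means the chain is clean."""
    findings, url = [], start_url
    for status, location in hops:
        host = host_of(url)
        if urlsplit(url).scheme != "https":
            findings.append(f"plaintext hop: {url}")
        if not (under(host, OFFICIAL) or under(host, LEGACY)):
            findings.append(f"unexpected host in chain: {host}")
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    if not under(host_of(url), OFFICIAL):
        findings.append(f"chain ends off the official domain: {host_of(url)}")
    return findings

# Constructed chains for illustration (not captured traffic).
GOOD = [(301, "https://www.enaira.gov.ng/"), (200, None)]
LOOKALIKE = [(302, "https://enaira.gov.ng.example.com/login"), (200, None)]
USERINFO = [(302, "https://enaira.gov.ng@phish.example/"), (200, None)]

if __name__ == "__main__":
    for name, start, hops in [("good", "https://www.enaira.com/", GOOD),
                              ("plaintext", "http://www.enaira.com/", GOOD),
                              ("lookalike", "https://www.enaira.com/", LOOKALIKE),
                              ("userinfo", "https://www.enaira.com/", USERINFO)]:
        print(name, audit_redirect_chain(start, hops) or "clean")
```
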

Mr. Owonibi believes that “the domain redirect may be fine if CBN owns the trademark of the two domain names in use, otherwise it may give rise to possible trademark infringement of the rightful owner”. 

It would be recalled that just a few days before the earlier date scheduled for the unveiling of the eNaira, a private company claimed ownership of the trademark “ENaira”, and sued CBN at the Federal High Court. It is still believed in some quarters that this trademark suit may in fact be one of the reasons the unveiling of the eNaira was initially postponed indefinitely.

Olumide Babalola, a data protection and privacy lawyer who has just had two of his articles published in two international data protection & privacy journals, spared some of his time to contribute to the issue. “Normally”, Mr. Babalola started, “CBN’s privacy notice on the eNaira website should reflect any transfer or sharing between enaira.com and enaira.gov.ng domains”.

In any case, Mr. Owonibi observed that since the enaira website “seems to be just informational as the main eNaira wallet infrastructure has nothing to do with this redirect”, there should be no issues. Besides, he is “pretty sure the CBN is on top of this and will not joke with a national infrastructure such as this eNaira project”.

But from a data protection and privacy perspective, Chief Oloniteru thinks that it is not just the enaira website that Nigerians should be concerned about but also the entire eNaira infrastructure. According to Chief Oloniteru, the way the CBN could really be on top of the situation—if it is not already—is for the CBN to first of all comply with the NDPR and the Implementation Framework. Buttressing his point, Chief Oloniteru observed that “[t]here is no privacy notice and cookies policy on the eNaira website. So currently it is not NDPR 2019 Compliant!” Advisedly, Mr. Oloniteru thinks that the CBN should conduct a Data Protection/Privacy Impact Assessment (DPIA) on the entire eNaira project. “It is not just the eNaira website alone but the Speed Wallet, and other aspects. It is not enough that they work technically but they must also meet regulatory requirements”, said Chief Oloniteru, the Ajiroba of Igogo-Ekiti Kingdom.

Though not conspicuous on any menu pages or other items on both the enaira.com and enaira.gov.ng websites, there is in fact a ‘Wallet Privacy Policy’ published on both websites. But given the manner in which the privacy policy is currently published, users will most likely miss it. It is only when users attempt to sign up for an eNaira Speed Wallet after installing the app that they may notice a link provided at the bottom of the sign-up page. At the time of writing, the link points to the former domain https://enaira.com/wallet/privacy-policy. When one uses the same link pattern on enaira.gov.ng, one discovers that the privacy policy is also published there. CBN needs to make its privacy policy conspicuous. In fact, making a privacy policy conspicuous on any medium on which it is published is a requirement under the NDPR Implementation Framework.

Further, it is vital that CBN’s foreign technical partners and other third parties that are involved or will be involved in the eNaira project are NDPR compliant. Each party must have conducted a DPIA on its engagement in respect of the eNaira project. Such engagement will typically result in system change, upgrade/updates, and of course impacts on rights of data subjects of all partners and collaborators with CBN on the eNaira project.

Moreover, although blockchain has been described as a trustless technology that can improve transparency and security in transactions, its digital-currency application particularly exposes users to certain security risks, if not properly managed. As a digital currency, the eNaira is no exception, regardless of its control by a central bank. Cybersecurity is critical. This is why both CBN’s eNaira platform and the eNaira project partners are expected to undergo penetration testing (ethical hacking), if not already completed. This should be conducted by local firms in Nigeria. According to Chief Oloniteru who is a member of the Board of Directors, International Centre for Emerging Technology (ICET), Federal University of Technology Minna (FUT Minna), Niger State, the practice is that if such penetration test were conducted by foreign firms, employees of these firms are required to then undergo what is called security clearance in Nigeria.

The CBN as the driver of the eNaira project—to borrow Mr. Owonibi’s words—must be on top of this.

More education about CBDCs and the eNaira is critical to adoption.

Perhaps Mr. Ozinegbe’s words below would be the befitting closing words: “CBDC is not a demand from the people. Therefore it requires a concerted effort by all stakeholders to disseminate information and educate people from multiple avenues. It requires what I call a knowledge push rather than a demand pull. The CBN should liaise with relevant agencies, including the National Orientation Agency (NOA)—which I believe is a subset of the Federal Ministry of Information—to assist with the much-needed knowledge push to every Nigerian, far and wide. The commercial banks who are also major stakeholders and players in the eNaira project should leverage their existing communication channels to educate and engage their customers. FinTechs also have a significant role to play. We all need Nigeria to work in all facets, so we desire a positive outcome. As we watch how this unfolds, we can only hope for the best”.