Cryptography and the ECT Act
September 4, 2009 – 8:01 pm by Lance Michalson
What is cryptography?
Wikipedia defines “cryptography” as “the practice and study of hiding information”. What purpose does this serve? To:
- establish its authenticity;
- prevent its undetected modification;
- prevent its repudiation; and
- prevent its unauthorized use.
In terms of South Africa’s monitoring law, RICA, “encrypted information” means “any electronic data which, without the decryption key to that data-(a) cannot, or cannot readily, be accessed; or (b) cannot, or cannot readily, be put into an intelligible form”.
Is there a law in South Africa which deals with cryptography?
There are several laws which deal with crypto in one way or another (the import and export control laws, the monitoring and interception law and the e-commerce law).
Import and Export Controls
There are no domestic controls on the use of encryption in South Africa and encryption software is free to be used by commercial or private organizations (i.e. one does not need a permit from the relevant governmental department to use it).
In terms of South African law, the South African Government controls encryption as a dual-use system on the General Armaments Control Schedule. A valid permit is required for the import or transportation of “cryptographic equipment or software”.
The regulator previously known as the South African Telecommunications Regulation Authority (SATRA), and with effect from July 2000 as the Independent Communications Authority of South Africa (ICASA), regulates the use of encryption over telecommunications facilities, but not for internal computer systems.
Law Enforcement Interests in Cryptography
Cryptography provides clear benefits to commerce, industry and individuals. It also helps to prevent crime. For example, cryptography can make it more difficult to defraud companies and individuals and can also be used to protect intellectual property. However, criminals are quick to take advantage of new technologies and there is no doubt that serious criminals (e.g. drug traffickers, terrorists and paedophiles) will exploit encryption in an effort to defeat the work of law enforcement agencies. Government therefore has the dual responsibility of promoting and facilitating the lawful use of encryption by business and others on the one hand, and making it as difficult as possible for criminals to exploit it for their own purposes, on the other hand.
Investigations into criminal offences are often hampered by the discovery that material that might otherwise assist the investigation, or be used in evidence, has been encrypted. Law enforcement agencies often try to “crack” the encryption key. Although this is occasionally possible after considerable effort and expense, it is likely to become increasingly difficult - if not impossible - as technology develops.
South Africa’s monitoring law, RICA, contains provisions which enable the law enforcement, security and intelligence agencies to fight crime and threats to national security. In terms of the legislation, one has to apply to a Judge for a “decryption direction” in terms of which the holder of an encryption key is directed to disclose that key or provide decryption assistance in respect of encrypted information.
The E-commerce legislation
Chapter 5 of the Electronic Communications and Transactions Act (the ECT Act) deals with “cryptography providers”. The explanatory memorandum to the ECT Bill indicates that the purpose of the chapter is to also address Government’s security concerns.
In terms of Chapter 5, no person can provide cryptography services or cryptography products in the Republic until its particulars have been recorded in a register held by the Department of Communications. Failure to record the particulars in the register is a criminal offence (an unspecified fine or imprisonment for a maximum period of two years).
Chapter 5 is regarded as being one of the most contentious chapters of the ECT Act. Whilst many commentators appreciate the Government’s concern about the implications that the widespread use of cryptography may have for law enforcement in limiting the ability of the investigative authorities to understand lawfully accessed data, they argue that the provisions of the chapter do not accord with international best practice, nor do they meaningfully address security concerns.
Many also contend that the chapter is not clear and poses more questions than anything else. Who is a “cryptography provider”? What is a “cryptography service”? What is a “cryptography product”? When is it provided “in the Republic”?
