What is cryptography?
Wikipedia defines “cryptography” as “the practice and study of hiding information”. Where a document or communication has been encrypted, the act of encrypting serves several purposes, namely to:
- establish its authenticity;
- prevent its undetected modification;
- prevent its repudiation; and
- prevent its unauthorized use.
Is there a law in South Africa which deals with cryptography?
Historically, it has been the military who have used (and controlled) encryption hardware and software. Nowadays encryption software is readily available on the Internet (often as freeware or shareware) and it is very difficult for governments to decrypt a document or communication without access to the user's private key.
There are several laws which deal with crypto in one way or another, including the Armaments Development and Production Act of 1968 (for military software), the Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002 (RICA) and the Electronic Communications and Transactions Act of 2002 (ECT Act). The Independent Communications Authority of South Africa (ICASA) regulates the use of encryption over telecommunications facilities.
Armaments Development and Production Act
There are no “domestic” controls on the export, import, downloading and use of encryption software in South Africa and one does not need a permit to use it. “Domestic” refers to the public’s freedom to use encryption software (as distinct from military use).
The only time a permit or licence is required is where the product is used for military purposes, or comes from a military supplier (an entity which has developed the technology specifically for sale to governments). This is in terms of the General Armaments Control Schedule of the Armaments Development and Production Act of 1968.
The ECT Act
Chapter 5 of the ECT Act requires suppliers (not users) of “cryptography” services or products to record their names and addresses, and the names of their products with a brief description, in a register maintained by the Department of Communications. Unless the (local or foreign) supplier has registered, they cannot provide their services or products in South Africa. In addition, failure to record the particulars in the register is a criminal offence (an unspecified fine or imprisonment for a maximum period of two years).
Registration will allow investigative authorities such as the SAPS to identify which organisation provided the encryption technologies intercepted by them in terms of RICA (see below). This will enable the investigative authorities to approach these service providers to assist with deciphering the encrypted messages.
Chapter 5 is regarded as being one of the most contentious chapters of the ECT Act. Whilst many commentators appreciate the Government’s concern about the implications that the widespread use of cryptography may have for law enforcement in limiting the ability of the investigative authorities to understand lawfully accessed data, they argue that the provisions of the chapter do not accord with international best practice, nor do they meaningfully address security concerns.
Many also contend that the chapter is not clear, poses more questions than anything else and leaves many uncertain whether to register as a cryptography provider or not.
Monitoring law (RICA)
Investigations into criminal offences are often hampered by the discovery that material that might otherwise assist the investigation, or be used in evidence, has been encrypted. Law enforcement agencies often try to “crack” the encryption key. Although this is occasionally possible after considerable effort and expense, it is likely to become increasingly difficult – if not impossible – as technology develops.
RICA contains provisions which enable the law enforcement, security and intelligence agencies to fight crime and threats to national security. In terms of the legislation, one has to apply to a Judge for a “decryption direction” in terms of which the holder of an encryption key is directed to disclose that key or provide decryption assistance in respect of encrypted information. Law enforcement should (in theory) be able to identify the holder of the key if their details (as a supplier of crypto software) have been entered in the DoC’s register of crypto suppliers. This is the link with the crypto registration provisions in the ECT Act. In many instances in practice, however, the supplier will not be able to provide the identity of the user of the crypto software.
Registration as a crypto provider
For information on our cryptography provider registration services, click here.
If you would like us to provide you with a quote for you to register with the DoC as a crypto provider, please complete this online questionnaire.