Encryption law or cryptography law in South Africa

There is some encryption law or cryptography law in South Africa. None prohibit its use but cryptography providers or suppliers need to register with the Government. Users of crypto products don’t need to register. South Africa has a kind of anti-encryption law like some other countries (for example Australia). South Africa doesn’t have encryption export laws. In this article, we look at the relevant laws and help providers to get registered.

What is cryptography?

Wikipedia defines “cryptography” as “the practice and study of hiding information”. Where a document or communication has been encrypted, the act of encrypting serves several purposes? To:

establish its authenticity;
prevent its undetected modification;
prevent its repudiation and;
prevent its unauthorized use.

Is there cryptography law or encryption law in South Africa?

Historically, it has been the military who have used (and controlled) encryption hardware and software. Nowadays encryption software is readily available on the Internet (often as freeware or shareware) and it is very difficult for governments to decrypt the document or communication without access to the users private key.

There are a few laws that deal with crypto in one way or another, including the:

Armaments Development and Production Act of 1968 (for military software).
Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002 (RICA).
Electronic Communications and Transactions Act of 2002 (ECT Act).

The Independent Communications Authority of South Africa (ICASA) regulates the use of encryption over telecommunications facilities.

Armaments Development and Production Act

There are no “domestic” controls on the export, import, downloading and use of encryption software in South Africa and one does not need a permit to use it. “Domestic” refers to the public’s freedom to use encryption software (as distinct from military use).

The only time a permit or licence is required is where the product is used for military purposes, or comes from a military supplier (an entity that has developed the technology specifically for sale to governments). This is in terms of the General Armaments Control Schedule of the Armaments Development and Production Act of 1968.

The ECT Act is partly an encryption law

Chapter 5 of the ECT Act requires suppliers (not users) of “cryptography” services or products to register their names and addresses, the names of their products with a brief description in a register maintained by the Department of Communications and Digital Technologies. Unless the (local or foreign) supplier has registered, they cannot provide their services or products in South Africa. In addition, failure to record the particulars in the register is a criminal offence (an unspecified fine or imprisonment for a maximum period of two years).

Registration will allow investigative authorities (such as the SAPS) to identify which organisation provided the encryption technologies intercepted by them in terms of RICA (see below). This will enable the investigative authorities to approach these service providers to assist with deciphering the encrypted messages.

Chapter 5 (a kind of cryptography law) is regarded as being one of the most contentious chapters of the ECT Act. Whilst many commentators appreciate the Government’s concern about the implications that the widespread use of cryptography may have for law enforcement in limiting the ability of the investigative authorities to understand lawfully accessed data, they argue that the provisions of the chapter do not accord with international best practice, nor do they meaningfully address security concerns.

Many also contend that the chapter is not clear, poses more questions than anything else and leaves many uncertain whether to register as a cryptography provider or not.

Monitoring law (RICA) is a kind of anti-encryption law

Investigations into criminal offences are often hampered by the discovery that material that might otherwise assist the investigation, or be used in evidence, has been encrypted. Law enforcement agencies often try to “crack” the encryption key. Although this is occasionally possible after considerable effort and expense, it is likely to become increasingly difficult – if not impossible – as technology develops.

RICA contains provisions that enable law enforcement, security and intelligence agencies to fight crime and threats to national security. In terms of the legislation, one has to apply to a Judge for a “decryption direction” in terms of which the holder of an encryption key is directed to disclose that key or provide decryption assistance in respect of encrypted information. Law enforcement should (in theory) be able to identify the holder of the key if their details (as a supplier of crypto software) have been entered in the Department of Communications and Digital Technologies‘s register of crypto suppliers. This is the link with the crypto registration provisions in the ECT Act. In many instances in practice, however, the supplier will not be able to provide the identity of the user of the crypto software.

Registration as a crypto provider

Read more about our cryptography provider registration services.

If you would like us to provide you with a quote for you to register with the DoC as a crypto provider, please complete this online questionnaire.

Encryption law or cryptography law in South Africa

What is cryptography?

Is there cryptography law or encryption law in South Africa?

Armaments Development and Production Act

The ECT Act is partly an encryption law

Monitoring law (RICA) is a kind of anti-encryption law

Registration as a crypto provider

Share This Story, Choose Your Platform!

Related Posts

Advanced Computer Software Group enforcement action | Ransomware incident

Nigerian data controller and processor registration

Guidance note on cross-border transfers to and from South Africa