Cryptography and encryption presents a challenge to security conscious governments in that it allows message content to be concealed from the authorities. Therefore, the purpose of the cryptography provisions in our law is, amongst other things, to assist the investigative authorities in the event of any threat to national security by decrypting encrypted messages: they would look in the register of cryptography providers and see who provided the cryptography and then require them to help the authorities decrypt the encrypted message.
Where you provide digital signatures or digital certificates you would need to register as your products, as they clearly would assist others encrypt data.
However, it gets more difficult where the service provider merely includes an encryption component in its greater service offering which is not a pure encryption service, but rather a backup service. So we are saying that there is a difference between providing an encryption service (where the product or service assists others to encrypt data) versus an encryption element within a service.
The problem though is that the definition of a “cryptography service” or “cryptography product” in the ECT Act is so widely formulated that it catches many products or services that fall into that ‘grey area’ in the net. And the law is clear: “No person may provide cryptography services or cryptography products in the Republic until the particulars referred to in section 29 in respect of that person have been recorded in the register contemplated in section 29” (s30(2) of the ECT Act). The law also makes it clear that “[a] person who contravenes or fails to comply with a provision of this Chapter is guilty of an offence and liable on conviction to a fine or to imprisonment for a period not exceeding two years” (section 32(2) of the ECT Act). Unfortunately there have been no rulings of what falls in the net and what falls outside the net as it were.
So, if your company has a preference not to have to register with the Department of Communications (DoC), then we would suggest that we look into it deeper and prepare a memo for you advising whether you should register or not.
If your company does not mind registering, then it would make sense to do so. If you do decide to proceed, we want to point that the DoC takes a long time to furnish you with a letter confirming that your name has been entered on their register. With one client they took about 8 months, and that was after persistent badgering from month three. We now make provision in our fees for someone to literally go and “camp” outside the DoCs offices if they do not furnish the letter within two months of submission of the application to register as a crypto provider. So it will be a long process.
Against this background, you need to let us know whether you want us to provide you with a memo, or whether we can proceed straight to the quotations.