Million-rand bill for ISPs

I dont see the point of the bill tho ... the SA laws have made cryptography illegal and you have to register with DOC if you are a cryptographer. ... besides, what is stopping me from getting a Satellite internet link from outside of SA! nothing!
 
Technology is moving to fast for our DoC.
Who knows, maybe in '06 everything grind to a halt and then we will be able to catch up.

Maybe slightly OT, but did anyone read the article in Noseweek about SMS records, No.75 pg31? rather interesting.
 
RichardP said:
the SA laws have made cryptography illegal and you have to register with DOC if you are a cryptographer.

Do you maybe please have more detail on this? What would they define as a cryptographer?

Also, is the new law now going to require that my ISP (basically Telkom ADSL bought via an ISP) store my gigs of internet traffic, or what does this law say? (And a lot of my traffic is VPN, so as far as I know pretty hard to break and also impossible to store in compressed form.)

Sorry, I have not been following this one, so now wonder what is going on.
 
gkm said:
Do you maybe please have more detail on this? What would they define as a cryptographer?

Also, is the new law now going to require that my ISP (basically Telkom ADSL bought via an ISP) store my gigs of internet traffic, or what does this law say? (And a lot of my traffic is VPN, so as far as I know pretty hard to break and also impossible to store in compressed form.)

Sorry, I have not been following this one, so now wonder what is going on.


Somewhere (cant remember) it states you are guilty of an offence if you use a method that prevents the DOC from intercepting your data....
-----------------
http://www.polity.org.za/html/govdocs/legislation/2002/act25.html?rebookmark=1

CRYPTOGRAPHY PROVIDERS
Register of cryptography providers

29. (1) The Director-General must establish and maintain a register of cryptography providers.

(2) The Director-General must record the following particulars in respect of a cryptography provider in that register:

1. The name and address of the cryptography provider;
2. a description of the type of cryptography service or cryptography product being provided; and
3. such other particulars as may be prescribed to identify and locate the cryptography provider or its products or services adequately.

(3) A cryptography provider is not required to disclose confidential information or trade secrets in respect of its cryptography products or services.

Registration with Department

30. (1) No person may provide cryptography services or cryptography products in the Republic until the particulars referred to in section 29 in respect of that person have been recorded in the register contemplated in section 29.

(2) A cryptography provider must in the prescribed manner furnish the DirectorGeneral with the information required and pay the prescribed administrative fee.

(3) A cryptography service or cryptography product is regarded as being provided in the Republic if it is provided-

1. from premises in the Republic;
2. to a person who is present in the Republic when that person makes use of the service or product; or
3. to a person who uses the service or product for the purposes of a business carried on in the Republic or from premises in the Republic.

Restrictions on disclosure of information

31. (1) Information contained in the register provided for in section 29 must not be disclosed to any person other than to employees of the Department who are responsible for the keeping of the register.

(2) Subsection (I) does not apply in respect of information which is disclosed-

1. to a relevant authority which investigates a criminal offence or for the purposes of any criminal proceedings;
2. to government agencies responsible for safety and security in the Republic, pursuant to an official request;
3. to a cyber inspector;
4. pursuant to section 11or 30 of the Promotion of Access to Information Act, (Act No.2 of 2000); or
5. for the purposes of any civil proceedings which relate to the provision of cryptography services or cryptography products and to which a cryptography provider is a party.

Application of Chapter and offences

32. (1) The provisions of this Chapter do not apply to the National Intelligence Agency established in terms of section 3 of the Intelligence Services Act, 1994 (Act No. 38 of 1994).

(2) A person who contravenes or fails to comply with a provision of this Chapter is guilty of an offence and liable on conviction to a fine or to imprisonment for a period not exceeding two years.
 
Last edited:
the beast was signed into law in 2002 and only into force in the last few weeks during which time there have been extensive consultations about implementation

a number of isps and other commentators have been predicting this utter mess for 3 years now

/as i recall certain data has to be retained for up to 5 years
/gales of hysterical laughter - they have been grappling with this in the EU for years without getting anywhere
 
This was posted on the ISPA mailing list today:

From: [email protected] [mailto:o[email protected]] On Behalf Of Elaine Zinn
Sent: 17 January 2006 09:34 AM
To: [email protected]
Subject: [ISPA] Invitation to interception presentations

Dear members

At the general meeting held on 24 November 2005 a brief discussion was held regarding requirements in terms of the Regulation of Interception of Communications (RICA).

One of our members has looked into the matter and a commercial company Nice Systems, will be presenting their NICETRACK lawful interception solutions which provides a range of solutions to the interception requirements.

This will be followed by a presentation from Greg Massel offering his particular solutions.

ISPA is in no way prejudiced towards any organisation or solution and other companies offering similar products may well be approached.

The presentation will be hosted by Fujitsu Services on Monday, 23 January at 13:00

Address: The Conference Park
43 Homestead Road
Rivonia
Map = http://www.theconferencepark.co.za/images/Rivonia.ppt

Please confirm your attendance with the undersigned as soon as possible.

Kind regards
Elaine
[email protected]
[email protected]
Tel: +27 11 314 7751
Mobile: +27 83 327 4806
www.ispa.org.za

CONFIRMATION OF ATTENDANCE
[ ] I will attend
[ ] I tender my apologies
 
Yes, at 100 000 customers, that is 8 400 000 GB which is 8.4 petabytes of data and that is just for ADSL.

I find the act quoted above bizzare, but I guess I am not the only one. Crypto services are pretty common these days. It is a basic cornerstone of computer security. SSL used to secure web sites is just one and I could quickly list a lot more. And I have downloaded Firefox myself, so as far as I can see I am contravening section 30 above. And I have transgressed the act in a couple of other ways just today. So lets put all internet users in SA in jail for 2 years.
 
At the end of the day, a criminal will find a way to do what they intend, snooping or not.
 
Yes, it is a bit of a joke. Encryption is very easy to do.

Searching the petabytes of data stored for the relevant bits is already nearly impossible. And then spending a couple of years decrypting it, by which time everybody has forgotten about the case.
 
gkm said:
Yes, it is a bit of a joke. Encryption is very easy to do.

Searching the petabytes of data stored for the relevant bits is already nearly impossible. And then spending a couple of years decrypting it, by which time everybody has forgotten about the case.

Anyone who thinks that data can be monitored effectively needs a lesson in the theory of large numbers. A simple 1meg executable file contains 1^24 bytes (my mind is old - is this the right figure :) ). Anyway, that leaves ample space for a message like "meet me on Friday at the waterfront". This can be easily hidden in the code in places that are never executed, and encrypted there to boot. The hiding place can be anywhere that is previously agreed upon. Tell me how anyone will ever find this - especially if the message also contains the location of the next message in the next file. The message need not even be all in one place, but spread out over the file.
 
Moederloos said:
A simple 1meg executable file contains 1^24 bytes (my mind is old - is this the right figure :) ).

1 ^ 24 = 1 :p
2 ^ 20 = 1MB :)

Yes, I agree completely with what you say.
 
In terms of the Act, ISPs and telecommunication providers must have equipment capable of recording, monitoring and storing all electronic communications transmitted via their services.

This doesn't say anything about playing it back, so if one stored all the traffic in a single bit ....:D
 
What a bunch of toss. So basically government is saying you can NOT encrypt traffic just so they can intercept it - pathetic. This is the South African version of the NSA.

What will happen to VPNs, Skype (isn't traffic encrypted? If not should be relatively easy to block by providers - that'll suck. B/c then they can charge us anything for their VOIP "solutions"), encrypted IMs, encrypted mail, SSL shopping, secure banking etc? What falls into the encrypted category that isn't allowed?

This is just wasted money that can be spent on liberalization. Is this a means of basically crippling ISPs from self-providing when/if LLU happens? "They" should spend more time liberalising the telecom landscape than come up with more ways to cripple it.

Can't we please vote for a new party in government? It's not a black vs white thing, it's us people vs the government.
 
Peter7 said:
What a bunch of toss. So basically government is saying you can NOT encrypt traffic just so they can intercept it - pathetic. This is the South African version of the NSA.

What will happen to VPNs, Skype (isn't traffic encrypted? If not should be relatively easy to block by providers - that'll suck. B/c then they can charge us anything for their VOIP "solutions"), encrypted IMs, encrypted mail, SSL shopping, secure banking etc? What falls into the encrypted category that isn't allowed?

This is just wasted money that can be spent on liberalization. Is this a means of basically crippling ISPs from self-providing when/if LLU happens? "They" should spend more time liberalising the telecom landscape than come up with more ways to cripple it.

Can't we please vote for a new party in government? It's not a black vs white thing, it's us people vs the government.

This encryption story is not just isoldated to SA. The USA has for ages had this problem, and 128bit encyption technology is still not exportable to certain countries.
Also, it is not said that we cannot have encryption, but that we must use encryption the government can break - once again I do not see this as just being an SA thing.

It comes down to a double edged sword - how do we protect the rights of individuals (both of privacy and safety) by not restricting some of those rights (or - how can we catch the bad guys, without infringeing on the good guy's right to privacy).
 
IC makes some good points.

If we are monitoring for terrorist activities, and happen to come across information about a drug shipment, that is all good and fine. Also, if a crime was committed in a certain area at a certain time, an investigation of cellphone calls in that area at that time would be useful.

All in all though, I have a hard enough time finding an email I sent last week on my own PC - so good luck to anyone sifting through gazillions of GB of raw data.
 
Moederloos said:
It comes down to a double edged sword - how do we protect the rights of individuals (both of privacy and safety) by not restricting some of those rights (or - how can we catch the bad guys, without infringeing on the good guy's right to privacy).

I am still trying to figure out exactly who these bad guys are that they hope to catch. My general feeling is that bad guys are not going to care about the law and will use encryption anyway.

First place that needs this equipment installed is the Gov I think, of all the people in South Africa it is the government people seem to stand out in my mind as the least likely to be smart enough to use encryption and the most likely to be doing bad things.
 
Top
Sign up to the MyBroadband newsletter
X