Recent reports of the extent of communications spying by the United States government have shocked people around the world; South Africans also have reason to ask questions about online communications interception.
A recent article by the Mail & Guardian stated that the situation is far worse in South Africa than in the United States.
Telecoms legal expert Mike Silber said that RICA (the Regulation of Interception of Communications and Provision of Communication-Related Information Act) paved the way to widespread spying on SA citizens by government.
“One element of lawful interception is so-called ‘live’ interception. This is where calls, e-mails, web sessions and other communication are forwarded to the Office of Interception Centres pursuant to a warrant so that the content of the communication is available,” said Silber.
This raises the question of how widespread communications interception requests are when it comes to Internet services.
MyBroadband asked South Africa’s prominent Internet Service Providers (ISPs) how many requests they are receiving to intercept the communications of their subscribers.
“We only do interception in accordance with the RICA regulations. Such an order can only be issued by a judge, on request of law enforcement,” said Hershaw.
He added that he could not disclose how many of these orders MWEB has received over the last 12 months.
South Africa’s largest web host, Hetzner, said that it has received one court order to intercept communication in the last 12 months.
“A court order is the only way that Hetzner will allow access to customer data. Hetzner deals directly with the SAPS cybercrime unit,” said Athena Turner, Hetzner’s marketing and communications manager.
“The unit conducts a thorough investigation before approaching Hetzner with a court order. They would then be given access to the information as dictated by the court order,” said Turner.
“Afrihost would obviously comply with an official court order should we be required to do so,” said Payne.
Wyatt-Gunning said that all of the subpoenas were from the South African Police Service (SAPS) in connection with criminal cases.
He explained that the only information requested by the police is to link an IP address and time stamp to a subscriber and provide contact information on the subscriber.
Wyatt-Gunning added that they always require a subpoena before disclosing any information about their subscribers.
Cybersmart CEO Laurie Fialkov said that they have not received any requests to intercept information yet. However, they have received many requests in relation to the PAIA (Promotion of Access to Information Act).
The PAIA requests for subscriber information related to spamming, copyright infringement (because of torrents), and hacking attempts. Only one of these requests was from a government organisation.
Fialkov added that a court order is the only way in which an organisation can gain access to a Cybersmart subscriber’s information. “The process is well defined in terms of RICA,” said Fialkov.
Fialkov said RICA states that an ISP needs to be able to redirect all traffic to an interception centre, without the user’s knowledge.
“However, in practice this is not possible because there are no interception centres,” said Fialkov.
Fialkov added that encrypted correspondence can easily bypass the system and make it challenging for government to monitor electronic communication.
“There have been other requests for information from civilians via the Promotion of Access to Information Act, but they either did not comply with the relevant requirements or were requesting information of a confidential nature that we were not at liberty to disclose to them,” said Steyn.
Steyn said that apart from a court order, they are allowed to release information in certain exceptional emergency circumstances, which are very specifically defined.
This includes cases where someone’s life is being threatened and or endangered and the location of that person is unknown to a law enforcement officer.
“In those circumstances, it is only the location of the person that can be disclosed,” said Steyn.
Marc Furman, legal manager at Internet Solutions (IS), said that they have received a single formal “lawful intercept” directive in terms of RICA since the promulgation of the legislation.
“No directive had been received in the last 12 months. A RICA directive can only come from the defined lawful intercept authorities in terms of legislation, and not from private companies,” said Furman.
Furman explained that IS only grants access to law enforcement authorities to customer information on the basis of lawfully issued subpoenas under section 205 of the Criminal Procedure Act.
“This is the prevalent means of accessing customer information in the context of criminal investigations. The subpoenaed information pertains to the identity of the sender of the communication and does not require IS to intercept actual communications,” said Furman.