SA networks snoopable by design
Telecommunications services in South Africa must be built with the capability to have communications intercepted and store communication-related information.
Those familiar with the South African Act referred to as “RICA” won’t find this information surprising, but what is interesting is how local requirements compare to the 29 other countries in which Vodafone operates.
Vodafone recently released a Law Enforcement Disclosure Report in which it detailed the extent of wire-tapping in the countries where it operates (where it was able), and summarised the legal powers for communications interception available to governments in each country.
South Africa is not unique in requiring networks to provide governments with the ability to snoop on calls (and other network traffic), but as The Guardian reports it is one of only 9 countries covered by the report where it is illegal to disclose the extent of the interception.
The other 8 are: Albania, Egypt, Hungary, India, Malta, Qatar, Romania, and Turkey.
While this is of some concern, South Africans are also better off than some other countries where governments seem to be legally able to intercept calls at will.
The Regulation of Interception of Communications and Provision of Communication-Related Information Act no.70 of 2002 (RICA) makes interception and monitoring of communications illegal unless:
- a directive has been granted that permits the prohibited activities;
- the party protected by RICA gives requisite consent;
- the entity engaging in the above activity was also a party to those communications;
- intercepting, monitoring or disseminating information of an employee while carrying on a business;
- interception to prevent serious bodily harm;
- interception to determine a location during an emergency; or
- when entitled to do so in terms of other legislation.
An “interception direction” can only be issued in the event that a judge is satisfied that a serious offence has been or will be committed; or the gathering of information is necessary concerning an actual threat to the public health or safety, national security or compelling national economic interests of the Republic.
Keep in mind that “judge” in South Africa does not refer to magistrates of our lower courts, but High Court judges.
A directive prescribes the:
- capacity needed for interception purposes;
- technical requirements of the systems to be used;
- connectivity with interception centres;
- manner of routing duplicate signals of indirect communications to designated interception centres; and
- manner of routing real-time or archived communication- related information to designated interception centres.
If the intercepted communications are encrypted, Section 21 of RICA provides for the issuing of decryption directions by application to a designated judge.
Should you be in possession of the decryption key or password and refuse to disclose it, you could face a fine of up to R2-million or prison time for up to 10 years.
RICA also makes provision for the issuing of other types of directions, such as a real-time communication-related direction and an archived communication-related direction.
Section 17 of RICA covers the issuing of a real-time communication-related direction. This is required where no interception direction has been issued and only real-time metadata on an ongoing basis is required. Such a direction must also be issued by a judge.
Storing communications-related information
While RICA does not require that networks store calls or other communications, it does require that communication-related information, or metadata, be stored for a period.
Section 19 of RICA provides for the issuing of an archived communication-related direction. For this law enforcers may apply to a judge of a High Court, a regional court magistrate, or a magistrate to issue the direction.
Related privacy and security articles
Reset the Net: take back your online privacy
Who sends e-mail securely in SA?
Hacking Android, iOS: B-Sides Cape Town security conference
Cryptography and jailtime in SA