Security 13.08.2012

Strong encryption in SA: is it legal?

There are no domestic controls on either the importation (or downloading) or use of encryption software or hardware in South Africa. However, the ECT Act poses a number of unanswered questions about the use of cryptography in electronic communications insofar as exactly who has to register with the Department of Communications (DoC).

This is according to Lance Michalson, an information and communications technology (ICT) lawyer from Michalsons Attorneys.

In an article on the firm’s website, Michalson explains that “domestic” controls refer to the public’s freedom to use encryption software.

There are several laws which deal with cryptography in some way, Michalson said, which include:

  • The Armaments Development and Production Act of 1968 (for military software);
  • the Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002 (RICA); and
  • the Electronic Communications and Transactions Act of 2002 (ECT Act).

The (Open) Source of Shuttleworth’s wealth

It is interesting to look at South Africa’s crypto laws in the context of Mark Shuttleworth’s success with Thawte, a business that sold the certificates used for encryption on the Internet.

VeriSign agreed to acquire Thawte towards the end of 1999 for about $575 million (USD) in stock, with the deal going through in 2000.

In an interview on the television series Go Open, which was developed with the sponsorship of Shuttleworth, the Internet millionaire explained that he was able to build Thawte because South Africa’s legal landscape was more conducive to the export of cryptography.

However, RICA and the ECT Act came into effect after VeriSign agreed to buy Thawte, raising the question of whether Shuttleworth would’ve been able to set up Thawte in the current legal environment.

No domestic crypto controls

Michalson explained in his article that, historically, it has been the military who have used (and controlled) encryption hardware and software.

Nowadays, encryption software is readily available on the Internet and it is very difficult for governments to decrypt the document or communication without access to a user’s private key.

While there are no domestic controls on the export, import, downloading and use of encryption software in South Africa, a permit or licence is required where the product is used for military purposes, or comes from a military supplier.

A “military supplier”, Michalson said, is an entity which has developed the technology specifically for sale to governments. Michalson said that this is in terms of the General Armaments Control Schedule of the Armaments Development and Production Act of 1968.

The E-commerce legislation

Lance Michalson

Another piece of legislation that addresses encryption, Michalson said, is the Electronic Communications and Transactions (ECT) Act.

Chapter 5 of the ECT Act deals with “cryptography providers”, and the explanatory memorandum to the ECT Bill indicates that the purpose of the chapter is to also address government’s security concerns.

According to Michalson, Chapter 5 is regarded as being one of the most contentious chapters of the ECT Act.

“Whilst many commentators appreciate the Government’s concern about the implications that the widespread use of cryptography may have for law enforcement in limiting the ability of the investigative authorities to understand lawfully accessed data,” Michalson wrote, “they argue that the provisions of the chapter do not accord with international best practice, nor do they meaningfully address security concerns.”

The Act states that no person can provide cryptography services or cryptography products “in the Republic” until its particulars have been recorded in a register held by the Department of Communications.

Failure to record the particulars in the register is a criminal offence, Michalson said, which carries the penalty of an unspecified fine or imprisonment for a maximum of two years.

However, Michalson points out that many commentators contend that the chapter is not clear and poses more questions than anything else:

  • Who is a “cryptography provider”?
  • What is a “cryptography service”?
  • What is a “cryptography product”?
  • When is it provided “in the Republic”?

As for Shuttleworth’s millions: despite the questions raised by the ECT Act, Michalson said he doesn’t believe that either RICA or the ECT Act would have hindered Thawte operating from South Africa.
