Cryptography regulations published

As of Friday 10 March 2006, providers of cryptography products or services may not continue to operate unless they register certain information with the Department of Communications.

Failure to register could lead to fine or up to two years` imprisonment.

This is according to the cryptography regulations published in the government gazette on 10 March in terms of the Electronic Communications and Transactions Act of 2002 (ECT Act).

Organisations should carefully consider whether they qualify as cryptography providers for purposes of the Act, says Wim Mostert, a director at Mostert Opperman Goodburn Attorneys.

It is not abundantly clear, he says, whether the requirements apply only to vendors "selling" cryptography products or services to others such as Symantec, McAfee or Verisign or whether it could possibly also apply to companies "using" cryptography in the provision of services to clients.

For instance, it is not clear whether a bank should register if it provides its services to customers by means of a secure socket layer (SSL) connection, he says.

One of the objectives of the Act is to enable authorities to determine which organisations could provide them with assistance in decrypting messages that have been intercepted under the Regulation of Interception of Communications Act (RICA) or obtained by other crime prevention laws, Mostert says.

"If this is indeed the intention, it would appear that cryptography regulations apply only to those organisations that can indeed assist in this regard."

In order to qualify as a cryptography provider an organisation must own or have access to the source code, says Michael Silber, a consultant with Michalsons Attorneys. This poses a challenge to the open source movement, where code is regularly shared in order to develop programmes, he says.

Silber notes that anyone who makes available open source programmes that have cryptography facilities on their Web sites needs to register with the department as a provider. He suggests that techies involved in the open source movement register their favourite encryption software. "They should flood the department with applications for registration," he says.

This will ensure that they stay within the law as they provide cryptography downloads, while at the same time creating an annoying administrative burden for government, he says.

The minimal registration fee of R100 and the annual administration fee of R200 would not create a financial burden, he says. However, their applications would create a burden for the department, thus forcing government to reconsider its position regarding the definition of provider of cryptography service or products.

Silber says the only challenge with cryptography regulations is the provider is required to provide detailed information about its managerial staff. That provision is not in the Act and subordinate legislation should not have provisions that exceed those contained in the Act itself, he says.

He emphasises that section 29 of the Act is very clear that companies are not required to provide confidential information.

"If I was registering as a cryptography service or product provider, I would not fill in the areas that require confidential information," he says.

While reasonable security measures would be taken with the database of cryptography service providers, information could still be accessed through the Promotion of Access to Information Act, he says.

Although the regulations are a good idea, enforcement of the regulations is also going to be a challenge as there are no cyber inspectors dedicated to enforcing cyber crimes, Silber says.

What is likely to happen is while law enforcement agencies are investigating a specific incident they may find out the company is an unregistered provider of cryptography services or products. This would be added to the list of charges, he says.

Related stories:
Internet Society calls for crypto civil obedience
An open letter to Thabo Mbeki