
Cryptic quandary for encrypters

By Phillip de Wet, ITWeb contributor
Johannesburg, 17 Jan 2003

The new Regulation of Interception of Communications and Provision of Communication-Related Information Act could prove problematic for crypto providers, who face fines of up to R5 million if they fail to co-operate with the government.

The new Act - which is not available to the public despite becoming law at the end of December - makes provision for stiff penalties for "decryption key holders" who fail to comply with a decryption order. These include 10-year jail sentences and R2 million fines for individuals, and fines of up to R5 million for companies.

A decryption order can be issued to anyone thought to be able to assist in decrypting a message, such as an e-mail, intercepted under the Act. Thanks to a broad definition of a decryption key, which includes any algorithm, code or password that can put a message into intelligible form, such an order could also be issued to the companies that make or distribute crypto software.

Once a decryption order has been issued, the recipient is obliged to provide any information or assistance possible to help in the decryption. Failure to do so, or obstructing or interfering with the decryption attempt, could invoke the same penalties as a flat-out refusal to comply.

Anyone who receives a decryption order is also effectively gagged and may not reveal the existence of such an order. Employees continue to be gagged even after they have left a company slapped with an order and even if they were not directly involved in the decryption process.

Perhaps most difficult for anyone faced with a decryption order is deciding what not to disclose. The Act makes it clear that anyone rendering assistance may provide only the information specified in the decryption order. Disclosing anything more, even information about the same customer, also carries million-rand fines or jail time.

While challenging them seems nearly impossible, decryption orders are likely to be rare as they may only be issued in cases where permission to intercept communication has already been granted. Such permission is possible only if a designated judge is certain that a serious crime has been or will be committed.

It is also possible that those helping with decryption could be paid for their time according to a fee structure to be determined by the Department of Justice.

The battle against crypto

These provisions, contained in the final version of the Bill before it was signed into law, have puzzled many involved in the field of encryption. Encryption keys are seldom held by anyone other than the person using them, raising questions as to what kind of assistance law enforcement agencies can be given.

Security consultant Ian Melamed, who is currently involved with a Post Office project to establish digital signatures using strong cryptography, believes the provisions may be aimed at making brute-force attacks on encrypted messages easier. If the government tries to break an encryption key it will need all the help it can get, he says.

"If you request assistance from the people who helped generate the second or third level of keys and you have an understanding of the structure, it makes decryption more practical," he says, but points out that great difficulties still remain.

The decryption provisions could also be used to force a suspect into revealing his own keys, although since interception orders are inherently secret it is not clear that such an application would be practical.

However, the law does show the South African government's continuing struggle with the issue of cryptography. While it has clearly acknowledged the need for cryptography in order to drive online commerce and therefore economic growth, it shares the concerns of most governments that criminals and terrorists now have a nearly untappable medium for communication.

Balancing the need for commercial cryptography with the dangers of criminal use has not proven easy. At one stage in the discussions around the recent Electronic Communications and Transactions (ECT) Act, compulsory key escrow was mooted but soon abandoned. Some likened escrow to giving the local police station a copy of the key to your house, something unlikely to be popular.
