The Cryptography Regulations issued in terms of the Electronic Communications and Transactions Act of 2002 (ECT Act), which came into effect on 10 March 2006, have not clarified the uncertainty over whether or not users of cryptography software would also be considered cryptography providers and should be registered as such.
Simplistically, cryptography technology ensures that only specific persons can access messages, that the electronic messages are authentic and have not been tampered with, and that the addressor of the message can be properly identified.
However, cryptography presents a challenge to security-conscious governments in that it allows message content to be concealed from the authorities. Hence, the ECT Act contains provisions that permit state authorities access to the private key of cryptography users. Such access allows the authorities to decrypt electronic communications where national security and public interest considerations exist. Consequently, the Department of Communications must maintain a register in which all cryptography providers must be registered in order to operate within South Africa.
The Department did not heed the comments and criticisms levelled by various industry stakeholders when the draft regulations were published for comment in 2004 and many of the same provisions have been included in the final regulations.
The wide definition of a cryptography provider creates further confusion. It includes "any person who provides or who proposes to provide cryptography services or products in the Republic". The definition of a cryptography product is also very broadly formulated and catches within its ambit all PCs, operating systems such as Microsoft Windows, software which includes encryption, and even mobile phones using encryption technology.
While it is unlikely that the legislation intended to require the registration of all persons who indirectly use encryption products to provide services, a strict interpretation of the definition would include all software distributors, PC suppliers and overseas cryptography providers selling their products and services into South Africa (even if they do not have business premises locally). It would also include persons who carry out in-house development that includes encryption.
Disobeying these provisions constitutes a criminal offence. Businesses could adopt a conservative approach and register as a precautionary measure. Alternatively, they could ask the Department to clarify, in writing, whether or not they are required to be registered.
Under the regulations, cryptography providers are obliged to supply a considerable amount of information, whereas the ECT Act specifies only the name and address, description of the type of service or product being provided, and other particulars as may be prescribed to identify and locate the cryptography provider or its products or services adequately.
The ECT Act also specifically provides that a "cryptography provider is not required to disclose confidential information or trade secrets in respect of its cryptography products or services". The regulations appear to contradict this section in that the information that they require may be considered confidential information. Accordingly, disclosure of the requested information should be carefully considered and only information that is not confidential or a trade secret should be provided when registering.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.