The Minister of Communications published proposed Cryptography and Accreditation Regulations, which, among other things, will oblige providers of encryption services and products (cryptography providers) to supply highly detailed information about themselves and their services. The minister invited comment on the proposed regulations, which will be issued under the Electronic Communications and Transactions Act (ECT Act).
Cryptography can be used by the sender or recipient of electronic messages to ensure that messages are only accessed by specific persons, are authentic and have not been tampered with, and that the sender of the message can be properly identified. However, cryptography presents a challenge to security conscious governments in that it permits the concealment of message content from authorities. Therefore, chapter 5 of the ECT Act requires the department of communications’ director-general to establish and maintain a register of cryptography providers, containing information about the provider, its products or services, and other particulars. The ECT Act obliges cryptography providers to be registered as such. Failure to do so would constitute an offence. The regulations require cryptography providers to supply the following information:
- the cryptography provider's identity, location and details of its products or services;
- particulars of any person to whom services have been outsourced;
- detailed profiles of all employees considered to be ‘trusted personnel’ (ie, those involved with the management, operations and security of the cryptography products);
- data to identify and locate any person that provides encrypted bugging and debugging equipment; and
- the names, addresses and contact details of all customers to whom the products or services are sold.
Although the department of communications may not disclose this information, in terms of section 31 of the ECT Act, this requirement may well raise problems in the light of the future data protection legislation to be enacted in South Africa.
A R100 application fee will be payable on registration and an annual administrative fee of R200 will be levied for each product or service. This could signify a hefty bill for a cryptography provider that has a large suite of different products or services.
The ECT Act broadly defines a ‘cryptography provider’. It contemplates anyone who provides or proposes to provide a cryptography service or product in South Africa, irrespective of from where the service is provided. Thus, overseas cryptography providers selling their products and services into South Africa, even if they do not have business premises locally, would have to be registered. . In addition, South African businesses carrying out in-house development that includes encryption and software houses developing software with encryption, are advised to register.
Chapter 6 of the ECT Act establishes that the department of communications’ director-general will act as the accreditation authority for authentication products and services. Under section 35, only persons registered as cryptography providers may sell or provide authentication products or services. However, accreditation is entirely voluntary and authentication products or services may be provided without prior consent. Should a cryptography provider decide to apply for accreditation, it will have to satisfy the authority that the electronic signature to which its authentication products or services relate:
- is uniquely linked to the user;
- is capable of identifying that user;
- is created using means that can be maintained under the sole control of that user;
- will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable; and
- is based on the face-to-face identification of the user.
Cryptography providers who wish also to operate as authentication service providers must pay R20, 000 per application, an annual accreditation fee per product or service of R10, 000 and a performance guarantee of R10, 000 per product or service.
Preeta Bhagattjee is a director of the law firm, Cliffe Dekker. She specialises in IT, e-commerce law and outsourcing contracts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.