The Electronic Communications and Transactions Bill, promulgated two months ago, attracted much comment and input from the information technology sector. Last Wednesday marked the cut-off date for such input, and the Bill will be subject to further scrutiny when Parliament conducts public hearings on its provisions in two weeks’ time.
One area expected to spark heated debate is cryptography.
Cryptography is the science of scrambling data so that only a program or computer user holding the right digital key can unscramble it. Anyone using Internet banking is using cryptography, as communication between his computer and the bank’s is scrambled to prevent any unauthorised person from viewing his transactions.
The Bill’s concept of cryptography appears to be flawed. There are a number of issues around cryptography that are making people in the IT field jumpy, but the most glaring concern seems to be around the issue of registration with the Department of Communications. It seems that companies that use cryptography software in South Africa must be registered with the department.
This raises questions such as: what about resellers of cryptography products – do they have to register, or is it the supplier who registers? What happens if the supplier is not in South Africa? What happens if the supplier is not a company, an organisation or any other legal entity? In the open-source software movement, for example, an individual or a group of individuals who are not necessarily an entity could organise or develop a cryptography product.
With open source, one can obtain a cryptography product simply by downloading it from the Net, with no supplier or vendor involved. There is no way to keep track of all cryptography products, and it would be absurd to criminalise the use of non-registered cryptography products, as that would make illegal what many system administrators, especially in the open-source arena, do every day as they service their clients.
For example, any company using SSH, a method for securely accessing a remote machine, would have to register. Failing this, it seems that a two-year jail sentence could be the legal outcome. In its attempt to define cyber crime, the Bill runs the risk of leaving only a fine line between the legitimate and the criminal use of computer tools to secure or compromise computer systems.
Another issue of concern is that the Bill proposes that cryptography providers do not have to disclose how their cryptography works. This means that South African entities, whether the government or the public, cannot demand that a product be provably secure and therefore of good quality. Security experts worldwide agree that the only way to ensure that cryptography is secure is to open the implementation and methods to peer review. Opening them does not decrease their effectiveness; it ensures that implementations of mathematically proven encryption techniques are not full of “bugs” and that there are no potential back doors that allow the provider or foreign governments unauthorised access to the data.
Sixty-five percent of the world’s websites use the open-source Apache Web server, which can be used to provide secure encrypted transactions. This product is not sold in South Africa, but local service providers use or implement it for clients on a regular basis. This raises the question of who registers it. The Bill implies that anyone in South Africa who implements a secure Web server using Apache will be guilty of contravening the Act unless they register as a cryptography service provider. The Bill fails to recognise that some cryptographic services may be implemented with no vendor at all, such as the installation of a Linux Web server.
Even the Linux kernel, which can itself implement cryptography, is not owned by a company. There is no company that creates Linux, but many who contribute to and assist in the development of the open-source software. It cannot be traced back to one vendor. Linus Torvalds, creator and leader of the Linux movement, is simply the project manager and does not own the kernel or the software. This affects the way in which Linux and other open-source software developers would be treated under the Bill.
Another issue that has been raised is that of the cyber inspectors who, it seems, will not need official training or qualifications to fill this position. While it is good that cyber crimes will be defined for the first time, and cyber inspectors put in place to monitor activity, the qualifications and licensing of these inspectors are questionable.
There are a number of concerns around the Bill and its implementation, and these are just the tip of the iceberg. But, as with any Bill, comments and proposed changes are welcomed by the Department of Communications. Like all proposed Bills, it is still being formulated and will need some serious review before it becomes law.
Pieter Nel, development manager of Obsidian Systems, a Linux-based company in Johannesburg, sums it up: “I believe that the Bill will be received in a positive light and will benefit electronic communications and transactions in South Africa. However, certain sections such as the definitions of terms used in the Bill, and chapters dealing with cryptography providers, consumer protection, protection of critical databases and cyber inspectors must be carefully looked at and revisited, some in conjunction with the private sector.”
However, the Bill is promising in many respects, such as e-government, whereby it will be possible to conduct any transaction with government electronically, and legal certainty, which would make electronically signed documents legally valid. Another promising aspect is the part of the Bill that enhances the protection of personal information, defining what information may be stored and used. This means that personal information becomes one’s own property. These, and other boundaries, are welcome.