Version 27.0, February 2013
© Bert-Jaap Koops **Portions © Analog Devices, Inc. **
Licensed under Creative Commons Attribution Share Alike 4.0 International.
SPDX-License-Identifier: CC-BY-SA-4.0
[South Africa]{#sa} [Sources 1, 3, 5]
There are import and export controls for military cryptography, as regulated by the Defense Armaments Development and Protection Act 1968, No. R. 888, published May 13, 1994, and the General Armaments Control Schedule. Import of cryptography from military suppliers abroad and export of cryptography from military suppliers in South Africa are controlled (a military supplier being a company who has developed the technology specifically for sale to governments such as a government military contractor). Otherwise crypto import and export is free.
Use of encryption is free for commercial or private organizations.
The provision of cryptography products or services, however, is strictly regulated through Chapter V of the Electronic Communications and Transactions Act of 31 July 2002, in force since 30 August 2002, and the implementing Cryptography Regulations of 10 March 2006 (Government Gazette No. 28594).
The Act has a broad scope: it includes the provision of cryptography
within South Africa, but also the provision to someone who is in South
Africa when he uses it, and to a person who uses it for the purpose of a
business carried on in South Africa. Thus, it includes providing
cryptography through the Internet to South Africans, providing crypto to
foreign subsidiaries of SA companies, and providing crypto to persons
who at one time or other will visit SA from abroad if they will use the
crypto within the country. (For a further discussion of the scope, see
the
article
Decoding the ECTA Cryptography Regulations by Louw & Augustine.)
Crypto providers can only operate after they have been registered, for
which they have to provide the registration authority (the
Director-General of the Department of Communications) with the
information required (art. 29-30 Act + additional information listed in
Art. 2 Regulations, including 'detailed profiles of trusted personnel'
with 'supervisory or managerial responsibilities'), and pay an
application and annual administration fee (art. 4 Regulations). The
providers have to disclose information to relevant authorities
investigating a crime, security agencies or cyber-inspectors (art.
31(2)). Violation of the law is punishable with up to two years'
imprisonment (art. 32(2)).
A draft version of the Regulations, the 1 September 2004 Notice inviting
Comment on Proposed Cryptography Regulations, also included as
information to be provided contact details of all customers to whom a
crypto product or service was provided in the preceding 6 months (art.
2(b)(vi), but this was struck in the final Regulations.
Before the ECT Act, there were some specific regulations that may still
apply. Use or supply of telecommunications facilities or equipment must
first be approved by ICASA, the Independent
Communications Authority of South Africa (formerly SATRA), except on
explicit prescription by ICASA. This does not apply if the device is
connected between a modem or router and the computer. It is unclear
whether and to what extent "telecommunications facilities or
equipment" covers cryptography.
Use or provision of cryptography by government bodies requires approval
from the relevant agency; likewise, crypto systems approved for
government use require approval from the relevant agency to be used by
commercial or private organizations.
Apart from restricting crypto services, there is also a power for the police to demand decryption in case of encrypted telecommunications. The Regulation of Interception of Communications and Provision of Communication-Related Information Act (No. 70, 2002), published in the Government Gazette on 22 January 2003, gives the police the power to request a designated judge to give a decryption direction (art. 21). This is possible before or during interception of telecommunications according to the act. The addressee has to comply by giving the decryption key or by providing decryption assistance (art. 29). Costs for decryption can be compensated (art. 31). Failure to comply is punishable with a fine of up to 2 million Rand or imprisonment of maximum 10 years for natural persons and employees, or a fine of 5 million Rand for organisations (juristic persons) (art. 51(4)). Numerous detailed provisions and conditions apply, see articles 1, 21 and 29. (Cf. also Discussion Paper 99 by the South African Law Commission on Computer-related crime (also at 2600), which was to lead to a Computer Misuse Act, but which has in the meantime been addressed by the ECT Act and the RICPCRI Act. Section 4.5.3 under 4(b) of the report proposed search and seizure powers, including the requiring of any person concerned with a computer or computer data to provide "the reasonable assistance that may be required to facilitate the execution" of the search warrant.)
None.
Back to the Table of Contents