Electronic Communications & Transactions Bill


Communications and Digital Technologies

23 May 2002


Meeting report

COMMUNICATIONS PORTFOLIO COMMITTEE
23 May 2002
ELECTRONIC COMMUNICATIONS AND TRANSACTIONS BILL

Chairperson:
Mr N Kekana (ANC)

Relevant Documents
Electronic Communications and Transactions Bill [B8-2002]
Summary of Submissions

SUMMARY
Chapters Five and Six were dealt with during this session. The following main concerns were raised:
- Whether the ECT Bill was duplicating the work done by the Justice Portfolio Committee on the Interception and Monitoring Bill;
- That accreditation of authentication service providers was not truly voluntary, as without accreditation their advanced electronic signatures would not be recognised in South Africa;
- That a cryptography service provider register would be useless and ineffective;
- That a cryptography service provider register would discourage local industry growth;
- That a cryptography service provider register would be impractical as it would require registration by companies outside of South Africa's jurisdiction;
- That the accreditation of authentication service providers would unduly restrict the market;
- That the provision of cryptography keys to law enforcement may lead to the invasion of the privacy of the individual;
- The overbroad definitions of "cryptography" and "cryptography service providers".

The following points were clarified:
- Cryptography in general.

MINUTES
Prior to the start of deliberations, the Chair noted that the Committee had received submissions from Potchefstroom University (AG Vorster), the British Chamber of Business, and COSATU / Communication Workers Union.

Chapter 5: Cryptography Providers
Clause 30 Register of cryptography providers
Ms M Smuts (DP) said that the justifiable reason for requiring registration for cryptography providers is for security services to be able to fight crime. Revealing personal information such as an encryption key has always been done in terms of a court order. She stated that the committee needs to determine whether a court order is still required or if this Bill intends to start a mandatory register and therefore to impose a de facto import control.

Ms Mack (MIH) submitted that encryption is already dealt with in an armaments act. Furthermore there is no indication of the procedure that should be used to gain access to cryptography keys - the Bill simply gives access, and in particular blanket access to security services.

Mr V Gore (DP) wanted to highlight the de facto import control. He used as an example Microsoft, and asked if they would have to register if they had cryptography in their programs. He also wanted clarification about the downloading of cryptographic products especially if they originated from a foreign jurisdiction.

Ms Vos (IFP) said that there is a cryptographic company called PGP that was taken to court by the American government. In the end the company gave their cryptographic method to the entire world rather than be forced to disclose it and have it taken over by the American government. She said that the IFP does not support this approach, and has reservations about the government being able to open people's mail.

An ANC member called to repeat the debate of yesterday. He put forward the point that there were people who had vested interests in this section, and that the committee would benefit from more debate.

The Chair referred to the KPMG Submission and said that while we have to ensure that law enforcement is enabled, in other jurisdictions provisions assisting law enforcement officials are contained in separate Bills. The Chair expressed concern that if the registration clauses remain it should be considered that cryptography providers should not be dissuaded from entering the SA market.

The Chair referred to the Banking Council submission, where they stated that they presume that the council (and registration) is purely administrative. Furthermore they note that cryptography applies only to data messages and not to voice etc. The question is whether cryptography providers should register or not. If the Committee considers the definition of cryptography, they need to know how cryptography works. If someone says that they do not want to register, what compels the state to register the provider?

The Chair pointed out that the position of "if it ain't broke, don't fix it" is a myopic approach to the problem. Why cannot cryptography providers register if it is purely an administrative thing?

Ms Vos said that this cryptography service is regarded as being provided from South Africa if a South African uses it. In other words, as soon as you download a cryptography product, you need to register.

Mr Alan Barrett (Cequrux Technologies) said that the definition of cryptography in the Bill is very broad. For example, anyone who helps someone use a cryptographic device would then become a cryptography service provider. For what reason does the state think that it would be useful to have a register of cryptography providers? He suggested that the question is not "why not?" but "why?".

Mr Calvin Browne (Uniforum SA) said that he was, at that moment, using PGP, a cryptographic program. The program had a file that cites the authors of the cryptography software. The authors were from a large and eclectic number of countries. Thus he questioned whether South African law wants there to be mandatory registering of every person who deals with cryptographic devices? He mentioned that the program he is currently using is used to encrypt a message so that only the person with the key on the other end will be able to decrypt it. He stated that there is no "back door" to this type of cryptography and that the "genie (was) out of the bottle".

Ms Vos then said the American government had tried but failed to set up a mandatory register for cryptography providers.

Mr Dury (Linux Professionals Association) said that there is a misunderstanding about cryptography. During the time that it is being transmitted, no-one else can use it. The purpose of registering as a cryptographic provider would be to enable law enforcement to decrypt the message. However even if South Africa had a list of cryptography providers, because of the nature of cryptography the only way to decrypt the message would be for the criminal to provide the key. Trying every single key to decrypt the message (the "brute force method") would take a thousand years. The intention of this clause is that we would be able to trap criminals. However, the reality is that we are not going to be able to do so even if the register is required.

Mr Gore raised the issue of the Interception and Monitoring Bill currently being deliberated in the Justice Portfolio Committee. In this Bill they define cryptography as having four requirements. He asked why the definition of cryptography in that Bill was not the same as in this Bill?

An ANC member noted that his understanding of cryptography is small since his research had been conducted mainly around the Bill. However, his understanding is that cryptography is connected to digital signatures. Registered providers would be the people who would provide the advanced digital signatures. He added that it would not help for the Committee to consider the USA or UK model. The Committee must consider the bill before it at the moment.

Mr Wim Mostert (part of the drafting team; Senior Manager: Deloitte e-law) said that the purpose of a registry of cryptography providers is that the authorities will be able to go to the organisation and ask for the decryption key in terms of the Interception and Monitoring Bill. He pointed out that if this were to have no effect on cryptography providers themselves, why are they objecting?

The Chair stated that there was still a need to explain the concept of cryptography in as far as data messages are concerned. He wanted to focus on the register. The American government is saying that, while they appreciate they need to know what products are sold within South African borders, they are concerned that the Bill is overbroad.

Ms Mack (MIH) said that the problem is that local players would be disadvantaged by the Bill. Furthermore if MIH were to operate from Botswana it would have to register to provide a cryptographic product in South Africa. MIH pointed out that it is difficult to act against a person that is outside the country. In fact, the cryptography provider might not even know that they ought to register as a cryptography provider. Secondly, there is potential for conflict with the government. If there is a dispute as to what is a trade secret in terms of a cryptographic product then this must be resolved by the courts. There is already regulation about the exportation of cryptography and this is contained in the armaments legislation that is in line with international treaties.

Mr Dury reiterated that the idea of making a register is basically that you can trace the person back to the cryptography provider. He pointed out that the Bill as it currently stands would be prohibitive for Linux. He noted that it is impossible to register every cryptographic provider since cryptographic keys can be downloaded for free from an overseas provider. Furthermore it is by no means clear who the person(s) were who created the cryptography products. Taking this point to its logical conclusion, any person who provides or proposes to provide cryptography products in any form whatsoever would have to register as a cryptography provider.

An ANC member pointed out that the argument that says that if you register cryptography providers they will be unable to compete internationally is not a good enough reason not to legislate. He said that he was convinced that there is something deeper about cryptography that the public at the hearing did not want to talk about. He said complete secrecy is not desirable; he would want to be able to decrypt the information. He questioned what it was that people were hiding.

The Chair then noted again the link to the Interception and Monitoring Bill. He would talk to the Chair of the Justice Portfolio Committee so that whatever is done with the Interception and Monitoring Bill is consistent with the ECT Bill. He said that he did not understand why people had a problem with the register of cryptography service providers, aside from it being impossible to do.

Mr Mike Silber (NamespaceZA) attempted to clarify the issues. He said that even having a register for cryptography providers is irrelevant. This will still not be able to deal with the problem of being able to decrypt the message. Thus the Department of Communications will have to run the register for no apparent reason. He pointed out that if a person does anything with technology they will have to register as a cryptography provider. If the register of cryptography providers would enable law enforcement to break the code, then the register would be a "great idea". However the register would not accomplish this purpose. Therefore having a register is irrelevant. As an alternative to this point, he said that it is necessary to improve the definition of how far that register has to go when registering "cryptography providers".

Ms Vos then used the example of cryptography being provided to people who are going to use pipe bombs. Could law enforcement officials force the cryptography providers to produce all the secret keys so that you can get the message regarding the pipe bomb suspects?

Ms Smuts replied that if the pipe bombers used a foreign cryptography provider then there would be no way to decrypt the message anyway. She recommended that the problem be sent to Justice so that they could deal with it. She said that the only way to justify the register is for it to be in terms of safety and security. In short, Ms Smuts averred, a register will get you "exactly nowhere".

Mr R Pieterse (ANC) asked whether the register was implementable. He said that if the register cannot be implemented, why bother? He noted that if the register was not to the benefit of South Africans, then why would we prejudice our own citizens? Is the register like a directory and nothing more than that?

An ANC member said that few people would have access to that sort of technology. He alluded to the fact that few people object to their fingerprints being stored in Pretoria. Why then would they object to a register of cryptographic service providers?

Mr Gore stated that it is difficult to register since cryptographic products are available over the Internet. He pointed out that a criminal is unlikely to use a product that he knows that the security forces can decrypt.

Mr J Dowry (NNP) put forward that the definition of cryptography was too wide. He suggested that Chapter 5 might belong in the Interception and Monitoring Bill.

The Chair attempted to clarify the discussion by asking whether the concept was intellectual property. He gave an example of pharmaceutical products being introduced into South Africa and the need to regulate those products into South Africa. Furthermore he asked how the "I love you" virus was traced to the Philippines? In short the Chair wanted to know why it would be impossible for the register to have the intended effect of allowing access to all messages.

Mr Ant Brooks (Internet Service Providers Association) suggested that this committee should speak to the Justice Portfolio Committee. Existing cryptography providers would not have a problem with the law as it stands, but it might discourage SMMEs. He also said that there were very few companies that actually regarded themselves as cryptography providers.

Thereafter there was some debate about who exactly cryptography providers were.

The Post Office said that Prism and Thawte are examples of cryptography providers.

The ISPA denied that Thawte was a cryptography provider.

Ms Vos asked who then was the person who is being forced to register?

Mr Alan Barrett stepped in to define the concept of cryptography. He said that a provider does not provide the algorithms. Cryptography is a branch of mathematics. Every message can be reduced to a numeric form. Cryptography uses mathematics to perform transformations of the message to a different form. One uses the message and the key and arrives at a result. The recipient gets the result and the key and uses them together to arrive at the original message. There are some types of cryptography where the same key is used to encrypt and decrypt the message. Other types of cryptography will use two different keys. Most importantly, the supplier does not have the key, and even he cannot decrypt the encrypted message unless he has the key.

An ANC member asked Mr Barrett whether he agreed that there are people who do make the cryptography product available and they should be part of the register?

The Chair asked what a hacker does, and who bought Shuttleworth's system. It was said that Verisign, a large US company, bought Shuttleworth's system (Thawte).

Mr Barrett noted that he was part of a security company called Cequrux Technologies. He said that if there were to be a register and companies were forced to register, they would not have a problem with that, aside from the fact that it was pointless. However as the Bill stands, it requires millions of people to register as cryptography service providers. He pointed out that registering placed a burden on the state for no good reason.

The Chair said that they intended to pass the chapter, but that it will be made "friendly" so that it does not stifle the entrepreneur from entering the market. He made a distinction between a company that provides a cryptography service and the person that provides it within the company. The Chair was further concerned with the deletion of the chapter insofar as it affects the rest of the Bill, and what the effects of this might be.

Chapter 6: Authentication Service Providers
Mr Lance Michalson, representing the South African Post Office (SAPO), indicated that SAPO wish to be the preferred accreditation service provider.

Ms Vos referred to the MIH submission and said that the bill provides for authentication service products which are products designed to identify the holder. She referred back to clause 13(1) of the Bill that states that where a signature is required, this requirement is only met where an advanced signature is used. The net effect is that accreditation becomes compulsory if an accreditation service wants to be taken seriously.

Ms Smuts asked whether clause 13(1) was intended to apply to other legislation, and whether there is agreement that an advanced electronic signature will have to be used to sign a document? She asked if advanced electronic signatures will only be those that have been accredited? She pointed out that the accreditation is not on a voluntary basis. The only intention is to provide a standard for the electronic signatures. She referred to the MIH submission that stated it was wise to move with caution. Ms Smuts cited numerous examples of countries (such as Canada and Australia) that said that you should not have a minimum standard for digital signatures.

Mr Michalson said that authentication is not entirely based on public key cryptography. He gave the example of a PIN, or challenge and response over the Internet. The decision as to which authentication service provider must be used is a decision that is made on a risk basis depending on the type of contract. The more important the contract, the more secure the authentication. He pointed out that a certification authority is the most popular way of doing this. The fact that this is linked to advanced electronic signatures does not do away with the need for looking at other forms of authentication. The Post Office suggested that there should be face to face accreditation in terms of the Bill.

Ms Smuts asked whether South Africans want to have this section. She said that it was her suspicion that Government wanted to "have a piece of the action".

The Chair asked if there were any other points aside from the fact that the Director General of Communications should not be part of the system of accreditation.

Ms Versveld referred to clause 34, asking what "recognition" meant. Did it mean registration? Furthermore, she wanted to know what happened if the accreditation authority closed down. It was suggested that a provision should be made for the takeover of an accreditation authority.

Mr Michalson referred to their submission that SAPO be the preferred ASP, as it would be able to allow for the availability of accreditation authorities to all people, from whatever their background may be. They said that they were "talking about the real implications for people on the ground".

Mr Gore pointed out that the intention of the legislation was to increase the level of trust in a third party to a transaction. If that is the purpose of the clause, why are we trying to replicate the market provisions? Verisign and Thawte are authentication authorities already. Perhaps government can promote accreditation in another way.

Mr Barrett commented on the submission that the Post Office be the preferred Accreditation authority. He mentioned that he saw no provision that the Post Office is a preferred ASP. He asked whether that was an amendment? Should the Post Office not apply for registration like anyone else? He also asked whether a preferred accreditation service would then exclude other accreditation services?

The Chair said that the committee must ensure that whatever system is set up it must stand before a court of law. He made it clear that there must be a legal framework. It was not the intention of the committee to stifle technology or direct technology. The committee would support a technology-neutral approach.

Ms Smuts asked why the South African government wanted to create a government department when every other country has no similar department?

Ms Vos referred to the provisions on cybercops which would be created "with all our amazing people" who would know everything about technology and who would decide on accreditation. Ms Vos argued that this will stifle entrepreneurship.

Ms Smuts asked why the South African government is spending money on something that the SABS can do?

The Chair made it clear that if Ms Smuts wanted to delete the chapter out of the law then there is no reason for discussion about the provisions. The Chair went so far as to indicate that accreditation service providers (ASPs) will exist.

Mr Silber commented that the government should be involved, but perhaps someone else should help. He mentioned that there is a problem that the department "may" accredit, and that it would not be a satisfactory situation if no company was accredited. He also suggested that, to avoid confusion, the ASP should be called the "accreditation authority" and the domain name authority should be called the "domain name authority".

Ms Smuts again asked where the idea originated that people must use the government? From where did the idea come that people must be accredited?

Mr Mostert pointed out that an accredited signature is a result of an administrative decision, and it is vital to note that the government would not be liable if the signature is not valid. This was an essential element of accreditation.

Finally the Chair said that aside from the Post Office, Telkom has also offered to be the preferred ASP.

The meeting will reconvene on Friday, 24 May.
