
Re: South African Law on Crypto Providers

On Tue, 2002-10-01 at 21:20, Lukas Geyer wrote:
> The South African government passed a law (apparently two
> months ago) which requires all crypto providers to register with the
> government for some fee. The law can be found under
> http://co.za/ect/a25-02.pdf (this is ridiculously large, seems to be a
> bitmap of some scanned-in document or such). The critical section is
> Chapter V, on pages 18 and 19 of said pdf. Specifically the law does
> not require that the provider resides in South Africa, it is enough to
> provide it to persons present in South Africa.

(Analysis is at the end of the message, for those familiar with the
legislation.  Typos are likely my fault except where noted; this PDF is
a bitmap and cannot be cut-and-pasted, so I am transcribing it.)

Specifically, the law provides for a cryptography provider registry, and
then places the following restrictions:

30. (1) No person may provide cryptography services or cryptography
products in the Republic until the particulars referred to in section 29
in respect of that person have been recorded in the register
contemplated in section 29.

(2) A cryptography provider must in the prescribed manner furnish the
Director-General with the information required and pay the prescribed
administrative fee.

(3) A cryptography service or cryptography product is regarded as being
provided in the Republic if it is provided--

(a) from premises in the Republic;
(b) to a person who is present in the Republic when that person makes
use of the service or product; or
(c) to a person who uses the service or product for the purposes of a
business carried on in the Republic or from premises in the Republic.

The penalties for violating this section of the law are described as

32. (1) The provisions of this Chapter do not apply to the National
Intelligence Agency established in terms of section 3 of the
Intelligence Services Act, 1994 (Act No. 38 of 1994).

(2) A person who contravenes or fails to comply with a provision of this
Chapter is guilty of an offence and liable on conviction to a fine or to
imprisonment for a period not exceeding two years.

There is a definitions section, in which we find:

"cryptography product" means any product that makes use of cryptographic
techniques and is used by a sender or recipient of data messages for the
purposes of ensuring--
(a) that such data can be accessed only by relevant persons;
(b) the authenticity of the data;
(c) the integrity of the data; or
(d) that the source of the data can be correctly ascertained;
"cryptography provider" means any person who provides or who proposes to
provide cryptography services or products in the Republic;
"cryptography service" means any service which is provided to a sender
or a recipient of a data message or to anyone storing a data message,
and which is designed to facilitate the use of cryptographic techniques
for the purpose of ensuring--
(a) that such data or data message can be accessed or can be put into an
intelligible form only by certain persons;
(b) that the authenticity or integrity of such data or data message is
capable of being ascertained;
(c) the integrity of the data or data message; or
(d) that the source of the data or data message can be correctly

> I am neither familiar
> with international law nor with South African law, so could some
> clueful people please comment on how this will affect Debian? Is
> providing crypto software on the internet already subject to this law
> or does it only apply if one ships CDs? Do we have any South African
> developers or what would be the consequences for the Debian project,
> i.e. would we risk to be arrested when traveling to South Africa?

I am not a lawyer in any jurisdiction, so the standard disclaimers

First of all, it seems clear that distribution of free cryptography
software is not allowed without registering with the government.  Our
official CD images, therefore, cannot be distributed to any South
African business doing business anywhere in the world (for example, the
De Beers New York office) or any person of any nationality in South
Africa; neither can any packages containing crypto.  Note that "crypto"
is defined to include data authenticity and integrity algorithms as
well, so md5sum is likely in the same boat as gpg or openssl in this

Furthermore, providing cryptography services is not allowed.  This
appears to be limited to the act of encrypting or decrypting; relaying
previously encrypted data appears to be OK.  Again, the data
integrity/authenticity clauses affect this; something as innocuous as
signing a ZA developer's key could be construed as an "encryption

Since services are considered provided "when that person makes use of
the service or product" (30(3)(b)), this may also affect our provision
of services such as online apt repositories.  The fact that MD5
checksums of various files are precalculated and stored in static files
without reference to any South Africans may not help, since someone in
ZA who types "apt-get update" will be comparing locally-calculated
checksums with downloaded values.  Besides the fact that apt is a
"cryptography product" (since it calculates MD5 checksums), we are
providing apt with input used in a cryptographic protocol, which sounds
like a cryptography service under the definition.

What's more, registration with the government does not end our
problems.  The GPL states:

  7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.  For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

The restrictions imposed by this law may be analogous to patent
restrictions.  The implication of this paragraph is that you must grant
distribution rights to all recipients of a GPLed program you distribute,
and that no other law (patent, court judgment, contract, or otherwise)
may supersede that requirement.  Granting such rights under this law
would be impossible for cryptography software, as you could not grant
distribution rights to recipients that were not registered.  Therefore,
it is possible that GPLed software that qualifies as a cryptography
product cannot be legally distributed in South Africa, even by people
who are registered.

Again, I should point out that this is a lay opinion.  I may be
interpreting the ZA law too tightly; there may be other information that
affects the interpretation of the law that I don't know.  I'd love to be
wrong in this case.
