Subscribe
About
  • Home
  • /
  • Security
  • /
  • Internet Society calls for crypto civil obedience

Internet Society calls for crypto civil obedience

By Phillip de Wet, ,
Johannesburg, 18 Jun 2002

The issue of control over the .za domain space may be hogging the limelight, but the Electronic Communications and Transactions (ECT) Bill which triggered the dispute contains other provisions more worrying to many IT experts.

Among these is a requirement that all providers of cryptography products and services provided in SA or to South Africans be registered in a government database. Many are worried about the broad wording of the clause and the jail term that non-compliance carries.

"The requirements to register 'cryptography providers` seems innocuous on the surface," says William Stucke, head of the local chapter of the Internet Society, in a summary of the Bill. "However, the reality is that once the Bill is signed into law by the president it will become an offence, carrying up to a two-year prison term, for anyone to sell a computer in SA."

Stucke says there are few areas of IT, and few practitioners in the market, that cannot be seen as providing crypto. Virtually all operating systems have modules for cryptography, as do all Web browsers. All secure online shopping sites provide encrypted information to customers. And .za administrator Mike Lawrie, who is locked in a battle with government over other provisions in the Bill, says even the TCP/IP protocol on which the Internet runs can be seen as a form of encryption.

"My view is that a public library with books on cryptography that they lend to the public must be registered [as a provider]," says Ant Brooks, chairman of the regulatory committee of the Internet Service Providers Association.

The reasoning behind requiring registration has also been questioned. Most see it as an attempt by the government to enable it to decrypt messages for intelligence purposes, yet it does not serve that purpose.

"It would appear that the [Department of Communication] has included this chapter under the misapprehension that knowing who supplied a cryptography product is of assistance in 'cracking` the encryption," says Stucke in his summary of the Bill. "Unfortunately, this isn`t true at all. No one is foolish enough to buy cryptography where a third-party knows the keys."

In all forms of encryption currently in general use, a secret key consisting of a long string of numbers is used to decrypt information, and without the key, decryption is impossible.

The critics are unanimous that the provisions will be impossible to implement, but say the provision must be protested as a matter of principle.

Stucke has some ideas as to how to achieve this. Lawrie has vowed to use civil disobedience in his fight against the Bill, but Stucke advocates the opposite for the cryptography provisions.

"Everyone should register," he says. By everyone, he means every Internet user in the country, every call centre staffer that helps Internet banking clients over the phone, every Linux enthusiast that provides copies of the operating system to his friends, and every individual at every IT department in the country who installs or manages software on company computers.

He believes that when the government has to employ a full team to manage a database that suddenly consists of hundreds of thousands of entries, while the database is of no possible use, it will realise its error.

The method for registration has not yet been determined.

The ECT Bill is due to be voted on by the National Council of Provinces at the end of this week, in the last step before it goes to the president for approval and to be signed into law.

A number of protest movements have sprung up around it, with petitions being drafted by at least two bodies and Web sites such as the new www.ectbill.co.za being established to act as a central point of information.

Correction: William Stucke is the outgoing head of the local chapter of the Internet Society. Rosi Stevenson was elected chairman of the body last year. ITWeb regrets the error.

Share