ISOC-ZA's Response to the Electronic Communications and Transactions Bill
Version 02.05.07
Who and What is ISOC-ZA
Of all the entities in the world, only the Internet Society (ISOC) is recognised as being the "owners" of the Internet. It is a non-profit body, based in the USA, founded approximately 10 years ago when the Internet started to change character from being a research and academic network, and became a vehicle for commercial traffic. The individuals who invented and developed the Internet, e.g. Vint Cerf, were intimately involved in the founding of ISOC. The purpose of ISOC was to prevent, amongst other things, the word "Internet" from being patented or copyrighted by individuals who might have ulterior motives. Apart from such altruistic purposes, ISOC is the body that oversees the Internet Engineering Task Force (IETF), which is the body that sets the standards for the Internet, and which continues its excellent work in developing the protocols that make the Internet as useful and reliable as it is.
The Internet consists of a vast number of privately owned networks in voluntary cooperation. These networks have agreed to interconnect their networks and to carry traffic across those interconnections. All member networks have voluntarily subscribed to the relevant protocols and standards, known as "RFCs" (Request For Comment). These standards mandate the use of the TCP/IP protocol suite, amongst other issues. The Internet is self regulating and self policing, for the simple reason that any member network that fails to adhere to the appropriate standards - both technical and in terms of behaviour - finds itself "left out in the cold" since other member networks will either be unable to or will refuse to communicate with it. There is no single body that can claim ownership of the Internet as a whole, nor that can control its actions. The Internet is governed by means of a bottom-up consensus approach, which results in agreed standards. The IETF (supported and funded by ISOC) is the body that manages the editorial process for and publishes these standards.
ISOC has spawned many chapters in different countries. ISOC-ZA is the South African chapter of ISOC. Its charter is approved by ISOC, and its members are also members of ISOC. It is a non-profit organisation, and does not speak for industry or any other vested interests.
ISOC-ZA notes with pleasure that the Bill contains the concept of "selling" the benefits of Internet connectivity to the South African population at large, and regards that as one of its own purposes. ISOC-ZA will willingly partner with anyone, including government, in fulfilling this role.
Chapter I - Interpretation, Objects and Application
We feel obliged to point out some problems with some of the definitions in the Bill.
"advanced electronic signature" is a misnomer, and would be better described as "accredited electronic signature", thereby conveying more accurately what the Bill contains, and clearly still serving the purposes for Section 38.
"Authority" should be split into two, in order to give clarity. The terms "Accreditation Authority" and "Domain Name Authority" are, we feel, more appropriate, and the text of the Bill should be changed accordingly.
"browser" and "hyperlink" do not convey the correct meanings of these two terms. The definitions become unnecessary if, in Section 80, the word "hyperlink" were to be changed to "link".
"cache" does not capture accurately its meaning in an Internet context. In particular, most web caches store data on disk, and not in "high speed" memory. Although the only place in the entire Bill in which the word "cache" is actually used is in the definition, this poor definition might colour the interpretation of section 78(1). Hence the definition should be removed from the Bill.
"ccTLD" is not worded accurately, and we support the views of Namespace ZA in this regard.
"cryptography product" and "cryptography service" are neither good nor accurate definitions. There are three distinct and separate issues associated with a data message, viz. integrity, authentication and encryption. All three are necessary in some form or other for e-commerce, singly or in combination according to the circumstances. Integrity ensures that the data message has not been corrupted; authentication ensures that the author of the message can be ascertained with certainty; and encryption makes a data message unintelligible to anyone who does not have the key for decrypting the message. Some products, e.g. Pretty Good Privacy (PGP), can do some or all of these, depending on how the product is invoked. So describing PGP as a cryptography product is incorrect when it is used in its data integrity mode, but correct when it is used in encryption mode. Similarly, Microsoft Outlook, for example, provides facilities to perform all three of these functions. This Bill could therefore be interpreted to require licensing of Microsoft Office, or even Internet Explorer, as a "cryptography product".
There are products such as MD5 which use sophisticated checksumming algorithms in order to provide for integrity but not for authentication or encryption. Even a simple word count is an integrity product (albeit a weak one), as is the size in bytes of a data file.
The Bill needs to distinguish between the ways in which any one product is used, and should most definitely not classify any product that ensures integrity of a data message as being a "cryptography product". Were the Bill to do so, then the protocol that underlies the Internet, viz. the Transmission Control Protocol (TCP), would be a "cryptography product", because TCP ensures integrity of the data being transferred.
It would be better to change the "or" of (c) to be an "and", but then a product like PGP that is capable of encrypting but is not used in encryption mode might still fall under this definition.
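As an added illustration of the distinction drawn above (example code written for this commentary, not part of the ISOC-ZA submission), the following Python attaches three checks to one constructed sample message: the RFC 1071 Internet checksum that TCP applies to every segment, an MD5 digest, and an HMAC-SHA256 tag under an assumed shared key. It then shows that all three detect accidental corruption, but only the keyed tag distinguishes a deliberate alteration, so the checksum and MD5 give integrity alone, the HMAC adds authentication, and none of them encrypts anything.

```python
"""Integrity versus authentication over one data message.

Three checks are attached to the same message:
  * the Internet checksum of RFC 1071, which TCP computes over every segment
  * an MD5 digest (the "sophisticated checksumming" referred to above)
  * an HMAC-SHA256 tag under a shared key
The first two detect accidental corruption but anyone can recompute them; only
the keyed tag lets the receiver tell an altered message from a genuine one.
None of the three conceals the message, so none of them is encryption.
"""
import hashlib
import hmac

MESSAGE = b"Pay R1000 to account 12345"   # constructed sample data message
KEY = b"shared-secret"                     # assumed key known only to sender and receiver


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length input with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return (~total) & 0xFFFF


def md5_digest(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(data: bytes, key: bytes) -> dict:
    """What the sender attaches to the message."""
    return {"checksum": internet_checksum(data),
            "md5": md5_digest(data),
            "hmac": hmac_tag(key, data)}


def verify(data: bytes, seals: dict, key: bytes) -> dict:
    """Receiver recomputes each check; True means that check accepts the message."""
    return {"checksum": internet_checksum(data) == seals["checksum"],
            "md5": md5_digest(data) == seals["md5"],
            "hmac": hmac.compare_digest(hmac_tag(key, data), seals["hmac"])}


def after_line_noise(data: bytes, seals: dict, key: bytes) -> dict:
    """Accidental corruption: one bit flipped in transit. Every check catches it."""
    noisy = bytearray(data)
    noisy[0] ^= 0x01
    return verify(bytes(noisy), seals, key)


def after_alteration(data: bytes, seals: dict, key: bytes) -> dict:
    """Deliberate alteration by a third party who recomputes whatever needs no secret.
    The checksum and MD5 accept the altered message; the HMAC, which cannot be
    recomputed without the key, rejects it."""
    altered = data.replace(b"12345", b"99999")
    altered_seals = dict(seals)
    altered_seals["checksum"] = internet_checksum(altered)   # no secret needed
    altered_seals["md5"] = md5_digest(altered)               # no secret needed
    # Without the key, the original tag is the only one that can be attached.
    return verify(altered, altered_seals, key)


if __name__ == "__main__":
    seals = seal(MESSAGE, KEY)
    print("intact:     ", verify(MESSAGE, seals, KEY))
    print("line noise: ", after_line_noise(MESSAGE, seals, KEY))
    print("alteration: ", after_alteration(MESSAGE, seals, KEY))
```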
"data" does not convey the general meaning of this word. We are concerned that by having such a definition in one law, there might be a precedent set that causes this definition to be used in circumstances not related to the purposes of the ECT Bill/Act. We thus propose that the wording read
"data" for the purposes of this Act means etc
"data message" causes a problem in the definition of "web page", there being a circular definition. In "web page", it would be more accurate to replace "a data message" with "a copy of a document".
"domain name" is not a good definition, and we suggest a rephrasing, viz:-
"domain name" means a hierarchical alphanumerical designation that is registered or assigned in respect of a resource record on the Internet.
"domain name system" is not an accurate description, and we suggest a rephrasing, viz:-
"domain name system" means the system used on the Internet among other things to translate domain names into IP addresses
"electronic" is not a good definition at all. On the one hand, it excludes the field of analogue electronics, and on the other hand there are very many things that are "intangible" that are most definitely not "electronic". Given the general thrust of the Bill, we feel that a far better definition would be:-
"electronic" means in a form that can be stored or processed on a computer
"home page" is not required, since the term appears in the Bill only in the definitions.
"ICANN" needs to be modified to be phrased "state of California, USA".
"information system" should not include the words "and WAP communications", as this is covered in the Internet itself.
"information system services" is not required if this is reworded, in keeping with our comments on "service provider", to read:-
"service provider" means anyone who provides connections, operates facilities for generating, sending, receiving, storing, displaying or otherwise processing data messages including the Internet, provides access to information systems, etc
"Internet" is not an accurate description. We suggest: -
"Internet" means the global network of interconnected networks that use the TCP/IP protocol suite.
"IP Address" should be rephrased to read
"means the number identifying the point of attachment of a computer or other device to a TCP/IP network."
"person" appears to exclude by implication all private bodies. We suggest:-
"person" includes a public or a private body.
"registry" should limit the licensing by the Authority ("of Chapter X") to second-level domains.
"sub-domain" should be rephrased to read "means any subdivision of the .za domain name space which begins at the second level domain."
One reading of this definition suggests that it covers nothing, since all domain names begin at the root domain.
Another reading has this covering any domain name with at least two components, ending in '.za'. This leads to a problem if you combine it with the likes of 68.(1), viz:-
"(1) No person may update a repository or administer a sub-domain unless such person is licensed to do so by the Authority"
This means that it will be against the law for someone in South Africa to be an unlicensed administrator of a domain such as "planet.co.za". We submit that this will lead to serious problems, given that there are already over 100,000 co.za domains alone, never mind gov.za, mil.za, ac.za and others. If this is the intent, we advise that it is highly undesirable; if it is not the intent, then clarity is required either in the definition or in the places where the term is used.
"web page" -- it would be more accurate to replace "a data message" with "a copy of a document".
"World-Wide Web", as proposed in the draft bill, is worded "means an Internet hyperlinked distributed information retrieval system and INCLUDES ALL DATA MESSAGES RESIDING ON ALL COMPUTERS LINKED TO THE INTERNET." [our emphasis]
Now, given that a "web site" is defined as "any computer on the Internet containing a home page or web page", and that a "web page" is apparently "a data message on the World Wide Web" then, according to a pedantic reading of the bill, your computer will soon be a web site, even if all you do is use it for sending and storing email. This cannot be intended, so rewording is necessary.
Section 2(1) (Objects of Act)
We particularly wish to endorse clauses (2)(1)(a), (e), (m) and (p). We also wish to endorse (2)(1)(q), but disagree with the proposed implementation of 2(1)(q) in the Bill. We support the comments of Namespace ZA in this regard.
Chapter II - Maximising Benefits and Policy Framework
Section 5(3)(b) (National e-Strategy)
We are concerned about the term "every person". This is very broad indeed.
Section (5)(3)(f) (National e-Strategy)
The word "continually" will present a problem. Surveying and evaluating cannot be done "continually", although it can be done "periodically" or "regularly".
Section 8(3)(e) and (f): (Human resources development)
These are highly specialised functions, and only a handful of people will be involved. While we regard as commendable the requirement that there be a promotion of skills development in the other areas of 8(3), those other areas will involve many persons and require large-scale activities that are likely to require government intervention of some kind. This is not so for (e) and (f). Further, and in particular, (f) is not related to any other issue in the Bill. These two clauses should be excised from the Bill.
Section 10(2)(b)(iii) (Electronic transactions policy -international issues)
We wish to endorse this clause.
Chapter III - Facilitating Electronic Transactions
Section 14(2)(a) (Original)
We suggest that the word "formatting" be added towards the end. The clause will then read:-
by considering whether the information has remained complete and unaltered, except for the addition of any endorsement and any change that arises in the normal course of communication, storage, formatting and display
Section 17(1) (Production of documentation or information)
The term "electronic form" presents a potential problem, given the definition of "electronic" as proposed in the draft Bill. Literally taken, this means that a person can produce a strip of magnetic tape, or a magnetic disk in the most obscure format, and the requirements are met. For example, at the time that a data message was generated on an Apple ][ computer the conditions of 17(1)(a) and (b) were met, but in today's world one will be hard put to read the disk on which the data message was stored, because of the proprietary format of the data layout on such a disk. This is true of many magnetic tape systems and character sets of mainframe computers (e.g. Burroughs, Sperry, Control Data), and in recent times 360 KB and 1.2 MB floppy disks from a PC are difficult to read. One must bear in mind that the document, in whatever form, must be readable by humans at the time that the information is required.
Chapter IV - E-Government
We note with approval that this Chapter allows public bodies to make use of electronic communications and transactions. However, we are disappointed that, contrary to the resolution taken at the last E-Law Workshop last year, no requirement has been placed on Government Departments to offer such facilities within reasonable time.
Chapter V - Cryptography Providers
General
These provisions are a dangerous step down the slippery slope to crypto regulation, and don't seem to lead to any discernible public benefit. The whole chapter should be removed.
Section 33(2) (Application of chapter and offences)
The period of imprisonment is contradicted by the provisions of section 93(1).
Chapter VI - Authentication Service Providers
General
These provisions are a dangerous step down the slippery slope to crypto regulation, and don't seem to lead to any discernible public benefit. The whole chapter should be removed.
It seems like a terrible waste of taxpayers' money to implement an entire registration mechanism to support accreditation. If a "mark of approval" is really necessary (and there's certainly an argument that one might be useful), isn't this something that, say, the SABS is much better set up to do?
In addition, the Bill links "authentication" with "encryption" (section 36 on "authentication" is linked to section 31 on "cryptography"). This is an issue that is open to debate. We submit that the two are not linked. Hence, given that the deputy Authorities may "temporarily suspend or revoke the accreditation of an authentication product or service" (37(1)(b)), and the accreditation is voluntary, there is the very real likelihood that no one will voluntarily submit to an accreditation process. That is, Chapter VI does not appear to have much of a purpose. Surely the SABS can give its "mark of approval" for authentication procedures to those who wish to get such a mark?
Who should have the Powers?
We wish to point out that in section 35 there are powers given to the Director General (to act as a one-person Authority, without control). In sections 41 and 42, similar powers are given to the Minister. All of these powers relate to matters that require highly specialised skills and knowledge, and can readily be left to the SABS in the first place.
Section 37(1)(a) and (b)(Duties of Authority)
The powers given to the Authority are sweeping, so there needs to be an appeal mechanism.
Section 39. (Criteria for accreditation)
The Authority should be required to state its reasons for every non-accreditation, and there should be a mechanism to challenge those reasons.
Section 40. (Revocation or termination of accreditation)
The Authority should be required to state its reasons for every revocation or termination of accreditation, and there should be a mechanism to challenge those reasons.
Section 41(1) (Accreditation of foreign products and services)
This section contains the wording "no person may provide".
We feel that clarification is required as to who this refers to, e.g. is it the inventor, manufacturer, retailer, distributor, IT techie who installs the product, and so forth. Which of these persons is required to be recorded in the register of section 30(1)?
Further, we wish to point out that a product such as Microsoft's Windows 2000 has several "cryptography products", e.g. Kerberos, Encrypted File System (EFS), IPSec, PKI and more. Therefore the question arises as to who has to be registered when using Win 2000? Is it Microsoft, GroupWise (who distribute Microsoft products in SA), Incredible Connection (a retailer), the person who installs Win 2000 on a PC, or who?
The matter does not stop there. There are public domain products, like Pretty Good Privacy (PGP), Gnu Privacy Guard (GPG), Kerberos, and more. Who has to register these products? Is it the end user who installs or uses them? That's going to make for an impossible situation.
We wish to point out that the United States has attempted to regulate cryptography. It was an ill-founded move, and was contrary to commercial interests. The US has subsequently relaxed the restrictions (e.g. 128-bit cryptography is no longer on their munitions list, restrictions on PGP were lifted). However, these restrictions contributed directly to South Africa's Thawte Consulting being bought by the US's Verisign for about R3.2 Billion, and hence Mark Shuttleworth got to travel to the International Space Station.
Chapter VII: Consumer Protection
General
While we support the concept of consumer protection, we feel that this Chapter only protects individuals and not organisations. This is particularly an issue when read with section (2).1(p) in the objects ("promote SMMEs within the electronic transactions environment"). Right now it's really easy for an SMME to set up a website and to start selling its wares. If this section passes, any little micro-enterprise is going to have to spend time, and possibly hire external advice, to ensure that its site complies with every nitpicky provision of this section.
Section 43(2)(f) (Scope of application)
This should be changed to read
Where the goods or services
Section 44(1) (Information to be provided)
We wish to point out that a supplier offering goods or services by way of electronic transactions would be required in terms of this Bill to have a web site. There is no fundamental reason why goods or services cannot be sold by other types of electronic transactions, e.g. by email. Were that to happen, then the provisions of 44(1) should also apply. We suggest that the clause be worded as follows:-
A supplier offering goods or services for sale, for hire or for exchange by way of an electronic transaction must make the following information available to consumers on the web site or other medium where such goods or services are offered:
Section 44(2) (Information to be provided)
We feel that it is essential to have a provision that prevents an order from being placed by default by a consumer, for example where a screen is displayed for only a short period before timing out and the consumer did not realise that a cancel key had to be pressed. The commitment to an order done electronically must require a very clear pro-active action by the consumer, and it must be crystal clear to the consumer that s/he is placing an order by performing that action. The default action must always be to cancel the order.
Section 45 (Cooling off period)
There appears to be no obligation on the part of the consumer to return the goods.
Section 46 (1) (Unsolicited goods, services or communications)
We regard it as unnecessary to limit the provisions to "commercial" communications, and suggest that this word be removed, so that the clause reads:
Any person who sends unsolicited commercial communications to consumers, must provide the consumer
Section 47(3) (Performance)
There is nothing to compel a supplier to notify a consumer within any particular timescale, which is a loophole that unscrupulous suppliers could exploit.
Section 48 (Applicability of foreign law):
We are concerned about the impact that this clause will have on purchases via the Internet from foreign organisations. E.g., Amazon.Com is hardly likely to comply with 44(1)(f) relating to registration information in South Africa, because by simple extension it could have to do so for every country in the world that has an e-commerce law with similar provisions. South Africans need to be able to buy from organisations like Amazon.Com, but Amazon.Com hardly needs to go to a lot of trouble for the very small percentage of its business that is generated from South Africa. A voluntary code of conduct is a far more suitable way to handle this issue.
Chapter VIII: Protection of Personal Information
General
The wording of section 51 is contradictory. 51(2) seems to say that the entire chapter is basically nothing more than a list of voluntary principles to which people may choose to subscribe, which makes it seem a little irrelevant in a piece of legislation. It is not clear whether section 52 is a statutory requirement of all data collectors, or only of those that choose to adopt the principles.
If it is voluntary, section 51(3) seems to say that if you subscribe to one of the principles, you've got to subscribe to the lot. So it is lawful not to offer any protection at all, but not lawful to offer some protections, but not all of them?
In short, clarification on the voluntary (or otherwise) nature of this chapter is required.
There's something vaguely contradictory in some of the principles of section 52. If a data controller collects some data in January, which becomes obsolete in June, then must he delete the obsolete data in that June, as section 52.(8) requires him to do, or must he retain it another twelve months, as section 52.(5) requires him to do?
Section 52(7) (Principles for electronically collecting personal information)
"Keeping a record of any third party to whom the personal information was disclosed" presents an impossible situation in the case of a number of Internet services. For example, the "whois" service, which allows anyone to find out essential information about another party, does not allow the identity of the requester to be determined. The whois information provides contact information of another party at a time when one's network is under attack from a hacker. The whois service relies on the UDP protocol of the TCP/IP protocol suite. At best, someone who provides a whois service can record the date and the supposed IP address (which might not be at all correct), but that does not meet the requirements of this section. In particular, the identity of the requester is not known for a whole range of Internet services.
In addition, the clause requires that the data controller keep a record of the purposes for which the information was disclosed. This is impossible: the data controller of a whois service has not the slightest idea as to why the information was requested (and hence disclosed).
The law should not result in all whois servers in South Africa being closed down. The disruptive effect to the Internet would be severe, particularly if there were to be a major attack on the Internet such as another "Morris Worm".
There are other services as well for which no record can be kept. For example, the domain name system is capable of storing personal information in TXT records, and it also uses the UDP protocol; hence no accurate record can be kept.
Chapter IX Protection of Critical Databases
Section 54. (Identification of critical data and critical databases)
The Minister is given sweeping powers, and therefore there needs to be an appeal procedure.
Section 54(a). (Identification of critical data and critical databases)
The phrase "or the economic and social well-being of its citizens" is extremely broad, and hence makes for dangerous legislation that a future government could all too easily abuse.
Section 56(1) (Management of critical databases)
There should be an obligation on the Minister to consult with persons who have expert knowledge of the particular critical databases in question, as well as with concerned parties.
Section 57(1) (Restrictions on disclosure of information)
This clause appears to restrict information that is both in the register of critical databases and in the public domain from being disclosed. Presumably the intent is that information may not be disclosed directly from the register, or similar wording.
Section 58 (Right of inspection) and Section 59 (Non-compliance with Chapter)
We don't believe that it is appropriate to give such powers to a Director General, who is not accountable to the electorate, and we feel that a Minister should be involved. This is not to say that we agree that the Minister of Communications is the appropriate Minister for this subject matter; the Minister of Trade and Industries would be more appropriate.
Both of these sections require an appeal mechanism to prevent abuse.
Section 58(2) (Right of inspection)
There needs to be a constraint of "reasonableness" and a requirement of "competency".
Chapter X - Domain Name Authority and Administration
General
Our comments on matters of principle are as follows: -
Appointment of all zaDNA board members by the Minister is a gross violation of democracy. We are concerned that an excessive desire for control on the part of the DoC will not benefit the industry or the country.
The basis on which Board members are proposed to be chosen does not provide for adequate representation of affected parties, nor does it provide for sufficient technical expertise on the Board to ensure that informed decisions are made.
We fail to understand why the Department of Communications in particular feels that it has a better "claim" on the administration of the .za name space than any other Government department, or for that matter the private sector. The private sector has administered this area since its inception in SA in 1991. To our knowledge, there is not a single poor, disadvantaged or disabled person who has had difficulty in registering an .x.y.ZA domain, and who would have had less trouble registering such a domain if dealing with a parastatal bureaucracy. Witness the joys of registering a company at Zanza House. Imagine the difficulties a wheelchair-bound person experiences in trying to reach across the counter.
The provisions in parts 1, 2 and 3 of this Chapter are in direct contradiction of objectives (d), (i), (k), (m), (o), (p) and (q) of Clause 2 - Objects of the Act.
We do not understand why the DoC proposes legislation that binds South Africa unconditionally to the whims of ICANN, whereas all other countries that we are aware of are negotiating their terms of contract with ICANN.
In our opinion, the country would be best served by the deletion of parts 1, 2 and 3 of this chapter in their entirety. They should be replaced by recognition of an external, private sector body, such as was recently constituted. This body should be charged with the administration and oversight of the .ZA name space and be given due legal recognition. It would be appropriate for some arm (perhaps consisting of DoC and / or DTI representatives) of the Government to retain the legislative right to withdraw its support from such an administrative body if it was to act in a manner grossly prejudicial to the interests of South Africa and its Internet stakeholders.
The recent example of the transfer of the .AU domain administration is illustrative and highly parallel. As in SA, the .AU ccTLD was administered by one of the early Internet pioneers in that country, in his personal capacity and at no cost. As in SA, it became appropriate for this responsibility to be transferred to an open and representative private sector body. In Australia, this body (called auDA) has been recognised by and given support by the Australian Government. See http://www.icann.org/montevideo/au-agreement-topic.htm. ICANN fully supports this transition. The Australian Government has passed supportive legislation, which allows for a similar withdrawal of support and possible future redelegation in the event of malfeasance. We would respectfully suggest that the South African Government provide similar support and recognition to NameSpace ZA, an equivalent body formed on 31st August 2001, with broad support from the ISP, Registrar, Registrant, Academic, NGO, Legal, civil society and end user communities.
This legislation can assist the domain registration process by giving clarity to trademarks and related issues, and how these relate to domain names. Part 8 of this chapter is a good start in this respect.
We are rather confused by the specific inclusion here of representation for disabled persons. We do not see this as an issue relating specifically to domain names. However, it is important that provision is made for disabled persons in terms of web access and in particular HTML coding. We respectfully refer you to the US example of Section 508 of the Rehabilitation Act: Electronic and Information Technology Accessibility Standards. See http://www.access-board.gov/508.htm
We wish to endorse the comments on this chapter as submitted by Namespace ZA.
Chapter XI: Limitation of Liability of Service Providers
Most of this section is very good: the idea of limitation of liability for innocent common carriers is an excellent one. The idea of requiring providers to belong to an accredited body to benefit from this protection is an awful one, however. Why should a provider be forced to join an accredited body in order to benefit from basic, sensible legal protections? Worse, who is to say that a body such as the Internet Service Providers Association (ISPA) will be the/an accredited body? That's likely (but not certain) to be the case now, but it's possible to imagine a less friendly future government deciding to revoke ISPA's accreditation and to accredit the AIFM (Association of ISPs Friendly to the Minister) instead. Even if that doesn't happen, the link between legal protection and accreditation provides a wonderful stick for governments to beat ISPs over the head with ("if ISPA doesn't do X [allow Telkom to buy all its members up, donate 15% of its members' gross income to the universal service fund, whatever], we'll revoke its accreditation...").
Much better would be to have a straightforward, objective, relatively unambiguous definition of a service provider, and to allow any entity that meets that criterion to enjoy equal protection under the law.
Section 77(1)(d) (Mere conduit)
Reword to read
does not modify the data contained in the transmission except as provided for in clause 14(2)(a)
Section 78(1)(a) (Caching)
Reword to read
does not modify the data except as provided for in clause 14(2)(a)
Section 79. (Hosting)
We wish to see a clause that conveys this sentiment: -
A service provider shall remain not liable for damages if he maintains the status quo during any dispute unless instructed otherwise by a competent authority.
Section 80. (Information location tools)
Change "hyperlink" to "link", so that the opening clause reads:
A service provider is not liable for damages incurred by a person if the service provider refers or links users to a web page containing an infringing data message or infringing activity, by using information location tools, including a directory, index, reference, pointer, or hyperlink, where the service provider
Section 82(1) (No general obligation to monitor)
We give this clause our very strong support.
Section 82(2) (No general obligation to monitor)
We find it odd that it is necessary to state in any Act that a clause in the Act is subject to the Constitution.
Chapter XII: Cyber Inspectors
General
We feel very strongly that the contents of this chapter are a matter for the Department of Justice and NOT for the Department of Communications.
The provision for "Cyber-Inspectors" is interesting. We understand the public relations value such persons might have. We also understand the possible value in having experts available to law enforcement agencies on "cyber matters". We would caution, however, that there is considerable potential for damage if these persons are not adequately trained and skilled. Imagine the scenario where a "Cyber-Inspector" has received an erroneous complaint. He could cost a business many hours, if not days, of lost time in explaining to him / her where his / her understanding of the facts is faulty.
We suggest that these "Cyber-Inspectors" should be comprehensively trained, with a more than working knowledge of all common desktop operating systems, server operating systems, application packages as well as a basic understanding of networking and routing issues. Such skills are relatively rare, and are certainly expensive.
Section 84(1) (Appointment of cyber inspectors)
A cyber inspector should most certainly NOT be "any" employee (e.g. a janitor), but rather a "suitably qualified" employee (who would have to have both expert IT and legal skills as well as detailed experience of how to gather forensic evidence).
Section 85 (1) (Powers of cyber inspectors)
A cyber inspector may: -
"(a) monitor and inspect any web site or activity on an information system in the public domain;"
So, according to our reading, should the Bill pass, the South African taxpayer will soon be supporting an elite corps of "Cyber Inspectors", one of whose primary duties will be web surfing anywhere on the Internet?
Section 85(1)(c)(ii) (Powers of cyber inspectors)
Add the word "allegedly" so that this reads: -
investigate the activities of an authentication service provider allegedly falsely holding itself, its products or services out as having been accredited by the Authority or recognised by the Minister as provided for in Chapter VI; and
Chapter XIII - Cyber Crime
Section 90(3) (Unauthorised access to, interception of or interference with data)
What is meant by "unlawful" in this context? We feel that some clarification is needed.
"A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program, which is designed primarily to overcome security measures for the protection of data..."
If someone offers a "snooping" program like nmap on his web site for you to download in order for you to test your own system's security, is that lawful? It SHOULD be. If, on the other hand, someone offers nmap on his web site for Joe Hacker to download in order to crack someone else's network, is that lawful? It should NOT be. Problem: how do we tell which is which?
In addition, it is essential that the country develops and encourages network security expertise. We hope that there will never be a major attack on the Internet, but when it comes, the country must be ready. So, persons who might develop such expertise need to be allowed to possess and use such programs, or these skills will never be developed.
There is an analogy with keys. A manager of a hotel should have duplicate keys (in a secure place) so that in case of fire or other emergency his staff can assist with the evacuation of persons who might be locked in their rooms. But Joe Criminal should not have those duplicate keys, yet there need to be locksmith skills in the country in order to produce duplicate keys and to unpick locks under certain conditions.
There are also issues of "fair use", where the legal owner of a legitimately purchased product should be entitled to break the copy protection scheme of that product for his own personal and fair use. For example, accessing a Digital Video Disk (DVD) using a Linux open source program known as DeCSS could easily be defined as an act of bypassing security measures, because the program was not licensed by any authority. The Motion Pictures Association could easily claim that this use is unauthorised and hold the perpetrator liable, even though the perpetrator was conducting a fair use act to use the disk on any operating system he desires. Of course, by the same token, distributing this program could be considered illegal.
We don't want to end up in a situation where corporations can use this law to completely restrict our access to data that we already own.
Summary
ISOC-ZA welcomes the introduction of legal certainty into the Internet world. We particularly support the introduction of Chapter III, which gives legal weight to electronic communications and agreements. However, we feel that some of the provisions in this Bill are ill-conceived. Indeed, several Chapters could be excised in their entirety without any harm to the country.
ISOC-ZA wishes to make itself available to the PPCC for any consultation or assistance that we might be in a position to provide during its deliberations or at any other time. Furthermore, we wish to place on record our willingness to assist with and participate in any measures implemented to extend the reach of the Internet in South Africa.