UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE REGULATION OF INTERCEPTION OF COMMUNICATIONS AND PROVISION OF COMMUNICATION-RELATED INFORMATION ACT NO. 70 OF 2002
The Regulation of Interception of Communications and Provision of Communication-Related Information Act No. 70 of 2002 (RICA) states that the interception and monitoring of communications is prohibited unless:
- a directive has been granted that permits the prohibited activities;
- the party protected by RICA gives requisite consent;
- the entity engaging in the activity was also a party to those communications;
- it is to intercept, monitor or disseminate information of an employee while carrying on a business;
- it is to prevent serious bodily harm;
- it is to determine a location during an emergency; or
- if entitled to do so in terms of other legislation.
An interception direction can only be issued if a judge is satisfied that a serious offence has been or will be committed, or the gathering of information is necessary due to an actual threat to public health or safety, national security or compelling national economic interests of the Republic.
Chapter 3 of RICA sets out circumstances under which an applicant may apply for an interception and monitoring direction and entry warrants along with the manner in which such directions and entry warrants are to be executed.
Section 16 of RICA states that an applicant may apply in writing to a designated judge for an interception direction where there are reasonable grounds to believe that a serious offence has been, is being or will probably be committed, or in order to gather information concerning an actual or potential threat to public health or safety, national security or compelling national economic interests. In terms of Section 22, the applicant may simultaneously apply for an entry warrant.
Section 21 of RICA provides for the issuing of decryption directions by application to a designated judge.
Oral applications for any direction or warrant listed above may be made in terms of Section 23 of RICA.
Section 30 of RICA states that a telecommunications service provider must provide a telecommunications service which has the capability to be intercepted and store communication-related information. A directive sets out:
i. the capacity needed for interception purposes;
ii. the technical requirements of the systems to be used;
iii. the connectivity with interception centres;
iv. the manner of routing duplicate signals of indirect communications to designated interception centres; and
v. the manner of routing real-time or archived communication-related information to designated interception centres.
Disclosure of Communications Data
RICA requires a telecommunications service provider to intercept and store communication-related information which is commonly referred to as metadata.
Section 17 of RICA provides for the issuing of a real-time communication-related direction. This is required where no interception direction has been issued and only real-time communication-related information on an ongoing basis is required. An applicant may apply to a designated judge for the issuing of the direction.
Section 19 of RICA provides for the issuing of an archived communication-related direction. If only archived communication-related information is required, an applicant may apply to a high court judge, a regional court magistrate or a magistrate for the issuing of this direction.
National Security and Emergency Powers
Except as set out above, the South African government does not have any legal authority to invoke special powers in relation to access to a mobile network operator’s customer data and/or network on the grounds of national security.
Oversight of the Use of Powers
As detailed above, applications under RICA may be made to a designated judge, high court judge, regional court magistrate or magistrate as necessary. A ‘designated judge’ refers to any judge of a High Court discharged from active service under Section 3(1) of the Judges’ Remuneration and Conditions of Employment Act No. 47 of 2001 or any retired judge who is designated by the Minister of Justice to perform the functions of a designated judge for the purposes of the act.
There is no judicial oversight of the requirement to maintain interception capability under Section 30 of RICA. The cabinet member responsible for communications, together with the Minister of Justice after consultation with the Independent Communications Authority of South Africa and the telecommunications service provider/s concerned, must, on the date of the issuing of a telecommunications service licence, issue a directive as detailed above.
SHUT-DOWN OF NETWORK AND SERVICES
There is no national security legislation that empowers the government to order a blanket shut-down by network providers of their network or communications services.
However, subject to compliance with the provisions of Section 37 of the Constitution, the government may, after declaring a state of emergency, implement measures that derogate from the protection afforded under the Bill of Rights. Such measures may include derogation from the guaranteed right to receive and impart information or ideas as set out under Section 16(1)(b) of the Constitution. Moreover, such measures can include the order for the suspension of communications services. A state of emergency can only be declared through an Act of Parliament and only where the nation is threatened by war, invasion, disorder, natural disaster or other forms of public emergency, or where the declaration is necessary to restore peace and order. States of emergency are measures of last resort and can be justified only by an exceptional crisis which affects the whole population and constitutes a threat to the organised life of the population; the mere existence of disorder or unrest is not sufficient.
The Electronic Communications Act No. 36 of 2005 (the EC Act) and the Independent Communications Authority of South Africa Act No. 13 of 2002 (the ICASA Act) empower the Authority to suspend or cancel an individual network provider’s licence (such as Vodacom’s) in specific instances. Such a suspension or cancellation would mean that the affected licensee would be unable to provide its network or services – it would effectively shut them down. It can only be directed at an individual licensee due to its non-compliance with regulatory requirements; it cannot be a blanket order to all network provider licensees, even during periods of unrest or emergency.
A law enforcement authority can also, at any time, seek a court-ordered subpoena to require a network provider to shut down its network or services.
BLOCKING OF URLS & IP ADDRESSES
It is feasible that network providers (such as Vodacom) might be requested to block certain URLs or IP addresses. However, no such request has been made to date.
POWER TO TAKE CONTROL OF VODACOM’S NETWORK
The government does not have the legal authority to take control of Vodacom’s network. It is hypothetically possible that the powers exercised by the government during a state of emergency might amount to taking control of a network provider’s network, but this is without precedent.
Oversight of the Use of Powers (Censorship-related)
A network provider may submit a complaint about a request made to it by the government or a law enforcement authority, including during a state of emergency, to the Inspector General of Intelligence. The Inspector General of Intelligence oversees the activities of law enforcement authorities, such as intelligence agencies and the police. Upon a complaint being made by a network provider, the Inspector General would investigate and provide an opinion as to whether that network provider should comply with the request or not.
Each court-ordered subpoena contains a date at which a court hearing will take place. Should the network provider subject to the court order decide to challenge the subpoena (including the obligation to comply with it), it can do so at the scheduled court hearing.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
The Regulation of Interception of Communications and Provision of Communication-Related Information Act No. 70 of 2002 (RICA) requires a telecommunications service provider to decrypt encrypted communication in limited circumstances. Section 21 of RICA states that an applicant may apply to a designated judge for the issuing of a decryption direction during, or at any stage after, the issuing of the interception direction. A ‘designated judge’ refers to any high court judge discharged from active service under Section 3(1) of the Judges’ Remuneration and Conditions of Employment Act No. 47 of 2001 or any retired judge who is designated by the Minister of Justice to perform the functions of a designated judge for the purposes of the act.
Under RICA, the government can require the telecommunications operator to decrypt communications data where the telecommunications operator has applied the encryption.
Section 16(1) of RICA provides that ‘An applicant may apply to a designated judge for the issuing of an interception direction…’.
Section 21(1) of RICA provides that ‘An applicant who:
a. makes an application referred to in Section 16 (1) may in his or her application also apply for the issuing of a decryption direction; or
b. made an application referred to in Section 16 (1) … may … apply to a designated judge for the issuing of a decryption direction….’.
Section 21(2) provides that ‘… an application referred to in subsection (1) must be in writing and must:
a. indicate the identity of the
ii. decryption key holder to whom the decryption direction must be addressed’.
A decryption key holder is defined as ‘any person who is in possession of a decryption key for purposes of subsequent decryption of encrypted information relating to indirect communications’.
Note that a decryption order can only be sought in certain circumstances – broadly they would be those set out earlier in this chapter where law enforcement assistance is required.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Where the telecommunications operator is not the decryption key holder, but has the technological ability to ‘unlock’ the communications data, then the government may make an application in terms of Section 21(2) of RICA which provides that:
‘(c)…, an application referred to in subsection (1) must be in writing and must specify the:
i. decryption key, if known, which must be disclosed; or
ii. decryption assistance which must be provided, and the form and manner in which it must be provided’.
Decryption assistance is defined in RICA as meaning to:
‘(a) allow access, to the extent possible, to encrypted information; or
(b) facilitate the putting of encrypted information into an intelligible form;…’.
Where the telecommunications operator is the decryption key holder, the government may follow the process in Section 21(1) of RICA, as discussed in the answer to Question 1 above.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
Yes, a telecommunications operator can offer end-to-end encryption software on its communication services, even if it is not able to decrypt the encrypted communication data.
Section 30 of RICA, as mentioned above in Question 2, imposes on a telecommunications operator only the obligation to provide a telecommunications service that is capable of interception, and interception does not impose an obligation to decrypt communications data.
In such a case, the holder of the decryption keys would be the customer and not the telecommunications operator. In terms of Section 29(1) of RICA, the government may, in the execution of the decryption direction, obtain assistance from the decryption key holder who is not a telecommunications service provider to decrypt communications data. Therefore, application for a decryption direction can be made in relation to the customer directly.
The answer would not differ if the question applied to the provision of ‘business as usual’ communication services (where the communication routes over the network as a data packet) or ‘over the top’ communication services (where the delivery of a communication is made via Internet Protocol (IP) over the network) by the telecommunications operator.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimates to be circa 1990) has been applied to contemporary cases involving encryption.
In South Africa, prior to the promulgation of RICA, interception of communications was governed by the Interception and Monitoring Prohibition Act 127 of 1992 (IMP Act). The IMP Act has been repealed by RICA.
The case law determined under, and which was reliant upon, the IMP Act cannot be used as a foundation for any judgment today as the enabling legislation has been repealed. In any event, many provisions of the IMP Act would be found to be unconstitutional post-1994 and therefore unlawful.