On 13 August 2001, bridges.org submitted the following comments on the proposed South African "Interception and Monitoring" bill:  

13 August 2001

Ms. C. Herzenberg
The Secretary to Parliament
P.O. Box 15
Cape Town
8000

Dear Advocate de Lange

Bridges.org Analysis and Commentary: Interception and Monitoring Bill

Bridges.org would like to take the opportunity afforded by the Portfolio Committee on Justice and Constitutional Development to provide written comments on the Interception and Monitoring Bill, tabled before Parliament on 18 July 2001.

Bridges.org: Who we are and why we care

Bridges.org is an international non-profit organization based in South Africa which holds that, if properly used, information and communications technology (ICT) offers huge potential to people in developing countries. ICT has the potential to empower people to overcome development obstacles, to address the most important social problems they face and to strengthen communities, democratic institutions, a free press and local economies.  Our mission is twofold: one, tackling the obstacles to ICT use at the grassroots level by helping people understand the technology and its utility, and two, working at the policy level to promote laws and policies that foster technology use.

We recognise that the South African Government needs to support the growth of the ICT industry, while concurrently protecting the rights of its citizens and guarding against crime, corruption and other threats to the well-being of the state.  We are particularly interested in the impact that this Bill will have on citizens' Constitutional rights to privacy as well as the impact on Internet service providers.

Our understanding of the current status of interception and monitoring of communications within South Africa

Our analysis and commentary, which follow, are based on our understanding of the current telecommunications policy-making environment as described below.

The Interception and Monitoring Bill, currently under consideration by the Portfolio Committee on Justice and Constitutional Development, has come about as a result of a democratic process begun over three years ago, including:

• In 1992, the Government of South Africa passed into law the Interception and Monitoring Prohibition Act No. 127 of 1992. This Act prohibited the interception and monitoring of communications without the order of a judge. It focused primarily on telephone communications, but also provides for the interception of monitoring of postal communications.
• The South African Law Commission then initiated a project in 1998 to review the existing law on the monitoring and interception of communication, from which recommendations for its reform were made (Discussion Paper 78, Project 105, November 1998).
• The current draft legislation was issued on 18 July 2001 and made available for public comments until 13 August 2001.  The Bill is slightly amended from the South African Law Commission's previous recommendations and seeks to update various definitions so that they allow the regulation of "all communications medium" including those not covered in the 1992 legislation.

The Bill currently under consideration, differs from the previous legislation in the following key respects:

• The Bill will extend the ambit of the principal Act, particularly with respect to Internet and cellular networks and communications.
• It further provides that no service provider shall provide any telecommunication service which does not have the capacity to be monitored. The service provider is responsible for decrypting any communication encrypted by a customer whose facility for encryption was provided by the service provider.
• Service providers must acquire the necessary facilities and devices to enable the monitoring of communications in terms of the Bill. The costs incurred in acquiring such equipment, the technical maintenance thereof and the continued operating costs are to be borne by the communication service provider.
• The revised Act will further strengthen the powers of law enforcement agencies with respect to combating serious crime.
• The Government will at its own cost be required to establish call-monitoring centres to enable access to communications as provided for under the Act.

The Bill therefore aims to regulate the authorized monitoring and interception of communications. It further aims to provide for the interception of postal articles and communications and for the monitoring of communications in the case of a serious offence or if national security (or other compelling national interests) are threatened. It will further prohibit the provision of telecommunication services that do not have the capacity to be monitored.

Bridges.org analysis and commentary

Bridges.org support this initiative by the Government of South Africa.  However, bridges.org believes that the following issues require further consideration and recommends that they be covered with greater clarity in the final legislation.

1. The processes required to ensure evidential integrity of intercepted information should be clearly stated.  As we understand it, the entire content of the intercepted message has to be made available to the defence if an intercepted communication is to be used as evidence in a court of law. We recommend that the systems and procedures that will be in place to ensure the integrity of the information and prevent evidential tampering be clarified. Best practices in this regard include the continual digital time-stamping of the intercepted communication.
   
   
2. Vetting procedures for staff at communication service providers and monitoring centres should be clearly stated. Technical and other staff within the service providers and the monitoring centres have access to highly sensitive information and are vulnerable to approaches by criminals and others wanting to know whether communications are being monitored and/or wanting access to the content of monitored communications.  Staff who have access to intercept-related information should undergo a vetting procedure.
   
   
3. Further consideration should be given to the requirement that service providers cover the costs incurred in allowing for the surveillance of their communication services. Significant costs can be incurred by service providers in acquiring the necessary equipment for interception, providing technical maintenance thereof and supporting the continued operating costs. This has been a contentious issue in other countries that have dealt with the same issues and is not easily resolved. 
   

   One approach is to make the service provider responsible for the monitoring of information on its communication networks, including covering the costs.  Some argue that this brings exorbitant and unfair expenses to the Internet and telecommunications industries, and at a time when the international economy is undergoing a down-turn in these sectors. The Netherlands offers an example to illustrate the point.  The Netherlands Telecommunications Act placed the responsibility for the cost of acquiring and maintaining interception technologies on the service providers.  In February 2001, up to a third of Dutch Internet Service Providers (ISPs) are facing bankruptcy due to the high costs of mandatory Internet traffic interception[1] and due to the technical difficulties and the high costs involved, ISPs were unable to make their systems interceptable by the deadline date of 15 April 2001.
   
   Others argue that the current software utilised by many of the larger service providers already has the routing capabilities required for interception. Smaller service providers would incur costs, but there are appropriate solutions to help them defray the expense.  For example, British legislation holds that the Government will cover "reasonable costs" incurred by the smaller ISPs in ensuring that their services are brought in line with the legislation[2]. 
   
   We are sensitive to whether the proposed Bill will place onerous demands on smaller ISPs and that the growth of the industry will be affected at a time when access to communication services needs to be actively expanded. The demise of smaller service providers can have a detrimental effect on the overall economy and the integration of ICTs into society, especially within a developing country context.

4. An individual's right to privacy must be clearly stated, as must the exceptions under which the draft Bill will apply.  Section 14(d) of the Constitution outlines the right to privacy, including the right to be free from intrusions and interference by the state and individuals, and explicitly states the right to "the privacy of communications."  The existing legislation provides for the limitation of this right in certain circumstances, and there is an existing body of case law on the issue of privacy rights and surveillance.  The courts have dealt with this issue depending on the facts of the case, i.e. whether it was an intrusion of the right between private parties, or whether the intrusion was between the state and an individual. The critical issue is whether the alleged monitoring of communications constitutes a breach of the right to privacy, and whether or not the manner in which the evidence was obtained would affect its admissibility.
   

   The Bill should make it explicitly clear that individuals' rights to privacy will be respected, and will only be infringed under specific and compelling circumstances which are clearly stated in advance.

5. A clear definition of "national security" should be included in the legislation.  Without a definition of what constitutes a threat to "national security" within the Bill, it is open to interpretation by applicants for interception warrants.  Including a clear definition will minimize the potential for abuse and ensure a universal threshold for obtaining a warrant.  
   
   
6. Service providers should be required to publish a "privacy policy".  The Bill requires that telecommunications and Internet access companies positively identify and keep proper records (including identities and addresses) of all clients to whom a telecommunication services is provided. This information will further be made available to the relevant law enforcement officials, when required. Criminal sanctions will apply for failing to comply with the provisions of the proposed Act.  There will need to be a strict adherence to procedure when dealing with the detailed personal information held by telecommunication and Internet access companies, in order to avoid claims of privacy infringement by the customers.  No service provider should make information of this nature available without having the necessary documentation and applications presented by law enforcement officials.
   

   We support the view that service providers develop "privacy policies" that clearly state to their customers under what conditions their informational privacy rights will be violated (i.e. in the case of criminal investigation or matters of a like nature), providing that the necessary documentation and procedures are complied with. Under such circumstances where an individual intercepts or monitors a communication in accordance with a directive issued under the Act, he/she is not guilty of an offence and should be indemnified from any action undertaken by a customer against it.
   

7. There should be oversight of procedures for handling intercepted material.  Section 8(3) of the Bill states that "Duplicate signals of communications authorized to be monitored on terms of this Act, must be routed by the service provider concerned to the designated central monitoring centre concerned". Systems and procedures need to be specified to ensure that the service providers carry out this task thoroughly to ensure that all communications of the suspect are intercepted, while also ensuring that communications of other users are not intercepted.
   
   
8. Procedures for dealing with encryption and decryption should be clearly stated.  It is unclear whether service providers will be required to provide decryption keys, and the mechanisms for redress in cases where such keys fall into the wrong hands or get abused.  These matters should be clarified.  For example, the UK Government allows for the provision of hard-copy data instead of encryption keys in certain circumstances.  Furthermore, in the UK the recipients of the decryption keys are legally liable for their safe-keeping.
   
   
9. Consideration should be given to establishing a national interception standard.  A standard would make it easier (and possibly cheaper) for service providers to select interception technology. The Bill does not cover any provisions for whether or how a standard would be selected.  Again, there are many examples of countries that have developed a standard (e.g. the European Union). We believe it would be better to consult rather than to impose a decision on stakeholders regarding the interception protocol to be used; in particular it should not slow down information originating from high-speed services (such as broadband switching and transmission technologies, digital subscriber lines, etc).
   
   
10. An  independent commission should be established to oversee all monitoring and interception activities.  An independent commission has been established in many nations that have implemented surveillance laws, such as Australia, New Zealand and Britain. The commission ensures that only the communications of the suspect are intercepted and sent through to the monitoring centres, and that communications of a suspected party are methodically intercepted and time-stamped to ensure evidential integrity.  The commission undertakes a full and public reporting process; the report can be presented in such a way as to not compromise the information. 
    

    The need for such a commission is especially critical in a developing country context where people have concerns about trusting government. It will also curb the potential for abuse within the communication monitoring centres, and ensure that accidental interceptions of unwarranted communications are reported and minimised.