Comments regarding the Republic of South Africa Interception and Monitoring Bill
10 August 2001
UUNET (SA) (Proprietary) Limited ("UUNET SA"), welcomes this opportunity to comment on the Republic of South Africa’s Interception and Monitoring Bill ("Bill") recently published by the Ministry of Justice. UUNET SA is one of South Africa’s leading Internet Service Providers ("ISP"). UUNET SA is playing a key role in bringing Internet and other value-added services to the South African marketplace as well as to other African countries. Accordingly, UUNET SA supports the objectives of law enforcement in investigating and prosecuting individuals, who through directly attributable activities, infringe upon the rights of consumers and service providers. All stakeholders will be impacted negatively if computer-related crime continues at its current pace. However, as recognised in various international fora over the past year, a delicate balance must be struck among the interests of law enforcement, industry, consumer rights and fundamental human rights in addressing computer-related crime investigation, prosecution and prevention. These concerns are summarised by the following general points:
The state of existing technology is such that the required surveillance will not be substantially effective. Given the technical inability to packet-sniff transmitted data with full and complete reliability, even basic Internet communications could run afoul of the Bill’s requirement in Section 7(1) that "no service provider may provide any telecommunication service which does not have the capacity to be monitored."
Traditional interception capabilities employed today were developed to apply to the opening of letters and tapping of telephones. However, the Internet is a protocol stack, and interception must, to be successful, occur in different layers of the stack. This requires placing "sniffers" in certain areas of the network, processing the data for the correct target IP addresses and making it available to the appropriate law enforcement authority pursuant to court order. Packet delivery includes a mixture of communications services and transportation methods, and a solution facilitating the lawful interception of IP-traffic is both very different from anything experienced to date in the circuit-switched environment and often inefficient. Communications in packet streams will also frequently need de-encrypting to be monitored, adding significantly to the cost and complexity of what is already an inefficient proposition.
Further, there are substantial differences between the interception of stored e-mail and the interception of communications in raw data streams. If ISPs are expected to provide interception of e-mail a number of potential problems exist. Although interception of incoming e-mail that is stored and forwarded by an ISP is straightforward, senders can easily falsify return addresses and it is frequently impossible to prove who sent the e-mail. A customer may also, with little technical ability, send e-mail through a distant server located anywhere in the world. Further, customers also have the ability to operate their own mail services, and in this case, the service provider neither has access to the e-mail nor would it be reasonable for it to facilitate lawful interception.
Lack of Standards
To-date, nationally developed standards for interception of communications have not proven to be satisfactory in today’s global communications environment. In this regard, the European Technical Standards Institute ("ETSI") developed a standard in 1999 for the interception of traffic from network operators, telecom providers and access providers. This standard is being adopted in a number of countries around the world and provides a clear mechanism for intercepting circuit-switched communications.
By contrast, ETSI is also addressing packet-switched communications, but acceptance of a relevant standard is still an open issue. It is recommended that governments do not introduce any national standards for lawful interception as they are difficult to maintain, difficult to implement and are frequently not supported by manufacturers of the necessary equipment.
Cost Reimbursement Issues
Apart from the technical uncertainties associated with Internet surveillance, ISPs should not alone bear the cost of assisting law enforcement in combating computer-related crime. Presently, Section 7(2) of the Bill requires service providers to solely incur the costs associated with acquiring the facilities and devices to enable the monitoring of communications. Similarly, Section 6(4) denies that any remuneration would be applicable to the mandated purchase of monitoring facilities and devices.
Any proposed legislation should include provision for reimbursement of costs involved with data interception or other activities mandated by order of law enforcement. Similar language was employed in the European Union’s Mutual Legal Assistance ("MLA") Convention, requiring that member countries bear the costs that telecommunications operators incurred during the process of executing orders for interception pursuant to MLA Article 18. Article 21 of the MLA Convention provides:
Costs which are incurred by telecommunications operators or service providers in executing requests pursuant to Article 18 shall be borne by the requesting Member State.
Without a legislative mechanism for facilities and equipment reimbursement, the cost burden of complex search and seizure requirements could cause smaller ISPs to fold. However, this reality should not simply result in a means-tested assessment of costs to an ISP for information retrieval and storage orders. Apart from the direct costs attributable to compliance with an information retrieval demand, all ISPs would also incur the opportunity cost of having to divert resources and technical expertise from further development and improvement of services. This, in turn, would lead to both higher cost Internet services and decreased availability of innovative services to the public at large.
One country that has attempted to address the real-time interception of e-mail and data to users, similarly without implementing some form of facilities cost-reimbursement to ISPs, is the Netherlands. In the Netherlands, as with information retrieved pursuant to Bill, intercepted information has to be accompanied by call associated data such as IP addresses and timestamps, must be converted to a secure format, and then must be transferred to law enforcement. In the Netherlands, WorldCom has determined that, regardless of the company employed and equipment purchased, the cost will run into several hundred thousand US dollars. ISPs neither have the capability or time to build the equipment required, nor would the government likely approve of the opportunity cost to service provision for service providers to do so.
For instance, the Association of Netherlands Internet Providers ("NLIP") has stated, to come into possible compliance, it estimates that the total financial burden on the Dutch ISP market would be approximately Euro 30 million. This would mean that, in many cases, smaller ISPs will have to invest more in interception equipment than they would for ISP-functional hardware. According to the NLIP, 25% of Dutch ISPs cannot afford this burden and are facing a loss for many years to come.
UUNET SA recognises that some governments, such as the United Kingdom and the Netherlands, have introduced laws concerning lawful interception of ISP traffic. However we are unaware of any country that has been able to fully implement such lawful interception due to costs and unfeasibility concerns. Recognising this, on December 20, 2000, the French Constitutional Council concluded that it would be unconstitutional for telecom operators to directly bear the costs of interception (including both installation of equipment and the administrative cost to answer the requests of law enforcement agencies) as such interceptions contribute to maintain public security and the general welfare of the population.
Apart from pure cost issues, reimbursement would also serve to safeguard the privacy rights of individuals. If law enforcement agencies are held accountable for the costs of interception and investigation, it is likely that they will be deterred from abusing investigative requests (seeking over-inclusive requests or targeting individuals inappropriately). The protection of industry and fundamental human rights are uniquely linked in this instance. Such a safeguard will protect the fundamental rights of all South Africans.
The Bill provides in Section 9, in certain circumstances, that designated persons, including a police officer or a major general in the defence force, may request a service provider to supply call-related information about a customer. Such requests may be made without first applying to and obtaining authorisation from a High Court judge. It would be difficult for a service provider to rely on anything less than a court order when intercepting communications for law enforcement. Service providers have a stake in assisting law enforcement to keep the Internet a secure place to conduct business. However, without the pertinent detail and authority of a clear court order, the Bill would presently subject Internet users to surveillance of their communications based upon varying levels of substantiation, eroding South African consumer confidence in the Internet as an economic and social communications medium. In the European Union, this issue was addressed in Article 18 of the MLA, which specifically provides that any interception request shall include:
With the parameters of the MLA, as set forth above in the form of a court order, there will exist the added assurance that user rights have been appropriately safeguarded through due process restraints.
Further, apart from due process issues, without the pertinent detail and authority of a clear court order, service providers would expose themselves to potential liability for the results of such interception requests, whether legitimate or not. To this end, service providers and other private parties should also be exempted from liability to third parties when they have relied in good faith upon a legal order for assistance, such as for a search, interception, or seizure of data. Likewise, it will be important that the Bill include language, similar to that found in the EU’s E-Commerce Directive, to limit the liability of service providers with regard to acts over which they have no knowledge or control. It is foreseeable that lack of such language would drive many smaller companies out of the market, to the detriment of all e-commerce stakeholders.
Finally, there are two particular definitional issues in the Bill that should be addressed. First, in several sections of the Bill, it is stated that "where there are reasonable grounds to suspect that a serious offense has or will be committed or that national security or other ‘compelling national interest is threatened,’" a justice of the High Court may direct an interception or monitoring order. "Compelling national interest" has not been defined in the Bill. Its inclusion without definition significantly broadens the potential grounds upon which the government could be authorised to intercept and/or monitor private communications, and this should be addressed to safeguard individual rights. This open-ended definition is particularly problematic when juxtaposed with a constitutionally entrenched freedom of expression.
Second, among the Section 1 definitions, it is stated that "customer" is "any person or any body …" which has entered into a contract with a service provider. This correlation between "customer" and necessary "contract" is again referenced in Section 11(3)(a) of the Bill. The number, quality and length of the service provided will at times necessitate such type of business relationship. However there are circumstances under which the provision of services will be made to a customer without the need for a formal contract. The "customer" definition and its further reference in the Bill should be amended to reflect this reality of doing business in a global and fast-paced technological environment.
UUNet SA appreciates your consideration of our comments and looks forward to participating in a constructive dialogue in conjunction with this Bill. We welcome the opportunity to continue a longstanding co-operation with law enforcement. The information society has given criminals new technical means to use in the commission of crimes, in addition to the vast economic and social benefits being reaped by honest users. In course, the development of this society also provides law enforcement and prosecutors with dramatically expanded tools to be used in the prosecution of both on- and off-line crime.
This Bill should include provision for reimbursement of costs involved with data interception as the cost burden of complex search and seizure requirements could cause smaller ISPs to fold. The costs are particularly onerous when considering the South African government’s recent request that ISPs cut the cost of service provision to public schools by 50% to foster increased use of the Internet. In this regard, the conflicting demands made by government of ISPs, while attempting to address legitimate socio-economic goals, may be decreasing the economic viability of developing services.
While networks may eventually be designed so that lawful interception capability can be certain and largely successful, the industry can only presently make a best effort. As presently drafted, the Bill denies the technical abilities of ISPs in dictating that a "best effort" simply would not be enough. For each Network Operator, Access Provider and Service Provider, legislators should seek to determine and then define what is technically possible and sensible to provide for lawful interception.
Nevertheless, UUNet SA recognises that, in certain specific circumstances and with legally recognised due process constraints, there may be justification for the interception of communication. In circumstances where UUNet SA is required by law to intercept a communication, there should be no additional liability imposed on UUNet SA for carrying out such requirement. The Draft Bill in its current form imposes substantial risk on the Service Provider Industry as a whole, not only insofar as the cost of satisfying requirements are concerned, but also extended liability through potential inappropriate or abusive exertion of the rights and powers conferred upon the authorities by this legislation.
The interests of law enforcement in investigating and prosecuting crime are deeply shared by UUNet SA. Put very simply, crime is bad for business. However, the impact on ISPs should be given great weight in developing any surveillance obligations, and UUNet SA welcomes the opportunity to comment on this Bill.
UUNET SOUTH AFRICA'S SUGGESTED AMENDMENTS TO THE DRAFTING OF THE INTERCEPTION AND MONITORING BILL OF 2001 [B20011]
Section 1 : Definitions
DELETE reference to "and any retired judge"
"monitoring device" :
INSERT "view" as follows: "… to listen to, view or record any communication…"
"serious offence" :
INSERT at paragraph (a) after reference to the Criminal Procedure Act, 177 (Act No. 51 of 1977) : "provided that the offence has not been declared inconsistent with the Constitution of the Republic of South Africa, 1996 (Act No. 108 of 1996) or is likely to be so declared by any court of competent jurisdiction and provided further that-…"
DELETE entire sub-paragraph (a)(iii) beginning: "that offence may cause harm to the economy or other compelling national interest of the Republic"
DELETE the word "national" at sub-paragraph (g) and REPLACE with the word "defence" to read as follows:
"any offence threatening the security or other compelling defence interests of the Republic"
new definitions :
There may be a need to define the meaning of "intercept" so as to cover the act of interception, including any further retransmission of any intercepted communication.
If the suggestions below regarding the role of ICASA are accepted, it may be useful to define "the Authority" as the Independent Communications Authority of South Africa, established by section 3 of the Independent Communications Authority of South Africa Act, 2000 (Act No. 13 of 200).
Section 2 : Interception and Monitoring
INSERT at sub-section (1)(a) the words "or receiver" and AMEND sub-section (1)(a) to read as follows
"intentionally and without the knowledge and permission of the dispatcher or receiver..."
DELETE at sub-section (1)(b) the word "confidential" and REPLACE with "any", to read as follows:
"…so as to gather any information…"
Section 3: Application for direction
INSERT after reference to "full particulars" in sub-section (2) : "in accordance with any directives regarding the manner and procedure of applications issued by the Judges-President of the High Court in terms of section 12 of [the Act]"
DELETE at sub-section (6) "may disclose information that may contribute to the perpetration of a serious offence" and REPLACE with:
"is reasonably necessary, having regard to all the relevant facts and circumstances of the investigation, to prevent the perpetration of a serious offence and cannot be obtained by any other appropriate means."
Section 4: Issue of direction
At sub-section 2(b) DELETE all references to "compelling national interests" and REPLACE with "compelling national defence interests" throughout and after reference to "threatened" REPLACE "or" with "and" to read as follows:
"…compelling national defence interests of the Republic and that the gathering of information concerning …"
Section 5: Execution of directions
DELETE reference to "or any other person" throughout this section.
DELETE all references to "compelling national interests" and REPLACE with "compelling national defence interests" throughout this section.
INSERT at the end of sub-section (4): "provided that, wherever possible, reasonable notice shall be given to the [designated liaison officer referred to in section 14 of this Act or] owner, or failing which, the person in possession of the relevant property,…"
Section 6 : Assistance at execution of direction by service providers
DELETE reference to "or any other person" throughout this section.
DELETE at sub-section 1(b) the reference to "the necessary facilities and devices and " and REPLACE with "make available any assistance, facilities and devices reasonably necessary to enable the member..."
New section to be inserted in order to ensure that the provisions in section 6 regarding remuneration and compensation are applied mutatis mutandis to the actual capital costs, including investment, technical and maintenance costs, incurred by service providers in establishing monitoring devices and any other facilities or equipment installed by service provides pursuant to this [Act], which facilities or equipment would not have been installed but for the provisions of this [Act].
Section 7: Prohibition on services (sample amendments)
INSERT at beginning of sub-section (1): "Unless specifically exempted by the Independent Communication Authority of South Africa, in consultation with the Minister of Justice, and [n]otwithstanding any other law…"
DELETE sub-sections (2) and (3) in their entirety and REPLACE with the following:
"Any costs of whatever nature incurred by a service provider in complying with a directive referred to in sub-section [(4)] of this section, including any capital investment, technical, maintenance and service costs, shall be paid for by the state, subject compensation procedure set out in section [__] of this Act."
DELETE at subsection (4) reference to "the Minister of Communications" and replace with "the Independent Communications Authority of South Africa, in concurrence with the Minister of Communications,"
Section 9 : Call-related information
The provisions of sections 3, 4 and 12 should be made to apply mutatis mutandis to call-related information as defined. Alternatively, in respect of circuit switched or other forms of facsimile or voice communications (but specifically excluding packet switched Internet communications) there should be provision for judicial certification of a decision made by any officer, member or official referred to sub-section (1) of this section, in respect of any written request to a service provider to provide any call-related information. See for example, the so-called "Pen Register Statutes" in the United States of America.
Further, there should be express provision for duration and time periods, and the time period limitations implied in the provisions dealing with supplementary judicial directions in section 10(1)(a) of the Bill (see reference to the "specified durations"), should be applied mutatis mutandis in respect of call-related information directives.
Section 12 : Directions regarding applications
DELETE the word "may" in subsection (1) and REPLACE with the words "shall, within three months of commencement of this Act,"
Section 13: Use of information in criminal proceedings
The provisions of sections 153 and 154 of the Criminal Procedure Act 1977 (Act No. 51 of 1977) should be amended to insert new sub-sections providing for in camera hearings and the prohibition of publication of certain information relating to criminal proceedings to cater for information provided by service providers and where necessary to protect the identity of service provider employees and the nature of any facilities, devices and equipment employed by service providers in the fulfilment of their statutory obligations under this Act.
Section 14: Secrecy
INSERT a new sub-section (3) as follows:
"Every service provider shall designate a special liaison officer, including an alternate special liaison officer, for the purposes of ensuring compliance with the provisions of this Act, whose full name, particulars and contact details shall be filed and recorded in a register to be established for this purpose at the Independent Communication Authority of South Africa, and which shall be updated to reflect any changes from time to time: provided that in respect of any service provider having less than 25 employees, the chief executive officer of such service provider shall be registered as the special liaison officer."
A special indemnity provision for service providers should be inserted in this Act so that service providers are properly indemnified by the state for any costs, losses, claims or other liabilities arising out of the good faith execution of any of their statutory obligations pursuant to this law. The indemnity must cover both third party civil claims, claims from the state itself and any form of criminal liability, where the service providers, there employees or agents act in good faith pursuant to their obligation under this Act.
Section 16: Revoking of licence to provide telecommunication service
DELETE reference to "the Minister of Communications" and REPLACE with "the Independent Communications Authority of South Africa"
INSERT at the end of this section: "subject to due investigation and adjudication in terms of the procedure provided for in section 100 of that Act."
Section 17: Amendment of section 205, … and sections 153 and 154 of Act 51 of 1977
Insert a new section to amend sections 153 and 154 of the Criminal Procedure Act, 1977, in order to expressly provide for magisterial and judicial discretion to protect during the course of criminal proceedings the identity of any service provider witness testifying, and evidence relating to the nature of any telecommunication systems, facilities, devices and related equipment used by service providers, in compliance with their obligations under this Act.