Advisory 14: ISPA Member Update on RICA
Release date: 13 October, 2006
Author: Mike Silber
Disclaimer: This advisory is produced for informational purposes only to familiarize ISPA members with the main provisions of legal implications. It is not a complete analysis of the relevant law or its implications and in no way should be interpreted as legal advice offered by ISPA. ISPA, its members, and its advisors cannot be held liable for any reliance by readers on this document, its accuracy or interpretation of the law.
Regulation of Interception and Provision of Communication-related Information Act, Act 70 of 2002
For those who do not read long documents:
- workshop with Office for Interception Centres (OIC) on technical implementation issues occurred in September 2006 and the OIC appears far more practical and pragmatic than we expected;
- proposed amendments to the ISP Directives reinstate the requirement to retain and hand over communication-related information and make the implementation date subject to agreement between ISPs and OIC;
- informal acknowledgement that some or all requests for exemption from compliance with the ISP Directives will be granted, however additional information may be required from members;
- customer registration requirements remain a concern; and
- ISPs need to consider the listed equipment, which according to RICA may not be bought or even be in your possession.
Resources in respect of all of these issues are in the members section of the ISPA web site.
Now for the long version:
Workshop with Office for Interception Centres (OIC)
ISPA finally held a meeting with the OIC in September 2006 (having been promised such a meeting since May 2006).
At the OIC's request, this meeting was reserved for first tier ISPs. ISPA attended on behalf of ISPs that do not fall within this category, and also invited the large ISPA members (seeing as we do not have a clear definition of first tier in South Africa), as well as Telkom and iBurst.
Some of the outcomes of the meeting:
- OIC is ready to roll out with ISPs, busy with phase 1 (target end Sept).
- Entire roll-out to be complete by the end of the year.
- Blanket exemption is going to be granted to all ISPs on a temporary basis by the Department of Justice. Problems in categorization/classification of ISPs. No clear criteria; the intention is to handle applications on a case-by-case basis.
- EC Act changes the field, since different service licences are going to be issued. Challenge for the OIC to determine who to issue directives to.
- Tariffs: OIC has discussed tariffs with the DoJ; R300-R500 depending on the intercept. Going to be published for comment. Telkom: No ISP tariffs have been discussed with Telkom. ISPA has given some input to DoJ, but no feedback has been forthcoming other than an acknowledgement of ISPA's input.
- Lack of clarity on data storage issues: OIC acknowledged that IP intercept is more difficult than fixed line or GSM. Envisage roll-out in phases. First phase is live intercept. Live intercept will most likely deal with 99% of cases the LEAs are interested in. Archival of data is less useful, hence the directives are deliberately unclear; the intention is to place no obligations on ISPs unless necessary. It is felt that archiving of data will most likely be unnecessary.
- ISP Assistance Fund: ISP fund has not been set up yet.
Major challenge: What is considered a small ISP? Some are members of ISPA, some registered with ICASA. OIC has begun to engage the DoC and DoJ on how to classify/categorise ISPs. This is an ongoing process. The intention is that big ISPs should do interception at their own cost. Small ISPs pay into the fund and the fund will be used to purchase probes. OIC would control these probes. More may be needed if requests increase. Deployment of the probes will be the responsibility of the OIC.
Amendments to ISP Directives
The Department of Communications has proposed various amendments to the ISP Directives (as well as the fixed line and mobile cellular directives). These have not been Gazetted as yet and ISPA has submitted a response to the draft.
The two key changes are:
- The introduction of the concept of roll-out happening in accordance with a phased implementation plan to be agreed upon by ISPs in consultation with the OIC.
We can only assume that this provision has been inserted to try to deal with the many concerns ISPA has raised on behalf of its members regarding implementation of the ISP Directives. It does not change the 28 May 2006 compliance date, but at least gives some room for flexibility. ISPA has welcomed this approach and has even gone so far as to prepare a draft MoU dealing with the phased implementation plan and provide it to the DoC.
- The reintroduction of the obligation to store, provide and route archived communication-related information (CRI). This requirement existed in previous versions of the ISP Directives and was dropped when the technical complexity of defining archived CRI was realised and when the DoC found out that standards for the hand-over of certain forms of CRI do not yet exist (ETSI started working on them in May 2006).
The proposed amendments do not define the CRI that must be retained, and ISPA has argued that this should be restricted to AAA logs ONLY (usually RADIUS logs).
See the members section of the ISPA web site for the full text of the proposed amendment and the ISPA submission.
Exemption Application
ISPA submitted an application for exemption from the obligations of the ISP Directives, in terms of Section 46(1) of RICA, to the Minister of Justice, on behalf of 81 of its members. This is an unprecedented response from members and clearly indicates the concerns members have regarding implementation of the Directives. Thank you all!
ISPA also requested an undertaking from the Minister of Justice not to prosecute members who were not compliant at 28 May 2006.
To date ISPA has not even received an acknowledgement of receipt from the Minister's office. However, unofficial communication with officials in the Department of Justice has indicated that our application is being considered and that some or all members who applied will be granted the exemption. The Department of Justice seems unsure exactly how to deal with these applications and will focus on the question of size (Section 46(2)(a) indicates that an exemption may be granted where the ISP concerned carries on such a small business that he or she cannot comply with section 30(4)). This means the Department of Justice will need to determine criteria for assessing what is meant by "such a small business", as ISPA has been asking for several years.
Customer Registration
Customer registration remains an issue of concern for ISPA. At present all attention is focussed on customer registration by the mobile cellular operators under Section 40 of RICA. The customer registration obligations of ISPs and the fixed line operator under Section 39 remain unchanged.
These obligations relate to the registration of customers BEFORE entering into a contract to provide a service. This creates a grey area around existing customers. One view is that existing customers need not be registered and only customers with whom contracts were entered into on 30 September 2005 and thereafter need to be registered. The other view is that both new and existing customers need to be registered. The second option seems the better legal interpretation, though obviously the more costly and inconvenient one for ISPs.
The chief concern is that a similar grey area existed in Section 40 (which relates to customer registration by the mobile cellular operators); however, an amendment to Section 40 is being pushed through Parliament which requires mobile cellular operators to register all new and existing customers and cut off those who do not register. It also seeks to impose a daily fine of up to R100 000 on a service provider who does not register users. There is a risk that Section 39 will be the next to be brought under scrutiny.
Please note, we have set out the obligations of ISPs under Section 39 below. We are aware that these obligations are impractical, costly and will have a severe negative impact on both ISPs specifically and Internet access in South Africa generally. ISPA has written to the Deputy President and the Minister and Deputy Minister of Communications in this regard, and is actively lobbying for a change to Section 39. Add to this the fact that the definition of ISP in RICA is badly broken, and this Section becomes a severe danger to Internet access in South Africa. Summarising ISP obligations under Section 39 is in no way an endorsement of such obligations.
Disclaimers done, we wish to remind you of your obligations under Section 39:
- Collect information from customers, specifically:
  - Individuals:
    - name, identity number, residential and postal or business address;
    - certified copy of identity document where name, photograph and identity number appear;
    - retain the photocopy;
    - verify the photo, full names and identity number against the identity document (so no faxes).
  - Juristic person (Companies, CCs, Trusts etc):
    - name, identity number, residential and postal or business address of representative;
    - name of juristic person, business address and registration number (if registered);
    - certified copy of identity document of representative, where name, photograph and identity number appear;
    - certified photocopy of the business letterhead;
    - retain the two photocopies referred to above;
    - verify the photo, full names and identity number of the representative against the identity document (so no faxes);
    - verify the juristic person's name and registration number against the business letterhead.
- Retain the information.
- Furnish such information when a directive from a judge is received.
This implies a face-to-face verification process performed in person. The reference to certified photocopies is archaic and just impractical, given that certification of electronic data is still not possible in terms of the ECT Act.
Good luck!
Listed Equipment
The Department of Justice has published a list of equipment that may not be manufactured, bought, sold or even possessed for the purposes of performing an unlawful interception. This list includes:
- Any instrument, device or equipment which is capable of being used to access, record, monitor or retrieve communications from a computer, without the permission of the author of the communication, including but not limited to:
  - keystroke recorders; and
  - software that can be installed on a computer and which has the ability to retrieve and/or store information so as to make it available to another person without the consent of the author of the communication.
- Any instrument, device or equipment which is capable of being used to record, monitor or listen to a communication, including but not limited to:
  - telephone wiretaps;
  - long range electronic audio amplified microphones;
  - miniature laser audio transmitters;
  - miniature radio frequency audio transmitters;
  - cellular phone intercepting devices; and
  - miniature sound recording devices.
- Any instrument, device or equipment which is capable of being used to visually record, monitor or observe a communication, including but not limited to:
  - miniature video cameras;
  - miniature cameras; and
  - night vision apparatus.
- Any instrument, device or equipment which is capable of being used to determine or monitor the geographical location of a person, vehicle or object.
Fortunately ISPs (as telecommunications service providers) are largely excluded from the operation of this list of equipment, as any instrument, device or equipment or any component thereof:
- which is furnished to a customer by a telecommunication service provider in the ordinary course of his or her business and which is used by the customer in the ordinary course of his or her business;
- which is furnished by [should read "to"] such customer for connection to the facilities of such telecommunication service provider and which is used in the ordinary course of his or her business; or
- which is used by a telecommunication service provider in the ordinary course of his or her business,
is not regarded as part of such listed equipment.