SA Government's Crypto Registration Up And Running
orange writes "Anyone who supplies crypto products to South Africans (and the government defines crypto as almost anything) has to register with the appropriate agency and pay a ZAR2000 fee (US$200). Failure to supply South Africans without being registered means potential jail time (How they're gonna get you unless you come to South Africa is another story). A copy of the legislation can be found online."
There are these things called 'extradition treaties'. I have no idea what the nature of one (if any) between {US|CA|UK|DE|etc.} and SA is, but it might exist.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Let's get a collection to send Theo to South Africa on vacation!
I just double-checked my logs and it looks like I'll be canceling my winter vacation. Jailtime doesn't appeal to me.
HURD - Hurd's Under Research & Development
Of course, if you don't supply them with the key, how are they going to prove it's YOUR product that did the encryption in the first place?
Failure to supply South Africans without being registered means potential jail time
OK, I fully expect to fail to supply South Africans with any kind of crypto technology. I also don't expect to be registered. And you're saying I'll go to jail for this? That's crazy!
--
Will I be Boered?
I have no special gift, I am only passionately curious. --Albert Einstein
Rule #1 of slashdot etiquette
If you begin to get hammered, point your cname to someone else's machine.
And do it FAST!
HURD - Hurd's Under Research & Development
Yeah, because $200 is going to really break the MPAA and RIAA.
Even if it were $200 per title, they would still make it up by selling 20 or so discs. I strongly doubt it's going to be interpreted as $200 per individual copy of a disc.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Uhm. Yo. It's South Africa, not South America.
Failure to supply South Africans without being registered means potential jail time
I don't think that sentence means what the poster intended it to mean.
Ian Peters
itp at ximian dot com
The obvious intent of all this is to make people pay the registration fee for every browser they may have on any machine. Otherwise, if you even accidentally download an encrypted page, i.e., you make a credit-card purchase over the web, you are risking a jail term.
Of course, the obvious thing is for vendors to supply Windows machines that don't have any encryption installed, so that the vendors don't have to pay the registration fee for every sale. This is likely to lead to a situation where credit-card orders are sent unencrypted. The SA spammers will love this.
People keep talking like encryption is some military or law-enforcement topic. But the main use of encryption these days is to prevent the interception of commercial information. The fact that restrictions on encryption will make financial data easily available is not necessarily accidental. The goal could very easily be a desire on the part of the government to have easy access to everyone's financial transactions. Such information has a lot of political uses.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Hrmm... I knew investing in those slave-trade stocks was safer than investing in .bombs. This only reinforces that belief.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
given the strained relations SA had with the US/UN/world at large (killing your majority black citizens with police raids has the habit of turning people against ya...) - I highly doubt any extradition treaty exists...
besides, if there were, we'd just extradite all lawbreakers instead of waiting for them to come to the US (like Dimitry) -
dumbasses...taking a page from the early 90's again.
RB
----------
ah honey, we're all resplendent - Bill Mallonee
Registration form.
I think I'll register my Wheaties Secret Code ring..
So long, and thanks for all the Phish
JOHANNERGURG (Rueters) - Bazooka Joe was arrested and being held without bail for possession of decoder rings with intent to encrypt.
__ Someday, but not this morning, I'll finally learn to use the preview button.
More over-zealous governments that think cryptography is the tool of the devil... that's exactly what the world needs right now. Isn't Crypto export tough enough already? (from the U.S. that is)
What exactly constitutes 'supplying'..
For example, would hosting a program on a website accessible to someone in South Africa count as supplying? What if someone in South Africa hacks into an ftp and downloads the program?
This is excellent news! Here's another country imposing its laws upon the whole Internet. And personally I can't think of a good way to stop them. :-( Or maybe we could just gather email addresses of those responsible and post them on /. ?
I personally feel that countries extending their jurisdiction over the Internet should be violating some kind of international treaty. After all, SA is restricting the freedom of all people here, not just their own. Perhaps we could convince G.W.O[fficeholder] to fight netwide oppression instead of perceived terrorism?
Please correct me if I got my facts wrong.
I've added some nifty features to ROT13 and don't want to end up in a South African jail...
Trolling is a art,
Who else feels like sending some crypto to postmaster@aspa.co.za?
Anyone who supplies my house with information owes me $1000/byte.
... is the additional requirement to register all "critical databases":
"The protection of sensitive data is essential for a functioning of a modern society. As stated in the Electronic Communications and Transaction Act, the information that is of importance to the protection of the national security of the country or the economic and social well-being will be declared as critical. All critical databases will be identified and registered with the Department of Communications which includes the details of the database administrator, the location of the database and the general description of the categories or types of information stored in the critical database. The registered information will be treated as confidential. The protection, management and control of critical databases must comply with the minimum standards that might be prescribed by the Minister. The audit will be performed, from time to time either by Cyber Inspectors or an independent auditor to evaluate the compliance."
Given such vague standards for "critical" almost *any* commercial database could be deemed "of importance to the protection of the national security of the country or the economic and social well-being." Amazon.com's database contains names and addresses of persons purchasing "how-to" books on terrorism and building bombs? It's critical! A Pr0n site has kept track of all visitors? Some of them *might* be criminals and dangerous to "social well-being."
Yes, there's also issues with persons living in SA downloading crypto software from foreign companies that haven't registered (are they liable or not?), but most of that is easily bypassed. Just have a visitor bring the "protected" code in on a floppy and distribute it internally.
The database restrictions have much more serious implications...
the south african government:
People fear that which they don't understand.
Sent from your iPad.
that a foreign government can't get you if they really want to.
I'd advise everyone to do a little reading on a man called Gerhard Lauck.
He was/is an avowed neo-nazi who published material relating to his distasteful belief system in the United States (where it is of course perfectly legal, if considered bad form). He exported some of this material to Germany, where it is considered a serious crime.
Obviously the U.S. wouldn't extradite him, because freedom of the press is so important, but unfortunately for him while travelling in another country he was picked up by German authorities and pretty much smuggled across the border to Germany, where he spent several years in prison.
One of the signs an economy is in free-fall.
The Raven
When you think of all the people that say "What do you need to encrypt stuff for, if you aren't doing anything wrong" and the best thing you can come up with is "Do you send everyone postcards?", think of this.
One of the main reasons the entire world should be involved in strong, government free crypto is for nations that systematically deprive their citizens of basic human rights. And I am not talking about your right to fly without being frisked.
South Africa has long been known for its obscene treatment of people, and it hasn't gotten any better since Mandela took over. If anything it has gotten worse.
People need to be able to send out cries for help without those cries bringing down even more heat. Human rights workers are probably the most legitimate users of crypto, but until everyone uses crypto to send love notes, grocery lists, and the like, these messages and the people that send them, will stick out like sore thumbs.
1. The SA gov't is trying to create an embargo on the importation of crypto in order to spur domestic development of crypto. Unlikely, the fees apply to local stuff as well. And foreigners are better able to pay them.
The SA gov't believes that if they know who is distributing and receiving crypto, it will make things easier for them to track and quash any political uprising that may come as a result of a particular group having the ability to communicate securely. Also unlikely, they could use very rudimentary, but nonetheless worthwhile, crypto that came with their computers (i.e. ssh/sftp, ssl, etc.) This would be innocuous, because lots of people use ssl and the like.
It seems more likely that the government is just paranoid and technologically illiterate. You would expect more of them, but the US government did (and is still doing, see my sig) similarly silly stuff, and SA does not exactly have a track record for having an enlightened government.
I hereby place the above post in the public domain.
so that certain people in that part of the world don't find out about the redirection of all the surplus government cheese...
?!?!
.. this doesn't sound like a per-seat deal, just a registration of the fact that you are selling a crypto product in SA.
WHAT?!
Anyone who supplies SA's with an encryption product
Can you prove to me that this is a per-seat tariff, or just an attempt at monitoring what crypto technologies have been imported into the country, let me know.
Until then, to suggest that they want to eliminate crypto via this registration fee makes me ask: Why don't they just ban crypto altogether then?
"Old man yells at systemd"
i love that this was posted "by Anonymous Coward". It underscores everything that is wrong with that post.
-Malakai
A Dragon Lives in my Garage
Why must everything be framed in terms of commerce and profit? Where does this leave a free OpenSSL mirror (not selling anything)?
-fb Everything not expressly forbidden is now mandatory.
"Yeah, because $200 is going to really break the MPAA and RIAA."
Yes, but, the idea of laws is that they carry enough force to dissuade people from routinely violating them. A party who willfully breaks a law, considering the fines to be merely a cost of doing business, should be punished harshly on the basis of their contempt for the law, regardless of the fine.
If there's a $100.00 fine for dumping, you cannot dump your trash there once a week and drop off a check for $100.00 at the courthouse clerk's office. The willful, repetitive nature of your violation will take on a legal significance beyond the scope of the original violation.
In practice, of course, many *do* get away with such practices, but not indefinitely, and not without risk.
-fb Everything not expressly forbidden is now mandatory.
have fun trying to extradite the millions of people who are "supplying crypto" to the people of your country, BTW, is it just me, or does "CRYPTO" sound like one of those fake "movie" drugs? Just an observation of mine.
I hate sigs.
1: reasonable doubt. Did you know that NOWHERE in the criminal code is the term "reasonable doubt", or what constitutes a reasonable doubt, actually defined? Reasonable doubt is one of those legal niceties off which lawyers grow rich, and which, given the ever-changing social environment, any attempt to define it would be doomed to failure.
2: Existing software already can make encrypted files that don't depend on file extensions. Why would I, or any other developer who wants to screw over The Man, do something as dumb as using a default file extension? Why not have it generate random extensions?
3: Renaming a whole bunch of *.txt files to *.yap still leaves them in plain text, readable in any text viewer. It would tend to show that the user did NOT use the software, and was depending on the "security through obscurity" model.
4: If I can show that there are other ways of creating *.yap files, then I am definitely off the hook, because the courts would have to consider that, maybe, someone else's application created those files. Especially if the code for creating those files is open-source. Wow - another good argument for open source
5: Is it reasonable? One protester back in the '60s took a piece of paper and wrote FUCK THE FBI on it in big, bold letters a bunch of times, then ran it through a paper shredder, then tore up the strands, and left them in his hotel room, knowing it was going to be searched. Can you picture some poor crime tech reassembling that document? Was it reasonable? No. Did it happen? Yes.
Courts have to consider evidence. If there is no evidence, then motives become irrelevant. Show me the body! If there is no evidence that only my app can create and read *.yap files, there is no direct connection to me. It's like trying to prove murder without a corpse. Especially if, after being charged, I produce an alternative, for example, evidence that the deceased is still alive, or died of natural causes.
Thanks for replying - it's been interesting so far...
"Anyone who supplies SA's with an encryption product .. this doesn't sound like a per-seat deal, just a registration of the fact that you are selling a crypto product in SA."
This type of law doesn't normally limit itself to commercial transactions: remember that the Californian courts will consider that you "do business in" California if someone from that state can access your website. In fact, you would also be "publishing" in California. Doesn't bother them that a user would have to post a request to your server in the UK, and retrieve a document created in the UK; as far as they're concerned, it's as good as living there and running a press.
It may be illogical, uninformed, and just plain wrong, but don't be surprised if courts take a weird interpretation of things. Is pgpi.org visible from South Africa?
Or they could just try the guy's birthdate, pet's name, girlfriend's name, or favorite sports team as passwords. It's pretty good proof when all the files successfully decrypt.
Chuckle.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Have you been to Argentina?
When I saw it, I nearly had a heart attack, I write freely available Java crypto BouncyCastle.org and thought of the horrible problems that we're going to have keeping SAf off the site.
I spent the 2 seconds actually reading the paragraph at the SAf Gov Site and it says:
All Cryptography Providers providing services or products in South Africa are required to register their services or products with the register maintained by the Department of Communications.
Note, the wording is in.
We won't mention the massive tariffs that the US places on imports like Australian lamb or Canadian timber or anything steel to subsidise poorly performing local industries...
or those wonderful pieces of *US* legislation like the DMCA and CBDTPA, which, regardless of their intended jurisdiction, have ramifications on software developers and technology providers worldwide.
The US doles out more shit like this SA crypto legislation than any other country in the world.
'sapientia potestas est'
Neither. It's thawte
My point was that the cost is so low there is no reason for the MPAA and RIAA to break it. They'll pay it and not think twice. Therefore the parent post to mine was not realistic.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Good work, sir. A fine meta-troll, and a shining example to us all.
> Where does this leave a free OpenSSL mirror (not selling anything)?
Well, I'd bet that they would consider this a "sale" that requires registration.
If not, then the law is pointless. As a vendor, I could just say "I'm only selling the hardware; the encryption is free." Sellers love to give things away "for free", if you only get the free things by paying for something else.
Whether they could actually impose a registration fee on openssh.org isn't obvious. Who would they extradite and toss in jail?
There's still the prospect that a clueless SA computer user will use encryption without realizing the fact. How many people realize that when you order a CD or a shirt from a web site, you are using encryption? But you can be sure that the software installed at the ISP will notice your encrypted messages.
Unless you can present a receipt for the registration fee for your encryption library, what defense do you have when they come knocking on your door?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.