On Tue, 2002-10-01 at 21:20, Lukas Geyer wrote:
> The South African government passed a law (apparently two
> months ago) which requires all crypto providers to register with the
> government for some fee. The law can be found under
> http://co.za/ect/a25-02.pdf (this is ridiculously large, seems to be a
> bitmap of some scanned-in document or such). The critical section is
> Chapter V, on pages 18 and 19 of said pdf. Specifically the law does
> not require that the provider resides in South Africa, it is enough to
> provide it to persons present in South Africa.

(Analysis is at the end of the message, for those familiar with the legislation. Typos are likely my fault except where noted; this PDF is a bitmap and cannot be cut-and-pasted, so I am transcribing it.)

Specifically, the law provides for a cryptography provider registry, and then places the following restrictions:

-----
30. (1) No person may provide cryptography services or cryptography products in the Republic until the particulars referred to in section 29 in respect of that person have been recorded in the register contemplated in section 29.

(2) A cryptography provider must in the prescribed manner furnish the Director-General with the information required and pay the prescribed administrative fee.

(3) A cryptography service or cryptography product is regarded as being provided in the Republic if it is provided--
    (a) from premises in the Republic;
    (b) to a person who is present in the Republic when that person makes use of the service or product; or
    (c) to a person who uses the service or product for the purposes of a business carried on in the Republic or from premises in the Republic.
-----

The penalties for violating this section of the law are described as follows:

-----
32. (1) The provisions of this Chapter do not apply to the National Intelligence Agency established in terms of section 3 of the Intelligence Services Act. 1994 (Act No. 38 of 1994).

(2) A person who contravenes or fails to comply with a provision of this Chapter is guilty of an offence and liable on conviction to a fine or to imprisonment for a period not exceeding two years.
-----

There is a definitions section, in which we find:

-----
"cryptography product" means any product that makes use of cryptographic techniques and is used by a sender or recipient of data messages for the purposes of ensuring--
    (a) that such data can be accessed only by relevant persons;
    (b) the authenticity of the data;
    (c) the integrity of the data; or
    (d) that the source of the data can be correctly ascertained;

"cryptography provider" means any person who provides or who proposes to provide cryptography services or products in the Republic;

"cryptography service" means any service which is provided to a sender or a recipient of a data message or to anyone storing a data message, and which is designed to facilitate the use of cryptographic techniques for the purpose of ensuring--
    (a) that such data or data message can be accessed or can be put into an intelligible form only by certain persons;
    (b) that the authenticity or integrity of such data or data message is capable of being ascertained;
    (c) the integrity of the data or date message; or
    (d) that the source of the data or data message can be correctly ascertained;
-----

> I am neither familiar
> with international law nor with South African law, so could some
> clueful people please comment on how this will affect Debian? Is
> providing crypto software on the internet already subject to this law
> or does it only apply if one ships CDs? Do we have any South African
> developers or what would be the consequences for the Debian project,
> i.e. would we risk to be arrested when traveling to South Africa?

I am not a lawyer in any jurisdiction, so the standard disclaimers apply.

First of all, it seems clear that distribution of free cryptography software is not allowed without registering with the government.
Our official CD images, therefore, cannot be distributed to any South African business doing business anywhere in the world (for example, the De Beers New York office) or any person of any nationality in South Africa; neither can any packages containing crypto. Note that "crypto" is defined to include data authenticity and integrity algorithms as well, so md5sum is likely in the same boat as gpg or openssl in this case.

Furthermore, providing cryptography services is not allowed. This appears to be limited to the act of encrypting or decrypting; relaying previously encrypted data appears to be OK. Again, the data integrity/authenticity clauses affect this; something as innocuous as signing a ZA developer's key could be construed as an "encryption service".

Since services are considered provided "when that person makes use of the service or product" (30(3)(b)), this may also affect our provision of services such as online apt repositories. The fact that MD5 checksums of various files are precalculated and stored in static files without reference to any South Africans may not help, since someone in ZA who types "apt-get update" will be comparing locally-calculated checksums with downloaded values. Besides the fact that apt is a "cryptography product" (since it calculates MD5 checksums), we are providing apt with input used in a cryptographic protocol, which sounds like a cryptography service under the definition.

What's more, registration with the government does not end our problems. The GPL states:

-----
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
-----

The restrictions imposed by this law may be analogous to patent restrictions. The implication of this paragraph is that you must grant distribution rights to all recipients of a GPLed program you distribute, and that no other law (patent, court judgment, contract, or otherwise) may supersede that requirement. Granting such rights under this law would be impossible for cryptography software, as you could not grant distribution rights to recipients that were not registered. Therefore, it is possible that GPLed software that qualifies as a cryptography product cannot be legally distributed in South Africa, even by people who are registered.

Again, I should point out that this is a lay opinion. I may be interpreting the ZA law too tightly; there may be other information that affects the interpretation of the law that I don't know. I'd love to be wrong in this case.