A substantially rewritten and expanded version of the bill is now being considered by the National Assembly. This document is available on-line at www.pmg.org.za/docs/2002/appendices/020524imbill.htm.
ISPA has several major concerns about the proposed legislation:
1. Costs of interception and monitoring
The bill requires all telecommunications providers (including Internet service providers) to install equipment on their networks capable of monitoring and intercepting all of their users' communications. The costs of this equipment is to be carried by the service providers, and ultimately, will have to be passed on to consumers. The bill also provides for ISPs (and other service providers) to pay for links from their networks to government operated 'interception centres'.
The current draft of the bill contains welcome provisions allowing the Minister to provide exemptions to ISPs from some of the monitoring requirements, but ISPA is still concerned about the costs of installing the necessary equipment.
ISPA is concerned that the added costs of interception and monitoring capabilities will result in a sharp increase in the cost of Internet access in South Africa. Studies done in the Netherlands, where similar legislation was enacted, illustrated that the average industry expenditure was approximately 30 million Euros and this resulted in many of the smaller ISP facing bankruptcy. ISPA is concerned that the sharp increase in costs resulting from the I&M Bill would damage efforts to increase Internet penetration in South Africa.
ISPA queries whether any cost effectiveness or regulatory impact assessment studies have been done. International experience is proving that the costs of establishing surveillance enabled networks can be so onerous, that countries are having to either subsidise the interception and monitoring equipment, budget for their internal security department to cover the costs, or delay the requirements for a number of years to allow operators and service providers to budget accordingly.
2. Privacy and data retention
ISPs are required to retain personal data they have collected from customers indefinitely, and make it available to law enforcement when requested to. ISPs are also required to store communication-related or call traffic information for a period of one year.
The financial implications for the Internet industry will be massive if ISPs are required to store large quantities of users' personal data for lengthy periods of time. Data storage will have an ongoing, and steadily increasing cost impact on ISPs compared to the once-off capital expenditure required for monitoring equipment.
In addition to the commercial implications, ISPA is concerned about the personal privacy ramifications for our members' subscribers and customers, of this data retention provision and the Bill in general. While the nature of law enforcement requires some encroachment into privacy rights, ISPA suggests that all data retention provisions be rigorously examined in light of the personal privacy guarantees contained in the Bill of Rights. While none of these rights are absolute in operations, ISPA believes that for the Internet to grow, citizens need to feel confident that their privacy online is given the maximum possible protection. Extensive data retention laws potentially threaten this vital confidence.
In this light, ISPA hopes that the completed draft will also contain some requirement for annual public accounting of surveillance activity by government departments.
3. Requirements for identity confirmation
The bill requires all telecommunications providers (including ISPs) to have positive proof of identity from customers before entering into a service agreement. Such stringent identity policing requirements would make current consumer-oriented business practices -- such as automatic sign-up procedures for dial-up services -- illegal.
ISPA queries the need for consumers to produce identification in order to access the Internet.
The practical value of such identification requirements is also questionable. Determined Internet users -- or those with criminal intent -- can dial around the system, connecting to the Internet via an international telephone call to a foreign country without identification requirements. There is already international case law illustrating this phenomenon.
4. Overly broad definition of Internet service provider
The current draft of the I&M bill defines 'Internet service provider' as 'any person who provides access to, or any other service related to, the Internet to another person', and clarifies that this is not limited to telecommunications licence holders.
This definition is extremely broad and could be interpreted as including all companies providing Internet access to employees, academic institutions providing Internet access to students, and even providers of related services such as e-mail and web site hosting.
Will Internet cafes be required to install monitoring and interception capabilities? Will tourists visiting Internet cafes have to present their passports to get access the Internet? Will companies be required to track their employees' Internet use? Will Universities have to log which students are using which machines in computer labs? Will web-mail service providers be required to run identity checks on their users?
5. Ministerial Discretion
Akin to the ECT Bill, the Minister is given broad powers in the draft I&M Bill. All of the technical and security requirements for networks to be monitored, including capacity, the systems to be used, the facilities and devices to be acquired and the type of communication-related information to be stored must be specified by the Minister at the time of issuing a telecommunications licence.
While ISPA is certain that the reference to the Minister issuing licences is a typographical error (as is it ICASA which issues licences, not the Minister), we remain concerned about the lack of consultation in developing these standards. Consultation appears to be limited to the Minister, other relevant Ministers and telecommunication service providers, but allows no consultation with public interest or technical manufacturing bodies.
ISPA has concerns about some other sections of the bill -- for instance, section 32 makes failing to report the loss of a SIM-card to the police a criminal offence -- but the Association wishes to highlight the five issues above as having the most impact on the Internet industry.
ISPA has historically found the Portfolio Committee on Justice and Constitutional Development to be extremely open to input and comment from industry, and ISPA encourages other organisations and members of the public to read the draft bill and give their input to government. Because of the importance of this Bill and its implications, ISPA hopes that the Portfolio Committee will provide another opportunity for public submissions in this regard, prior to finalising the Bill.
