OSS and cryptography regulations

Draft Cryptography Regulations, released on September 1 by the Department of Communications, are available for comment. In a Tectonic report, Morgan Collett writes that while it had been hoped that these would further define what entities would need to register in terms of the Electronic Communications and Transactions Act as either providers of cryptography services or products, the issue of how open source software fits into the regulations remains unclear.

In terms of the ECT Act nobody may provide cryptography products in SA without registering with the government. In addition, all providers need to provide the government with a list of contact details of customers to whom a cryptography product was delivered, sold, made available or distributed to directly or a service was rendered in the preceding six months, which is updated every six months. Collett notes that open source cryptography software packages can be distributed in a variety of different ways and this can be done anonymously via download or even P2P networks. According to the report, unless these issues can be resolved, open source cryptography software may fall into a legal grey area. Full report on the Tectonic site