20 January 2021

SA interception and cryptography laws tell WhatsApp Privacy changes to “hold my beer”


If you think WhatsApp™’s recent changes to their privacy policy are scary, wait until you remember that SA has some of the most unfettered data-interception laws in the world, controlled and used by some of the most under-supervised and overly-agenda’d clandestine appointees. These vague interception laws are also compounded by lax control over cryptography providers, to provide a perfect legal storm in SA with regard to privacy in the modern world.

Whilst the Facebook™ group of companies, which owns WhatsApp™, has clear terms and conditions, gives you immense services for free, and is extremely limited in its use of your data, the SA government does very little in direct return for having extremely wide powers when it comes to intercepting and using your private information, even when encrypted.

The issue is that hardly anyone reads the old, convoluted laws about data-interception or encryption in SA, but rather focuses on hot-topics like social media scandals when they arise. For Pete’s sake, the full name of the applicable “RICA” Act is the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002… not exactly an enticing read for a teenager posting online!

Should people read these old laws, they will see that Facebook™ and WhatsApp™ are not the scary ones who may get your data, but it is actually our very own government that has had very wide powers allowing it to perform even worse actions for over a decade now, with little oversight over foreign cryptography providers servicing millions within our borders.


Understanding SA’s current data-interception and cryptography laws:

In order to understand why our own laws and authorities involved in data-interception and cryptography in SA are nightmare-inducing compared to WhatsApp™’s changes focused on marketing only, we need to consider some notable elements of data-interception and encryption laws and regulators currently in SA.

The first place to start is to understand RICA and the Electronic Communications and Transactions Act, 2002 (“ECTA”) and their main provisions. RICA is the salient law dictating what the government and its agencies can do when intercepting the communications of residents within the borders of the Republic of South Africa, and when using those intercepted communications (including listening to or recording live or pre-recorded communications). ECTA is used to regulate cryptography services and providers, such as WhatsApp™.

Some of the more interesting features of RICA and ECTA are listed below for your understanding of their various functions, according to whether the feature is Good, Bad or downright Ugly:

The Good:

  • Whilst authorities can abuse the available laws such as RICA for their own ends, at least we have some oversight statutes available to rein in maverick private companies who do in fact abuse your data (which many other countries simply do not have), where RICA is one such statutory limitation.

The Bad:

  • Local regulators authorised to enforce ECTA have few practical enforcement powers against major multinational and foreign companies providing cryptography services overseas, but which are accessed and used by literally millions of SA citizens with no limits. By way of example, how is our small SA regulator supposed to action a severe sanction against a monolith like Facebook Inc.™ based in the US?
    • Without such practical and effective oversight and enforceability, there is essentially no impetus for these companies to comply with SA’s laws on cryptography, leaving them to do what they want, and have the comfortable choice of complying with an ECTA enforcement notice or not.
  • The law controlling data-interception in SA (RICA) is tough to read and hard to understand for average citizens, who are the exact people who should be masters in understanding their privacy rights, especially in light of the current push towards the implementation of the Protection of Personal Information Act.

The Ugly:

  • Whilst ECTA requires that all cryptography providers register with the Department, citizens are not normally allowed to inspect the register of legal cryptography providers in SA (as per RICA). This has the effect that there is no room for citizen oversight of government, and no ability of SA citizens to see if their chosen cryptography-using service provider is even lawful in SA!
  • The law controlling data-interception in SA (RICA) has been analyzed as unconstitutional on many grounds. Further, it was found that the main safeguard preventing spurious or abused interception powers has been sidestepped for years, meaning that instead of a judge having to sign off on every such interception direction (providing some sort of judicial and reasonable oversight of government’s powers), government and various authorities have been using loopholes to intercept private communications for years without first getting such an order of court!
    • As such, the main tool (i.e. RICA) used by the SA government to intercept data is apparently broken and easy to exploit to whatever ends, with little oversight.


Before we scream bloody murder at private companies who have heaps of international law and their own comprehensive terms restricting their limited powers, maybe we should all go back to being responsible citizens, and understand the affairs of our own country and its laws first. Let us fix our own affairs and regulation before we start preaching to others from a moral and legal high ground that we do not have.

Thomas Reisenberger – 19 January 2021
