Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act 70 of 2002)
Directives in Respect of Different Categories of Telecommunications Service Providers made in terms of The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act No. 70 of 2002)
Schedule C : Directive for Internet Service Providers in terms of Section 30(7)(a) read with Section 30(2) of the Regulation of Interception of Communications Information Act, 2002 (Act No. 70 of 2002)
Part 2 : Interception of Indirect Communications
6. Security requirements for interception |
6.1 | Information on the manner in which interception measures are implemented in a given telecommunication installation shall not be made available to unauthorised persons. |
6.2 | Information relating to target identities and target services to which interception is being applied shall not be made available to unauthorised persons. |
6.3 | To the extent that the ISP is obligated to consult on the manner in which interception measures are implemented in a given telecommunications or other technical installation with the designer, manufacturer, distributor, installer and/or other supplier of such telecommunications or other technical installations for the implementation of interception measures, such consultation shall be subject to appropriate confidentiality undertakings by the relevant designer, manufacturer, distributor, installer and/or other supplier. |
6.4 | The technical arrangements required within a telecommunication system to allow implementation of the interception measures shall be realised with due care exercised in operating telecommunication installations, particularly with respect to: |
(a) | the need to protect information on which and how many target identities are or were subject to interception and the periods during which the interception measures were active; |
(b) | the restricting to a minimum, the number of staff engaged in implementation and operation of the interception measure; |
(c) | ensuring the clear delimitation of functions and responsibilities and the maintenance of third-party telecommunications privacy, by ensuring that interception provisioning is carried out only by authorised personnel; |
(d) | ensuring that the results of interception are delivered through a handover interface to the IC; |
(e) | preventing any form of unauthorised access to the handover interface shall be granted to unauthorized persons; |
(f) | appropriate measures to protect the handover interface against misuse; |
(g) | ensuring that the results of interception shall only be routed to the IC as indicated in the direction or request and ascertaining that proof of the authority to receive has been received from the IC, and ensuring that proof of the authority to send to the handover interface, has been furnished; authority to send will be in the form of a signature by the designated judge on the warrant or direction; authority to receive will be in the form of a lawful interception ID (LIID) configured by the IC and indicated in the warrant or direction. |
(h) | authentication of each call set-up where switched lines to the IC are used; |
(i) | the use of encryption as specified in section 9 of this directive, and the use of additional encryption or other confidentiality measures to protect the routing of the results of such interception, at the cost of the IC, where this is specified in the directive or request; |
(j) | ensuring that handover interfaces support the use of encryption, authentication, integrity checking or other confidentiality measures specified in this directive and shall co-operate with applicants or the IC, or a person authorised by the IC, to implement such measures if required at the cost of the IC; |
(k) | preventing or tracing misuse of the technical functions integrated in the telecommunication installation enabling interception. In particular, any activation or application of these functions in relation to a given identity shall be fully recorded, including any activation or application caused by faulty or unauthorised input, and the records shall cover: |
(i) | the target identities of the target service or target services concerned; |
(ii) | the beginning and end of the activation or application of the interception measure; |
(iii) | the IC to which the result of interception is routed; |
(iv) | an authenticator suitable to identify the operating staff (including date and time of input); |
(v) | a reference to the direction or request. |
6.5 | The ISPs shall take reasonable steps to ensure that the records referred to in paragraph 6.4(k) are secure and only accessible to specific nominated staff within their organisations. |