An argument that the use of e-mail blocking software will be illegal in South Africa soon will no doubt raise concerns and confusion in the IT sector – most big companies use such software packages and many people in South Africa make a living through the programming, marketing and licensing of content filtering software products.
However, a careful examination of recent legislation seems to indicate that the filtering and blocking of e-mail and attachments thereto will be illegal soon and use thereof may result in criminal liability (fines and imprisonment) and civil liability amounting to millions.
This article will also suggest some solutions to ensure that the licensing, installation and use of blocking software is legal.
Blocking software products allow businesses to censor the content of incoming and outgoing e-mail. Or prevent access to certain Internet websites. The content of a message is scanned to determine if it contains a set of pre-determined keywords or phrases like 'sex', 'Nazi' or 'credit card number'. Some products block all messages that contain images, relying on some strange assumption that all electronic images are either non-commercial or at least pornographic and harmful.
If an e-mail (or attachments thereto) contains one of these keywords or phrases, the message is blocked and/or deleted. In some cases a return message is addressed to the sender, informing him or her that the e-mail was blocked. Examples of these notifications I actually received after e-mailing the Buys Inc newsletter to our consent-based database include:
* 'Your message dated Sat, 14 Jun 2003 07:14:20+0200 intended for XYZ with subject ABC contained an image and was quarantined.'
* 'Your message was blocked by our firewall because of the following rule: Block IMAGEfile. The blocked e-mail will be automatically deleted after 5 days.'
* 'Our blocking software has been stopped for the following reason: It believes that it contained language or inappropriate material. Please clean-up or re-phrase the message and send it again.'
Criminal liability for filtering and blocking e-mail
In terms of the Regulation of Interception of Communications and the Provision of Communication-Related Information (RIC) Act 70 of 2002 (gazetted in December 2002 but not in operation yet), it is a criminal offence to intercept or attempt to intercept any communication in South Africa1. A 'communication' is defined2 to include an e-mail as an indirect communication.
The important question to answer is therefore whether the operation of blocking and filtering software amounts to the interception of an e-mail. The term 'interception' is defined as follows in section 1 of the RIC Act:
'.and includes the -
a) monitoring of any such communication by means of a monitoring device;
b) viewing, examination or inspection of the contents of any indirect communication.'
Blocking software does examine and inspect the content of an e-mail and therefore amounts to the interception thereof, bringing e-mail blocking into the scope of the RIC Act.
The RIC Act, furthermore, creates some exceptions to the general rule that a communication may not be intercepted - these include interception in terms of a court order, interception by one of the parties to the communication or interception if one of the parties to the communication consents thereto in writing.
Section 4 of the RIC Act states that any person, other than a law enforcement officer, may intercept a communication if he or she is a party to that communication. The definition3 of 'party to a communication' confirms that it refers to the natural person sending or receiving the e-mail and not the business employing such person. Content filtering and blocking products are, in most cases, licensed to and used by businesses and not their individual employees and therefore the interception exception detailed in section 4 cannot be employed to ensure that content blocking is used legally.
That leaves us with the controversial section 5 of the RIC Act which states that any person, other than a law enforcement officer, may intercept any communication if one of the parties to the communication has given prior consent thereto in writing.
The bottom line is that businesses will only be able to use content filtering and blocking products legally if their employees consented thereto in writing. Doing so without the required consent will be a criminal offence punishable with a prison sentence or a R2 000 000 fine4.
Some may argue that section 6 allows the interception of communications without the consent of one of the parties thereto. To a certain extent that is true as the section provides as follows:
6(1) Any person may, in the course of the carrying on of any business, intercept any indirect communication -
(a) by means of which a transaction is entered into in the course of that business;
(b) which otherwise relates to that business; or
(c) which otherwise takes place in the course of the carrying on of that business, in the course of its transmission over a telecommunication system.
Although most IT lawyers agree that section 6 is badly drafted, there is disagreement over its application. The clause seems to indicate that only business-related communications may be intercepted. Furthermore, the clause comes with the proviso that communications may only be intercepted without consent 'in the course of its transmission over a telecommunications system'. A 'telecommunications system' is defined in terms of the Telecommunications Act of 1996 and a server operated by a private business is probably not part thereof.
In light of the confusion and uncertainty over the application of section 6 and the high fines for illegal interception, prior consent is the safest way to prevent criminal liability.
Civil liability resulting from filtering and blocking messages
The Electronic Communications and Transactions (ECT) Act 25 of 2002 deals with the civil liability that may result from the use of blocking and filtering software.
In law and commerce, the exact time an e-mail was received is, for a number of reasons, of crucial importance - for example, tender documents normally should be submitted on or before a certain time and date, options should be effected on or before specific dates, some contracts determine that evidence on money transfers should be e-mailed on or before a specific time and date, most commercial quotes and offers are only valid for a specific time, and so on. It is easy to imagine the liabilities that may be incurred if an e-mail containing date and time sensitive information is blocked - for example, Company A may award a tender to Company B because Company C's e-mailed tender application was blocked, notwithstanding the fact that it was sent four days before the close of the tender period.
Section 23 of the ECT Act deals with the time an e-mail is presumed to have been received. It states that an e-mail (being a 'data message') is regarded to be received by the addressee when such an e-mail enters the information system of the addressee and is capable of being retrieved and processed by the addressee5. This 'time of receipt' presumption will only apply if the parties to the e-mail did not agree otherwise6.
The implication of the abovementioned presumption is that an addressee is presumed to have received an e-mail notwithstanding the fact that the e-mail was blocked by the addressee's blocking software - the server running the software is part of the addressee's information system and it is reasonably possible to retrieve the message. An argument claiming that it is totally impossible for an addressee to retrieve a blocked e-mail will probably not be accepted by the courts (or myself), as a mere phone call to the systems operator will make it possible to release the message7 and retrieve it. If blocking a message is an allowed excuse to deny the receipt thereof, everybody will use that excuse - "The reason I did not pay your invoice is that I never received it. Our system must have blocked and deleted it - sorry. Please send it again and if our system does not block it again I will pay it." The implications for commerce and law would be ridiculous.
Content filtering and blocking amounts to nothing less than a new form of corporate censorship that conflicts with free speech rights in any democracy. In most applications the filtering and blocking rules are determined through an undemocratic and one-sided process that is not open to review or challenge - a specific software developer's sense of the 'immoral' or 'pornographic' is forced on every message sent to a system that employs the product, resulting in the censoring of content that is not only legal but also constitutionally protected. As detailed above, some products rely on the absurd assumption that every image in an e-mail or attachment should be blocked. Immoral, illegal, pornographic content can only be determined by an examination of the context and not through the identification of single words or phrases.
Although it is not my intention to criticise any specific product or to generalise, it is a proven fact that the use of content filtering and blocking may have absurd results like the following:
* Most blocking products will block an e-mail containing the word 'Middlesex', because 'sex' (in any context whatsoever) is a pre-determined keyword.
* Products that block content that includes the word 'pornographic' will block not only this article but also communications from the user's human resources department detailing the communications policy of the user.
* Filtering software installed in Utah schools was found to also block the Bible, anti-drug information, HIV information, safe sex information, the US Constitution and most of Shakespeare's works8.
* The use of blocking software has been found to have unequal results and enforce prejudice based on race, homophobia and the like9.
To frustrate the effectiveness of filtering software, adult content is distributed with spelling mistakes or other identifiers such as 'p*rnography' and 's@x'.
Numerous courts in the United States, including the Supreme Court, held that the installation and use of filtering and blocking software at public places such as libraries and schools, is unconstitutional. If presented with a similar question, blocking software will probably also not survive scrutiny by the South African Constitutional Court because the use thereof infringes on the constitutional rights of free speech, the right to information and equality.
There is a very strong argument to be made that businesses should be allowed to use blocking software and to intercept employee communications - the distribution of certain forms of content by employees may result in liability for the employer and the employer has a duty to address such risks.
However, an argument that a business should be allowed to employ blocking software is one thing, the fact that such software should be used legally is quite another.
What can a business do to ensure that blocking software is operated legally?
* All current and new employees must consent to the interception of their e-mail. The consent must be provided 'in writing', which does not imply that it has to be 'on paper'. The correct use of an electronic consent will satisfy the writing requirement.10
* A workplace communications policy should address the use of e-mail and Internet access by employees as well as the employers right to filter and block incoming and outgoing e-mail.
* A business should use an e-mail legal notice (accessible as an hyperlink from every outgoing e-mail) that addresses, amongst others, the interception and possible blocking of return e-mail.
* The time and date an incoming e-mail is regarded to be received by the recipient should be agreed upon with third parties. The required agreement may be achieved through proper website terms and conditions, e-mail legal notices and a workplace communications policy. It is important to address these issues in written agreements as well, as e-mails may be sent and received in the course of performance as detailed in the agreement. For example, a paper-based agreement may state that the agreement may be terminated through written notice by either party. Written notice will not exclude an e-mail notice and failure to address the time such e-mail is received will result in the application of the deeming provisions of the ECT Act.11
The developers and vendors of blocking software will be well advised to address the concerns raised in this article in their client packages because, from the moment the President declares the RIC Act operative, all their clients will potentially be exposed to the R2 000 000 fine or imprisonment for illegal interception. Failure or refusal to address these concerns will amount to the sale and license of an illegal software product, inviting severe financial liability and reputational ruin.
Personally I feel that the use of blocking software should not be illegal or regulated by law - it should be a form of self-regulation employed by businesses as they see fit. My arguments detailed above are therefore based on an interpretation of the RIC Act and the ECT Act and not my personal views.
I am highly critical of the RIC Act. During the Parliamentary Justice Portfolio Committee deliberations on the RIC Act, Buys Inc addressed a letter to the Chairperson in which we raised concerns about the Act's wide scope of application - although a patronising remark about the letter is recorded in the Committee Minutes, we have to date received neither an acknowledgement of receipt nor an official response.
However, the sale and use of blocking software will be perfectly legal if the concerns raised herein are addressed correctly. Software vendors that do so urgently will have a competitive advantage as the use of their applications will not be illegal or invite civil liabilities.
Reinhardt Buys is the managing partner of Buys Inc Attorneys, a law firm specialising in IT and Internet law. Reinhardt was also the editor of Cyberlaw@SA, South Africa's first textbook on Internet law. Views and opinions expressed in this article are published for information purposes only and are not intended to be professional advice. Readers should seek professional assistance if they wish to act on any of the suggestions detailed in this article.
1. Section 2 of the RIC Act.
2. Section 1 of the RIC Act.
3. Section 1 of the RIC Act.
4. Section 49 read with section 51(1)(b) of the RIC Act.
5. Section 23(b) of the ECT Act read with the section 1 definition of a 'data message'.
6. Section 21 of the ECT Act.
7. The definition of 'information system' in section 1 of the ECT.
10. Section 5 of the RIC Act read with sections 11 and 12 of the ECT Act.
11. Section 23 of the ECT Act.