Cryptography Regulation in Ethiopia: in Light of INSA’s Call for Registration

By Habtamu Hailemeskel & Hawi Dadhi

Habtamu Hailemeskel is a consultant and attorney at law specializing in business and investment laws. He also teaches law.

Hawi Dadhi is a business journalist who’s interested in technology, finance and digital technologies.

The Council of Ministers, during its fifth regular session held on March 19, 2022, approved a regulation to determine Fee Rates Payable for Services provided by the Information Network Security Administration (Root Certificate Authority).

The regulation is a clear indication of the scope of INSA’s mandate in regulating cryptography.

The services to be provided by INSA, as a Root Certificate Authority, are briefly explained in the article. In addition to licensing certificate providers, INSA is also mandated to give recognition to foreign certificate providers. A corresponding fee required by INSA is provided in the regulation for this service. In addition, a key service related to key management is repository service. “Repository” is defined under article 2(14) of the Electronic Signature Proclamation (ESP) as “a system for disclosing, storing and retrieving certificates or other information related to certificates.”

Time stamp service is one of the services that certificate providers are allowed to offer. However, the ESP also authorises the Root Certificate Authority/INSA to recognize entities other than certificate providers to provide a time stamp service (Art. 23 (2)). The regulation provides the fee to be paid for services related to licensing and recognition of time stamp services.

In a recent announcement, the Information Network Security Administration (INSA) required “individuals and entities who are involved in providing crypto services, including mining and transfer” to register on its website within 10 days as of August 22, 2022. It also warns that the appropriate body may take legal measures against those that fail to register and continue to carry out crypto services.

INSA invokes Article 6 (9) of its establishment Proclamation (Proclamation No. 808/2013). This provision gives it the power to “regulate cryptographic products and their transactions, set necessary criteria for establishing operating procedures, and develop and implement cryptographic infrastructure.”

What is Cryptography?

In its Guidelines for Cryptography Policy, the Organization for Economic Co-operation and Development (OECD) defines cryptography as “the discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation and/or prevent its unauthorized use.”

Basically, cryptography is a method of ensuring confidentiality in electronic communications, thereby helping build trust in electronic transactions. Digital monies use cryptography to maintain confidentiality and prevent repudiation and/or alteration of electronic transactions. This is usually made possible by using cryptographic keys – a public key and a private key. The public key, as the name indicates, is publicly available. It is linked to the private key, known to the key-owner only. The public key, through algorithms, helps authenticate an electronic message/digital signature created using a private key. In an asymmetric cryptosystem, where there is no close relationship between parties in the electronic communication, the cryptographic keys are important because they are used with cryptographic algorithms to transform, validate, authenticate, encrypt or decrypt data.

Under INSA’s establishment Proclamation, cryptography is defined as “a science of coding data so that they cannot be read or altered by any person or any machine other than the intended recipient or a science of authentication and non-repudiation in the electronic transaction” (Article 2 (9)).

As can be understood from the nature of cryptography, there are two legitimate interests to balance. One is the need to protect the confidentiality of electronic communications/transactions and ensure their integrity. The other is public safety and national security. Cryptographic regulations are required to strike a proper balance between these interests. Leaving cryptography unregulated may result in its use for illegal activities that may infringe consumers’ and businesses’ interests and negatively affect public safety and national security.

Governments regulate the sector by adopting laws and standards for the proper use of cryptography. This includes ensuring the interoperability, mobility and portability of the crypto system. The regulator usually takes two roles. One is acting as a root certificate authority, which is explained below. The other is in the development of standards that help ensure the integrity, compatibility and interoperability of the crypto system.

What Exactly is the Mandate of INSA in Regulating Cryptographic Products?

The announcement from INSA is too general and unclear as to who should actually register. It simply refers to “crypto service owners and transfer providers”. It also refers to mining.

What exactly is the mandate of INSA in regulating crypto services? Even though the law lacks clarity, the Administration’s mandate can be established from the definition provided for “cryptography” in the establishment proclamation. It implies that cryptographic products are products that provide or are used to provide encryption and authentication services (a reference to asymmetric encryption) and transfer of the same.

Regulatory intervention takes the form of certification and governments establish a certification standard. In line with this practice, the establishing Proclamation contains a very important provision indicating what the mandate of INSA should be in regulating cryptographic products and their transactions. This provision states that INSA has the duty to serve as a national “Root Certificate Authority” to perform its functions related to the regulation of cryptographic products and their transaction (Article 6 (10)).

A certificate authority, as defined in the OECD Guidelines for Cryptography Policy, is “a ‘trusted’ entity that provides information about the identity of a key holder in the form of an authenticated ‘key certificate’”. The Guidelines add that certificate authorities can be established by either the public or private sector, and that they may operate either “in-house” for an individual organization or for the public at large.

As INSA’s establishment proclamation does not provide a definition for “root certificate authority”, one should look into the Electronic Signature Proclamation (ESP) No. 1072/2018. Reference to the ESP is warranted and important for three reasons.

First, the definition given to cryptography indicates that the science of cryptography is important in enhancing trust, integrity, authenticity and non-repudiation of electronic transactions. Second, one of the areas where cryptography has application is electronic signature. Third, the ESP itself cross-references INSA’s establishing Proclamation.

The ESP explicitly provides that INSA shall “act as the Root Certificate Authority (RCA) pursuant to the mandate given to it in its establishment proclamation” (Article 9). The ESP indirectly defines a root certificate authority as “a body legally authorized to perform the power and duties stated under Article 10”. The reading of Article 10 shows that INSA, as a Root Certificate Authority, has the power to issue licenses to certificate providers and monitor their activities and operations; ensure the trustworthiness and the overall safety of the cryptosystem; and issue working procedures and standards that certificate providers shall follow.

Certificate providers can be considered as cryptographic service providers. The law permits them to issue digital certificates, and provide encryption service and time stamps for electronic messages. The ESP clearly prohibits the provision of these services without being licensed by INSA, the Root Certificate Authority.

To the best of the writer’s knowledge, INSA has yet to start issuing licenses to certificate providers. To exercise its powers and duties as a National Root Certificate Authority, INSA has been doing some preparatory work in developing guidelines and standards to ensure the security of the cryptosystem. However, the documents have remained at the draft stage and were available on its website. The draft documents include the Security Guideline for Certificate Authorities, Ethiopian PKI National Root Certificate Authority Certificate Practice, Ethiopian PKI X.509 Certificate Policy, and Ethiopian National PKI Technical Standards Guideline. It is important that INSA finalizes the development of standards and guidelines and the enactment of subsidiary laws to fully operationalize its establishing Proclamation and the ESP and to fully discharge its obligation as a National Root Certificate Authority.

For the reasons mentioned above, INSA’s mandate in regulating cryptographic products is narrow in scope and concerns providers of encryption and authentication services as they relate to electronic communication. In the eyes of the law, the call for registration from INSA applies to those engaged in certificate provision. As pointed out above, individuals or entities engaged in the provision of encryption, time stamping and issuance of digital certificates are required by law to carry out the business upon issuance of a license by INSA.

The fact that we refer to the ESP does not mean that INSA’s mandate only relates to electronic signatures. It also relates to the cryptographic products used for other purposes including in electronic payment and operation of the electronic commerce/transaction in general, protection of business and financial interests, protection of intellectual property rights and protection of national security and public safety.

Hazy Mandates

In June, a few months prior to the call made by INSA, a stern letter of warning was issued by the National Bank of Ethiopia (NBE) out of fear of the proliferation of crypto-based transactions leading to illegal fund transfers. The letter iterated that crypto trading is “illegal” and cited the central bank’s establishment Proclamation and the National Payment System Proclamation.

The 2008 Proclamation grants the NBE the power to issue its own debt and payment instruments. It later limits any monetary transactions in Ethiopia to Birr.

“All monetary transactions taking place in Ethiopia shall be presumed to be expressed in Birr unless validly agreed upon otherwise by the permission of the National Bank,” reads the Proclamation. “All monetary transactions shall be recorded and settled in Birr unless otherwise authorized by the National Bank or provided for in any international agreement to which Ethiopia is a party or in any domestic law.”

The Payment System Proclamation gives the central bank the power to designate payment instruments that can be issued, determine conditions, limitations and standards for their issuance, and authorize entities to establish, operate and issue payment instruments.

In its warning letter, the central bank cautions that failing to comply with its ban may result in measures. These measures are defined differently across the various pieces of legislation within the central bank’s purview. The Criminal Code stipulates that whoever sets up a form of currency without proper authorization is subject to punishment with simple imprisonment or a fine.

The Payment System Proclamation, for its part, says that making, forging or altering any payment instrument without lawful authority shall be punished with rigorous imprisonment from 10 to 15 years and with a fine from 50,000 Birr to 100,000 Birr.

There appear to be additional regulations with overlapping oversight powers that specify punishments for using illicit payment instruments and/or currencies, in addition to the ones listed above. These overlapping mandates and laws call for a higher-level policy decision to establish unequivocally and more transparently the government’s position on crypto, demarcation of mandates and mode of regulation.
