Israel: The Unreasonableness Of The Encryption Order

Last Updated: 26 January 2001
Article by Haim Ravia

On 16th September 1999 the Clinton Administration announced a new, far more lenient export policy in respect of encryption commodities. After years during which the American security agencies had claimed that the free export of means of encryption would endanger national security and had required encryption programs to leave a "back door" through which they could access the hidden information, the new policy can be viewed as a real revolution.

The changes brought about by the Internet in the character of encryption, its use and prevalence have forced the hand of the Washington Administration. From something designed for military organisations, encryption tools have come to have clearly civil purposes: the security of data en route from the browser of the surfer in the on-line shop to the shop's servers; the security of information on e-commerce servers that store customer and credit card details; the encryption of information on private virtual networks that link separate offices by means of the Internet as though they were located next door to each other - these are all routine, clearly civil applications of encryption technology. Alongside these uses the Administration has decided to change its policy due to the availability of free encryption commodities on the Internet; the liberal export policy of some of the countries that develop such commodities; pressure from the information industry in the USA, that has felt that its hands have been tied in the battle to acquire new markets; the position of privacy protection organisations; and no less important, novel precedent by one of the USA's higher federal courts and attempts in Congress at legislation aimed at making Washington's rigid licensing policy more lenient.

Three principles underlie the new encryption policy: technical examination of encryption commodities before they are sold; a simple reporting system after their export; and control over their export to governments (as opposed to private users). On 14th January 2000, the US Department of Commerce published an official amendment to the Export Administration Regulations, which was basically welcomed by the American information industry. In a nutshell, the modifications introduced are -

  • In encryption the length of the key expresses the strength of the tool. The export of means of encryption whose key length was up to 40 bits was formerly permitted without restraint, whilst the export of means with keys more than 56 bits long was permitted subject to restraints. The new Regulations permit the sale of encryption products to companies, individuals and non-governmental organisations without limiting the key and without first needing to obtain an export licence.
  • Commercial encryption products that are easily available on the open market can henceforth also be exported to governments.
  • The export of the source code of commercial means of encryption and of tools used for the development of encryption programs has been permitted.
  • The restraints relating to the distribution to individuals of commercial encryption products over the Internet, including their source code, have been removed.
  • The restraints have been left in force in respect of the export of encryption commodities to seven states that support terror - Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

Dramatic expression of the change in the Administration's export policy can be found in Network Associates' announcement of 13th December last year that it had been permitted to export the PGP encryption program without limitation to almost every country in the world. PGP, the initials for "pretty good privacy", is one of the strongest encryption programs that exists. It is used for the security of information on computers and the encryption of messages sent by e-mail. The original developer, Philip Zimmerman, conducted protracted legal proceedings against the Administration with regard to the restraints imposed over the program that he had developed. PGP therefore became a symbol of the struggle for encryption freedom and the safeguarding of privacy.

The Administration in Washington has not eased encryption policy merely because it has come to understand that it required change. Alongside pressure from the relevant industries, two important developments helped the US Department of Commerce realise what was required by the changing times -

  • On 6th May 1999 a federal appeal court held that the regulations limiting the export of encryption commodities were contrary to the First Amendment, which guarantees freedom of expression. The claim of Prof. Daniel Bernstein, who had developed an encryption program and petitioned against the restraints, was allowed. Although the decision was based on the First Amendment, the court also held that because of the growing need to safeguard privacy, the restraints might also be illegal in view of the Fourth Amendment. A few months later the decision was set aside and the court decided to re-hear the issue. Nevertheless, the judgment had presumably already managed to leave an impression on the Administration, especially since it had upheld the ruling of an inferior instance.
  • At the same time, the enactment of the Security and Freedom Through Encryption Act, promoted by the Republican, Robert Goodlatte, was proceeding in the House of Representatives. The Act was aimed at removing the export restraints more sweepingly than ultimately done by the Administration.

The revolutionary changes in the USA put Israeli encryption law in an unfavourable light. Whilst the basic controversy in the USA has revolved around the export of encryption commodities, Israeli law prohibits the use of such commodities even by the State's own nationals. Whilst the Protection of Privacy Law places the owners of databases under a duty to secure the information kept in them, the Encryption Order greatly limits the use of the basic means to safeguard the information - encryption. To this must be added the restraints imposed by the law on the very development of encryption commodities (not merely their sale). The overall result is law in respect of which there is basis to argue that parts clearly exceed what is reasonable or are contrary to the basic principles of freedom of occupation. They are therefore open to judicial review and annulment.

Alongside its traditional military and defence applications, encryption is used in modern communications to encode cellular phone calls; for the security of information sent from Internet browsers to e-commerce sites; the protection of intellectual property in computer files; the management of virtual networks that link remote sites by the Internet; the verification of contracting parties' identities; the security of computer data; etc., etc. In practice, the Internet is inconceivable without encoding and encryption but, nevertheless, the development, production, export and use of encryption commodities are subject to anachronistic law that makes hundreds and thousands of people into involuntary offenders and precludes the free use of encryption for the security of information on computer systems. This is just because encryption can also be used for illegitimate purposes. It is like outlawing the manufacture of knives because they can be used to harm people.

Encryption is controlled in Israel by the Control of Commodities and Services (Engagement in Means of Encryption) Order, 5735-1974, which is known as the Code Order. It is accompanied by the Means of Encryption Control Declaration of the same year, that provided that encryption means were a controlled service. The Order and Declaration were issued by virtue of the Control of Commodities and Services Law, 5718-1957 and whoever contravenes their provisions therefore commits a criminal offence that carries with it up to three years' imprisonment. The power of control has been vested in the Director-General of the Ministry of Defence since 1998 (the previous person responsible being a professional officer of the IDF's chief communications and electronics command) and the Director-General has empowered the Director of Defence Exports to deal with encryption licensing procedures.

Whilst most law in the western world concentrates on the export of encryption commodities, the Code Order also prohibits their development, production, export, purchase and sale - and even their use - without a licence from the Director-General of the Ministry of Defence. He may issue one of three types of licence: a general licence that applies to all uses of encryption commodities; a limited licence that is valid for only one year and merely applies to types of engagement in means of encryption, a certain means of encryption or particular countries, depending on the type of user or other criteria; and a special licence for a specific engagement, including a particular transaction, in certain means of encryption. "Free means" are ones in respect of which the Director has of his own initiative awarded a general licence or published that its use is "free", i.e. exempt from the duty to obtain a licence.

For a person to lawfully purchase and use means of encryption, he must ensure that one of the following applies:

  • either a licence has been granted to sell or transfer them to that person. This essentially applies to means that have been developed in Israel by local companies that naturally comply with the provisions of the Code Order. It is doubtful whether it can apply to encryption commodities that have been developed abroad (for example those embedded in Windows NT and 2000) and it is certainly not applicable when the seller is a foreign company and the commodity is sold over the Internet; or
  • the commodity has been declared "free means". To date three schedules of such means have been published in the Official Gazette. More than anything, they indicate a very strict interpretation of the Code Order, according to which Zip file compression programs are means of encryption (only a very small proportion of these programs has been authorised even though a file compressed by any of them can be decompressed by any other); Internet browsers are also means of encryption (the use of only the most common being authorised) as are certain models of cellular phone (what about the rest?). Moreover, presumably "free means" are ones that the defence establishment knows how to crack, the use of which is therefore not sufficiently secure. Ultimately, it is perfectly clear that the pace at which means are declared "free" cannot keep up with the wealth of programs and tools that include encryption commodities as an integral part of them.

The overall result is that a substantial proportion of people who purchase encryption commodities for legitimate uses, like information security, need to apply for a licence to do so.

On the other hand, a person wishing to engage in encryption needs to obtain a licence when he starts work. This is a grave restraint of the freedom of occupation that is protected by a Basic Law, which provides that all government authorities must respect the citizen's freedom of occupation. In view of the fact that the restraint with regard to the development and manufacture of encryption commodities does not distinguish between different types of commodity, their strength and intended use, there is prima facie basis to challenge it on the ground that it is not directed towards a proper purpose or that it exceeds what is necessary. However, provisions of an enactment that would have been valid but for the Basic Law: Freedom of Occupation, will remain in effect for a further two years. Until then, prima facie, they can only be interpreted within the spirit of the Basic Law.

The licensing procedures in respect of encryption commodities that have already been developed are even more problematic. The applicant has to submit to the Director of Defence Exports a working version of the program and ancillary material and documentation, together with the program source codes! The source codes reveal to the defence establishment the algorithm underlying the encryption system and they constitute the developer's trade secret. It is inconceivable that they would otherwise be disclosed. The Code Order does not per se require the disclosure and it is merely a requirement of the executive agency. In the absence of express power to require the source codes, the legality of the requirement is unclear and there is basis to argue that it is inconsistent with the provisions of the Basic Law: Human Dignity and Liberty, which prohibits the infringement of a person's property. One way or another, in view of the duty to furnish the source codes, it is not surprising that Israeli software companies that wish to export encryption commodities frequently suspect that the means developed by them have a secret "back door" that enables the Israeli military to penetrate them.

In praise of the defence establishment it can be said that it is aware of the need to change the Code Order. It began the process of change about a year and a half ago with the amendment to the Order and is continuing it with the publication of new policy on the export of encryption commodities. The change is very slow and being made step by step. The new export policy emphasises that the provisions of the Order are not being altered. Nevertheless, in principle, an export licence will now be awarded for the export of encryption commodities to non-governmental entities without any limitation as to the length of the encryption key (i.e. as to their power). This policy is in fact very surprising. If encryption commodities can be exported without restraint, why can they not be used for legitimate purposes without restraint? Indeed, this is a material obstacle to the liberalisation of this sphere in Israel. Companies with commercial interests are promoting it with hardly a murmur from the protection of privacy lobby. The result is a serious discrepancy between the statutory duty to keep information secure and the ability to use the basic means of security - encryption.

Secrets have special standing in Israeli law. As the Supreme Court has stated: "There are those who view the trade secret as property... and others view it as 'quasi-property' or a proprietary interest... Nevertheless, it would appear that everyone accepts that the trade secret does 'exist' in law and that the law provides means to protect against its exploitation without the agreement of the person entitled to it" (HCJ 1683/93, Yavin Plast Ltd v. The National Labour Court). It is therefore not surprising that there are more than 100 provisions of Israeli statute law that require the maintenance of secrecy. The reasons for requiring secrecy are based on the nature of the information that the law seeks to protect:

  • information concerning individual, intimate life - for example, section 3 of the Detection of the Aids Virus in Minors Law provides that "a person acting pursuant to this Law owes the minor a duty of secrecy in all respects relating to the test to detect the aids virus in the minor; should a person obtain information or documents under this Law, he shall not make use of them or disclose them to another except for the purpose of delivering notification to a welfare officer, if the conditions for the delivery thereof have been fulfilled, whilst protecting the minor's privacy". Other provisions deal with confidentiality in the context of adoption, kidnapping and health;
  • economic information - for example the Commercial Wrongs Law, 5759-1999 provides in section 6 that "a person shall not misappropriate another person's trade secret";
  • state security and national information - for example, the Sources of Energy Law, 5750-1989 imposes a duty to keep information secret.

Privacy As A Constitutional Right

Another reason for the legal requirement of secrecy is to protect the source of the information:

  • the duty of confidentiality owed by lawyers, doctors and psychologists is embodied in statute;
  • other positions also necessitate the maintenance of confidentiality. For example, a conciliator owes a duty of confidentiality in respect of the information that he has received from the parties who refer their case to him by virtue of the Courts (Conciliation) Regulations, 5753-1993; and the Central Bureau of Statistics must keep secret the information acquired by it as the basis for its reports.

There are also certain statutes that provide that the unlawful disclosure of information is a criminal offence. A clear example is the Computers Law, 5755-1995 in relation to computer hacking.

The statutory provisions reach their climax in the Basic Law: Human Dignity and Liberty, which raises the protection of property (and with it, according to those who maintain that secrets are property, the protection of secrets) to the level of a constitutional right. At the same time, the Law also lays down that privacy is a constitutional right, section 7 providing that "every person is entitled to privacy and to the confidentiality of his life" and that "the confidentiality of a person's conversations, writings and records shall not be infringed".

A Duty Without The Power To Fulfil It

The law does not content itself with this. The Protection of Privacy Law, 5741-1981 makes the owners, keepers and managers of databases liable for the security of the information in them. "Information security" is defined in section 7 as "protecting the information's integrity or protecting the information against disclosure, use or copying without lawful authority". The Protection of Privacy (Conditions for the Keeping and Safeguarding of Information and Arrangements for the Transmission of Information Between Public Entities) Regulations, 5746-1986 detail the tasks to be done in order to secure information. Analysing them shows that the objective of information security is inter alia the protection of the information's confidentiality, integrity, availability and verity.

These objectives are exactly what encryption is designed to achieve. From Adv. Jonathan Bar-Sadeh's book, The Internet & the Law of On-Line Commerce (Perlstein-Ginossar, 1998), it can be seen that in addition to these four objectives, encryption achieves another purpose - it safeguards and attests to the information's ownership. Encryption is therefore a prime tool for fulfilling the legal liability of database owners and managers for the security of the information kept in their databases. It is also the ideal tool for someone seeking to exercise his constitutional right to protect the confidentiality of his conversations and writings, or to fulfil his legal duty to keep the information in his possession confidential. However, Israeli law is conspicuously asymmetrical: whilst the law lays down the rights and duties, to a large extent it denies the actual ability to protect or fulfil them in the best way by prohibiting the use of encryption without a licence from the Director-General of the Ministry of Defence. The encryption commodities that can be used are those that have been licensed or declared "free" - that is to say that their secrets are open to the Government authority. First and foremost, privacy requires protection against the authority. It is difficult to conceive of a more conspicuous discrepancy than exists between the imposition of the duty on the one hand and the denial of the power to take the most elementary steps to fulfil it on the other hand.

Encryption And Terror

It is also difficult to understand why the defence authorities need to permit the use of encryption for purposes like protecting the medical records of hospital patients, safeguarding commercial and business information etc. If the Ministry of Defence were to be asked its position, it would argue that it is seeking to guard against the concealment of illegal information, like plans for the commission of terrorist action. Although the perpetrators of the terrorist attack on Twin Towers in New York reportedly exchanged coded messages by e-mail, someone planning to commit a terrorist attack is not going to be deterred from using encryption merely because the use is controlled. The argument is therefore a feeble one.

In October 1998, the European Union's directive on the protection of individuals with regard to the processing of personal data and the movement of such data became effective. The directive requires the members of the European Union to adapt their protection of privacy law to its provisions. Amongst other things, it prohibits the transfer of information to countries that do not take adequate measures to protect the information. One of the criteria laid down by the directive for examining the protection of information is the rules of law in the country of destination. The European Union has long been in negotiations with the USA in this context and it is currently not considering the statutory arrangements existing in other countries. If and when it does consider the position in Israel, it will presumably also have regard to encryption law. As we have shown above, Israel's encryption law is no longer consistent with modern principles for the protection of information in computer systems.

Conclusion

The Code Order is making hundreds of thousands of people offenders since they use encryption (cellular phones or computer programs) without obtaining an appropriate licence. Since this is the scale of infringement, the Order is unenforceable. It is archaic law that is no longer consistent with constitutional rights of property and privacy. It is inconsistent with the duty resting with the owners, managers and keepers of databases for the security of the information held by them. It grants power to the military in connection with clearly civil uses of encryption that are of no interest to the military. It puts Israel at risk of a European boycott with regard to information-sharing. It is inconsistent with the modern western approach on the export of encryption and is unclear in relation to key issues of modern encryption, like the use of encryption for identification purposes (digital signatures). As such, the Code Order is unreasonable. There is reason to believe that some of its provisions - especially those that prohibit the use of encryption without a licence - are so extremely unreasonable as to make it possible to claim their annulment. The most obvious candidates to raise such claims are the companies that deal in encryption commodities but they prefer to avoid controversy with the licensing authorities. This places the responsibility to act on those concerned with the protection of privacy in Israel, headed by the Council for the Protection of Privacy and the Registrar of Databases.

First published in February 2000

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions