Encryption and Electronic Commerce - The Israeli Law

Israel is at the forefront of encryption development. Companies like Check Point, Algorithmic Research, Aliroo, Rad-Guard and many others are developing security and encryption systems based on codes. Israeli law contains many provisions which require steps to be taken for the security of information or make certain types of information privileged. Provisions of this type are a convenient platform for the modern, developed law of encryption. It is therefore surprising to learn that the development and use of encryption without permits from the security establishment is still a criminal offence under Israeli law.

In a lecture given at the beginning of 1998 to the annual convention of the Israeli Internet Association, Adv. Yaron Lehman of Haifa enumerated more than 100 provisions of statute which expressly or impliedly oblige or permit information to be kept secret. The main ones are:

  • section 7(d) of the Basic Law: Human Dignity and Liberty provides that: "the confidentiality of a person's conversations, writings and records shall not be infringed";

  • the Protection of Privacy Law contains a whole Chapter on the security of databases. The Protection of Privacy (Conditions for the Keeping and Safeguarding of Information and Arrangements for the Transfer of Information Between Public Entities) Regulations, which were made by virtue of the Law, inter alia require the "taking of reasonable security measures, depending on the sensitivity of the information, to prevent intentional or accidental entry into the system beyond the user's authorised areas of information";

  • the Israel Bar (Professional Ethics) Rules provide that: "an advocate shall keep confidential everything brought to his knowledge by or on behalf of a client in the performance of his duties".

Despite the existence of a convenient legal basis for liberal regulations concerning encryption, Israeli law prohibits developing, trading in, using or keeping means of encryption without a permit. The prohibition derives from the days when the sole purpose of encryption was military. Thus, for example, section 2 of the Control of Commodities and Services (Engagement in Means of Encryption) Order, 5735-1974 provides that:

"A person may not engage in means of encryption otherwise than pursuant to a licence from the Director and in accordance with the terms of the licence".

The Director is defined as the person appointed by the Minister of Defence for the purpose (currently a professional officer of the IDF's Chief Communications and Electronics Command).

"Engagement in means of encryption" is defined in section 1 of the Control of Commodities and Services (Engagement in Means of Encryption) Declaration, 5735-1974 as follows:

"Engaging in the development, manufacture, keeping, use, import, carriage, transfer from place to place or from hand to hand, distribution, sale or purchase of means of encryption, a method of encryption, an encryption key or of a record relating to encryption or the treatment thereof in any other manner."

The law further treats the export of means of encryption in the same way as it treats, for example, the sale of missiles. Both are regarded as "weapons", the export of which requires a permit pursuant to the Control of Exports (Weapons and Military Know-How) Order, 5737-1977.

These regulations make every Internet surfer an offender: browsers incorporate SSL encryption technologies designed to enable the transfer of sensitive personal details, like credit card numbers, with relative security. Consequently, anyone buying a CD or book over the Internet is "using" means of encryption, which prima facie requires a permit from the person appointed for the purpose by the Minister of Defence!

Israel's government agencies are becoming more and more aware of the need to revise the law. The Eitan Committee Report on Israel in the Computer Networking Era recommended permitting the use of information security products which incorporate 56-bit encryption mechanisms (the same key length as can be exported from the USA, although a 56-bit key was recently deciphered after 39 working days by thousands of computers operating together over the Internet - see last week's article). The Israeli Report also recommended permitting the free use and export of products which use any encryption mechanisms for the purpose of identification and verification, examining the authenticity of information and non-denial mechanisms. The Committee ultimately recommended facilitating the grant of export approvals in respect of products which contain encryption keys longer than 56 bits.

A document recently published on the Government of Israel's Internet Policy Committee web site, which was written by, amongst others, the Committee's legal counsel, Adv. Brian Negin, also recommends a sweeping permit for the use of encryption of any strength whatsoever for identification purposes. Nevertheless, it states that it should be ensured that such identification products cannot be converted into information encryption products.

The document states: "The encryption of information, per se, is the heart of the matter. The competent entities should weigh the security factors against the need for reliable network use and trading and the freedom of the individual to protect his private domain. A standard could be fixed for the length of the encryption key, in respect of the use of which a sweeping permit could be published. The length could be revised from time to time. Alternatively, a schedule of programs for domestic use, in which encryption is permitted, could be published periodically".

It is to be hoped that the law's revision is only a matter of time.

Translated by Word Power