As such, encryption equipment is a controlled commodity within the meaning of the Control of Commodities and Services Law, 5718-1957 and it is therefore subject to the prohibitions, restraints, supervision and control governing it by virtue of the Control of Commodities and Services (Engagement in Means of Encryption) Order, 5734-1974. This sweeping Order, which is nicknamed "the Code Order", prohibited engagement in means of encryption otherwise than pursuant to a licence from the Director ("the person appointed by the Minister of Defence as Director for the purpose of this Order"). The current Director is a professional officer of the IDF's Chief Communications and Electronics Command, and the person who actually deals with the grant of permits and licences by virtue of the Order is a senior Non-Commissioned Officer!
These laws are a remnant of the days in which the only use of encryption was clearly military. That is not the case in the Internet age. Encryption is a condition precedent to secure on-line commerce and to the prevention of unauthorised access to computer networks which are to the Internet. In these circumstances a modification to the Code Order has been necessary.
Indeed, even State authorities have aired the view that the law of encryption should be revised. For example in the Report on Israel in the Computer Networking Era, which was prepared by a committee headed by the then MK Michael Eitan, a recommendation was made to modify the Code Order to the effect that all activity, other than in certain security-related spheres, would be permitted. Alternatively, the committee proposed a sweeping exclusion from the Order of technological applications in the area of electronic trade.
In Subsidiary Legislation No. 5917 of 13th August 1998, extensive amendments to the Israeli law of encryption were published. It was to be expected that these amendments would recognise the need to adapt the law to the changing reality and have some regard to the recommendations mentioned above, however they are disappointing and surprising. The main amendments are set out below.
- The Commodities and Services (Engagement in Means of Encryption) (Amendment) Declaration, 5758-1998 revises all the definitions so as to be consistent with modern encryption technology. The revision of the definitions is not a simple matter, since the subsidiary legislature has created a contorted series of definitions, one containing another, to the point where it is difficult to follow them.
- The heart of the new definitions is "engagement in means of encryption" (which requires a licence), which means "the development, manufacture, modification, integration, purchase, use, keeping, transfer from place to place or from hand to hand, import, distribution, sale or conduct of export negotiations or export of means of encryption". This definition is more far reaching and stringent than its predecessor. From the old definition it could be inferred that the prohibition applied to use in business. It is not the business of individual members of the public to make occasional purchases over the Internet and it could therefore have been argued that the use of security protocols by them was not prohibited. On the other hand, the result of the new definition is that any incidental user of encryption over a network is prima facie an offender.
The Commodities and Services (Engagement in Means of Encryption) (Amendment) Order, 5758-1998 applies the new definitions and adds more.
- Firstly, it makes it clear that the person authorised to grant permits is henceforth the Director-General of the Ministry of Defence. Alongside him, an "advisory committee" consisting of at least five members has been appointed. Its function is not clearly defined and it can merely be inferred from its name that it will recommend to the Director-General how to act in granting licences and permits. Although the Order takes pains to make it clear that the committee is not empowered to grant licences or the like, it is clear that it will in fact have extensive power.
- A material innovation can be found in the definition of "free means", which are means of encryption in respect of which the Director-General has granted a general licence or published notice that they are free. The purchase, use, holding, transfer, distribution, sale or export of free means does not require a licence.
- The Order further explains that the purchase, use or keeping of encryption means does not require a licence if sold pursuant to a licence from the Director-General.
It is to be hoped that the first declaration which the Director-General makes will prescribe that secure Internet communications protocols are "free means". However the wealth of other encryption programs, some of which are designed to conceal data and encode email messages, will naturally evade the Director-General's eye. The user of such programs will prima facie continue to be an offender. And as much as the Director-General declares means of this type to be "free", the suspicion will always linger that the State has the technology to decipher the encryption (a back door) and for that reason has permitted their unrestricted use.
More than the new orders permit, they clearly delineate the grave restrictions governing both users and developers of encryption means. Since encryption underlies Internet information security, Israeli companies which are involved in the sphere are still placed in a position of inferiority, compared with their overseas competitors: it will be difficult for customers to understand why it should be necessary to obtain a permit even to negotiate the sale of systems with them. The revisions to the Code Order do not contain the good news that these companies were waiting for.
Translated by Word Power