The Unreasonableness of The Israeli Encryption Order (Second Part)

Alongside its traditional military and defence applications, encryption is used in modern communications to encode cellular phone calls; to secure information sent from Internet browsers to e-commerce sites; to protect intellectual property in computer files; to manage virtual networks that link remote sites over the Internet; to verify contracting parties' identities; to secure computer data; and so on. In practice, the Internet is inconceivable without encoding and encryption. Nevertheless, the development, production, export and use of encryption commodities are subject to an anachronistic law that makes hundreds and thousands of people into involuntary offenders and precludes the free use of encryption for the security of information on computer systems. This is just because encryption can also be used for illegitimate purposes. It is like outlawing the manufacture of knives because they can be used to harm people.

Encryption is controlled in Israel by the Control of Commodities and Services (Engagement in Means of Encryption) Order, 5735-1974, which is known as the Code Order. It is accompanied by the Means of Encryption Control Declaration of the same year, which provided that encryption means were a controlled service. The Order and Declaration were issued by virtue of the Control of Commodities and Services Law, 5718-1957, and whoever contravenes their provisions therefore commits a criminal offence that carries up to three years' imprisonment. The power of control has been vested in the Director-General of the Ministry of Defence since 1998 (the previous person responsible being a professional officer of the IDF's chief communications and electronics command) and the Director-General has empowered the Director of Defence Exports to deal with encryption licensing procedures.

Whilst most law in the western world concentrates on the export of encryption commodities, the Code Order also prohibits their development, production, export, purchase and sale - and even their use - without a licence from the Director-General of the Ministry of Defence. He may issue one of three types of licence: a general licence that applies to all uses of encryption commodities; a limited licence that is valid for only one year and merely applies to types of engagement in means of encryption, a certain means of encryption or particular countries, depending on the type of user or other criteria; and a special licence for a specific engagement, including a particular transaction, in certain means of encryption. "Free means" are ones in respect of which the Director has of his own initiative awarded a general licence or published that their use is "free", i.e. exempt from the duty to obtain a licence.

For a person to lawfully purchase and use means of encryption, he must ensure that one of the following applies:

  • either a licence has been granted to sell or transfer them to that person. This essentially applies to means that have been developed in Israel by local companies that naturally comply with the provisions of the Code Order. It is doubtful whether it can apply to encryption commodities that have been developed abroad (for example those embedded in Windows NT and 2000) and it is certainly not applicable when the seller is a foreign company and the commodity is sold over the Internet; or
  • the commodity has been declared "free means". To date three schedules of such means have been published in the Official Gazette. More than anything, they indicate a very strict interpretation of the Code Order, according to which Zip file compression programs are means of encryption (only a very small proportion of these programs has been authorised even though a file compressed by any of them can be decompressed by any other); Internet browsers are also means of encryption (the use of only the most common being authorised) as are certain models of cellular phone (what about the rest?). Moreover, presumably "free means" are ones that the defence establishment knows how to crack, the use of which is therefore not sufficiently secure. Ultimately, it is perfectly clear that the pace at which means are declared "free" cannot keep up with the wealth of programs and tools that include encryption commodities as an integral part of them.

The overall result is that a substantial proportion of people who purchase encryption commodities for legitimate uses, like information security, need to apply for a licence to do so.

On the other hand, a person wishing to engage in encryption needs to obtain a licence when he starts work. This is a grave restraint of the freedom of occupation that is protected by a Basic Law, which provides that all government authorities must respect the citizen's freedom of occupation. In view of the fact that the restraint with regard to the development and manufacture of encryption commodities does not distinguish between different types of commodity, their strength and intended use, there is a prima facie basis to challenge it on the ground that it is not directed towards a proper purpose or that it exceeds what is necessary. However, provisions of an enactment that would have been valid but for the Basic Law: Freedom of Occupation, will remain in effect for a further two years. Until then, prima facie, they can only be interpreted within the spirit of the Basic Law.

The licensing procedures in respect of encryption commodities that have already been developed are even more problematic. The applicant has to submit to the Director of Defence Exports a working version of the program and ancillary material and documentation, together with the program source code! The source code reveals to the defence establishment the algorithm underlying the encryption system and constitutes the developer's trade secret. It is inconceivable that it would otherwise be disclosed. The Code Order does not per se require the disclosure and it is merely a requirement of the executive agency. In the absence of express power to require the source code, the legality of the requirement is unclear and there is a basis to argue that it is inconsistent with the provisions of the Basic Law: Human Dignity and Liberty, which prohibits the infringement of a person's property. One way or another, in view of the duty to furnish the source code, it is not surprising that Israeli software companies that wish to export encryption commodities frequently suspect that the means developed by them have a secret "back door" that enables the Israeli military to penetrate them.

In praise of the defence establishment it can be said that it is aware of the need to change the Code Order. It began the process of change about a year and a half ago with the amendment to the Order and is continuing it with the publication of new policy on the export of encryption commodities. The change is very slow and being made step by step. The new export policy emphasises that the provisions of the Order are not being altered. Nevertheless, in principle, an export licence will now be awarded for the export of encryption commodities to non-governmental entities without any limitation as to the length of the encryption key (i.e. as to their power). This policy is in fact very surprising. If encryption commodities can be exported without restraint, why can they not be used for legitimate purposes without restraint? Indeed, this is a material obstacle to the liberalisation of this sphere in Israel. Companies with commercial interests are promoting it with hardly a murmur from the protection of privacy lobby. The result is a serious discrepancy between the statutory duty to keep information secure and the ability to use the basic means of security - encryption.

Translated by Word Power