On 16th September 1999 the Clinton Administration announced a new, far more lenient export policy in respect of encryption commodities. After years during which the American security agencies had claimed that the free export of means of encryption would endanger national security and had required encryption programs to leave a "back door" through which they could access the hidden information, the new policy can be viewed as a real revolution.

The changes brought about by the Internet in the character of encryption, its use and prevalence have forced the hand of the Washington Administration. From something designed for military organisations, encryption tools have come to have clearly civil purposes: the security of data en route from the browser of the surfer in the on-line shop to the shop's servers; the security of information on e-commerce servers that store customer and credit card details; the encryption of information on private virtual networks that link separate offices by means of the Internet as though they were located next door to each other - these are all routine, clearly civil applications of encryption technology. Alongside these uses, the Administration has decided to change its policy owing to the availability of free encryption commodities on the Internet; the liberal export policy of some of the countries that develop such commodities; pressure from the information industry in the USA, which has felt that its hands have been tied in the battle to acquire new markets; the position of privacy protection organisations; and, no less important, a novel precedent set by one of the USA's higher federal courts and attempts in Congress at legislation aimed at making Washington's rigid licensing policy more lenient.

Three principles underlie the new encryption policy: technical examination of encryption commodities before they are sold; a simple reporting system after their export; and control over their export to governments (as opposed to private users). On 14th January 2000, the US Department of Commerce published an official amendment to the Export Administration Regulations, which was basically welcomed by the American information industry. In a nutshell, the modifications introduced are -

  • In encryption, the length of the key expresses the strength of the tool. The export of means of encryption whose key length was up to 40 bits was formerly permitted without restraint, whilst the export of means with keys more than 56 bits long was permitted subject to restraints. The new Regulations permit the sale of encryption products to companies, individuals and non-governmental organisations without limiting the key length and without first needing to obtain an export licence.
  • Commercial encryption products that are easily available on the open market can henceforth also be exported to governments.
  • The export of the source code of commercial means of encryption and of tools used for the development of encryption programs has been permitted.
  • The restraints relating to the distribution to individuals of commercial encryption products over the Internet, including their source code, have been removed.
  • The restraints have been left in force in respect of the export of encryption commodities to seven states that support terror - Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

Dramatic expression of the change in the Administration's export policy can be found in Network Associates' announcement of 13th December last year that it had been permitted to export the PGP encryption program without limitation to almost every country in the world. PGP, the initials for "pretty good privacy", is one of the strongest encryption programs that exist. It is used for the security of information on computers and the encryption of messages sent by e-mail. The original developer, Philip Zimmermann, conducted protracted legal proceedings against the Administration with regard to the restraints imposed over the program that he had developed. PGP therefore became a symbol of the struggle for encryption freedom and the safeguarding of privacy.

The Administration in Washington has not eased encryption policy merely because it has come to understand that it required change. Alongside pressure from the relevant industries, two important developments helped the US Department of Commerce realise what was required by the changing times -

  • On 6th May 1999 a federal appeal court held that the regulations limiting the export of encryption commodities were contrary to the First Amendment, which guarantees freedom of expression. The claim of Prof. Daniel Bernstein, who had developed an encryption program and petitioned against the restraints, was allowed. Although the decision was based on the First Amendment, the court also held that because of the growing need to safeguard privacy, the restraints might also be illegal in view of the Fourth Amendment. A few months later the decision was set aside and the court decided to re-hear the issue. Nevertheless, the judgment had presumably already managed to leave an impression on the Administration, especially since it had upheld the ruling of an inferior instance.
  • At the same time, the enactment of the Security and Freedom Through Encryption Act, promoted by the Republican, Robert Goodlatte, was proceeding in the House of Representatives. The Act was aimed at removing the export restraints more sweepingly than ultimately done by the Administration.

The revolutionary changes in the USA put Israeli encryption law in an unfavourable light. Whilst the basic controversy in the USA has revolved around the export of encryption commodities, Israeli law prohibits the use of such commodities even by the State's own nationals. Whilst the Protection of Privacy Law places the owners of databases under a duty to secure the information kept in them, the Encryption Order greatly limits the use of the basic means to safeguard the information - encryption. To this must be added the restraints imposed by the law on the very development of encryption commodities (not merely their sale). The overall result is law in respect of which there is basis to argue that parts clearly exceed what is reasonable or are contrary to the basic principles of freedom of occupation. They are therefore open to judicial review and annulment.

Alongside its traditional military and defence applications, encryption is used in modern communications to encode cellular phone calls; for the security of information sent from Internet browsers to e-commerce sites; the protection of intellectual property in computer files; the management of virtual networks that link remote sites by the Internet; the verification of contracting parties' identities; the security of computer data; etc., etc. In practice, the Internet is inconceivable without encoding and encryption but, nevertheless, the development, production, export and use of encryption commodities are subject to anachronistic law that makes hundreds and thousands of people into involuntary offenders and precludes the free use of encryption for the security of information on computer systems. This is just because encryption can also be used for illegitimate purposes. It is like outlawing the manufacture of knives because they can be used to harm people.

Encryption is controlled in Israel by the Control of Commodities and Services (Engagement in Means of Encryption) Order, 5735-1974, which is known as the Code Order. It is accompanied by the Means of Encryption Control Declaration of the same year, which provided that means of encryption were a controlled service. The Order and Declaration were issued by virtue of the Control of Commodities and Services Law, 5718-1957, and whoever contravenes their provisions therefore commits a criminal offence that carries with it up to three years' imprisonment. The power of control has been vested in the Director-General of the Ministry of Defence since 1998 (the previous person responsible being a professional officer of the IDF's chief communications and electronics command) and the Director-General has empowered the Director of Defence Exports to deal with encryption licensing procedures.

Whilst most law in the western world concentrates on the export of encryption commodities, the Code Order also prohibits their development, production, export, purchase and sale - and even their use - without a licence from the Director-General of the Ministry of Defence. He may issue one of three types of licence: a general licence that applies to all uses of encryption commodities; a limited licence that is valid for only one year and merely applies to types of engagement in means of encryption, a certain means of encryption or particular countries, depending on the type of user or other criteria; and a special licence for a specific engagement, including a particular transaction, in certain means of encryption. "Free means" are ones in respect of which the Director has of his own initiative awarded a general licence or published that its use is "free", i.e. exempt from the duty to obtain a licence.

For a person to lawfully purchase and use means of encryption, he must ensure that one of the following applies:

  • either a licence has been granted to sell or transfer them to that person. This essentially applies to means that have been developed in Israel by local companies that naturally comply with the provisions of the Code Order. It is doubtful whether it can apply to encryption commodities that have been developed abroad (for example those embedded in Windows NT and 2000) and it is certainly not applicable when the seller is a foreign company and the commodity is sold over the Internet; or
  • the commodity has been declared "free means". To date three schedules of such means have been published in the Official Gazette. More than anything, they indicate a very strict interpretation of the Code Order, according to which Zip file compression programs are means of encryption (only a very small proportion of these programs has been authorised even though a file compressed by any of them can be decompressed by any other); Internet browsers are also means of encryption (the use of only the most common being authorised) as are certain models of cellular phone (what about the rest?). Moreover, presumably "free means" are ones that the defence establishment knows how to crack, the use of which is therefore not sufficiently secure. Ultimately, it is perfectly clear that the pace at which means are declared "free" cannot keep up with the wealth of programs and tools that include encryption commodities as an integral part of them.

The overall result is that a substantial proportion of people who purchase encryption commodities for legitimate uses, like information security, need to apply for a licence to do so.

On the other hand, a person wishing to engage in encryption needs to obtain a licence when he starts work. This is a grave restraint of the freedom of occupation that is protected by a Basic Law, which provides that all government authorities must respect the citizen's freedom of occupation. In view of the fact that the restraint with regard to the development and manufacture of encryption commodities does not distinguish between different types of commodity, their strength and intended use, there is prima facie basis to challenge it on the ground that it is not directed towards a proper purpose or that it exceeds what is necessary. However, provisions of an enactment that would have been valid but for the Basic Law: Freedom of Occupation, will remain in effect for a further two years. Until then, prima facie, they can only be interpreted within the spirit of the Basic Law.

The licensing procedures in respect of encryption commodities that have already been developed are even more problematic. The applicant has to submit to the Director of Defence Exports a working version of the program and ancillary material and documentation, together with the program source codes! The source codes reveal to the defence establishment the algorithm underlying the encryption system and they constitute the developer's trade secret. It is inconceivable that they would otherwise be disclosed. The Code Order does not per se require the disclosure and it is merely a requirement of the executive agency. In the absence of express power to require the source codes, the legality of the requirement is unclear and there is basis to argue that it is inconsistent with the provisions of the Basic Law: Human Dignity and Liberty, which prohibits the infringement of a person's property. One way or another, in view of the duty to furnish the source codes, it is not surprising that Israeli software companies that wish to export encryption commodities frequently suspect that the means developed by them have a secret "back door" that enables the Israeli military to penetrate them.

In praise of the defence establishment it can be said that it is aware of the need to change the Code Order. It began the process of change about a year and a half ago with the amendment to the Order and is continuing it with the publication of new policy on the export of encryption commodities. The change is very slow and being made step by step. The new export policy emphasises that the provisions of the Order are not being altered. Nevertheless, in principle, an export licence will now be awarded for the export of encryption commodities to non-governmental entities without any limitation as to the length of the encryption key (i.e. as to their power). This policy is in fact very surprising. If encryption commodities can be exported without restraint, why can they not be used for legitimate purposes without restraint? Indeed, this is a material obstacle to the liberalisation of this sphere in Israel. Companies with commercial interests are promoting it with hardly a murmur from the protection of privacy lobby. The result is a serious discrepancy between the statutory duty to keep information secure and the ability to use the basic means of security - encryption.

Secrets have special standing in Israeli law. As the Supreme Court has stated: "There are those who view the trade secret as property... and others view it as 'quasi-property' or a proprietary interest... Nevertheless, it would appear that everyone accepts that the trade secret does 'exist' in law and that the law provides means to protect against its exploitation without the agreement of the person entitled to it" (HCJ 1683/93, Yavin Plast Ltd v. The National Labour Court). It is therefore not surprising that there are more than 100 provisions of Israeli statute law that require the maintenance of secrecy. The reasons for requiring secrecy are based on the nature of the information that the law seeks to protect:

  • information concerning individual, intimate life - for example, section 3 of the Detection of the Aids Virus in Minors Law provides that "a person acting pursuant to this Law owes the minor a duty of secrecy in all respects relating to the test to detect the aids virus in the minor; should a person obtain information or documents under this Law, he shall not make use of them or disclose them to another except for the purpose of delivering notification to a welfare officer, if the conditions for the delivery thereof have been fulfilled, whilst protecting the minor's privacy". Other provisions deal with confidentiality in the context of adoption, kidnapping and health;
  • economic information - for example the Commercial Wrongs Law, 5759-1999 provides in section 6 that "a person shall not misappropriate another person's trade secret";
  • state security and national information - for example, the Sources of Energy Law, 5750-1989 imposes a duty to keep information secret.

Privacy As A Constitutional Right

Another reason for the legal requirement of secrecy is to protect the source of the information:

  • the duty of confidentiality owed by lawyers, doctors and psychologists is embodied in statute;
  • other positions also necessitate the maintenance of confidentiality. For example, a conciliator owes a duty of confidentiality in respect of the information that he has received from the parties who refer their case to him by virtue of the Courts (Conciliation) Regulations, 5753-1993; and the Central Bureau of Statistics must keep secret the information acquired by it as the basis for its reports.

There are also certain statutes that provide that the unlawful disclosure of information is a criminal offence. A clear example is the Computers Law, 5755-1995 in relation to computer hacking.

The statutory provisions reach their climax in the Basic Law: Human Dignity and Liberty, which raises the protection of property (and with it, according to those who maintain that secrets are property, the protection of secrets) to the level of a constitutional right. At the same time, the Law also lays down that privacy is a constitutional right, section 7 providing that "every person is entitled to privacy and to the confidentiality of his life" and that "the confidentiality of a person's conversations, writings and records shall not be infringed".

A Duty Without The Power To Fulfil It

The law does not content itself with this. The Protection of Privacy Law, 5741-1981 makes the owners, keepers and managers of databases liable for the security of the information in them. "Information security" is defined in section 7 as "protecting the information's integrity or protecting the information against disclosure, use or copying without lawful authority". The Protection of Privacy (Conditions for the Keeping and Safeguarding of Information and Arrangements for the Transmission of Information Between Public Entities) Regulations, 5746-1986 detail the tasks to be done in order to secure information. Analysing them shows that the objective of information security is inter alia the protection of the information's confidentiality, integrity, availability and verity.

These objectives are exactly what encryption is designed to achieve. From Adv. Jonathan Bar-Sadeh's book, The Internet & the Law of On-Line Commerce (Perlstein-Ginossar, 1998), it can be seen that in addition to these four objectives, encryption achieves another purpose - it safeguards and attests to the information's ownership. Encryption is therefore a prime tool for fulfilling the legal liability of database owners and managers for the security of the information kept in their databases. It is also the ideal tool for someone seeking to exercise his constitutional right to protect the confidentiality of his conversations and writings, or to fulfil his legal duty to keep the information in his possession confidential. However, Israeli law is conspicuously asymmetrical: whilst the law lays down the rights and duties, to a large extent it denies the actual ability to protect or fulfil them in the best way by prohibiting the use of encryption without a licence from the Director-General of the Ministry of Defence. The encryption commodities that can be used are those that have been licensed or declared "free" - that is to say that their secrets are open to the Government authority. First and foremost, privacy requires protection against the authority. It is difficult to conceive of a more conspicuous discrepancy than exists between the imposition of the duty on the one hand and the denial of the power to take the most elementary steps to fulfil it on the other hand.

Encryption And Terror

It is also difficult to understand why the defence authorities need to permit the use of encryption for purposes like protecting the medical records of hospital patients, safeguarding commercial and business information etc. If the Ministry of Defence were to be asked its position, it would argue that it is seeking to guard against the concealment of illegal information, like plans for the commission of terrorist action. Although the perpetrators of the terrorist attack on the Twin Towers in New York reportedly exchanged coded messages by e-mail, someone planning to commit a terrorist attack is not going to be deterred from using encryption merely because the use is controlled. The argument is therefore a feeble one.

In October 1998, the European Union's directive on the protection of individuals with regard to the processing of personal data and the movement of such data became effective. The directive requires the members of the European Union to adapt their protection of privacy law to its provisions. Amongst other things, it prohibits the transfer of information to countries that do not take adequate measures to protect the information. One of the criteria laid down by the directive for examining the protection of information is the rules of law in the country of destination. The European Union has long been in negotiations with the USA in this context and it is currently not considering the statutory arrangements existing in other countries. If and when it does consider the position in Israel, it will presumably also have regard to encryption law. As we have shown above, Israel's encryption law is no longer consistent with modern principles for the protection of information in computer systems.

Conclusion

The Code Order is making hundreds of thousands of people offenders since they use encryption (cellular phones or computer programs) without obtaining an appropriate licence. Since this is the scale of infringement, the Order is unenforceable. It is archaic law that is no longer consistent with constitutional rights of property and privacy. It is inconsistent with the duty resting with the owners, managers and keepers of databases for the security of the information held by them. It grants power to the military in connection with clearly civil uses of encryption that are of no interest to the military. It puts Israel at risk of a European boycott with regard to information-sharing. It is inconsistent with the modern western approach on the export of encryption and is unclear in relation to key issues of modern encryption, like the use of encryption for identification purposes (digital signatures). As such, the Code Order is unreasonable. There is reason to believe that some of its provisions - especially those that prohibit the use of encryption without a licence - are so extremely unreasonable as to make it possible to claim their annulment. The most obvious candidates to raise such claims are the companies that deal in encryption commodities but they prefer to avoid controversy with the licensing authorities. This places the responsibility to act on those concerned with the protection of privacy in Israel, headed by the Council for the Protection of Privacy and the Registrar of Databases.

First published in February 2000
