How Does Israel Regulate Encryption?
Recent terrorist attacks and resulting questions about the limits of surveillance have rekindled debate about how governments should deal with the challenges of powerful, commercially available encryption. With active debate in the United States and Western Europe surrounding this issue, it is instructive to note that Israel has been regulating encryption for decades.
Published by The Lawfare Institute
in Cooperation With
Recent terrorist attacks and resulting questions about the limits of surveillance have rekindled debate about how governments should deal with the challenges of powerful, commercially available encryption. With active debate in the United States and Western Europe surrounding this issue, it is instructive to note that Israel has been regulating encryption for decades.
Israel is an interesting case study in this field because its successful high-tech encryption and cyber entrepreneurism flourishes amidst perpetual internal and external national security threats and the extensive associated surveillance needs. For perspective, companies in Israel, a country comprising less than 0.11% of the world’s population, are estimated to have sold 10% ($6 billion out of $60 billion) of global encryption and cyber technologies for 2014. Domestically, this figure surpassed the aggregate value of defense contracts signed by Israel’s government last year.
Israel also merits attention because it goes significantly further than required by the international agreement regulating encryption-capable products. The Wassenar Arrangement, which similarly regulates intrusion software and surveillance technologies—discussed in this October New York Times article—is limited to the creation of export controls for such goods and technologies. Israel has adopted a much farther-reaching regulatory system that effectively governs all forms of “engagement in encryption,” a phrase examined below. At the same time, the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel’s system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber developments and position the government to engage effectively with the private sector when national security risks are identified.
Israel’s Encryption Licensing System
Israel’s 1957 Control of Commodities and Services Law, 5717-1957 empowers government ministers to enact subsidiary legislation for regulating certain designated products and services. On the basis of this broad authority, in 1974, the Israeli Minister of Defense imposed control over all forms of “Engagement in Encryption” and created Israel’s encryption-control licensing regime. The regulations were amended in the 1990s and the MOD has since published several guidelines and policy statements to update anachronistic provisions.
According to the relevant encryption order, controlled “Engagement in Encryption” is a broad category that includes “the development, production, modification, integration, purchase, use, possession, transfer, handling from one location to another or from one person to another, import, distribution, sale or negotiations to export or export of encryption items.” The term “encryption” includes all forms of scrambling or unscrambling of any form of data or of its modes of transfer, regardless of whether an encryption key is used, whether the data can be recovered, or whether secondary tangible or intangible cryptographic devices are required. By design, these rules empower the MOD with expansive purview and discretion to assert control in appropriate circumstances.
In practical operation, companies submit license applications for engagement in encryption to the MOD’s specialized Encryption Control Department. The basic application includes details of the relevant product and its encryption interfaces and components. Product brochures and technical specification documents must generally be appended to applications and first-time applicants are required to present a signed declaration certifying their commitment to remain compliant with MOD encryption-control regulations. Requests for encryption-related exports must be accompanied by signed end-user certificates, even if other export licensing for the same product has already been obtained.
In response to application requests, the MOD may issue a “General”, “Restricted”, or “Special” license or, alternatively, deny the request. Restricted Licenses are commonly issued and generally contain a set of standard restrictions and require quarterly reporting of export and sales data to the MOD. Standard restrictions include a ban on exports to Iran, Lebanon, Sudan, Syria, North Korea and Cuba, as well as a requirement to obtain specific MOD permission for all transfers of source-code and of other similar “knowhow” underlying the encryption product. General Licenses are available for certain non-sensitive off-the-shelf commercial products. Finally, Special Licenses are issued in circumstances warranting more tailored licensing conditions and are required for any prospective export to Iraq, Libya or to areas governed by the Palestinian Authority.
Softening Factors – Legislative Exemptions and MOD Practice
Although it may appear that Israel maintains draconian controls over all forms and uses of encryption, which in today’s information society amounts to strict control over virtually all software and data, this is not actually the case in practice. These strict controls are subject to a variety of “softening factors,” such as license exemptions, lax enforcement for encryption-control misconduct, and—by most regulatory-bureaucracy standards—an accommodating, business-friendly MOD Encryption Control Department bureaucracy and staff.
For starters, a 1998 amendment to the relevant encryption order instituted a “Free Means” exemption, whereby products can be decontrolled by the MOD and become exempt from any further encryption controls. While obtaining “Free Means” status can be challenging, nearly 11,000 products have been so designated to date. Additionally, the MOD has established an “Internal Use” rule allowing an individual person or organization to encrypt data for personal or intra-company purposes without obtaining encryption licenses. Other examples of license exemptions include a broad exception for the work of patent attorneys, exceptions relating to electronic signatures, and exemptions for downloads of online open-source encryption for personal uses.
The Encryption Control Department staff is typically sensitive to commercial needs and have a general reputation for working efficiently and adopting a problem-solving approach to licensees and new applicants. The MOD’s average licensing times in 2014 consisted of an average processing period of less than eight days per request, according to MOD statistics.
In addition, to date, no known enforcement action has been brought against an individual or company for violations of Israeli encryption control rules. And although regulatory violations of encryption controls constitute criminal misconduct, there have been no known investigations or prosecutions. Furthermore, when applying for licenses, the current practice of the MOD’s Encryption Control Department is to refrain from assessing past performance, preferring instead to incentivize approaching the MOD and working collaboratively towards compliance.
Of course, and as explained below, this is likely only part of the story. The Israeli government has other levers of control and the government may negotiate secret arrangements with companies. On its face, Israel has created a system that appears to assert tough controls on a broad range of software and technology providers but, in reality, offers a variety of licensing exemptions, eschews direct enforcement, and adopts an overall approach that seeks to encourage compliance and facilitate private sector and government collaboration.
So, why does a government agency with an apparently broad and powerful regulatory regime to wield, elect not to assert its authority and, to the contrary, to adopt an approach of lax enforcement and lenient licensing?
Features or Bugs of the System?
The rationale behind the MOD’s ostensibly lenient approach is a matter for debate. Critics might argue that Israel’s encryption regime simply lacks teeth and is founded upon anachronistic and untenable legislation. Therefore, the lack of enforcement, they would argue, stems from scarcity of institutional resources for investigations and for enforcement of its rules, or it reflects the MOD’s resignation to the futility of attempting to oversee and control the mass proliferation of intangible encryption technologies.
An alternative explanation for the lenient licensing processes is that the MOD fears litigation—and the corresponding public disclosures and judicial scrutiny of its own activities. Were the MOD to issue overly strict license-conditions or to deny a reasonable license request, it could find itself embroiled in administrative hearings, the jurisdiction of which for purposes of the relevant encryption legislation rests with the Israeli Supreme Court sitting as the High Court of Justice. Likewise, a decision to enforce MOD rules would involve criminal proceedings. And to pass constitutional muster in either an administrative or criminal legal proceeding, the MOD would almost certainly be required, for the first time, to articulate its view as to the objectives and effectiveness of its encryption control regime and to show that no more lenient alternatives exist to accomplish similar ends.
Whatever the underlying animating principal, it would appear—at least on its face—that the system works. Despite the lack of aggressive enforcement, IT companies generally choose to comply with the licensing system. Each year thousands of licenses are issued to companies of all types. In each of 2013 and 2014 approximately 4,000 licenses were issued. Licensees include small cyber companies as well as leading technology giants such as IBM, Huawei, Cisco, HP, Motorola, Samsung, Apple, Microsoft, Fortinet, Symantec, Adobe, Sony, Nokia, Hitachi, VMware – and many hundreds more. Those numbers and names would indicate that, notwithstanding the lack of a developed enforcement component, private sector compliance remains quite consistent.
The patterns of behavior by both regulators and companies raise questions. First, what does the MOD hope to accomplish with this system? And second, why, exactly, are compliance rates are so high?
Encryption Control Objectives and Compliance
Through Israel’s encryption control system, the MOD facilitates information-exchange from the private sector and assists Israeli authorities in remaining continually apprised of encryption-related advancements. An approach that simply mandated all companies deposit encryption keys or create concealed access points would probably undermine this initial dialogue. In the MOD’s view, this cooperation is better encouraged through smooth licensing processes.
Indeed, for the majority of technologies, the Encryption Control Department’s basic licensing process is quite straightforward and quickly alleviates national security concerns, thereby allowing the MOD to issue unrestrictive, commercial-friendly encryption licenses. In those cases where concerns do arise, either within the MOD or other government authorities, the government can engage applicants in discussions regarding how best to mitigate national security risks while preserving the applicant’s business interests.
This process can result in any number of solutions, from negotiated access points to commitments by the developers to modify technology to address concerns. In less dramatic cases, agreements might be reached to allow MOD approval of potential customers or to restrict sales to certain classes of end-users based on geography, industry, and other factors. These processes of negotiation are not formally part of the MOD’s encryption control licensing regime and would only become necessary if red flags arise during the formal licensing stages or where threatening technologies are proactively identified by Israeli authorities. Unsurprisingly, there is no publicly available information regarding these highly confidential discussions. And there is no guarantee this dialogue can resolve the hardest cases, especially if owners of powerful encryption refuse to accommodate the MOD. To date, however, neither indigenous industry nor foreign companies with sales in Israel have generated any form of public pushback or outcry against the Israeli government licensing scheme.
This positive rapport between Israel’s private sector and government and the private sector’s broad compliance with encryption controls—at least, so far as we know—may be attributed in part to the generally accommodating nature of the encryption control system, as manifested by the lack of enforcement, ample license exemptions, and expeditious licensing processes. Put simply, MOD encourages compliance by minimizing reasons not to comply. But beyond a mutually-beneficial bureaucracy, there are sociocultural factors unique to Israel fostering this relationship. Indeed, the unusually close relations between Israeli entrepreneurs and the country’s defense and intelligence establishment are well documented.
At least with respect to local industry, some of this relationship stems from the fact that many high-tech innovators began their careers in Israeli military intelligence, and they continue to support former units as reservists. Israel’s small population and mandatory conscription policy further supports the reciprocal relationship between Israeli civilian business and its defense establishment. The Israel Defense Forces are also known to actively support their veteran’s economic success following discharge; one especially strong demonstration being the active decision by the military to not defend its intellectual property rights in inventions produced by retired soldiers, as criticized by Israel’s Comptroller in a recent 2014 report (in Hebrew). These factors facilitate an encryption regime that operates less out of tough enforcement and more through dialogue and mutual assistance between private tech companies and government national security entities.
Overall, the MOD’s regulatory practices encourage private-sector engagement with government on matters related to information security. This engagement helps ensure that the MOD is continually updated regarding encryption developments and, when necessary, serves to initiate collaboration in managing specific encryption-related challenges.