The Unreasonableness of The Israeli Encryption Order (Third Part)

Secrets have special standing in Israeli law. As the Supreme Court has stated: "There are those who view the trade secret as property... and others view it as 'quasi-property' or a proprietary interest... Nevertheless, it would appear that everyone accepts that the trade secret does 'exist' in law and that the law provides means to protect against its exploitation without the agreement of the person entitled to it" (HCJ 1683/93, Yavin Plast Ltd v. The National Labour Court). It is therefore not surprising that there are more than 100 provisions of Israeli statute law that require the maintenance of secrecy. The reasons for requiring secrecy are based on the nature of the information that the law seeks to protect:

  • information concerning individual, intimate life - for example, section 3 of the Detection of the Aids Virus in Minors Law provides that "a person acting pursuant to this Law owes the minor a duty of secrecy in all respects relating to the test to detect the aids virus in the minor; should a person obtain information or documents under this Law, he shall not make use of them or disclose them to another except for the purpose of delivering notification to a welfare officer, if the conditions for the delivery thereof have been fulfilled, whilst protecting the minor's privacy". Other provisions deal with confidentiality in the context of adoption, kidnapping and health;
  • economic information - for example the Commercial Wrongs Law, 5759-1999 provides in section 6 that "a person shall not misappropriate another person's trade secret";
  • state security and national information - for example, the Sources of Energy Law, 5750-1989 imposes a duty to keep information secret.

Privacy As A Constitutional Right

Another reason for the legal requirement of secrecy is to protect the source of the information:

  • the duty of confidentiality owed by lawyers, doctors and psychologists is embodied in statute;
  • other positions also necessitate the maintenance of confidentiality. For example, a conciliator owes a duty of confidentiality in respect of the information that he has received from the parties who refer their case to him by virtue of the Courts (Conciliation) Regulations, 5753-1993; and the Central Bureau of Statistics must keep secret the information acquired by it as the basis for its reports.
  • There are also certain statutes that provide that the unlawful disclosure of information is a criminal offence. A clear example is the Computers Law, 5755-1995 in relation to computer hacking.

    The statutory provisions reach their climax in the Basic Law: Human Dignity and Liberty, which raises the protection of property (and with it, according to those who maintain that secrets are property, the protection of secrets) to the level of a constitutional right. At the same time, the Law also lays down that privacy is a constitutional right, section 7 providing that "every person is entitled to privacy and to the confidentiality of his life" and that "the confidentiality of a person's conversations, writings and records shall not be infringed".

A Duty Without The Power To Fulfil It

The law does not content itself with this. The Protection of Privacy Law, 5741-1981 makes the owners, keepers and managers of databases liable for the security of the information in them. "Information security" is defined in section 7 as "protecting the information's integrity or protecting the information against disclosure, use or copying without lawful authority". The Protection of Privacy (Conditions for the Keeping and Safeguarding of Information and Arrangements for the Transmission of Information Between Public Entities) Regulations, 5746-1986 detail the tasks to be done in order to secure information. Analysing them shows that the objective of information security is inter alia the protection of the information's confidentiality, integrity, availability and verity.

These objectives are exactly what encryption is designed to achieve. From Adv. Jonathan Bar-Sadeh's book, The Internet & the Law of On-Line Commerce (Perlstein-Ginossar, 1998), it can be seen that in addition to these four objectives, encryption achieves another purpose - it safeguards and attests to the information's ownership. Encryption is therefore a prime tool for fulfilling the legal liability of database owners and managers for the security of the information kept in their databases. It is also the ideal tool for someone seeking to exercise his constitutional right to protect the confidentiality of his conversations and writings, or to fulfil his legal duty to keep the information in his possession confidential. However, Israeli law is conspicuously asymmetrical: whilst the law lays down the rights and duties, to a large extent it denies the actual ability to protect or fulfil them in the best way by prohibiting the use of encryption without a licence from the Director-General of the Ministry of Defence. The encryption commodities that can be used are those that have been licensed or declared "free" - that is to say that their secrets are open to the Government authority. First and foremost, privacy requires protection against the authority. It is difficult to conceive of a more conspicuous discrepancy than exists between the imposition of the duty on the one hand and the denial of the power to take the most elementary steps to fulfil it on the other hand.

Encryption And Terror

It is also difficult to understand why the defence authorities need to permit the use of encryption for purposes like protecting the medical records of hospital patients, safeguarding commercial and business information etc. If the Ministry of Defence were to be asked its position, it would argue that it is seeking to guard against the concealment of illegal information, like plans for the commission of terrorist action. Although the perpetrators of the terrorist attack on Twin Towers in New York reportedly exchanged coded messages by e-mail, someone planning to commit a terrorist attack is not going to be deterred from using encryption merely because the use is controlled. The argument is therefore a feeble one.

In October 1998, the European Union's directive on the protection of individuals with regard to the processing of personal data and the movement of such data became effective. The directive requires the members of the European Union to adapt their protection of privacy law to its provisions. Amongst other things, it prohibits the transfer of information to countries that do not take adequate measures to protect the information. One of the criteria laid down by the directive for examining the protection of information is the rules of law in the country of destination. The European Union has long been in negotiations with the USA in this context and it is currently not considering the statutory arrangements existing in other countries. If and when it does consider the position in Israel, it will presumably also have regard to encryption law. As we have shown above, Israel's encryption law is no longer consistent with modern principles for the protection of information in computer systems.

Conclusion

The Code Order is making hundreds of thousands of people offenders since they use encryption (cellular phones or computer programs) without obtaining an appropriate licence. Since this is the scale of infringement, the Order is unenforceable. It is archaic law that is no longer consistent with constitutional rights of property and privacy. It is inconsistent with the duty resting with the owners, managers and keepers of databases for the security of the information held by them. It grants power to the military in connection with clearly civil uses of encryption that are of no interest to the military. It puts Israel at risk of a European boycott with regard to information-sharing. It is inconsistent with the modern western approach on the export of encryption and is unclear in relation to key issues of modern encryption, like the use of encryption for identification purposes (digital signatures). As such, the Code Order is unreasonable. There is reason to believe that some of its provisions - especially those that prohibit the use of encryption without a licence - are so extremely unreasonable as to make it possible to claim their annulment. The most obvious candidates to raise such claims are the companies that deal in encryption commodities but they prefer to avoid controversy with the licensing authorities. This places the responsibility to act on those concerned with the protection of privacy in Israel, headed by the Council for the Protection of Privacy and the Registrar of Databases.

Translated by Word Power