Abstract: With active debate in the United States and Western Europe about how governments should deal with the challenges of powerful, commercially available encryption, it is instructive to examine how Israel has been regulating encryption for decades.
Recent terrorist attacks have rekindled debate about the limits of surveillance and how governments should deal with the challenges of powerful, commercially available encryption.
Israel is an interesting case study in this field because successful high-tech encryption and cyber entrepreneurism flourish amidst perpetual internal and external national security threats and extensive surveillance needs. For perspective, Israel’s population comprises less than 0.11% of the world’s population, yet Israeli companies are estimated to have sold 10% ($6 billion out of $60 billion) of global encryption and cyber technologies in 2014. Domestically, this figure surpassed the aggregate value of defense contracts signed by Israel’s government last year.
Israel also merits attention because it goes significantly further than required by the international agreement regulating encryption-capable products. The Wassenaar Arrangement, which similarly regulates intrusion software and surveillance technologies (as discussed in this Unfolding post), is limited to the creation of export controls for such goods and technologies. Israel has adopted a much farther-reaching regulatory system that effectively governs all forms of encrypted software and hardware, regardless of export. At the same time, the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel’s system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration.
Israel’s Encryption Licensing System
Israeli law empowers certain government ministers to enact subsidiary legislation for regulating certain designated products and services. On the basis of this broad authority, in 1974, the Israeli Minister of Defense imposed control over all forms of “Engagement in Encryption” and created Israel’s encryption-control licensing regime.
According to the relevant encryption order, controlled “Engagement in Encryption” is a broad category that includes “the development, production, modification, integration, purchase, use, possession, transfer, handling from one location to another or from one person to another, import, distribution, sale or negotiations to export or export of encryption items.”
In practical operation, companies submit license applications for engagement in encryption to the MOD’s specialized Encryption Control Department. The basic application includes details of the relevant product and its encryption interfaces and components as well as several other accompanying materials.
In response to application requests, the MOD may issue a “General”, “Restricted”, or “Special” license or, alternatively, deny the request. Restricted Licenses are commonly issued and generally contain a set of standard restrictions and require quarterly reporting of export and sales data to the MOD. Standard restrictions include a ban on exports to Iran, Lebanon, Sudan, Syria, North Korea and Cuba, as well as a requirement to obtain specific MOD permission for all transfers of source-code and of other similar “knowhow” underlying the product. General Licenses are available for certain non-sensitive off-the-shelf commercial products. Finally, Special Licenses are issued in circumstances warranting more tailored licensing conditions and are required for any prospective export to Iraq, Libya or to areas governed by the Palestinian Authority.
Softening Factors – Legislative Exemptions and MOD Practice
Although it may appear that Israel maintains draconian controls over all forms and uses of encryption, which in today’s information society amounts to strict control over virtually all software and data, this is not actually the case in practice. These strict controls are subject to a variety of “softening factors”. For starters, a 1998 amendment to the relevant encryption order instituted a “Free Means” exemption, whereby certain products can be decontrolled by the MOD and become exempt from any further encryption controls. Other examples of license exemptions include a broad exception for the work of patent attorneys, exceptions relating to electronic signatures, and exemptions for downloads of online open-source encryption for personal uses. In addition, the Encryption Control Department staff is generally very sensitive to commercial needs and has a reputation for working efficiently and adopting a problem-solving approach to licensees and new applicants. Finally, to date, no known enforcement action has been brought against an individual or company for past violations of Israeli encryption control rules. And while discussions of bringing the first case against a violator are ongoing, the MOD decision to date has been to encourage compliance without resorting to aggressive enforcement tactics.
Despite the softening factors, it would appear—at least on its face—that the system works. Even without aggressive enforcement, IT companies generally choose to comply with the licensing system. In each of 2013 and 2014 approximately 4,000 licenses were issued. Licensees include thousands of companies, from small cyber startups to the world’s leading technology giants.
The patterns of behavior by both regulators and companies raise several questions. First, what does the MOD hope to accomplish with this system? Second, why exactly are compliance rates so high?
Encryption Control Objectives and Compliance
As to the MOD’s aim, the encryption licensing process facilitates information-exchange from the private sector and assists Israeli authorities in remaining continually apprised of encryption-related advancements. An approach that simply mandated all companies deposit encryption keys or create concealed access points would probably undermine this initial dialogue. In the MOD’s view, this cooperation is better encouraged through smooth licensing processes.
The high levels of compliance may be attributed in part to the generally accommodating nature of the encryption control system, as manifested by the lack of enforcement, ample license exemptions, and expeditious licensing processes. Put simply, MOD encourages compliance by minimizing reasons not to comply. However, an additional contributing element is the well-documented positive rapport between Israel’s private sector and government security establishment, a relationship fostered through Israeli history and sociocultural factors.
Overall, the MOD has implemented its encryption regulation regime in a manner that has encouraged compliance and cultivated private-sector engagement with government on matters related to information security.