Gill Nadel, Goldfarb Seligman, Israel
The Law Governing the Control of Commodities and Services (Order Regarding the Engagement in Encryption Items) – 1974 (Hereinafter: “Encryption Order”), regulates the engagement in encryption items while balancing individual and industry requirements with the necessity to have proper supervision of the distribution of encryption items; thus in order to prevent these items from reaching countries which are declared as supporting terrorist organizations; from reaching terrorist organizations and criminal entities; and preventing these items from being put to improper use.
According to the Encryption Order, anyone wishing to engage in encryption items must receive a license to do so from the Director-General of the Israel Ministry of Defense.
What is Encryption?
The Declaration Governing the Control of Commodities and Services (Engagement in Encryption Items) 1974 – which was amended in 1998 (Hereinafter: “The Declaration”), defines encryption as scrambling of data, entirely or in part, by modifying the data or how it is transferred, using mathematical equations or algorithms, whether by means of a key or not, and in such a way as to enable it to be used to recover the original data or a part thereof; as well as commonality of the encryption keys.
What is an Encryption Item?
The Declaration defines an encryption item as each of the following:
a. “Encryption Tool” – software or device, including a series, part or model thereof that cause or are intended to cause encryption or decryption, including whether or not the encryption or decryption are done by means of another device or software;
b. “Encryption Key” – data that are used in the encryption method for encrypting or decrypting, and which are subject to change;
c. “Encryption-Related Record” – any form of description, including an entry, drawing, photograph, recording on magnetic media or anything programmed in the memory of a computerized system or another electronic device, of an encryption tool, of an encryption method, of an encryption key, or a part thereof or of their attributes or of their performance capability, whether they exist or not;
d. “Encryption Method” – an approach, plan, equation or algorithm for encrypting or decrypting;
What is Engagement in Encryption Items which requires a License?
The Declaration defines “engagement in encryption items” through a broad range, which includes: the development, production, modification, conversion, shearing, improvement, adding or removing features from one encryption item following integration, purchase, use, possession, transfer, handling from one location to another or from one person to another, import, distribution, sale or negotiations to export in writing or unwritten, through all means of communications and regardless of its results; or export of encryption items, export of know-how and/or guidance and/or training which relates to engagement in encryption items, including an Israeli corporation that is controlled by someone who is not a resident of Israel.
In other words, contrary to the supervision of the export and marketing of other dual-use goods, when the goods include encryption components, and even if they are designated for the civilian industry, the supervision is also imposed on the development, production and even the possession and transfer of the product, and not only on import, export, sale and marketing.
On the other hand, the Israel Ministry of Defense’s declared policy distinguishes between personal use of an encryption item and other use:
– Civil “personal use” for the requirements of a certain individual (or company, organization, non-profit organization, etc.), without the transfer of the encryption item to another individual, does not require a license for Engagement in Encryption Items.
– Any other use[b/], such as development, distribution, sale and export, requires applying for a license for Engagement in Encryption Items. In addition, if the product or Encryption Items was purchased from a license holder for sale and distribution of Commercial Encryption Items, or the product or Encryption Item was “Downloaded” from the Internet for personal use for Data Security or Electronic Signature, the person is exempted from applying for a license for Engagement in Encryption Items.
Types of Engagement Licenses and “Free Means”
The Encryption Order defines three types of licenses for engagement in encryption items:
1. “Restricted License” – a license which imposes restrictions to forms of engagement in encryption items. The restrictions could be regarding the type of engagement permitted, and the type of sales permitted (restricting sales for only certain encryption items or destination countries).
2. “Special License”/ – a license for a certain form of engagement, usually relating to sales to clients which deviate from the restrictions imposed on a holder of a restricted license.
3. “General License”/ – a license for all forms of engagement in encryption items (excluding the modification and integration of encryption items which in effect create a new encryption item). The sale of encryption items under this license is free and is not required to be reported, and the license’s validity is not limited in time.
An individual requesting a license to engage in encryption items is obligated to apply to the Israel Ministry of Defense which will determine which type of license would be provided to the product, according to the specific circumstances of every application. It is important to note that the license refers to the product and not to the encryption components included in it. The integration of encryption components in another product without obtaining a new license is prohibited.
It is also important to note that a license for the export of a product does not include a license to export know-how and technology of an encryption item. If the case in question relates to the export of know-how and technology of an encryption item, it shall be explicitly stated.
It shall be affirmed that the regularization of engagement in encryption items supplements any other requirement under the law, including obtaining any permit or license under any other legislation.
What are the Sanctions for Violating the Order?
The Law Governing the Control of Commodities and Services – 1957, under which the Encryption Order was legislated, states, among others, that whomever acted on a matter which requires a license or permit, without obtaining a valid license or permit, or violated the terms of a license or permit provided to him, should be sentenced to three years in prison or receive a monetary fine; and if the offense is an aggravated offense, the individual should be sentenced to five years in prison or to a monetary fine.
In addition, the supervision law also imposes responsibility on an active manager, partner – excluding a restricted partner – or senior administrative employee who is responsible for that field of practice, if it was not proven that he was not aware of the performance of the offense, and that he took all reasonable measures to secure the withholding of this law; and on an employer or client if the offense was performed by an employee or an authorized individual during the course of his work, and if it was not proven that he was not aware of the performance of the offense, and that he took all reasonable measures to secure the withholding of the supervision law.
If the case in question relates to the marketing, export or transfer of a product with encryption components which is under the Defense Export Control Law – 2007, the sanctions determined under that law would also apply. The law states that an individual who markets and/or exports defense equipment without a license or violates the terms of the license provided to him, should be sentenced to three years in prison or receive a monetary fine of up to 6 million NIS; and if the case in question relates to an aggravated offense, such as the marketing or export of a security classified product, or marketing or export to the enemy, the individual should be sentenced to up to five years in prison or receive a monetary fine of up to 10 million NIS.
The authority is also authorized to impose civil fines and monetary sanctions of up to 1 million NIS as an alternative to criminal punishment, considering, among others, the violator’s good track record, and his behavior in amending the failures which led to the violation, or by him personally reporting the violation.