Privacy By Design [2014] : Plan Your Apps

Written By: Jonathan under Categories: privacy. It has 0 Comments and it was posted on May 27, 2014

[Based on my WordCamp 2014 Presentation, Prezi here]

Take a look at this video about Woosh Water’s project. Woosh provides an amazing service, in which the ordinary municipal water fountains were replaced by hi-tech fountains, providing clean water for residents, with a better user experience and less of the dirt and homelessness associated with water fountains. At first glance, their project seems amazing. However, when you inspect the service in depth, some things change.

In order to provide their service, Woosh requires that you register and receive a wireless token. When you use Woosh’s services, your location data is stored, as well as your usage. Then you realize that in order to drink purified tap water you have to sign a ten-page agreement. This constitutes quite a problem. Moreover, reading Woosh’s agreement with the municipality of Tel-Aviv, one can deduce that Woosh’s privacy policy did not adhere to the agreement, as it requires Woosh to share your location data with the municipality.

But it’s not just water, you know. When people interact, either online or offline, they leave crumbs of information. For example, the Israeli Transit Card, “Rav Kav”, allows you to purchase bus passes. However, in order to do so, it shares quite a lot of information with the transit operators, some of which is not really required. For example, it is not certain that the data is erased after use, and there’s really no need for the bus operators to retain your photos or travel history. The same goes for your location data from the cellular operators. While the cellular operator needs your current location to serve your calls, it does not need to retain a history of your data. However, once it retains this information, others may use it. For example, the Israeli startup “Trendit” receives information from cellular providers to estimate the number of people in a specific venue.

We call this information “Residual Data”.

Now, when you develop an application, you’re eager to store as much information as possible. Who knows what you may need it for in the future? This is based on two wrong assumptions. The first is that people will not misuse the information; we don’t really have to look far for the numerous obvious examples of police misuse of information. The second wrong assumption is that statistical and anonymous information, if gathered, is harmless. Re-identifying anonymous information becomes easier with the growing power of computing.

For me, the problem begins when you retain information: you want people to access the information you retain (if you’re a social network, for example), and you can’t really protect stored information that should always be available. A good example is Yoav Even’s review of how generally available Israeli medical histories are. Mr. Even called in order to receive the medical information of one of his friends. In order to have the information faxed to his offices, all he had to do was give the friend’s ID number (which is generally available after the Israeli census leak). However, you usually only start to think about privacy when the personal information leaks.

My claim is that privacy is not a nuisance that you can nag off with a privacy policy or by encrypting information or adding an additional firewall. Privacy is a major concern you have to add to your application when you design it. Here goes “Privacy By Design”: this means think first, act later.

Here is how I (usually) work when I help clients design their project: First, we ask whether we really need this information. This goes for every aspect; not just names and email addresses, but also information that is considered anonymous but may later be re-identified: things like browsing history, IP address or browser identification. Ask yourself why you need it, and whether you can replace it (either with a hash or with other information). For example, keeping your users’ email to contact them is great; but keeping their IP address for more than 14 days has no actual use.

Next, ask yourself if the end-user can store the information at the client’s end, and not on your server. A lot of times, using distributed storage may save costs for application developers, and may also limit a data breach. Quite a lot of information, where it is not needed for processing, may be saved at the client.

Then, once we have decided that this information is used, we ask ourselves what the benefits of retaining it are. For example, if we save a person’s purchase history in order to profile him and tailor advertisements, we might consider just storing the profile information or the categories of the purchased products.

Then, let’s ask ourselves what the cost of retaining the information is. The cost is divided into two groups: (a) the actual cost of saving the information; and (b) the cost of repairing a data breach. Meaning that we need to ask whether the benefit of storing a large amount of data is lower than the cost of repairing the breach where the personal information of X users is online (and see eBay’s latest scandal as an example).

So, what can you do? My recommendation is to plan privacy ahead. Think of your product as something that should not be “keep everything, analyze later” but more like “let’s only keep what we must, and dump the rest”. This will make the cost of a data breach lower, and will actually help you in the long run as being more privacy oriented.
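The questions above, applied at write time, as an added example (not code from the presentation). It keeps the email, stores a keyed hash in place of the IP address and drops it after 14 days, and reduces purchases to categories; it goes slightly beyond the text by showing why the replacement hash should be keyed. Field names, the sample events and the key handling are assumptions.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

IP_RETENTION = timedelta(days=14)               # the 14-day limit the post gives for IPs
KEPT_FIELDS = ("email", "category", "seen_at")  # assumed schema: the only raw fields stored


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of an IP address (the weak way to 'replace it with a hash')."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 of an IP address; the key lives outside the database."""
    return hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).hexdigest()


def recover_from_hash(digest: str, network: str, hash_fn):
    """Audit check: can a stored digest be matched by enumerating a known address range?

    Returns the matching address, or None when the digest does not fall to enumeration.
    """
    for candidate in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(hash_fn(str(candidate)), digest):
            return str(candidate)
    return None


def minimize_event(raw: dict, key: bytes) -> dict:
    """Question 1 and 3: store only what is needed, and a category instead of the product."""
    record = {field: raw[field] for field in KEPT_FIELDS}
    record["ip_pseudonym"] = keyed_hash(raw["ip"], key)
    return record


def purge_expired(records: list, now: datetime) -> list:
    """Drop the IP-derived value from every record older than the retention limit."""
    purged = []
    for record in records:
        record = dict(record)
        if now - record["seen_at"] > IP_RETENTION:
            record.pop("ip_pseudonym", None)
        purged.append(record)
    return purged


def category_profile(records: list) -> dict:
    """Collapse purchase history into per-user category counts (the 'profile')."""
    profile = {}
    for record in records:
        counts = profile.setdefault(record["email"], {})
        counts[record["category"]] = counts.get(record["category"], 0) + 1
    return profile


# Constructed sample input: addresses come from the 192.0.2.0/24 documentation range.
NOW = datetime(2014, 5, 27, tzinfo=timezone.utc)
RAW_EVENTS = [
    {"email": "alice@example.org", "ip": "192.0.2.77", "user_agent": "ExampleBrowser/1.0",
     "product_id": "SKU-1001", "category": "books", "seen_at": NOW - timedelta(days=30)},
    {"email": "alice@example.org", "ip": "192.0.2.77", "user_agent": "ExampleBrowser/1.0",
     "product_id": "SKU-1002", "category": "books", "seen_at": NOW - timedelta(days=3)},
    {"email": "alice@example.org", "ip": "192.0.2.80", "user_agent": "ExampleBrowser/1.0",
     "product_id": "SKU-2001", "category": "garden", "seen_at": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    key = b"demo-key-load-from-a-secret-store"  # placeholder key for the demo only
    stored = purge_expired([minimize_event(e, key) for e in RAW_EVENTS], NOW)
    for row in stored:
        print(row)
    print(category_profile(stored))
    print("unkeyed hash re-identified:",
          recover_from_hash(plain_hash("192.0.2.77"), "192.0.2.0/24", plain_hash))
    print("keyed hash re-identified:",
          recover_from_hash(keyed_hash("192.0.2.77", key), "192.0.2.0/24", plain_hash))
```

The keyed hash only helps while the key is kept away from the stored records; a breach that exposes both is equivalent to storing the unkeyed hash.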

Israeli Waze hit with GPL class action lawsuit: plaintiff requests source code.

Written By: Jonathan under Categories: copyleft. It has 3 Comments and it was posted on Mar 27, 2014

An interesting class action lawsuit has been brought in Israel against Waze, the Israeli navigation company which was acquired by Google last year. The class action raises an interesting question: according to the class action plaintiff, Mr. Roey Gorodish, Waze was first released as GPLv2 licensed software (which requires providing end-users with the original source code), and the data which Waze uses is based on a warranty to the Waze community to maintain it free. Such warranty was provided via freemap’s data (which Waze used), which chose to license it under the GPL, as well as under a proprietary license. Therefore, the plaintiff requests statutory damages and the release of Waze’s source code and map data.

[my assumptions here are based on the news article, not the claim itself, which has yet to be published]

The problem here is that the class action lawsuit stands on problematic pillars. The first is the request for statutory damages for copyright infringement, and the second is the request to avail all data through a class action suit.

The first pillar, for statutory damages, is quite problematic: Article 20 of the Israeli Class Action Suit Act states that no statutory damages shall be granted in a class action lawsuit. This was upheld by several court rulings (CA 1379-09 Peled v. All You Need, for example), and is quite consistent with the principle that class action lawsuits come to cure a specific action which would be unactionable otherwise. If each software developer is entitled to statutory damages, it would be quite efficient for him to sue. So, my prima facie assumption is that this part of the claim will be quashed in the preliminary stage.

The plaintiff’s other request is for a declaratory remedy, which states that he is entitled to both the source code and the map data. At first glance, it might be something nice to have (assuming that his claim that the GPL license applies here is correct). However, Waze actually claims that when moving from version 2.0 to 3.0 they completely re-wrote the code. This was actually done mostly due to Apple’s App Store licensing requirements, and is well documented (unless Waze deceived the community).

In order to prove that Waze still uses GPL licensed code, which requires the release of source code to the public, the plaintiff will have to first review the source code and find the appropriate equivalent in the GPL branch of the code. However, in order to get access to the code, he’ll have to first prove that there’s a reason for his suspicion.

Currently, I don’t think that there’s a shred of evidence showing this, so most likely this prong will also be rejected. Israeli courts have yet to allow full source code reviews in the discovery stage with no hard evidence. The closest case was a copyright infringement case where the look and feel of the software were similar (RCA 1068/12 Dan-El v. Snapir).

Therefore, I believe that this will be one hard case to snap.

PRISM? Come to Israel to study our surveillance state.

Written By: Jonathan under Categories: Cybercrime, Internet, security, State Secrets. It has 14 Comments and it was posted on Jun 10, 2013

It seems that those who were astonished, abhorred, enraged or outraged at finding out that the National Security Agency (NSA) tracked millions of United States citizens, and did so with the cooperation of numerous internet service providers, telecommunication companies and web-based hosting services, had not even bothered to read the news in the last decade and to see reports on unauthorized searches in computers and about the way that the law authorities act. We, as Israelis, can only be jealous of the public outrage at such authoritarian conduct, because, well, in Israel, the situation is quite a bit worse. The Israeli authorities took George Orwell’s book, Nineteen Eighty-Four, and made it into a master plan.

To us, as Israelis, the NSA’s authorities sound like a poor joke, because the NSA can only pray to get the legal and popular acceptance that the Israeli Police and other investigative authorities obtained. During the last decade, Israel enacted many surveillance laws that allowed unprecedented use of personal information for investigatory uses, and not just for the prevention of terror.

In 2007, the Israeli parliament enacted the Criminal Procedure (Enforcement Authorities – Metadata) Act. The act itself granted the police, as well as other investigative agencies, abhorrent authority to obtain widespread information about nationals, even without judicial review. The authorities could approach the telecommunication providers (ISPs, mobile operators and phone operators), pay a few Shekels, and obtain answers to queries, as long as such queries relate to specific crimes or investigations. For example, if a murder occurred in a specific street, the police could have approached the cellular providers and requested the subscribers who were in the street at a specific time.

In a similar manner, the police could approach an Internet service provider and request a list of subscribers who browsed a certain page, or inquire who was the subscriber who leaked anonymous information to a military correspondent about non-adherence to the Supreme Court’s ruling in the military’s conduct.

The act’s application was so successful that the police requested more information about subscribers, even though it was not authorized to do so; the police, for example, requested to find out who the sales representative who sold the mobile devices was and what payment means were used to pay the bills. The act, which made the courts into a rubber stamp (because no metadata request was denied, apparently), allowed the police to file 9,000 requests in 2009, out of which almost 2,000 were related to political activities such as public disturbances.

That’s why the Israeli Civil Rights Association appealed against the act (HCJ 3809/08 ACRI v. The Police), but the appeal was rejected. Following the rejection of the appeal, the state decided it wants more authority for more authorities, so that even authorities like the Parks and Forests Authority will be entitled to your GPS location, and that more information will be provided without judicial review, as the courts already approve almost all the requests.

Here, in Zion, we can only be jealous of the US citizens who are abhorred; Israel addressed Google for subscriber information (not under the Metadata act, as it does not apply to Google) about 350 times since 2009. Google responded to most of these requests, meaning that there are 350 people in Israel whose correspondence the government obtained, and that we cannot be certain that they were informed about such intrusion. But Google is an exception; it provides us with reports.

Israeli nationals are always subjected to espionage and surveillance: employers read your email, the state sets up traffic cameras, parking cameras, security cameras and protection cameras. And all this time we ask: do we need protection from criminals or the state?

[Originally published in Room 404 / Haaretz]

Israeli Bill to Block Access to Gambling & Child Porn Websites

Written By: Jonathan under Categories: Cybercrime, File Sharing, Internet, israel, law. It has 10 Comments and it was posted on Dec 22, 2012

Israel is to attempt, again, to pass a bill that authorizes police officers to issue warrants to Internet service providers to block or restrict access to specific websites involved either in gambling, child pornography or copyright infringement. The bill itself proposes that such administrative procedures shall be clandestine and that court decisions shall be made ex-parte, where some of the court’s rulings will not even be disclosed to the owner of the website, and the court may hear and use inadmissible evidence.

In my opinion, one of the saddest things in a democracy is that powers with authority can change the rules after the game has commenced. This is the story with the blocking of gambling sites, an experiment which began around 2010.

Fortunately, after a lot of hard work by the Israeli Internet Society, The District Court of Tel-Aviv quashed the block and ruled that the police had no authority to order Internet service providers to block access to certain sites or IP addresses (decision now on appeal, see the Hebrew original ruling at AA 45606-10-10 ISOC N. Shachar Ayalon).

However, Israel is famous for presenting bills that bypass constitutional rulings, and now wants to reassert this authority, without limitation, by presenting a new bill: The Bill for Restricting Uses for Preventing Crimes (Amendment – Restriction of Access to a Website and various revisions), 2012 (Google Translation).

You can read a bit more about the bill in Oded Yaron’s article (behind a paywall). In general, the bill’s purpose is to circumvent the relevant court ruling and allow the police to block websites. According to the district court ruling, the police’s authority to shut down gambling houses cannot apply to websites. However, the bill’s current wishes seem to be broader:

Had a certified police officer reasonable grounds for suspecting that the website is used to commit an offense specified in the Second Schedule [gambling, child pornography or copyright infringement - jk], and that there are reasonable grounds for concern that the website will continue to be used for committing a crime unless access is restricted, he may issue a warrant for Internet Service Providers to limit the access to that Web site; a warrant under this section may be issued even if the website also contains activity which is considered legal [or legitimate - jk] provided that the illegitimate activity is the main purpose of the website.

Now, as befits any modern legislation, justice is made but is not seen. Article 3 of the bill discusses execution of additional warrants, where everything shall be made ex-parte:

“material relating to the request to extend the validity of an administrative restriction or information based on which such request and any other material provided subject of the application process will be made to the judge only; material will be marked and returned to the police officer or authorized claimant (in this section the applicant) after examining “

But it’s not just that material will be ex-parte; in some cases, the ruling itself may be withheld from the appellant. “The court shall notify the owner or occupier and the police officer on its decision under this section, and it may determine that the decision, or parts of it, shall be confidential“.

This means that Israeli citizens may find themselves in a situation where they are subject to a warrant which is confidential. In such a case, they will not be able to challenge such an order, because the grounds for the decision will be unlisted. Sounds interesting? Well, I remind you that when we discussed the Communication Metadata Law, which allows police to receive GPS data on phone and Internet subscribers and records of their phone calls, everything was made in confidential decisions (with no further judicial review on them). Therefore, we do not know how the law is implemented, how these requests really served illegally, and how judicial review works.

The bill itself is absurd if you understand the Internet: everybody knows that, whatever the order blocking a given website, it is about as effective as a police order that the summer temperature shall not exceed 25 degrees Celsius (or, if you’re in the US, that it won’t snow on Christmas). I mean, okay, ISPs will restrict users from browsing, but that’s not actually something that works (proxy servers et al.).

But of course there’s the issue of the slippery slope. The original act, which is to be amended by the bill, gave a judge the authority to issue a warrant under careful review; however, the bill conveys this authority to police officers.

What about additional uses? Well, in order to pass the bill, the police began with offenses considered abhorrent: child pornography and gambling. Clearly, no one will oppose the authority to block such websites if he’s not a pedophile or a gambler. Well, not really. That’s why the phrase “Second Schedule” is used to describe the offenses that are subject to this authority; in fact, the bill asserts a short list of offenses, to which the minister of justice can always add additional offenses. Once the bill is passed, no one can be certain that no additional offenses will enter there.

The real danger here is practice: in the same week where we discovered that the military police apparently investigated a blogger who was exposed using the metadata act, without respecting his journalistic immunity and confidentiality of sources, and in the same week as the non-democratic nations want to rule the internet through the ITU convention, Israel decides to publish this bill. And why? Because Israel deems it ok to gamble all your money in the state lottery, but not right when you give money to foreign websites.

Putin’s Pussy Scandal may Be Inspiration for Israel

Written By: Jonathan under Categories: israel, justice, security. It has 0 Comments and it was posted on Aug 20, 2012

A few months ago, Russia’s president, Vladimir Putin, arrived in Israel for a brief visit. The President, who receives embarrassing support from Israel’s minister of foreign affairs, Avigdor Liberman, and almost magical admiration from Knesset member Anastasia Michaeli, also received a warm hug from the Israeli government’s leaders, and first and foremost, Benyamin Netanyahu. Actually, there’s no place for doubt that there is a strong link between the two states. However, another embarrassing affair that Putin had to face recently may show that Putin is the one admiring Israel, and not vice versa.

Israel is known for times where its legal system falls victim to political constraints from left to right, and not just in the higher courts, but in the magistrate courts as well. Sometimes, indictments are colored more politically than usual, and are attached with circumstances that cannot allow acquittal. The stories of Jonathan Pollack, who was convicted for riding his bicycle slowly in a demonstration against the Cast Lead Operation and was sentenced to three months in prison, and of Rahamim Nasimi, who blocked a road during anti-disengagement protests and received the same penalty, show that there’s a problem in the method. The problem is that demonstrations are often meant to disrupt the public order, offend, hurt and show the government that there is criticism and it’s not nice: but these have to be the rules of the game. Protesters are allowed to be rude, disgusting and violate the public order. The police, on the other hand, cannot be brutal and has to respect the political expression, since if it does not do so, we will live in the “Ok State”.

And that’s the case of Pussy Riot, a Russian feminist band that decided sometime in February to organize and demonstrate in a spontaneous way to protest against Putin. During the last weekend, three members were sentenced to two years in prison after being charged with harming the public order with religious circumstances; of course, there was no relation to the content of the expression, but to the deed itself: the members of Pussy Riot organized in a public place, offended the public, and tried to protest against the current situation. If they had protested where they are allowed to, in their homes, then no one would have heard about Pussy Riot.

It is quite doubtful that this could be perceived as a just trial, even though the Russian public supports it; but that is the case: when the political hooligans are indicted, the content of the speech is not mentioned, and therefore not discussed in court. They say “he was a hooligan, and we don’t care if it’s left or right, if it was a toothpaste advertisement or a protest against a mayor. What offends us is the breaking of the public order”. In this case, you cannot put up a defense that says “look at the content and not the form”, because the content is indisputable. So, the architecture of the trial prevents justice.

And this is how Israel is so close to Putin’s dictatorship: even here there is hard work to limit the protest; and of course it’s not political at all: a simple policy of requiring a license for every activity of public expression is perceived by the court as a way to preserve public order (AA 6095-07-12 Hatzav v. Tel-Aviv). It’s not just a saying: the Tel-Aviv municipality issued an administrative order stating that “festivities and any other activity to express an idea, opinion, value, demonstration, meeting, ceremony, solidarity, fund raising, belief or world view – which is not made in cooperation with the municipality” has to obtain its consent. Meaning that if I sat down with a friend in Rothschild Boulevard to discuss my opinion about the country’s financial status or the street’s garbage, I have to approach the municipality’s CEO, fill out the proper forms and obtain a permit.

These procedures are not only unlawful, but they make Putin ovulate from joy. The resemblance, the inspiration, maybe he should receive royalties for it.

And in the meantime? Israel does not have a local Pussy Riot. And maybe it’s for the better; their music is not so soothing. But until we have one, we all have to admire King Bibi.

[Originally In Hebrew]

Legislating Surveillance: Was the biometric act needed?

Written By: Jonathan under Categories: israel, law, State Secrets. It has 1 Comments and it was posted on Dec 4, 2011

0. Abstract.

[This Wednesday I shall lecture at the LiSS working group conference, here is a draft of my lecture] From 2003, and until today, the Israeli Government has been working diligently in order to legislate the biometric database act and the orders and ordinances according to it. However, this biometric database is not the only biometric database in Israel and is not the only database to which government authorities have access. In my brief lecture, I shall present a different approach, asking whether this database act was actually required and what the reasons were for choosing a legislative act. When doing so, I’ll have to ask whether the act of legislation was needed because the social contract was broken, or because it was a megalomaniac act made out of a will to block any different approach to databases.

1. Database Laws, Privacy.

Let’s first understand how government databases operate. The Israeli Privacy Protection Act does not differentiate public sector databases from private sector ones; moreover, article 23D provides any person the right to know about such a database, and article 23C provides government bodies the right to request and transfer data from other databases when the action is required by law or by the body’s function. Meaning, if that was its desire, the Government could have set up a registered database and operated the biometric database out of such act; but in such case, it couldn’t have mandated the people to provide their biometric information.

So what could it do? It could have amended the Census Act. The Israeli Census Act is the act regulating the management of the Israeli Census (which, as we already know, was leaked to the Internet); article 2 writes down the fields in the database that are required to be listed. In such case, amending it and mandating a person’s biometric data under it could have solved the biometric database problem in a 1-line amendment, without requiring massive legislation.

However, the Israeli legislator decided to pass a 30 page long act (PDF), which describes the security and use in full detail, and to allow public debate over it. In order to understand why, let’s understand how other government databases work.

2. Government Databases and legislation.

First, let’s see which databases were legislated and which weren’t; Meir Sheetrit, the biometric database’s entrepreneur, said that “Israel has enough [other] biometric databases“. However, if we inspect his claims, we find a different perspective; the one who says who and when is required to provide his information willfully to the database.

Let’s first inspect which databases were legislated under Israeli law: The Israeli Anti-Money Laundering Act, The Israeli Census Act (which actually does not establish a database, but only allows the inquiry of information), The Police DNA Database (The Criminal Procedure Act (Searching in a person’s body and taking of identifying information)), Criminal Records (The Criminal Record Act).

On the other hand, there are quite a lot of databases which contain information which is as personal and as sensitive as the legislated databases, including the migrant workers biometric database; the driver’s license database, which includes photographs and, according to the Israeli transportation office, does not require legislation in order to retain a database (where the transportation office provides this biometric information at least to the ministry of interior); the unemployed database, which contains fingerprints of the unemployed; and the Bus Authority database, which contains information regarding passengers and their routes.

3. Why do you legislate databases?

We can see that while some databases were legislated because of their sensitive nature (money laundering, for example), there is no actual difference in sensitivity; there is no actual difference between money laundering information and the biometrics of a migrant worker. We can also say that legislation did not come because of the voluntary nature of the database; a person cannot choose to be unemployed or not to travel by car or bus. None of the non-legislated databases are actually voluntary; they just address specific needs and put the person “agreeing” to provide the information in an inferior place: he is either unemployed, or he wishes to travel to Israel to work, or he may want to drive in Israel or take a bus. These are all daily functions that a person cannot go without.

4. Why Legislation.

Now, let’s go to the theoretical assumption that the biometric database could have been established without any real or substantial legislation. The legislator could have actually just established a national database by issuing an order under the Passport Act, seeing that most Israelis have a passport, and held the information in a way that is “required” to issue a passport; he could have gone the same way the Transportation Office went, and required just the issuance of fingerprints. However, the choice to legislate the database was taken. And why?

The reason is the Israeli Privacy Protection Act, but not the article requiring willful consent, nor the article mandating informing the data subject on its rights, but because of article 23C. Let’s inspect the text:

“Notwithstanding article 23b, providing the information is permitted, if not prohibited by any legislation or professional ethics – (1) between public bodies, if one of the following exists (a) providing the information is in the authority or role of the body who provides the data and it is required to exercise a law or a cause by the authority of the data provider or its recipient; (b) providing the database is to a public body who is allowed to demand such information according to law from any other source; (2) from a public body to a government office or another state establishment, or between offices or bodies as such, if the providing of information is required to exercise any legislation or for a purpose in the authority or roles of the data provider or its recipient …”

Well, we do need to read this carefully: There could have been a state-wide database without legislation; however, in such case the Police could not have been granted access to the information. And why? Because neither article 23b(a)(i) nor article 23b(a)(ii) allow it: The first alternative requires specific authorization under law to disclose the information and the second requires that the police would have been authorized to request the information at source. However, the police are not entitled to coerce a person to give them his biometric information, and the ministry of interior [was] not authorized to specifically assist the police.

Therefore, unlike other databases, the mobility of the information and the detachment between the cause of why it was collected and its use brought the actual need for legislation.

5. Ruling out other factors.

Now, we can inquire about the question of whether this was actually the reason; whether there was a secret hand that required it. The only reason to explain why a 30-page long bill was passed was explained when alternatives were presented to the government: the rejection of the Adi Shamir proposal, for a non-identifiable database, and the choice to store both a person’s facial photo and fingerprint (where such information is not required to maintain a clean database, see Yoram Oren’s statement: “if the purpose is to reduce a list, then yes“). Meaning, the legislator was presented with at least two alternatives that allow a secure database that does not allow double-inclusion and does not retain so much sensitive data, but rejected them.

Such rejection may be discussed later in courts when inquiring about the constitutionality of the act, but that’s beside the point. The choice of both legislating and deciding on this architecture was made solely in order to allow surveillance.

6. Summary and Conclusions.

We know that the legislator had other options to legislate a database (or not to legislate it); and that it could have allowed it to be used quicker, without any pilot and even with the coercion against the persons, but in such case, the police and other security authorities could not have obtained access to the database. Therefore, the sole purpose of addressing legislation is in order to allow such access, and unless we can rule this out, this is the true purpose of the database.

Dr. Klein v. Proportzia: Google is liable for AdWords.

Written By: Jonathan under Categories: copyright, Internet. It has 0 Comments and it was posted on Sep 26, 2011

The ruling in C 48511-07 Dr. Dov Klein v. Proportzia ltd will most probably not be in any future cyberlaw schoolbook unless Google, one of the defendants (or actually three of them), decides to appeal even though such a small amount (around 12,000 US$) was ruled against it and Proportzia. In brief, before we discuss the problems of this ruling, let’s tell the story. Dr. Dov Klein is a plastic surgeon. One day he found out that Proportzia, a clinic providing cosmetic surgery and other beauty treatments, decided to purchase AdWords under his name. Klein did not like the use of his name and decided to sue Proportzia as well as Google, the service provider. The Magistrate Court of Tel Aviv-Jaffa ruled that Proportzia and Google are liable for invasion of privacy and must compensate Dr. Klein.

Google AdWords lawsuits were a big issue in the past (where the most famous was Government Employees Insurance Co. v. Google, Inc., No. 1:04cv507, see more at Eric Goldman’s blog). In Israel, however, there was one material ruling, OP 506/06 Matim Li v. Crazy Line, where the Israeli District Court of Tel-Aviv ruled that as long as the ad itself is not misleading, there is no problem with purchasing ads using someone’s tradename. But here the court needs to explain why it deviated from this decision, so it ruled that “These are keywords which contain a personal name, and not a trademark, and therefore you cannot say that in regards to this name the internet is an advertising space similar to others. So it would be adequate to rule that in regards that without the personal name’s holder’s permission, the name shall not be used for advertising”.

The court goes with the infamous publicity rights and determines that when the use is of someone’s personal name, and not a trade name, then the use has to be with the permission of its “owners”. However, here already stands a first problem in regards to publicity rights. Dr. Klein is a celebrity, and as such he has no right for privacy (in regards to publicity rights). Israeli courts ruled that when a person uses his name for trade, he cannot later state that he does not want others to rely on such business name. In a recent case, the court ruled that “the right for privacy is a right that protects the emotional-personal interest of a person, his autonomy and his private matters, but not his financial interests” (C 534-08 Hava Koren v. Shai Cohen). Meaning, the rationale behind publicity rights applies where a person does not wish to be known publicly and is coerced to do so, not where he is already known.

The second problem here is where the border lies between a person’s name and a trade name. Is Ford protected under this ruling, being the surname of Henry Ford? This is the incoherence that later calls for over-litigation and pays the lawyer’s retainer in bad lawsuits. If the court had a reasonable rationale, it had to provide it in a detailed manner, even if it means writing 50 pages instead of 14.

Now, after having said that, the real problem arises. As the court did not provide reasoning for its ruling, it did not explain where Google’s active involvement lies, such that liability is incurred on it. That’s why Google did not know, and was not expected to know, about the existence of a person named Dr. Klein and that he does not want others to use his name. The court here goes against any other service provider liability case in Israel (C 567-08-09 ALIS v. Rotter, C 1559/05 Hemda Gilad v. Netvision, C 64045/04 Al Hashulchan v. Ort).

The fact that the court did not provide reasoning for its ruling is a problem. It does not let us understand why it decided that Google is liable and does not let us understand the issue. We have to wait and see whether Google appeals this.

[Originally in Hebrew]

Alis v. Rotter: Israeli District Court rules that linking is not direct infringement

Written By: Jonathan under Categories: copyleft, copyright, File Sharing. It has 0 Comments and it was posted on Aug 11, 2011

A recent Israeli court ruling, which stated that linking to copyright-infringing content does not constitute direct copyright infringement (CA 567-08-09 ALIS – Association for the protection of cinematic works v. Ltd), was quite an interesting one. Alis, the Israeli equivalent of the MPAA, sued a popular forum website in regards to user generated content in two of its popular forums: Downloads and Movies. Alis’ claim was that by providing links to infringing content, Rotter is liable for direct infringement.

The court recognized that notice and takedown is the correct way to handle user generated content and ruled that Rotter is not liable for any user generated content as long as it removes the infringing content promptly. By ruling this way, the court created the much-requested connection between the recent Supreme Court ruling in CA 5977/07 Hebrew University v. Schoken (which dealt with the university’s liability for coursebooks distributed by students creating infringing content) and the virtual world (and in regards to notice and takedown under Israeli law, see RCA 1700/10 Avi Roy Dubitzky v. Liav Shapira, C 1559/05 Hemda Gilad v. Netvision and C 64054/04 Al Hashulchan v. Ort).

However, the main issue with notice and takedown was the amount of actual knowledge the court required: the court determined that it is not enough that it is reported to Rotter that a specific forum has infringing content; Rotter has to have actual knowledge of each specific infringement. However, the court opened a hatch for “bad forums”, meaning that where the service provider knew about a material amount of infringements in a place, it shall be liable for the forum’s activity. In the court’s words: “the presumption is that the website’s owner is aware that he is assisting in the existence of direct infringements, and that such assistance is actual and material contribution to them. Therefore, the burden is on that website owner where a suspected forum exists to prove that the existence of the forum serves a legitimate purpose or that he was unaware of the infringing activity (and if so, he shall not be liable until he was notified that this is a “bad forum”)”. Therefore, the court actually narrowed the service provider exemption from liability.

In the court’s opinion, “as a rule of thumb, we can determine that a closed forum, where in a specific time there are more than 10 links to infringing sites, and that the messages including links to infringing sites constitute more than a quarter of the substantial content of the forum (meaning, messages that are not information requests or responses to other messages), should be suspected as a “bad forum””. Meaning, the court determines that where a forum has more than 10 infringing links, and these links are more than a quarter of the content, the website owner may be liable even if he had no actual knowledge. This ruling may be dangerous, and being a district court one, we should keep our finger on the pulse to see how it goes in the future.

From where did the court conclude the numbers? Why didn’t it include the absolute number of postings in the website as a criterion (in contrast to forum messages)? Why didn’t it inquire whether opening a forum requires the owner’s consent? All these questions were irrelevant to the ruling and were not included in the court’s opinion.

However, this part of the ruling is not the material part, but only the part that is easy to understand. The important decision was on the question of whether directly linking to infringing content on another site constitutes direct infringement. Here is the time and place to remember how copyright works: there are specific actions that the copyright holder is the only person entitled to perform, and the rest of the actions are allowed. These are specified in clause 11 of the Copyright Act. One of these rights, in Israel, is making a work available to the public.

Alis tried to claim that linking is making a work available to the public, defined as “performing an action in a work so that people from the public may have access from a place and time of their choice”. However, the court rejected this claim and said: “creating a link which transfers the user directly to the infringing site (either to the homepage or an internal page) is not “making a work available” … First, creating the link is not “performing an action in a work”; second, the link, by itself eases people from the public to locate the infringing work, but it does not create the access. In other words, the work has already been made available by the infringing site and therefore linking to that site cannot be deemed as “making a work available””.

The court determined that there is no actual direct infringement by linking (but it may allow contributory, secondary or vicarious ones). This is a blessed interpretation of the law, which was not always acknowledged by the courts (it was, however, ruled so in 11-cv-20427 Disney v Hotfile).

The meaning of this ruling may be relevant, however, to other torts. For example, could a person being slandered on a website sue all people directly linking to it? It seems that in such a case, this ruling goes in favor of the actual logic.

[Originally in Hebrew, here]

How-to avoid patent-trolling: The only way to win is fight.

Written By: Jonathan under Categories: copyleft, copyright. It has 4 Comments and it was posted on Aug 4, 2011

Software patents are a problem, not a solution; that’s why when the Israeli Patent Registrar wanted to hear what the public thinks of them, we (at Hamakor, Israel’s Free Software and Open Source Association) wrote a detailed paper about it; in the end, the Israeli Patent Registrar gave a final decision stating that software by itself is not patentable in Israel [Hebrew Link]. However, other jurisdictions may not think the same.

That’s why corporations like Microsoft tend to use software patents as a strategic whip; for example, Microsoft approached HTC with a patent settlement offer that will cause HTC to pay 5 US$ for every Android mobile device it sells. The thing is that Microsoft directly competes with Android with its “Windows Phone” operating system. Therefore, Microsoft makes more money when its competitors sell Android devices than when it sells its Windows Phone. But, of course, that’s the problem, not the solution.

Yesterday, David Drummond, Google’s chief legal counsel, ranted in the official Google blog about this conduct (covered also by TechCrunch). He said that “A smartphone might involve as many as 250,000 (largely questionable) patent claims, and our competitors want to impose a “tax” for these dubious patents that makes Android devices more expensive for consumers”. The thing is that Drummond is also addressing the problem, and not the solution.

Recently, Android has become less and less open source and more proprietary, as Google refused to release Android’s source code. Also, the choice of a non-GPL license caused it to be less free. Of course, this led Google further from the solution.

The solution to patent trolling in the Android market segment is inherent in free software: detach the software distribution from the hardware distribution. When people can purchase the devices and then install their OS at home, downloading it for free from the Internet, these patent trolls will have to go against the actual distributor: Google.

As you know, Google, unlike other software companies, has the backbone and endurance to go into legal battle and keep the software segment patent-free. They did it during their long dispute with Viacom over YouTube and they’ll do it again and again.

The only way to win is to fight.

Terms and Conditions, an XML solution for a Legal Problem

Written By: Jonathan under Categories: copyright, israel. It has 0 Comments and it was posted on Jul 19, 2011

Terms and Conditions (and Privacy Policies) are a bitch. I know, because I write them for a living. Yes, it’s me who made you agree to provide that website with an “irrevocable, unlimited, commercial right to access your personal information stored in the service” just so they could fight the spam they tackle on a day-by-day basis. I’m also the guy that these websites call when some random schmuck sends them a cease-and-desist letter claiming they hold the copyright on the word “party” or something like that.

Lawyers face a terrible problem: most users don’t read the terms and conditions. This causes them to be unenforceable in some cases (DeFontes v. Dell, Inc., No. 2004-137, 2009, more here), and lawyers tend to create presumptions of acceptance in different terms, which are always uncertain because they are never tested in court. Some lawyers tend to add the “I Agree” button only at the end of the document, some require email confirmation and some just add an “I Agree” checkbox.

In comes CommonTerms. CommonTerms tries to simplify the reading of hard-to-read legal documents by adding nice icons showing how the service providers use your data, whether they are allowed to revise the terms for any reason, and other information. In order to do so, CommonTerms analyzes existing agreements and attempts to draft a database of practices. While their idea is nice, it is yet to be perfect for the end user, because he needs to know such icons exist and actually read the terms for it.

In comes my solution; however, it requires some cooperation from lawyers. Lawyers could use XML tags or RDF to tag their Terms and Conditions with specific tags, such as “Shares your user generated content with 3rd parties” or “allows other users to create derivative works of content you upload”. In terms of Privacy Policies, it may be even easier, as a privacy policy is a set of specific questions, where the icons may just show “uses 3rd party cookies” or “profiles you and sends information to advertisers”. Now, once the specific list of terms is defined, we can actually create a tag generator so the tech guys could mark the site; then, like websites that put up the TRUSTe seal, they could mark their website in terms of user-friendliness.

After we get the marking down, we still have some problems, but all are solvable: self-enforcement and information, as well as comparing sites in terms of their Terms and Conditions. The other factor may be creating common grounds for tagging and creating child-friendly filters or other uses that help users understand what happens when they post their content on websites: is it sold, reused, mixed, shared or just removed after 36 hours.
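The tagging idea above, as an added example that is not part of the original post: a reader for machine-readable policy tags that enforces a closed vocabulary, compares two sites and applies a child-friendly filter. The element names, practice ids, blocklist and sample sites are assumptions, since the post names the practices only in prose.

```python
import xml.etree.ElementTree as ET

# Hypothetical closed vocabulary; the wording follows the tags suggested in the post.
VOCABULARY = {
    "shares-ugc-with-third-parties",
    "allows-derivative-works",
    "uses-third-party-cookies",
    "profiles-for-advertisers",
}
# Practices a child-friendly filter would refuse (an assumption for this example).
CHILD_BLOCKLIST = {"profiles-for-advertisers", "shares-ugc-with-third-parties"}

# Constructed sample policies for two made-up sites.
SITE_A = """<policy site="a.example">
  <practice id="uses-third-party-cookies"/>
  <practice id="profiles-for-advertisers"/>
  <retention hours="36"/>
</policy>"""
SITE_B = """<policy site="b.example">
  <practice id="uses-third-party-cookies"/>
  <practice id="allows-derivative-works"/>
</policy>"""


def parse_policy(xml_text):
    """Parse one tagged policy, rejecting DTDs and tags outside the vocabulary."""
    # Policy files come from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs and entities are not allowed in a policy file")
    root = ET.fromstring(xml_text)
    if root.tag != "policy" or not root.get("site"):
        raise ValueError("expected <policy site=...>")
    practices = set()
    for node in root.findall("practice"):
        pid = node.get("id")
        if pid not in VOCABULARY:
            raise ValueError(f"unknown practice tag: {pid!r}")
        practices.add(pid)
    retention = root.find("retention")
    hours = int(retention.get("hours")) if retention is not None else None
    return {"site": root.get("site"), "practices": practices, "retention_hours": hours}


def compare(a, b):
    """Return the practices declared by only one of the two sites."""
    return {a["site"]: a["practices"] - b["practices"],
            b["site"]: b["practices"] - a["practices"]}


def child_friendly(policy):
    """True when the site declares none of the blocklisted practices."""
    return not (policy["practices"] & CHILD_BLOCKLIST)


if __name__ == "__main__":
    a, b = parse_policy(SITE_A), parse_policy(SITE_B)
    print(compare(a, b))
    print({p["site"]: child_friendly(p) for p in (a, b)})
```

Rejecting unknown practice ids is what keeps the tags comparable across sites; a site that invents its own tag fails parsing instead of silently passing a filter.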

The thing is, that as a lawyer, I cannot code and I cannot enforce these things on people: not on other lawyers and not on my clients (or other lawyers’ clients). So, in order to make this happen, a demand has to come from the public, and that’s you.

You may also appreciate reading about the EULA Generator.