Intellect or Insanity, Jonathan Klinger's Blog

0.
Israel is to attempt, again, to pass a bill that authorizes police officers to issue warrants to Internet service providers to block or restrict access to specific websites involved either in gambling, child pornography or copyright infringement. The bill itself proposes that such administrative procedures shall be clandestine and that court decisions shall be made ex-parte, where some of the court’s ruling will not be even disclosed to the owner of the website, and the court may hear and use inadmissible evidence.

In my opinion, one of the saddest things in a democracy is that powers with authority can change the rules after the game commenced. This is story with blocking of gambling sites, an experiment which began around 2010.

Fortunately, after a lot of hard work by the Israeli Internet Society, The District Court of Tel-Aviv quashed the block and ruled that the police had no authority to order Internet service providers to block access to certain sites or IP addresses (decision now on appeal, see the Hebrew original ruling at AA 45606-10-10 ISOC N. Shachar Ayalon).

However, Israel is famous for presenting bills that bypass constitutional rulings, and now wants to reassert this authority, without limitation, by presenting a new bill: The Bill for Restricting Uses for Preventing Crimes (Amendment – Restriction of Access to a Website and various revisions),2012 , (Google Translation).

1.
You can read a bit more about the bill at Oded Yaron’s article at Haaretz.com (behind a paywall). In general, the bill’s purpose is to circumvent the relevant court ruling and allow the police to block websites. In the district court ruling, the police’s authority to shut down gambling houses cannot apply to websites. However, the bill’s current wishes seem to be broader:

Had a certified police officer reasonable grounds for suspecting that the website is used to commit an offense specified in the Second Schedule [gambling, child pornography or copyright infringement - jk], and that there are reasonable grounds for concern that the website will continue to be used for committing a crime unless access is restricted, he may issue a warrant for Internet Service Providers to limit the access to that Web site; a warrant under this section may be issued even if the website also contains activity which is considered legal [or legitimate - jk] provided that the illegitimate activity is the main purpose of the website.

Now, as befits any modern legislation, justice it made but us not seen. Article 3 of the bill discusses execution of additional warrants, where everything shall be made ex-parte:

“material relating to the request to extend the validity of an administrative restriction or information based on which such request and any other material provided subject of the application process will be made to the judge only; material will be marked and returned to the police officer or authorized claimant (in this section the applicant) after examining “

But it’s not just that material will be ex-parte; in some cases, the ruling itself may be withheld from the appellant. “The court shall notify the owner or occupier and the police officer on its decisionunder this section, and it may determine that the decision, or parts of it, shall be confidential“.

2.
This means Israeli that citizens may find themselves in a situation where they are subject to a warrant which is confidential. In such case, They will not be able to challenge such an order, because the grounds for the decision will unlisted . Sounds interesting? Well, I remind you that when we discussed that Communication Metadata Law, which allows police to receive GPS data on phone and Internet subscribers and records of their phone calls, everything was made in confidential decisions (with no further judicial review on them). Therefore, do not know how the law is implemented, how these requests really served illegally, and how judicial review works.

3.
The bill itself is absurd if you understand the Internet: everybody knows that no matter what order blocking a given Web site, its validity is about as much as an order of Police fires in summer temperature does not exceed 25 degrees Celsius (or if you’re in the US, that it won’t snow on Christmas). I mean, okay, ISPs will restrict users from browsing, but that’s not actually something that works (proxy servers et all).

4.
But of course there’s the issue of the slippery slope. The original act, which is to be amended by the bill, gave a judge the authority to issue a warrant under careful review; however, the bill conveys this authority to a police officers.

5.
What about additional uses? Well, in order to pass the bill, the police began with abhorrent offenses considered: child pornography and gambling. Clearly, no one will oppose the authority to block such websites if he’s not a pedophile or a gambler. Well, not really. That’s why the phrase “Second Schedule” is used to described to offenses that are subject to this authority, in fact the bill asserts a short list of offenses, where the minister of justice can always add additional offenses. Once the bill is passed, no one can be certain that no additional offenses will enter there.

6.
The real danger here is practice: in the same week where we discovered that the military police apparently investigated a blogger which was exposed using the metadata act without respecting his journalistic immunity and confidentiality of sources, and on the same week as the non-democratic nations want to rule the internet through the ITU convention, Israel decides to publish this bill. And why? because Israel deems it ok to gamble all your money is the state lottery, but not right when you give money to foreign websites.

The ruling in C 48511-07 Dr. Dov Klein v. Proportzia ltd will most probably not be in any future cyberlaw schoolbook unless Google, one of the defendants (or actually three of them), will decide do appeal even though such a small amount (around 12,000 US$) was ruled against it and Proportzia. In brief, before we discuss the problems of this ruling, let’s tell the story. Dr. Dov Klein is a plastic surgeon. One day he found out that Proportzia, a clinic providing cosmetic surgery and other beauty treatments, decided to purchase AdWords under his name. Klein did not like the use of his name and decided to sue Proportzia as well as Google, the service provider. The Magistrate Court of Tel Aviv-Jaffa ruled that Proportzia and Google are liable for invasion of privacy and must compensate Dr. Klein.

Google AdWords lawsuits were a big issue in the past (where the most famous was Government Employees Insurance Co. v. Google, Inc., No. 1:04cv507, see more at Eric Goldman’s blog). In Israel, however, there was one material ruling, OP 506/06 Matim Li v. Crazy Line, where the Israeli District Court of Tel-Aviv ruled that as long as the ad itself is not misleading, there is no problem with purchasing ads using someone’s tradename. But here the court needs to explain why he deviated from this decision, so he ruled that “These are keywords which contain a personal name, and not a trademark, and therefore you cannot say that in regards to this name the internet is an advertising space similar to others. So it would be adequate to rule that in regards that without the personal name’s holder’s permission, the name shall not be used for advertising”

The court goes with the infamous publicity rights and determines that when the use use is of someone’s personal name, and not a trade name, then the use has to be with permission of its “owners“. However, here already stands a first problem in regards to publicity rights. Dr. Klein is a celebrity, and as such he has not right for privacy (in regards to publicity rights). Israeli courts ruled that when a person uses his name for trade, he cannot later state that he does not want others to rely on such business name. In a recent case, the court ruled that “the right for privacy is a right that protects the emotional-personal interest of a person, his autonomy and his private matters, but not his financial interests” (C 534-08 Hava Koren v. Shai Cohen). Meaning, the rationale behind publicity rights apply where a person does not wish to be known publicly and is coerced to do so, not where he is already known.

The second problem here is where is the border between a person’s name and a trade name. Is Ford protected under this ruling, being the surname of Henry Ford? This is the incoherence that later calls of over-litigation and pays the lawyer’s retainer is bad lawsuits. If the court had a reasonable rationale, it had to provide it in a detailed manner, even if it means writing 50 pages instead of 14.

Now, after having said that, the real problem arises. As the court did not provide reasoning for its ruling, it did not explain where Google’s active involvement that provides incurring liability on it. That’s why Google did not know, and was not expected to know, about the existence of a person named Dr. Klein and that he does not want others to use his name. The court here goes against any other service provider liability case in Israe (C 567-08-09 ALIS v. Rotter, C 1559/05 Hemda Gilad v. Netvision, C 64045/04 Al Hashulchan v. Ort).

The fact that the court did not provide reasoning to its ruling is a problem. It does not let us understand why it decided that Google is liable and does not let us understand the issue. We have to wait and see whether Google appeals this.

[Originally in Hebrew]

In about two weeks time, I’ll attend the Wikimania2011 Conference and discuss Cultural Fair Use, Political Narrative and Copyright; while this might sound as one big mashup, because there is no apparent connection between copyright and political narrative. The story of fair use, however, points us to why copyright, more than any other thing, has to do with Politics. The text of this lecture is somewhat derived from my research with Dr. Nimrod Kozlovski for Consumers International about Fair Use in Israel.

But first, a short story. One of my favorite TV shows is South Park. I’ve been watching them from 1997, and have been a fan of the authors and their opinions; when Trey Parker and Matt Stone described their approach towards copyright in their interview for Reason Magazine back in 2006 i was quite happy to find out their approach for copyright was that of a true artist, a wish to reach a wider audience. In a same manner, back in 2008 when they launched South Park Studios, a website to allow watching all their episodes through video streaming as well as remixing and sharing their content, I understood how much they were artists and how they were not just in it for the money.

In 2008, South Park paid tribute to the internet nation with an episode criticizing the Writer’s Guild of America’s Strike while paying tribute to some of the latest internet meme sensations such as the sneezing panda and the Star Wars Kid. One of the subjects of criticism was Samwell, whose video “What What (in the butt)” depicted an African American male pondering whether the viewers of the video wish to “do it in the butt” with him. The video was displayed in the popular YouTube site free of charge and received millions of views.

In the “Canada on Strike” episode, the four prepubescent characters in South Park wish to earn a quick buch from the internet and decide to film a viral video. The position Butters, one of the characters, in the same way as Samwell is in the video and make the unconceivable, take the already grotesque video and make it even more grotesque. This is basically why I love South Park so much: the interaction between extreme free speech and the ability to mock the already mocked to a grain gives them the ability to go on for so many shows. This is the video that Butters produced:

Samwell decided that South Park’s use of his “Work” constituted as copyright infringement and decided to sue Viacom for copyright infringement. Viacom decided to be the better person and instead of settling the case out of court (which would help it, as a copyright owner to fight others who make similar uses of its content) decided to try and use the affirmative Fair Use defense. This week, a Wisconsin federal judge dismissed the case, arguing that South Park’s use of the work was fair (read the full opinion of 10-CV-1013 Brownmark Films LLC, v. Comedy Partners). The court weighed in favor of what I try to call “Cultural Fair Use” which became somewhat popular recently, but is not actually in the general Fair Use exemptions.

For all you non-lawyers, fair use is a defense (codified in 17 USC 107 for those who use copyrighted works for causes such as “criticism, comment, news reporting, teaching, scholarship, or research”. However, South Park’s use, in spite of the wish to be considered criticism, is not really criticism, but mockery or homage. South Park used Samwell’s work in order to criticize the viral videos altogether, not the work itself. In a similar case, where a famous Israeli Comic Book (or should I actually say “Graphic Novel”) cartoonist depicted Donald Duck in order to mock the Isreali Society, the Israeli Supreme Court ruled that his use was not fair as the criticism was not on the work itself (RCA 2687/92 Geva v. Disney). Only recently, the lower courts acknowledged that other, cultural aspects of fair use in order to stretch society’s public domain and ability add some works of authorship to the public domain without the formal requirements of copyright terms, solely because such works have become works of the public due to popularity and demand.

The recent cultural fair use is based on folklore more than anything else. The basic elements are that once a work has exhausted its commercial value and became a part of popular culture, it may allow others to create additional social value by reusing the work. Such uses may be mashups, remixes or other uses which are not highly criticizing or transformative, but are without any impact on the actual market value.

[Here comes that part where if you read this prior to hearing my lecture you thanked me, because the crowd will be rickrolled]

A good example is Rickrolling, the phenomenon of baiting someone into clicking a link on the internet which leads to Rick Astley‘s “Never Gonna Give You Up” video, which is not as grotesque as Samwell’s “What What”, but is no less funny. People have used this song and attempted to add it into popular culture and other works as an homage to the internet nation; either by playing it instead of the end credits to Bill O’Rielly‘s show, paying tribute in an episode of the popular TV show Family Guy, using Barack Obama as the singer by mashing up his speeches or even a Stephen Hawking tribute to the song.

But putting Rick Astley‘s career aside, let’s discuss Government Works for a bit. The US, as well as other states, has a “Government Works” clause that determines that any work of authorship made by the state itself is not subject to copyright. Unlike the US, Israel does not have such clause. Therefore, a material part of Israel’s history is subject to copyright; meaning that the national photo archives and other government works such as reports of the Central Bureau of Statistics are subject to copyright. In such case, when Israeli nationals (and other nationals, actually) wish to use government works, they must either license them or find other sources.

This creates a burden, first of all because the Israeli government does not benefit from selling licenses. It is not one of its positions as a government nor is it a material source of profit. The government has set up its Press Office to allow dissemination of information freely from the government outwards and copyright restrictions seems to contradict Israel’s wish to disseminate its message.

During the 2010 term, Parliament Member Meir Sheetrit submitted a bill introduced by Wikipedia Israel, proposing that non-commercial use of government pictures shall be free of charge, as long as the use is with credit, and does not manipulate or alter the photos in any way. In an interview, Sheetrit stated that one of the reasons for the governmental opposition to the bill was the fear from use of the photos by organisations
which are hostile to Israel or wish to promote the opposing narrative.

The bill was prepared following a study by Creative Commons Israel and Wikimedia, which dealt with Crown Copyrights. The understanding and discussions were whether to apply fair use principles to these uses or to exempt them individually. The tension between personal uses and political uses was balanced by the Israeli ministry of justice, which drafted the bill for MK Sheetrit, and exempted non-commercial use only.

Interestingly enough, the definition of what is commercial and what is not has yet to be discussed. It is interesting to note that both the language of the bill and the language opposing the bill use copyright as censorship or impediments on free speech. The rationale behind the bill, at least as stated by MK Sheetrit, was to allow the dissemination of Israeli Hasbara (propaganda) and use of the Israeli imagery for free by bloggers, Wikipedia and other organisations who wish to use them in order to enrich their works. However, at least as stated by MK Sheetrit, the governmental opposition was based on the fear of use by hostile organisations. Both parties held an opinion that government works are a part of the discourse and that copyright may be used to prohibit others’ speech or to allow them to undertake one’s narrative. These rationales underplay the economical aspects of copyright, and deal with fair use in a different manner, which is the ability to silence political speech.

If, indeed, the only rationale for copyright in Israeli government works is political: to maintain the political narrative, then one material aspect, which is the commercial value of the work, has to be let aside when discussing government works. Let’s, for this cause, inspect the incentives behind copyright and see whether they apply for government works (based on the incentives described by Julie E, Cohen in Copyright as Property in the Post-Industrial Economy: A Research Agenda); the purpose of Copyright was to encourage new and original authorship, however, in Government Works, there is little originality, most Government Works are either documentary (formal photographs or official journals) or are the result of a research; and even if commercial uses were made using these works, then the Government shall continue to create.

Therefore, the incentives for Government Works do not exist in copyright. Now, what’s left is the apparatus of control, and this is actually what’s important in copyright nowadays, more than the economical incentives in Copyright, it seems that Governments, like artists, wish to keep the control of what others shall do with their works, therefore applying their political narrative through copyright.

Israel’s offer for a “Israel Friendly License” shows that we do have a problem: Israel wishes to enforce its political narrative through copyright, by granting a license to use its works solely for those who adhere to its standards. Because the Government does not work for-profit, we can learn, more than from any commercial entity, that fair use is required for criticism, because it is made exactly where people do not want others to use their intellectual property.

WPP, the advertising giant, leased a database that allows profiling more than 500,000,000 internet users and allows showing them, using this information, relevant and tiered ads. The profile based advertising method means that there is no actual knowledge about the specific person browsing the internet, but the advertising companies know better than him what he likes, where he browses and other information.

The collection of the information was made available mostly by third party cookies, the same cookies which are set in your computer when you browse websites by advertising and media companies. These companies have a better understanding than the specific sites they provide services to. For example, if WPP purchases media in websites A and B, it knows who uses both A and B, and moreover, it knows that if C, a person, uses the sport section more both in A and B, it will show him sport-related advertisements when it uses D, a non-sport website.

Well, as troubling as it may sound, just when we are are meant to be calmed down with privacy issues things get worse. Google’s launch of Google Plus, the search giant’s antisocial network, which was meant to be with privacy by design and allows sharing of information according to different circles of proximity: a person could be a left-winged activist for his immediate family, but be a closet right-wing bigot for his school friends. It’s not that the other antisocial-netowork, Facebook, does not have the functionality to create friend lists and share the information, but it’s a lot more complicated there.

So, Google Plus was meant to be a haven for privacy seekers: It brought the best from Facebook, which was a walled garden for many years and from Twitter, which allows asynchronous social contacts (meaning I could add Benjamin Netanyahu as a person I follow, without him having to follow me ). Theoretically, an intertopia.

But the question is: how does Google benefit from Plus? (or what’s the plus for Google). Google is a media and advertising giant more than anything else. It earns money from selling advertising space; therefore it is in need for two indices: the first is the number of webpages viewed by end users and the time they consume in said pages (billboarding) and the second is the quality of the data it has for selling advertisements better (profiling).

In billboarding, Google suffered a grave loss recently; people spend less time in Google’s services and more in the other antisocial network; moreover, Google, that displays advertisements in 3rd party websites, is in fear of the day where Facebook shall launch a competing service and allow displaying “Facebook Ads”. In profiling, Google had a not-so-awful knowledge on your browsing behaviour, the things you liked and the people you connected with, it just didn’t know how to organize them. For example, if you’re interested in three different data, Google did not have the ability to connect datum to datum.

In came Google Plus and helped to solve the two problems: First, at least in the launch date, more and more people use this service to meticulously sort their friends in close circles and spend more time in their website (more billboards and profiling).

Now, all that Google needs to do is to integrate the social network seamlessly in the services it already provides. If Facebook made people take effort to amend their website’s code and display the “Like Button” in one million websites within a year of the product’s launch [which, of course, allows behavioural targerting] then Google could take one simple step to kill the like button, which is reasonable and mean.

A material portion from the websites, as said, implement Google-Analytics, Google’s statistics service that collects behavioural data. It is activated every time that a user browses a website and retrieves a file from Google’s servers which include JavaScript commands that request data and collect statistics. In the same manner, Google could change the file to allow social interaction and display a social toolbar in a same way to how Wibiya interacts with websites, and they can do it without obtaining the websites’ consent.

Indeed, it is not an optimal step and might cause antagonism, but it could be implemented to wipe Facebook’s remains from the earth, just because it already holds a neat market share. At this moment, Google has the best data to sell advertisements, and that cannot be taken away.

This Wednesday I’ll speak in CloudCon 2011, instead of a regulatory lecture, I decided to focus about a technological solution to a legal problem, which I believe might be elegant. I’d appreciate it if you could join me at CloudCon or just come over to say hi.

0. The Cloud and Your Information.
On the verge of the Age of Intelligent Machines, Cloud Computing brings a new era for data processing. The Cloud holds more and more information, where data owners and data subjects lose physical control over it. If the old-world model was that data was about the end-user was held by the service provider, which processed and brought the data to the end-user, the cloud model allows the service provider to hold the information for the end-user at the quarters of 3rd parties. For this brief lecture, we’ll use Dropbox as an example, but when Dropbox’s examples fail, we’ll move on to others. In brief, Dropbox is a storage service which remotely backups your information on Amazon’s S3 Servers automatically. When you Install Dropbox, you use at least one more CSP (Cloud Service Provider) and are subject to its terms.

1. Shared Hosting, Shared Computing, Shared Control [meaning: The Problem];
Now, who has control over your information? Dropbox’s privacy policy suggests that “Dropbox cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process“; also, Amazon S3′s privacy policy which states that “We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements“. Meaning, both Amazon and Dropbox shall abide to law enforcement requests and provide information if a court says so. Generally speaking, this is a good thing.

Let’s take this into proportions, however: Let’s say that I produce Lemonade and have a trade secret: the recipe; I store it in my Dropbox folder, as i need to provide access to several employees and I want it to be backed up securely. Now, my biggest competitor wants to access my Lemonade recipe. He goes to court, and with a good attorney gets an Anton Piller Order (an order allowing him to seize my assets held by a third party before any legal process is in progress); the order is based on his claims that I stole the recipe and the court rules, ex-parte that Dropbox should grant him access to my files. This is done because my competitor’s claim was that Dropbox itself holds the files. Dropbox receives the order and does not know how to treat it: it is unable to understand whether I am the actual owner of the file or stole it, and has to provide the files to my competitor: an order is an order.

There are two material differences that come to mind between cases where I hold the information and where the ISP holds it, and such difference explain the problems of using cloud storage for such sensitive information: (1) If I held the material, the execution of each order had to be with knowledge of such order because the files were stored at my quarters and under my control [see, for example, RCA 1810/10 PCIC v. Kaplan, where a shared hosting provided was requested to reveal the email accounts of one of its users without their knowledge]; (2) The CSP has a rational indifference as to disclosing my information, as if it does not, it might incur liability. Israeli Courts ruled in several cases that active participation and interest in not removing content even after knowledge of infringement may incur liability [For example, C 176992/09 Eti Abramov v. Aviv Frenkel, C 32986/03 Buschmitz v. Refuah]. Therefore, the when you post information on the cloud, you are at risk that your information might be sought by other parties.

The question is whether it is technically possible to do so? meaning, could CSPs access your files? let’s say that, legally, Dropbox’s terms allow such use, and that other CSPs (such as google as providing email services) already ordered to reveal a user’s IP address (C 4854/07 Berlomenfeld v. Google) and disabled access to other accounts. Moreover, Dropbox (and let’s see Dropbox as an example) designed the architecture, it has the ability to recover my files and to recover my password, meaning that it can always bypass its internal security mechanisms.

2. Loss of Centralization;

Now, as we see it, when we discuss CSPs, we know that the control has to move from one centralized user to many distributed players, where each has the ability to disclose the information. At least prima facia, the CSP is considered as a 3rd party that either retains the information or processes it. In such cases, the Israeli Law, Technology and Information Authority has issued a draft set of regulations regarding processing by 3rd parties or outsourcing services.

Now, if I hold sensitive information on 3rd parties, and some of it is held on the cloud, then I have to make sure that my CSPs adhere to a privacy policy that protects my information. For example, if I am a lawyer, I have to notify Dropbox that I am one and that all my information is protected under an attorney-client privilege so that when they receive such Anton-Piller orders, they’ll refuse and defend me. Moreover, I have to make sure that my CSP shall not divulge any personal, private or sensitive information to any 3rd party either with or without my consent.

3. Protecting Yourself from Your CSP;
How can one protect himself from his CSP? Theoretically, there are a few suggestions for Encrypted Cloud Storage (for example, Kamara et al, “Cryptographic Cloud Storage“) which offer theoretical, yet to be implemented, method of encrypting information on the cloud. Generally speaking, their proposal is that “Before uploading data to the cloud, Alice uses the data processor to encrypt and encode the documents along with their metadata (tags, time, size, etc.), then she sends them into the cloud. When she wants to download some documents, Alice uses the TG to generate a token and a decryption key“.

Another technological option is to encrypt the virtual machine’s drive or to use encrypted file systems on cloud storage. Another option is to use an encryption software, such as TrueCrypt on your cloud storage service (such as Dropbox); however, such a solution may be problematic as Dropbox cannot access your filesystem and might have to back up your entire folder each time you change each and every one of your files.

A different approach may be to establish a secret sharing mechanism where the information may be distributed on several different clouds, each holding only a portion of the information (such as in Parakh et al, Recursive Secret Sharing for Distributed Storage and Information Hiding).

However,  these solutions are theoretical and have yet to be implemented by organizations or storage services as an integral part of their scope of services (maybe, apart from this one).

4. Solution[s];

Let’s discuss solutions as well. We need to form a strict set of rules of how to define a cloud system as privacy enabled. Our requirements are that the CSP shall allow: (1) seamless access to the set of files; (2) indexing and searching; (3) sharing parts of the information with 3rd parties; (4) reporting on each authorized and unauthorized access.

Mounting an encrypted virtual filesystem allows three out of the four: access, indexing and reporting. However, in order to share the information with 3rd parties, access to the filesystem has to be granted to the CSP (especially in order to allow sharing, see Y unqi Ye et al, Dependable and High Performance Cloud Storage). The other option is to encrypt each file differently (with different symmetric keys for each file so that no problems with sharing the files exist); however, such option shall not allow search and indexing (or require a central key database), therefore allowing three out of the four conditions.

Even if we assume that the encryption is symmetric, and that each sharespace between  users receives different symmetric keys, then we cannot define the solution as seamless, as in order to convert files from a privatespace to sharespace a client-side conversion of the files is required, as well as when files are copied from a private folder to the shared folder (also, a keyserver is required).

Let’s take, for the solution, Adi Shamir‘s secret sharing mechanism (Shamir, How to share a secret) and for the purpose of this solution define our efficient threshold as one (1) user. In such case, we define the shared folders with at least three cryptographic keys (one for the folder, to be shared with anyone, and one for each user) in such way, each user could read or write to the folder seamlessly, he could also index and search using his key (and the shared key), share the information with others (by adding another key).

Implementing secret sharing in such a case (which was yet to be tested) may allow enhanced privacy with the flexibility of sharing the information through networks and users.

5. Conclusions.

We have yet to implement a technological solution to a legal problem we might face in the near future. The much unrequired loss of control over data stored in the cloud, especially sensitive information, is inevitable nowadays due to current architecture, CPU and bandwidth limits and other problems.

However, theoretically and with a little hassle, an encryption based model may be implemented in order to allow storage of information on remote servers (i.e cloud) where the CSP cannot access the files but the end user may share such files with 3rd parties of his choice.

0.
The Wall Street Journal’s findings that Facebook applications share personal and identifiable information with 3rd parties and advertising networks was not surprising though it echoed in the mediashpere and even made some changes coerced the removal of some applications of the popular social network; However, the disturbing part was what Facebook did not do, and that is to remove Zynga, Facebook’s new strategic partner and the developer of the popular game FarmVille.

1.
In brief, the Wall Street Journal’s findings were that most of the popular applications in the social network transmit or convey information to advertising networks and 3rd parties. These activities go against Facebook’s clause 8 to the developer policy that prohibit the transmission of any personal information obtained from Facebook to an advertising network. The prohibition, of course, is not due to worries on your privacy, but because Facebook wants its monopoly over advertising in the network. Following this publication, Facebook removed some applications by the popular developer, LOLapps, who was one of those who conveyed information and restored it after a few hours (see LOLapps release).

2.
But the removal did not inherently cause from conveying information; but as the Inquirer states, the information was passed because of the way the internet was build, where in every click information about the referring page is transmitted, so at least in some of the causes, advertising companies received the information solely because they knew what was the referring page. On the other hand, one can say that by reasonable steps this security breach would have been fixed and therefore allowing reasonable measures to be taken is one part of security.

3.
Up to here there’s nothing new: Facebook removes a certain application because it infringes on your privacy (and Facebook’s ability to monetize by being the exclusive designated advertiser) and וfour and a half million dollars go down the drain because they solely rely on the Zuckerberg family’s whims, where they determine the laws of the game. However, what needs to be learned is what Facebook did not do, and how it relates to your privacy.

4.
The question why Zynga was not removed from Facebook is the exact signaling for the reason why Facebook removed LOLapps; both applications infringed the same developer agreement and your privacy, however, Zynga signed a commercial agreement with Facebook and uses the Facebook currency as its payment method and promotes Facebook’s business. This was a signaling to other developers: either migrate to Facebook’s services and be a part of the Zuckerberg family’s ecosystem, or find yourselves subject to our whims. Facebook’s commercial dependency on Zynga doesn’t allow Facebook’s interests to remove it; and LOLapps? it can seek its friends elsewhere.

[Originally in Hebrew]

0.
Around two days ago, Israeli ISPs began to block access to certain websites from Israel. The list of the websites is considered confidential, and included, by media reports two websites related to gambling. The issue in matter began around two months ago, when the Israeli police, alongside the tax authorities arrested 28 suspects who were suspected in collaborating with two websites: Stan James and Victor Chandler. Following a brief period of time, the police approached the Israeli ISPs in request to block access to those sites claiming it has the authority to do so by clause 229 to the Israeli Penal Code. Though they had not had a court order, the commander of the police district interpreted his authority enacted in the act, which is defined as “The Chief of a police district may order the closing down of a place where prohibited gaming, raffles or gambling is taking place” as such which governs also the realm of IP addresses and Internet Service Providers. However, up to this moment no ISP has challenged this authority in court.

1.
First, to the question of whether the police actually has jurisdiction according to clause 229 (and see Adv Ori Goldman‘s opinion on the matter); In two cases the courts heard cases which are similar, though none had to face clause 229. The first was the Carlton Case (CR 90861/07 Michael Gary Carlton v. Israeli Police, Dr. Omer Tene‘s explanation on Carlton) where the Israeli police requested to detain a foreign national who was involved in the operation of the Victor Chandler website (blocked now). Carlton stated that as the website does not operate from Israel, the Israeli law does not apply to acts performed outside of Israel by non-Israelites. The court denied the claim, and asserted that Carlton’s acts were illegal as “In light of the fact, that the appellant has the ability to identify the place of the end-user, prior to registering to the website, the appellant and his company’s blind-sight is material. It is expressed by the fact that while they are aware that gambling is prohibited in Israel, and by greed, knowing that the Israeli public is profitable to the company, they do not act in order to block access to Israel“. The other case is related to blocking a file sharing website by request of the record companies (OCR 3485/08 NMC v. Eli Amar. However, the Amar decision was not a reasoned one, but a brief consensual decision.

2.
As a general rule, the Israeli courts ruled that actions which are available to Israelites are under their jurisdiction and the Israeli criminal law may be applied on any activities. However, where the authority under clause 229 applies remain unanswered by Israeli courts, as the supreme court has yet to rule on the interpretation of the matter, without relation to the Internet, and lower courts ruled regarding the clause without actual discussion on the cases, and approved warrants as a matter of habit without discussing constitutional right. In one rare case, the court observed the infringement of constitutional rights (AA (Jer)1666/09 Salima Kazam v. Israeli Police) and explained that the court is too extensive: The police chief has a rare authority to issue, based on administrative ex-parte evidence, a closing warrant which is permanent and constitutional human rights, both a person’s right for freedom of employment according to Basic Law of Freedom of Employment and his right for property according to clause 2 to the Basic Law of Human Dignity and Freedom. This is performed in the same place where the court, even after convicting a person in possession or managing a place of unlawful gaming according to clause 228 to the penal act, may only fine or incarcerate the person“. The court emphasized the personal manner of the warrant, and human rights, even after rejecting the request to quash it. However, in another case, the court ruled that “the warrant is to close a place, it goes with the place and is applied on the place without regards to who operates his business in such place. changes in the identity of the person who operates the place do not affect it … a warrant could be issued even without personal names, where you do not know who operates the place. The warrant has in rem applicability” (AA (Haifa) 538/02 Romach Trade Co. v. Zevulun Police).

3.
However, in one case the district court interpreted the rationale behind 229, where it ruled, interpreting the Supereme Court’s ruling in RCA9140/99 Romano v. State that “The rationale behind the law’s foundations … is not detached from the law’s purpose, which is to rule out social plagues who endanger a person and society” (OCR (Tel-Aviv) 32354/03 Gilian Trade and Marketing v. Israeli Police). The purpose in issuing a 229 warrant was made to assist in preventing the negative impacts of gambling on society, such as criminal activities; the rule is, that the police may act only to enforce the law and not deter or punish (ACD 2316/95 Ganimat v. State, C (Krayot) 15336-01-10 State v. Amiaz); you cannot punish the proprietors of the place, its users and others from legitimate uses in the same way you cannot arrest a person as a penalty.

4.
Therefore, the requested conclusion is that when both gambling and non-gambling occur in a segregated manner, the legal activity cannot be closed down (AA 236/04 The 7th Heaven v. Israeli Police, where other courts ruled, strangely, that 229 is punitive or deterring, AA 1709/09 Amar Razam v. Jerusalem Chief of Police) and the gambling itself the police has to stop, where the collaborators have to be arrested. This conclusion arises from the same constitutional rights, including freedom of employment and right for property and dignity. The police’s authority could not be used to deter and cannot be directed towards activity which is not gambling. The police has to perform its acts in a responsible manner for the public. From here, we address the issue.

5.
First, the police did not act in accordance to its authority under 229: the warrant was not personal and was not addressed to the proprietor of the place, but solely to who provided access to it; a warrant to block websites served to an ISP is like providing the bus company a warrant to remove a bus station next to a gambling house. The ISP is not the proprietor, not the operator and is not the required party. As far as the police has claims against a website, it should address its operators even if they are outside of Israel and initiate criminal proceedings. If the police still believes that the Carlton decision is in force, then they are are free to act with accordance to it.

6.
Second, the warrant’s breath. The warrant, granted against the websites and IP addresses [See Hebrew Warrant] requested to block the website in full, even the parts not related to gambling. For example, if a person plays without waging a bet, solely in thePlay for Fun part of the website, then he is affected by the warrant without need. In such case, the warrant is not narrowly tailored in the means needed and affects constitutional rights. Moreover, providing a warrant against an IP address and a domain is considered equal to closing a shopping mall because one kiosk sells raffle tickets. In contrast to the Amar Razam decision, these are two distinct different groups of users, different communities and uses, and no need to block the play for fun.

7.
This means that we already began the slippery slope (which our ministry of communication rejected): some of the websites blocked are not gambling sites, but only facilitate funds; one case. of KeshCard.com, at least until proven otherwise, is a website for financial services and not gambling. The websites allows payment, amongst other things, for gambling, but is a financial service similar to others and is not different from credit cards; therefore, there is no reason to block it.

8.
Finally, it is quite difficult not to discuss the websites blocked. Though the police know about hundreds of sites, the two families blocked relate to a regulated market in Israel: sports booking. The Israeli Council for Sports Betting regulates and operates the market heavily, and the proximity to the World-Cup, where the Council’s earning skyrocketed, is strange. Moreover, the proximity to the Israeli Anti-Trust Authority’s decision to consider pressing charges against The Pais, Israel’s second licensed gambling operation, after suspicion arose that it entered into a restraining agreement where the Israeli Association for the Soldier which is licensed to act as well, where ISA shall not engage in raffles, against a material donation from The Pais. Moreover, The Pais offered more money to be provided to the country for more gambling rights, and even to pay salaries in local municipalities, and has previously offered to assist the police financially in the struggle against unlawful gambling.

9.
In conclusion, it is quite obvious the censorship could not stand; in order to drop it, a person using KeshCard or plays VC with “Play for fun” (meaning a person who was hurt by the warrant) shall appeal against the censorship to a court. The ISPs forgot what is the public interest they are meant to protect, and the ministry of communication, who’s authority was run over in one police warrant, does nothing.

[Material Comment: I am writing this without the consent or knowledge of any of my clients, and it does not reflect my opinion or any legal review I provided them]

[Originally in Hebrew]

0.
Erez Wolf reports about a serious security problem which resulted from hacking an Israeli website and stealing the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords, where using the presumption that most people use the same login details for most websites, allowed Turkish hackers to hack and deface many user accounts in Facebook, as well as other sites, who depended on the login details in the database. In the Turkish website containing the list, there are more indications of websites hacked, including account details of 70,000 other accounts.

1.
We can point out two problems: the first, which we all know we do, is using the same password in more than one website. Even security experts do it (we call it bitch password) in unimportant websites. The problem is that most people cannot remember more than a few passwords so they use the same password over and over. More than 20% of the passwords people use are in a short 5,000 password list; moreover, people use their birthdate, phone number or SSN as their passwords.

2.
The first problem, however, is the layperson’s problem. The second problem is the law authorities problem. The hacked website kept the passwords in retrievable format in case the user forgets it. Meaning: the password was saved in plain text in the database, and accessible to more than just the website’s administrator. The common method to retain passwords is Password Hashing, which means that the passwords are unilaterally encrypted and the password could only be authenticated, but never restored. By using this method, you could never send the user his own password but only reset it when the user forgets it. Therefore, you need to authenticate the user’s identity in a different form, like email; this ties the user identity and allows more credibility in e-commerce, but has other implications as well.

By using this method, if the database is hacked, there is no way to use the passwords (with one exemption, if the password is a dictionary word and by using Cain & Able). Therefore, you can be certain that if your database is stolen, no one could use it.

3.
The problem becomes a tad more legal when you understand the Israeli Privacy Protection Act which defines Information Security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that an owner of a database, its manager or the holder of it are all liable for the database security and integrity; meaning, that the owner of this website, and whoever provided him with the information security services, are liable for the data protection here and may face criminal sanctions. However, up to today, no criminal charges were brought against people who violated the data protection clauses, but it seems that this time, the the Israeli Law, Technology and Infromation Authority should apply its legal power and apply sanctions.

4.
When the authority wants more and more power, where amongst other powers is the power to search databases, it shows it has the intent to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords show how the lives of people may be hurt solely because of faulty data protection procedures. In any other case where thirty thousand people would suffer damages, the case would seem different. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry, sued and criminal charges were brought.

5.
The information in the database is highly personal, it is dangerous and there are people who are liable for its leak, will they go to prison? I doubt it. However, they did not apply means to protect the data and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]

0.
It is only a matter of time until both the Facebook Application Developers and Facebook Users join together and tell Facebook “there is no taxation without representation” while requesting Facebook both to amend its terms of service for enhanced privacy and allow application developers to rely on business models that are not subject to Facebook’s whims. The sanction, if not understood, is not mass removal of accounts, but blocking Facebook’s 3rd party services when not browsing in Facebook, therefore harming Facebook’s new found business model.

1.
The reason? Facebook has been vigorously expanding its control over both user information and application developers. It began today when Facebook coerced Zynga into an agreement to use Facebook Credits as its currency after a long dispute, and will continue when Facebook will do so to other application developers.

2.
Facebook forgot that it is solely a conduit, the incumbent who provides connection between users, other users and applications. It is not a core application and its business model is not based on being such. Two years ago, I wrote that “In a year or two Facebook’s shareholders will come to their senses and start asking money from the leading hundred applications, as they are allowed to do” … “when you develop a Facebook application or any other social network based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than “more than reasonable” (like investing your pension funds). That’s why, like you wouldn’t deploy a real product without contracting your deployment contractor, you really should consider doing the same with Facebook”.

3.
The time has come when Facebook wants to have its day. Facebook Application Developers raise capital from investors, some VCs target only Facebook apps, other VCs invest in another icy road, iPhone Apps raise capital as well, and quite a lot of it. The iPhone app store is also known to block applications, especially when those applications compete with Apple’s business models. Some day, Venture Capitalists will say to application developers that they will not invest in applications where the conduit may revoke them at any time and for no reason. Therefore, application developers will have to look for stable business models, such as using OpenID as a social network or allowing data portability, applications may prefer to use old social models or rely on Twitter as a social network instead of Facebook, just so they will not be coerced into using a currency of choice. No one will develop for a platform that has no stability (this is why, by the way, net neutrality is so important)

4.
Users, from the other end of the scope, will negotiate with Facebook. Explaining that it may not be as simple as Facebook reckons, and that without users, it is a mere conduit, connecting sockets and bits. “If you want us to stay here“, they will say, “you have to grant us our rights. We want to have the privacy of our choice, we want to have the ability to control, and if you grant us those rights, we will grant you the information you need to sell to ³rd parties“.

5.
Without such negotiations, Facebook is doomed. Funds will not invest in companies who develop Facebook Applications, as these applications have no solid business model, and Users will leave (or block) Facebook. It will remain with a magnificent apparatus that is left unused. And when unused, it will be sold, like scrapmetal.

The Israeli Supreme Court ruled on February that the clause in the Israeli Criminal Procedure Act which allows ex-parte court hearings for suspects in terror or national security crimes was unconstitutional and void (OCR 8823/07 Doe v. State). In the same case, the supreme court balanced between the burden of a democratic state has to face when facing terror within and due process and ruled that a suspect’s right for due process prevails as it is what makes Israel a democratic state:

Harming those who can’t defend from their arrest either by personal appearance or by ‘representative educated appearance’ is a material violation of human rights. it may annul the process and make the legal process void. … When an attorney did not meet the suspect, and the court is prevented as well from asking the suspect and inquiring about matters that need clearing, there is an actual burden on the possibility of exercising efficient and fair legal review. The court, in fact, relies on the statements of one party only. This result is grave in regards to the character of the legal due process and the matter is discussion – limiting a person’s freedom”.

In a same manner, clause 34 to the criminal procedure act states that the right to consult an attorney is one of the basics of due process; without decent representation a person will not have actual knowledge of his rights, will not have his day in court and therefore, any violation of this right, even if indirect, may cause damages to the legal process itself (and see, for this matter, HCJ 1548/07 Israel Bar v. Minister of Homeland Security which discusses the right to consult an attorney via video conference). However, foreign sources report that Israel has, again, not only violated the law, but kept covering it up. According to foreign sources, The Israeli-Arab author Ameer Makhoul was arrested in suspicion of committing crimes against national security and was prevented from meeting his attorney (and thanks to Yossi Gurvitz from Friends of George who referred me to this story). According to the reports, Makoul was prohibited from leaving Israel a month ago by the Minister of Interior Affairs, Eli Yishai, and that was against specific stipulations in Israel’s Basic Statute of Freedom and Dignity which states that “every person is free to exist Israel”.

Two problems come to mind when thinking about this, if it were actually true; the first is that now no one knows what Makhoul is a suspect of. his disappearance by the security services was not reported in the press, and we were not given any information, as a public, as to what he is suspected of. What actually happened is that the public trust that if it were taken by the dead of night for now reason, his friends, acquaintances, family and attorneys would know about it was lost due to the serial disappearance drawn by the government for dissidents. The graver danger in these cases, and cases such as deprevation of Jack Titel‘s right to consult an attorney, is that the damages to the due process would be irreversible. Not only that the public trust would be gone, but a person would not be able to evaluate in an educated manner what to do and sometimes is willing to do anything just to make the torture go away (and see RT 3032/99 Baranes v. State and HCJ 5100/94 Public Committee Against Torture v. Government).

The seconds problem is the gag orders; if in the Anat Kamm affair there were confused bloggers who couldn’t understand how to deal with unknown gag orders, when they understood that the Israeli Police does not want to enforce the gag order on Facebook since its servers are outside of Israel (and that’s in spite of the decision in OR 90861//7 Carlton v. State which ruled that “hiding under the veil that the company operates and runs outside of Israel, its servers are not in the state, does not exempt the appellant and the company he heads from the Israeli criminal law”). But it seems that the police and secret services do not wish for gag orders to become a dead letter and will just ignore the bloggers, and let the farce play in the national media.

No matter how you look at it, the arrest of dissidents and their disappearance does not fit Israel’s character as a Jewish-Democratic state.