Israeli Bill to Block Access to Gambling & Child Porn Websites

Written By: Jonathan under Categories: Cybercrime, File Sharing, Internet, israel, law. It has 10 Comments and was posted on Dec 22, 2012

0.
Israel is to attempt, again, to pass a bill that authorizes police officers to issue warrants to Internet service providers to block or restrict access to specific websites involved in gambling, child pornography or copyright infringement. The bill itself proposes that such administrative procedures shall be clandestine and that court decisions shall be made ex-parte, where some of the court’s rulings will not even be disclosed to the owner of the website, and the court may hear and use inadmissible evidence.

In my opinion, one of the saddest things in a democracy is that powers with authority can change the rules after the game has commenced. This is the story with the blocking of gambling sites, an experiment which began around 2010.

Fortunately, after a lot of hard work by the Israeli Internet Society, The District Court of Tel-Aviv quashed the block and ruled that the police had no authority to order Internet service providers to block access to certain sites or IP addresses (decision now on appeal, see the Hebrew original ruling at AA 45606-10-10 ISOC N. Shachar Ayalon).

However, Israel is famous for presenting bills that bypass constitutional rulings, and now wants to reassert this authority, without limitation, by presenting a new bill: The Bill for Restricting Uses for Preventing Crimes (Amendment – Restriction of Access to a Website and various revisions), 2012 (Google Translation).

1.
You can read a bit more about the bill in Oded Yaron’s article at Haaretz.com (behind a paywall). In general, the bill’s purpose is to circumvent the relevant court ruling and allow the police to block websites. According to the district court ruling, the police’s authority to shut down gambling houses cannot apply to websites. However, the bill’s current ambitions seem to be broader:

Had a certified police officer reasonable grounds for suspecting that the website is used to commit an offense specified in the Second Schedule [gambling, child pornography or copyright infringement - jk], and that there are reasonable grounds for concern that the website will continue to be used for committing a crime unless access is restricted, he may issue a warrant for Internet Service Providers to limit the access to that Web site; a warrant under this section may be issued even if the website also contains activity which is considered legal [or legitimate - jk] provided that the illegitimate activity is the main purpose of the website.

Now, as befits any modern legislation, justice is made but is not seen. Article 3 of the bill discusses the execution of additional warrants, where everything shall be made ex-parte:

“material relating to the request to extend the validity of an administrative restriction or information based on which such request and any other material provided subject of the application process will be made to the judge only; material will be marked and returned to the police officer or authorized claimant (in this section the applicant) after examining “

But it’s not just that material will be ex-parte; in some cases, the ruling itself may be withheld from the appellant. “The court shall notify the owner or occupier and the police officer on its decision under this section, and it may determine that the decision, or parts of it, shall be confidential”.

2.
This means that Israeli citizens may find themselves in a situation where they are subject to a warrant which is confidential. In such a case, they will not be able to challenge such an order, because the grounds for the decision will be unlisted. Sounds interesting? Well, I remind you that when we discussed the Communication Metadata Law, which allows police to receive GPS data on phone and Internet subscribers and records of their phone calls, everything was made in confidential decisions (with no further judicial review on them). Therefore, we do not know how the law is implemented, how these requests were really served illegally, and how judicial review works.

3.
The bill itself is absurd if you understand the Internet: everybody knows that no matter what order blocks a given website, its validity is about as much as that of a police order that the summer temperature shall not exceed 25 degrees Celsius (or, if you’re in the US, that it won’t snow on Christmas). I mean, okay, ISPs will restrict users from browsing, but that’s not actually something that works (proxy servers et al.).

4.
But of course there’s the issue of the slippery slope. The original act, which is to be amended by the bill, gave a judge the authority to issue a warrant under careful review; however, the bill conveys this authority to police officers.

5.
What about additional uses? Well, in order to pass the bill, the police began with offenses considered abhorrent: child pornography and gambling. Clearly, no one will oppose the authority to block such websites if he’s not a pedophile or a gambler. Well, not really. That’s why the phrase “Second Schedule” is used to describe the offenses that are subject to this authority. In fact, the bill asserts a short list of offenses, to which the minister of justice can always add additional offenses. Once the bill is passed, no one can be certain that no additional offenses will enter there.

6.
The real danger here is practice: in the same week where we discovered that the military police apparently investigated a blogger who was exposed using the metadata act without respecting his journalistic immunity and confidentiality of sources, and in the same week as the non-democratic nations want to rule the internet through the ITU convention, Israel decides to publish this bill. And why? Because Israel deems it ok to gamble all your money in the state lottery, but not right when you give money to foreign websites.

Legislating Surveillance: Was the biometric act needed?

Written By: Jonathan under Categories: israel, law, State Secrets. It has 1 Comments and was posted on Dec 4, 2011

0. Abstract.

[This Wednesday I shall lecture at the LiSS working group conference; here is a draft of my lecture] From 2003 until today, the Israeli Government has been working diligently to legislate the biometric database act and the orders and ordinances according to it. However, this biometric database is not the only biometric database in Israel and is not the only database to which government authorities have access. In my brief lecture, I shall present a different approach, asking whether this database act was actually required and what the reasons are for choosing a legislative act. When doing so, I’ll have to ask whether the act of legislation was needed because the social contract was broken, or because it was a megalomaniac act made out of a will to block any different approach to databases.

1. Database Laws, Privacy.

Let’s first understand how government databases operate. The Israeli Privacy Protection Act does not differentiate public sector databases from private sector ones; moreover, article 23D provides any person the right to know about such a database and article 23C provides government bodies the right to request and transfer data from other databases when the action is required by law or by the body’s function. Meaning, if it was its desire, the Government could have set up a registered database and operated the biometric database under that act; but in such a case, it couldn’t have mandated the people to provide their biometric information.

So what could it do? It could have amended the Census Act. The Israeli Census Act is the act regulating the management of the Israeli Census (which, as we already know, was leaked to the Internet); article 2 writes down the fields in the database that are required to be listed. In such case, amending and mandating a person’s biometric data under it could have solved the biometric database problem in a 1-line amendment, without requiring massive legislation.

However, the Israeli legislator decided to pass a 30-page-long act (PDF), which describes the security and use in full detail, and to allow public debate over it. In order to understand why, let’s understand how other government databases work.

2. Government Databases and legislation.

First let’s see what are the databases which were legislated and which weren’t; Meir Sheetrit, the biometric database’s entrepreneur, said that “Israel has enough [other] biometric databases“. However, if we inspect his claims, we find out a different perspective; the one who says who and when is required to provide his information willfully to the database.

Let’s first inspect what are the databases that were legislated under the Israeli Law: The Israeli Anti-Money Laundering Act, The Israeli Census Act (which actually does not establish a database, but only allows the inquiry of information), The Police DNA Database (The Criminal Procedure Act (Searching in a person’s body and taking of identifying information)), Criminal Records (The Criminal Record Act).

On the other hand, there are quite a lot of databases which contain information which is as personal and as sensitive as the legislated databases, including the migrant workers biometric database; the driver’s license database, which includes photographs and, according to the Israeli transportation office, does not require legislation in order to retain a database (where the transportation office provides this biometric information at least to the ministry of interior); the unemployed database, which contains fingerprints of the unemployed; and the Bus Authority database, which contains information regarding passengers and their routes.

3. Why do you legislate databases?

We can see that while some databases were legislated because of their sensitive nature (money laundering, for example), there is no actual difference in sensitivity; there is no actual difference between money laundering information and the biometrics of a migrant worker. We can also say that legislation did not come because of the voluntary nature of the database; a person cannot choose to be unemployed or not to travel by car or bus. None of the non-legislated databases are actually voluntary; they just address specific needs and put the person “agreeing” to provide the information in an inferior place: he is either unemployed, or he wishes to travel to Israel to work, or he may want to drive in Israel or take a bus. These are all daily functions that a person cannot go without.

4. Why Legislation.

Now, let’s go to the theoretical assumption that the biometric database could have been established without any real or substantial legislation. The legislator could have actually just established a national database by issuing an order under the Passport Act, seeing that most Israelis have a passport, and held the information in a way that is “required” to issue a passport; it could have gone the same way the Transportation Office went, and required just the provision of fingerprints. However, the choice to legislate the database was taken. And why?

The reason is the Israeli Privacy Protection Act, but not the article requiring willful consent, nor the article mandating informing the data subject on its rights, but because of article 23C. Let’s inspect the text:

“Notwithstanding article 23b, providing the information is permitted, if not prohibited by any legislation or professional ethics – (1) between public bodies, if one of the following exists (a) providing the information is in the authority or role of the body who provides the data and it is required to exercise a law or a cause by the authority of the data provider or its recipient; (b) providing the database is to a public body who is allowed to demand such information according to law from any other source; (2) from a public body to a government office or another state establishment, or between offices or bodies as such, if the providing of information is required to exercise any legislation or for a purpose in the authority or roles of the data provider or its recipient …”

Well, we do need to read this carefully: There could have been a state-wide database without legislation; however, in such a case the Police could not have been granted access to the information. And why? Because neither article 23b(a)(i) nor article 23b(a)(ii) allow it: The first alternative requires specific authorization under law to disclose the information and the second requires that the police would have been authorized to request the information at source. However, the police are not entitled to coerce a person to give them his biometric information, and the ministry of interior [was] not authorized to specifically assist the police.

Therefore, unlike other databases, the mobility of the information and the detachment between the cause of why it was collected and its use brought the actual need for legislation.

5. Ruling out other factors.

Now, we can inquire about the question of whether this was actually the reason; whether there was a secret hand that required it. The only reason to explain why a 30-page-long bill was passed was explained when alternatives were presented to the government: the rejection of the Adi Shamir proposal, for a non-identifiable database, and the choice to store both a person’s facial photo and fingerprint (where such information is not required to maintain a clean database, see Yoram Oren’s statement: “if the purpose is to reduce a list, then yes”). Meaning, the legislator was presented with at least two alternatives that allow a secure database that does not allow double-inclusion and does not retain so much sensitive data, but rejected them.

Such rejection may be discussed later in courts when inquiring about the constitutionality of the act, but that’s beside the point. The choice of both legislating and deciding on this architecture was made solely in order to allow surveillance.

6. Summary and Conclusions.

We know that the legislator had other options to legislate a database (or not to legislate it); and that it could have allowed it to be used quicker, without any pilot and even with the coercion against the persons, but in such case, the police and other security authorities could not have obtained access to the database. Therefore, the sole purpose of addressing legislation is in order to allow such access, and unless we can rule this out, this is the true purpose of the database.

Biometric Database: A call for action

Written By: Jonathan under Categories: israel, law. It has 1 Comments and was posted on Jun 4, 2011

Last Thursday marked the final approval of the biometric database regulations and the biometric database order in Israel; the regulations and order were approved by a special panel attended solely by Meir Sheetrit and Abraham Michaeli, where Sheetrit was the initial entrepreneur of the Biometric Database in his position as minister of interior. This marks the end of a two-year process that began when the Knesset approved the biometric bill. The discussions prior to the approval were on who shall be granted access to the citizens’ biometric database (but not on whether it’s really needed). According to the biometric law, any citizen or resident that shall join the database shall have to provide the ministry of interior his fingerprints and a photograph of his face, which will be stored in a central database which may be accessible to the ministry of interior, the police and other security services.

Following the public protest, made mostly on the internet, it was decided that the database shall commence with a pilot program which shall be no longer than four years. During this term, which shall commence this November, the necessity of the database shall be examined (however, recent statements show that the pilot is not actually a pilot). The only way you can help during this pilot is to refuse to provide the government with your fingerprint.

On the actual question of why the biometric database is dangerous to you and your country, there are numerous answers which were already raised by experts and discussed over and over again. Briefly, the stated purpose of the database is to prevent forgery of identity cards (and identities). However, in order to prevent identity theft and ID forgery there is no actual need for a biometric database and several other methods already exist, including electronic identification cards. However, as we learned from a recently leaked document, the only reason that a biometric database is required was to pass information to the police about the citizens of Israel. We learned so when the police rejected a safer means of storing biometric information detailed by Prof. Adi Shamir (the S in RSA), claiming that it cannot utilize the database if made in the Shamir method. And yes, the same police that uses extreme violence on protesters from right and left, against Arabs and against social activists.

Another reason to object to biometric identification and the biometric database is that once your biometrics is your unique identifier, then anyone with access to this information could possibly steal your identity. And of course I need not remind you that you leave your fingerprints on any cup of coffee you drink, right?

So, once we passed the “why we detest a biometric database in two paragraphs or less” the question that comes to mind is how you, as citizens, could protest against it. First, you have to understand that the state is going to try as hard as it can to persuade you to provide it with your fingerprints; the bureaucrats and clerks in the ministry of interior are obliged, by the national order, to offer you to join the pilot. Yes, in the same way that your grocery store clerk is obliged to offer you to join their value club, so does the clerk in the ministry of interior have to offer you to join the experiment.

However, one of the criteria set in the pilot is how many people did not join the database out of the entire population; these people have to be you. Beginning November first it is your civil duty to go to the ministry of interior’s offices and have new, non-biometric, cards, so that your refusal to enter the pilot will be counted and in two years time, when the pilot shall be examined, the parliament shall find out that no one wants it.

If you will not do so, then you will find yourselves in two years with a biometric database, that like any other database held in Israel, makes us forfeit our privacy.

[Originally published in 972Mag]

NebuAd, The Public Interest and Enforceable Agreements

Written By: Jonathan under Categories: law, wiretapping. It has 0 Comments and was posted on Dec 26, 2010

[or: "aren't there some words you could add to the terms and conditions to make this sh*t legal?"] The latest ruling in Mortensen v. BRESNAN COMMUNICATION, LLC, Dist. Court, D. Montana 2010 is interesting in so many ways (you can read a full summary of the case and a short review at Eric Goldman’s blog). To sum up, a class action lawsuit was filed against an internet service provider who operated a service that examined its users’ traffic, injected a cookie inside their computer and, according to their browsing habits, offered them advertisements (the service, NebuAd, was discontinued in the meantime). In court, the ISP raised a claim that its users are subject to an agreement that allowed it to inspect their traffic, and therefore the Electronic Communication Privacy Act (ECPA) claim should be denied. The court accepted most of the ISP’s claims and ruled that apart from the question of whether injecting the cookie was consensual, the remainder of the lawsuit should be denied.

Unfortunately, the court addresses the consents granted in the agreement in an exaggerated manner and leans on the agreement not being an agreement of adhesion or unconscionable (and in comparison, see Harris v. Blockbuster Inc., 622 F. Supp. 2d 396 – Dist. Court, ND Texas 2009). However, the substantial question is whether this agreement is the only instance that sums up the relations between the parties. In general, most non-lawyers tend to think that an agreement between A and B could influence the question of whether B’s actions against C are legal or not. This misunderstanding is somewhat popular with internet entrepreneurs who perform problematic actions legally, and would rather create agreements to protect them than shape their privacy policy in some ethical manner (see, for example, the District court ruling in RPA 2542/03 Suissa v. Bar Haim).

However, the problematic question is about NebuAd’s infringement of the rights of the holders of other websites that the ISP’s users browse to (and see, in comparison, the same question in regards to advertisement blocking): NebuAd utilizes information which is, prima facie, the property of other websites (the identity of their users) and commits (even in a minor way) amendments to their source code. Similar activities are performed by companies such as Phorm, where users’ browsing habits are analyzed. Allegedly, when a user browses website A, he receives a derivative work which was created by the NebuAd servers, which harms the work’s integrity, infringes the author’s copyright and enriches NebuAd unjustly. This proposition is required to understand the problems facing the ISP: unlike a toolbar, which is installed by the users with active consent, for personal and private use, this is an application that in part infringes the reputation and tools of others.

For example, when Bezeq International, one of Israel’s major ISPs, launched a service that hijacked some of its users’ traffic for promotional uses, the end users’ consent (or lack of it) could not affect the rights of 3rd parties (innocent 3rd parties who preferred that Bezeq International would not block them and that their freedom of speech and expression would not be harmed by it). Thus, in this case, the question is not whether the users were harmed by the placement of a cookie in their computer and whether they consented that their traffic would be intercepted, but whether an ISP may even provide such a service that manipulates packets (consensually or without consent).

This is, in my humble opinion, the original error of the court; the court should have considered unconscionability according to the public interest (and the freedom of the internet). According to the Israeli caselaw, the court has inherent powers to preempt agreements, even if the parties still agree on them, when these agreements go against the public interest (see, for example, CA 6601/96 AES System Inc. v. Saar). In Saar, the court ruled that:

“We are facing the invalidity of a contractual stipulation due to the public policy. We found that the perspective is the of the people’; therefore, “the legitimacy of the parties’ interests is determined from the perspective of the public interest. Moreover, the different human rights – such as the freedom of contracts, freedom of employment,  right to property and other human rights – express both a private and a public interest. Indeed, we should not separate between legitimate interests of the parties (excluding banal interests) and the public interest.. We are interested in the public interest, which accepts all the relevant information, including the parties’ legitimate interests“.

Meaning, not only should we consider the interests of the ISP and the user, but the entire public, including the relationship between NebuAd and parties who are not a part of this agreement. In such case, the court should inspect what constitutes as reasonable policies. I want to believe that the final decision will come to a different arrangement, as currently it is quite problematic.

[Originally posted in Hebrew here]

Licensing, Lawyers and the EULA Generator

Written By: Jonathan under Categories: copyleft, copyright, law. It has 1 Comments and was posted on Oct 7, 2010

Software, as a matter of principle, is usually licensed but not sold; this is what the recent ruling in 42:07-cv-01189-RAJ Vernor v. Autodesk was all about. Therefore, usually, when a person sells (or licenses) software, the end user signs or accepts an End User License Agreement (EULA) which includes the array of rights and duties attached to the software itself.

Copyright laws limit the rights to create copies or distribute software without the original author’s permission, and the EULA is the permission to hold the end-user’s copy of the software. Without the EULA, any action performed may infringe on the author’s copyright. However, both clause 12 to the Israeli Copyright Act and clause 106 to the US Copyright Act do not limit the use of software, solely its copying and distribution. The court ruled in Vernor that the author may limit consumer rights and therefore software developers may limit the way that their end-users will use software or interact with other components.

However, most software developers prefer to use EULAs in order to allow the use of the software and not sell copies, so that they could redefine the rights attached to it. For example, clause 24 to the Israeli copyright act allows modifying copies of software for security purposes, and courts have also acknowledged that consumer rights may overcome EULAs (MAI Systems Corp. v. Peak Computer, Inc., 991 F. 2d 511 – Court of Appeals, 9th Circuit).

While the courts were not supportive in acknowledging the consent to these agreements in all cases (Specht v. Netscape Communications Corp., 150 F. Supp. 2d 585 (S.D.N.Y.2001)), it is quite obvious that they govern the ability to distribute, but not use, the software (CV 07-3106 SJO UMG v. Augusto). Meaning that the need of a software license is meant to define what exactly is the relationship between the developer and the end-user and rearrange the rights attached to the copyright laws.

Out of this need, to provide end users with a clear and simple license, lawyers earn a good living. Every software developer has a simple choice: should he pay a few thousand dollars to a lawyer who will draft a document in non-readable legalese, or release the software without any license and hope for the best? The licenses, usually, contain liability limiting clauses (and see, for example, clauses 15 to 18 to the Windows XP EULA, which limit Microsoft’s liability to any damage and for any cause).

A EULA should come in any place where code is conveyed, but not for web-based services, where a copy of the work is not distributed. Therefore, the difference between EULAs and Terms of Service, which are an agreement regarding the use of the service, should be acknowledged.

Now, after understanding this, we can relate to the subject matter. This week, binpress launched its beta service. Binpress is a commerce platform for web applications and allows web developers, and any other person who wrote a script, plug-in, code or service, to upload the code and sell it to others. Amongst other things, it allows the developers to create their own software licenses and save the costs of drafting a license by using the generator, picking what rights apply to the end-user and what don’t (full disclosure: I wrote the modular license agreement). For example, the developer could pick whether the person who bought the software may distribute it to other people (a developer license), the term of the license, and how many cores and websites may use the software. Eran Galperin wrote a comprehensive post about binpress’ licensing mechanism that you should read.

In brief, the system is quite similar to the Creative Commons license generator, by allowing the user to pick what license he wants for his software and what rights are attached to it. The difference is that binpress’ license is commercial and for web applications.

Then why should I, as a lawyer, cooperate with a system that may take away money I could charge my clients for EULAs and allow my future potential clients to write licenses by themselves? Theoretically, any person who develops applications could choose binpress as his marketplace and save the cost (and see also my Hebrew post on Freemium by lawyers). Well, the answer is double: the first is that the system is dedicated to web applications which are sold by binpress. Meaning that whoever develops large-scale software, commercial distributions or software containing more than a mere conveying of code (like validation keys) would still have to find a lawyer to draft an agreement. The second is simpler: I believe that this system does not prevent lawyers from earning money, it just makes their living more efficient.

Most licenses you read are generic and written in a way that no human could grasp or read; they were written by chewing hundreds of requests and demands time after time and served to developers without any understanding. In contrast, large systems with legal questions of privacy, open source and real legal problems would still need legal consultation and will avoid using this system.

Therefore, the generator does not harm my earnings and does not replace my legal work; it just allows the end-user to make an educated choice between paying a few thousand dollars when he doesn’t need to and tailoring the agreement for himself. When it’s a developer who sells a few copies every day for a dollar or two, it’s not right to pay that much for legal counsel.

[Originally in Hebrew]

On Electronic War Crimes

Written By: Jonathan under Categories: Cybercrime, israel, law, State Secrets. It has 2 Comments and was posted on Sep 27, 2010

A rumor was spread that Israel was the brain behind an elaborate trojan horse, Stuxnet, which allegedly penetrated into the Iranian nuclear reactor and apparently caused damage. The trojan horse contaminated some civil facilities as well. The trojan horse, which utilizes no less than four different zero-day vulnerabilities in Microsoft Windows, seems interesting and elaborate. However, the alleged involvement of Israel, alongside the claim that civilian facilities were damaged in the act, raises one interesting question: Could there be electronic war crimes?

The Public International Law, which bases the humane treatment to civilians in the different Geneva Conventions, sets the standards to use in times of war and defines acts prohibited by states in order to keep wars as civil as possible. The different conventions limit force and sanctions against civilians, but do those treaties and conventions apply on electronic warfare?

Prima facia, article 53 to the fourth Geneva Convention which deals in protecting civilians in times of war states that “Any destruction by the Occupying Power of real or personal property belonging individually or collectively to private persons, or to the State, or to other public authorities, or to social or cooperative organizations, is prohibited, except where such destruction is rendered absolutely necessary by military operations“. However, the fourth convention applies only, in this article, to occupied territories (Prosecutor v. Dario Kordic, Mario Cerkez). In contrast, the 1977 protocol amended and added to article 51 and stated that “Indiscriminate attacks are prohibited. Indiscriminate attacks are:those which are not directed at a specific military objective; “. Meaning that an electronic attack against civilian property that couldn’t discriminate between military and civilian facilities are prohibited (However, most states have not adopted the 1977 protocol).

Jack Goldsmith states that the inability to determine which computers are military and which are civilian may protect the use of computer viruses in electronic warfare, but I reckon the other way around: In the same way that indiscriminate shooting against innocent civilians is a war crime, so is using a trojan horse that does not differentiate between civilian and military computers. The indiscriminate use is as prohibited as the use of chemical weapons which cannot discriminate between civilians and soldiers. It is not a coincidence that the terminology is the same: computer or biological viruses.

And what about the civil liability? Theoretically, the state immunity (and liability) should be limited in times of war (and see, in Israel, The Act of Civil Torts (State Liability) 1952) and the state should not be liable for acts where the state protected itself; however, this doctrine should not be used in cases where civil damage arose when the state knew, should have known and foreseen the damage (HCJ 8276/05 Adallah v. Minister of Defense). Therefore, the civilian casualties in Israel’s alleged cyber-attack should have liability against it.

In Linux It Wouldn’t Happen: Russia, Microsoft and the Politization of Copyright

Written By: Jonathan under Categories: copyleft, copyright, Cybercrime, law, State Secrets. It has 1 Comments and was posted on Sep 14, 2010

Intellectual Property laws have more than a few political implications; many times issues of political speech interfere with copyright. For example, Shepard Fairey, an artist who authored the famous “Hope” poster for Barack Obama, was sought by the Associated Press for copyright infringement as the image of Obama was based on a copyrighted photo (and in Israel, the Supreme Court will soon hear a similar case, RCA 7774/09 Weinberg v. Weisshoff, where the Defendant is sought for copying a photo the Plaintiff took into a coin made in memory of the assassinated prime minister, Yitzhak Rabin). In another case, the US Senate candidate, Sharon Angle, is sought by the proprietors of rights to newspaper articles for presenting copies of the articles in which she appeared on her personal website, and there are more cases; mostly, these cases are borderline in relation to copyright protection, but they are classical monetary suits, not political.

In contrast, the story which was spread in the press during the last few days was no less surprising, but at least ended in an interesting manner. Two days ago, the New York Times reported that the Russian government and police use copyright laws in order to suppress political dissidents. The system worked as follows: The Russian police used its granted authority to enforce copyright laws in a violent manner (and it did so in the past, where it sent a school principal to prison for using unauthorized copies of Microsoft Windows) and claimed that copies of Microsoft Windows installed on the dissident organization’s computers are unlicensed (pirated – jk); In Russia, where the unlicensed software rates are only second to the Israeli conviction rates by a person’s confession, it is more than likely that a political organization will use unauthorized software.

First, it was reported that Microsoft encouraged the enforcement as a part of its zero-tolerance to copyright infringement policy; however, after suffering from damage to its public image, apparently, it decided to reform its licensing policy, so that a general license will be granted to non-profits in order to protect them from political pursuit. In a post published by Brad Smith, Microsoft Senior VP and Counsel, he explained that Microsoft could not be a part of this and must take an ethical stand.

The claim may be true, but it could also reflect a wise business approach. Until today, Microsoft profited from unlicensed use in 3rd world countries. Microsoft also knows that if raids like this continue, dissidents will stop using Windows and move to open source software, and primarily Linux, in one distribution or another. Moving to Linux is unilateral, it changes a person’s point of view: from organizations that were dependent on a specific software to a part of a larger community; Most organizations that hear about open source are enchanted by it, they have an option to donate, contribute, change, share information and not just run the program.

Moreover, Privacy Enhancing Technologies are more available on open source operating systems. From the EXT4 file system which comes by default in Ubuntu and encrypts your hard drives (similar to Microsoft’s BitLocker, but it just works), through TOR servers that reduce censorship: Open Source is the new haven of dissidents.

Therefore, Microsoft’s blanket license comes to heal a small shallow scratch, not the problem: Copyrights are ill, and Microsoft took the right way to take care of it: acknowledging that non-profit use is fair and allowed. However, until further technologies, innovative ones, will protect dissidents, the raids will continue. Today it’s the operating system, tomorrow, the word processor, afterwards? image editing programs.

On Constant Surveillance and Privacy, why Quantity Matters

Written By: Jonathan under Categories: law, security. It has 0 Comments and was posted on Aug 7, 2010

The US Court of Appeals’ ruling in Maynard v United States amends and reinstates to certainty the right for privacy in public places. Around two years ago I said that “the problem with ongoing photographing in the public domain is a different problem than the random photography that Google performs when it maps our state, it is the moment where photography becomes surveillance, a harassing act. Photography becomes surveillance when it is ongoing, when the use of the photo is for purposes other than displaying it and where the quality of the photo is too good to be only used for demonstration”. My opinion was rejected by the state and step by step it began installing surveillance cameras in municipalities, and even insisted that businesses convey information to the authorities, including their video feed, even from businesses who didn’t want to, like information about crowds in bars and pubs. Today, following the court’s decision in Maynard, it seems that all this intrusive apparatus may be quashed, or at least any evidence gained by it may be repealed.

Material which was obtained through invasion of privacy will be disqualified from being submitted as evidence in court, without the consent of the person harmed, apart from where the court allowed, for special reasons which will be listed to use the material; or if the infringer, which was a part of the process, had a defense or exemption under this act (clause 32 of the Israeli Privacy Protection Act)

In the case of Maynard, we are inspecting the appeal of his co-conspirator, Jones (EFF has a brief on the ruling). Jones’ case was quite simple: the police suspected that Jones and Maynard were involved in drug dealing and installed a GPS Tracker without a warrant. The police used the information to follow Jones’ steps during a month and learn his routes. In the court, Jones raised the constitutional claim that this was an invasion of his privacy and therefore the charges against him should be rejected; the court rejected Jones’ claim and said that when a person is in public places, traveling where any person can see him, a GPS tracker does not infringe on his right for privacy, as he does not have a reasonable expectation of privacy.

The court’s claim explains how the right for privacy is a delicate one when it comes to digital privacy where the quantity becomes quality. The court of Appeals explained that in Jones’ case: “A reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination, and each place he stops and how long he stays there; rather, he expects each of those movements to remain ‘disconnected and anonymous’”.

Indeed, a reasonable person does not believe that when he is out in the public he will be followed at all times, the reasonable person believes that he will be exposed to photography in random acts (C 6023/07 Afriat v. Yedioth) but not constant ones, or to photographs where he is in the background, or smiling to the camera (CA 1055/09 Shertzer v. Samira), the reasonable person believes that he can tell a photographer he does not wish for him to publish his picture, and may be entitled to do so (RCA 6902/02 Tzadik v. Libak) but may not always be allowed to revoke his consent to use his photos. The reasonable person does not believe that an elaborate web of cameras will track him at any moment and prevent him from even breaching the most minor acts, or being subject to constant surveillance. Therefore, the Maynard decision explains how a single act, which is not infringing by itself, may become one when repeated.

For exactly the same reasons, the CCTVs in municipalities are infringing on everyone’s privacy. When the discourse began, I was too formalistic and claimed that the rationale to oppose them is the lack of authority of municipalities to enforce the law; I was wrong. Even if they had the authority, they would still violate my privacy.

[Originally in Hebrew]

For Profit: Shertzer v. Samira and Creative Commons

Written By: Jonathan under Categories: copyleft, copyright, law. It has 1 Comments and was posted on Jul 27, 2010

The District Court’s decision in CA 1055/09 Liat Shertzer-Bar v. Rebecca Samira (see also Haim Ravia‘s summary) is a substantial decision not only under privacy protection laws, but in lex informatica altogether, amongst other things, as it discussed for the first time what is use of a person’s name, nickname, image or voice for profit. The Israeli Privacy Protection Act prohibits such use in clause 2(6), and the use was materially discussed by the Israeli Supreme Court (for example, see CA 8483/02 Aloniel v. McDonalds), but the question of what is considered for profit remained open.

By oversimplification, the facts of the matter are: Liat Shertzer was a guest in a wedding around 2002. Around 2007, she discovered that a photograph from the wedding, where she appeared in the background, appears in a website of a bridal salon. By the magistrate court’s findings (C 47047/07 Shertzer v. Samira), Shertzer appeared in the background, where the bride, wearing the dress designed by the defendant, was in the center. Shertzer petitioned the court for invasion of privacy (Israeli Privacy Laws cover Publicity Rights, unlike other jurisdictions), where the magistrate court denied her suit, ruling that the plaintiff provided consent by conduct and the lawsuit was to be rejected by the de minimis clause. Upon these findings, Shertzer appealed.

The District court discussed, in brief, two material questions: the first is what is for profit, and the second is the de minimis defense in invasion of privacy. The second claim was detailed, with detailed court precedents and literature, where the court ruled that not every invasion warrants compensation and that there are cases in which the matter is immaterial, where a claim under the privacy protection act is to be denied (and see, in comparison, C (Tel-Aviv) 37759/07 Shochat v. Maariv). The idea was to deter false plaintiffs and people who want to gain compensation just because their photograph was in the background of a photo in a newspaper or where a name similar to theirs was used (and see, for example, C (Jerusalem) 6157/04 David “The Best” Devash v. Adler Homsky).

In contrast, the second question is material, and did not gain the proper discussion in the decision, amongst other things, because it is the first time where this question was raised. The question of when was a profit made by using a person’s name was yet to be answered (and compare C (Haifa) 534-08 Hava Koren Israeli v. Shai Cohen, where the district court accepted that celebrities do not have a right for privacy when using their names under the privacy protection act). The court asserts, clearly, that “in order to assert such damage, the defendant has to show causation between the image where his image appears, and the profit purpose in the use”. Such assertion allows interpretation, for the first time, for a long discussion which was in the copyright field.

One of the most popular licenses in open content is the Creative Commons Attribution Share-Alike Non-Commercial. The license, generally, allows use of others’ works, as long as three terms are met: (1) proper credit is granted; (2) any work based on the original work must be released under the same terms; and (3) the use of the work would be for non-commercial purposes. The uncertainty of what is “non-commercial” caused a long study about what non-commercial is, which resulted in inconclusive findings. As a result, the question of whether works released under this license may be used in websites that, for example, show advertisements remained unanswered. The Shertzer ruling may, at first, provide us with a prism through which to understand what “non-commercial” means (though there is a difference between non-commercial and for-profit).

The causation requirement is a material and coherent test. Meaning that if I use images for illustration in a website, one cannot prove, distinctly, that there is a statistical and direct connection between such display and my profit from advertisements (even in cases where I use the image in websites that are behind a paywall). Direct profit comes when there is trade in the work, meaning, by trading or by building a business model which results in income as a result of using the content.

Therefore, the question of what is non-commercial is a factual and hard one, but does not come from the nature of the user, but from the nature of the use.

[Originally Published in Hebrew]

Password Hashing and Criminal Liability

Written By: Jonathan under Categories: Internet, israel, law, security. It has 0 Comments and was posted on Jul 17, 2010

0.
Erez Wolf reports about a serious security problem which resulted from hacking an Israeli website and stealing the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords. On the presumption that most people use the same login details for most websites, this allowed Turkish hackers to hack and deface many user accounts on Facebook, as well as on other sites, that depended on the login details in the database. In the Turkish website containing the list, there are more indications of websites hacked, including account details of 70,000 other accounts.

1.
We can point out two problems: the first, which we all know we do, is using the same password in more than one website. Even security experts do it (we call it bitch password) in unimportant websites. The problem is that most people cannot remember more than a few passwords so they use the same password over and over. More than 20% of the passwords people use are in a short 5,000 password list; moreover, people use their birthdate, phone number or SSN as their passwords.

2.
The first problem, however, is the layperson’s problem. The second problem is the law authorities’ problem. The hacked website kept the passwords in retrievable format in case the user forgets it. Meaning: the password was saved in plain text in the database, and accessible to more than just the website’s administrator. The common method to retain passwords is Password Hashing, which means that the passwords are encrypted one-way, so that a password can only be authenticated, but never restored. By using this method, you could never send the user his own password but only reset it when the user forgets it. Therefore, you need to authenticate the user’s identity in a different form, like email; this ties the user identity and allows more credibility in e-commerce, but has other implications as well.

By using this method, if the database is hacked, there is no way to use the passwords (with one exception: if the password is a dictionary word, by using Cain & Abel). Therefore, you can be certain that if your database is stolen, no one could use it.

3.
The problem becomes a tad more legal when you understand the Israeli Privacy Protection Act which defines Information Security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that an owner of a database, its manager or the holder of it are all liable for the database security and integrity; meaning, that the owner of this website, and whoever provided him with the information security services, are liable for the data protection here and may face criminal sanctions. However, up to today, no criminal charges were brought against people who violated the data protection clauses, but it seems that this time, the Israeli Law, Technology and Information Authority should apply its legal power and apply sanctions.

4.
When the authority wants more and more power, where amongst other powers is the power to search databases, it shows it has the intent to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords shows how the lives of people may be hurt solely because of faulty data protection procedures. In any other case where thirty thousand people would suffer damages, the case would seem different. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry, sued and criminal charges were brought.

5.
The information in the database is highly personal, it is dangerous and there are people who are liable for its leak, will they go to prison? I doubt it. However, they did not apply means to protect the data and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]