Putin’s Pussy Scandal may Be Inspiration for Israel

Written By: Jonathan under Categories: israel, justice, security. It has 0 Comments and was posted on Aug 20, 2012

0.
A few months ago, Russia’s president, Vladimir Putin, arrived in Israel for a brief visit. The President, who receives embarrassing support from Israel’s minister of foreign affairs, Avigdor Liberman, and almost magical admiration from Knesset member Anastasia Michaeli, also received a warm hug from the Israeli government’s leaders, first and foremost Benyamin Netanyahu. Actually, there’s no room for doubt that there is a strong link between the two states. However, another embarrassing affair that Putin had to face recently may show that Putin is the one admiring Israel, and not vice versa.

1.
Israel is known for times when its legal system falls victim to political constraints from left to right, and not just in the higher courts, but in the magistrate courts as well. Sometimes, indictments are colored more politically than usual, and are attached with circumstances that cannot allow acquittal. The stories of Jonathan Pollack, who was convicted for riding his bicycle slowly in a demonstration against the Cast Lead Operation and was sentenced to three months in prison, and of Rahamim Nasimi, who blocked a road during anti-disengagement protests and received the same penalty, show that there’s a problem in the method. The problem is that demonstrations are often meant to disrupt the public order, offend, hurt and show the government that there is criticism and it’s not nice: but these have to be the rules of the game. Protesters are allowed to be rude, disgusting and violate the public order; the police, on the other hand, cannot be brutal and have to respect political expression, since if they do not, we will live in the “Ok State”.

2.
And that’s the case of Pussy Riot, a Russian feminist band that decided sometime in February to organize and demonstrate in a spontaneous way to protest against Putin. During the last weekend, three members were sentenced to two years in prison after being charged with harming the public order with religious circumstances; of course, there was no relation to the content of the expression, but to the deed itself: the members of Pussy Riot organized in a public place, offended the public, and tried to protest against the current situation. If they had protested where they are allowed to, in their homes, then no one would have heard about Pussy Riot.

3.
It is quite doubtful that this could be perceived as a just trial, even though the Russian public supports it; but that is the case: when the political hooligans are indicted, the content of the speech is not mentioned, and therefore not discussed in court. They say “he was a hooligan, and we don’t care if it’s left or right, if it was a toothpaste advertisement or a protest against a mayor. What offends us is the breaking of the public order”. In this case, you cannot put up a defense that says “look at the content and not the form”, because the content is indisputable. So, the architecture of the trial prevents justice.

4.
And this is how Israel is so close to Putin’s dictatorship: even here there is hard work to limit protest, and of course it’s not political at all: a simple policy of requiring a license for every activity of public expression is perceived by the court as a way to preserve public order (AA 6095-07-12 Hatzav v. Tel-Aviv). It’s not just a saying: the Tel-Aviv municipality issued an administrative order stating that “festivities and any other activity to express an idea, opinion, value, demonstration, meeting, ceremony, solidarity, fund raising, belief or world view – which is not made in cooperation with the municipality” has to obtain its consent. Meaning that if I sat down with a friend on Rothschild Boulevard to discuss my opinion about the country’s financial status or the street’s garbage, I would have to approach the municipality’s CEO, fill out the proper forms and obtain a permit.

These procedures are not only unlawful, but they make Putin ovulate from joy. The resemblance, the inspiration; maybe he should receive royalties for it.

5.
And in the meantime? Israel does not have a local Pussy Riot. And maybe it’s for the better; their music is not so soothing. But until we have one, we all have to admire King Bibi.

[Originally In Hebrew]

Privacy and Data Protection in the Cloud [For CloudCon 2011]

Written By: Jonathan under Categories: File Sharing, Internet, security. It has 4 Comments and was posted on Mar 29, 2011

This Wednesday I’ll speak at CloudCon 2011. Instead of a regulatory lecture, I decided to focus on a technological solution to a legal problem, which I believe might be elegant. I’d appreciate it if you could join me at CloudCon or just come over to say hi.

0. The Cloud and Your Information.
On the verge of the Age of Intelligent Machines, Cloud Computing brings a new era for data processing. The Cloud holds more and more information, and data owners and data subjects lose physical control over it. If the old-world model was that data about the end-user was held by the service provider, which processed and brought the data to the end-user, the cloud model allows the service provider to hold the information for the end-user at the quarters of 3rd parties. For this brief lecture, we’ll use Dropbox as an example, but when Dropbox’s examples fail, we’ll move on to others. In brief, Dropbox is a storage service which automatically backs up your information remotely on Amazon’s S3 servers. When you install Dropbox, you use at least one more CSP (Cloud Service Provider) and are subject to its terms.

1. Shared Hosting, Shared Computing, Shared Control [meaning: The Problem];
Now, who has control over your information? Dropbox’s privacy policy states that “Dropbox cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process”; Amazon S3’s privacy policy likewise states that “We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements”. Meaning, both Amazon and Dropbox shall abide by law enforcement requests and provide information if a court says so. Generally speaking, this is a good thing.

Let’s put this in proportion, however. Let’s say that I produce lemonade and have a trade secret: the recipe. I store it in my Dropbox folder, as I need to provide access to several employees and I want it to be backed up securely. Now, my biggest competitor wants to access my lemonade recipe. He goes to court, and with a good attorney gets an Anton Piller Order (an order allowing him to seize my assets held by a third party before any legal process is in progress); the order is based on his claims that I stole the recipe, and the court rules, ex parte, that Dropbox should grant him access to my files. This is done because my competitor’s claim was that Dropbox itself holds the files. Dropbox receives the order and does not know how to treat it: it is unable to determine whether I am the actual owner of the file or stole it, and has to provide the files to my competitor: an order is an order.

There are two material differences that come to mind between cases where I hold the information and where the ISP holds it, and these differences explain the problems of using cloud storage for such sensitive information: (1) If I held the material, each order would have to be executed with my knowledge, because the files would be stored at my quarters and under my control [see, for example, RCA 1810/10 PCIC v. Kaplan, where a shared hosting provider was requested to reveal the email accounts of one of its users without their knowledge]; (2) The CSP has a rational indifference as to disclosing my information, since if it does not disclose, it might incur liability. Israeli Courts ruled in several cases that active participation and interest in not removing content even after knowledge of infringement may incur liability [for example, C 176992/09 Eti Abramov v. Aviv Frenkel, C 32986/03 Buschmitz v. Refuah]. Therefore, when you post information on the cloud, you are at risk that your information might be sought by other parties.

The question is whether it is technically possible to do so; meaning, could CSPs access your files? Let’s say that, legally, Dropbox’s terms allow such use, and that other CSPs (such as Google, as a provider of email services) were already ordered to reveal a user’s IP address (C 4854/07 Berlomenfeld v. Google) and disabled access to other accounts. Moreover, Dropbox (and let’s take Dropbox as an example) designed the architecture; it has the ability to recover my files and to recover my password, meaning that it can always bypass its internal security mechanisms.

2. Loss of Centralization;

Now, as we see it, when we discuss CSPs, we know that the control has to move from one centralized user to many distributed players, where each has the ability to disclose the information. At least prima facie, the CSP is considered a 3rd party that either retains the information or processes it. For such cases, the Israeli Law, Technology and Information Authority has issued a draft set of regulations regarding processing by 3rd parties or outsourcing services.

Now, if I hold sensitive information on 3rd parties, and some of it is held on the cloud, then I have to make sure that my CSPs adhere to a privacy policy that protects my information. For example, if I am a lawyer, I have to notify Dropbox that I am one and that all my information is protected under an attorney-client privilege so that when they receive such Anton-Piller orders, they’ll refuse and defend me. Moreover, I have to make sure that my CSP shall not divulge any personal, private or sensitive information to any 3rd party either with or without my consent.

3. Protecting Yourself from Your CSP;
How can one protect himself from his CSP? There are a few proposals for Encrypted Cloud Storage (for example, Kamara et al, “Cryptographic Cloud Storage”) which offer a theoretical, yet-to-be-implemented method of encrypting information on the cloud. Generally speaking, their proposal is that “Before uploading data to the cloud, Alice uses the data processor to encrypt and encode the documents along with their metadata (tags, time, size, etc.), then she sends them into the cloud. When she wants to download some documents, Alice uses the TG to generate a token and a decryption key”.

Another technological option is to encrypt the virtual machine’s drive or to use encrypted file systems on cloud storage. Another option is to use encryption software, such as TrueCrypt, on your cloud storage service (such as Dropbox); however, such a solution may be problematic, as Dropbox cannot access your filesystem and might have to back up your entire folder each time you change any one of your files.

A different approach may be to establish a secret sharing mechanism where the information may be distributed on several different clouds, each holding only a portion of the information (such as in Parakh et al, Recursive Secret Sharing for Distributed Storage and Information Hiding).

However, these solutions are theoretical and have yet to be implemented by organizations or storage services as an integral part of their scope of services (maybe, apart from this one).

4. Solution[s];

Let’s discuss solutions as well. We need to form a strict set of rules of how to define a cloud system as privacy enabled. Our requirements are that the CSP shall allow: (1) seamless access to the set of files; (2) indexing and searching; (3) sharing parts of the information with 3rd parties; (4) reporting on each authorized and unauthorized access.

Mounting an encrypted virtual filesystem allows three out of the four: access, indexing and reporting. However, in order to share the information with 3rd parties, access to the filesystem has to be granted to the CSP (especially in order to allow sharing, see Yunqi Ye et al, Dependable and High Performance Cloud Storage). The other option is to encrypt each file differently (with a different symmetric key for each file, so that no problems with sharing the files exist); however, such an option shall not allow search and indexing (or would require a central key database), therefore also allowing only three out of the four conditions.

Even if we assume that the encryption is symmetric, and that each sharespace between users receives different symmetric keys, we cannot define the solution as seamless: in order to convert files from a privatespace to a sharespace, a client-side conversion of the files is required, as it is when files are copied from a private folder to the shared folder (also, a keyserver is required).

Let’s take, for the solution, Adi Shamir’s secret sharing mechanism (Shamir, How to share a secret) and for the purpose of this solution define our efficient threshold as one (1) user. In such a case, we define the shared folders with at least three cryptographic keys (one for the folder, to be shared with anyone, and one for each user). In this way, each user could read or write to the folder seamlessly; he could also index and search using his key (and the shared key), and share the information with others (by adding another key).

Implementing secret sharing in such a case (which has yet to be tested) may allow enhanced privacy with the flexibility of sharing the information through networks and users.

5. Conclusions.

We have yet to implement a technological solution to a legal problem we might face in the near future. The much unrequired loss of control over data stored in the cloud, especially sensitive information, is inevitable nowadays due to current architecture, CPU and bandwidth limits and other problems.

However, theoretically and with a little hassle, an encryption-based model may be implemented in order to allow storage of information on remote servers (i.e. the cloud) where the CSP cannot access the files but the end user may share such files with 3rd parties of his choice.

On Constant Surveillance and Privacy, why Quantity Matters

Written By: Jonathan under Categories: law, security. It has 0 Comments and was posted on Aug 7, 2010

The US Courts of Appeals’ ruling in Maynard v United States amends and reinstates to certainty the right to privacy in public places. Around two years ago I said that “the problem with ongoing photographing in the public domain is a different problem than the random photography that Google performs when it maps our state, it is the moment where photography becomes surveillance, a harassing act. Photography becomes surveillance when it is ongoing, when the use of the photo is for purposes other than displaying it and where the quality of the photo is too good to be only used for demonstration”. My opinion was rejected by the state, and step by step it began installing surveillance cameras in municipalities, and even insisted that businesses convey information to the authorities, including their video feed, even businesses who didn’t want to, like information about crowds in bars and pubs. Today, following the court’s decision in Maynard, it seems that all this intrusive apparatus may be quashed, or at least that any evidence gained by it may be disqualified.

Material which was obtained through invasion of privacy will be disqualified from being submitted as evidence in court, without the consent of the person harmed, apart from where the court allowed, for special reasons which will be listed to use the material; or if the infringer, which was a part of the process, had a defense or exemption under this act (clause 32 of the Israeli Privacy Protection Act)

In the case of Maynard, we are inspecting the appeal of his co-conspirator, Jones (EFF has a brief on the ruling). Jones’ case was quite simple: the police suspected that Jones and Maynard were involved in drug dealing and installed a GPS tracker without a warrant. The police used the information to follow Jones’ steps during a month and learn his routes. In the court, Jones raised the constitutional claim that this was an invasion of his privacy and therefore the charges against him should be rejected; the court rejected Jones’ claim and said that when a person is in public places, traveling where any person can see him, a GPS tracker does not infringe on his right to privacy, as he does not have a reasonable expectation of privacy.

The court’s claim explains how the right to privacy is a delicate one when it comes to digital privacy, where quantity becomes quality. The Court of Appeals explained in Jones’ case: “A reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination, and each place he stops and how long he stays there; rather, he expects each of those movements to remain ‘disconnected and anonymous’”.

Indeed, a reasonable person does not believe that when he is out in public he will be followed at all times. The reasonable person believes that he will be exposed to photography in random acts (C 6023/07 Afriat v. Yedioth) but not constant ones, or to photographs where he is in the background, or smiling to the camera (CA 1055/09 Shertzer v. Samira); the reasonable person believes that he can tell a photographer he does not wish for him to publish his picture, and may be entitled to do so (RCA 6902/02 Tzadik v. Libak), but may not always be allowed to revoke his consent to use his photos. The reasonable person does not believe that an elaborate web of cameras will track him at any moment and prevent him from committing even the most minor breaches, or that he will be subject to constant surveillance. Therefore, the Maynard decision explains how a single act, which is not infringing by itself, may become one when repeated.

For exactly the same reasons, the CCTVs in municipalities are infringing on everyone’s privacy. When the discourse began, I was too formalistic and claimed that the rationale to oppose them is the lack of authority of municipalities to enforce the law; I was wrong. Even if they had the authority, they would still violate my privacy.

[Originally in Hebrew]

Password Hashing and Criminal Liability

Written By: Jonathan under Categories: Internet, israel, law, security. It has 0 Comments and was posted on Jul 17, 2010

0.
Erez Wolf reports about a serious security problem which resulted from hacking an Israeli website and stealing the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords. Relying on the presumption that most people use the same login details for most websites, Turkish hackers were able to hack and deface many user accounts on Facebook, as well as on other sites, that depended on the login details in the database. The Turkish website containing the list has more indications of hacked websites, including account details of 70,000 other accounts.

1.
We can point out two problems: the first, which we all know we do, is using the same password in more than one website. Even security experts do it (we call it bitch password) in unimportant websites. The problem is that most people cannot remember more than a few passwords so they use the same password over and over. More than 20% of the passwords people use are in a short 5,000 password list; moreover, people use their birthdate, phone number or SSN as their passwords.

2.
The first problem, however, is the layperson’s problem. The second problem is the law authorities’ problem. The hacked website kept the passwords in a retrievable format in case the user forgets them. Meaning: the password was saved in plain text in the database, and accessible to more than just the website’s administrator. The common method to retain passwords is Password Hashing, which means that the passwords are encrypted one-way, so that a password can only be authenticated, but never restored. By using this method, you could never send the user his own password but only reset it when the user forgets it. Therefore, you need to authenticate the user’s identity in a different form, like email; this ties the user’s identity to the account and allows more credibility in e-commerce, but has other implications as well.

By using this method, if the database is hacked, there is no way to use the passwords (with one exception: if the password is a dictionary word, it can be found by using Cain & Abel). Apart from that case, you can be certain that if your database is stolen, no one could use it.
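The storage and reset flow described in this section, as an added example that is not taken from the hacked site or from the original post: passwords are kept only as salted PBKDF2 records, and a forgotten password is replaced through a one-time token that would be sent by email. The `AccountStore` class, the record format, the iteration count and the 15-minute token lifetime are assumptions of this sketch.

```python
# Added example: store passwords as salted, slow one-way hashes and
# replace "send me my password" with a one-time reset token.
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2 work factor (assumed value for the sketch)
RESET_TTL = 900        # reset token lifetime in seconds (assumed)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; nothing is ever decrypted."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


class AccountStore:
    """In-memory stand-in for the site's user table (hypothetical)."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self.rows[username] = {"pw": hash_password(password), "reset": None}

    def login(self, username: str, password: str) -> bool:
        row = self.rows.get(username)
        return row is not None and verify_password(password, row["pw"])

    def issue_reset_token(self, username: str, now: float) -> str:
        """Create a token to email to the user; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.rows[username]["reset"] = (token_hash, now + RESET_TTL)
        return token

    def redeem_reset_token(self, username: str, token: str,
                           new_password: str, now: float) -> bool:
        row = self.rows.get(username)
        if row is None or row["reset"] is None:
            return False
        token_hash, expires = row["reset"]
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(supplied, token_hash):
            return False
        row["pw"] = hash_password(new_password)
        row["reset"] = None  # single use
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery")   # constructed account
    print(store.rows["alice"]["pw"])                    # no plaintext in the row
    print(store.login("alice", "correct horse battery"))
```

The per-user salt and the iteration count are what make guessing dictionary words against a stolen table expensive; a single fast, unsalted hash would not.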

3.
The problem becomes a tad more legal when you understand the Israeli Privacy Protection Act, which defines Information Security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that the owner of a database, its manager or its holder are all liable for the database’s security and integrity; meaning that the owner of this website, and whoever provided him with the information security services, are liable for the data protection here and may face criminal sanctions. However, up to today, no criminal charges were brought against people who violated the data protection clauses, but it seems that this time, the Israeli Law, Technology and Information Authority should apply its legal power and apply sanctions.

4.
When the authority wants more and more power, where amongst other powers is the power to search databases, it shows it has the intent to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords shows how the lives of people may be hurt solely because of faulty data protection procedures. In any other case where thirty thousand people would suffer damages, the case would seem different. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry and sued, and criminal charges were brought.

5.
The information in the database is highly personal, it is dangerous, and there are people who are liable for its leak. Will they go to prison? I doubt it. However, they did not apply means to protect the data and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]

The ‘No Classified Information’ State: An Open Source Solution to a National Security Problem.

0. Abstract
Could a state with no secrets function better when protecting national security than a state that keeps information away from the general public? In this brief article, we will inspect the reasons for keeping classified information, what they are meant to protect and how they protect national security. We will present the method used by Israel, which is similar to most states. Israel’s approach, which is to keep all the information from the public, failed in general and caused nothing but costs on privacy, freedom of expression and national budgets.

Following our review, we will compare the classified information model to a model in information security, called Security through Obscurity and present how this model was perceived as flawed. Against it, we will present the Open Source Model, which creates transparency towards the general public, allowing it to inspect the security flaws, and therefore creates stronger protection.

Our conclusion would be that better national security could be reached by removing all classified information and disclosing all information to the general public. We believe that by making the information public, the cost of the censorship apparatus will be eliminated. We also believe that by adopting a ‘no classified information’ approach, governments may improve physical security when they rely on the foundations of open source security as detailed herein.

In my brief argumentation I will use the Israeli law, but provide some examples from other cases.

1. Classified Information and what it Protects.
Every state has its secrets. States choose, in certain cases, to classify information from the general public. Classifying information goes back as far as Greek times, and goes under the standard four categories: Top Secret, Secret, Confidential and Restricted. Israel has four apparatuses which are in charge of Confidential information: the Information Security Department, whose goal is to prevent classified information from leaking from the army; the Military Censorship, which operates under the Defense Ordinance (Time of Emergency), 1945, controls media publication and telecommunication, and has authority to refuse the publication of any information that has any relation to national security; the General Security Service (Shin Bet), which acts according to the General Security Service Act of 2002, where clause 7(2) allows the service to classify documents and determine how to handle such documents; and the Director of Security of the Defense Establishment, which is in charge of security in military industries, research facilities and other national security industries.

Some authorities in classifying information do not appear to exist in laws, and some operate under the vague and broad exemption added in the Freedom of Information Act, 1998. Clause 9 of the Israeli FOIA exempts disclosure of any information which may harm national security, foreign relations, public safety or a person’s well-being. Even in cases where classified information was disclosed, the courts still allowed the security agencies broad discretion as to what to blur out (HCJ 258/07 Zehava Galon v. The Governmental Committee for Inspecting the Battles in Lebanon 2006).

But what constitutes confidential information? There are no actual guidelines for determining what is confidential and how confidential specific documents are. For every document that contains ‘information’ as defined in the Israeli Penal Code, part II, chapter 7, the Penal Code provides a broad definition, imposing legal sanctions on disclosing any information to an enemy where it might be useful to him (clause 111). Confidential Information is defined as any information where national security requires keeping it secret, or information relating to any matter that the government, with the consent of the parliament committee for foreign relations and security, declared as confidential. Critics of this arrangement offered an amendment, but following the Parliament’s research center’s comments, these amendments were not implemented.

The burden of proving what constitutes non-confidential information lies with the defendants (see, for example, CC 1055/01 State v. Yacov). In Yacov, the court explained that while “the military censor is qualified to strike out information which is most-likely about to severely damage national security”, the penal code is wider, and applies to cases where national security requires keeping information secret.

In another interesting case, the widow of a person who worked in the nuclear research facility requested to receive the results of an epidemiological survey among the facility’s workers which the facility took. The State declined to provide the information, explaining that it relates to national security. However, when the court rejected the state’s claims, it expressed criticism over the state’s conduct: “the state wiggles in its arguments and cannot point to a normative authority where it draws the classification of the information. It is, according to the state, basic foundations, but these basic foundations have to be applied by the General Security Service Act, 2002, and the rules according to it (which are classified, so the state cannot disclose them to the court, but as a graceful act the state is willing to summarize them)” (CA (Tel-Aviv) 2571/01 Hanna Hizi v. State); the court itself explained that it cannot understand classification, and the state has to acknowledge the differences between confidentiality and classification. Classification does not create a basis for exclusion of evidence unless the state decides to exclude the evidence on grounds of national security according to the Evidence Act, 1971. However, in cases where the court finds the evidence may have had something to assist the party who wishes to submit the evidence, then the state shall default (OCR 2489/09 Zeev Braude v. State).

The Israeli Supreme Court dealt with the question of what constitutes classified information in Vanunu (CA 172/88 Mordechai Vanunu v. State). In Vanunu, a former worker of the nuclear research facility was charged with espionage when he disclosed information regarding Israel’s nuclear activity to press agents in the UK. The Supreme Court decided to convict Vanunu for collecting and disseminating information to the enemy. The court analyzed this clause and explained that “He who provides information to the enemy; meaning, any information, even if it is public information arising from the press, his activities fall into clause 111”. This eliminates the need for classification at all.

What Does Classified Information Protect? The question of what classified information protects is a difficult one to answer. Some claim that the purpose of classifying information is withholding it from foreign agents, and explain that when many people have access to certain information, it harms national security. Classifying information makes it harder for counter intelligence and foreign military forces to obtain information regarding a state’s forces, and allows it to operate where the other party does not know its rules of engagement, its powers, officers, or even defense mechanisms.

But the real question is how much this information, used by foreign intelligence, endangers national security, and whether the burden of protecting this information outweighs the value of keeping it secret or not.

When the classified information is the actual secret (e.g the actual location or time of a specific operation) then it is assumed (though not significant) that information about the operation that becomes available to hostile forces may lead to less successful results, at least. There are specific sets of information that are considered confidential and are not pieces of information that have (statistically insignificant) connection to current, ongoing operations or other information that if leaked may cause damage to national security.

For example, the actual existence of a specific weapon or the location where a missile fell after an air-strike cannot be considered a state secret for several reasons: the first is that it is not kept away from the public, as what the general public sees cannot be considered national secrets. For example, during the 2006 war, the military censorship requested Tapuz, Israel’s largest forum operator, to censor posts made by civilians about where Hizbullah missiles fell. Another case where information that is in the public’s plain view was considered confidential was when Parliament Member Yossi Sarid threatened that he may disclose information about weapons used by the IAF after the IAF killed and wounded dozens of Palestinians, including civilians, with weapons that were allegedly in plain view.

Another case where public plain viewed information was considered confidential was when Israel denied using phosphorous during the Cast Lead Operation of 2009, where the evidence was left in the Gaza Strip, which allowed the Goldstone committee, which inspected Israel’s activity following the operation, to find that Israel’s denial was false. So, in this case, how could the use of phosphorous be considered confidential information where there is evidence in plain view regarding the use?

Therefore, information could be considered confidential as long as no public information regarding it exists. For example, the location of specific military or nuclear facilities that are located close to cities and have road signs directing to them could not be considered confidential information. Israeli blogger Ido Kenan points out that Israel has a policy of withholding this confidential information in road signs presented in Arabic, leaving the confidential information only in Hebrew and English.

In conclusion, classified information in Israel is defined in an overbroad manner, containing information that may be considered in plain view and known to the general public. By acknowledging this flaw, we may understand the basis of information security and examine the weak points of such a method of information security.

We believe that there has to be a difference between the classification of security mechanisms by themselves and information (data) which relates to specific, mission critical, information that is classified. The difference is between information regarding the existence and functions of a specific unit, its weapons, its history, and current plans regarding an operation.

2. Security By Obscurity, A Problem
2.1 Security By Obscurity
When trying to protect information in a digital environment, there are two popular methods used by Information Security experts. The first is Security through Obscurity: this method, which is quite similar to the Israeli Classified Information method or approach, hides all information related to security from plain view and classifies it as confidential. Under this method, “a system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them”. The model bases itself on the fact that others are unaware of the activities taken and that most confidential activities could be disguised from plain view.

However, the flaw of this model is that the secrecy of the information is exactly what lets security flaws remain secret as well. For example, GSM encryption was hacked during 2003, and again during 2009. These hacks were published to the public because they were a part of academic research; however, in certain cases the hacker may not be so eager to publish their research. In some cases, employees or contractors may sell known exploits which were not taken care of, and criminals may sell unknown exploits either to other criminals or to the company itself. Moreover, relying on a sole provider to fix the security breach could sometimes cause more problems.

The main disadvantages of Security through Obscurity may be summed up as: (1) few people inspect the system for flaws, and sometimes actually inspecting the system may be considered illegal; (2) hostile entities reviewing the security of the system do not disclose their results; (3) dependency on one vendor/provider to review and fix security breaches.

2.2 The Open Source Model.
In contrast to Security through Obscurity, Open Source advocates rely heavily on Security Through Transparency. Using this method, the algorithms and software used to encrypt or protect information are known to the public, providing the public an efficient way to report security vulnerabilities, and even to propose bug-fixes. The more people have the chance to inspect the security mechanism, the safer they will be.

For example, security firm Secunia found that more security flaws were found in the Open Sourced Firefox than in proprietary code browsers, but the number of Zero-Day unpatched flaws was significantly lower and so was the time that it took to fix any flaw. By making all of its information public, a software vendor may create better security and allow any researcher to discover flaws. Moreover, transparent security mechanisms may also deter hackers from looking for ways to circumvent zero day flaws in fear of being caught (see also David Wheeler, “Is Open Source Good for Security?”).

The Open Source Model does not ignore the basic concepts of information security, but it acknowledges their flaws and attempts to build better models.

3. Could Building a Transparent State Solve National Security?
Could we imagine a state where all public information could be deemed as non-confidential, security mechanisms would be public and open for scrutiny and confidential information would be reduced to a minimum? We believe so.

Currently, a state like Israel has to operate counter-intelligence just to solve the problem of collection of plain-view information and to protect from hostile action. When operating an open source model, counter-intelligence could be abandoned and replaced with crowd-sourced models, which will help to build stronger mechanisms of protection.

Moreover, removing the ambiguity relating at least to nuclear weapons in Israel would assist deterrence and strengthen national security. Weak points in Israeli theoretical protection would be visible to the public and could be fixed quickly; moreover, the actual items that require protection could receive the needed funds and resources to protect them.

3.1 What is there to lose from revealing all classified information?
While we do not necessarily wish to reveal all information, certain information relating to means of operation and security regulations has to be declassified. For example, both the General Security Services Act and the recent Inclusion of Biometric Information and Data in Identification Documents and Database Act of 2009 state that all regulation and orders will be classified, as well as any information regarding security breaches. Moreover, when discussing the act in Parliament, security experts raised concerns over the database’s possible flaws, and the Minister of Interior, Eli Yishai, ordered to open the security protocols for discussion, but such a discussion was never held. Keeping the database, as well as security guidelines and notifications of security breaches, secret seems good in the eye of a person who thinks that an enemy may abuse such faults; however, in the eyes of a security researcher, these allow zero day flaws and known vulnerabilities to be used against the database (see, for example) and allow a false feeling of security.

The only thing that may be lost when protocols, orders or regulations that remain secret are disclosed is the misconduct of an authority or its acts against the law; for example, as a result of Israel’s Freedom of Information Movement’s appeal, it was revealed that the cellular companies were required to adhere to secret regulation regarding cooperation with intelligence agencies and disclose subscriber information.

Therefore, when the governmental default approach is that there is no need for privacy unless a person has something to hide from the government (which seems to be the default approach when discussing the Israeli government, as the Biometric Database Act, the Criminal Order (Submission of Metadata) Act of 2007, and other statutes turning Israel into a surveillance state) then the default approach towards the government should be that all its secrets are meant to cover up unlawful activities.

3.2 What is there to gain from revealing all classified information?
First and foremost, the Israeli Government may regain public trust by disclosing all activities. The Israeli public, for example, strongly believes that the Biometric Database will leak, mostly due to the fact that quite a lot of sensitive data has already leaked from Government databases and that 70% of the general public does not trust database protection in Israel. A different survey by Symantec found that 60% of the people do not trust the government with their private or personal information.

The feeling of misused trust may be healed and cured when disclosing information regarding data breaches and information security to the public. But more than that, apart from public trust, the government may gain better protection of its classified information. The Israeli government may adopt what computer giants like Google and 3Com already did, and that is to pay for every security breach found.

Currently Israel has many unknown security flaws, which remain confidential until a hacker gets caught. For example, Israeli white-hat hacker Moshe Halevi (Halemo) was charged with hacking when he used a pre-paid credit card to show that the Israeli Fines and Fees Center had a bug in the URL handler that allowed resetting a person’s fines. In a detailed case (C 9497/08 State v. Moshe Halevi) Judge Avraham Tenenbaum explains why Halemo’s activity was not hacking, but was solely security checking (a similar case, CA 8333/03 State v. Mizrachi, explains that port-scanning cannot be criminal if done for a cause of security inspection). Therefore, we can argue that the state has a compelling interest to discover flaws.

3.3 The state’s approach to security flaws.
However, we see that in most cases the state prefers to withhold information from the public regarding security flaws and to litigate against persons discovering such flaws. Moreover, when flaws are found, usually adopting the Security through Obscurity approach shows that the way the state fixes the vulnerability is not only insufficient, but negligent.

In one case, white-hat hacker Halemo discovered that the Israeli Court System’s website disclosed judges’ ID numbers (equivalent to Social Security numbers). It disclosed them because the URL source of a judge’s page on the website was his ID number. After the flaw was exposed, the state went to fix it, and replaced the ID with a Base-64 representation of the number.

However, if we required the state to disclose its means of security, it would have to disclose how the judges’ ID numbers were encrypted or protected, and therefore every person would have understood that neither plain-text nor base-64 are good enough mechanisms to protect sensitive information.
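Added example (not part of the original post and not the court website's code): Base64 has no key, so a URL reference built this way still discloses the ID number, while a random reference whose mapping stays on the server does not. The function and class names and the sample ID are constructed for illustration.

```python
import base64
import secrets
from typing import Dict, Optional

# Constructed sample value, not a real ID number.
SAMPLE_ID = "000000018"


def base64_ref(id_number: str) -> str:
    """URL reference as in the fix described above: Base64 of the ID number."""
    return base64.urlsafe_b64encode(id_number.encode("ascii")).decode("ascii")


def reversible_decodings(ref: str) -> Dict[str, str]:
    """Return every keyless decoding of `ref` that yields ASCII text."""
    candidates = {"plain": ref}
    padded = ref + "=" * (-len(ref) % 4)
    try:
        candidates["base64"] = base64.urlsafe_b64decode(padded).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    try:
        candidates["hex"] = bytes.fromhex(ref).decode("ascii")
    except ValueError:
        pass
    return candidates


def exposes_identifier(ref: str, id_number: str) -> bool:
    """Audit check: does a public reference reveal the ID without any key?"""
    return id_number in reversible_decodings(ref).values()


class OpaqueRefs:
    """Hardened form: random references, mapping kept server-side only."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_id: Dict[str, str] = {}

    def issue(self, id_number: str) -> str:
        # Reuse an existing token so each page keeps a stable URL.
        if id_number not in self._by_id:
            token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
            self._by_id[id_number] = token
            self._by_token[token] = id_number
        return self._by_id[id_number]

    def resolve(self, token: str) -> Optional[str]:
        """Server-side lookup; an unknown token resolves to nothing."""
        return self._by_token.get(token)


if __name__ == "__main__":
    store = OpaqueRefs()
    for label, ref in [
        ("plain-text", SAMPLE_ID),
        ("base-64", base64_ref(SAMPLE_ID)),
        ("random token", store.issue(SAMPLE_ID)),
    ]:
        print(f"{label:13} {ref:24} exposes ID: {exposes_identifier(ref, SAMPLE_ID)}")
```

The audit check only covers keyless encodings; an unkeyed hash of a nine-digit number would also be a weak reference, because the input space is small enough to enumerate.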

4. Applying Software Solutions to State Secrets: A Conclusion.
We believe that not all information has to be public. There are things that are better off secret. However, if we learn from information security methods, we must acknowledge that better security could be achieved when disclosing more information to the public. Applying the open source model of information security allows transparency in decision-making, better algorithms, fewer resources on counter-intelligence and more resources to allocate to what is mission critical information.

Moreover, better trust could be gained between governments and citizens, reinforcing the social contract and allowing better results in political participation.

Currently, governments over-trust security through obscurity when operating mission critical processes, and therefore, when flawed, the flaws and results are enormous. Utilizing open source models could prevent mishaps such as Israel’s phosphorous use, George Bush’s Weapons of Mass Destruction lie and Israel’s racial profiling in airports as a means of security.

Israeli racial profiling is such a great example, as it is highly efficient nowadays and even better than the US TSA guidelines but bases itself mostly on the assumption that Jewish nationals may not be considered a threat to national security but Arabs may (HCJ 4797/07 The Israeli Association of Civil Rights v. The Terminal Security Authority, Pending decision). As long as the security guidelines were secret, it seemed amazing that no security flaw occurred. However, now, that the guidelines are known and understood, it is easier to design a mechanism to circumvent them. Therefore, even adopting new guidelines will be useless, as they are inefficient (unless based, again, on racial profiling).

Therefore, in order to regain national security, Israel will have to change its approach to the Open Source Model before a major security event occurs that will make it understand that this is the only option. Staying in a Security through Obscurity approach could protect confidential information, but it cannot protect national security.

Habeas Corpus Secondum: Civil Rights for non-Dissidents

Written By: Jonathan under Categories: Internet, israel, justice, security, State Secrets. It has 1 Comments and It was posted on May 8, 2010

The Israeli Supreme Court ruled in February that the clause in the Israeli Criminal Procedure Act which allows ex-parte court hearings for suspects in terror or national security crimes was unconstitutional and void (OCR 8823/07 Doe v. State). In the same case, the Supreme Court balanced between the burden a democratic state has to face when facing terror within and due process, and ruled that a suspect’s right to due process prevails as it is what makes Israel a democratic state:

“Harming those who can’t defend from their arrest either by personal appearance or by ‘representative educated appearance’ is a material violation of human rights. It may annul the process and make the legal process void. … When an attorney did not meet the suspect, and the court is prevented as well from asking the suspect and inquiring about matters that need clearing, there is an actual burden on the possibility of exercising efficient and fair legal review. The court, in fact, relies on the statements of one party only. This result is grave in regards to the character of the legal due process and the matter in discussion – limiting a person’s freedom”.

In the same manner, clause 34 of the criminal procedure act states that the right to consult an attorney is one of the basics of due process; without decent representation a person will not have actual knowledge of his rights, will not have his day in court and therefore, any violation of this right, even if indirect, may cause damages to the legal process itself (and see, for this matter, HCJ 1548/07 Israel Bar v. Minister of Homeland Security which discusses the right to consult an attorney via video conference). However, foreign sources report that Israel has, again, not only violated the law, but kept covering it up. According to foreign sources, the Israeli-Arab author Ameer Makhoul was arrested on suspicion of committing crimes against national security and was prevented from meeting his attorney (and thanks to Yossi Gurvitz from Friends of George who referred me to this story). According to the reports, Makhoul was prohibited from leaving Israel a month ago by the Minister of Interior Affairs, Eli Yishai, and that was against specific stipulations in Israel’s Basic Statute of Freedom and Dignity which states that “every person is free to exit Israel”.

Two problems come to mind when thinking about this, if it were actually true; the first is that now no one knows what Makhoul is a suspect of. His disappearance by the security services was not reported in the press, and we were not given any information, as a public, as to what he is suspected of. What actually happened is that the public trust that, if one were taken in the dead of night for no reason, his friends, acquaintances, family and attorneys would know about it was lost due to the serial disappearance drawn by the government for dissidents. The graver danger in these cases, and cases such as the deprivation of Jack Titel’s right to consult an attorney, is that the damages to the due process would be irreversible. Not only would the public trust be gone, but a person would not be able to evaluate in an educated manner what to do and sometimes is willing to do anything just to make the torture go away (and see RT 3032/99 Baranes v. State and HCJ 5100/94 Public Committee Against Torture v. Government).

The second problem is the gag orders; if in the Anat Kamm affair there were confused bloggers who couldn’t understand how to deal with unknown gag orders, when they understood that the Israeli Police does not want to enforce the gag order on Facebook since its servers are outside of Israel (and that’s in spite of the decision in OR 90861//7 Carlton v. State which ruled that “hiding under the veil that the company operates and runs outside of Israel, its servers are not in the state, does not exempt the appellant and the company he heads from the Israeli criminal law”). But it seems that the police and secret services do not wish for gag orders to become a dead letter and will just ignore the bloggers, and let the farce play in the national media.

No matter how you look at it, the arrest of dissidents and their disappearance does not fit Israel’s character as a Jewish-Democratic state.

Some Thoughts about unjust killings and censorship

Written By: Jonathan under Categories: israel, justice, law, security, State Secrets. It has 1 Comments and It was posted on Apr 7, 2010

Judith Miller's article, translated and censored.

Whilst I, as an Israeli citizen and national, cannot discuss what is known throughout the globe as Israel’s censorship scandal, I can at least say that we can learn that Israel is not alone. Israeli courts, apparently, issued a gag order against reporting on a case relating to security measures, but that’s all I might have been allowed to state had the gag order been available to me.

However, Israel learned from its greatest friend: The United States was quite militant in fighting Wikileaks, a website dedicated to unveiling corruption and injustice, which was already involved in discovering money laundering schemes (and was taken off the web in a court order on Julius Baer v. Wikileaks). There was a reason why the US wanted Wikileaks off the web, as it is now known that Wikileaks published a video showing the US military forces in Iraq killing journalists (Available here).

But there are a few more similarities between the US and Israel. Israel also, as detailed in Uri Blau’s report from November 2008, was killing wanted Hamas militants instead of arresting them, against the supreme court’s decision and in contradiction to the law. However, the Israeli generals who disobeyed the Israeli law will never be brought to justice.

Mahmood Al-Mabhouh, Mossad and Biometrics: Some insights.

Written By: Jonathan under Categories: israel, law, security. It has 7 Comments and It was posted on Feb 20, 2010

[Partially based on my Hebrew Post]. The assassination of Mahmood Al-Mabhouh is still a mystery. Though many links point to the Israeli Mossad as responsible, and security cameras show a general operation, some might understand that biometrics played an important part in the game, as both the Biometric Architect, Meir Sheetrit, stated that the biometric database would have prevented the identity theft, and we, as opponents, stated that the biometric database allows the Mossad and other security agencies unlimited access to personal information.

However, we could be certain, without a shadow of a doubt, that no matter who is right, some problems arise from the definition of the access to Israel’s biometric database.

It doesn’t matter if MI6 was tipped by the Mossad about the assassination or not, as under the new Biometric Database Act passed in Israel, the Mossad and Shin-Bet would have unlimited access to the biometric database. In such a case, and as the biometric data encrypted in passports is only facial, they could attempt to find persons with dual citizenship, let’s say, both Israeli and Irish, and use their original documents, making forgery of biometric passports irrelevant.

The current law allows them Access, without explaining what access is. During the discussions over the biometric bill in parliament, I tried to ask the Secret Service’s representatives what this access means; this is how the conversation was listed in the 20.07.2009 official protocol:

Chair Meir Sheetrit: Ok, the sunlight does not apply for secret things.
Jonathan Klinger: What is ‘pass information from the database’? It could be from the entire database
(…)
Parliament Member Eitan Cabel: Mr. Geva is still in the midst of his matters, afterwards we shall relate to it, as my mind is not at ease.
Danny Geva: This clause was phrased after all the other possibilities were examined and in order to allow us to tolerate our needs. What I want to say is that what we create here, with the issuing of the new biometric cards and the database is something new that did not exist before. This new situation has to allow us to continue to act in order to fulfil our role and destination.
Nira Lamay: When they say ‘allow them access to the database’, they mean that they could just enter to the actual place… will they have permissions in the database? When they say ‘allow them access’, it is not just to convey them -
Chair Meir Sheetrit: Not through communication.
Nira Lamay: So what is ‘allow them access’?
Nissim Alyasaf: They could come to the database and obtain information.
(…)
Nissim Alyasaf: The database will not have communication.
Chair Meir Sheetrit: So why won’t you change the word ‘Access’?
Nira Lamay: So what is access?
Danny Geva: it doesn’t matter what access is, the word access has to stay because we inspected all other possibilities -
Chair Meir Sheetrit: do explain.
Danny Geva: Sir, there are things I cannot explain.

Now, you may understand that no matter what, Sheetrit’s statement that “Effective use of biometric data could have prevented the apparent theft of Anglo-Israelis’ identities” is incorrect; had the Mossad wished to do so, it could have just as easily found the people it needed in the database and used the government’s own facilities to issue original biometric passports.

The other point of failure is the ease of stealing Israel’s biometric database; as I explained briefly in a Round-Table held at the Israeli Democracy Institute, more than 30,000 people would have access to the biometric database. This number constitutes around 0.5% of the Israeli population. No secret is secure enough when so many people have access to it.

We are turning more and more into a surveillance society; this has to be stopped before we lose ourselves.

The Electronic Signature Fail: How privacy is only a monetary issue

Written By: Jonathan under Categories: israel, security, State Secrets. It has 0 Comments and It was posted on Dec 22, 2009

The Government’s wish to issue self-signed electronic signatures on the newly inaugurated biometric cards is more of a monetary mishap than a privacy issue. However, some critics may say that this is more than a failure, it’s a way of doing business.

In 2001, Israel legislated an Electronic Signature Act, which allowed authorised bodies to issue digital signatures to encrypt and digitally sign documents, in order to replace their physical presence [further reading at the Israel Justice Department website]. To sum up: when acquiring a digital signature, a certificate authority issues a signature, and then validates your identity and warrants that you are who you say you are.

However, due mostly to overburden created by the state, Israel holds only one certificate authority, ComSign. The problem? ComSign is (a) a private company and (b) charges 300 ILS (~75 US$) per signature. The lack of competition caused the government to try a new approach: as every biometric ID has to be digitally signed, the government wishes to be both the certificate authority and the entity which relies on the validity. There are two main advantages for this scheme: first, the costs of issuing electronic ID cards are reduced, as there is only need to pay the issuer of the plastic card; second, the government is certain that the certificate authority will never go out of business.

However, there is one major flaw: when the government issues a person’s private key, it can never (and I mean never) hold a copy of that private key. Exposing this key to any person who may be able to access it is a major flaw that could assist identity theft and other causes. Here comes the need for a certificate authority’s liability. When inflicting liability on a CA, it may exercise best care and warrant that no information may be misused. Moreover, it, by itself, lacks the interest of infringing its users’ privacy. Therefore, opening the market to competition and allowing more private CAs is the solution, not allowing the government to have more force.

However, a minor tongue-slip by Adi Sagi, from the military’s CA, during last week’s discussion, may show that something is not all-that-ok with a self-issuing certificate authority; Sagi stated that the certificate exists “not only on service cards, but also for Keva [additional service, after the mandatory - jk], soldier service cards, smart ID cards for the military’s needs. I want to raise two other points: the first is the trust in the soldiers or loss of cards. Once a soldier loses a smart card or a card is stolen, he has to notify the police and the ministry of interior that the card was stolen. Then you need to operate systems where the certificate is not valid anymore and a new certificate needs to be issued. I don’t know, and I guess that Boaz [Dolev, the head of the computing unit in the government - jk] doesn’t know, any authority that if a certificate is stolen may…” here Sagi was interrupted, stating that he exceeded his authority.

But it seems that the architecture of privacy here was not in the main interest of the government. Issuing seven million ID cards and paying a private entity 300 ILS per card may cost the government more than it is willing to pay for the biometric experiment. Therefore, the government decided, for monetary reasons, to risk the citizens’ privacy, and be its own certificate authority.

When explaining it to the committee, I said that “I am afraid of my government. I am afraid of the government in a place where a corrupt social security employee was bribed to pass private information; I am afraid of a government that cannot investigate the leak of its own census; I am afraid of the government and I am entitled to do so, and it is still the government’s duty to protect me. But this is not the discussion. The question is whether a certificate authority could be the entity that verifies the identity and still hold my cryptographic keys”.

Something has to be done here, before it gets too late.

We Lost | Israel to launch the first Biometric Database

Written By: Jonathan under Categories: israel, law, security. It has 1 Comments and It was posted on Dec 8, 2009

0.
We lost the skyline. The parliament approved yesterday Meir Sheetrit’s proposal to establish a biometric database. After a few months of delay, including endless discussions in parliament trying to persuade Sheetrit not to go with the database, we lost. It didn’t matter that we brought two Nobel Prize Laureates and many other professors to explain the dangers; Sheetrit just explained that they don’t know a thing and that they do not represent the best minds in the field. It doesn’t matter that the Israeli census leaked or that the company who is meant to issue the biometric ID cards is the one who was in charge of the census: the Parliament Members just don’t get it.

CC-BY-SA Tomer Lichtash

1.
A biometric database is not something to be taken lightly. While Sheetrit claims that other states have a biometric database, we know he lied. Research by Karine Barzilai-Nahon showed that a biometric database is something unprecedented in the entire world, at least if we think about biometric databases that are used with census data. Even that controversial Dutch database is not as extensive as the Israeli one. The UK ID initiative was not as comprehensive as ours, and yet was not as popular. When we try to understand where we went wrong, I think that it was the international aspect.

2.
We blogged in Hebrew, tweeted in Hebrew, interviewed in Hebrew and lobbied in Hebrew. The holy language was not as holy when it involved legislation. We can try the International human rights courts, we can try to petition to Israel’s supreme court, but nothing is as fine as international pressure. It didn’t even hit the international press, only our local Jewish Ghetto.

3.
Now we have two years of an experiment. Let’s see how it goes.