Israeli Bill to Block Access to Gambling & Child Porn Websites

Written By: Jonathan under Categories: Cybercrime, File Sharing, Internet, israel, law. It has 10 Comments and It was posted on Dec 22, 2012

0.
Israel is about to try, again, to pass a bill authorizing police officers to issue warrants to Internet service providers to block or restrict access to specific websites involved in gambling, child pornography or copyright infringement. The bill proposes that such administrative procedures be clandestine and that court decisions be made ex parte, with parts of the ruling not even disclosed to the website’s owner, and that the court may hear and rely on otherwise inadmissible evidence.

In my opinion, one of the saddest things in a democracy is that those with authority can change the rules after the game has begun. This is the story of the blocking of gambling sites, an experiment which began around 2010.

Fortunately, after a lot of hard work by the Israeli Internet Society, the District Court of Tel-Aviv quashed the block and ruled that the police had no authority to order Internet service providers to block access to certain sites or IP addresses (the decision is now on appeal; see the Hebrew original ruling in AA 45606-10-10 ISOC N. Shachar Ayalon).

However, Israel is famous for presenting bills that bypass court rulings, and now wants to reassert this authority, without limitation, by presenting a new bill: The Bill for Restricting Uses for Preventing Crimes (Amendment – Restriction of Access to a Website and various revisions), 2012 (Google Translation).

1.
You can read a bit more about the bill in Oded Yaron’s article at Haaretz.com (behind a paywall). In general, the bill’s purpose is to circumvent the court ruling and allow the police to block websites. According to the district court, the police’s authority to shut down gambling houses cannot be applied to websites. The bill’s ambitions, however, seem to be broader:

Should a certified police officer have reasonable grounds for suspecting that a website is used to commit an offense specified in the Second Schedule [gambling, child pornography or copyright infringement - jk], and reasonable grounds for concern that the website will continue to be used for committing a crime unless access is restricted, he may issue a warrant to Internet service providers to limit access to that website; a warrant under this section may be issued even if the website also contains activity that is considered legal [or legitimate - jk], provided that the illegitimate activity is the main purpose of the website.

Now, as befits any modern legislation, justice is done but not seen. Article 3 of the bill discusses the extension of warrants, where everything is done ex parte:

“material relating to the request to extend the validity of an administrative restriction, or information on which such a request is based, and any other material provided in the course of the application process, will be presented to the judge only; the material will be marked and returned to the police officer or authorized claimant (in this section, the applicant) after examination”

But it’s not just that the material will be ex parte; in some cases the ruling itself may be withheld from the website owner. “The court shall notify the owner or occupier and the police officer of its decision under this section, and it may determine that the decision, or parts of it, shall be confidential.”

2.
This means that Israeli citizens may find themselves subject to a confidential warrant. In such a case they will not be able to challenge the order, because the grounds for the decision will not be disclosed. Sounds interesting? Well, I remind you that when we discussed the Communication Metadata Law, which allows the police to receive GPS data on phone and Internet subscribers and records of their phone calls, everything was done in confidential decisions (with no further judicial review of them). Therefore, we do not know how the law is implemented, whether any of these requests are actually served unlawfully, or how judicial review works.

3.
The bill itself is absurd to anyone who understands the Internet: everybody knows that an order blocking a given website is about as effective as a police order that summer temperatures shall not exceed 25 degrees Celsius (or, if you’re in the US, that it won’t snow on Christmas). Sure, ISPs will restrict their users from browsing to the site, but that doesn’t actually work (proxy servers and the like).

4.
But of course there’s the slippery slope. The original act, which the bill amends, gave a judge the authority to issue such a warrant under careful review; the bill transfers this authority to a police officer.

5.
What about additional uses? Well, in order to pass the bill, the police began with the most abhorrent offenses: child pornography and gambling. Clearly, no one who is not a pedophile or a gambler will oppose the authority to block such websites. Well, not really. The phrase “Second Schedule” is used to describe the offenses subject to this authority; the bill asserts a short list of offenses, to which the minister of justice can always add more. Once the bill is passed, no one can be certain that additional offenses will not enter there.

6.
The real danger is in practice: in the same week in which we discovered that the military police apparently investigated a blogger, who was exposed using the metadata act without respect for his journalistic immunity and the confidentiality of his sources, and in the same week in which the non-democratic nations want to rule the Internet through the ITU convention, Israel decides to publish this bill. And why? Because Israel deems it fine to gamble all your money on the state lottery, but not to give money to foreign websites.

Putin’s Pussy Scandal may Be Inspiration for Israel

Written By: Jonathan under Categories: israel, justice, security. It has 0 Comments and It was posted on Aug 20, 2012

0.
A few months ago, Russia’s president, Vladimir Putin, arrived in Israel for a brief visit. The President, who receives embarrassing support from Israel’s minister of foreign affairs, Avigdor Liberman, and almost magical admiration from Knesset member Anastasia Michaeli, also received a warm hug from the leaders of the Israeli government, first and foremost Benyamin Netanyahu. Actually, there is no doubt that there is a strong link between the two states. However, another embarrassing affair that Putin has had to face recently may show that Putin is the one admiring Israel, and not vice versa.

1.
Israel is known for times when its legal system falls victim to political constraints, from left to right, and not just in the higher courts but in the magistrate courts as well. Sometimes indictments are more politically colored than usual, and come with circumstances that leave no room for acquittal. The stories of Jonathan Pollack, who was convicted of riding his bicycle slowly in a demonstration against Operation Cast Lead and sentenced to three months in prison, and of Rahamim Nasimi, who blocked a road during the anti-disengagement protests and received the same penalty, show that there’s a problem with the method. The problem is that demonstrations are often meant to disrupt public order, to offend, to hurt and to show the government that there is criticism and that it isn’t nice: but these have to be the rules of the game. Protesters are allowed to be rude, disgusting and to violate public order. The police, on the other hand, cannot be brutal and must respect political expression, since if they do not, we will live in the “OK State”.

2.
And that’s the case of Pussy Riot, a Russian feminist band that decided sometime in February to organize a spontaneous demonstration against Putin. Last weekend, three members were sentenced to two years in prison after being charged with breaching public order in religious circumstances; of course, this had no relation to the content of the expression but to the deed itself: the members of Pussy Riot organized in a public place, offended the public, and tried to protest against the current situation. Had they protested where they are allowed to, in their homes, no one would have heard of Pussy Riot.

3.
It is quite doubtful that this could be perceived as a just trial, even though the Russian public supports it; but that is the case: when political hooligans are indicted, the content of the speech is not mentioned, and therefore not discussed in court. They say, “he was a hooligan, and we don’t care whether it was left or right, a toothpaste advertisement or a protest against a mayor. What offends us is the breach of public order”. In this case you cannot put up a defense that says “look at the content and not the form”, because the content is not in dispute. So the architecture of the trial prevents justice.

4.
This is how Israel is so close to Putin’s dictatorship: here, too, there is hard work to limit protest; and of course it’s not political at all: a simple policy of requiring a license for every activity of public expression is perceived by the court as a way to preserve public order (AA 6095-07-12 Hatzav v. Tel-Aviv). It’s not just a saying: the Tel-Aviv municipality issued an administrative order stating that “festivities and any other activity to express an idea, opinion, value, demonstration, meeting, ceremony, solidarity, fund raising, belief or world view – which is not made in cooperation with the municipality” has to obtain its consent. Meaning that if I sat down with a friend on Rothschild Boulevard to discuss my opinion of the country’s financial status or the street’s garbage, I would have to approach the municipality’s CEO, fill out the proper forms and obtain a permit.

These procedures are not only unlawful; they must make Putin ovulate with joy. The resemblance, the inspiration: maybe he should receive royalties for it.

5.
And in the meantime? Israel does not have a local Pussy Riot. And maybe it’s for the better; their music is not so soothing. But until we have one, we all have to admire King Bibi.

[Originally In Hebrew]

Legislating Surveillance: Was the biometric act needed?

Written By: Jonathan under Categories: israel, law, State Secrets. It has 1 Comments and It was posted on Dec 4, 2011

0. Abstract.

[This Wednesday I shall lecture at the LiSS working group conference; here is a draft of my lecture] From 2003 until today, the Israeli Government has been working diligently to legislate the biometric database act and the orders and ordinances under it. However, this biometric database is neither the only biometric database in Israel nor the only database to which government authorities have access. In my brief lecture I shall present a different approach, asking whether this database act was actually required and what the reasons were for choosing legislation. In doing so, I’ll have to ask whether the act of legislation was needed because the social contract was broken, or whether it was a megalomaniac act made in order to block any different approach to databases.

1. Database Laws, Privacy.

Let’s first understand how government databases operate. The Israeli Privacy Protection Act does not differentiate public sector databases from private sector ones; moreover, article 23D gives any person the right to know about such a database, and article 23C gives government bodies the right to request and transfer data from other databases when the action is required by law or by the body’s function. Meaning, had it so desired, the Government could have set up a registered database and operated the biometric database under that act; but in such a case it could not have compelled people to provide their biometric information.

So what could it do? It could have amended the Census Act. The Israeli Census Act regulates the management of the Israeli census (which, as we already know, was leaked to the Internet); article 2 lists the fields required to be recorded in the database. Amending it to mandate a person’s biometric data could have solved the biometric database problem in a one-line amendment, without requiring massive legislation.

However, the Israeli legislator decided to pass a 30-page act (PDF), which describes the security and the use in full detail, and allowed public debate over it. To understand why, let’s understand how other government databases work.

2. Government Databases and legislation.

First, let’s see which databases were legislated and which weren’t. Meir Sheetrit, the biometric database’s entrepreneur, said that “Israel has enough [other] biometric databases”. However, if we inspect his claim we find a different perspective: the question is who decides who must provide his information to the database, and when, and whether willingly.

Let’s first inspect the databases that were legislated under Israeli law: the Anti-Money Laundering Act database, the Census Act (which actually does not establish a database, but only allows the inquiry of information), the police DNA database (the Criminal Procedure Act (Searching a person’s body and taking identifying information)), and criminal records (the Criminal Record Act).

On the other hand, there are quite a lot of databases containing information that is as personal and as sensitive as that in the legislated databases, including the migrant workers’ biometric database; the driver’s license database, which includes photographs and, according to the Israeli transportation office, does not require legislation in order to be retained (the transportation office provides this biometric information at least to the ministry of interior); the unemployment database, which contains the fingerprints of the unemployed; and the bus authority database, which contains information regarding passengers and their routes.

3. Why do you legislate databases?

We can see that while some databases were legislated because of their sensitive nature (money laundering, for example), there is no actual difference in sensitivity: there is no actual difference between money-laundering information and the biometrics of a migrant worker. We can also say that legislation was not driven by the voluntary nature of the database; a person cannot choose to be unemployed, or not to travel by car or bus. None of the non-legislated databases are actually voluntary; they just address specific needs and put the person “agreeing” to provide the information in an inferior position: he is either unemployed, or wishes to travel to Israel to work, or wants to drive in Israel or take a bus. These are all daily functions that a person cannot do without.

4. Why Legislation.

Now, let’s turn to the theoretical assumption that the biometric database could have been created without any real or substantial legislation. The state could simply have established a national database by issuing an order under the Passport Act, seeing that most Israelis have a passport, and held the information as “required” to issue a passport; it could have gone the same way the Transportation Office went, and simply required the provision of fingerprints. However, the choice to legislate the database was made. Why?

The reason is the Israeli Privacy Protection Act, but not the article requiring willful consent, nor the article mandating that the data subject be informed of his rights, but article 23C. Let’s inspect the text:

“Notwithstanding article 23B, providing the information is permitted, if not prohibited by any legislation or professional ethics – (1) between public bodies, if one of the following applies: (a) providing the information is within the authority or role of the body providing the data and is required in order to exercise a law or a cause within the authority of the data provider or its recipient; (b) the information is provided to a public body that is allowed by law to demand such information from any other source; (2) from a public body to a government office or another state establishment, or between such offices or bodies, if providing the information is required in order to exercise any legislation or for a purpose within the authority or roles of the data provider or its recipient …”

Well, we do need to read this carefully: there could have been a state-wide database without legislation; however, in such a case the Police could not have been granted access to the information. Why? Because neither of the two alternatives in article 23C(1) allows it: the first alternative requires specific authorization under law to disclose the information, and the second requires that the police would be authorized to request the information at the source. However, the police are not entitled to coerce a person into giving them his biometric information, and the ministry of interior [was] not authorized to specifically assist the police.

Therefore, unlike other databases, the mobility of the information and the detachment between the purpose for which it was collected and its use created the actual need for legislation.

5. Ruling out other factors.

Now, we can ask whether this was actually the reason; whether there was a hidden hand that required it. The only explanation for why a 30-page bill was passed emerged when alternatives were presented to the government: the rejection of Adi Shamir’s proposal for a non-identifiable database, and the choice to store both a person’s facial photo and fingerprint (information that is not required in order to maintain a clean database; see Yoram Oren’s statement: “if the purpose is to reduce a list, then yes”). Meaning, the legislator was presented with at least two alternatives that allow a secure database which prevents double inclusion and does not retain so much sensitive data, and rejected them.

Such rejection may be discussed later in court when the constitutionality of the act is examined, but that’s beside the point. The choice both to legislate and to decide on this architecture was made solely in order to allow surveillance.

6. Summary and Conclusions.

We know that the legislator had other options to legislate a database (or not to legislate it); that it could have allowed it to be used sooner, without any pilot and even with coercion against persons, but in such a case the police and other security authorities could not have obtained access to the database. Therefore, the sole purpose of legislating is to allow such access, and unless we can rule this out, this is the true purpose of the database.

Terms and Conditions, an XML solution for a Legal Problem

Written By: Jonathan under Categories: copyright, israel. It has 0 Comments and It was posted on Jul 19, 2011

0.
Terms and Conditions (and Privacy Policies) are a bitch. I know, because I write them for a living. Yes, it’s me who made you agree to give that website an “irrevocable, unlimited, commercial right to access your personal information stored in the service” just so it could fight the spam it tackles on a daily basis. I’m also the guy these websites call when some random schmuck sends them a cease-and-desist letter claiming to hold the copyright on the word “party” or something like that.

1.
Lawyers face a terrible problem: most users don’t read the terms and conditions. This makes them unenforceable in some cases (DeFontes v. Dell, Inc., No. 2004-137, 2009, more here), so lawyers create presumptions of acceptance in various forms, which are always uncertain because they are never tested in court. Some lawyers add the “I Agree” button only at the end of the document, some require email confirmation and some just add an “I Agree” checkbox.

2.
In comes CommonTerms. CommonTerms tries to simplify the reading of hard-to-read legal documents by adding nice icons showing how the service provider uses your data, whether it may revise the terms for any reason, and other information. To do so, CommonTerms analyzes existing agreements and attempts to build a database of practices. While the idea is nice, it is not yet perfect for the end user, who needs to know that such icons exist and must still actually read the terms.

3.
In comes my solution; however, it requires some cooperation from lawyers. Lawyers could use XML tags or RDF to tag their Terms and Conditions with specific tags, such as “shares your user-generated content with 3rd parties” or “allows other users to create derivative works of content you upload”. For Privacy Policies it may be even easier, as a privacy policy is a set of specific questions, and the icons may just show “uses 3rd party cookies” or “profiles you and sends information to advertisers”. Once the list of terms is defined, we can create a tag generator so the tech guys can mark the site; then, just as websites display the TRUSTe seal, they could mark their website in terms of user-friendliness.

4.
Once the marking is in place, we still have some problems, but all of them are solvable: self-enforcement and information, as well as comparing sites by their Terms and Conditions. Another factor may be creating common ground for tagging and building child-friendly filters, or other uses that help users understand what happens when they post their content on websites: is it sold, reused, mixed, shared, or just removed after 36 hours?
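A worked sketch of the tagging scheme proposed above, added here as an example and not part of the original post or of CommonTerms. The tag names, weights and sample pages are invented for illustration, and the tags are expressed as HTML `<meta>` elements rather than RDF for simplicity. The generator side validates and escapes what the lawyer declares; the consumer side ignores unknown names and malformed values, so a site cannot smuggle arbitrary claims into the summary a user or browser extension would display; and a diff function compares two sites’ declarations, which is the “comparing sites” problem mentioned above.

```javascript
// Added example (not from the original post): a hypothetical machine-readable
// vocabulary for Terms and Conditions, expressed as <meta name="tos:..."> tags in
// a page's <head>. A generator emits the tags from a lawyer's declaration and a
// consumer extracts them so users (or a browser extension) can summarise and
// compare sites. Every tag name and weight below is invented for illustration.

const VOCAB = {
  "tos:shares-ugc-with-third-parties": { label: "Shares your user-generated content with third parties", weight: 2 },
  "tos:allows-derivative-works":       { label: "Lets other users create derivative works of content you upload", weight: 2 },
  "tos:third-party-cookies":           { label: "Uses third-party cookies", weight: 1 },
  "tos:profiles-for-advertisers":      { label: "Profiles you and sends information to advertisers", weight: 3 },
  "tos:unilateral-revision":           { label: "May revise the terms at any time for any reason", weight: 2 },
  "tos:content-retention-hours":       { label: "Removes uploaded content after this many hours", weight: 0, numeric: true },
};

// Escape attribute values so a declaration can never break out of the tag.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Generator side (the "tag generator for the tech guys"): turns a declaration such
// as { "tos:third-party-cookies": true } into <meta> tags. Unknown names and
// ill-typed values are rejected rather than emitted, so the vocabulary stays closed.
function generateTags(declaration) {
  return Object.entries(declaration).map(([name, value]) => {
    const spec = VOCAB[name];
    if (!spec) throw new Error(`unknown term tag: ${name}`);
    const bad = spec.numeric ? !Number.isInteger(value) || value < 0 : typeof value !== "boolean";
    if (bad) throw new Error(`bad value for ${name}: ${value}`);
    return `<meta name="${escapeAttr(name)}" content="${escapeAttr(value)}">`;
  });
}

// Consumer side: pull tos:* tags out of an HTML document. A regex is enough for
// well-formed <meta> tags; unknown names and malformed values are dropped, so a
// site cannot inject arbitrary claims into the summary.
function parseTags(html) {
  const result = {};
  const re = /<meta\s+name="(tos:[a-z0-9-]+)"\s+content="([^"]*)"\s*\/?>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const [, name, raw] = m;
    const spec = VOCAB[name];
    if (!spec) continue;
    if (spec.numeric) {
      if (/^\d+$/.test(raw)) result[name] = Number(raw);
    } else if (raw === "true" || raw === "false") {
      result[name] = raw === "true";
    }
  }
  return result;
}

// Turn parsed tags into the "icons" a user would see, plus a simple exposure
// score: the sum of the weights of the practices the site admits to.
function summarize(tags) {
  const lines = [];
  let score = 0;
  for (const [name, value] of Object.entries(tags)) {
    const spec = VOCAB[name];
    if (spec.numeric) lines.push(`${spec.label}: ${value}`);
    else if (value) { lines.push(spec.label); score += spec.weight; }
  }
  return { score, lines };
}

// Compare two sites' declarations: the boolean practices only one of them admits to.
function diffSites(tagsA, tagsB) {
  const names = new Set([...Object.keys(tagsA), ...Object.keys(tagsB)]);
  const onlyA = [], onlyB = [];
  for (const n of names) {
    if (VOCAB[n].numeric) continue;
    if (tagsA[n] && !tagsB[n]) onlyA.push(n);
    if (tagsB[n] && !tagsA[n]) onlyB.push(n);
  }
  return { onlyA, onlyB };
}

// Constructed sample pages (not real sites). SITE_A is produced by the generator;
// SITE_B is hand-written and includes an unknown tag and a malformed numeric value.
const SITE_A = `<html><head><title>A</title>
${generateTags({ "tos:third-party-cookies": true, "tos:profiles-for-advertisers": true,
                 "tos:unilateral-revision": true, "tos:content-retention-hours": 36 }).join("\n")}
</head><body></body></html>`;
const SITE_B = `<html><head>
<meta name="tos:third-party-cookies" content="false">
<meta name="tos:allows-derivative-works" content="true">
<meta name="tos:totally-made-up" content="true">
<meta name="tos:content-retention-hours" content="lots">
</head></html>`;

console.log(summarize(parseTags(SITE_A)));
console.log(diffSites(parseTags(SITE_A), parseTags(SITE_B)));
```

The closed vocabulary is the important design choice: both the generator and the consumer refuse anything outside VOCAB, so the list of terms is fixed by whoever maintains the vocabulary (the common ground the post asks for), not by individual sites, and a site that omits a tag simply does not get credit for it.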

5.
The thing is that, as a lawyer, I cannot code and I cannot enforce these things on people: not on other lawyers and not on my clients (or other lawyers’ clients). So, in order to make this happen, the demand has to come from the public, and that’s you.

You may also appreciate reading about the EULA Generator.


Cultural Fair Use, Political Narrative and Copyright [Wikimania 2011]

Written By: Jonathan under Categories: copyleft, copyright, File Sharing, Internet, israel. It has 1 Comments and It was posted on Jul 15, 2011

In about two weeks’ time I’ll attend the Wikimania 2011 conference and discuss Cultural Fair Use, Political Narrative and Copyright. This might sound like one big mashup, because there is no apparent connection between copyright and political narrative. The story of fair use, however, shows why copyright, more than anything else, has to do with politics. The text of this lecture is partly derived from my research with Dr. Nimrod Kozlovski for Consumers International about fair use in Israel.

But first, a short story. One of my favorite TV shows is South Park. I’ve been watching it since 1997, and have been a fan of its authors and their opinions; when Trey Parker and Matt Stone described their approach to copyright in their 2006 interview for Reason Magazine, I was quite happy to find that it was that of true artists: a wish to reach a wider audience. In the same manner, when they launched South Park Studios in 2008, a website for watching all their episodes by video streaming as well as remixing and sharing their content, I understood how much they were artists and not just in it for the money.

In 2008, South Park paid tribute to the Internet nation with an episode criticizing the Writers Guild of America strike while paying tribute to some of the latest Internet meme sensations, such as the sneezing panda and the Star Wars Kid. One of the subjects of criticism was Samwell, whose video “What What (In the Butt)” depicted an African American male asking whether the viewers wish to “do it in the butt” with him. The video was displayed on YouTube free of charge and received millions of views.

In the “Canada on Strike” episode, the four prepubescent characters of South Park wish to earn a quick buck from the Internet and decide to film a viral video. They position Butters, one of the characters, the same way Samwell appears in his video, and do the inconceivable: take the already grotesque video and make it even more grotesque. This is basically why I love South Park so much: the interaction between extreme free speech and the ability to mock the already mocked down to the last grain gives them the ability to go on for so many shows. This is the video that Butters produced:

Samwell decided that South Park’s use of his “work” constituted copyright infringement and sued Viacom. Viacom decided to be the better person and, instead of settling out of court (which would have helped it, as a copyright owner, to fight others who make similar uses of its content), decided to try the affirmative fair use defense. This week a Wisconsin federal judge dismissed the case, holding that South Park’s use of the work was fair (read the full opinion in 10-CV-1013 Brownmark Films LLC v. Comedy Partners). The court weighed in favor of what I try to call “Cultural Fair Use”, which has become somewhat popular recently but is not actually among the general fair use exemptions.

For all you non-lawyers, fair use is a defense (codified in 17 USC 107) for those who use copyrighted works for purposes such as “criticism, comment, news reporting, teaching, scholarship, or research”. However, South Park’s use, despite its wish to be considered criticism, is not really criticism but mockery or homage. South Park used Samwell’s work to criticize viral videos altogether, not the work itself. In a similar case, in which a famous Israeli comic book (or should I say “graphic novel”) cartoonist depicted Donald Duck in order to mock Israeli society, the Israeli Supreme Court ruled that his use was not fair, as the criticism was not aimed at the work itself (RCA 2687/92 Geva v. Disney). Only recently have the lower courts acknowledged other, cultural aspects of fair use, in order to stretch society’s public domain and the ability to add works of authorship to the public domain without the formal expiry of copyright terms, solely because such works have become the public’s due to popularity and demand.

The recent cultural fair use is based on folklore more than anything else. Its basic elements are that once a work has exhausted its commercial value and become part of popular culture, it may allow others to create additional social value by reusing it. Such uses may be mashups, remixes or other uses which are not highly critical or transformative, but have no impact on the work’s actual market value.

[Here comes that part where if you read this prior to hearing my lecture you thanked me, because the crowd will be rickrolled]

A good example is rickrolling, the phenomenon of baiting someone into clicking a link that leads to Rick Astley’s “Never Gonna Give You Up” video, which is not as grotesque as Samwell’s “What What” but is no less funny. People have used this song and tried to add it to popular culture and other works as an homage to the Internet nation: by playing it instead of the end credits of Bill O’Reilly’s show, paying tribute in an episode of the popular TV show Family Guy, using Barack Obama as the singer by mashing up his speeches, or even a Stephen Hawking tribute to the song.

But putting Rick Astley’s career aside, let’s discuss government works for a bit. The US, as well as other states, has a “Government Works” clause providing that any work of authorship made by the state itself is not subject to copyright. Unlike the US, Israel has no such clause. Therefore a material part of Israel’s history is subject to copyright: the national photo archives and other government works, such as the reports of the Central Bureau of Statistics, are copyrighted. Israeli nationals (and other nationals, actually) who wish to use government works must either license them or find other sources.

This creates a burden, first of all because the Israeli government does not benefit from selling licenses. It is not one of its functions as a government, nor is it a material source of profit. The government has set up its Press Office to allow the free dissemination of information from the government outwards, and copyright restrictions seem to contradict Israel’s wish to disseminate its message.

During the 2010 term, Member of Knesset Meir Sheetrit submitted a bill, introduced by Wikipedia Israel, proposing that non-commercial use of government pictures be free of charge, as long as the use gives credit and does not manipulate or alter the photos in any way. In an interview, Sheetrit stated that one of the reasons for the government’s opposition to the bill was the fear of use of the photos by organisations hostile to Israel or wishing to promote the opposing narrative.

The bill was prepared following a study by Creative Commons Israel and Wikimedia which dealt with Crown copyright. The discussion was whether to apply fair use principles to these uses or to exempt them individually. The tension between personal uses and political uses was balanced by the Israeli Ministry of Justice, which drafted the bill for MK Sheetrit and exempted non-commercial use only.

Interestingly enough, the definition of what is commercial and what is not has yet to be discussed. It is interesting to note that both the language of the bill and the language opposing it treat copyright as censorship or an impediment to free speech. The rationale behind the bill, at least as stated by MK Sheetrit, was to allow the dissemination of Israeli Hasbara (propaganda) and the free use of Israeli imagery by bloggers, Wikipedia and other organisations wishing to enrich their works. However, again as stated by MK Sheetrit, the government’s opposition was based on the fear of use by hostile organisations. Both parties held the opinion that government works are part of the discourse and that copyright may be used to prohibit others’ speech or to let them take over one’s narrative. These rationales underplay the economic aspects of copyright and deal with fair use in a different manner: the ability to silence political speech.

If, indeed, the only rationale for copyright in Israeli government works is political, to maintain the political narrative, then one material aspect, the commercial value of the work, has to be set aside when discussing government works. Let’s, for this purpose, inspect the incentives behind copyright and see whether they apply to government works (based on the incentives described by Julie E. Cohen in Copyright as Property in the Post-Industrial Economy: A Research Agenda). The purpose of copyright was to encourage new and original authorship; however, in government works there is little originality, as most are either documentary (formal photographs or official journals) or the result of research; and even if commercial uses were made of these works, the government would continue to create.

Therefore, the incentives behind copyright do not exist for government works. What’s left is the apparatus of control, and this is actually what matters in copyright nowadays, more than its economic incentives: it seems that governments, like artists, wish to keep control over what others do with their works, thereby applying their political narrative through copyright.

Israel’s offer of an “Israel Friendly License” shows that we do have a problem: Israel wishes to enforce its political narrative through copyright, by granting a license to use its works solely to those who adhere to its standards. Because the government does not work for profit, we can learn from it, more than from any commercial entity, that fair use is required for criticism, because criticism is made exactly where people do not want others to use their intellectual property.

Biometric Database: A call for action

Written By: Jonathan under Categories: israel, law. It has 1 Comment and was posted on Jun 4, 2011

Last Thursday marked the final approval of the biometric database regulations and the biometric database order in Israel; the regulations and order were approved by a special panel in which only Meir Sheetrit and Abraham Michaeli participated, where Sheetrit was the initial entrepreneur of the biometric database in his position as Minister of Interior. This marks the end of a two-year process that began when the Knesset approved the biometric bill. The discussions prior to the approval were on who shall be granted access to the citizens’ biometric database (but not on whether it is really needed). According to the biometric law, any citizen or resident who joins the database shall have to provide the Ministry of Interior with his fingerprints and a photograph of his face, which will be stored in a central database that may be accessible to the Ministry of Interior, the police and other security services.

Following the public protest, made mostly on the internet, it was decided that the database shall commence with a pilot program which shall be no longer than four years. During this term, which shall commence this November, the necessity of the database shall be examined (however, recent statements show that the pilot is not actually a pilot). The only way you can help during this pilot is to refuse to provide the government with your fingerprints.

On the actual question of why the biometric database is dangerous to you and your country, there are numerous answers which were already raised by experts and discussed over and over again. Briefly, the stated purpose of the database is to prevent forgery of identity cards (and identities). However, in order to prevent identity theft and ID forgery there is no actual need for a biometric database, and several other methods already exist, including electronic identification cards. However, as we learned from a recently leaked document, the only reason a biometric database is required is to pass information about the citizens of Israel to the police. We learned this when the police rejected a safer means of storing biometric information detailed by Prof. Adi Shamir (the S in RSA), claiming that it cannot utilize the database if it is built in the Shamir method. And yes, the same police that uses extreme violence on protesters from right and left, against Arabs and against social activists.

Another reason to object to biometric identification and the biometric database is that once your biometrics are your unique identifier, anyone with access to this information could possibly steal your identity. And of course I need not remind you that you leave your fingerprints on any cup of coffee you drink, right?

So, once we have passed the “why we detest a biometric database in two paragraphs or less” part, the question that comes to mind is how you, as citizens, can protest against it. First, you have to understand that the state is going to try as hard as it can to persuade you to provide it with your fingerprints; the bureaucrats and clerks in the Ministry of Interior are obliged, by the national order, to offer you to join the pilot. Yes, in the same way that your grocery store clerk is obliged to offer you to join their value club, so does the clerk in the Ministry of Interior have to offer you to join the experiment.

However, one of the criteria set for the pilot is how many people out of the entire population did not join the database; these people have to be you. Beginning November 1st it is your civil duty to go to the Ministry of Interior’s offices and obtain new, non-biometric cards, so that your refusal to enter the pilot will be counted, and in two years’ time, when the pilot is examined, the parliament shall find out that no one wants it.

If you do not do so, then in two years you will find yourselves with a biometric database which, like any other database held in Israel, makes us forfeit our privacy.

[Originally published in 972Mag]

On Electronic War Crimes

Written By: Jonathan under Categories: Cybercrime, israel, law, State Secrets. It has 2 Comments and was posted on Sep 27, 2010

A rumor was spread that Israel was the brain behind an elaborate trojan horse, Stuxnet, which allegedly penetrated into the Iranian nuclear reactor and apparently caused damage. The trojan horse contaminated some civil facilities as well. The trojan horse, which utilizes no fewer than four different zero-day vulnerabilities in Microsoft Windows, seems interesting and elaborate. However, the alleged involvement of Israel, alongside the claim that civilian facilities were damaged in the act, raises one interesting question: could there be electronic war crimes?

Public international law, which bases the humane treatment of civilians on the different Geneva Conventions, sets the standards to be used in times of war and defines acts prohibited to states in order to keep wars as civil as possible. The different conventions limit force and sanctions against civilians, but do those treaties and conventions apply to electronic warfare?

Prima facie, article 53 of the Fourth Geneva Convention, which deals with protecting civilians in times of war, states that “Any destruction by the Occupying Power of real or personal property belonging individually or collectively to private persons, or to the State, or to other public authorities, or to social or cooperative organizations, is prohibited, except where such destruction is rendered absolutely necessary by military operations”. However, in this article the fourth convention applies only to occupied territories (Prosecutor v. Dario Kordic, Mario Cerkez). In contrast, the 1977 protocol amended and added to article 51 and stated that “Indiscriminate attacks are prohibited. Indiscriminate attacks are: those which are not directed at a specific military objective;”. Meaning that an electronic attack against civilian property that cannot discriminate between military and civilian facilities is prohibited (however, most states have not adopted the 1977 protocol).

Jack Goldsmith states that the inability to determine which computers are military and which are civilian may protect the use of computer viruses in electronic warfare, but I reckon the other way around: in the same way that indiscriminate shooting at innocent civilians is a war crime, so is using a trojan horse that does not distinguish between civilian and military computers. The indiscriminate use is as prohibited as the use of chemical weapons, which cannot discriminate between civilians and soldiers. It is not a coincidence that the terminology is the same: computer or biological viruses.

And what about civil liability? Theoretically, state immunity (and liability) should be limited in times of war (see, in Israel, The Act of Civil Torts (State Liability) 1952) and the state should not be liable for acts where it protected itself; however, this doctrine should not be used in cases where civil damage arose when the state knew, should have known and could have foreseen the damage (HCJ 8276/05 Adallah v. Minister of Defense). Therefore, the state should bear liability for the civilian casualties of Israel’s alleged cyber-attack.

Israel Blocked Access to a range of IP Addresses : Legal Implications

Written By: Jonathan under Categories: Internet, israel, State Secrets. It has 1 Comment and was posted on Aug 19, 2010

0.
Around two days ago, Israeli ISPs began to block access to certain websites from Israel. The list of websites is considered confidential, and according to media reports includes two websites related to gambling. The matter began around two months ago, when the Israeli police, alongside the tax authorities, arrested 28 suspects who were suspected of collaborating with two websites: Stan James and Victor Chandler. Shortly afterwards, the police approached the Israeli ISPs with a request to block access to those sites, claiming it has the authority to do so under clause 229 of the Israeli Penal Code. Though they had no court order, the district police commander interpreted his authority under the act, which is defined as “The Chief of a police district may order the closing down of a place where prohibited gaming, raffles or gambling is taking place”, as one that also governs the realm of IP addresses and Internet Service Providers. However, up to this moment no ISP has challenged this authority in court.

1.
First, to the question of whether the police actually has jurisdiction according to clause 229 (and see Adv. Ori Goldman’s opinion on the matter): in two cases the courts heard similar matters, though none had to face clause 229. The first was the Carlton case (CR 90861/07 Michael Gary Carlton v. Israeli Police; see Dr. Omer Tene’s explanation of Carlton), where the Israeli police requested to detain a foreign national who was involved in the operation of the Victor Chandler website (now blocked). Carlton stated that as the website does not operate from Israel, Israeli law does not apply to acts performed outside of Israel by non-Israelis. The court denied the claim, and asserted that Carlton’s acts were illegal as “In light of the fact that the appellant has the ability to identify the place of the end-user, prior to registering to the website, the appellant and his company’s blind-sight is material. It is expressed by the fact that while they are aware that gambling is prohibited in Israel, and by greed, knowing that the Israeli public is profitable to the company, they do not act in order to block access to Israel”. The other case is related to blocking a file sharing website at the request of the record companies (OCR 3485/08 NMC v. Eli Amar). However, the Amar decision was not a reasoned one, but a brief consensual decision.

2.
As a general rule, the Israeli courts have ruled that activities which are available to Israelis are under their jurisdiction and that Israeli criminal law may be applied to them. However, the question of where the authority under clause 229 applies remains unanswered by the Israeli courts: the Supreme Court has yet to rule on the interpretation of the matter, even without relation to the Internet, and lower courts have ruled regarding the clause without actually discussing the cases, approving warrants as a matter of habit without discussing constitutional rights. In one rare case, the court observed the infringement of constitutional rights (AA (Jer) 1666/09 Salima Kazam v. Israeli Police) and explained that the authority is too extensive: “The police chief has a rare authority to issue, based on administrative ex-parte evidence, a closing warrant which is permanent and infringes constitutional human rights: both a person’s right to freedom of employment according to the Basic Law of Freedom of Employment and his right to property according to clause 2 of the Basic Law of Human Dignity and Freedom. This is performed in the same place where the court, even after convicting a person of possessing or managing a place of unlawful gaming according to clause 228 of the penal act, may only fine or incarcerate the person”. The court emphasized the personal nature of the warrant and the human rights involved, even after rejecting the request to quash it. However, in another case, the court ruled that “the warrant is to close a place; it goes with the place and is applied to the place without regard to who operates his business in such place. Changes in the identity of the person who operates the place do not affect it … a warrant could be issued even without personal names, where you do not know who operates the place. The warrant has in rem applicability” (AA (Haifa) 538/02 Romach Trade Co. v. Zevulun Police).

3.
However, in one case the district court interpreted the rationale behind clause 229, where it ruled, interpreting the Supreme Court’s ruling in RCA 9140/99 Romano v. State, that “The rationale behind the law’s foundations … is not detached from the law’s purpose, which is to rule out social plagues which endanger a person and society” (OCR (Tel-Aviv) 32354/03 Gilian Trade and Marketing v. Israeli Police). The purpose of issuing a 229 warrant is to assist in preventing the negative impacts of gambling on society, such as criminal activities; the rule is that the police may act only to enforce the law and not to deter or punish (ACD 2316/95 Ganimat v. State, C (Krayot) 15336-01-10 State v. Amiaz); you cannot punish the proprietors of the place, its users and others by denying them legitimate uses, in the same way that you cannot arrest a person as a penalty.

4.
Therefore, the required conclusion is that when both gambling and non-gambling occur in a segregated manner, the legal activity cannot be closed down (AA 236/04 The 7th Heaven v. Israeli Police; other courts ruled, strangely, that 229 is punitive or deterring, AA 1709/09 Amar Razam v. Jerusalem Chief of Police); the gambling itself the police has to stop, and the collaborators have to be arrested. This conclusion arises from the same constitutional rights, including freedom of employment and the right to property and dignity. The police’s authority cannot be used to deter and cannot be directed towards activity which is not gambling. The police has to perform its acts in a manner responsible to the public. From here, we address the issue at hand.

5.
First, the police did not act in accordance with its authority under 229: the warrant was not personal and was not addressed to the proprietor of the place, but solely to whoever provided access to it; a warrant to block websites served on an ISP is like serving the bus company a warrant to remove a bus station next to a gambling house. The ISP is not the proprietor, not the operator and not the party the warrant should be addressed to. As far as the police has claims against a website, it should address its operators, even if they are outside of Israel, and initiate criminal proceedings. If the police still believes that the Carlton decision is in force, then they are free to act in accordance with it.

6.
Second, the warrant’s breadth. The warrant, granted against the websites and IP addresses [See Hebrew Warrant], requested to block the websites in full, even the parts not related to gambling. For example, if a person plays without wagering a bet, solely in the Play for Fun part of the website, then he is affected by the warrant without need. In such a case, the warrant is not narrowly tailored to the means needed and affects constitutional rights. Moreover, issuing a warrant against an IP address and a domain is equivalent to closing a shopping mall because one kiosk sells raffle tickets. In contrast to the Amar Razam decision, these are two distinct groups of users, different communities and uses, and there is no need to block the play-for-fun part.

7.
This means that we have already begun down the slippery slope (which our ministry of communication rejected): some of the websites blocked are not gambling sites, but only facilitate funds; one case, KeshCard.com, at least until proven otherwise, is a website for financial services and not gambling. The website allows payment, amongst other things, for gambling, but is a financial service similar to others and is no different from credit cards; therefore, there is no reason to block it.

8.
Finally, it is quite difficult not to discuss the websites blocked. Though the police know about hundreds of sites, the two families blocked relate to a regulated market in Israel: sports booking. The Israeli Council for Sports Betting regulates and operates the market heavily, and the proximity to the World Cup, where the Council’s earnings skyrocketed, is strange. Also strange is the proximity to the Israeli Anti-Trust Authority’s decision to consider pressing charges against The Pais, Israel’s second licensed gambling operation, after suspicion arose that it entered into a restrictive agreement with the Israeli Association for the Soldier (ISA), which is also licensed to operate, under which the ISA would not engage in raffles in return for a material donation from The Pais. Moreover, The Pais offered to provide more money to the country for more gambling rights, and even to pay salaries in local municipalities, and has previously offered to assist the police financially in the struggle against unlawful gambling.

9.
In conclusion, it is quite obvious that the censorship cannot stand; in order to drop it, a person who uses KeshCard or plays VC with “Play for fun” (meaning a person who was hurt by the warrant) should appeal against the censorship to a court. The ISPs forgot what public interest they are meant to protect, and the ministry of communication, whose authority was run over by one police warrant, does nothing.

[Material Comment: I am writing this without the consent or knowledge of any of my clients, and it does not reflect my opinion or any legal review I provided them]

[Originally in Hebrew]

Password Hashing and Criminal Liability

Written By: Jonathan under Categories: Internet, israel, law, security. It has 0 Comments and was posted on Jul 17, 2010

0.
Erez Wolf reports on a serious security problem which resulted from the hacking of an Israeli website and the theft of the usernames, emails and passwords of 32,561 accounts. The database of that commercial website contained user login details: usernames, emails and passwords. Relying on the presumption that most people use the same login details for most websites, this allowed Turkish hackers to hack and deface many user accounts on Facebook, as well as on other sites, that depended on the login details in the database. On the Turkish website containing the list there are indications of more hacked websites, including account details of 70,000 other accounts.

1.
We can point out two problems. The first, which we all know we do, is using the same password on more than one website. Even security experts do it (we call it a bitch password) on unimportant websites. The problem is that most people cannot remember more than a few passwords, so they use the same password over and over. More than 20% of the passwords people use are in a short list of 5,000 passwords; moreover, people use their birthdate, phone number or SSN as their password.

2.
The first problem, however, is the layperson’s problem. The second problem is the law authorities’ problem. The hacked website kept the passwords in a retrievable format in case the user forgets them. Meaning: the passwords were saved in plain text in the database, accessible to more than just the website’s administrator. The common method of retaining passwords is Password Hashing, which means that each password is passed through a one-way hash function, so that a password can only be authenticated, never restored. By using this method, you can never send users their own password, but only reset it when they forget it. Therefore, you need to authenticate the user’s identity in a different form, like email; this ties the user’s identity and allows more credibility in e-commerce, but has other implications as well.

By using this method, if the database is hacked there is no way to use the passwords (with one exception: if the password is a dictionary word, it can still be recovered using a tool such as Cain & Abel). Therefore, you can be certain that if your database is stolen, no one could use it.
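As an added example, not code from the post or from the hacked site, here is the storage scheme the two paragraphs above describe, in Python: the plaintext "retrievable" record beside a salted, iterated hash record (PBKDF2-HMAC-SHA256, an assumed choice of algorithm), a verification routine that can only confirm a candidate and never hand back the password, and a check that shows the dictionary-word exception, namely why a fast unsalted hash of a common word is as good as plaintext while a per-user salt defeats a precomputed table. The record format, the iteration count, the function names and the word list are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt per user; the iteration count is the kind of value chosen for
# current hardware so that guessing is slow for whoever steals the database.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The 'retrievable' scheme the hacked site used: the stored record is the password
    itself, so anyone who can read the database reads every password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per user means two users with the same password get different
    records, so a table of pre-hashed dictionary words cannot be matched against them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the record's own salt and iteration count and compare in
    constant time. Nothing here can produce the original password from the record, which
    is why a site using it can only reset a forgotten password, never send it back."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported record scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha1(password: str) -> str:
    """The weak storage form the post's exception refers to: a fast hash with no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def dictionary_recoverable(unsalted_digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Why an unsalted fast hash of a dictionary word is barely better than plaintext:
    hashing the word list once gives a lookup table from digest back to password, and the
    same table works against every record in the database. Returns the recovered word,
    or None when the digest is not in the table (a salted record never is)."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return table.get(unsalted_digest)


if __name__ == "__main__":
    # Constructed sample data, not records from the breach the post describes.
    user_password = "correct horse"
    common_words = ["123456", "password", "qwerty", "letmein"]

    print("plaintext record:", store_plaintext(user_password))
    rec = hash_password(user_password)
    print("hashed record:   ", rec)
    print("verify right password:", verify_password(rec, user_password))
    print("verify wrong password:", verify_password(rec, "wrong guess"))
    print("same password, distinct records:",
          hash_password("letmein") != hash_password("letmein"))
    print("unsalted SHA-1 of a dictionary word recovered as:",
          dictionary_recoverable(unsalted_sha1("letmein"), common_words))
```

The record carries its own salt and iteration count so that the count can be raised later for new passwords without breaking verification of old ones; the constant-time comparison keeps a verifier from leaking how many bytes of a guess matched.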

3.
The problem becomes a tad more legal when you understand the Israeli Privacy Protection Act, which defines Information Security in clause 7 as “protection of the Data’s integrity, or protecting the data from disclosure, use or copying, and all without legal authority”. Clause 17 states that the owner of a database, its manager and its holder are all liable for the database’s security and integrity; meaning that the owner of this website, and whoever provided him with information security services, are liable for the data protection here and may face criminal sanctions. However, up to today no criminal charges have been brought against people who violated the data protection clauses, but it seems that this time the Israeli Law, Technology and Information Authority should apply its legal power and impose sanctions.

4.
When the authority wants more and more power, amongst which is the power to search databases, it shows it has the intent to enforce the law. On the other hand, the leak of 30,000 records of usernames and passwords shows how people’s lives may be hurt solely because of faulty data protection procedures. In any other case where thirty thousand people suffered damages, the case would look different. When Heftziba, a big contractor, became insolvent, it left 4,300 people homeless or with half-built apartments. People became angry, sued, and criminal charges were brought.

5.
The information in the database is highly personal, it is dangerous and there are people who are liable for its leak. Will they go to prison? I doubt it. However, they did not apply means to protect the data, and no reasonable security person would allow what they did. Someone has to pay.

[Originally Published in Hebrew]

The ‘No Classified Information’ State: An Open Source Solution to a National Security Problem.

0. Abstract
Could a state with no secrets function better at protecting national security than a state that keeps information away from the general public? In this brief article, we will inspect the reasons for keeping classified information, what it is meant to protect and how it protects national security. We will present the method used by Israel, which is similar to that of most states. Israel’s approach, which is to keep all the information from the public, has failed in general and caused nothing but costs to privacy, freedom of expression and national budgets.

Following our review, we will compare the classified information model to a model in information security called Security through Obscurity, and show how this model came to be perceived as flawed. Against it, we will present the Open Source model, which creates transparency towards the general public, allowing it to inspect the security flaws, and therefore creates stronger protection.

Our conclusion would be that better national security could be reached by removing all classified information and disclosing all information to the general public. We believe that by making the information public, the cost of the censorship apparatus will be eliminated. We also believe that by adopting a ‘no classified information’ approach, governments may improve physical security when they rely on the foundations of open source security as detailed herein.

In my brief argumentation I will use the Israeli law, but provide some examples from other cases.

1. Classified Information and what it Protects.
Every state has its secrets. States choose, in certain cases, to withhold information from the general public. Classifying information goes back as far as Greek times, and follows the standard four categories: Top Secret, Secret, Confidential and Restricted. Israel has four apparatuses in charge of confidential information: the Information Security Department, whose goal is to prevent classified information from leaking from the army; the Military Censorship, which operates under the Defense Ordinance (Time of Emergency), 1945, controls media publication and telecommunication, and has authority to refuse the publication of any information that has any relation to national security; the General Security Service (Shin Bet), which acts according to the General Security Service Act of 2002, where clause 7(2) allows the service to classify documents and determine how to handle them; and the Director of Security of the Defense Establishment, which is in charge of security in military industries, research facilities and other national security industries.

Some authorities to classify information do not appear to exist in law, and some operate under the vague and broad exemption added in the Freedom of Information Act, 1998. Clause 9 of the Israeli FOIA exempts from disclosure any information which may harm national security, foreign relations, public safety or a person’s well-being. Even in cases where classified information was disclosed, the courts still allowed the security agencies broad discretion as to what to blur out (HCJ 258/07 Zehava Galon v. The Governmental Committee for Inspecting the Battles in Lebanon 2006).

But what constitutes confidential information? There are no actual guidelines for determining what is confidential and how confidential specific documents are, and every document that contains ‘information’ as defined in the Israeli Penal Code is covered: in part II, chapter 7, the Penal Code provides a broad definition, inflicting legal sanctions on disclosing any information to an enemy where it might be useful to him (clause 111). Confidential information is defined as any information where national security requires keeping it secret, or information relating to any matter that the government, with the consent of the parliament committee for foreign relations and security, declared confidential. Critics of this arrangement proposed an amendment, but following the Parliament’s research center’s comments, these amendments were not implemented.

The burden of proving what constitutes non-confidential information lies on the defendants (see, for example, CC 1055/01 State v. Yacov). In Yacov, the court explained that while “the military censor is qualified to strike out information which is most likely about to severely damage national security”, the penal code is wider, and applies to any case where national security requires keeping the information secret.

In another interesting case, the widow of a person who worked in the nuclear research facility requested to receive the results of an epidemiological survey that the facility had conducted among its workers. The State declined to provide the information, explaining that it relates to national security. However, when the court rejected the state’s claims, it expressed criticism of the state’s conduct: “the state wiggles in its arguments and cannot point to a normative authority from which it draws the classification of the information. It is, according to the state, basic foundations, but these basic foundations have to be applied by the General Security Service Act, 2002, and the rules according to it (which are classified, so the state cannot disclose them to the court, but as a graceful act the state is willing to summarize them)” (CA (Tel-Aviv) 2571/01 Hanna Hizi v. State). The court itself explained that it cannot understand classification, and that the state has to acknowledge the differences between confidentiality and classification. Classification does not create a basis for excluding evidence unless the state decides to exclude the evidence on national security grounds according to the Evidence Act, 1971; and in cases where the court finds that the evidence may have assisted the party who wishes to submit it, the state shall default (OCR 2489/09 Zeev Braude v. State).

The Israeli Supreme Court dealt with the question of what constitutes classified information in Vanunu (CA 172/88 Mordechai Vanunu v. State). In Vanunu, a former worker of the nuclear research facility was charged with espionage when he disclosed information regarding Israel’s nuclear activity to press agents in the UK. The Supreme Court decided to convict Vanunu of collecting and disseminating information to the enemy. The court analyzed this clause and explained that “He who provides information to the enemy; meaning, any information, even if it is public information arising from the press, his activities fall into clause 111”, thereby eliminating any need for classification at all.

What does classified information protect? This question is a difficult one to answer. Some claim that the purpose of classifying information is withholding it from foreign agents, and explain that when many people have access to certain information, it harms national security. Classifying information makes it harder for counter intelligence and foreign military forces to obtain information regarding a state’s forces, and allows the state to operate where the other party does not know its rules of engagement, its powers, its officers or even its defense mechanisms.

But the real question is how much this information, used by foreign intelligence, endangers national security, and whether the burden of protecting this information outweighs the value of keeping it secret.

When the classified information is the actual secret (e.g. the actual location or time of a specific operation), then it is assumed (though not significant) that information about the operation that becomes available to hostile forces may lead, at the least, to less successful results. There are, however, sets of information that are considered confidential but are not pieces of information that have a connection to current, ongoing operations (beyond a statistically insignificant one), or other information that, if leaked, may cause damage to national security.

For example, the actual existence of a specific weapon, or the location where a missile fell after an air strike, cannot be considered a state secret, for several reasons. The first is that it is not kept away from the public, as what the general public sees cannot be considered a national secret. For example, during the 2006 war, the military censorship requested Tapuz, Israel’s largest forum operator, to censor posts made by civilians about where Hizbullah missiles fell. Another case where information in the public’s plain view was considered confidential was when Parliament Member Yossi Sarid threatened that he may disclose information about weapons used by the IAF after the IAF killed and wounded dozens of Palestinians, including civilians, with weapons that were allegedly in plain view.

Another case where publicly visible information was considered confidential was when Israel denied using phosphorus during the Cast Lead operation of 2009, where the evidence was left in the Gaza Strip, which allowed the Goldstone committee, which inspected Israel’s activity following the operation, to find that Israel’s denial was false. So, in this case, how could the use of phosphorus be considered confidential information when there is evidence in plain view regarding its use?

Therefore, information can be considered confidential only as long as no public information regarding it exists. For example, the location of specific military or nuclear facilities that are located close to cities and have road signs directing to them cannot be considered confidential information. Israeli blogger Ido Kenan points out that Israel has a policy of withholding this confidential information on road signs presented in Arabic, and leaving the confidential information only in Hebrew and English.

In conclusion, classified information in Israel is defined in an overbroad manner, containing information that may be considered in plain view and known to the general public. By acknowledging this flaw, we may understand the basis of information security and examine the weak points of such method of information security.

We believe that there has to be a difference between the classification of security mechanisms by themselves and information (data) which relates to specific, mission-critical information that is classified. The difference is between information regarding the existence and functions of a specific unit, its weapons and its history, and current plans regarding an operation.

2. Security By Obscurity, A Problem
2.1 Security By Obscurity
When trying to protect information in a digital environment, information security practitioners use two popular approaches. The first is Security through Obscurity. This approach, which is quite similar to the Israeli approach to classified information, hides all security-related information from plain view and classifies it as confidential; under it, "a system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them". The model rests on the assumption that others are unaware of the activities taken and that most confidential activities can be kept out of plain view.

The flaw of this model is that the very secrecy of the information is what lets security flaws remain secret as well. For example, GSM encryption was broken in 2003, and again in 2009. These breaks were published because they were academic research; in other cases the attacker may be far less eager to publish. Employees or contractors may sell known exploits that were never fixed, and criminals may sell unknown exploits either to other criminals or back to the company itself. Moreover, relying on a sole provider to fix a security breach can sometimes cause more problems than it solves.

The main disadvantages of Security through Obscurity may be summed up as: (1) few people inspect the system for flaws, and in some cases inspecting the system at all may be illegal; (2) hostile entities that do review the system's security do not disclose their results; (3) dependency on a single vendor or provider to review and fix security breaches.

2.2 The Open Source Model.
In contrast to Security through Obscurity, Open Source advocates rely heavily on Security through Transparency. Under this approach the algorithms and software used to encrypt or protect information are known to the public, which gives the public an efficient way to report security vulnerabilities and even to propose fixes. The more people who have the chance to inspect the security mechanism, the safer it will be.

For example, security firm Secunia found that more security flaws were reported in the open-source Firefox than in proprietary browsers, but the number of unpatched zero-day flaws was significantly lower, and so was the time it took to fix any flaw. By making all of its information public, a software vendor can achieve better security and allow any researcher to discover flaws. Moreover, transparent security mechanisms may also deter attackers from looking for ways to exploit zero-day flaws, for fear of being caught (see also David Wheeler, "Is Open Source Good for Security?").

The Open Source Model does not ignore the basic concepts of information security; it acknowledges their flaws and attempts to build better models on top of them.

3. Could Building a Transparent State Solve National Security?
Could we imagine a state in which all publicly visible information is deemed non-confidential, security mechanisms are public and open to scrutiny, and confidential information is reduced to a minimum? We believe so.

Currently, a state like Israel has to operate counter-intelligence just to counter the collection of plain-view information and to protect against hostile action. Under an open source model, counter-intelligence could be abandoned and replaced with crowd-sourced models, which would help build stronger mechanisms of protection.

Moreover, removing the ambiguity surrounding at least Israel's nuclear weapons would assist deterrence and strengthen national security. Weak points in Israel's theoretical protection would be visible to the public and could be fixed quickly; moreover, the items that actually require protection could receive the funds and resources needed to protect them.

3.1 What is there to lose from revealing all classified information?
While we do not necessarily wish to reveal all information, certain information relating to means of operation and security regulations has to be declassified. For example, both the General Security Services Act and the recent Inclusion of Biometric Information and Data in Identification Documents and Database Act of 2009 state that all regulations and orders will be classified, as will any information regarding security breaches. Moreover, when the act was discussed in Parliament, security experts raised concerns over the database's possible flaws, and the Minister of the Interior, Eli Yishai, ordered the security protocols opened for discussion, but no such discussion ever took place. Keeping the database, the security guidelines and notifications of security breaches secret looks sensible to someone who fears that an enemy may abuse such faults; in the eyes of a security researcher, however, it allows zero-day flaws and known vulnerabilities to be used against the database (see, for example) and creates a false sense of security.

The only thing an authority stands to lose when its secret protocols, orders or regulations are disclosed is the cover for its misconduct or unlawful acts. For example, as a result of an appeal by Israel's Freedom of Information Movement, it was revealed that the cellular companies were required to adhere to secret regulations on cooperating with intelligence agencies and disclosing subscriber information.

Therefore, when the government's default approach is that there is no need for privacy unless a person has something to hide from the government (which appears to be the Israeli government's default, as the Biometric Database Act, the Criminal Procedure (Submission of Metadata) Act of 2007 and other statutes turning Israel into a surveillance state show), the public's default approach towards the government should be that all of its secrets exist to cover up unlawful activity.

3.2 What is there to gain from revealing all classified information?
First and foremost, the Israeli Government may regain public trust by disclosing its activities. The Israeli public, for example, strongly believes that the Biometric Database will leak, mostly because a great deal of sensitive data has already leaked from government databases, and 70% of the general public does not trust the protection of databases in Israel. A separate survey by Symantec found that 60% of people do not trust the government with their private or personal information.

The sense of betrayed trust may be healed by disclosing information about data breaches and information security to the public. Beyond public trust, the government may also gain better protection of its classified information. The Israeli government could adopt what computer giants like Google and 3Com already do, and pay a bounty for every security flaw found.

Currently Israel has many unknown security flaws, which remain confidential until a hacker gets caught. For example, Israeli white-hat hacker Moshe Halevi (Halemo) was charged with hacking after he used a pre-paid credit card to show that the Israeli Fines and Fees Center had a bug in its URL handler that allowed a person's fines to be reset. In a detailed ruling (C 9497/08 State v. Moshe Halevi), Judge Avraham Tenenbaum explains why Halemo's activity was not hacking but solely security testing (a similar case, CA 8333/03 State v. Mizrachi, holds that port scanning cannot be criminal when done for the purpose of security inspection). Therefore, we can argue that the state has a compelling interest in discovering flaws.

3.3 The state’s approach to security flaws.
However, we see that in most cases the state prefers to withhold information about security flaws from the public and to litigate against the persons who discover them. Moreover, when flaws are found, the Security through Obscurity approach usually means that the way the state fixes the vulnerability is not only insufficient but negligent.

In one case, white-hat hacker Halemo discovered that the Israeli Court System's website disclosed judges' ID numbers (the equivalent of Social Security numbers): the URL of each judge's page on the site contained his ID number. After the flaw was exposed, the state set out to fix it, and replaced the ID in the URL with a Base-64 representation of the same number.

However, if we required the state to disclose its means of security, it would have had to disclose how the judges' ID numbers were encrypted or protected, and everyone would have understood that neither plain text nor Base-64 is a protection mechanism at all: Base-64 is a reversible encoding, not encryption, and anyone can decode it back to the original number.

4. Applying Software Solutions to State Secrets: A Conclusion.
We believe that not all information has to be public; some things are better kept secret. However, if we learn from information security practice, we must acknowledge that better security can be achieved by disclosing more information to the public. Applying the open source model to state security allows transparency in decision-making, better algorithms, fewer resources spent on counter-intelligence and more resources allocated to protecting genuinely mission-critical information.

Moreover, greater trust could be built between government and citizens, reinforcing the social contract and improving political participation.

Currently, governments place too much trust in security through obscurity when operating mission-critical processes, so that when a process is flawed, the consequences are enormous. Open source models could prevent mishaps such as Israel's use of phosphorous, George Bush's Weapons of Mass Destruction lie, and Israel's reliance on racial profiling in airports as a means of security.

Israeli racial profiling is a telling example. It is highly efficient today, and better than the US TSA guidelines, but it rests mostly on the assumption that Jewish nationals are not a threat to national security while Arabs may be (HCJ 4797/07 The Israeli Association of Civil Rights v. The Terminal Security Authority, decision pending). As long as the security guidelines were secret, it seemed remarkable that no security failure occurred. Now that the guidelines are known and understood, however, it is easier to design a way around them. Adopting new guidelines will therefore be useless, since they are inefficient (unless, again, they are based on racial profiling).

Therefore, in order to regain national security, Israel will have to adopt the Open Source Model before a major security event forces it to understand that this is the only option. Remaining with Security through Obscurity may protect confidential information, but it cannot protect national security.