Dropbox: when a security hole becomes a feature, and vice versa.

Written By: Jonathan under Categories: copyleft, copyright, File Sharing. It has 1 Comment and was posted on Apr 27, 2011

0.

About a month ago I blogged about the need to protect cloud storage users from their cloud service providers. I offered a mechanism to protect a person’s files from the cloud and gave Dropbox as an example. I chose Dropbox both for its simplicity and because, given Dropbox’s architecture, I knew that last month’s events were bound to happen. First, we found out that Dropbox did not protect end-users from the cloud and allowed law enforcement to access their files, as a part of their privacy policy. Second, Dropbox misbehaved when it shut down an open source file sharing project that was built on a file sharing flaw in Dropbox, which was a feature, not a bug.

1.

In order to understand how the feature worked, you have to understand how Dropbox dealt with files as a part of their service: Dropbox recognized files and their digital signatures, and when it saw that it already had a copy of a file, it used the existing copy instead of uploading it from the end-user’s computer. For example, if I wanted to put my (legally purchased) Justin Bieber MP3s in my Dropbox, then when connecting to the Internet, Dropbox would have recognized that it already had those files from another person (who, of course, legally purchased them) and just copied them to my cloud folder. This was not a bug, but a feature: it saved storage, bandwidth and computing power and it allowed users to thrive.

2.

However, it also allowed another thing: some people decided to use Dropbox to share files. All they needed in order to do so was to share the hash value of each file, and Dropbox did the rest: it took the files from the cloud and copied them to their computers. Of course, they could always have created shared folders of pirate downloads and shared them with the public, but the users decided to create a peer-to-peer system for cloud hosting. Dropbox did not like the idea at all: it issued DMCA takedowns against the source code of the hack, called Dropship, calling on the companies hosting the files (in this case, Dropbox itself) not to host it, and amended its service just to prevent such use.

3.

Dropship did not do anything illegal; it just did to Dropbox what AIMSter did to chat services a decade ago. When its authors found a security hole that allowed you to copy files simply by knowing their hash value, Dropship showed the public the flaw in Dropbox: the fact that any person can copy any file from any other Dropbox without knowing anything but the hash value. This was not a feature anymore; it became a bug, and the only way to eliminate the bug is actually to rewrite Dropbox with privacy by design.
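The behaviour described in sections 1 to 3, modelled as an added example (this is not Dropbox's or Dropship's code): `NaiveDedupStore` links any stored file into a folder on presentation of its hash, while `ChallengeDedupStore` keeps the deduplication but first asks for a fresh keyed digest over the content. The class and function names, the SHA-256/HMAC choice and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class NaiveDedupStore:
    """Toy model of the design in the post: knowing a hash is enough to link a file."""

    def __init__(self):
        self.blobs = {}    # hash -> content, one stored copy for all users
        self.folders = {}  # user -> set of hashes linked into that user's folder

    def upload(self, user, data):
        digest = sha256_hex(data)
        self.blobs.setdefault(digest, data)  # store once, reuse afterwards
        self.folders.setdefault(user, set()).add(digest)
        return digest

    def link_by_hash(self, user, digest):
        # Weak point: nothing checks that `user` ever held the content.
        if digest not in self.blobs:
            return False
        self.folders.setdefault(user, set()).add(digest)
        return True

    def download(self, user, digest):
        if digest in self.folders.get(user, set()):
            return self.blobs[digest]
        return None


class ChallengeDedupStore(NaiveDedupStore):
    """Same deduplication, but linking needs a fresh proof computed over the content."""

    def __init__(self):
        super().__init__()
        self.pending = {}  # (user, digest) -> one-time nonce

    def begin_link(self, user, digest):
        if digest not in self.blobs:
            return None  # unknown content: the client has to upload it
        nonce = secrets.token_bytes(32)
        self.pending[(user, digest)] = nonce
        return nonce

    def link_by_hash(self, user, digest, proof=None):
        nonce = self.pending.pop((user, digest), None)  # nonce is single use
        if nonce is None or proof is None:
            return False
        expected = hmac.new(nonce, self.blobs[digest], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.folders.setdefault(user, set()).add(digest)
        return True


def prove_possession(nonce, data):
    """Client side: only computable by someone who holds the file bytes."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


def demo():
    data = b"constructed sample file contents"  # constructed input

    naive = NaiveDedupStore()
    digest = naive.upload("alice", data)
    naive_linked = naive.link_by_hash("bob", digest)      # bob knows only the hash
    naive_leaked = naive.download("bob", digest) == data

    hardened = ChallengeDedupStore()
    hardened.upload("alice", data)
    nonce = hardened.begin_link("bob", digest)
    # With only the hash, bob cannot compute the keyed digest of the content.
    hash_only = hardened.link_by_hash(
        "bob", digest, prove_possession(nonce, digest.encode()))
    nonce = hardened.begin_link("carol", digest)           # carol holds the file
    holder = hardened.link_by_hash(
        "carol", digest, prove_possession(nonce, data))
    return naive_linked, naive_leaked, hash_only, holder


if __name__ == "__main__":
    print(demo())
```

The challenge only closes the hash-as-access-token problem; the provider still reads every stored file, which is the separate issue the next post addresses.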

4.

Dropbox came out as the lesser party. After enjoying a wave of great publicity and reaching 25,000,000 users without any marketing or advertisements, it seems that they jumped a bit too high. Freedom and flexibility were the main reasons to use Dropbox, as well as the lack of actual competition. However, once you know that your information is both insecure and constantly monitored, you feel less than safe in the cloud.

5.

Maybe it’s time to reconsider the whole cloud hosting model. Dropbox was great while it lasted, but it should go the way of the dodo, and we should find a more cooperative, interactive, friendly cloud storage service.

Privacy and Data Protection in the Cloud [For CloudCon 2011]

Written By: Jonathan under Categories: File Sharing, Internet, security. It has 4 Comments and was posted on Mar 29, 2011

This Wednesday I’ll speak at CloudCon 2011. Instead of a regulatory lecture, I decided to focus on a technological solution to a legal problem, which I believe might be elegant. I’d appreciate it if you could join me at CloudCon or just come over to say hi.

0. The Cloud and Your Information.
On the verge of the Age of Intelligent Machines, Cloud Computing brings a new era for data processing. The Cloud holds more and more information, where data owners and data subjects lose physical control over it. If the old-world model was that data about the end-user was held by the service provider, which processed and brought the data to the end-user, the cloud model allows the service provider to hold the information for the end-user at the quarters of 3rd parties. For this brief lecture, we’ll use Dropbox as an example, but when Dropbox’s examples fail, we’ll move on to others. In brief, Dropbox is a storage service which automatically backs up your information remotely on Amazon’s S3 servers. When you install Dropbox, you use at least one more CSP (Cloud Service Provider) and are subject to its terms.

1. Shared Hosting, Shared Computing, Shared Control [meaning: The Problem];
Now, who has control over your information? Dropbox’s privacy policy states that “Dropbox cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process”; likewise, Amazon S3’s privacy policy states that “We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements”. Meaning, both Amazon and Dropbox shall comply with law enforcement requests and provide information if a court says so. Generally speaking, this is a good thing.

Let’s put this in proportion, however. Let’s say that I produce lemonade and have a trade secret: the recipe. I store it in my Dropbox folder, as I need to provide access to several employees and I want it to be backed up securely. Now, my biggest competitor wants to access my lemonade recipe. He goes to court, and with a good attorney gets an Anton Piller Order (an order allowing him to seize my assets held by a third party before any legal process is in progress); the order is based on his claims that I stole the recipe, and the court rules, ex parte, that Dropbox should grant him access to my files. This is done because my competitor’s claim was that Dropbox itself holds the files. Dropbox receives the order and does not know how to treat it: it is unable to determine whether I am the actual owner of the file or stole it, and has to provide the files to my competitor: an order is an order.

There are two material differences that come to mind between cases where I hold the information and where the ISP holds it, and these differences explain the problems of using cloud storage for such sensitive information: (1) If I held the material, each order would have to be executed with my knowledge, because the files were stored at my quarters and under my control [see, for example, RCA 1810/10 PCIC v. Kaplan, where a shared hosting provider was requested to reveal the email accounts of one of its users without their knowledge]; (2) The CSP has a rational indifference as to disclosing my information, as if it does not, it might incur liability. Israeli Courts ruled in several cases that active participation and interest in not removing content even after knowledge of infringement may incur liability [for example, C 176992/09 Eti Abramov v. Aviv Frenkel, C 32986/03 Buschmitz v. Refuah]. Therefore, when you post information on the cloud, you are at risk that your information might be sought by other parties.

The question is whether it is technically possible to do so: could CSPs access your files? Let’s say that, legally, Dropbox’s terms allow such use, and that other CSPs (such as Google, as a provider of email services) were already ordered to reveal a user’s IP address (C 4854/07 Berlomenfeld v. Google) and disabled access to other accounts. Moreover, Dropbox (and let’s take Dropbox as an example) designed the architecture; it has the ability to recover my files and to recover my password, meaning that it can always bypass its internal security mechanisms.

2. Loss of Centralization;

Now, as we see it, when we discuss CSPs, we know that the control has to move from one centralized user to many distributed players, where each has the ability to disclose the information. At least prima facie, the CSP is considered a 3rd party that either retains the information or processes it. For such cases, the Israeli Law, Technology and Information Authority has issued a draft set of regulations regarding processing by 3rd parties or outsourcing services.

Now, if I hold sensitive information on 3rd parties, and some of it is held on the cloud, then I have to make sure that my CSPs adhere to a privacy policy that protects my information. For example, if I am a lawyer, I have to notify Dropbox that I am one and that all my information is protected under an attorney-client privilege so that when they receive such Anton-Piller orders, they’ll refuse and defend me. Moreover, I have to make sure that my CSP shall not divulge any personal, private or sensitive information to any 3rd party either with or without my consent.

3. Protecting Yourself from Your CSP;
How can one protect himself from his CSP? Theoretically, there are a few suggestions for Encrypted Cloud Storage (for example, Kamara et al, “Cryptographic Cloud Storage”) which offer a theoretical, yet to be implemented, method of encrypting information on the cloud. Generally speaking, their proposal is that “Before uploading data to the cloud, Alice uses the data processor to encrypt and encode the documents along with their metadata (tags, time, size, etc.), then she sends them into the cloud. When she wants to download some documents, Alice uses the TG to generate a token and a decryption key”.

Another technological option is to encrypt the virtual machine’s drive or to use encrypted file systems on cloud storage. Another option is to use encryption software, such as TrueCrypt, on your cloud storage service (such as Dropbox); however, such a solution may be problematic, as Dropbox cannot access your filesystem and might have to back up your entire folder each time you change any one of your files.

A different approach may be to establish a secret sharing mechanism where the information may be distributed on several different clouds, each holding only a portion of the information (such as in Parakh et al, Recursive Secret Sharing for Distributed Storage and Information Hiding).

However, these solutions are theoretical and have yet to be implemented by organizations or storage services as an integral part of their scope of services (maybe, apart from this one).

4. Solution[s];

Let’s discuss solutions as well. We need to form a strict set of rules of how to define a cloud system as privacy enabled. Our requirements are that the CSP shall allow: (1) seamless access to the set of files; (2) indexing and searching; (3) sharing parts of the information with 3rd parties; (4) reporting on each authorized and unauthorized access.

Mounting an encrypted virtual filesystem allows three out of the four: access, indexing and reporting. However, in order to share the information with 3rd parties, access to the filesystem has to be granted to the CSP (especially in order to allow sharing, see Yunqi Ye et al, Dependable and High Performance Cloud Storage). The other option is to encrypt each file differently (with a different symmetric key for each file, so that no problems with sharing the files exist); however, such an option does not allow search and indexing (or requires a central key database), and therefore also allows only three out of the four conditions.

Even if we assume that the encryption is symmetric, and that each sharespace between users receives different symmetric keys, we cannot define the solution as seamless: in order to convert files from a privatespace to a sharespace, a client-side conversion of the files is required, as it is when files are copied from a private folder to the shared folder (also, a keyserver is required).

Let’s take, for the solution, Adi Shamir’s secret sharing mechanism (Shamir, How to share a secret) and, for the purpose of this solution, define our efficient threshold as one (1) user. In such a case, we define the shared folders with at least three cryptographic keys (one for the folder, to be shared with anyone, and one for each user). In this way, each user could read or write to the folder seamlessly, could also index and search using his key (and the shared key), and could share the information with others (by adding another key).

Implementing secret sharing in such a case (which has yet to be tested) may allow enhanced privacy with the flexibility of sharing the information through networks and users.

5. Conclusions.

We have yet to implement a technological solution to a legal problem we might face in the near future. The unwanted loss of control over data stored in the cloud, especially sensitive information, is inevitable nowadays due to current architecture, CPU and bandwidth limits and other problems.

However, theoretically and with a little hassle, an encryption-based model may be implemented in order to allow storage of information on remote servers (i.e., the cloud) where the CSP cannot access the files but the end user may share such files with 3rd parties of his choice.

Music this good can’t be illegal: On illegal art and remixing.

Written By: Jonathan under Categories: copyleft, copyright. It has 0 Comments and was posted on Mar 19, 2011

A year ago, I conducted, alongside Dr. Nimrod Kozlovski, comprehensive research about Fair Use in Israel, which was made for Consumers International. The 2010 Report about Fair Use in Israel was the first of its kind; we reviewed almost all the court decisions regarding fair use ever since the young state of Israel was established, conducted a survey among hundreds of content creators and interviewed dozens of people whose work involved copyright: musicians, artists, photographers, journalists and others. We wanted to find out how they felt about subjects such as remix artist Kutiman’s Thru You and other issues relating to sampling, remixing and building upon others’ works. One of the interviews I conducted was with Terry Poison’s Bruno Grife. Terry Poison, for non-Israeli readers [wiki article], is a popular music band with electro-pop influences which, quite interestingly, displays the new Israeli music, as it is not targeted at Israelis, is written in English, and is performed worldwide.

I spoke with Bruno for about an hour and one of the subjects was, because of Terry Poison’s music genre, the question of remixing and fair use. Actually, not the “fair use” in the classical form of the Israeli Copyright Act that is solely for self learning, research, criticism, review, journalistic reporting, quotation or teaching and examining by an educational establishment, but the Cultural Fair Use which was created in C 7648-09-08 Smadar Katz v. Ben-Tzion Rothman and OCR 11646/08 Premier League v. John Doe. In both cases, the court addressed fair use as a cultural right, and ruled that uses may be fair even if they are not in the extensive list of purposes.

Bruno explained that “when fans upload a portion of our show to YouTube it disturbs me, but when our fans perform homages such as LipDubs, it doesn’t … if a fan takes something that is ours and then remixes it, we’d love to integrate it. If it’s good, it’s good. But when something turns commercial, the line is drawn”. Afterwards, he explained where he uses others’ materials: “we perform live mash-ups, I can take the chorus of someone else and take-off my music, because it is a part of respect for the influence he gave me, and live music is the place to let others discover music we love”.

But putting all of this aside, a recent arbitration between two popular Israeli musicians puts this issue in a whole new perspective. [Hebrew link to the news story]. In 2002, Israeli band Hadag Nachash released an album called Local Substance (actually, more like “Local Material”, but the reference to drugs all over the album is a part of the decision). One of their songs, “Ma Naase” (what will we do), was influenced by or quite similar to another Israeli artist’s classic hit, Ariel Zilber’s “Veeich Shelo” (no matter what, literally). Zilber sought arbitration, claiming Hadag Nachash violated his intellectual property rights; and Justice Theodore Or, sitting as the arbitrator, awarded damages to Zilber and issued an injunction prohibiting Hadag Nachash from performing this song in their shows, mandating them to recall their albums from record stores and removing this song from the ACUM (the Israeli equivalent to ASCAP) repertoire.

Hadag Nachash’s Song

Zilber’s Song:

However, the question of whether Hadag Nachash copied the song isn’t relevant if you discuss cultural fair use. This right is a person’s right to perform homage, to give credit, to take the music he grew up on without harming the original music’s commercial value. Hadag Nachash’s homage to Ariel Zilber does not harm Zilber’s ability to sell even one album, in the same way that sampled music never harmed the value or commercial potential of music. If we take interesting examples of sampling showing increased sales, we can see that Eminem’s song, Stan, was what brought the success of the sampled Thank You, performed by Dido.

This shows how the tort in copyright, where copyright should prevent damages to the plaintiff, crashed. Zilber did not and won’t lose money here. In old songs, older than 5-6 years, the commercial value of the work was already maximized. And as usual, the fact that someone creates work based on your work and makes money off of it doesn’t mean that you have to be compensated (see, for example, C 1074/05 Maariv v. All You Need).

Therefore, the unconstitutional prohibition of playing the song makes it a part of the Illegal Art Corpus, in the same way that DJ Danger Mouse’s The Grey Album was: the only way to hear the song is to download it illegally from the file sharing networks. Now the question arises of what Zilber will do against all the bloggers who put up the song in their blogs to explain the case.

And finally, I want to show a small homage that Israeli artist Edan Alterman gave to many artists. Alterman performed a song in one of his shows which “infringes” the rights of a dozen artists; however, the cultural value in the performance exceeds any infringement. This is a distinct example of how Fair Use has to include homage as an exemption: music this good can’t be illegal.

Justice Or’s arbitration ruling does not apply to me. I am not a party to the subject matter and, unlike courts, which can issue injunctions against the general public, the arbitration ruling applies only to the parties. Moreover, one has to remember that one of the articles in the Israeli Arbitration Act is that the court may invalidate an arbitration if the decision is unconscionable. The result of this arbitration, if it is as the press is reporting it (as it does not appear anywhere, and we can’t find the ruling), harms my right, as a member of the public, to culture. As such, it has to be invalidated. If Hadag Nachash wants, the court is open to hear them.

As a footnote, this version of the songs shows how many homages could be put in one song, and nothing goes wrong:

[Originally in Hebrew]

Open Source Misconceptions and Walled Gardens: The Microsoft Case

Written By: Jonathan under Categories: copyleft, copyright. It has 1 Comment and was posted on Feb 20, 2011

0. Why is everyone afraid of open source?
One of the most amazing things is that in a material portion of the Share Purchase Agreements (or investment agreements) I’ve reviewed in my life, the invested company was prohibited from using Open Sourced software as a material condition for the investment. The “No-Open-Source” clause was added even in companies for which a major part of the business model was open source or cloud services, so that in fact there were clauses that excluded the specific Open-Source applications used from the warranty and prohibited the company from utilising any other Open Source application. This prohibition, in my humble opinion, represents an archaic misconception that investment in start-ups is in liquidatable property such as patents or copyrights, and not in the persons behind the company.

1. Why is the cellular market afraid of open source?
Both Apple and Microsoft are afraid of Open-Source. Apple recently banned the open sourced VLC player from attending its cellular festivities, as it was released under the popular GPL (and a funny story with XPilot), and so does the Windows Phone 7 developer agreement, which states that open sourced software may not be distributed by the WP7 marketplace (which caused several developers to change their licensing models). But Microsoft’s and Apple’s prohibition comes from ignorance regarding the licenses more than anything.

2. About Microsoft’s misconception?
Microsoft prohibits inclusion of what they refer to as “Excluded Licenses”, which are “any license requiring, as a condition of use, modification and/or distribution of the software subject to the license, that the software or other software combined and/or distributed with it be (i) disclosed or distributed in source code form; (ii) licensed for the purpose of making derivative works; or (iii) redistributable at no charge” (clause 1.l). But open source licenses apply only when there is distribution of the software, and not when there is use; therefore, many cloud services use open sourced software (as they don’t distribute the code, only use it). A clause prohibiting excluded licenses in any software reigns over applications developed for WM6.x and WP7. If some portions of the application are server side or server dependent, some interesting questions are raised.

3. Open source prohibition and cloud computing?
This next case is purely theoretical: Facebook, which bases most of its activity on open source infrastructure, develops a Windows Phone 7 application which interacts with the Facebook servers, which are under open source licenses. While these open source components are used, they are definitely not distributed, and therefore the draconian clauses of Microsoft’s license are terrible. A better example would be more feasible: imagine that some person grabs Wikipedia and creates a mobile application. Wikipedia’s content is released under a Creative Commons license which allows free distribution as long as any amendment or contribution is distributed under the same license. Now, Microsoft may come to the developer in question, claim that clause 5.e of the developer agreement was breached and remove Wikipedia from its marketplace.

4. Why was Microsoft afraid of Open Source?
Microsoft’s fear of open source licenses is clear. Microsoft is terrified by the misconception of the GPL’s viral nature, which is perceived as turning all proprietary code that interacts with open-source code into open source, and is afraid of having to defend itself against whoever comes and asks it to open its code. However, this fear is disproportionate: like the VCs who heard, somewhere, that there’s a risk in open source and decided to ban it completely, Microsoft detaches itself from a world that can do it only good. Microsoft could have started its marketplace with thousands of free applications from day one, giving it a competitive edge over Apple. Microsoft, however, is afraid of not being able to limit its users, and that’s what it does.

5. So now?
The solution is quite obvious: if Microsoft restricts open source from its playground, it will restrict popular browsers, media players and other software from playing the game, and it will fail. There’s no comfort in locking the garden; it is just another step towards the separation between the proprietary world and the open source one.

[Originally in Hebrew]

Bonus for my English readers, my Open Source Presentation:

NebuAd, The Public Interest and Enforceable Agreements

Written By: Jonathan under Categories: law, wiretapping. It has 0 Comments and was posted on Dec 26, 2010

[or: "aren't there some words you could add to the terms and conditions to make this sh*t legal?"] The latest ruling in Mortensen v. BRESNAN COMMUNICATION, LLC, Dist. Court, D. Montana 2010 is interesting in so many ways (you can read a full summary of the case and a short review at Eric Goldman’s blog). To sum up, a class action lawsuit was filed against an internet service provider who operated a service that examined its users’ traffic, injected a cookie into their computers and offered them advertisements according to their browsing habits (the service, NebuAd, was discontinued in the meantime). In court, the ISP raised a claim that its users are subject to an agreement that allowed it to inspect their traffic, and therefore the Electronic Communication Privacy Act (ECPA) claim should be denied. The court accepted most of the ISP’s claims and ruled that apart from the question of whether injecting the cookie was consensual, the remainder of the lawsuit should be denied.

Unfortunately, the court addresses the consents granted in the agreement in an exaggerated manner and leans on the agreement not being an agreement of adhesion or unconscionable (and in comparison, see Harris v. Blockbuster Inc., 622 F. Supp. 2d 396 – Dist. Court, ND Texas 2009). However, the substantial question is whether this agreement is the only instance that sums up the relations between the parties. In general, most non-lawyers tend to think that an agreement between A and B could influence the question of whether B’s actions against C are legal or not. This misunderstanding is somewhat popular with internet entrepreneurs who perform problematic actions legally, and would rather create agreements to protect them than shape their privacy policy in some ethical manner (see, for example, the District court ruling in RPA 2542/03 Suissa v. Bar Haim).

However, the problematic question concerns NebuAd’s infringement of the rights of the owners of the other websites that the ISP’s users browse to (and see, in comparison, this question in regard to advertisement blocking). NebuAd utilizes information which is, prima facie, the property of other websites (the identity of their users) and makes (even in a minor way) amendments to their source code. Similar activities are performed by companies such as Phorm, where users’ browsing habits are analyzed. Allegedly, when a user browses website A, he receives a derivative work created by the NebuAd servers, which harms the work’s integrity, infringes the author’s copyright and enriches NebuAd unjustly. This proposition is required to understand the problems facing the ISP: unlike a toolbar, which is installed by the users with active consent for personal and private use, this is an application that in part infringes on the reputation and tools of others.

For example, when Bezeq International, one of Israel’s major ISPs, launched a service that hijacked some of its users’ traffic for promotional uses, the end users’ consent (or lack of it) could not affect the rights of 3rd parties (innocent 3rd parties who preferred that Bezeq International would not block their and their freedom of speech and expression would not be harmed by it). Thus, in this case, the question is not whether the users were harmed by the placement of a cookie in their computer and whether they consented that their traffic would be intercepted, but whether an ISP may even provide such a service that manipulates packets (consensually or without consent).

This is, in my humble opinion, the original error of the court; the court should have considered unconscionability according to the public interest (and the freedom of the internet). According to Israeli case law, the court has inherent powers to preempt agreements, even if the parties still agree on them, when these agreements go against the public interest (see, for example, CA 6601/96 AES System Inc. v. Saar). In Saar, the court ruled that:

“We are facing the invalidity of a contractual stipulation due to the public policy. We found that the perspective is the of the people’; therefore, “the legitimacy of the parties’ interests is determined from the perspective of the public interest. Moreover, the different human rights – such as the freedom of contracts, freedom of employment, right to property and other human rights – express both a private and a public interest. Indeed, we should not separate between legitimate interests of the parties (excluding banal interests) and the public interest. We are interested in the public interest, which accepts all the relevant information, including the parties’ legitimate interests”.

Meaning, not only should we consider the interests of the ISP and the user, but those of the entire public, including the relationship between NebuAd and parties who are not a part of this agreement. In such a case, the court should inspect what constitutes reasonable policies. I want to believe that the final decision will come to a different arrangement, as currently it is quite problematic.

[Originally posted in Hebrew here]

It’s not the privacy, it’s the exclusivity: Facebook, Zynga & LOLapps

Written By: Jonathan under Categories: Internet, social networks. It has 0 Comments and was posted on Oct 19, 2010

0.
The Wall Street Journal’s findings that Facebook applications share personal and identifiable information with 3rd parties and advertising networks were not surprising, though they echoed in the mediasphere and even forced the removal of some applications from the popular social network. However, the disturbing part was what Facebook did not do, and that is to remove Zynga, Facebook’s new strategic partner and the developer of the popular game FarmVille.

1.
In brief, the Wall Street Journal’s findings were that most of the popular applications in the social network transmit or convey information to advertising networks and 3rd parties. These activities go against clause 8 of Facebook’s developer policy, which prohibits the transmission of any personal information obtained from Facebook to an advertising network. The prohibition, of course, is not due to worries about your privacy, but because Facebook wants its monopoly over advertising in the network. Following this publication, Facebook removed some applications by the popular developer LOLapps, which was one of those who conveyed information, and restored them after a few hours (see LOLapps release).

2.
But the removal did not inherently result from conveying information. As the Inquirer states, the information was passed because of the way the internet was built, where with every click information about the referring page is transmitted, so at least in some of the cases, advertising companies received the information solely because they knew what the referring page was. On the other hand, one can say that with reasonable steps this security breach would have been fixed, and therefore allowing reasonable measures to be taken is one part of security.

3.
Up to here there’s nothing new: Facebook removes a certain application because it infringes on your privacy (and on Facebook’s ability to monetize by being the exclusive designated advertiser), and four and a half million dollars go down the drain because they rely solely on the Zuckerberg family’s whims, where they determine the laws of the game. However, what needs to be learned is what Facebook did not do, and how it relates to your privacy.

4.
The question of why Zynga was not removed from Facebook signals exactly the reason why Facebook removed LOLapps: both applications infringed the same developer agreement and your privacy; however, Zynga signed a commercial agreement with Facebook, uses the Facebook currency as its payment method and promotes Facebook’s business. This was a signal to other developers: either migrate to Facebook’s services and be a part of the Zuckerberg family’s ecosystem, or find yourselves subject to our whims. Facebook’s commercial dependency on Zynga doesn’t allow Facebook to remove it; and LOLapps? It can seek its friends elsewhere.

[Originally in Hebrew]

Licensing, Lawyers and the EULA Generator

Written By: Jonathan under Categories: copyleft, copyright, law. It has 1 Comments and It was posted on Oct 7, 2010

Software, as a matter of principle, is usually licensed but not sold; this is what the recent ruling in 42:07-cv-01189-RAJ Vernor v. Autodesk was all about. Therefore, usually, when a person sells (or licenses) software, the end user signs or accepts an End User License Agreement (EULA) which includes the array of rights and duties attached to the software itself.

Copyright laws limit the rights to create copies or distribute software without the original author’s permission, and the EULA is the permission to hold the end-user’s copy of the software. Without the EULA, any action performed may infringe on the author’s copyright. However, both clause 12 to the Israeli Copyright Act and clause 106 to the US Copyright Act do not limit the use of software, solely its copying and distribution. The court ruled in Vernor that the author may limit consumer rights and therefore software developers may limit the way that their end-users will use software or interact with other components.

However, most software developers prefer to use EULAs in order to allow the use of the software and not sell copies, so that they could redefine the rights attached to it. For example, clause 24 to the Israeli Copyright Act allows modifying copies of software for security purposes, and the court also acknowledged that consumer rights may overcome EULAs (MAI Systems Corp. v. Peak Computer, Inc., 991 F. 2d 511 – Court of Appeals, 9th Circuit).

While the courts were not supportive in acknowledging the consent to these agreements in all cases (Specht v. Netscape Communications Corp., 150 F. Supp. 2d 585 (S.D.N.Y.2001)), it is quite obvious that they govern the ability to distribute, but not use, the software (CV 07-3106 SJO UMG v. Augusto). This means that a software license is needed to define exactly what the relationship between the developer and the end-user is, and to rearrange the rights attached under the copyright laws.

Out of this need, to provide end users with a clear and simple license, lawyers earn a good living. Every software developer has a simple choice: should he pay a few thousand dollars to a lawyer who will draft a document in non-readable legalese, or release the software without any license and hope for the best? The licenses, usually, contain liability limiting clauses (and see, for example, clauses 15 to 18 to the Windows XP EULA which limit Microsoft’s liability to any damage and for any cause).

A EULA should come in any place where code is conveyed, but not for web-based services, where a copy of the work is not distributed. Therefore, the difference between EULAs and Terms of Service, which are an agreement regarding the use of the service, should be acknowledged.

Now, after understanding this, we can relate to the subject matter. This week, binpress launched its beta service. Binpress is a commerce platform for web applications and allows web developers, and any other person who wrote a script, plug-in, code or service, to upload the code and sell it to others. Amongst other things, it allows the developers to create their own software licenses and save the costs of drafting a license by using the generator, picking what rights apply to the end-user and what don’t (full disclosure: I wrote the modular license agreement). For example, the developer could pick whether the person who bought the software may distribute it to other people (a developer license), the term of the license, and the ability to choose how many cores and websites may use the software. Eran Galperin wrote a comprehensive post about binpress’ licensing mechanism that you should read.

In brief, the system is quite similar to the Creative Commons license generator, by allowing the user to pick what license he wants for his software and what rights are attached to it. The difference is that binpress’ license is commercial and for web applications.

Then why should I, as a lawyer, cooperate with a system that may take away money I could charge my clients for EULAs and allow my future potential clients to write licenses by themselves? Theoretically, any person who develops applications could choose binpress as his marketplace and save the cost (and see also my Hebrew post on Freemium by lawyers). Well, the answer is twofold: first, the system is dedicated to web applications which are sold by binpress, meaning that whoever develops large-scale software, commercial distributions or software containing more than a mere conveying of code (like validation keys) would still have to find a lawyer to draft an agreement. The second is simpler: I believe that this system does not prevent lawyers from earning money, it just makes their living more efficient.

Most licenses you read are generic and written in a way that no human could grasp or read; they were written by chewing hundreds of requests and demands time after time and served to developers without any understanding. In contrast, large systems with legal questions of privacy, open source and real legal problems would still need legal consultation and will avoid using these systems.

Therefore, the generator does not harm my earnings and it does not replace my legal work; it just allows the end-user to make an educated choice between paying a few thousand dollars when he doesn’t need to and tailoring the agreement for him. When it’s a developer who sells a few copies every day for a dollar or two, it’s not right to pay that much for legal counsel.

[Originally in Hebrew]

On Electronic War Crimes

Written By: Jonathan under Categories: Cybercrime, israel, law, State Secrets. It has 2 Comments and It was posted on Sep 27, 2010

A rumor was spread that Israel was the brain behind an elaborate trojan horse, Stuxnet, which allegedly penetrated into the Iranian nuclear reactor and apparently caused damage. The trojan horse contaminated some civil facilities as well. The trojan horse, which utilizes no less than four different zero-day vulnerabilities in Microsoft Windows, seems interesting and elaborate. However, the alleged involvement of Israel, alongside the claim that civilian facilities were damaged in the act, raises one interesting question: Could there be electronic war crimes?

Public International Law, which bases the humane treatment of civilians on the different Geneva Conventions, sets the standards to use in times of war and defines acts prohibited to states in order to keep wars as civil as possible. The different conventions limit force and sanctions against civilians, but do those treaties and conventions apply to electronic warfare?

Prima facie, article 53 to the fourth Geneva Convention, which deals with protecting civilians in times of war, states that “Any destruction by the Occupying Power of real or personal property belonging individually or collectively to private persons, or to the State, or to other public authorities, or to social or cooperative organizations, is prohibited, except where such destruction is rendered absolutely necessary by military operations”. However, the fourth convention applies only, in this article, to occupied territories (Prosecutor v. Dario Kordic, Mario Cerkez). In contrast, the 1977 protocol amended and added to article 51 and stated that “Indiscriminate attacks are prohibited. Indiscriminate attacks are: those which are not directed at a specific military objective;”. This means that an electronic attack against civilian property that couldn’t discriminate between military and civilian facilities is prohibited (however, most states have not adopted the 1977 protocol).

Jack Goldsmith states that the inability to determine which computers are military and which are civilian may protect the use of computer viruses in electronic warfare, but I reckon the other way around: In the same way that indiscriminate shooting against innocent civilians is a war crime, so is using a trojan horse that does not differentiate between civilian and military computers. The indiscriminate use is as prohibited as the use of chemical weapons which cannot discriminate between civilians and soldiers. It is not a coincidence that the terminology is the same: computer or biological viruses.

And what about the civil liability? Theoretically, the state immunity (and liability) should be limited in times of war (and see, in Israel, The Act of Civil Torts (State Liability) 1952) and the state should not be liable for acts where the state protected itself; however, this doctrine should not be used in cases where civil damage arose when the state knew, should have known and foreseen the damage (HCJ 8276/05 Adallah v. Minister of Defense). Therefore, the civilian casualties in Israel’s alleged cyber-attack should have liability against it.

In Linux It Wouldn’t Happen: Russia, Microsoft and the Politization of Copyright

Written By: Jonathan under Categories: copyleft, copyright, Cybercrime, law, State Secrets. It has 1 Comments and It was posted on Sep 14, 2010

Intellectual Property laws have more than a few political implications; many times issues of political speech interfere with copyright. For example, Shepard Fairey, an artist who authored the famous “Hope” poster for Barack Obama, was sought by the Associated Press for copyright infringement as the image of Obama was based on a copyrighted photo (and in Israel, the Supreme Court will soon hear a similar case, RCA 7774/09 Weinberg v. Weisshoff, where the Defendant is sought for copying a photo the Plaintiff took into a coin made in memory of the assassinated prime minister, Yitzhak Rabin). In another case, the US Senate candidate Sharron Angle is sought by the proprietors of rights to newspaper articles for presenting copies of the articles in which she appeared on her personal website, and there are more cases; mostly, these cases are borderline in relation to copyright protection, but they are classical monetary suits, not political.

In contrast, the story which was spread in the press during the last few days was no less surprising, but at least ended in an interesting manner. Two days ago, the New York Times reported that the Russian government and police use copyright laws in order to suppress political dissidents. The system worked as follows: The Russian police used its granted authority to enforce copyright laws in a violent manner (and it did so in the past, where it sent a school principal to prison for using unauthorized copies of Microsoft Windows) and claimed that copies of Microsoft Windows installed on the dissident organization’s computers are unlicensed (pirated – jk); in Russia, where the unlicensed software rates are only second to the Israeli conviction rates by a person’s confession, it is more than likely that a political organization will use unauthorized software.

First, it was reported that Microsoft encouraged the enforcement as a part of its zero-tolerance to copyright infringement policy; however, after suffering from damage to its public image, apparently, it decided to reform its licensing policy, so that a general license will be granted to non-profits in order to protect them from political pursuit. In a post published by Brad Smith, Microsoft Senior VP and Counsel, he explained that Microsoft could not be a part of this and must take an ethical stand.

The claim may be true, but it could also reflect a wise business approach. Until today, Microsoft profited from unlicensed use in 3rd world countries. Microsoft also knows that if raids like this continue, dissidents will stop using Windows and move to open source software, primarily Linux, in one distribution or another. Moving to Linux is unilateral; it changes a person’s point of view: from an organization that was dependent on a specific software to a part of a larger community. Most organizations that hear about open source are enchanted by it: they have an option to donate, contribute, change, share information and not just run the program.

Moreover, Privacy Enhancing Technologies are more available on open source operating systems. From the EXT4 file system which comes by default in Ubuntu and encrypts your hard drives (similar to Microsoft’s BitLocker, but it just works), through Tor servers that reduce censorship: Open Source is the new haven of dissidents.

Therefore, Microsoft’s blanket license comes to heal a small shallow scratch, not the problem: Copyrights are ill, and Microsoft took the right way to take care of it: acknowledging that non-profit use is fair and allowed. However, until further technologies, innovative ones, will protect dissidents, the raids will continue. Today it’s the operating system, tomorrow, the word processor, afterwards? image editing programs.

Israel Blocked Access to a range of IP Addresses: Legal Implications

Written By: Jonathan under Categories: Internet, israel, State Secrets. It has 1 Comments and It was posted on Aug 19, 2010

0.
Around two days ago, Israeli ISPs began to block access to certain websites from Israel. The list of the websites is considered confidential, and included, according to media reports, two websites related to gambling. The matter began around two months ago, when the Israeli police, alongside the tax authorities, arrested 28 suspects who were suspected of collaborating with two websites: Stan James and Victor Chandler. Following a brief period of time, the police approached the Israeli ISPs with a request to block access to those sites, claiming it has the authority to do so by clause 229 to the Israeli Penal Code. Though the police did not have a court order, the commander of the police district interpreted his authority enacted in the act, which is defined as “The Chief of a police district may order the closing down of a place where prohibited gaming, raffles or gambling is taking place”, as such which governs also the realm of IP addresses and Internet Service Providers. However, up to this moment no ISP has challenged this authority in court.

1.
First, to the question of whether the police actually has jurisdiction according to clause 229 (and see Adv Ori Goldman‘s opinion on the matter). On two occasions the courts heard cases which are similar, though none had to face clause 229. The first was the Carlton Case (CR 90861/07 Michael Gary Carlton v. Israeli Police, Dr. Omer Tene‘s explanation on Carlton) where the Israeli police requested to detain a foreign national who was involved in the operation of the Victor Chandler website (blocked now). Carlton stated that as the website does not operate from Israel, the Israeli law does not apply to acts performed outside of Israel by non-Israelis. The court denied the claim, and asserted that Carlton’s acts were illegal as “In light of the fact, that the appellant has the ability to identify the place of the end-user, prior to registering to the website, the appellant and his company’s blind-sight is material. It is expressed by the fact that while they are aware that gambling is prohibited in Israel, and by greed, knowing that the Israeli public is profitable to the company, they do not act in order to block access to Israel”. The other case is related to blocking a file sharing website by request of the record companies (OCR 3485/08 NMC v. Eli Amar). However, the Amar decision was not a reasoned one, but a brief consensual decision.

2.
As a general rule, the Israeli courts ruled that actions which are available to Israelis are under their jurisdiction and the Israeli criminal law may be applied to any activities. However, where the authority under clause 229 applies remains unanswered by Israeli courts, as the Supreme Court has yet to rule on the interpretation of the matter, without relation to the Internet, and lower courts ruled regarding the clause without actual discussion of the cases, and approved warrants as a matter of habit without discussing constitutional rights. In one rare case, the court observed the infringement of constitutional rights (AA (Jer) 1666/09 Salima Kazam v. Israeli Police) and explained that the court is too extensive: “The police chief has a rare authority to issue, based on administrative ex-parte evidence, a closing warrant which is permanent and constitutional human rights, both a person’s right for freedom of employment according to Basic Law of Freedom of Employment and his right for property according to clause 2 to the Basic Law of Human Dignity and Freedom. This is performed in the same place where the court, even after convicting a person in possession or managing a place of unlawful gaming according to clause 228 to the penal act, may only fine or incarcerate the person”. The court emphasized the personal manner of the warrant, and human rights, even after rejecting the request to quash it. However, in another case, the court ruled that “the warrant is to close a place, it goes with the place and is applied on the place without regards to who operates his business in such place. Changes in the identity of the person who operates the place do not affect it … a warrant could be issued even without personal names, where you do not know who operates the place. The warrant has in rem applicability” (AA (Haifa) 538/02 Romach Trade Co. v. Zevulun Police).

3.
However, in one case the district court interpreted the rationale behind 229, where it ruled, interpreting the Supreme Court’s ruling in RCA 9140/99 Romano v. State that “The rationale behind the law’s foundations … is not detached from the law’s purpose, which is to rule out social plagues who endanger a person and society” (OCR (Tel-Aviv) 32354/03 Gilian Trade and Marketing v. Israeli Police). The purpose in issuing a 229 warrant was made to assist in preventing the negative impacts of gambling on society, such as criminal activities; the rule is, that the police may act only to enforce the law and not deter or punish (ACD 2316/95 Ganimat v. State, C (Krayot) 15336-01-10 State v. Amiaz); you cannot punish the proprietors of the place, its users and others from legitimate uses in the same way you cannot arrest a person as a penalty.

4.
Therefore, the requested conclusion is that when both gambling and non-gambling occur in a segregated manner, the legal activity cannot be closed down (AA 236/04 The 7th Heaven v. Israeli Police, where other courts ruled, strangely, that 229 is punitive or deterring, AA 1709/09 Amar Razam v. Jerusalem Chief of Police) and the gambling itself the police has to stop, where the collaborators have to be arrested. This conclusion arises from the same constitutional rights, including freedom of employment and right for property and dignity. The police’s authority could not be used to deter and cannot be directed towards activity which is not gambling. The police has to perform its acts in a responsible manner for the public. From here, we address the issue.

5.
First, the police did not act in accordance with its authority under 229: the warrant was not personal and was not addressed to the proprietor of the place, but solely to whoever provided access to it; a warrant to block websites served to an ISP is like providing the bus company a warrant to remove a bus station next to a gambling house. The ISP is not the proprietor, not the operator and is not the required party. As far as the police has claims against a website, it should address its operators even if they are outside of Israel and initiate criminal proceedings. If the police still believes that the Carlton decision is in force, then it is free to act in accordance with it.

6.
Second, the warrant’s breadth. The warrant, granted against the websites and IP addresses [See Hebrew Warrant], requested to block the website in full, even the parts not related to gambling. For example, if a person plays without wagering a bet, solely in the Play for Fun part of the website, then he is affected by the warrant without need. In such a case, the warrant is not narrowly tailored to the means needed and affects constitutional rights. Moreover, providing a warrant against an IP address and a domain is considered equal to closing a shopping mall because one kiosk sells raffle tickets. In contrast to the Amar Razam decision, these are two distinct groups of users, with different communities and uses, and there is no need to block the play for fun.

7.
This means that we have already begun the slippery slope (which our ministry of communication rejected): some of the websites blocked are not gambling sites, but only facilitate funds; one case, that of KeshCard.com, at least until proven otherwise, is a website for financial services and not gambling. The website allows payment, amongst other things, for gambling, but is a financial service similar to others and is not different from credit cards; therefore, there is no reason to block it.

8.
Finally, it is quite difficult not to discuss the websites blocked. Though the police know about hundreds of sites, the two families blocked relate to a regulated market in Israel: sports booking. The Israeli Council for Sports Betting regulates and operates the market heavily, and the proximity to the World Cup, where the Council’s earnings skyrocketed, is strange. Equally strange is the proximity to the Israeli Anti-Trust Authority’s decision to consider pressing charges against The Pais, Israel’s second licensed gambling operation, after suspicion arose that it entered into a restraining agreement with the Israeli Association for the Soldier, which is licensed to act as well, under which ISA shall not engage in raffles, against a material donation from The Pais. Moreover, The Pais offered more money to be provided to the country for more gambling rights, and even to pay salaries in local municipalities, and has previously offered to assist the police financially in the struggle against unlawful gambling.

9.
In conclusion, it is quite obvious the censorship could not stand; in order to drop it, a person using KeshCard or playing VC with “Play for fun” (meaning a person who was hurt by the warrant) shall appeal against the censorship to a court. The ISPs forgot what public interest they are meant to protect, and the ministry of communication, whose authority was run over in one police warrant, does nothing.

[Material Comment: I am writing this without the consent or knowledge of any of my clients, and it does not reflect my opinion or any legal review I provided them]

[Originally in Hebrew]