Dr. Klein v. Proportzia: Google is liable for AdWords.

Written by Jonathan under categories: copyright, Internet. Posted on Sep 26, 2011.

The ruling in C 48511-07 Dr. Dov Klein v. Proportzia ltd will most probably not appear in any future cyberlaw schoolbook unless Google, one of the defendants (or actually three of them), decides to appeal even though only a small amount (around 12,000 US$) was ruled against it and Proportzia. In brief, before we discuss the problems of this ruling, let’s tell the story. Dr. Dov Klein is a plastic surgeon. One day he found out that Proportzia, a clinic providing cosmetic surgery and other beauty treatments, decided to purchase AdWords under his name. Klein did not like the use of his name and decided to sue Proportzia as well as Google, the service provider. The Magistrate Court of Tel Aviv-Jaffa ruled that Proportzia and Google are liable for invasion of privacy and must compensate Dr. Klein.

Google AdWords lawsuits were a big issue in the past (the most famous was Government Employees Insurance Co. v. Google, Inc., No. 1:04cv507, see more at Eric Goldman’s blog). In Israel, however, there was one material ruling, OP 506/06 Matim Li v. Crazy Line, where the Israeli District Court of Tel-Aviv ruled that as long as the ad itself is not misleading, there is no problem with purchasing ads using someone’s tradename. But here the court needs to explain why it deviated from this decision, so it ruled that “These are keywords which contain a personal name, and not a trademark, and therefore you cannot say that in regards to this name the internet is an advertising space similar to others. So it would be adequate to rule that in regards that without the personal name’s holder’s permission, the name shall not be used for advertising”.

The court goes with the infamous publicity rights and determines that when the use is of someone’s personal name, and not a trade name, then the use has to be with the permission of its “owners”. However, here already stands a first problem in regards to publicity rights. Dr. Klein is a celebrity, and as such he has no right to privacy (in regards to publicity rights). Israeli courts ruled that when a person uses his name for trade, he cannot later state that he does not want others to rely on such business name. In a recent case, the court ruled that “the right for privacy is a right that protects the emotional-personal interest of a person, his autonomy and his private matters, but not his financial interests” (C 534-08 Hava Koren v. Shai Cohen). Meaning, the rationale behind publicity rights applies where a person does not wish to be known publicly and is coerced to do so, not where he is already known.

The second problem here is where the border lies between a person’s name and a trade name. Is Ford protected under this ruling, being the surname of Henry Ford? This is the kind of incoherence that later leads to over-litigation and pays lawyers’ retainers in bad lawsuits. If the court had a reasonable rationale, it had to provide it in a detailed manner, even if it means writing 50 pages instead of 14.

Now, after having said that, the real problem arises. As the court did not provide reasoning for its ruling, it did not explain what active involvement on Google’s part incurs liability. That’s why Google did not know, and was not expected to know, about the existence of a person named Dr. Klein and that he does not want others to use his name. The court here goes against every other service provider liability case in Israel (C 567-08-09 ALIS v. Rotter, C 1559/05 Hemda Gilad v. Netvision, C 64045/04 Al Hashulchan v. Ort).

The fact that the court did not provide reasoning to its ruling is a problem. It does not let us understand why it decided that Google is liable and does not let us understand the issue. We have to wait and see whether Google appeals this.

[Originally in Hebrew]

How-to avoid patent-trolling: The only way to win is fight.

Written by Jonathan under categories: copyleft, copyright. Posted on Aug 4, 2011.

Software patents are a problem, not a solution; that’s why when the Israeli Patent Registrar wanted to hear what the public thinks of them, we (at Hamakor, Israel’s Free Software and Open Source Association) wrote a detailed paper about it; in the end, the Israeli Patent Registrar gave a final decision stating that software by itself is not patentable in Israel [Hebrew Link]. However, other jurisdictions may not think the same.

That’s why corporations like Microsoft tend to use software patents as a strategic whip; for example, Microsoft approached HTC with a patent settlement offer that will cause HTC to pay 5 US$ for every Android mobile device it sells. The thing is that Microsoft directly competes with Android with its “Windows Phone” operating system. Therefore, Microsoft makes more money when its competitors sell Android devices than when it sells its Windows Phone. But, of course, that’s the problem, not the solution.

Yesterday, David Drummond, Google’s chief legal counsel, ranted in the official Google blog about this conduct (covered also by TechCrunch). He said that “A smartphone might involve as many as 250,000 (largely questionable) patent claims, and our competitors want to impose a “tax” for these dubious patents that makes Android devices more expensive for consumers”. The thing is that Drummond is also relating to the problem, and not the solution.

Recently, Android has become less and less open source and more proprietary, with Google refusing to release Android’s source code. Also, the choice of a non-GPL license caused it to be less free. Of course, this led Google further from the solution.

The solution to Patent Trolling in the Android market segment is inherent with free software: detach the software distribution from hardware distribution. When people can purchase the devices and then install their OS at home, when they download it for free from the Internet, then these Patent Trolls will have to go against the actual distributor: Google.

As you know, Google, unlike other software companies, has the backbone and endurance to go into legal battle and keep the software segment patent-free. They did it during their long dispute with Viacom over YouTube and they’ll do it again and again.

The only way to win is to fight.

The ‘No Classified Information’ State: An Open Source Solution to a National Security Problem.

0. Abstract
Could a state with no secrets function better when protecting national security than a state that keeps information away from the general public? In this brief article, we will inspect the reasons for keeping classified information, what they are meant to protect and how they protect national security. We will present the method used by Israel, which is similar to most states. Israel’s approach, which is to keep all the information from the public, failed in general and caused nothing but costs on privacy, freedom of expression and national budgets.

Following our review, we will compare the classified information model to a model in information security, called Security through Obscurity and present how this model was perceived as flawed. Against it, we will present the Open Source Model, which creates transparency towards the general public, allowing it to inspect the security flaws, and therefore creates stronger protection.

Our conclusion would be that better national security could be reached by removing all classified information and disclosing all information to the general public. We believe that by making the information public, the cost of the censorship apparatus will be eliminated. We also believe that by adopting a ‘no classified information’ approach, governments may improve physical security when they rely on the foundations of open source security as detailed herein.

In my brief argumentation I will use the Israeli law, but provide some examples from other cases.

1. Classified Information and what it Protects.
Every state has its secrets. States choose, in certain cases, to classify information from the general public. Classifying information goes back as far as Greek times, and goes under the standard four categories: Top Secret, Secret, Confidential and Restricted. Israel has four apparatuses which are in charge of Confidential information: the Information Security Department, whose goal is to prevent classified information from leaking from the army; the Military Censorship, which operates under the Defense Ordinance (Time of Emergency), 1945, controls media publication and telecommunication, and has authority to refuse the publication of any information that has any relation to national security; the General Security Service (Shin Bet), which acts according to the General Security Service Act of 2002, where clause 7(2) allows the service to classify documents and determine how to handle such documents; and the Director of Security of the Defense Establishment, which is in charge of security in military industries, research facilities and other national security industries.

Some authorities in classifying information do not appear to exist in laws, and some operate under the vague and broad exemption added in the Freedom of Information Act, 1998. Clause 9 of the Israeli FOIA exempts disclosure of any information which may harm national security, foreign relations, public safety or a person’s well-being. Even in cases where classified information was disclosed, the courts still allowed the security agencies broad discretion as to what to blur out (HCJ 258/07 Zehava Galon v. The Governmental Committee for Inspecting the Battles in Lebanon 2006).

But what constitutes as confidential information? There are no actual guidelines for applying what is confidential and how confidential specific documents are, and every document that contains ‘information’ as defined in the Israeli Penal Code, in part II, chapter 7, the Penal code provides a broad definition, inflicting legal sanctions on disclosing any information to an enemy where it might be useful to him (clause 111). Confidential Information is defined as any information where national security requires keeping it secret, or information relating to any matter that the government, with the consent of the parliament committee for foreign relations and security, declared as confidential. Critics to this arrangement offered an amendment, but following the Parliament’s research center’s comments, these amendments were not implemented.

The burden of proving what constitutes non-confidential information lies with the defendants (see, for example, CC 1055/01 State v. Yacov). In Yacov, the court explained that while “the military censor is qualified to strike out information which is most-likely about to severely damage national security”, the penal code is wider, and applies to cases where national security requires keeping it secret.

In another interesting case, the widow of a person who worked in the nuclear research facility requested to receive the results of an epidemiological survey that the facility conducted among its workers. The State declined to provide the information by explaining that it relates to national security. However, when the court rejected the state’s claims, it expressed criticism over the state’s conduct: “the state wiggles in its arguments and cannot point to a normative authority where it draws the classification of the information. It is, according to the state, basic foundations, but these basic foundations have to be applied by the General Security Service Act, 2002, and the rules according to it (which are classified, so the state cannot disclose them to the court, but as a graceful act the state is willing to summarize them)” (CA (Tel-Aviv) 2571/01 Hanna Hizi v. State); the court itself explained that it cannot understand classification, and the state has to acknowledge the differences between confidentiality and classification. Classification does not create a basis for exclusion of evidence unless the state decides to exclude evidence on grounds of national security according to the Evidence Act, 1971. However, in cases where the court finds the evidence may have had something to assist the party who wishes to submit the evidence, then the state shall default (OCR 2489/09 Zeev Braude v. State).

The Israeli Supreme Court dealt with the question of what constitutes classified information in Vanunu (CA 172/88 Mordechai Vanunu v. State); in Vanunu, a former worker of the nuclear research facility was charged with espionage when he disclosed information regarding Israel’s nuclear activity to press agents in the UK. The Supreme Court decided to convict Vanunu for collecting and disseminating information to the enemy. The court analyzed this clause and explained that “He who provides information to the enemy; meaning, any information, even if it is public information arising from the press, his activities fall into clause 111”. This eliminates the need for classification at all.

What Does Classified Information Protect? The question of what classified information protects is a difficult one to answer. Some claim that the purpose of classifying information is withholding it from foreign agents, and explain that when many people have access to certain information, it harms national security. Classifying information makes it harder for counter intelligence and foreign military forces to obtain information regarding a state’s forces, and allows it to operate where the other party does not know its rules of engagement, its powers, officers, or even defense mechanisms.

But the real question is how much this information, used by foreign intelligence, endangers national security, and whether the burden of protecting this information overcomes the value of keeping it secret or not.

When the classified information is the actual secret (e.g the actual location or time of a specific operation) then it is assumed (though not significant) that information about the operation that becomes available to hostile forces may lead to less successful results, at least. There are specific sets of information that are considered confidential and are not pieces of information that have (statistically insignificant) connection to current, ongoing operations or other information that if leaked may cause damage to national security.

For example, the actual existence of a specific weapon or the location where a missile fell after an air-strike cannot be considered a state secret for several reasons: the first is that it is not kept away from the public, as what the general public sees cannot be considered national secrets. For example, during the 2006 war, the military censorship requested Tapuz, Israel’s largest forum operator, to censor posts made by civilians about where Hizbullah missiles fell. Another case where information that is in the public’s plain view was considered confidential was when Parliament Member Yossi Sarid threatened that he may disclose information about weapons used by the IAF after the IAF killed and wounded dozens of Palestinians, including civilians, with weapons that were allegedly in plain view.

Another case where public plain viewed information was considered confidential was when Israel denied using phosphorous during the Cast Lead Operation of 2009, where the evidence was left in the Gaza Strip, which allowed the Goldstone committee, which inspected Israel’s activity following the operation, to find that Israel’s denial was false. So, in this case, how could the use of phosphorous be considered confidential information where there is evidence in plain view regarding the use?

Therefore, confidential information could be considered confidential as long as no public information regarding it exists. For example, the location of specific military or nuclear facilities that are located close to cities and have road signs directing to them could not be considered confidential information. Israeli blogger Ido Kenan points out that Israel has a policy of withholding this confidential information in road signs presented in Arabic, leaving the confidential information only in Hebrew and English.

In conclusion, classified information in Israel is defined in an overbroad manner, containing information that may be considered in plain view and known to the general public. By acknowledging this flaw, we may understand the basis of information security and examine the weak points of such method of information security.

We believe that there has to be a difference between the classification of security mechanisms by themselves and information (data) which relates to specific, mission critical, information that is classified. The difference is between information regarding the existence and functions of a specific unit, its weapons, its history, and current plans regarding an operation.

2. Security By Obscurity, A Problem
2.1 Security By Obscurity
When trying to protect information in a digital environment, there are two popular methods used by Information Security experts. The first is Security through Obscurity: this method, which is quite similar to the Israeli Classified Information method or approach, hides all information related to security from plain view and classifies it as confidential; by using this method, “a system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them”. The model bases itself on the assumption that others are unaware of the activities taken and that most confidential activities could be disguised from plain view.

However, the flaw of this model is that the secrecy of the information is exactly what lets security flaws remain secret as well. For example, GSM encryption was hacked during 2003, and again during 2009. These hacks were published to the public because they were a part of academic research; however, in certain cases the hacker may not be so eager to publish their research. In some cases, employees or contractors may sell known exploits which were not taken care of and criminals may sell unknown exploits either to other criminals or to the company itself. Moreover, relying on a sole provider to fix the security breach could sometimes cause more problems.

The main disadvantages of Security through Obscurity may be summed up to: (1) few people inspect the system for flaws, and sometimes actually inspecting the system may be considered illegal; (2) hostile entities reviewing the security of the system do not disclose their results; (3) dependency on one vendor/provider to review and fix security breaches.

2.2 The Open Source Model.
In contrast to Security through Obscurity, Open Source advocates rely heavily on Security Through Transparency. Using this method, the algorithms and software used to encrypt or protect information are known to the public, providing the public an efficient way to report security vulnerabilities, and even to propose bug-fixes. The more people have the chance to inspect the security mechanism, the safer they will be.

For example, security firm Secunia found that more security flaws were found in the Open Sourced Firefox than in proprietary code browsers, but the number of Zero-Day unpatched flaws was significantly lower and so was the time that it took to fix any flaw. By making all of its information public, a software vendor may create better security and allow any researcher to discover flaws. Moreover, transparent security mechanisms may also deter hackers from looking for ways to exploit zero day flaws in fear of being caught (see also David Wheeler, “Is Open Source Good for Security?”).

The Open Source Model does not ignore the basic concepts of information security, but it acknowledges their flaws and attempts to build better models.

3. Could Building a Transparent State Solve National Security?
Could we imagine a state where all public information could be deemed as non-confidential, security mechanisms would be public and open for scrutiny and confidential information would be reduced to a minimum? We believe so.

Currently, a state like Israel has to operate counter intelligence just to solve the problem of collection of plain-view information and to protect from hostile action. When operating an open source model, counter-intelligence could be abandoned and replaced with crowd sourced models, which will help to build stronger mechanisms of protection.

Moreover, removing the ambiguity relating at least to nuclear weapons in Israel would assist deterrence and strengthen national security. Weak points in Israeli theoretical protection would be visible to the public and could be fixed quickly; moreover, the actual items that require protection could receive the needed funds and resources to protect them.

3.1 What is there to lose from revealing all classified information?
While we do not necessarily wish to reveal all information, certain information relating to means of operation and security regulations has to be declassified. For example, both the General Security Services Act and the recent Inclusion of Biometric Information and Data in Identification Documents and Database Act of 2009 state that all regulations and orders will be classified, as well as any information regarding security breaches. Moreover, when discussing the act in Parliament, security experts raised concerns over the database’s possible flaws, and the Minister of Interior, Eli Yishai, ordered to open the security protocols for discussion, but such discussion was never held. Keeping the database, as well as security guidelines and notifications of security breaches, secret seems good in the eyes of a person who thinks that an enemy may abuse such faults; however, in the eyes of a security researcher, this allows zero day flaws and known vulnerabilities to be used against the database and allows a false feeling of security.

The only thing that may be lost when protocols, orders or regulations that remain secret are disclosed is the misconduct of an authority or its acts against the law; for example, as a result of Israel’s Freedom of Information Movement’s appeal, it was revealed that the cellular companies were required to adhere to secret regulation regarding cooperation with intelligence agencies and disclose subscriber information.

Therefore, when the governmental default approach is that there is no need for privacy unless a person has something to hide from the government (which seems to be the default approach when discussing the Israeli government, as the Biometric Database Act, the Criminal Order (Submission of Metadata) Act of 2007, and other statutes turning Israel into a surveillance state) then the default approach towards the government should be that all its secrets are meant to cover up unlawful activities.

3.2 What is there to gain from revealing all classified information?
First and foremost, the Israeli Government may regain public trust by disclosing all activities. The Israeli public, for example, strongly believes that the Biometric Database will leak, mostly due to the fact that quite a lot of sensitive data has already leaked from Government databases and that 70% of the general public does not trust database protection in Israel. A different survey by Symantec found that 60% of the people do not trust the government with their private or personal information.

The feeling of misused trust may be healed and cured when disclosing information regarding data breaches and information security to the public. But more than that, apart from public trust, the government may gain better protection of its classified information. The Israeli government may adopt what computer giants like Google and 3Com already did, and that is to pay for every security breach found.

Currently Israel has many unknown security flaws, which remain confidential until a hacker gets caught. For example, Israeli white-hat hacker Moshe Halevi (Halemo) was charged for hacking when he used a pre-paid credit card to show that the Israeli Fines and Fees Center had a bug in the URL handler that allowed resetting a person’s fines. In a detailed case (C 9497/08 State v. Moshe Halevi) Judge Avraham Tenenbaum explains why Halemo’s activity was not hacking, but was solely security checking (a similar case, CA 8333/03 State v. Mizrachi, explains that port-scanning cannot be criminal if done for a cause of security inspection). Therefore, we can argue that the state has a compelling interest to discover flaws.

3.3 The state’s approach to security flaws.
However, we see that in most cases the state prefers to withhold information from the public regarding security flaws and to litigate against persons discovering such flaws. Moreover, when flaws are found, usually adopting the Security through Obscurity approach shows that the way the state fixes the vulnerability is not only insufficient, but negligent.

In one case, white-hat hacker Halemo discovered that the Israeli Court System’s website discloses judges’ ID numbers (equivalent to Social Security numbers). The way it disclosed them was that the URL source of the judge’s page in the website was his ID number. After the flaw was exposed, the state went to fix the flaw, and replaced the ID with a Base-64 representation of the number.

However, if we require the state to disclose its means of security, it would have to disclose how the judges’ ID numbers were encrypted or protected, and therefore every person would have understood that neither plain-text nor base-64 is a good enough mechanism to protect sensitive information.
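To make the point about Base-64 concrete, here is an added example (not code from the court website or from the original post) of a check a site owner could run over their own page URLs, next to an opaque identifier that carries no information about the ID. The 9-digit ID length, the sample ID `012345678` and all function and class names are assumptions constructed for illustration.

```python
import base64
import binascii
import secrets
from typing import Dict, List, Optional, Tuple

ID_LENGTH = 9  # assumption: a national ID number is 9 decimal digits


def base64_url_token(id_number: str) -> str:
    """The 'fix' described above: the ID is re-encoded, not protected."""
    return base64.urlsafe_b64encode(id_number.encode("ascii")).decode("ascii")


def _is_id(text: str) -> bool:
    return len(text) == ID_LENGTH and text.isascii() and text.isdigit()


def decode_embedded_id(token: str) -> Optional[str]:
    """Return the ID a token carries if it is just Base64 of one, else None.

    No key or secret is needed: Base64 is a public, reversible encoding.
    """
    padded = token + "=" * (-len(token) % 4)  # URL tokens often drop padding
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("ascii")
    except (binascii.Error, ValueError):  # malformed Base64 or non-ASCII bytes
        return None
    return decoded if _is_id(decoded) else None


def classify_url_token(token: str) -> str:
    """Label a URL path/query token by how much of the ID it exposes."""
    if _is_id(token):
        return "plaintext-id"
    if decode_embedded_id(token) is not None:
        return "base64-encoded-id"
    return "opaque"


class OpaqueIdMap:
    """Server-side lookup table: the public token is random, so nothing about
    the ID can be derived from it; the mapping never leaves the server."""

    def __init__(self) -> None:
        self._id_by_token: Dict[str, str] = {}
        self._token_by_id: Dict[str, str] = {}

    def token_for(self, id_number: str) -> str:
        token = self._token_by_id.get(id_number)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
            self._token_by_id[id_number] = token
            self._id_by_token[token] = id_number
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._id_by_token.get(token)


def audit(tokens: List[str]) -> List[Tuple[str, str]]:
    """Classify every token found in a site's own URLs."""
    return [(t, classify_url_token(t)) for t in tokens]


SAMPLE_ID = "012345678"  # constructed value, not a real ID number

if __name__ == "__main__":
    ids = OpaqueIdMap()
    sample_tokens = [SAMPLE_ID, base64_url_token(SAMPLE_ID), ids.token_for(SAMPLE_ID)]
    for token, verdict in audit(sample_tokens):
        print(f"{token:24} {verdict}")
```

The first two sample tokens are flagged because the ID can be read back from the URL alone; only the random token depends on data held by the server.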

4. Applying Software Solutions to State Secrets: A Conclusion.
We believe that not all information has to be public. There are things that are better off secret. However, if we learn from information security methods, we must acknowledge that better security could be achieved when disclosing more information to the public. Applying the open source model of information security allows transparency in decision-making, better algorithms, fewer resources spent on counter-intelligence and more resources to allocate to what is mission critical information.

Moreover, better trust could be gained between governments and citizens, reinforcing the social contract and allowing better results in political participation.

Currently, governments over-trust security through obscurity when operating mission critical processes, and therefore, when flawed, the flaws and results are enormous. Utilizing open source models could prevent mishaps such as Israel’s phosphorous use, George Bush’s Weapons of Mass Destruction lie and Israel’s racial profiling in airports as a means of security.

Israeli racial profiling is such a great example, as it is highly efficient nowadays and even better than the US TSA guidelines but bases itself mostly on the assumption that Jewish nationals may not be considered a threat to national security but Arabs may (HCJ 4797/07 The Israeli Association of Civil Rights v. The Terminal Security Authority, Pending decision). As long as the security guidelines were secret, it seemed amazing that no security flaw occurred. However, now, that the guidelines are known and understood, it is easier to design a mechanism to circumvent them. Therefore, even adopting new guidelines will be useless, as they are inefficient (unless based, again, on racial profiling).

Therefore, in order to regain national security, Israel will have to change its approach to the Open Source Model before a major security event occurs that will make it understand that this is the only option. Staying in a Security through Obscurity approach could protect confidential information, but it cannot protect national security.

Hillary Clinton’s Hypocrisy

Written by Jonathan under categories: Cybercrime, Internet, israel, State Secrets, wiretapping. Posted on Jan 24, 2010.

“I don’t think that there are many tragedies in China and there are no serious problems in China as long as you don’t fuck with the government”; that’s what John Perry Barlow said when Ido Kenan, Jonathan Silber and I interviewed him in August 2007. Barlow was enchanted by China so much that he seemed to forget that we have an inherent right to fuck with our government.

However, if you see Hillary Clinton’s attack on China, which marks the opening shot of the next worldwide war, the war on information freedom, you need to think twice. Indeed, the alleged actions by China were hideous. Entering into a dissident’s email account and exploiting zero-day vulnerabilities in Internet Explorer (the same browser that the Israeli Government requires people to use in order to interact with it) and Adobe’s Acrobat Reader is no less than troubling. However, Clinton’s rage on the involvement, censorship of political websites that try to undermine the government and reading personal emails was that it was blocking free trade. Therefore, China’s response was no less obvious: China reckons that Clinton (and Google) should obey the local laws, which include China’s ability to monitor and enforce the net.

Whether Clinton (and Google) are right, and whether China is right, one should still see Clinton’s hypocrisy.

During the same week in which the United States decides to pick on China, we discover that the FBI conducted warrantless surveillance and obtained data illegally, claiming that these activities were made against terror suspects. The US also performs warrantless and causeless searches in laptops when crossing the US border, copies their content and violates the privacy of those who enter the US, even without need for cause. Meaning, the United States’ conduct is no different than China’s; the only difference is that the US performs this due to rules and regulations and China hacks.

“It is easier for the United States to point at China and say that they have a human-rights problem than to look at themselves”, Barlow said. But the Democracy residing in Zion is not innocent. When we blame China and stand next to our greatest friend we have to remember what Israel has been doing during the last year. Just last year we buried the Internet Censorship act, and now a new bill by Danny Danon threatens the freedom of the net, where the bill, if passed, will allow the Israeli government to shut down websites harming the Government’s stability, or sites which risk national security. More than that, the MetaData act in Israel allows the same crimes we blame China for: our phone and Internet providers must provide the government with details about their users.

Israel already admitted searching Mordechai Vanunu’s computer when violating the law and tapping his emails; the same actions China made and is being blamed for; we just call these actions “National Security”.

[Originally Posted in Hebrew on TheMarkerIT]

The Real Bubble | Social Applications

Written by Jonathan under categories: Internet, law, media, social networks. Posted on Jul 2, 2008.

[Also in Hebrew]

0.

You acknowledge and agree that Facebook may at any time in its sole discretion, without liability, with or without cause and with or without notice: (a) terminate this Agreement; (b) terminate or suspend your access to Facebook Platform, Facebook Properties and/or the Facebook Site or any portion or feature of any of them; and/or (c) remove, block, delete or disable access to your Facebook Platform Applications and/or or any Facebook Platform Application Content, including without limitation if we determine, in our sole discretion, that your Facebook Platform Application or any Facebook Platform Application Content is unsuitable for Facebook Platform, Facebook Site or Facebook Users

1.
While the blogosphere and the technological sections in the newspapers are running around the Web 2.0 buzz (and some of the 3.0 buzz as well), we keep forgetting where the real bubble for this technology lies. When Om Malik explained yesterday at TWS2008 that advertisers are the ones impeding the net from developing and dot com startups that develop Facebook applications without any business models get millions of dollars in funding, there’s only one question: when will people realise what Facebook’s real business model is?

2.
Google shut down a few blogs which opposed Barack Obama, possibly because Obama supporters tagged them as spam. It was all executed by automatic systems where the censorship was made by private entities, but it doesn’t actually matter, as Blogspot’s terms of service state that “Google may, in its sole discretion, at any time and for any reason, terminate the Service, terminate this Agreement, or suspend or terminate your account”.

3.
Constitutional Law is probably dead and irrelevant; what was the private sector until recently was settled under “Private Law” or “Civil Law”, but today everything changed: companies that develop applications for social networks or webservices are subjected to the new constitutional law, the Terms of Service. The problem begins when the stable business models that companies build upon, and on which they get their funding, are based on the social networks’ grace. This is not a stable agreement, but a unilateral agreement that grants the social network (or the search engine) an exclusive right to terminate the agreement and prevent the company from operating. (And it’s important to understand that when I relate to Facebook in this post I also mean any other social network or webservice like Twitter that allows 3rd party applications.)
4.
Now, some might say that Facebook’s income and value are derived from the amount of applications it has. Cynics may say something completely different: Facebook’s value is derived from its ability to monetize the applications that are able to run on the platform.
Mark Zuckerberg, Facebook’s founder, photo by KK+ under cc-by-nc-sa license.

5.
In a year or two Facebook’s shareholders will come to their senses and start asking money from the leading hundred applications, as they are allowed to do. Their policy would be similar to this: an application with less than a million users may run freely, but once you have obtained a million users, you’ll pay us one US$ per user. That’s fair, isn’t it? And then what? Will these companies shut down and go home? Not really.

6.
It’s crucial to understand that when you develop a Facebook application or any other social network based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than “more than reasonable” (like investing your pension funds). That’s why, just as you wouldn’t deploy a real product without contracting your deployment contractor, you really should consider doing the same with Facebook.