Open Source Misconceptions and Walled Gardens: The Microsoft Case

Written By: Jonathan under Categories: copyleft, copyright. It has 1 comment and was posted on Feb 20, 2011

0. Why is everyone afraid of open source?
One of the most amazing things is that in a material portion of the Share Purchase Agreements (or investment agreements) I’ve reviewed in my life, the invested company was prohibited from using Open Source software as a material condition of the investment. The “No-Open-Source” clause was added even in companies where a major part of the business model was open source or cloud services, so that in fact there were clauses that excluded the specific Open-Source applications already in use from the warranty and prohibited the company from utilising any other Open Source application. This prohibition, in my humble opinion, represents an archaic misconception that investment in start-ups is in liquidatable property such as patents or copyrights, and not in the persons behind the company.

1. Why is the cellular market afraid of open source?
Both Apple and Microsoft are afraid of Open Source. Apple recently banned the open sourced VLC player from attending its cellular festivities because it was released under the popular GPL (and there is a funny story with XPilot), and so does the Windows Phone 7 developer agreement, which states that open sourced software may not be distributed through the WP7 marketplace (which caused several developers to change their licensing models). But Microsoft’s and Apple’s prohibition comes from ignorance regarding the licenses more than anything.

2. About Microsoft’s misconception?
Microsoft prohibits inclusion of what it refers to as “Excluded Licenses”, which are “any license requiring, as a condition of use, modification and/or distribution of the software subject to the license, that the software or other software combined and/or distributed with it be (i) disclosed or distributed in source code form; (ii) licensed for the purpose of making derivative works; or (iii) redistributable at no charge” (clause 1.l). But open source licenses apply only when there is distribution of the software, and not when there is mere use; therefore, many cloud services use open sourced software (as they don’t distribute the code, only use it). The clause prohibiting excluded licenses in any software applies to applications developed for WM6.x and WP7. Where some portions of the application are server side or server dependent, some interesting questions are raised.

3. Open source prohibition and cloud computing?
This next case is purely theoretical: Facebook, which bases most of its activity on open source infrastructure, develops a Windows Phone 7 application which interacts with the Facebook servers, which run software under open source licenses. While these open source components are used, they are definitely not distributed, and therefore the draconian clauses of Microsoft’s license are terrible. A better, more feasible example: imagine that some person grabs Wikipedia and creates a mobile application; Wikipedia’s content is released under a Creative Commons license which allows free distribution as long as any amendment or contribution is distributed under the same license. Now, Microsoft may come to the developer in question, claim that clause 5.e of the developer agreement was breached, and remove Wikipedia from its marketplace.

4. Why is Microsoft afraid of Open Source?
Microsoft’s fear of open source licenses is clear. Microsoft is terrified by the misconception of the GPL’s viral nature, which was perceived as turning all proprietary code that interacts with open-source code into open-source code, and is afraid of defending itself against whoever comes and asks it to open its code. However, this fear is disproportionate: like the VCs who heard, somewhere, that there’s a risk in open source and decided to ban it completely, Microsoft detaches itself from a world that can do it only good. Microsoft could have started its marketplace with thousands of free applications from day one, giving it a competitive edge over Apple. Microsoft, however, is afraid of not being able to limit its users, and that’s what it does.

5. So now?
The solution is quite obvious: if Microsoft restricts open source from its playground, it will restrict popular browsers, media players and other software from playing the game, and it will fail. There’s no comfort in locking the garden, just another step towards the separation between the proprietary world and the open source one.

[Originally in Hebrew]

Bonus for my English readers, my Open Source Presentation:

Licensing, Lawyers and the EULA Generator

Written By: Jonathan under Categories: copyleft, copyright, law. It has 1 comment and was posted on Oct 7, 2010

Software, as a matter of principle, is usually licensed but not sold; this is what the recent ruling in 42:07-cv-01189-RAJ Vernor v. Autodesk was all about. Therefore, usually, when a person sells (or licenses) software, the end user signs or accepts an End User License Agreement (EULA) which includes the array of rights and duties attached to the software itself.

Copyright laws limit the rights to create copies of or distribute software without the original author’s permission, and the EULA is the permission to hold the end-user’s copy of the software. Without the EULA, any action performed may infringe the author’s copyright. However, both clause 12 of the Israeli Copyright Act and clause 106 of the US Copyright Act do not limit the use of software, solely its copying and distribution. The court ruled in Vernor that the author may limit consumer rights, and therefore software developers may limit the way that their end-users use the software or interact with other components.

However, most software developers prefer to use EULAs in order to allow the use of the software rather than sell copies, so that they can redefine the rights attached to it. For example, clause 24 of the Israeli Copyright Act allows modifying copies of software for security purposes, and courts have also acknowledged that consumer rights may overcome EULAs (MAI Systems Corp. v. Peak Computer, Inc., 991 F. 2d 511 – Court of Appeals, 9th Circuit).

While the courts were not supportive in acknowledging consent to these agreements in all cases (Specht v. Netscape Communications Corp., 150 F. Supp. 2d 585 (S.D.N.Y. 2001)), it is quite obvious that they govern the ability to distribute, but not use, the software (CV 07-3106 SJO UMG v. Augusto). This means that a software license is meant to define exactly what the relationship between the developer and the end-user is, and to rearrange the rights attached by copyright law.

Out of this need, to provide end users with a clear and simple license, lawyers earn a good living. Every software developer has a simple choice: should he pay a few thousand dollars to a lawyer who will draft a document in unreadable legalese, or release the software without any license and hope for the best? The licenses usually contain liability-limiting clauses (see, for example, clauses 15 to 18 of the Windows XP EULA, which limit Microsoft’s liability for any damage and for any cause).

A EULA should come in any place where code is conveyed, but not for web-based services, where a copy of the work is not distributed. Therefore, the difference between EULAs and Terms of Service, which are an agreement regarding the use of the service, should be acknowledged.

Now, after understanding this, we can relate to the subject matter. This week, binpress launched its beta service. Binpress is a commerce platform for web applications and allows web developers, and any other person who wrote a script, plug-in, code or service, to upload the code and sell it to others. Amongst other things, it allows developers to create their own software licenses and save the costs of drafting a license by using the generator, picking what rights apply to the end-user and what don’t (decent disclosure: I wrote the modular license agreement). For example, the developer could pick whether the person who bought the software may distribute it to other people (a developer license), the term of the license, and how many cores and websites may use the software. Eran Galperin wrote a comprehensive post about binpress’ licensing mechanism which you should read.

In brief, the system is quite similar to the Creative Commons license generator, by allowing the user to pick what license he wants for his software and what rights are attached to it. The difference is that binpress’ license is commercial and for web applications.

Then why should I, as a lawyer, cooperate with a system that may take away money I could charge my clients for EULAs and allow my future potential clients to write licenses by themselves? Theoretically, any person who develops applications could choose binpress as his marketplace and save the cost (see also my Hebrew post on Freemium by lawyers). Well, the answer is twofold: first, the system is dedicated to web applications which are sold through binpress, meaning that whoever develops large-scale software, commercial distributions or software involving more than the mere conveying of code (like validation keys) would still have to find a lawyer to draft an agreement. The second is simpler: I believe that this system does not prevent lawyers from earning money; it just makes earning their living more efficient.

Most licenses you read are generic and written in a way that no human could grasp or read; they were written by chewing hundreds of requests and demands time after time and served to developers without any understanding. In contrast, large systems with legal questions of privacy, open source and real legal problems would still need legal consultation and will avoid using these systems.

Therefore, the generator does not harm my earnings and does not replace my legal work; it just allows the end-user to make an educated choice between paying a few thousand dollars when he doesn’t need to and tailoring the agreement himself. When it’s a developer who sells a few copies every day for a dollar or two, it’s not right to pay that much for legal counsel.

[Originally in Hebrew]

In Linux It Wouldn’t Happen: Russia, Microsoft and the Politization of Copyright

Written By: Jonathan under Categories: copyleft, copyright, Cybercrime, law, State Secrets. It has 1 comment and was posted on Sep 14, 2010

Intellectual Property laws have more than a few political implications; many times issues of political speech interfere with copyright. For example, Shepard Fairey, the artist who authored the famous “Hope” poster for Barack Obama, was sued by the Associated Press for copyright infringement, as the image of Obama was based on a copyrighted photo (and in Israel, the Supreme Court will soon hear a similar case, RCA 7774/09 Weinberg v. Weisshoff, where the Defendant is sued for copying a photo the Plaintiff took onto a coin made in memory of the assassinated prime minister, Yitzhak Rabin). In another case, the US Senate candidate Sharron Angle is sued by the proprietors of rights to newspaper articles for presenting, on her personal website, copies of the articles in which she appeared; and there are more cases. Mostly, these cases are borderline in relation to copyright protection, but they are classical monetary suits, not political.

In contrast, the story which spread in the press during the last few days was no less surprising, but at least ended in an interesting manner. Two days ago, the New York Times reported that the Russian government and police use copyright laws in order to suppress political dissidents. The system worked as follows: the Russian police used their granted authority to enforce copyright laws in a violent manner (as they did in the past, when they sent a school principal to prison for using unauthorized copies of Microsoft Windows) and claimed that the copies of Microsoft Windows installed on the dissident organization’s computers were unlicensed (pirated – jk). In Russia, where the unlicensed software rate is second only to the Israeli rate of conviction by a person’s confession, it is more than likely that a political organization will use unauthorized software.

First, it was reported that Microsoft encouraged the enforcement as a part of its zero-tolerance policy towards copyright infringement; however, after suffering damage to its public image, it apparently decided to reform its licensing policy, so that a general license will be granted to non-profits in order to protect them from political persecution. In a post published by Brad Smith, Microsoft Senior VP and Counsel, he explained that Microsoft could not be a part of this and must take an ethical stand.

The claim may be true, but it could also reflect a wise business approach. Until today, Microsoft profited from unlicensed use in third-world countries. Microsoft also knows that if raids like this continue, dissidents will stop using Windows and move to open source software, primarily Linux, in one distribution or another. Moving to Linux is unilateral; it changes a person’s point of view, from an organization that was dependent on a specific piece of software to a part of a larger community. Most organizations who hear about open source are enchanted by it: they have the option to donate, contribute, change, share information, and not just run the program.

Moreover, Privacy Enhancing Technologies are more available on open source operating systems. From the EXT4 file system, which comes by default in Ubuntu and encrypts your hard drives (similar to Microsoft’s BitLocker, but it just works), through Tor servers, which reduce censorship: Open Source is the new haven of dissidents.

Therefore, Microsoft’s blanket license comes to heal a small, shallow scratch, not the problem: copyright is ill, and Microsoft took the right way to take care of it, acknowledging that non-profit use is fair and allowed. However, until further, innovative technologies protect dissidents, the raids will continue. Today it’s the operating system; tomorrow, the word processor; afterwards? Image editing programs.

The ‘No Classified Information’ State: An Open Source Solution to a National Security Problem.

0. Abstract
Could a state with no secrets protect national security better than a state that keeps information away from the general public? In this brief article, we will inspect the reasons for keeping classified information, what it is meant to protect and how it protects national security. We will present the method used by Israel, which is similar to that of most states. Israel’s approach, which is to keep all the information from the public, has failed in general and caused nothing but costs to privacy, freedom of expression and national budgets.

Following our review, we will compare the classified information model to a model in information security called Security through Obscurity, and present how this model came to be perceived as flawed. Against it, we will present the Open Source Model, which creates transparency towards the general public, allowing it to inspect the security flaws, and therefore creates stronger protection.

Our conclusion would be that better national security could be reached by removing all classified information and disclosing all information to the general public. We believe that by making the information public, the cost of the censorship apparatus will be eliminated. We also believe that by adopting a ‘no classified information’ approach, governments may improve physical security when they rely on the foundations of open source security as detailed herein.

In this brief argument I will rely on Israeli law, but provide some examples from other cases.

1. Classified Information and what it Protects.
Every state has its secrets. States choose, in certain cases, to withhold information from the general public. Classifying information goes back as far as Greek times, and falls under the standard four categories: Top Secret, Secret, Confidential and Restricted. Israel has four apparatuses which are in charge of confidential information: the Information Security Department, whose goal is to prevent classified information from leaking from the army; the Military Censorship, which operates under the Defense Ordinance (Time of Emergency), 1945, controls media publication and telecommunication, and has authority to refuse the publication of any information that has any relation to national security; the General Security Service (Shin Bet), which acts according to the General Security Service Act of 2002, where clause 7(2) allows the service to classify documents and determine how to handle such documents; and the Director of Security of the Defense Establishment, which is in charge of security in military industries, research facilities and other national security industries.

Some authorities to classify information do not appear to exist in any law, and some operate under the vague and broad exemption added in the Freedom of Information Act, 1998. Clause 9 of the Israeli FOIA exempts from disclosure any information which may harm national security, foreign relations, public safety or a person’s well-being. Even in cases where classified information was disclosed, the courts still allowed the security agencies broad discretion as to what to blur out (HCJ 258/07 Zehava Galon v. The Governmental Committee for Inspecting the Battles in Lebanon 2006).

But what constitutes confidential information? There are no actual guidelines for determining what is confidential and how confidential specific documents are; every document that contains ‘information’ as defined in the Israeli Penal Code, part II, chapter 7, is covered, and the Penal Code provides a broad definition, imposing legal sanctions on disclosing any information to an enemy where it might be useful to him (clause 111). Confidential Information is defined as any information where national security requires keeping it secret, or information relating to any matter that the government, with the consent of the parliament committee for foreign relations and security, declared as confidential. Critics of this arrangement offered an amendment, but following the Parliament’s research center’s comments, these amendments were not implemented.

The burden of proving what constitutes non-confidential information lies on the defendants (see, for example, CC 1055/01 State v. Yacov); in Yacov, the court explained that while “the military censor is qualified to strike out information which is most-likely about to severely damage national security”, the Penal Code is wider, and applies to cases where national security requires keeping it secret.

In another interesting case, the widow of a person who worked in the nuclear research facility requested the results of an epidemiological survey of the facility’s workers which the facility had conducted. The State declined to provide the information, explaining that it relates to national security. However, when the court rejected the state’s claims, it expressed criticism of the state’s conduct: “the state wiggles in its arguments and cannot point to a normative authority from which it draws the classification of the information. It is, according to the state, basic foundations, but these basic foundations have to be applied by the General Security Service Act, 2002, and the rules according to it (which are classified, so the state cannot disclose them to the court, but as a graceful act the state is willing to summarize them)” (CA (Tel-Aviv) 2571/01 Hanna Hizi v. State); the court itself explained that it cannot understand the classification, and that the state has to acknowledge the difference between confidentiality and classification. Classification does not by itself create a basis for excluding evidence, unless the state decides to exclude the evidence on national security grounds according to the Evidence Act, 1971; and in cases where the court finds that the evidence may have assisted the party who wishes to submit it, the state shall default (OCR 2489/09 Zeev Braude v. State).

The Israeli Supreme Court dealt with the question of what constitutes classified information in Vanunu (CA 172/88 Mordechai Vanunu v. State); in Vanunu, a former worker at the nuclear research facility was charged with espionage when he disclosed information regarding Israel’s nuclear activity to press agents in the UK. The Supreme Court decided to convict Vanunu for collecting and disseminating information to the enemy. The court analyzed this clause and explained that “He who provides information to the enemy; meaning, any information, even if it is public information arising from the press, his activities fall into clause 111”, thereby eliminating any need for classification at all.

What does classified information protect? The question is a difficult one to answer. Some claim that the purpose of classifying information is withholding it from foreign agents, and explain that when many people have access to certain information, it harms national security. Classifying information makes it harder for counter-intelligence and foreign military forces to obtain information regarding a state’s forces, and allows the state to operate where the other party does not know its rules of engagement, its powers, its officers, or even its defense mechanisms.

But the real question is how much this information, once obtained by foreign intelligence, endangers national security, and whether the burden of protecting this information outweighs the value of keeping it secret.

When the classified information is the actual secret (e.g. the actual location or time of a specific operation), then it is assumed (though not significant) that information about the operation that becomes available to hostile forces may lead, at least, to less successful results. There are specific sets of information that are considered confidential even though they have only a (statistically insignificant) connection to current, ongoing operations or to other information that, if leaked, may cause damage to national security.

For example, the actual existence of a specific weapon or the location where a missile fell after an air-strike cannot be considered a state secret, for several reasons: the first is that it is not kept away from the public, as what the general public sees cannot be considered a national secret. For example, during the 2006 war, the military censorship requested Tapuz, Israel’s largest forum operator, to censor posts made by civilians about where Hizbullah missiles fell. Another case where information in the public’s plain view was considered confidential was when Parliament Member Yossi Sarid threatened that he may disclose information about weapons used by the IAF after the IAF killed and wounded dozens of Palestinians, including civilians, with weapons that were allegedly in plain view.

Another case where information in plain public view was considered confidential was when Israel denied using phosphorus during the Cast Lead Operation of 2009, where the evidence was left in the Gaza Strip, which allowed the Goldstone committee, which inspected Israel’s activity following the operation, to find that Israel’s denial was false. So, in this case, how could the use of phosphorus be considered confidential information when there is evidence in plain view regarding the use?

Therefore, confidential information could be considered confidential only as long as no public information regarding it exists. For example, the location of specific military or nuclear facilities that are located close to cities and have road signs directing to them could not be considered confidential information. Israeli blogger Ido Kenan points out that Israel has a policy of withholding this confidential information on road signs presented in Arabic, leaving the confidential information only in Hebrew and English.

In conclusion, classified information in Israel is defined in an overbroad manner, containing information that may be considered in plain view and known to the general public. By acknowledging this flaw, we may understand the basis of information security and examine the weak points of such a method of information security.

We believe that there has to be a difference between the classification of security mechanisms by themselves and information (data) which relates to specific, mission-critical matters that is classified. The difference is between information regarding the existence and functions of a specific unit, its weapons and its history, and current plans regarding an operation.

2. Security By Obscurity, A Problem
2.1 Security By Obscurity
When trying to protect information in a digital environment, there are two popular methods used by information security experts. The first is Security through Obscurity: this method, which is quite similar to the Israeli classified information approach, hides all information related to security from plain view and classifies it as confidential; under this method, “a system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them”. The model bases itself on the assumption that others are unaware of the activities taken and that most confidential activities could be disguised from plain view.

However, the flaw of this model is that the secrecy of the information is exactly what lets security flaws remain secret as well. For example, GSM encryption was broken in 2003, and again in 2009. These attacks were published because they were part of academic research; however, in certain cases the attacker may not be so eager to publish the research. In some cases, employees or contractors may sell known exploits which were not taken care of, and criminals may sell unknown exploits either to other criminals or to the company itself. Moreover, relying on a sole provider to fix the security breach could sometimes cause more problems.

The main disadvantages of Security through Obscurity may be summed up as: (1) few people inspect the system for flaws, and sometimes actually inspecting the system may be considered illegal; (2) hostile entities reviewing the security of the system do not disclose their results; (3) dependency on one vendor or provider to review and fix security breaches.

2.2 The Open Source Model.
In contrast to Security through Obscurity, Open Source advocates rely heavily on Security through Transparency: under this method, the algorithms and software used to encrypt or protect information are known to the public, providing the public an efficient way to report security vulnerabilities, and even to propose bug-fixes. The more people have the chance to inspect the security mechanism, the safer it will be.

For example, security firm Secunia found that more security flaws were found in the open sourced Firefox than in proprietary browsers, but the number of unpatched zero-day flaws was significantly lower, and so was the time it took to fix any flaw. By making all of its information public, a software vendor may create better security and allow any researcher to discover flaws. Moreover, transparent security mechanisms may also deter hackers from looking for ways to exploit zero-day flaws, for fear of being caught (see also David Wheeler, “Is Open Source Good for Security?”).

The Open Source Model does not ignore the basic concepts of information security, but it acknowledges their flaws and attempts to build better models.

3. Could Building a Transparent State Solve National Security?
Could we imagine a state where all public information could be deemed as non-confidential, security mechanisms would be public and open for scrutiny and confidential information would be reduced to a minimum? We believe so.

Currently, a state like Israel has to operate counter intelligence just to solve the problem of collection of plain-view information and to protect from hostile action. When operating an open source model, counter-intelligence could be abandoned and replaced with crowd sourced models, which will help to build stronger mechanisms of protection.

Moreover, removing the ambiguity relating at least to nuclear weapons in Israel would assist deterrence and strengthen national security. Weak points in Israel’s theoretical protection would be visible to the public and could be fixed quickly; moreover, the actual items that require protection could receive the needed funds and resources to protect them.

3.1 What is there to lose from revealing all classified information?
While we do not necessarily wish to reveal all information, certain information relating to means of operation and security regulations has to be declassified. For example, both the General Security Services Act and the recent Inclusion of Biometric Information and Data in Identification Documents and Database Act of 2009 state that all regulations and orders will be classified, as well as any information regarding security breaches. Moreover, when discussing the act in Parliament, security experts raised concerns over the database’s possible flaws, and the Minister of Interior, Eli Yishai, ordered the security protocols opened for discussion, but such a discussion never took place. Keeping the database, as well as the security guidelines and notifications of security breaches, secret seems good in the eyes of a person who thinks that an enemy may abuse such faults; however, in the eyes of a security researcher, this allows zero-day flaws and known vulnerabilities to be used against the database (see, for example) and gives a false feeling of security.

The only thing that may be lost when protocols, orders or regulations that remain secret are disclosed is the cover for an authority’s misconduct or its acts against the law; for example, as a result of Israel’s Freedom of Information Movement’s appeal, it was revealed that the cellular companies were required to adhere to secret regulations regarding cooperation with intelligence agencies and to disclose subscriber information.

Therefore, when the government’s default approach is that there is no need for privacy unless a person has something to hide from the government (which seems to be the default approach of the Israeli government, as the Biometric Database Act, the Criminal Order (Submission of Metadata) Act of 2007 and other statutes are turning Israel into a surveillance state), then the default approach towards the government should be that all its secrets are meant to cover up unlawful activities.

3.2 What is there to gain from revealing all classified information?
First and foremost, the Israeli Government may regain public trust by disclosing all its activities. The Israeli public, for example, strongly believes that the Biometric Database will leak, mostly because quite a lot of sensitive data has already leaked from Government databases, and 70% of the general public does not trust database protection in Israel. A different survey, by Symantec, found that 60% of people do not trust the government with their private or personal information.

The feeling of misused trust may be healed when information regarding data breaches and information security is disclosed to the public. But more than that, apart from public trust, the government may gain better protection of its classified information. The Israeli government may adopt what computer giants like Google and 3Com already did, and that is to pay for every security flaw found.

Currently Israel has many unknown security flaws, which remain confidential until a hacker gets caught. For example, Israeli white-hat hacker Moshe Halevi (Halemo) was charged with hacking when he used a pre-paid credit card to show that the Israeli Fines and Fees Center had a bug in its URL handler that allowed resetting a person’s fines. In a detailed judgment (C 9497/08 State v. Moshe Halevi), Judge Avraham Tenenbaum explains why Halemo’s activity was not hacking, but solely security checking (a similar case, CA 8333/03 State v. Mizrachi, explains that port-scanning cannot be criminal if done for the purpose of security inspection). Therefore, we can argue that the state has a compelling interest in discovering flaws.

3.3 The state’s approach to security flaws.
However, in most cases the state prefers to withhold information about security flaws from the public and to litigate against the persons who discover them. Moreover, when flaws are found, the state's Security through Obscurity approach usually means that the way it fixes the vulnerability is not only insufficient, but negligent.

In one case, Halemo discovered that the Israeli Court System's website disclosed judges' ID numbers (the equivalent of Social Security numbers): the URL of a judge's page on the site contained his ID number. After the flaw was exposed, the state "fixed" it by replacing the ID in the URL with a Base-64 representation of the same number.

However, if we required the state to disclose its means of security, it would have to disclose how the judges' ID numbers were encrypted or protected, and every person would then understand that neither plain text nor Base-64 is good enough to protect sensitive information: Base-64 is a reversible encoding, not encryption, and anyone with a decoder recovers the original number from the URL without any key.
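As an added illustration (example code written for this page, not code from the original post or from the court system), the following Python shows why the Base-64 "fix" described above protects nothing, why an unkeyed hash of a short identifier is not much better, and two ways the identifier could actually have been kept out of the URL. The sample ID number, the HMAC keys and the registry are constructed for the example; the Israeli court website's real implementation is not known to us.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed sample identifier for the example; not a real ID number.
SAMPLE_ID = "123456782"


def obscure_with_base64(national_id: str) -> str:
    """The 'fix' described above: Base-64 is an encoding, not encryption."""
    return base64.b64encode(national_id.encode()).decode()


def recover_from_base64(token: str) -> str:
    """Anyone with a decoder reverses it; no key is involved."""
    return base64.b64decode(token).decode()


def looks_like_base64_of_digits(token: str) -> bool:
    """Quick check to run over URL path segments: does the segment decode
    to an all-digit string? If so, the 'protected' identifier is in the clear."""
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return False
    return decoded.isdigit()


def unkeyed_digest(national_id: str) -> str:
    """Unkeyed SHA-256 of the identifier: also insufficient, see below."""
    return hashlib.sha256(national_id.encode()).hexdigest()


def recover_unkeyed_hash(digest_hex: str, width: int):
    """An ID number is a low-entropy secret (only 10**width candidates), so an
    unkeyed hash is reversed by simply enumerating the whole space."""
    for n in range(10 ** width):
        candidate = str(n).zfill(width)
        if unkeyed_digest(candidate) == digest_hex:
            return candidate
    return None


def keyed_pseudonym(national_id: str, key: bytes) -> str:
    """HMAC with a server-side secret key: a URL token that cannot be reversed
    or brute-forced without the key. It is still deterministic, so the same
    judge always gets the same token (linkable across pages)."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()


class SurrogateKeyRegistry:
    """Random, unguessable handle per identifier, mapped server-side.
    Nothing in the URL can be decoded back to the ID at all."""

    def __init__(self):
        self._by_handle = {}
        self._by_id = {}

    def handle_for(self, national_id: str) -> str:
        # Issue one random handle per identifier and remember the mapping.
        if national_id not in self._by_id:
            handle = secrets.token_urlsafe(16)
            self._by_handle[handle] = national_id
            self._by_id[national_id] = handle
        return self._by_id[national_id]

    def resolve(self, handle: str):
        # Only the server can turn the handle back into the identifier.
        return self._by_handle.get(handle)


if __name__ == "__main__":
    token = obscure_with_base64(SAMPLE_ID)
    print("base64 token:", token, "-> recovered:", recover_from_base64(token))
    registry = SurrogateKeyRegistry()
    handle = registry.handle_for(SAMPLE_ID)
    print("opaque handle:", handle, "-> resolves server-side to", registry.resolve(handle))
```

The surrogate-key registry is the approach a reviewer would ask for here: the URL carries a random handle, the mapping lives in the database, and a leaked URL reveals nothing. The keyed HMAC is the fallback when no server-side state is possible, at the cost of linkability.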

4. Applying Software Solutions to State Secrets: A Conclusion.
We believe that not all information has to be public. Some things are better off secret. However, if we learn from information security methods, we must acknowledge that better security can be achieved by disclosing more information to the public. Applying the open source model of information security allows transparency in decision-making, better algorithms, fewer resources spent on counter-intelligence and more resources to allocate to what is truly mission-critical information.

Moreover, better trust can be built between governments and citizens, reinforcing the social contract and allowing better political participation.

Currently, governments over-trust security through obscurity when operating mission-critical processes, and therefore, when those processes are flawed, the flaws and their results are enormous. Utilizing open source models could prevent mishaps such as Israel's phosphorous use, George Bush's Weapons of Mass Destruction lie and Israel's racial profiling in airports as a means of security.

Israeli racial profiling is a good example: it is highly efficient nowadays, even better than the US TSA guidelines, but it bases itself mostly on the assumption that Jewish nationals may not be considered a threat to national security while Arabs may (HCJ 4797/07 The Israeli Association of Civil Rights v. The Terminal Security Authority, decision pending). As long as the security guidelines were secret, it seemed amazing that no security flaw occurred. However, now that the guidelines are known and understood, it is easier to design a way to circumvent them. Therefore, even adopting new guidelines will be useless, as they will be inefficient (unless, again, based on racial profiling).

Therefore, in order to regain national security, Israel will have to change its approach to the Open Source Model before a major security event occurs that makes it understand that this is the only option. Staying with a Security through Obscurity approach could protect confidential information, but it cannot protect national security.

Hamakor, Israel’s Open Source Society, calls for annulment of Software Patents.

Written By: Jonathan under Categories: copyleft, copyright, israel. It has 6 Comments and It was posted on Jan 19, 2010

After a few weeks of work, and many comments from various open source enthusiasts, we (Hamakor) filed our memorandum today in response to the Israeli Patent Authority's call for submissions (more here), calling on the Israeli regulatory authorities to refrain from granting patents on software [Hebrew Memorandum].

Our main claim was that protecting software through patents provides protection for ideas, which are usually expressible in more than one manner, and starts a race to the bottom in which every player registers as many patents as possible and imposes high costs on every other player in the software field.

We noted the chilling effect created by the fear of using software covered by patents, be it free software or proprietary software, which imposes costs on the whole system solely in order to purchase insurance against theoretical patent infringement. In such a case, any independent development of software without legal assistance from the first day of development becomes problematic, which deters developers from developing free software and does not promote innovation.

In Israel, unlike the United States, which awaits the decision in re Bilski (and see the recent USPTO decision in Srinivas Gutta & Kaushal Kurapat), and unlike Europe, which has a strict approach towards software patents (Article 52 of the European Patent Convention excludes computer programs as such from patentability), there is only a theoretical decision by the patent registrar, Noam Meir, in Pat 131733 Eli Tamir, which has yet to be examined by the Supreme Court and has yet to be accepted as precedent. Meir stated in his decision that "the hardware is patentable and the software is outside the realm of patentability (...) even though software itself is unpatentable, physical computed systems, which integrate hardware and software, or which make technological use of new software in order to present a new result with inventive progress, may be patentable under several conditions".

We believe that software patents do not promote innovation but are only used to bash business opponents and prevent innovation. Take, for example, patent number 5960411, filed by Amazon, which tries to own exclusivity over "one click purchases" on electronic commerce websites. The same could be said of patent number 6727830, which describes a method of double clicking in order to open an application. Both patents present no innovation apart from algorithms. Moreover, research conducted between 2000 and 2001 at Stanford found that the use of patented software technologies enhances sales on websites and allows general wealth to grow, while it deters others from using similar technologies. Therefore, even if Amazon invested millions of dollars in a system that enables faster purchases and lower drop rates, the innovation is not technological or industrial in nature, but conceptual. Protecting ideas is not something that should occur in free markets, where we wish for greater competition between the expressions of these ideas.

Patents in the digital world differ from physical patents in two ways: the period of protection and the form of expression. Although the tumbler lock was created more than 4,000 years ago, different applications based on it have been registered as patents for more than a century. However, protecting a specific lock for a few decades does not interfere with the free market in the way that protecting software does. In the computing industry, and especially in software, five years are an eternity, let alone twenty.

The exponential growth in computer chips, following Moore's Law, drives such fast development of technology that five-year-old software is almost irrelevant.

The second rationale is that in the physical world an idea may be applied in two different forms, establishing free competition without infringing the patent (for comparison, C 2469/02 Hasbro v. Lee-Dan, CA 9678/05 Beytimu v. ARRABON -HK- limited, C (Haifa) 399/04 ARRABON HK v. Beytimu). For example, the patent granted to General Mills in regard to the Monopoly game was so wide that it prohibited almost any board game that allowed transacting funds (see also Anti-Monopoly, Inc. v. General Mills 55 A.L.R.Fed. 223; 204 U.S.P.Q. 978; 611 F.2d 296): "This invention relates to board game apparatus and is intended primarily to provide a game of barter, thus invoking trading and bargaining". Even in such a situation, a game could theoretically have been implemented in a way that did not breach the patent; in software, however, that would be impossible.

The problem is that in the world of software patents the border between the definition of a problem and its solution is unclear; sometimes the patent granted covers the problem's definition and not its solution. For example, the MP3 audio codec is protected by software patents. In the field of video and audio compression, patents were granted so broadly that they cover use of the files even with algorithms different from the patented one.

In such a case, the proprietary algorithm's creators demand royalties also for the decompression of a compressed file, so that every media player manufacturer has to pay even when the decompression is done by a different algorithm (compare clause 24 of the Israeli Copyright Act, which permits "Use of the computer program for purposes for which it was intended, including correction of errors in the computer program or making it interoperable with a computer system or with another computer program").

An additional problem, which makes software patents a race to the bottom, is that Israeli venture capital corporations measure the intellectual property of start-ups by patents. Under their method of inspection, the sole way to quantify property is by the number of patents that could be obtained. This creates a race to the bottom that imposes high patent-registration costs on start-ups and produces attempts to patent every piece of innovation, even when it is obviously unpatentable. In a similar manner, Netex applied in 1998 for a patent on a smart, semantic browser address bar, so that every search typed into a browser's URL box would be covered by the patent. Apart from the patent's lack of innovation in our opinion, and with nothing to show that prior art did not exist, the question is what separates the address bar from every other input box, be it on a website or in software. They are all input boxes that operate in a similar manner.

We believe that the unstoppable registration of patents will not only impose costs on the Israeli high-tech field, but also harm software through a software patents arms race.

In a similar manner, there have been a few attempts to enforce what is known in the industry as a standard (6:07-CV-113 i4i v. Microsoft, and Microsoft's settlement with TomTom over FAT32), so that products that tried to interoperate with known and accepted industry standards were sued for patent infringement. These lawsuits show how innovation is perceived and how interaction with the free market occurs. For example, Microsoft's lawsuit against TomTom was brought in order to prevent TomTom from using open source and free software: TomTom's device was based on Linux, and Microsoft claimed that storing data on FAT32 drives breached its intellectual property rights. More than anything else, Microsoft, which holds a de facto monopoly over operating systems, attempted to prevent competition from growing.

We believe that changing the legal atmosphere so that patents are not granted over software will not only enable free competition in the software field, but also provide incentives to the Israeli economy, attract quality investments and base investment in people rather than patents. Not acknowledging software patents would allow Israeli companies to develop software without fear of being sued for alleged infringement of some other patent. The main insight is that the core of the Israeli software field is its people, and that allows development without fear.

The uncertainty of developing software under an arms race discriminates between developers of free software and developers of proprietary software. Free software developers are mostly volunteers and a community whose harmonious progress allows the entire society to utilize the technology and the labor. In such a case, many companies may compete on the best technological product and adapt the software to their product. For example, a manufacturer of cellular phones running Google's Android operating system could patent the chips in its phones, while others may use the same operating system and contribute to its development. Acknowledging software patents would impose costs on the millions who develop for no financial purpose, who would have to seek legal counsel before even writing any software.

While we acknowledge that many companies may write to the registrar and call for protection of what they perceive as their property, we know that the greater good can grow where software patents do not exist.

For the reasons specified, we believe that no software patents should be granted in Israel.

GPL, plug-ins, themes and derivative works, the case of ‘Free as in Pizza’

Written By: Jonathan under Categories: copyleft, copyright, wordpress. It has 5 Comments and It was posted on Jul 4, 2009

When Richard Stallman first thought of Free Software he had the four basic freedoms of the GPL in mind: the freedom to run the program, the freedom to modify the source code, the freedom to redistribute the program and the freedom to allow improvement and evolution of the software. Stallman's case was quite simple: he worked as a programmer at MIT's AI lab and wanted to fix the Xerox printer driver. When Xerox moved to proprietary drivers and prevented Stallman from accessing the printer's source code, he first thought of free software as a way to help himself and others share knowledge and tinker with software. (Read more here)

Since the evolution of the GPL began, there have been many debates (and I've had the pleasure of taking part in at least one of them) about the virtues of free software. However, this week's events and announcements show that the basic freedoms of the GPL are not what the Free Software Movement has in mind when it interprets the GPL, and sometimes its interpretation may be one that harms the community instead of helping it.

Two popular content management systems (CMS) have decided to implement a strict interpretation of the GPL. Both are server-based open source systems released under the GPL. Both WordPress and Joomla decided that in order to appear in their add-on directories, you must release your theme or plug-in under the terms of the GPL. WordPress' decision that WordPress themes must be GPL to be listed and Joomla's decision that all extensions need to be released under the GPL both rely on the same strict interpretation of the GPL by the SFLC: "it is our opinion that the themes presented, and any that are substantially similar, contain elements that are derivative works of the WordPress software as well as elements that are potentially separate works".

In order to understand this, one must understand the GPL and its terms. The GPL requires that all derivative works (meaning works based on the original program) be released under the GPL as well (clause 2 of the GPLv2): "You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work..."; the user is granted the freedom to modify the work without any concern, as long as he does not distribute the modification under any license but the GPL. This is the viral nature of the GPL: all improvements to the software have to be released under the GPL (if they are released at all).

However, freedom 1, as defined by Stallman himself, means the freedom to tinker with the software without having to share your tinkering. When I patch a piece of software to fit my system, or when I design a blog theme, I do not have to release it to the public (that is what the AGPL is for, and if WordPress were not so heavily based on others' GPL code, it could have been released under the AGPL to assert those freedoms). What Joomla and WordPress are doing is quite the opposite: they are taking away freedoms instead of using the freedoms of free software.

Take, for example, Omry Yadan's popular software, Firestats. Omry wrote a PHP application that provides simple and efficient web analytics. This software runs on virtually any server and with any CMS, and is provided for free. Moreover, Firestats is definitely not a derivative work of WordPress or Joomla; it is a "separate and independent work" (GPLv3 clause 5, GPLv2 clause 2), which means it is in the GPL's safe zone, as the license states: "If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works."

This means that even if Firestats were distributed with one of the GPL'd CMSs, it would still be fine to distribute it without licensing it under the GPL. However, in order to be included in the plug-in directory it has to comply with the GPL, for no legal reason.

Now, this absurdity comes to mind when GPL-laundering occurs. Think of the following situation: I used several pieces of code in my design, including CC-licensed code from a manual, and designed a template. In order to run my template, I used both WordPress template functions and plain PHP:

<title><?php
// WordPress conditional tags pick the title; echo and the string literals are plain PHP.
if ( is_home() ) {
    bloginfo('name');
} elseif ( is_category() ) {
    single_cat_title(); echo " - "; bloginfo('name');
} elseif ( is_single() || is_page() ) {
    single_post_title();
} elseif ( is_search() ) {
    // $s is the WordPress search query; escape it before printing.
    bloginfo('name'); echo " search results: "; echo wp_specialchars($s);
} else {
    wp_title('', true);
}
?></title>

This example demonstrates PHP, WordPress functions and (through those functions) MySQL all used in the same script. However, it is obviously not a derivative work of PHP or MySQL. Therefore, why is it considered a derivative work of WordPress? Would things be different if WordPress had an API for posts and information, and the theme itself ran separately? Granted, a theme (most of the time) cannot be considered independent, only separate. A plug-in, however, might be considered both.

The problem goes even beyond that: themes and plug-ins are not distributed with WordPress but separately, and therefore need not comply; freedom 1 (as well as fair use) grants me the freedom to tinker with the software on my server for my personal use, and I need not worry about it as long as I don't distribute it. Should I wish to distribute WordPress with several plug-ins (or themes) pre-installed, then I would have to get the right permission from all the developers to package it as one piece of software.

The latest interpretation of the GPL, as restricting the use of non-GPL'd code with GPL'd software, only restricts the freedoms of free software, and might give others incentives to package their code differently and use it under a different name.

[Title originated here]

Never Trust a Machine | Electronic Fiasco at the Israeli Labour Party

Written By: Jonathan under Categories: Internet, israel, law, security. It has 0 Comments and It was posted on Dec 2, 2008

0.
Never rely on a machine and never trust it: the Israeli Labour Party's primary elections were cancelled due to malfunctions in the voting machines. The voting machines were mere PCs linked together, allowing voters to vote for their candidates. One problem was that Benjamin Ben Eliezer (Fouad) was absent from the ballot after he was dropped from the promised 7th place only four days earlier. However, the failure was in the decision to use voting machines at all, and that was a human error: choosing a system that will obviously fail is wrong, and since we knew this was about to happen, someone has to go home. It is not only The Simpsons' parody, but also the claims of failures in the recent US elections and of rigging in the 2004 ones. But still, people want "progress" and try to use technology where it cannot work.

1.
The main issue with electronic voting is that there is no paper trail of the actual vote (apart from the inherent breach of the voter's privacy); in contrast to paper ballots, the computer just logs the time and the candidate you voted for. A comprehensive article in the Illinois Business Law Journal reviews these problems and explains why electronic voting systems are not fail-safe. These systems can be hacked relatively easily, without complicated tools or technological know-how (and it is always a good sign when the hacker is threatened with a lawsuit). The fact that these machines use proprietary code and not open source increases the inherent risk of both fraud and hacking, and since no one knows what they record, they are always open for business.
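To make the privacy point above concrete, here is an added example (written for this page, not code from the original post, and not a description of the Labour Party's actual system) of what a record of only (time, candidate) gives away. It assumes, as is common at a polling station, that a check-in desk separately records when each voter signed in; both logs below are constructed sample data. Correlating the two clocks reconstructs every ballot, which is exactly why a paper ballot dropped into a box records neither the time nor the order.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real data). The voting PC records only
# (timestamp, candidate); the check-in desk records (timestamp, voter).
CHECKIN_LOG = """\
2008-12-02T10:00:05 checkin voter=A
2008-12-02T10:00:41 checkin voter=B
2008-12-02T10:01:20 checkin voter=C
"""

VOTE_LOG = """\
2008-12-02T10:00:52 vote candidate=X
2008-12-02T10:01:33 vote candidate=Y
2008-12-02T10:02:10 vote candidate=X
"""


def parse_log(text: str):
    """Parse 'ISO-timestamp kind key=value' lines into (datetime, value) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _kind, kv = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kv.split("=", 1)[1]))
    return events


def link_votes_to_voters(checkins, votes, max_gap=timedelta(seconds=90)):
    """Greedy time correlation: each vote is attributed to the earliest
    still-unmatched check-in that precedes it within max_gap. With one booth
    and sequential voting this is exact; with several booths it still narrows
    each ballot down to the handful of voters who checked in just before it."""
    deanonymised = {}
    pending = sorted(checkins)
    for vote_ts, candidate in sorted(votes):
        for i, (checkin_ts, voter) in enumerate(pending):
            if checkin_ts <= vote_ts <= checkin_ts + max_gap:
                deanonymised[voter] = candidate
                del pending[i]
                break
    return deanonymised


def reconstruct_ballots():
    """Run the correlation over the constructed sample logs."""
    return link_votes_to_voters(parse_log(CHECKIN_LOG), parse_log(VOTE_LOG))


if __name__ == "__main__":
    for voter, candidate in reconstruct_ballots().items():
        print(f"voter {voter} voted for {candidate}")
```

Note that nothing here requires access to the voting machine's internals or any "hack": an ordinary timestamped log, the kind an administrator keeps for debugging, is sufficient once it sits next to the sign-in sheet.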

2.
Moreover, over the years a few conspiracy theorists have linked political candidates to voting machine manufacturers. This too may be a problem when the machines malfunction and there is no way to know what went wrong.

3.
The Israeli Ministry of Interior wants e-voting in Israel after all. Democracy, according to them, is only a small consideration when the costs are too high. Of course, by looking at our electronic booths you can understand the means of security we implement: a small PC that anyone can hack from a distance and inject with fraudulent votes, or just circumvent (I was told it uses a cellular connection, which might not be encrypted).

4.
Our politicians got an extension, what are their skeletons?

[Originally in Hebrew]