Privacy and Data Protection in the Cloud [For CloudCon 2011]

Written By: Jonathan under Categories: File Sharing, Internet, security. It has 4 Comments and it was posted on Mar 29, 2011

This Wednesday I’ll speak at CloudCon 2011. Instead of a regulatory lecture, I decided to focus on a technological solution to a legal problem, which I believe might be elegant. I’d appreciate it if you could join me at CloudCon or just come over to say hi.

0. The Cloud and Your Information.
On the verge of the Age of Intelligent Machines, Cloud Computing brings a new era for data processing. The Cloud holds more and more information, and data owners and data subjects lose physical control over it. If the old-world model was that data about the end-user was held by the service provider, which processed it and delivered it to the end-user, the cloud model allows the service provider to hold the information for the end-user on the premises of 3rd parties. For this brief lecture we’ll use Dropbox as an example, but when Dropbox’s examples fail, we’ll move on to others. In brief, Dropbox is a storage service which automatically backs up your information remotely on Amazon’s S3 servers. When you install Dropbox, you use at least one more CSP (Cloud Service Provider) and are subject to its terms.

1. Shared Hosting, Shared Computing, Shared Control [meaning: The Problem];
Now, who has control over your information? Dropbox’s privacy policy suggests that “Dropbox cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process”; also, Amazon S3’s privacy policy states that “We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements”. This means that both Amazon and Dropbox will abide by law enforcement requests and provide information if a court says so. Generally speaking, this is a good thing.

Let’s put this into proportion, however: let’s say that I produce lemonade and have a trade secret: the recipe. I store it in my Dropbox folder, as I need to provide access to several employees and I want it to be backed up securely. Now, my biggest competitor wants to access my lemonade recipe. He goes to court and, with a good attorney, gets an Anton Piller Order (an order allowing him to seize my assets held by a third party before any legal process is in progress); the order is based on his claim that I stole the recipe, and the court rules, ex parte, that Dropbox should grant him access to my files. This is possible because my competitor’s claim was that Dropbox itself holds the files. Dropbox receives the order and does not know how to treat it: it is unable to tell whether I am the actual owner of the file or stole it, and has to provide the files to my competitor: an order is an order.

There are two material differences that come to mind between cases where I hold the information and where the ISP holds it, and these differences explain the problems of using cloud storage for such sensitive information: (1) If I held the material, each order would have had to be executed with my knowledge of it, because the files were stored at my premises and under my control [see, for example, RCA 1810/10 PCIC v. Kaplan, where a shared hosting provider was requested to reveal the email accounts of one of its users without their knowledge]; (2) The CSP is rationally indifferent to disclosing my information, as if it does not, it might incur liability. Israeli courts ruled in several cases that active participation and an interest in not removing content even after knowledge of infringement may incur liability [for example, C 176992/09 Eti Abramov v. Aviv Frenkel, C 32986/03 Buschmitz v. Refuah]. Therefore, when you store information in the cloud, you are at risk that your information might be sought by other parties.

The question is whether it is technically possible to do so, meaning: could CSPs access your files? Let’s say that, legally, Dropbox’s terms allow such use, and that other CSPs (such as Google, as a provider of email services) have already been ordered to reveal a user’s IP address (C 4854/07 Berlomenfeld v. Google) and to disable access to other accounts. Moreover, Dropbox (and let’s keep Dropbox as the example) designed the architecture; it has the ability to recover my files and to recover my password, meaning that it can always bypass its internal security mechanisms.

2. Loss of Centralization;

Now, as we see it, when we discuss CSPs, we know that control has to move from one centralized user to many distributed players, each of which has the ability to disclose the information. At least prima facie, the CSP is considered a 3rd party that either retains the information or processes it. For such cases, the Israeli Law, Technology and Information Authority has issued a draft set of regulations regarding processing by 3rd parties or outsourcing services.

Now, if I hold sensitive information about 3rd parties, and some of it is held in the cloud, then I have to make sure that my CSPs adhere to a privacy policy that protects my information. For example, if I am a lawyer, I have to notify Dropbox that I am one and that all my information is protected under attorney-client privilege, so that when they receive such Anton Piller orders, they’ll refuse and defend me. Moreover, I have to make sure that my CSP shall not divulge any personal, private or sensitive information to any 3rd party, either with or without my consent.

3. Protecting Yourself from Your CSP;
How can one protect himself from his CSP? Theoretically, there are a few proposals for Encrypted Cloud Storage (for example, Kamara et al, “Cryptographic Cloud Storage”) which offer theoretical, yet to be implemented, methods of encrypting information in the cloud. Generally speaking, their proposal is that “Before uploading data to the cloud, Alice uses the data processor to encrypt and encode the documents along with their metadata (tags, time, size, etc.), then she sends them into the cloud. When she wants to download some documents, Alice uses the TG to generate a token and a decryption key”.

Another technological option is to encrypt the virtual machine’s drive or to use encrypted file systems on cloud storage. Yet another option is to use encryption software, such as TrueCrypt, on top of your cloud storage service (such as Dropbox); however, such a solution may be problematic, as Dropbox cannot see inside the encrypted volume and might have to back up the entire volume each time you change any single one of your files.

A different approach may be to establish a secret sharing mechanism where the information is distributed over several different clouds, each holding only a portion of the information (as in Parakh et al, Recursive Secret Sharing for Distributed Storage and Information Hiding).

However, these solutions are theoretical and have yet to be implemented by organizations or storage services as an integral part of their scope of services (maybe apart from this one).

4. Solution[s];

Let’s discuss solutions as well. We need to form a strict set of rules for defining a cloud system as privacy-enabled. Our requirements are that the CSP shall allow: (1) seamless access to the set of files; (2) indexing and searching; (3) sharing parts of the information with 3rd parties; (4) reporting on each authorized and unauthorized access.

Mounting an encrypted virtual filesystem allows three out of the four: access, indexing and reporting. However, in order to share the information with 3rd parties, access to the filesystem has to be granted to the CSP (especially in order to allow sharing; see Yunqi Ye et al, Dependable and High Performance Cloud Storage). The other option is to encrypt each file differently (with a different symmetric key for each file, so that no problems with sharing the files exist); however, such an option does not allow search and indexing (or requires a central key database), again satisfying only three out of the four conditions.

Even if we assume that the encryption is symmetric, and that each sharespace between users receives a different symmetric key, we still cannot define the solution as seamless: in order to convert files from a privatespace to a sharespace, a client-side conversion of the files is required, as it is when files are copied from a private folder to the shared folder (and a keyserver is required as well).

Let’s take, for the solution, Adi Shamir’s secret sharing mechanism (Shamir, How to share a secret) and, for the purpose of this solution, define our efficient threshold as one (1) user. In such a case, we define the shared folders with at least three cryptographic keys (one for the folder, to be shared with anyone, and one for each user), in such a way that each user can read from or write to the folder seamlessly; he can also index and search using his key (and the shared key), and share the information with others (by adding another key).

Implementing secret sharing in such a case (which has yet to be tested) may allow enhanced privacy together with the flexibility of sharing the information across networks and users.

5. Conclusions.

We have yet to implement a technological solution to a legal problem we might face in the near future. The largely unnecessary loss of control over data stored in the cloud, especially sensitive information, is inevitable nowadays due to current architecture, CPU and bandwidth limits and other problems.

However, theoretically and with a little hassle, an encryption-based model may be implemented in order to allow storage of information on remote servers (i.e. the cloud) where the CSP cannot access the files but the end user may share such files with 3rd parties of his choice.

It’s not the privacy, it’s the exclusivity: Facebook, Zynga & LOLapps

Written By: Jonathan under Categories: Internet, social networks. It has 0 Comments and it was posted on Oct 19, 2010

0.
The Wall Street Journal’s finding that Facebook applications share personal and identifiable information with 3rd parties and advertising networks was not surprising, though it echoed through the mediasphere and even coerced the removal of some applications from the popular social network. However, the disturbing part was what Facebook did not do, and that is to remove Zynga, Facebook’s new strategic partner and the developer of the popular game FarmVille.

1.
In brief, the Wall Street Journal’s findings were that most of the popular applications in the social network transmit or convey information to advertising networks and 3rd parties. These activities go against clause 8 of Facebook’s developer policy, which prohibits the transmission of any personal information obtained from Facebook to an advertising network. The prohibition, of course, is not due to worries about your privacy, but because Facebook wants its monopoly over advertising in the network. Following this publication, Facebook removed some applications by the popular developer LOLapps, which was one of those that conveyed information, and restored them after a few hours (see LOLapps’ release).

2.
But the removal did not inherently stem from conveying information; as the Inquirer states, the information was passed because of the way the internet was built, where on every click information about the referring page is transmitted, so at least in some of the cases advertising companies received the information solely because they knew what the referring page was. On the other hand, one can say that with reasonable steps this security breach would have been fixed, and therefore taking reasonable measures is one part of security.

3.
Up to here there’s nothing new: Facebook removes a certain application because it infringes on your privacy (and on Facebook’s ability to monetize by being the exclusive designated advertiser), and four and a half million dollars go down the drain because they rely solely on the Zuckerberg family’s whims, where they determine the rules of the game. However, what needs to be learned is what Facebook did not do, and how it relates to your privacy.

4.
The question of why Zynga was not removed from Facebook points exactly at the reason why Facebook removed LOLapps: both applications infringed the same developer agreement and your privacy; however, Zynga signed a commercial agreement with Facebook, uses the Facebook currency as its payment method and promotes Facebook’s business. This was a signal to other developers: either migrate to Facebook’s services and be a part of the Zuckerberg family’s ecosystem, or find yourselves subject to our whims. Facebook’s commercial dependency on Zynga does not allow Facebook’s interests to remove it; and LOLapps? It can seek its friends elsewhere.

[Originally in Hebrew]

On Constant Surveillance and Privacy, why Quantity Matters

Written By: Jonathan under Categories: law, security. It has 0 Comments and it was posted on Aug 7, 2010

The US Court of Appeals’ ruling in Maynard v United States amends and restores with certainty the right to privacy in public places. Around two years ago I said that “the problem with ongoing photographing in the public domain is a different problem than the random photography that Google performs when it maps our state; it is the moment where photography becomes surveillance, a harassing act. Photography becomes surveillance when it is ongoing, when the use of the photo is for purposes other than displaying it and where the quality of the photo is too good to be only used for demonstration”. My opinion was rejected by the state, and step by step it began installing surveillance cameras in municipalities, and even insisted that businesses convey information to the authorities, including their video feeds, even from businesses who didn’t want to, like information about crowds in bars and pubs. Today, following the court’s decision in Maynard, it seems that all this intrusive apparatus may be quashed, or at least any evidence gained by it may be thrown out.

“Material which was obtained through invasion of privacy will be disqualified from being submitted as evidence in court, without the consent of the person harmed, apart from where the court allowed, for special reasons which will be listed, to use the material; or if the infringer, which was a party to the process, had a defense or exemption under this act” (clause 32 of the Israeli Privacy Protection Act).

In the case of Maynard, we are inspecting the appeal of his co-conspirator, Jones (EFF has a brief on the ruling). Jones’ case was quite simple: the police suspected that Jones and Maynard were involved in drug dealing and installed a GPS tracker without a warrant. The police used the information to follow Jones’ steps for a month and learn his routes. In court, Jones raised the constitutional claim that this was an invasion of his privacy and therefore the charges against him should be rejected; the court rejected Jones’ claim and said that when a person is in public places, traveling where any person can see him, a GPS tracker does not infringe on his right to privacy, as he does not have a reasonable expectation of privacy.

The court’s reasoning explains how delicate the right to privacy is when it comes to digital privacy, where quantity becomes quality. The Court of Appeals explained that in Jones’ case: “A reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination, and each place he stops and how long he stays there; rather, he expects each of those movements to remain ‘disconnected and anonymous’”.

Indeed, a reasonable person does not believe that when he is out in public he will be followed at all times; the reasonable person believes that he will be exposed to photography in random acts (C 6023/07 Afriat v. Yedioth) but not constant ones, or to photographs where he is in the background or smiling to the camera (CA 1055/09 Shertzer v. Samira); the reasonable person believes that he can tell a photographer he does not wish him to publish his picture, and may be entitled to do so (RCA 6902/02 Tzadik v. Libak), but may not always be allowed to revoke his consent to the use of his photos. The reasonable person does not believe that an elaborate web of cameras will track him at every moment and prevent him from committing even the most minor infractions, or that he will be subject to constant surveillance. Therefore, the Maynard decision explains how a single act, which is not infringing by itself, may become one when repeated.

For exactly the same reasons, the CCTVs in municipalities infringe on everyone’s privacy. When the discourse began, I was too formalistic and claimed that the rationale for opposing them is the lack of authority of municipalities to enforce the law; I was wrong. Even if they had the authority, they would still violate my privacy.

[Originally in Hebrew]

The Facebook Tea Party

Written By: Jonathan under Categories: Internet, social networks. It has 1 Comment and it was posted on May 19, 2010

0.
It is only a matter of time until both the Facebook application developers and Facebook users join together and tell Facebook “there is no taxation without representation”, requesting that Facebook both amend its terms of service for enhanced privacy and allow application developers to rely on business models that are not subject to Facebook’s whims. The sanction, if this is not understood, is not mass removal of accounts, but blocking Facebook’s 3rd party services when not browsing in Facebook, thereby harming Facebook’s newfound business model.

1.
The reason? Facebook has been vigorously expanding its control over both user information and application developers. It began today, when Facebook coerced Zynga into an agreement to use Facebook Credits as its currency after a long dispute, and will continue when Facebook does the same to other application developers.

2.
Facebook forgot that it is solely a conduit, the incumbent who provides the connection between users, other users and applications. It is not a core application, and its business model is not based on being one. Two years ago, I wrote that “In a year or two Facebook’s shareholders will come to their senses and start asking money from the leading hundred applications, as they are allowed to do” … “when you develop a Facebook application or any other social network based application, you’re writing your source code on ice; it’s more than reasonable to assume that Facebook won’t charge you anything and will never shut you down. The problem starts when you want to establish a business model on something that’s more than ‘more than reasonable’ (like investing your pension funds). That’s why, like you wouldn’t deploy a real product without contracting your deployment contractor, you really should consider doing the same with Facebook”.

3.
The time has come when Facebook wants to have its day. Facebook application developers raise capital from investors; some VCs target only Facebook apps, other VCs invest in another icy road, iPhone apps, which raise capital as well, and quite a lot of it. The iPhone App Store is also known to block applications, especially when those applications compete with Apple’s business models. Some day, venture capitalists will tell application developers that they will not invest in applications where the conduit may revoke them at any time and for no reason. Therefore, application developers will have to look for stable business models, such as using OpenID as a social network or allowing data portability; applications may prefer to use old social models or rely on Twitter as a social network instead of Facebook, just so they will not be coerced into using a currency of choice. No one will develop for a platform that has no stability (this is why, by the way, net neutrality is so important).

4.
Users, from the other end of the scope, will negotiate with Facebook, explaining that it may not be as simple as Facebook reckons, and that without users it is a mere conduit, connecting sockets and bits. “If you want us to stay here”, they will say, “you have to grant us our rights. We want to have the privacy of our choice, we want to have the ability to control, and if you grant us those rights, we will grant you the information you need to sell to 3rd parties”.

5.
Without such negotiations, Facebook is doomed. Funds will not invest in companies that develop Facebook applications, as these applications have no solid business model, and users will leave (or block) Facebook. It will remain with a magnificent apparatus that is left unused. And when unused, it will be sold, like scrap metal.

Israel’s Supreme Court rules that no legal procedure is available to reveal anonymous commenters

Written By: Jonathan under Categories: Internet, israel, law. It has 9 Comments and it was posted on Mar 27, 2010

0.
No matter what, at this moment all the Israeli legal community knows that someone, somewhere in the internet, called Rami Mor a quack.

1.
The Supreme Court’s decision in RCA 4447/07 Rami Mor v. Barak was quite a surprise. Rami Mor, an alternative medicine practitioner, was enraged that someone, somewhere in the internet, slandered him. Mor filed two different motions, the first against 013-Barak (OCR 1238/07 Rami Mor v. Barak) and another against Bezeq International (OCR 1752/06 Rami Mor v. Bezeq Int), to reveal the identity of anonymous posters. After the motions were dismissed, Mor petitioned the Haifa District Court, where Judge Yitzhak Amit ruled (RPA 850/06 Rami Mor v. Yedioth Internet) that the veil of anonymity shall only be removed where a cause of action against the anonymous commenter exists and where the anonymity was used in order to avoid liability; moreover, the court explained that “an additional means is required” in order to accept the petition. Mor, who did not accept the ruling, appealed again to the Supreme Court. This week, in a precedential decision, the Israeli Supreme Court ruled that the veil of anonymity is, sometimes, a constitutional right, and that Israel currently has no procedure to unmask commenters who post anonymously, as there is no legislation.

2.
Hon. Justice Eliezer Rivlin dismissed Mor’s petition and analysed the procedure to reveal anonymous posters. According to his ruling, “it is an attempt to harness, prior to a legal proceeding, the justice system and a third party in order to conduct an inquiry which will lead to the revealing of a person committing a tort so that a civil suit could be filed against him. It is, de facto, an investigative-like procedure that the court is drafted into in a preliminary procedure in one way or another. This procedure is not trivial; it involves policy considerations and requires legislative regulation”. His decision rules, in effect, that until a procedure is legislated, petitions to reveal anonymous users may not be granted (and according to estimates, there is at least one such request per ISP daily).

3.
Justice Rivlin also rules out the availability of an Israeli John Doe process, as it contradicts due process. “It is, in fact, a judicial change of the civil procedure rules by adding a new chapter titled ‘John Doe Lawsuits’; if such an update is needed, it should be done by legislation”. This is a substantial ruling, as it has implications for pending cases where John Does are presenting their case to avoid being revealed (see, for example, OCR 567/08 א 4854/07 Barlomenfeld v. Google Inc). But it mostly has meaning in another pending case, the appeal on OCR 11646/08 Premier League v. Doe (which the Supreme Court is hearing under CA 9183/09 Premier League v. Doe) (English summary of the case). The Premier League’s request was to reveal an anonymous website operator who posted links to video streams of sports events. But does the Rami Mor decision say anything else?

4.
The Supreme Court ruled that:

Shattering the ‘illusion of anonymity’, in a reality where a user’s privacy feeling is a myth, may raise associations of a “big brother”. Such violation of privacy should be minimized. In adequate boundaries the anonymity shelters should be preserved as a part of the Internet Culture. You may say that anonymity makes the internet what it is, and without it the virtual freedom may be reduced.

Actually, at this moment there are dozens of requests to unmask anonymous users that, following the Mor decision, may be dismissed; apart from that, several lawsuits are based on evidence that was obtained in such a manner (or not in such a manner, decent disclosure etc.) and may be dismissed, as the evidence was obtained by violation of privacy (see HCJ 6650/04 Doe v. The Rabbinical Court of Netanya). In fact, the Supreme Court took five years of case law and ruled that it is based on a legal mistake. No more cases which need to choose between Judge Amit’s approach, the method construed by Judge Michal Agmon-Gonen in PP 541/07 Jacob Sabo v. Yedioth Internet and the interpretation of Judge Drora Pilpel in PP (Tel-Aviv) 250/08 Brokertov v. Google, but a ruled precedent by the Supreme Court.

5.
The real meaning is that now a hasty legislator needs to start drafting an adequate procedure, where the Knesset may ask whether there is room for a John Doe process in Israel or not.

[Originally in Hebrew]

The curious case of face.com

Written By: Jonathan under Categories: Cybercrime, Internet, israel, justice, law, social networks. It has 3 Comments and it was posted on Mar 31, 2009

Sometimes, we prefer to lose our privacy in exchange for comfort; we do so when we store our contacts on a cellular phone or when we print business cards which we exchange with strangers; the social interaction itself is a difficult and dangerous transaction. However, the real danger lies where privacy and comfort decide to interact in an involuntary exchange of information.

Today, Techonomy, a conference about the interaction between technology and economy, was held in Tel-Aviv. The winner of the start-up competition was face.com. face.com provides a face recognition platform for social networks (in the meantime) which locates images of you and your friends in other users’ tagged photos. face.com’s face recognition is quite amazing and has the ability to find you even when you’re in the background or wearing sunglasses. They are currently in closed alpha, and I had the pleasure to play with it for a few minutes before writing this blog post (which was sufficient to know that it’s quite effective).

However, my main concern comes from face.com’s database. face.com can recognise the faces of your Facebook contacts even though they are not in your albums, but in friends’ albums. This means that by cross-indexing a relatively small number of Facebook connectors, face.com could retain (or store) the facial recognition data of a high percentage of users.

Here comes the privacy issue, from the privacy freak, however. Now, take Israel’s new attempt to establish a biometric and face database and its recent attempts at installing CCTVs, and imagine the hypothetical scenario where our benevolent dictator comes and asks for face.com’s database in order to examine a terrorism suspect, or issues a warrant requiring face.com to search for a specific missing/suspected person in social networks and/or CCTVs. Can face.com actually refuse such a generous offer?

When face.com only indexes my own photos, and only tags me if I gave my consent (and did not opt out), then it is still a consensual waiver of privacy: privacy in exchange for comfort, what we usually do. However, when it comes to others’ faces, without their consent or knowledge, such a database might be extremely dangerous. I’d love to inspect the guts of face.com’s database and see how they can protect users’ privacy without limiting this application; but if they manage to do that, well, let them sell it to our government.