I'm a lawyer. I work at you guys are known see that the legal parts are less interesting to people than the technical parts. I do a lot of work in technology and law, and this lecture is going to be about law and the cybersecurity industry in Israel, and specifically it's going to be about how the law in Israel is very different in certain respects than the law in the rest of the world. In fact, Israel is very unique in certain aspects of cybersecurity law. So in this lecture I'll talk a little bit about the law, I'll talk a little bit about specific cases so that to illustrate what the law is, and I'll try and give some practical tips about what people in the industry can do. That's what I'll give you. But the reason I'm here, I'm somewhat expecting, what I hope to get from the audience is, this is an interesting field for me, I wrote a paper about it. It would be very interesting for me if someone could give me examples of whether, or even maybe this difference in Israeli law has no impact on the industry, but if it does, and if you've perhaps encountered this in your professional career, it would be very interesting to me if you could give me examples of how this has affected you, these differences in Israeli law. So here we go.

Okay, so when we talk about law that impacts cybersecurity, there's basically three kinds, three kinds of laws. There's hacking laws, right, hacking laws, and what hack, anti-hacking laws that talk about preventing hacking. Basically what they do is they say: don't hack into someone else's computer, don't hack into, if there's a network, don't hack into the network, don't try and hack into someone else's computer, don't get information that doesn't belong to you. That's what these kind of laws are meant to do. And there's the Hok HaMachshevim in Israel, the computer law; in the United States there's the Computer Fraud and Abuse Act, in the United States, and there's lots of laws in the United States, every state has its own law, there's a federal law; Europe has its cybercrime laws
and there's international treaties, and etc. and etc., there's the international cybercrime convention. But basically, you know, there's a lot of words here; the whole point of all of these laws is to say don't hack into someone else's computer, in five words, but they use a lot of words to say that. That's the point of those laws.

Then there's laws about intellectual property. And intellectual property, it's similar to the anti-hacking laws, and the point of those laws is to say don't use someone else's, not their physical property, but their intellectual property. So those kind of laws are, you know, often we talk about in, when we come to computers, the most relevant are often copyright laws or laws about reverse engineering. And these laws are relevant not only in the, not only laws inside Israel and in every other country, in Europe, in the United States, but there's also international treaties about intellectual property, and these laws are very standardized across the world. And basically, again, the point is don't use someone else's property.

And then there's a third kind of law which is very common in the world, and it's anti-circumvention law. And anti-circumvention law, it doesn't talk about, you know, it can relate to someone else's computer or someone else's network or someone else's property, but it also relates to your own property. So for example, when Apple says don't jailbreak your iPhone and they threaten you with lawsuits, or if someone distributes technology to jailbreak an iPhone and they threaten you with lawsuits, so what kind of laws can they sue you? They can't sue you against hacking with hacking laws, because we're talking about an iPhone that you bought, it's yours. They can't sue you with intellectual property laws; again, you bought the iPhone, you're not copying anything, you're not distributing anything, you're only hacking into your own iPhone. What can they sue you with? What are they threatening you with? They're threatening you with, more or less, most of the time, with anti-circumvention
laws, which talks about hacking into your own computers. So those are the kind of laws that we're talking about today.

And again, so what do anti-circumvention laws talk about? They prohibit breaking digital locks, like we talked about jailbreaking into your iPhone, or circumventing, well, here's a list. So basically, so content encryption, any kind of content encryption: so music that keeps the music in a certain ecosystem, or ebooks, that means you can only use it on certain readers, or music which keeps it on certain devices. If you circumvent any of those systems, that, those digital rights management systems, then you are breaching these kind of anti-circumvention laws, even though it's your own device or your own computer and the music that you purchased. Even though you're doing that, that's what those kind of laws are meant to prohibit. And then there's a lot of other things that they can prohibit. So anti-authentication handshakes, so when you're confirming that the other side is who you think it is, if you secure, or hardware security, if you modify the security inside a hardware device so that you can use it for matters that you weren't supposed to use it for, that's also breaking these laws. And code signing. All these things are basically breaches of anti-circumvention law.

And what's the point originally, when these kind of laws were started being, these kind of laws started being enacted in around 1999, 1998, 1999? And the original intent of these laws, these kind of laws, these anti-circumvention laws, was to prohibit privacy, not digital privacy, sorry, I meant to say piracy, right, so stealing someone else's content. So you bought a CD, and the CD, and you're only supposed to use it on this kind of computer, only supposed to use it in the United States and not in Europe, or you're not supposed to copy it, and people circumvent that and they break the encryption on the disk and so they use it in the wrong area, or they copy it and they send it to people that they're not supposed to send it to.
Originally these laws were meant to stop those kind of actions, and they were also meant to enable certain kind of business models, like the fact that you can stream video. And the intent was, I don't know if this really came to pass, but the intent was that you could have a business model that said, well, stream video, you'll pay for it, and we'll have these measures around it that prohibit you from, that stop you from copying the content, and if you somehow circumvent that and manage to copy the content, then you're breaking the law and we can sue you, I guess. And I don't know how much this ever really came to pass, but that's what, these were the original intentions, the purposes of these laws. But they've gone much beyond that.

And here's just in the United States, the United States is just a good example, but these laws are all over the world, and the United States has: no person shall circumvent, right, you can't get around La Cof it's a technological measure that effectively controls access to a copyright work. So if you have a work, an e-book or some music or something like that, and you circumvent the protection that stops you from copying it or that stops you from distributing it, then that's a, that you're violating this law, it's, you're violating the anti-circumvention law. But it's not just the action that's prohibited, it's also, so not just the fact of circumvention is prohibited, but also the trafficking, the trafficking in tools that are used for circumvention. So if someone develops code, some kind of software tool that aids in circumvention, and you start selling it over the internet or you offer it for sale, then that's also a violation of these laws. So you can't circumvent the access controls, and you can't start distributing code that allows someone else to circumvent the access tools.

If I can find a second word it's not effective. That's a good point, we'll talk later, but it's a good point. But basically, effectively doesn't mean anything, that's what they've decided. But it's a good
point. So these laws are all over the world, right. So will the US, we'll get there in one second, we'll get there in one second. That's right, but if you somehow, and there are people that, not with Kindles yet, there aren't any cases about it, but there are cases with other formats of e-books, that someone gets around the copy protection and, for example, turns it into a PDF and then sells it, then they can be a, it's true, I agree.

So some cases where this came up in court. So jailbreaking, so jailbreaking an iPhone I already said is a problem under these laws, but we're not going to talk about jailbreaking an iPhone. There was a case in, I think, 2011, where this guy George Hotz, he did keys and code for jailbreaking the PlayStation, PlayStation 3. And now I looked on GitHub and there's lots of code for jailbreaking PlayStations, but this was a big deal, it seems like, in 2011. And he posted it, and what happened? Sony sued this man individually under these laws, the DMCA is what the laws are called in the United States. They sued him personally and they brought him to court, he's even a criminal trial, because he posted these keys. And then Sony went to court and they got the IP addresses of everyone that ever downloaded the code from the internet. So they were very, they were really running after these people, anyone that, because they got the IP addresses, anyone that downloaded the code, because they wanted to show that he had actually caused some damage in the United States. So they got all those IP addresses and they sued him, and I think in the end they came to some settlement, and I forgot exactly what the settlement was, but they probably offered him a job, but that was, that he declined, yeah, okay.

And then more interesting, I don't know if it was him, but the code itself, the code, the jailbreaking code, was posted on GitHub and Gitorious, and Sony sent them both letters, both to GitHub and to Gitorious. Gitorious doesn't exist anymore, but then it was posted there, and they sent them both letters: take it down, take
down the code, if you don't take down the code we're going to sue you, because you are in effect distributing these keys, this code that allows people to circumvent the, jailbreak the PlayStation, and we can sue you, so you have to take it down. And they did, they took it down, because they were scared. Gitorious doesn't exist anymore, but it's not in the United States. GitHub is in the United States, its servers in the United States, but Gitorious servers were in Norway. So they answered, like someone asked me about outside the United States, Gitorious was in Norway and they answered: we're not in the United States, you can't sue us under the American laws, so thank you very much, we're going to keep it up there. And then Sony, who has a lot of lawyers, they wrote back to them, they found, I said these laws are all over the world, they said even in Norway there are laws like that, that you can't distribute code that circumvents protection, and so you have to take it down. And Gitorious took it down. And you would think that this code would no longer be available, but like I said, you can do a search and I think you can find it now anyway, so it wasn't so successful. But Sony pursued this very aggressively. So that's one case.

Another case where this came up is in car hacking. So car hacking has recently gone into the news a lot. So for example Volkswagen, everyone knows about the scandal with Volkswagen: they put this defeat device into the emissions and it controlled the emissions so they could pass the emissions test. No one really discovered the code for that, no one ever found the code that did it. What happened is that Volkswagen, there were these emissions testers that were testing the car, they were trying to see what comes out of the car, what comes out when it's tested, what comes out when it's on the road, what comes out in these conditions, and they found out that there were very different, very different emissions depending on where the car was. So eventually the authorities in the United States went to
Volkswagen, they said what's up, and after a long process Volkswagen eventually volunteered, they told them that this was really a software issue and it was the code that had changed the emissions of the device. But no one ever found the code, no one ever independently examined the car to find the code. And a lot of researchers and organizations in the United States said that the reason no one ever looked for the code, no one ever tried to take this apart, was because of these laws. Because if you bought a Volkswagen and you started taking apart the code and you started looking for it and you started hacking the car, then there was a real possibility, and if you started publishing the code or started publishing the way that you were eventually circumventing these things in the car that stopped you from getting access to the code, then you would be sued under these laws. And so they said that this was a big problem, one of the reasons why no one ever found the code, and why it took so many years, I think seven years, for this issue to be discovered, was because of these laws.

So what happened? It turns out that in October of last year the Copyright Office in the United States was trying to look for exemptions. Every three years they look for, they say that there are certain exemptions to the law, and one of these exemptions, it turned out, which they granted, was: now you can examine cars, you can hack the software and the cars for security issues. And one of the big reasons that they granted this exemption was because of all of these scandals, that people ended up hacking Jeeps, and Jeeps in other cars, and also because they showed that, the car companies always said that you shouldn't have this exemption for cars. Why?
Because then people will hack the cars and they'll make the emissions, and they'll hack the cars so that they increase the performance of the cars and they'll bypass the emissions control laws. It turned out that it was exactly the opposite, that the car companies were bypassing the emission control laws and people were actually looking for the software that allows them to do that. So eventually they said there's an exemption, you don't have to, this law doesn't apply for car hacking. So if you want to car hack a car in the United States, you can probably do it now. But it doesn't apply, this only applies to you yourself hacking the car. It doesn't apply, so if someone would develop tools for hacking a car, you could still get sued under that.

And there were two cases just this year about this company Autel that developed software for servicing vehicles. So you bought a GM car, you bought a Ford car, and you didn't want to go to the dealership because it was very expensive, you wanted to go to someone cheaper. So they got this, all this cheap software that you could use to diagnose and fix the Ford and the GM cars, and Ford and GM sued them. Because how did they develop the software? They only developed it by circumventing the controls inside the vehicles and then by distributing that software to dealerships. So in the United States now what happens is that you can hack your own car, but you can't distribute software for hacking cars or for examining the security issues in this.

Anyway, so all of this was a roundabout way of saying that hacking a device, hacking an iPhone or hacking a phone or anything, to find out the security problems in the device, even if it's only for security purposes, even if it's only to find the bugs or the vulnerabilities in the device, it's still a problem legally, in many jurisdictions it can still be a problem, you can still violate the laws that are about these issues. Now this is a problem for security companies that look for vulnerabilities, for professionals that
try and do pen testing or things like that. They have to be aware of these issues, and they have to get the right permissions, and they have to make sure that they're doing this legally. So there's been a lot of concerns, even when the laws were first developed, that these kind of laws are problematic and they can stop people from doing security research. So what happened? The law started adding exemptions to the law, exemptions for security testing and for encryption and for reverse engineering. There are all these exceptions to the law that say, even though in general you can't hack your own device, you are allowed to do security testing, you are allowed to do encryption research, you can do reverse engineering. But these exceptions are very complicated. So for example, this is the security testing exemption, it's very complicated, it's not an easy exception. So even though there are exceptions, they're complicated, and these laws still apply to a lot of activities, so people should be aware of them.

And this came up just last week. Just last week there was a case of medical device hacking, which didn't really involve these laws, but it's worth talking about for a second. There was the case, maybe people heard about it, the St. Jude's device, they make heart pacemakers, and MedSec is a company that found security problems inside the pacemakers. MedSec gave the security information to Muddy Waters, and Muddy Waters, what did they do? They sold the stock of St. Jude's and it fell, so they made, I think, $50 million just because they found cybersecurity problems in pacemakers and by selling the stock. What happens if you're St. Jude's, what's the first thing you do? So I think on Wednesday or Thursday St.
Jude's sued both MedSec and Muddy Waters. They sued them for publishing the security vulnerabilities inside the code. And they said, what was the reason that they gave, what was the reason of the lawsuit? So they said it was defamation, because these weren't really security vulnerabilities, these were made up. No, I won't say, I won't say it, okay. I don't know when does it stop, this liability stuff, that I can move the liability whenever I want. Okay, we'll talk about that after, we'll talk about it, okay.

So anyways, so they sued them, they sued St. Jude's for publishing a vulnerability that they said wasn't a real vulnerability. It was just that they could have sued them also under these laws, under these anti-circumvention laws, because they had a medical device and they had circumvented the controls inside the device. Why didn't they do that? Why didn't they sue them under these laws? It's a good question, and there's a lot of discussion about that, why not. Maybe it's because they didn't want the security community to be on the other side of the lawsuit, to say no, these laws are not good laws and we don't support the lawsuit. It's a good question, but some people think that they may in the end also sue them under these laws.

Here's another case, someone, I'm going to run through this quickly. A Russian programmer presented, he came to the United States and he presented a presentation about e-book security and how you could get around the e-book security, and then the FBI arrested him, because, this was a long time ago, this was in 2001. And then Russia said don't, programmers shouldn't travel to the United States, it's too dangerous, under these laws again.

Anyways, so these kind of laws are all over the world. We said they're in the United States, they're in Europe. There's an international treaty, the WIPO Copyright Treaty, that says basically everyone that signed this treaty has to make these laws in their country. And here's 90-something countries, basically almost every important country in the
world, that has signed this treaty and that has laws, and you'll see that Israel is on the top of the second column. So you think that Israel should have these laws also, and no, it's not true. Israel signed the treaty, signed the treaty, but in Israel there are no laws like this, because Israel, even though they signed it, the treaty has to pass in the Knesset, and the Knesset decided that they're not going to pass this law. There are no laws like this in the United States, in Israel. And the case went up to the Supreme Court, and the Supreme Court decided, it was a case where someone was, where the signal for the Mondial was broadcast over the satellite and they decrypted the signal, and that person was sued, and they said here you're decrypting the signal, you're circumventing the encryption, and there are these laws all over the world and we can sue you under these laws. And no, there are no laws like that in Israel.

So these laws apply all, but it's true, there are laws but they haven't signed the treaty, the treaty was against someone who signed it in his place, in his SX he did. He didn't copy it. There were also copyright issues in the case, but this person didn't copy it. The case was about the decryption, the decryption of the signal. There could have been other instances of copyright, but about the decryption of the signal the Supreme Court said that it was permitted under Israel. In Israel you're allowed to decrypt signals, and as long as you don't also violate the copyright, it's okay to decrypt the signals and there's nothing that anyone can do about it, they can't sue you about it in Israel. So what does this mean in Israel?
How has this impact? So these laws are all over the world, in every other country. In every other country the security community complains: these laws are affecting us, we can't examine devices, we can't pen-test, we can't do this, it impacts how we can research in our field. In Israel there are no laws like this. Has this impacted any industry in Israel, any of this is cyber security in Israel? And as far as I can tell the answer is no, it has not made a difference. So if someone else can tell me something different I'd be happy to know, but in so far in Israel there are no laws like this at all. It's the only developed country in the world that is like that.

So one answer is that none of this matters, that the laws don't matter, people violate them elsewhere, people violate them in Israel. That's one option. The other option is that people even in Israel think that it's a problem and therefore they don't circumvent the laws. So that could be, but I don't think that large companies like Google and Facebook and Microsoft that are in Israel really think that way. So another possibility is the Israeli cyber security is connected to the defense industry, and these laws often don't apply to the defense industry or to security or to the police or to things like that. That's one option. Another option is that it's hard, it's hard for a big company to say, you know what, only in the United States I won't do these kind of things, in Israel I'll do it, and my employees in the United States won't be involved in these kind of anti-circumvention activities, my employees in Israel can do it. It's very hard to draw those distinctions; companies just say no one can do it, no one can do this kind of research. And another option is that, like as people said before, trafficking, selling code that circumvents these things is illegal, so if you develop something in Israel that's circumventing and then you sell it into the United States, even though you actually didn't develop in the United States, it's still illegal. It helps
people in Israel from doing these kind of activities, or makes the lack of these laws not important for the cybersecurity industry in Israel.

So I said I'd give you some practical tips, right, so why not. So if you do decide to do some hacking or to investigate your iPhone, so in Israel it's probably okay, you don't have to worry about it. But if you're in another country, you want to investigate in Israel and publish it on the web, and on the web they concede in the United States, so it can be a problem. So then some things that you should do is, first of all, you should do it in controlled environments. So if you're hacking medical devices, don't hack the medical device, don't have to hack the pacemaker that's in someone's body, hack a pacemaker on the table, to make sure it doesn't affect anyone. That's one thing. Make sure that you're really doing it to promote safety. Don't infringe copyrights. Make sure that your disclosure is reasonable, don't start disclosing it on and selling the disclosure for money, unless the company has a bug bounty, but don't extort the company for the disclosure. And if you're going to be selling the devices, so selling is a bigger problem, so talk to the lawyer, don't start selling the software that circumvents devices. And that's it. If anyone has any insights I'd be happy to hear.

It is an issue. The United States has this report that every year they report on the countries that don't have enough intellectual property enforcement, so every year the United States says the fact that Israel doesn't have these laws is not. There are people that don't like it that Israel doesn't have these laws, but there are also a lot of people that think it's a good thing not to have these laws. There's a lot of pushback against these laws: if you have an iPhone you can't experiment with it, or if you have content there are things that you can't do with the software or the content that you bought and you own yourself. So there's a lot of, there's a reasonable position to be made in the world
that these laws are not only good and that they harm a lot of beneficial activity, and Israel has taken that position. That's what it said every time the United States complains that Israel doesn't have these laws, it's a response as responded publicly that it doesn't think that these are good laws, these are not protecting intellectual property, it's harming, it's stopping people from using their own property and devices in the way that they think that they should be able to use it. So it's a reasonable position for Israel to take, it's not just that it's not enforcing intellectual property, and that's the position it has taken.

That's, I agree, I agree, and that's one of the arguments against these kind of laws, because once they prevent people from actually investigating what's inside the product, whether it's good security or bad security, and if these laws didn't exist then it would be easier for people to investigate the products. And that's why you have these exemptions, like the security testing exemption and things like that. Whether they actually work, it's hard to know, but that's the argument against these kind of laws and that's why you have the exceptions.

So it's never been tried, it's never been tried. Most of the time what happens is, so the exceptions have recently been made stronger, but until they were made stronger it's never been tried, and what's always been happened is that someone's investigated something and tried to disclose it and they've been threatened with a lawsuit, and either they did it anyways and they weren't sued, or they decided not to disclose it and it wasn't, it wasn't important enough for them and they just decided they're not going to disclose it because it's not worth the threat of the lawsuit. So it's never been tested really in the court. Either people have decided they're not going to disclose the vulnerabilities, or the companies have decided that it's not worth the bad press.

Because, I mean, legal, if the legal answer to that, the straight and narrow
legal answer to that is because when people sign up for Facebook, for example, and they post information on Facebook, they agree to their terms of service, and those terms of service is that Facebook can do what it wants with the information that you posted there. And if you're a security researcher, no one's agreed to your terms of service, and so it's a, that's the straight answer.

Okay, so there are laws about that, there are laws about that in every country. They're usually complicated and are complicated to understand, and it's not a question that I could answer just off the top of my head, memorizing what it says, you have to think about it. But in Israel there's the copyright law and there's an exception for reverse engineering, and in the United States there's an exception, and the exception is stronger in Europe, but there are those exceptions in the world. You have to really dive into it and start taking it apart.

So you have to be careful when you do things like that, you have to be careful. One thing is you could be sued under these kind of laws, you could be sued under copyright laws, it's a problem you have to think about. You have to think about it when you, when you start doing things like that you have to be careful. It, you could end up, you have to be careful that it's not defamation, you have to be careful about that, that it's a real vulnerability, and that it's, you have to be careful, you have to be sure that it's a real vulnerability. These laws won't bother you. You have to be careful that you're not hacking into someone else's computer in order to disclose the vulnerability. Once you're hacking into someone else's computer and not your own computer, then you come under different laws. You're hacking your own iPhone and you disclose it in Israel, then under these laws you won't have a problem. But I'm not giving legal advice here, so talk to me if that's a real. If you disclose it everywhere, then, if you put it up on the internet, then it's, that's right, it could be. Okay, thank you.