The Liability of Software Developers

The definition of the Israeli Law regarding the developers of software that could infiltrate a computer is highly problematic, leading to selective enforcement that may or may not be just. It might also play into the hands of criminals.

Currently, software development is mostly done using existing libraries and code, built-in protocols, etc., which make the development process more comfortable and efficient, relieving the developer from performing multiple technical actions to adjust the software to the designated device. In practice, such tools allow a developer with basic development skills to create software with complex technological capabilities. For instance, by using certain libraries in Android development, one can develop an application that gives its owners access to all information on a private phone, starting with the user’s phonebook, personal photos and browsing history, as well as control of the phone’s camera, microphone, the device itself, and more. Such software capabilities infiltrate PCs; they can compromise user privacy and perform bugging, among other things. This is basically a description of any application on all of our devices, from built-in smartphone applications such as the Flashlight and Calculator to game and content applications, etc.

If so, then can the development of software with the aforementioned capabilities establish criminal liability for the software developer? The answer, as aforesaid, probably depends on the circumstances.

Section 6 of the Israeli Computers Law imposes three years of imprisonment on the maker of software that could infiltrate a computer, interrupt or disrupt its action, delete or change computer files, perform secret monitoring or compromise user privacy, all with intent to unlawfully execute one of the mentioned actions. Furthermore, the section sets an increased penalty of five years of imprisonment for a person who distributes, offers to the public, transfers to another, inserts or installs such software for another in order to unlawfully execute an action as aforesaid.

In 2012, Section 6 was revised as a result of the European Convention on Cybercrime (the “Budapest Convention”), which was approved, signed and adopted by European countries and the US, and for which hard work is being done to have it approved in Israel. Section 6 now includes a prohibition on the preparation and distribution of software even if it does not cause damage or disruption to a computer or computer files, if this is done in order to infiltrate a computer or perform actions that result in false information, or in order to compromise privacy or perform secret monitoring. By doing so, the legislator sought to prevent future immoral behavior.

However, in contrast with the Budapest Convention, the Israeli section does not differentiate between software that was mostly planned or adjusted for an unlawful purpose, which is prohibited, and software that is essentially dual-purpose: software that was not planned for criminal purposes but can be used for them. The section might therefore also include a prohibition on the preparation and distribution of dual-purpose software.

Since this concerns a revision to a relatively new section, rulings regarding its text have yet to be given in Israel. However, a case that occurred in the US illustrates the lack of differentiation of dual-purpose software as aforesaid. In May 2014, Alex Yohal, a 25-year-old student and Swedish citizen, who was captured in Moldova and extradited to the US, was convicted of being the owner of the Blackshades organization, through which he developed, sold and distributed RAT (remote access tool) software. The software allowed its users, mainly individuals with basic technical skills, to hack computers and then perform any action they desired, such as: infiltrate, delete and change files, take control over and operate the computer’s camera, include the infected computer in a botnet for the purpose of DDoS attacks, download and open system files, use the computer as a proxy server, and more. According to official data, over 500,000 computers have been infected with the software worldwide.

Yohal personally developed the software and put it up for sale. He did not make any use of it beyond that, but still he is accused of two counts of computer hacking (the maximum punishment for each is 10 years of imprisonment), one count of conspiring to commit access device fraud (the maximum punishment for which is 15 years of imprisonment), and additional counts.

In his defense, Yohal argued that he did not develop the software for criminal purposes, but rather for information and research purposes: to provide computer science students with a platform for practice and experimentation. In his trial, he even showed remorse for starting the project: “I deeply regret starting this whole project, which obviously went out of control.” The court ignored this data and said in response that “The message must go forth that this is a serious crime worthy of a serious punishment, cybercriminals deserve stiffer punishments because crimes committed on the internet are especially difficult to detect and root out.” Eventually, following a plea arrangement with Yohal in return for his confession, the charges against him were reduced and he was sentenced to 4 years in jail and a $200,000 fine.

Similarly to the American Court, which sought to prohibit the development of software that allows unlawful infiltration regardless of the circumstances of its development (research), a ruling given by the Israeli Supreme Court last December (8464/14 State of Israel vs. Nir Ezra, 2015) can in fact outlaw any software with computer infiltration capabilities in Israel. It was determined that “unlawful access to a computer” is any insertion of information into a computer without the consent of its owners. In the context of the aforesaid Section 6, this means that making software that can infiltrate a computer without the consent of the computer’s owners is prohibited. In fact, this definition includes, among others, internet search engines and various tools for locating security breaches and for information security. It might actually expose the persons or companies that developed them, such as Google, Yahoo and others, to criminal liability.

The Supreme Court addressed this problematic state in its ruling and admitted that such a wide interpretation creates uncertainty as to whether a person falls within the felony or not. However, the Court preferred it, given the Court’s opinion that the enormous potential damage involved in computer crimes requires such a wide definition. As a tool for handling this problem, the Supreme Court proposes making use of common sense and the “De minimis” reservation of the Israeli penal code. Namely, even if a certain social behavior is negative or violates a law, if such behavior does not reach the anti-social level that is worthy of being included as part of a felonious phenomenon, it will not be considered criminal behavior. The Supreme Court imposes this differentiation on the Prosecution. However, imposing the differentiation as aforesaid on the Prosecution is akin to “letting the cat guard the milk” and creates selective enforcement that may or may not be just.

In addition, this definition can play into the hands of criminals: by the very simple action of wording uniform, discriminatory and draconian terms of use that no one bothers to read, they will have users grant their consent to the “unlawful” actions of the software, thereby emptying the law of its content.

What can be done? It seems now that a person or company seeking to develop software having the aforesaid capabilities must formulate clear license terms, alerting against illegal usage, and also require the certain and informed consent of its users. Moreover, it is fitting that Israel’s authorities and the legislator adopt the Budapest Convention exemption on the matter, according to which only the development of software that is mostly for the purpose of breaking the law shall be included in the Section, and dual-purpose software shall be exempt.

 

Adv. Admit Ivgi is the owner of AI-LAW Law Offices and specializes in technology, cyber and information laws. Adv. Ivgi is a fellow-researcher of cyber law at Tel-Aviv University and Haifa University, and has technological experience in the cyber field from her work at RSA as an internet fraud analyst and forensics researcher, among others.

 
