Israeli State-owned Website Sends Personal Info to Private Server

Why is Israel's official patent website secretly recording your search data? The answer is unbelievable and poses a real danger
Credit: Leo Altman

Israel is a high-tech hub and home to thousands upon thousands of patents. The Israel Patent Office in the Justice Ministry manages a website where one can search the archive for patents. However, what users don’t know is that the site secretly records the searches and stores them, not on a secure ministry server but a privately owned one. No government agency supervises or secures the collected data, raising serious concerns about privacy and even possibly antitrust.

When we enter a website, its owner can track every move we make – typing, clicking and even moving the mouse. That sounds reasonable and quite a few site owners monitor and examine this information to improve their services with the help of what is called “cookies.” There are two Israeli companies that provide this service - Clicktale and Glassbox - and they record this information and display it to the site owner so that they can see if clients have difficulty with certain actions.

Government sites also do that occasionally, but they lack a proprietary interest and their users are citizens, not clients; in their case, keeping track of users usually involves sensitive information.

However, since the information remains on a state-owned server or in a system that can only be accessed through official accounts, the limited exposure seems justified.

But that’s not always the case. The Israel Patent Office in the Justice Ministry operates an attractive new website allowing users to search for patents. The site is useful and important and you don’t need to register in advance to use it.

The website for searching for Israeli patents. Note how it tells users it "maintains" some of the information. It fails to note this information is actually private data stored on a private server. Credit: Screen capture

The site even calls your attention to the fact that “the moves you make on the site are saved for quality control and for improving public service.”

Valuable data

The naive searcher thinks the information is kept on the site’s server, as is common - but this is apparently not the case. Every move, every mouse click and every search result is sent to a completely private and unregulated server that does not belong to the government. The server, whose address is https://shoko.efasi.org (note: org, not org.il and anyone can write this address down), is owned by a contractor and is hosted by Bezeq International, a large Israeli telecommunication firm and internet service provider.

The server and site owner is employed as a contractor for the Justice Ministry’s security manager. A Glassbox monitoring system is installed on the site and the server owner has full access to these details.

This means that every move a citizen makes on this government site, as well as their IP address, is sent to a monitoring system that is privately owned and unregulated. The system isn’t stored on a government server, but on a server outside the state’s internet infrastructure and not subject to any government oversight - and this information is valuable.

A search in patent data is an important tool before writing a patent. When I wrote patents I was always searching for similar or related patents. If someone had collected data on my search, they could have understood very quickly what I wanted to do and what my patent was focused on. And it’s not only the search. If I marked and copied a text within a patent, for example, this information too is stored.

This type of information is extremely important, especially if my IP is affiliated with a certain organization, which could allow someone to understand not just what my patent strives to do but also what the firm I work for is investing in. If a lot of activity is detected in patents pertaining to a certain area from an IP linked to an organization, certain individuals can obtain considerable information about the organization’s business plans. When you monitor where the mouse paused, what text I highlighted, what I copied, where on the page I was searching and, of course, the queries I searched for and the patents I visited – the information is worth a fortune.

For this reason, people involved in development and research are usually instructed to search only government-owned data banks, based on the assumption that these will not leak information to competitors or to commercial parties. 

All the data is sent to an external address. Note how the address is '.org' and not '.org.il'. Credit: Screen capture

Information about searches carried out by litigation lawyers who are working on their clients’ cases can disclose valuable information about their defense or prosecution strategy.

Information isn’t only personal details, which are available to all in data banks that leaked during the past elections from the Elector app and are (still) available on Telegram. Search results that are affiliated with a certain IP are also sensitive information. The state’s job, especially on official government sites, is to make sure this information doesn’t leak to other places. Sometimes they make use of paid suppliers like Google Analytics, who gain access to some of the information, but work under agreements and regulation.

Sending information to a private server owned by a ministry employee – even if it wasn’t done with bad intent – is unprofessional at best and reckless at worst.

Cyber lawyer Jonathan Klinger says: “Since the search in the patent engine is carried out as part of the Patent Office’s legal authority, it’s supposed not only to keep the secrecy of the information obtained but to notify and explain what information is kept and where. In this case, it apparently failed to carry out both commitments, even before we’ve mentioned the security risks if they had notified the users about using the information. This poses a serious breach of privacy and requires a more comprehensive examination. In this case, the risk could expose the Patent Office to a lawsuit.”

Ambiguity

The Justice Ministry said in response that: “The digital technologies division operates a Glassbox system that monitors and records the activity on Justice Ministry sites in order to monitor users’ experience, detect backlogs and areas in which members of the public have difficulty.

The goal is to improve the ministry’s sites and fix the services that cause users difficulties, like improper wording or overly-complex user interfaces. 

“Also, if a user requests it, their moves on the site may be reconstructed to help him more effectively.

“The server belongs to the Justice Ministry, all the information is kept in the ministry’s servers and is accessible only to those with special authorization.”

The response is problematic for a number of reasons; however, its last point is downright illogical. The Justice Ministry said that, “The address of the server isn’t in the ministry’s name to help maintain ambiguity as a defense mechanism, which won’t enable associating it with the Justice Ministry easily. We’ll be grateful [if Haaretz] keep it that way. The information isn’t passed or sold to anyone, but serves the ministry.”

How searches in Israel's online database of patents are recorded and stored on a private server that is not under any official oversight. The data is worth a lot for those in the patent business Credit: Screen capture

In other words, the fact that the information is stored on a private server and is not directly connected in name or address to the official government body operating it is not a mistake but part of a wider policy of “ambiguity.”

Here’s my response to this very strange response, which is mainly “techno babble.” There is simply no problem in using a data gathering system, of course, and quite a few companies do it, but no company I know collects the information on a server registered in the name of one of its employees for “security” purposes. Does the bank gather information on clients on a server registered in the name of one of its employees for “security?” No, because bank servers are supposed to be more secure than a private one. If a state server in the state’s internet infrastructure is secure enough for the site, why isn’t it secure enough for the information that is obtained from it?

As for the “ambiguity” we were asked to preserve, anyone armed with a browser can track the information sent to the shoko.efasi.org website and use services like WHOIS to understand who is behind it. This is a very bizarre method that is tantamount to walking around with transparent plastic trousers in the search for modesty.
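The check described above, seeing where a page sends visitor data, can be run on a network capture exported from the browser's developer tools (a HAR file). The script below is an added example, not part of the original article: it lists every off-site host that receives request bodies. The first-party hostname and all URL paths are placeholders; only shoko.efasi.org is taken from the article.

```javascript
// Constructed sample in HAR 1.2 shape (log.entries[].request); not a real capture.
// "patents.example.gov.il" and every path are placeholders (assumptions).
const sampleHar = {
  log: {
    entries: [
      { request: { method: "GET", url: "https://patents.example.gov.il/search?q=test", bodySize: 0 } },
      { request: { method: "POST", url: "https://shoko.efasi.org/collect", bodySize: 2048 } },
      { request: { method: "POST", url: "https://shoko.efasi.org/collect", bodySize: 512 } },
      { request: { method: "GET", url: "https://cdn.example.net/app.js", bodySize: 0 } },
      { request: { method: "POST", url: "https://patents.example.gov.il/api/search", bodySize: 90 } },
    ],
  },
};

// True when host equals the first-party suffix or is a subdomain of it.
function isFirstParty(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Summarise each off-site host that receives a request body, largest first.
function findThirdPartyCollectors(har, firstPartySuffix) {
  const totals = new Map();
  for (const entry of har.log.entries) {
    const { method, url, bodySize } = entry.request;
    let host;
    try {
      host = new URL(url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the capture
    }
    if (!host) continue; // data: and blob: URLs have no hostname
    if (isFirstParty(host, firstPartySuffix.toLowerCase())) continue;
    // HAR uses bodySize -1 for "unknown", so only an explicit 0 means no body.
    const sendsBody = method !== "GET" && method !== "HEAD" && bodySize !== 0;
    if (!sendsBody) continue;
    const row = totals.get(host) || { host, requests: 0, bytesSent: 0 };
    row.requests += 1;
    row.bytesSent += Math.max(bodySize, 0);
    totals.set(host, row);
  }
  return [...totals.values()].sort((a, b) => b.bytesSent - a.bytesSent);
}

console.log(findThirdPartyCollectors(sampleHar, "example.gov.il"));
```

Any host in the output that is not covered by the site's published privacy notice or a data-processing agreement is a finding to raise with the site owner.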
