“Read the Terms of Service!” An Interview With Jonathan J. Klinger

Jonathan J. Klinger is an attorney who specializes in technology law in general and privacy and security law in particular.  He has been practicing law for over 11 years and has been an independent sole-practitioner since 2007. The majority of his clients are technology companies, in the areas of security, publishing, and data mining.  Jonathan is very passionate about digital rights and volunteers 2 days a week at the Israel Digital Rights Movement in addition to academic lectures and organization training on privacy and security.

I recently had the opportunity to chat with Jonathan about VPN usage and other privacy issues. I was impressed by his combination of legal knowledge, clarity of expression, and practical insights.

Photo credit: Gilad Iluz

VPNs and Privacy

vpnMentor: I remember when VPNs (Virtual Private Networks) first became popular, mainly to allow employees to securely access a corporate network from home or other remote locations.   I am sure that is still a major usage, but it seems that a LOT of people today use VPNs to access services like Netflix and Amazon in countries where those services are unavailable.

There are actually two different issues driving people to access such services and other web sites via a VPN to mask or change their IP address:

1.       Services Not Offered - The service provider refuses (or licensing agreements do not allow them) to provide the services to a particular country.

2.      Service Discrimination – The prices of identical services are different in different countries, or that the services the service provider allows you to receive are different..

For example, I recently wanted to purchase a Pebble smart watch online and I noticed that if I accessed  the web site from Israel the price was US$99, but if I accessed it from Germany, the price was 149 Euro [approx. US$169].

vpnMentor: Is it illegal for me to access such web sites with a VPN?  Can I go to jail if I am caught?

You are only liable to go to jail if you are breaking a law. The main issue at stake here is (just) copyright infringement. The law is obvious specific to every different country, but under Israeli law, you must actually sell and profit from the copyright infringement in order to face criminal charges.

vpnMentor: That’s a Relief!  🙂

Yes, but in theory, you could still be liable to face a civil lawsuit.

vpnMentor: Have there been any cases of legal action being taken against such VPN users – or is it limited to having their accounts shut down?

To the best of my knowledge, there has never been such a lawsuit against an individual in Israel– UNLESS they try to sell the service or product.

The truth is, even if a user was in fact liable, as a practical matter, it would not be worthwhile for a company to pursue such a lawsuit against and individual.

vpnMentor: What about VPN vendors – Are they in any way liable for how their products are being used?

The issue depends on the vendor's method of marketing their product. If the product is being advertised as a general-purpose tool or solution, there isn't much ground for holding the vendor liable. However, if the vendor is endorsing the tool and actively promoting its usage for copyright infringement, then that indeed becomes an issue. Such behavior was one of the primary factors that led to Napster's downfall—they were inciting users to download specific albums.

Google Results for “Unblock Netflix” - Are VPN sites at risk of soliciting to perform a crime?

Privacy, Cookies, and More

vpnMentor: I’d like to now talk more generally about web site privacy. Let’s start with web site cookies.  I see this issue as something of a paradox – on one hand it is in the news a lot because of changing governmental laws, and on the other hand it is often ignored by web site developers.

Cookies are small files that are placed on your computer and allow a website to know some things about you.  They can be used to identify or profile you – for example, knowing your web site preferences or knowing what types of products you normally purchase.

People think that if they surf in private or incognito mode and don’t allow cookies on their computer that they are safe – but they are not!

As I said, originally, cookies were small files stored on your computer. However, today there are other technologies and techniques to identify a user.

vpnMentor: Such as?

One example is what is called “Fingerprinting.” This is done by combining specific information about a user’s computer. Combining data items such as a user’s browser and operating system versions, IP address, time zone, screen size, fonts, MAC address, installed apps, etc. can allow a web site to uniquely (or almost uniquely) identify a user.

So even if you are using a VPN, your privacy is not ensured because of fingerprinting.

vpnMentor: So what should users do to protect their privacy?!

First and foremost – read the Privacy Policy! Know how different web sites and organizations are going to use and/or share your information.

Realistically, I know that most people aren’t going to do that…

So the other things users should do are to install ad blocking and tracking filter tools.  Of course, that means that your experience on the web will be more limited – but that is the tradeoff.

vpnMentor: What do web site developers need to know?

The first step for developers is to consult a lawyer with experience in this area.  Be aware that you may be sued if you have not taken reasonable measures and informed the users of how you are using their data.

Don’t use a generic template for your site’s Privacy Policy and Terms of Service.  A good lawyer can understand your needs and prepare simple and clear 1-2 page documents.

vpnMentor: Is it enough for a web site to simply have links to these documents or must they make sure the user actively agree to the terms (e.g. click or checkbox)?

That really depends on what is being saved and shared.  The more identifiable and sensitive the data, the more important it is to obtain affirmative (active) consent from the user.

vpnMentor: Have there been lawsuits or other legal actions taken against web site developers because of this?

Yes – when there has been an invasion of privacy. And it’s usually when the website owner has a lot of money -otherwise, it’s just not profitable to sue.

vpnMentor: I reviewed a presentation you gave entitled “Your Privacy is Our Currency” where you discuss “Big Data.” What exactly is that?

“Big Data” is a hot buzz word today. When I talk about big data I am referring to the co-mingling of multiple sources of data and using data that was given for one reason for a different purpose.  For example, if I am given access to your phone’s list of contacts and then I go ahead and advertise to your contacts on Facebook or some other ad network, based on their income levels, that’s using big data.

When you target users in such a way, the question is whether you have their consent to do so.  Some ad networks are already requiring advertisers to state so.

vpnMentor: I saw another presentation of yours entitled “Privacy By Design” What exactly does that mean?

Simply put, the general guideline for develops is “Don’t save what you don’t really need.”

Of course, this generally goes against the normal approach of developers, which is to save whatever they can and then later on decide what to do with it.

I am calling on developers to switch their thinking and look at it the other way around – decide up front what you want to do with collected data and store only that. Even better, store only enough data to enable you to deduce the information you are interested in. For example, instead of profiling a user’s exact age, profile the user’s age group.

Believe me - the cost of dealing with a data/privacy breach is MUCH greater than the cost of deducing this data.

Looking Ahead

vpnMentor: What do you see as the major challenges and changes in the coming years?

The most immediate developments and challenges are in regard to the international transfer of private data.  This is becoming increasingly regulated and will mean that organizations will need to set up local shops if they want to store private data.

The bigger challenges are going to be in the area of digital signing and identification.  We are seeing more and more biometric apps that can identify people.   One simple example is the face recognition app Masquerade.

We are already seeing advertisers using biometric applications to customize ads to particular users.  The popular press reported about highway billboards that recognized approaching drivers and would customize the billboard ads.

In malls, there we’ll be seeing customized ads based on “gating” biometrics – how a person walks.

vpnMentor: What VPN do you personally use?

I actually don’t use a VPN. I use other services and methods to protect my privacy, such as ad blockers, Ghostery, and Google Public DNS.  I also don’t install many apps – I don’t use most of the services that my friends do.