The method is buried about 60% through the article, but it's interesting. It seems incredibly risky for the cloud companies to do this. Was it agreed by some salespeople without the knowledge of legal / management?
Leaked documents from Israel’s finance ministry, which include a finalised version of the Nimbus agreement, suggest the secret code would take the form of payments – referred to as “special compensation” – made by the companies to the Israeli government.
According to the documents, the payments must be made “within 24 hours of the information being transferred” and correspond to the telephone dialing code of the foreign country, amounting to sums between 1,000 and 9,999 shekels.
If either Google or Amazon provides information to authorities in the US, where the dialing code is +1, and they are prevented from disclosing their cooperation, they must send the Israeli government 1,000 shekels.
If, for example, the companies receive a request for Israeli data from authorities in Italy, where the dialing code is +39, they must send 3,900 shekels.
If the companies conclude the terms of a gag order prevent them from even signaling which country has received the data, there is a backstop: the companies must pay 100,000 shekels ($30,000) to the Israeli government.
> Was it agreed by some salespeople without the knowledge of legal / management?
Never worked for either company, but there's a zero percent chance. Legal agrees to bespoke terms and conditions on contracts (or negotiates them) for contracts. How flexible they are to agreeing to exotic terms depends on the dollar value of the contract, but there is no chance that these terms (a) weren't outlined in the contract and (b) weren't heavily scrutinized by legal (and ops, doing paybacks in such a manner likely require work-arounds for their ops and finance teams).
That's my experience too, but it seems impossible that a competent legal team would have agreed to this.
Legal can advise, but it's ultimately up to the business to risk-accept. If they think the risk vs reward analysis makes it worthwhile, they can overrule legal and proceed.
When advice from legal conflicts with the upcoming sound of ka-ching! the only question that matters is: "how loud is that cashier going to be?"
(b) weren't heavily scrutinized by legal ...
You mean like in financing a ball room?
It does seem a bit baffling. This method just adds a second potential crime, in the form of fraudulent payments.
Why would it be fraudulent in this case? I assume that these would be paid as refunds accounted for as a discount to a particular customer - aren't these generally discretionary? Also, I would assume that it would be the Israeli government getting services from the Israeli subsidiary of that company, so it's not clear whether even if it were a crime, which jurisdiction would have an issue with it.
You could argue that it's against something like the OECD Anti‑Bribery Convention, but that would be a much more difficult case, given that this isn't a particular foreign official, but essentially a central body of the foreign government.
Just to clarify, not saying that it's ok, but just that accusing it of being a "crime" might be a category error.
Not speaking to the fraudulence of this specific case, but wire fraud is an umbrella term that covers pretty much every non tangible crime.
It's kind of like how everything can be securities fraud[0]
bloomberg article: https://archive.is/ixwRi
"Everything" here meaning "blatant lying" - and knowingly staying silent on something that obviously has a huge impact on a company is lying - which in corporate America is so normalized that some mistake it for being "everything". Securities fraud is incredibly easy to avoid if executives just stop lying. This soon becomes clear when clicking through the links in the article.
> Yesterday New York State Attorney General Barbara Underwood filed a securities-fraud lawsuit against Exxon Mobil Corp. “alleging that the company misled investors regarding the risk that climate change regulations posed to its business.”
Blatant lying
> if you are a public company that suffers a massive data breach and exposes sensitive data about millions of customers without their consent, and that data is then used for nefarious purposes, and you find out about the breach, and then you wait for years to disclose it, and when you do disclose it your stock loses tens of billions of dollars of market value, then shareholders are going to sue you for not telling them earlier
Blatant lying
The fact that most of this lying (see Exxon) is done under some kind of "nudge nudge, wink wink, we all know what's really going in" doesn't stop it from knowingly lying.
That knowingly lying is securities fraud seems very logical, and nothing like "everything".
This is all moot anyway now that the US is no longer interested in upholding any laws against large companies whatsoever.
Or like Target? https://www.reuters.com/legal/target-sued-by-florida-defraud...
Blatant lying also?
> Yesterday New York State Attorney General Barbara Underwood filed a securities-fraud lawsuit against Exxon Mobil Corp. “alleging that the company misled investors regarding the risk that climate change regulations posed to its business.”
>Blatant lying
Can you elaborate? Looking at the case it seems pretty clear that Exxon did not lie, especially not in any "blatant" manner.
In what sense would the payments be fraudulent? It would be real money paid out of Amazon's accounts as part of a contract they willingly signed with Israel.
It is two crimes:
1. Alerting a country to secret actions taken by a third party government (my nation of citizenship, the US, definitely has rules against that)
2. Passing money to commit a crime. See money laundering.
Honestly, the second crime seems aggravated and stupid. Just pass random digits in an API call if you want to tell Israel you did something.
Wouldn't just having 1000 canaries be a "legal" way to do the alerting?
A government can compel Amazon to avoid notifying a target (Israel in this case) that their information has been subpoenaed, but can't compel Amazon to lie and say it hasn't sent their info.
Or is the concept of a canary pretty much useless now?
I'm personally one of the "activists" who is trying to avoid Amazon and Google to a practical degree, due to project Nimbus, so I'd be more than happy if their data could be accessed, and even happier to see Amazon and Google just cut ties with them altogether.
And I'm personally one of the "activists" who is trying to avoid Amazon and Google to a practical degree, because they might be ordered by a foreign government (or my own government) to turn over my data to that government and be legally forbidden from saying that they have been required to do this. Or because they might succumb to activist pressure to deplatform me.
> (my nation of citizenship, the US, definitely has rules against that)
US rules are, unfortunately, nortoriously and outlandishly broken whenever it comes to Israel: Foreign Agent Registration Act, the Leahy Law, and probably a bunch of others as well.
I'm not disputing that the company would be breaking the law by doing this. That's not what fraud is though.
Fraud is intentional deception + criminal intent. The deception comes from using payments as a code instead of say an encrypted channel.
No, fraud is intentional deception to deprive a victim of a legal right or to gain from a victim unlawfully or unfairly.
Who exactly here is the victim that gets it legal rights deprived or what is the gain at the expense of the victim?
The shareholders of Microsoft or Amazon are deprived of their value.
then every crime is fraud. I murder you. Your employers shareholders are deprived of a worker.
That's reductive and silly. Here's the scenario:
1. You work for AWS, probably in account management or billing operations.
2. Your "buddy" in legal tells you that a subpeona has been processed that effects an Israeli government affiliated account.
3. Your buddy is breaking work rules and the law. You don't report it, as you are required to do. You're now a party to a criminal conspiracy.
4. Instead, you arrange for a payment to be made from AWS to an account in some pre-determined amount to communicate the confidential or legally sealed information that you conspired to steal.
Let's review. You're engaging in a criminal conspiracy to share restricted, sealed legal information with a foreign government. You are doing so by fraudulently stealing/embezzling money from your employer in a predetermined amount.
If that's not clearly understandable to you as a "bad thing" and a fraudulent activity, you're overthinking, lack any sense of law and ethics, are lacking cognitive ability, are a troll, or are just a schill for whatever team you're rooting for.
> You are doing so by fraudulently stealing/embezzling money from your employer
In this scenario Amazon is contractually obligated to pay Israel (unless they determine that they can't legally). If this employee is dutifully fulfilling that obligation in compliance with any relevant company approval process or other policies, then it's certainly not theft or embezzlement.
You seem to be adding a twist of "what if this is some random employee, not the one authorized to make the payments"? In that case sure, they might be defrauding their employer, but that has very little to do with the contract that this story was about.
It's like saying "what if instead of making the authorized payment to Israel, they keep the cash for themselves, then steal some monitors and assault some colleagues"? We've come up with a hypothetical where crimes are committed, yes, but it's hard to see how Israel would be to blame or would even be relevant.
Google not Microsoft. Microsoft didn't want to implicate themselves apparently.
"everything is securities fraud"
In this scheme, the government would be deprived of its legal right to obtain information about a business's customer without the consent or knowledge of said customer.
In many/most? cases, a customer can be notified and can attempt to block such information gathering, but there are also many where it's not permitted.
then pretty much every crime is ”fraud”. You are wrong.
No, speeding and nearly every other traffic offense is just brazenly doing the thing. There’s no deception required to facilitate drunk and disorderly conduct, trespassing, dumping your sofa by the side of the road, or just walk up to someone and start beating on them.
Really most crimes don’t require deception.
IE criminal intent vs criminal activity, critically the criminal activity only needs to be intended not actually occur for it to be fraud. Specifying which criminal intent is applicable is reasonable but nothing I said was incorrect.
The victims are the people being deprived of their legal protections.
Not everyone agrees which information should be protected but sending information can be a form of harm. If I break into your bank, find all your financial transactions, and post it on Facebook, I have harmed you.
Courts imposing gag orders over criminal or civil matters is a critical protection, and attempting to violate those gag orders is harm. The specific victims aren’t known, but they intend for there to be victims.
so which intent of benefit at the cost of which victim do you claim that Aws had when they committed the crime?
The payoff for AWS is the contract itself. Ultimately, it’s Israel that benefits from this information but being paid by your employer to commit fraud in a call center counts even if you’re not getting a cut of that specific victim.
IANAL, but all criminal definitions of fraud that I am aware of require an intention to harm to a victim. It's kind of hard to argue that sending money fulfills this criteria.
The harm is not to the recipient of the funds in this case, but to the investigating authorities, who have had the secrecy of their subpoena compromised.
There is wide latitude in the criminal code to charge financial crimes. This reminds me a bit of Trump's hush money conviction. IIRC, a central issue was how the payment was categorized in his books. In this case, there would be a record of this payment to Israel in the books, but the true nature of the payment would be concealed. IANAL, but I believe that is legally problematic.
The investigating authorities aren't being defrauded though; making someone's job harder isn't fraud. Google or Amazon could be committing other crimes,[1] but not fraud.
[1] If they actually violated a gag order, which realistically they won't. In all likelihood there's language to ensure they're not forced to commit crimes. Even if that wasn't explicit, the illegality doctrine covers them anyway, and they can just ignore any provisions which would require them to commit crimes.
>The investigating authorities aren't being defrauded though; making someone's job harder isn't fraud.
It can very well be, and it's called obstruction of justice.
Though in this case, the real crime is treason. Those companies collaborate with a foreign government against their own.
> obstruction of justice
Possibly, depending on intent. But even if so, obstruction of justice is not fraud.
> the real crime is treason
This hypothetical crime (which I'd say is highly unlikely to occur) would definitely not be treason, which has a narrow legal definition. We're not at war with Israel.
>Possibly, depending on intent. But even if so, obstruction of justice is not fraud.
Sure, but it's a crime still. Not just something neutral.
>This hypothetical crime (which I'd say is highly unlikely to occur) would definitely not be treason, which has a narrow legal definition. We're not at war with Israel.
No, just on several on behalf of them.
Which one feels should also have been part of this "narrow legal definition".
This is a bizarre reddit-brained legal theory.
Almost all crime requires some form of lying, at least by omission and often of the explicit sort. Fraud though, is much more narrow than "they deceived but also crimed"... and anyone saying otherwise should be so embarrassed that we never have to hear their halfwittery ever again.
Americans get legal protections for their private health data because the disclosure of such information is considered harmful.
Other countries provide legal protections for other bits of information because disclosure of that information is considered harmful to the individual, it’s that protection they are trying to breach which thus harms the person.
How is this related to the fraud discussion in this thread? Illegal disckosure of confidential information is usually handled by a separate legal framework.
Stuff is generally also fraud rather than only being fraud. We don’t know the details of what else happened so we can’t say what other crimes occurred.
Same deal as most illegal things public companies do also being SEC violations.
The other person is saying that disclosure of health data in violation of HIPAA wouldn't be fraud. It would be a HIPAA violation, not fraud.
The same action can break multiple laws. Unlawful discharge of a firearm is a crime, but it can also kill someone and thus break a different law. https://www.azleg.gov/ars/13/03107.htm
Here we don’t know which specific laws were broken because we lack details, but the companies definitely signed a contract agreeing to commit fraud.
Anyway, the comment I responded to had “require an intention to harm to a victim” it’s that aspect I was addressing. My point was the transmission of information itself can be harmful to someone other than the recipient of that information. So the same act fulfills both aspects of fraud (deception + criminal intent), and also breaks some other law.
It depends on the context. I’ve gathered evidence to support prosecution of an individual disclosing PHI who was doing so to facilitate criminal acts.
But this is a signaling system, not a meaningful transfer of money.
The signal based on private information is what’s causing the harm not the movement of money. They could cause the same harm by encoding a signal in the timing of a money transfer, or hell using carrier pidgins.
I could send your username and password using similar methods, the medium doesn’t matter here but the signal and their attempt to hide it does.
The payments are an act of fraud as they deprive the company of resources for no tangible business purpose. No contract authorizes the use of payments to bypass communications controls and exfiltrate data.
The act of communicating privileged or sealed information on itself is at minimum contempt of court and perhaps theft of government property, wire fraud or other crimes. Typically accounts payable aren’t aware of evidence gathering or discovery, so the actor is also facing conspiracy or other felonies.
Lol are we still pretending laws are more than ink on a paper?
No laws require prosecution and enforcement. Western countries shield Israel from all of that.
Who is going to prosecute those crimes?
> If either Google or Amazon provides information to authorities in the US, where the dialing code is +1, and they are prevented from disclosing their cooperation, they must send the Israeli government 1,000 shekels.
its a buggy method, considering canada also uses +1, and a bunch of countries look like they use +1 but dont, like barbados +1(246) using what looks like an area code as part of the country code.
> its a buggy method, considering canada also uses +1, and a bunch of countries look like they use +1 but dont, like barbados +1(246) using what looks like an area code as part of the country code.
You are correct that ITU code is not specific enough to identify a country, but I'm sorry, +1 is the ITU country code for the North American Numbering Plan Area. 246 is the NANPA area code for Barbados (which only has one area code) but as a NANPA member, Barbados' country code is +1, same as the rest of the members. There is no '+1246' country code.
There's not a lot of countries that are in a shared numbering plan other than NANPA, but for example, Khazakstan and Russia share +7 (Of course, the USSR needed a single digit country code, or there would have been a country code gap), and many of the former Netherland Antilles share +599, although Aruba has +297, and Sint Maarten is in +1 (with NANPA Area code 721)
It's a criminal scheme to spy on law enforcement. Both the company and the scheming country are committing crimes.
spy on law enforcement that spy on your government, seem like a fair game
Does that apply for China, Russia, North Korea, Iran, Venezuela, Brazil and so on?
That's how competition works, yes.
This is not about spying, but fighting money laundering, persecuting war criminals, even common crimes.
To spy on law enforcement that is trying to fight crime is not a good thing. Israel is not the world police.
Can a country commit a crime?
No, it's the government that commits it.
People use the country = government metaphor as a shortcut for communication, but this one takes it further than usual.
> country = government metaphor
This will probably never be particularly useful, but this figure of speech is a "synecdoche" (a "metonymy" instead of a "metaphor")
As long as we’re being pedantic, synecdoche means referring to part as the whole (nice wheels = car, nice threads = clothes).
Saying the US did something when referring to the government is metonymy, but not synecdoche.
A synecdoche can either be when you use a part to represent the whole, or conversely use the whole to represent a part
I think it’s valid to consider the US government a part of the US. Thus, referring to the US government when saying that the US did something is a synecdoche
Extradition by tectonic subduction
Obviously illegal lowbrow schemes asixe, it's hilarious that the company has to SEND money to Israel to notify them of a breach.
It seems weirdly complicated. At this point I would assume it's much easier and secure just to bribe someone to tell them directly. This is like roleplay of secret sleeper agents during the cold war.
Maybe they just really need the 555 shekels or so.
Very much doubt something this hot in an agreement with a foreign government as counterparty gets signed off by some random salesman
> If either Google or Amazon provides information to authorities in the US, where the dialing code is +1, and they are prevented from disclosing their cooperation, they must send the Israeli government 1,000 shekels
This is criminal conspiracy. It's fucking insane that they not only did this, but put the crime in writing.;
I'm always surprised how often crimes get put in writing in big companies, often despite the same companies having various "don't put crimes in writing" trainings.
To be fair it is not necessarily true that they did this. Devil's advocate (emphasis on the devil part) -- google and amazon may have agreed to do this / put it in the contract but never followed through.
It is criminal conspiracy, a federal felony in the US, if you contract to commit a crime. Conspiracy is a standalone crime on its own, independent if the contracted crime is never carried out (in breach of contract).
The mob tried your argument generations ago. It never worked.
The US Gov effectively is the mob now, laws don’t matter anymore
Source?
My source was on a boat that was destroyed by a military strike
They publicly agreed to do genocide, having a slightly criminal communications protocol in a contract on the side amounts to an ethical rounding error.
I’d assume they have agents inside the companies smoothing the way or even running interference against any inconvenient questions.
> If the companies conclude the terms of a gag order prevent them from even signaling which country has received the data, there is a backstop: the companies must pay 100,000 shekels ($30,000) to the Israeli government.
Uhm doesn't that mean that Google and Amazon can easily comply with US law despite this agreement?
There must be more to it though, otherwise why use this super suss signaling method?
How can they comply with a law that forbids disclosing information was shared, by doing just that? THe fact it's a simply kiddie code instead of explicit communication doesn't allow you to side step the law.
[dead]
I don't quite understand this. How much money would Israel be able to milk from this? It can't be that much, can it?
It's not about money, it's about sending information while arguably staying within the letter of US law
Kinda similar to a https://en.wikipedia.org/wiki/Warrant_canary, with the same untested potential for "yeah that's not allowed and now you're in even more trouble".
Are there any instances anyone knows of in which a warrant canary has been found to violate antidisclosure law?
(Australia apparently outlaws the practice, see: <https://boingboing.net/2015/03/26/australia-outlaws-warrant-...>.)
Any such case seems likely to wind up in something like the secret FISA court.
https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...
Except this is an affirmative action. Warrant canaries are simply removing from the TOS that the company has not/will not interact with law enforcement.
This is directly violating gag orders. Passing a message, even if it's encrypted or obfuscated is absolutely illegal. The article is a little BS as this sort of thing has been tested in court.
The only reason warrant canaries are in the gray zone is because they are specifically crafted that the business has to remove their cooperation clause to keep the ToS contract valid.
There's nothing like that at play here. It's literally "Just break the gag order, here's our secret handshake".
I don't understand these legal mambo jumbo, but lets make it simpler. Israel and the US have a tight intelligence agreements. No one have to keep secrets since they share information readily. That is what it means to be friends. Israel is the best outpost for western influence in the Middle East, and the US have a strategic need to maintain that to oppose forces such as China, Russia and Iran axis. There is no need for bribes or anything like that to get intelligence from both sides... The last time they started lying to each other was disastrous and henceforth I believe the relationship is stable. Not to mention it includes European powers, even though they are happy to defame Israel, they share intelligence, participate in joint operations and buy a huge amount of arms and technology from Israel and sell arms to Israel. So don't let the media fool you...
Do you have any thoughts on these reports from 2019?
https://www.politico.com/story/2019/09/12/israel-white-house...
> The U.S. government concluded within the past two years that Israel was most likely behind the placement of cellphone surveillance devices that were found near the White House and other sensitive locations around Washington, according to three former senior U.S. officials with knowledge of the matter.